MySQL injection
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
Comments
Interesting Functions
Confirm Mysql:
Useful functions
All injection
from https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/
Flow
Remember that in "modern" versions of MySQL you can substitute "information_schema.tables" for "mysql.innodb_table_stats" (This could be useful to bypass WAFs).
Only 1 value
group_concat()
Limit X,1
Blind one by one
substr(version(),X,1)='r'
orsubstring(version(),X,1)=0x70
orascii(substr(version(),X,1))=112
mid(version(),X,1)='5'
Blind adding
LPAD(version(),1...lenght(version()),'1')='asd'...
RPAD(version(),1...lenght(version()),'1')='asd'...
SELECT RIGHT(version(),1...lenght(version()))='asd'...
SELECT LEFT(version(),1...lenght(version()))='asd'...
SELECT INSTR('foobarbar', 'fo...')=1
Detect number of columns
Using a simple ORDER
MySQL Union Based
SSRF
Learn here different options to abuse a Mysql injection to obtain a SSRF.
WAF bypass tricks
Information_schema alternatives
Remember that in "modern" versions of MySQL you can substitute information_schema.tables for mysql.innodb_table_stats or for sys.x$schema_flattened_keys or for sys.schema_table_statistics
MySQLinjection without COMMAS
Select 2 columns without using any comma (https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma):
Retrieving values without the column name
If at some point you know the name of the table but you don't know the name of the columns inside the table, you can try to find how may columns are there executing something like:
Supposing there is 2 columns (being the first one the ID) and the other one the flag, you can try to bruteforce the content of the flag trying character by character:
More info in https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952
MySQL history
You ca see other executions inside the MySQL reading the table: sys.x$statement_analysis
Version alternatives
Other MYSQL injection guides
References
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
Last updated