MySQL SQL Injection Practical Cheat Sheet

There are lot of excellent SQL injection cheat sheets out there; however, I found the majority provide only the components of a SQL injection rather an entire, working string. As a result, successfully putting a valid query together can take some trial and error and waste precious time. I have thus attempted to create a list of pre-made strings for each type of SQL injection so that they can simply be pasted in with little modification.
As SQL injections can loosely be grouped into three categories, union based, error based (XPath and double query) and inferential (time based and boolean), I have listed them as such. Below you will find MySQL specific syntax whilst I will post my MSSQL cheat sheet shortly.
To avoid repetition, anywhere you see: version() (used to to retrieve the database version) you can replace it with:
database() – to retrieve the current database’s name
user() – to retrieve the username that the database runs under
@@hostname – to retrieve the hostname and IP address of the server
@@datadir – to retrieve the location of the database files
Note that my examples below will be constructed for injecting into an integer field. If it’s a string field, simply add a single quote after the vulnerable parameter. I’ve also included the comment character in my injection strings; however, they may not be necessary depending on where in the SQL query the injection occurs. Lastly, don’t forget the space after the comment!
UNION
UNION is used to append our SQL injection to a legitimate query and combine the information we wish to retrieve with that of the legitimate query. Note that you need to enumerate the number of columns first, this can be achieved by using the ORDER BY function or using UNION with NULL values.
Assuming there are two columns:
Retrieve database version:
Retrieve database names:
Retrieve table names:
Retrieve column names:
Retrieve data:
Retrieve data from another database:
Error Based
When there is no output except a MySQL error, you can force your data extraction through the error. Note that both of the below methods can be easily automated using Burp’s Intruder and the grep extract functionality.
XPath
The ExtractValue() function generates a SQL error when it is unable to parse the XML data passed to it. Fortunately, the XML data, and, in our case, the evaluated results of our SQL query, will be be embedded into the subsequent error message. Prepending a full stop or a colon (we use the hex representation of 0x3a below) to the beginning of the XML query will ensure the parsing will always fail, thus generating an error with our extracted data. Note that this only works on MySQL version 5.1 or later. Use the LIMIT function to cycle through database information.
Retrieve database version:
Retrieve database names:
Retrieve table names:
Retrieve column names:
Retrieve data:
Retrieve data from another database:
Double Query
The functions used below combine to produce a query which is accepted by the MySQL compiler but errors at runtime. The error is then returned, but it evaluates and includes the subquery (due to the double select), thus returning the results of our injection to the page. Increment the first LIMIT to cycle through the database information.
Retrieve database version:
Retrieve database names:
Retrieve table names:
Retrieve column names:
Retrieve data:
Retrieve data from another database:
Inferential
When no data or error messages are returned, you can use time delays or true/false responses to retrieve database information. Note that automated tools such as sqlmap significantly speed up the process.
Boolean
This type of extraction is used when the application returns differing results dependent on whether the SQL query we inject evaluates to true or false. If we convert each individual character of the piece of database information we wish to retrieve to their decimal representation using the ASCII function (table here), we can create true or false conditions using the greater than, less than and equals symbols. We can then cycle through the individual characters using the SUBSTRING function and the pieces of database information using the LIMIT function.
Test for the presence of the vulnerability. This query should result in the original page being displayed:
Whilst this query should return a different page:
Retrieve version:
Note, a better way to retrieve the version in this context is to use the LIKE function:
Retrieve databases:
Retrieve tables:
Retrieve columns:
Retrieve data:
Retrieve data from another database:
Time Based
If identical pages are returned for true or false responses, time delays can be created by the IF andSLEEP functions and used to deduce database information instead.
Test for the presence of the vulnerability:
Retrieve version:
Retrieve version using LIKE:
Retrieve databases:
Retrieve tables:
Retrieve columns:
Retrieve data:
Retrieve data from another database:
Sources Used
The above information was took from a variety of sources, including:
Pentest Monkey’s MySQL injection cheat sheet
Ferruh Mavituna’s cheat sheet
Kaotic Creations’s article on XPath injection
Kaotic Creations’s article on double query injection
Some other resources I recommend are:
DVWA – great test bed
SQLZoo – another great (online) test bed