SQL injection: Understanding mysql command

SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. (OWASP)

In this post I'm going to introduce the MySQL functions and clauses that show up in SQLi attacks. Let's go!

I use an example database as below:

+---------+------------+-----------+---------+----------------------------------+----------------------------------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                                             | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+----------------------------------------------------+---------------------+--------------+
| 1       | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | http://192.168.1.5/DVWA/hackable/users/admin.jpg   | 2017-09-01 11:40:16 | 0            |
| 2       | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://192.168.1.5/DVWA/hackable/users/gordonb.jpg | 2017-09-01 11:40:16 | 0            |
| 3       | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://192.168.1.5/DVWA/hackable/users/1337.jpg    | 2017-09-01 11:40:16 | 0            |
| 4       | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://192.168.1.5/DVWA/hackable/users/pablo.jpg   | 2017-09-01 11:40:16 | 0            |
| 5       | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://192.168.1.5/DVWA/hackable/users/smithy.jpg  | 2017-09-01 11:40:16 | 0            |
+---------+------------+-----------+---------+----------------------------------+----------------------------------------------------+---------------------+--------------+
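
Before the individual functions, here is an added example (my own, not from the original post) of the flaw the OWASP paragraph describes, typed into the mysql client against the sample users table above. The same lookup is built twice: once by string concatenation, once as a prepared statement with a bound parameter. The input string is constructed for the demo.

```sql
-- Constructed input: the value  admin' OR '1'='1  (doubled quotes are MySQL's escape inside a literal)
SET @input = 'admin'' OR ''1''=''1';

-- 1) Vulnerable: the query text is assembled by concatenation, so the quote in the input
--    closes the string literal and the rest of the input is parsed as SQL.
SET @sql = CONCAT('SELECT user_id, user FROM users WHERE user = ''', @input, '''');
SELECT @sql;            -- SELECT user_id, user FROM users WHERE user = 'admin' OR '1'='1'
PREPARE bad FROM @sql;
EXECUTE bad;            -- all 5 rows: the WHERE clause is now always true
DEALLOCATE PREPARE bad;

-- 2) Parameterised: the statement is compiled first and the input is bound afterwards as a value,
--    so it can only ever be compared against the user column, never parsed as SQL.
PREPARE good FROM 'SELECT user_id, user FROM users WHERE user = ?';
EXECUTE good USING @input;   -- Empty set: no account is literally named  admin' OR '1'='1
SET @input = 'admin';
EXECUTE good USING @input;   -- 1 | admin
DEALLOCATE PREPARE good;
```

The `?` placeholder is exactly what a driver does for you with mysqli/PDO prepared statements or a DB-API `execute(sql, params)` call. Every function described below is harmless once user input can only reach the database as a bound value; the second thing to get right is never to return the raw DBMS error text to the client, since several of the queries further down depend on reading it.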

The MID() Function

The MID() function is used to extract characters from a text field.

SQL MID() Syntax

SELECT MID(column_name,start,length) AS some_name FROM table_name;

The limit() Function

The SQL SELECT LIMIT statement is used to retrieve records from one or more tables in a database and limit the number of records returned based on a limit value.

SQL limit() Syntax

SELECT expressions
FROM tables
[WHERE conditions]
[ORDER BY expression [ ASC | DESC ]]
LIMIT number_rows [ OFFSET offset_value ];


  • Using the limit() function to get a table name:
    select table_name from information_schema.tables where table_schema=database() limit 0,1;
  • Get the first character of that table name:
    select substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1) m;
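
An added example (mine, not from the original post) of the two LIMIT spellings on the sample users table, including the caveat that matters when you walk a table row by row: without ORDER BY, MySQL does not promise any row order, so "the second row" is not well defined.

```sql
-- LIMIT count OFFSET offset  and  LIMIT offset, count  are the same thing.
SELECT user_id, user FROM users ORDER BY user_id LIMIT 1 OFFSET 1;   -- 2 | gordonb
SELECT user_id, user FROM users ORDER BY user_id LIMIT 1, 1;         -- 2 | gordonb

-- Offsets are 0-based; past the last row the result is simply empty, not an error.
SELECT user FROM users ORDER BY user_id LIMIT 4, 1;   -- smithy
SELECT user FROM users ORDER BY user_id LIMIT 5, 1;   -- Empty set

-- Without ORDER BY the engine may hand back rows in any order, so this is not guaranteed to be admin:
SELECT user FROM users LIMIT 0, 1;

-- SUBSTR wrapped around a LIMIT 0,1 subquery, as in the post, yields one character of one row.
-- Note the alias m on the post's query is just a column label; it has no effect on the value.
SELECT SUBSTR((SELECT user FROM users ORDER BY user_id LIMIT 0, 1), 1, 1) AS m;   -- a
```

From the defender's side, a burst of otherwise identical queries that differ only in the LIMIT offset or the SUBSTR position is the signature of row-by-row extraction; the general query log, a database firewall or a query-aware proxy will show that pattern clearly.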

MySQL CONCAT() Function

The CONCAT() function concatenates two or more expressions together.

MySQL concat() Syntax

CONCAT(expression1, expression2, expression3, …)

MySQL CONCAT_WS() Function

The CONCAT_WS() function concatenates two or more expressions together and adds a separator between them.

MySQL CONCAT_WS() syntax

CONCAT_WS(separator, expression1, expression2, expression3, …)

MySQL GROUP_CONCAT function

The MySQL GROUP_CONCAT function concatenates strings from a group into a single string with various options.

MySQL GROUP_CONCAT syntax

GROUP_CONCAT([DISTINCT] expression
[ORDER BY expression]
[SEPARATOR sep])
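
An added example (mine, not from the original post) covering the three concatenation functions above on the sample users table. The practical difference between CONCAT and CONCAT_WS is NULL handling, and the practical limit on GROUP_CONCAT is group_concat_max_len.

```sql
SELECT CONCAT(first_name, ' ', last_name)    AS full_name FROM users WHERE user_id = 2;  -- Gordon Brown
SELECT CONCAT_WS(' ', first_name, last_name) AS full_name FROM users WHERE user_id = 2;  -- Gordon Brown

-- CONCAT returns NULL if ANY argument is NULL; CONCAT_WS skips NULL arguments (but keeps empty strings).
SELECT CONCAT('a', NULL, 'b');           -- NULL
SELECT CONCAT_WS('-', 'a', NULL, 'b');   -- a-b
SELECT CONCAT_WS('-', 'a', '', 'b');     -- a--b

-- 0x3a is the hex literal for ':'; the post uses it as a delimiter inside the FLOOR/RAND queries.
SELECT CONCAT(0x3a, user, 0x3a) FROM users WHERE user_id = 1;   -- :admin:

-- GROUP_CONCAT folds one column of a whole group into a single string (default separator is ',').
SELECT GROUP_CONCAT(user ORDER BY user_id SEPARATOR '|') FROM users;   -- admin|gordonb|1337|pablo|smithy
SELECT GROUP_CONCAT(DISTINCT password) FROM users;                     -- 4 hashes: admin and smithy share one

-- The result is silently cut off (with a warning) at group_concat_max_len bytes, 1024 by default,
-- so a long list that looks complete may not be.
SHOW VARIABLES LIKE 'group_concat_max_len';
```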

MySQL COUNT() Function

The COUNT() function returns the number of records in a select query.

MySQL COUNT() syntax

COUNT(expression)

MySQL RAND() Function

The RAND() function returns a random number or a random number within a range.

The RAND() function will return a value between 0 (inclusive) and 1 (exclusive).

The RAND() function will return a completely random number if no seed is provided, and a repeatable sequence of random numbers if a seed value is used.

MySQL rand() syntax

RAND([seed])

MySQL FLOOR() Function

The FLOOR() function returns the largest integer value that is less than or equal to a number.

MySQL FLOOR() syntax

FLOOR(number)

  • Using the floor function to get the database name:
    select count(*),(concat(0x3a,database(),0x3a,floor(rand()*2))) first_name from information_schema.tables group by first_name;
  • Using floor function to get table name:
    select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
  • Using floor function to get content:
    select count(*),concat(0x3a,0x3a,(select first_name from users limit 1,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
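
An added example (mine, not from the original post) showing RAND() and FLOOR() on their own, followed by an explanation of why the three GROUP BY queries above fail with an error rather than returning a result set, and what that means for the application owner. The database name in the sample error message is a placeholder.

```sql
SELECT RAND() AS r;                  -- a value in [0, 1); different on every call
SELECT FLOOR(RAND() * 2) AS bit;     -- FLOOR maps [0,1) to 0 and [1,2) to 1, so this is always 0 or 1
SELECT RAND(7) AS a, RAND(7) AS b;   -- with a seed the sequence is repeatable: a = b

SELECT FLOOR(1.99), FLOOR(-1.01), FLOOR(0);   -- 1 | -2 | 0

-- In the post's queries the GROUP BY key is CONCAT(':', <value>, ':', FLOOR(RAND()*2)).
-- MySQL evaluates that key once to look it up in its temporary grouping table and again when
-- it inserts a new group. RAND() can change between the two evaluations, so the key it tries
-- to insert may already exist and the whole statement aborts with something like
--   ERROR 1062 (23000): Duplicate entry ':<database name>:1' for key 'group_key'
-- With an unseeded RAND() this is probabilistic: sometimes the query just returns two rows.
SELECT COUNT(*), CONCAT(0x3a, DATABASE(), 0x3a, FLOOR(RAND() * 2)) AS k
FROM information_schema.tables
GROUP BY k;
```

The value being read only travels inside the text of that error, which is why the technique depends on two things the application controls: input reaching the parser at all (see the prepared-statement example near the top) and database errors being echoed back to the client instead of logged server-side and replaced by a generic message.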

SQL GROUP BY Statement

The GROUP BY statement is often used with aggregate functions (COUNT, MAX, MIN, SUM, AVG) to group the result-set by one or more columns.

SQL GROUP BY syntax

SELECT column_name(s)
FROM table_name
WHERE condition
GROUP BY column_name(s)
ORDER BY column_name(s);
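
An added example (mine, not from the original post) for the COUNT() and GROUP BY sections together, run against the sample users table. The HAVING query is one a defender would actually run: the two identical unsalted hashes in the table mean two accounts share a password.

```sql
SELECT COUNT(*) FROM users;                    -- 5: counts rows
SELECT COUNT(avatar) FROM users;               -- 5 here; COUNT(column) skips NULLs, COUNT(*) does not
SELECT COUNT(DISTINCT password) FROM users;    -- 4: one hash is used twice

-- GROUP BY + HAVING: which password hashes belong to more than one account?
SELECT password, COUNT(*) AS accounts, GROUP_CONCAT(user ORDER BY user) AS users
FROM users
GROUP BY password
HAVING COUNT(*) > 1;
-- 5f4dcc3b5aa765d61d8327deb882cf99 | 2 | admin,smithy

-- Every non-aggregated SELECT column must be in GROUP BY (or functionally depend on it) while
-- ONLY_FULL_GROUP_BY is on, which is the default since MySQL 5.7.5.
SELECT last_login, COUNT(*) FROM users GROUP BY last_login;   -- 2017-09-01 11:40:16 | 5
```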

MySQL SUBSTR() Function

The SUBSTR() function extracts a substring from a string (starting at any position).

MySQL substr() syntax

SUBSTR(string, start, length)

or

SUBSTR(string FROM start FOR length)
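
An added example (mine, not from the original post) for both the MID() section at the top and the SUBSTR() section here: in MySQL both are synonyms of SUBSTRING(), positions are 1-based, and a negative start counts from the end of the string. Run against the sample users table.

```sql
SELECT MID(user, 1, 3)           FROM users WHERE user_id = 2;   -- gor
SELECT SUBSTR(user, 4)           FROM users WHERE user_id = 2;   -- donb  (no length: to the end)
SELECT SUBSTR(user FROM 2 FOR 3) FROM users WHERE user_id = 2;   -- ord
SELECT SUBSTR(user, -1)          FROM users WHERE user_id = 2;   -- b     (negative start: from the end)
SELECT SUBSTR(user, 10, 1)       FROM users WHERE user_id = 2;   -- ''    (past the end: empty, not NULL)
SELECT SUBSTR(user, 0, 1)        FROM users WHERE user_id = 2;   -- ''    (position 0 is not the first character)
SELECT SUBSTR(NULL, 1, 1);                                       -- NULL

-- The post's substr(..., 1, 1) takes the first character of a value; reading a whole value that
-- way costs one query per position, which is the pattern to look for in query logs.
SELECT SUBSTR(user, 1, 1), SUBSTR(user, 2, 1), SUBSTR(user, 3, 1) FROM users WHERE user_id = 1;   -- a | d | m
```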


Reference: w3schools