Identification
Information Gathering
Enumerate Databases
Enumerate Tables
Without information_schema (MySQL 5.6+)
Enumerate Columns
Dump Data
String Functions
| Function | Description |
|---|---|
CONCAT(a,b) | Concatenate |
CONCAT_WS(':',a,b) | Concat with separator |
GROUP_CONCAT(a) | Aggregate concat |
SUBSTRING(str,pos,len) | Substring |
MID(str,pos,len) | Same as SUBSTRING |
LEFT(str,n) | Left N chars |
RIGHT(str,n) | Right N chars |
LENGTH(str) | String length |
ASCII(char) | ASCII value |
ORD(char) | Same as ASCII |
CHAR(n) | Char from ASCII |
HEX(str) | Hex encode |
UNHEX(hex) | Hex decode |
REVERSE(str) | Reverse string |
Conditional
Time Delay
File Read
File Write
DNS Exfiltration (Windows)
Error-Based
Password Hashes
hashcat -m 300 (MySQL4) or -m 7401 (MySQL5).
Stacked Queries
Only withmysqli_multi_query() or PDO: