Sql Injection Cheat Sheet Github

Posted on by



  1. Sql Injection Cheat Sheet Github Download
  2. Sql Injection Cheat Sheet Pdf
  3. Owasp Sql Injection Cheat Sheet Github
  4. Sql Injection Cheat Sheet Github Free
  5. Oracle Sql Injection Cheat Sheet

Penetration test has shown that the application is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. Sending improper variable type “Array” allows to bypass core SQL Injection sanitization. Cheatsheet to exploit and learn SQL Injection manually. View On GitHub; This project is maintained by AdmiralGaust. First try to figure out the vulnerable parameter. A1 SQL Injection. DO: Using an object relational mapper (ORM) or stored procedures is the most effective way of countering the SQL Injection vulnerability. DO: Use parameterized queries where a direct sql query must be used. In entity frameworks.

Studying from various sources for Offensive-Security OSCP. I would like to make my own cheatsheet for the exam.

GitHub Gist: instantly share code, notes, and snippets. GitHub Gist: instantly share code, notes, and snippets. 0x01 basic sqlinjection cheat sheet 0x01 basic: Check the current database version: VERSION @@ VERSION. Use sql injection can import export. PWK course & the OSCP Exam Cheatsheet 6 minute read Forked from sinfulz “JustTryHarder” is his “cheat sheet which will aid you through the PWK course & the OSCP Exam.” So here: “ JustTryHarder. JustTryHarder, a cheat sheet which will aid you through the PWK course & the OSCP Exam.

Enumeration

Enumeration is most important part. All finding should be noted for future reference. Without enumeration, we will have hard time to exploit the target.

DNS Enumeration

Forward Lookup brute force to find ip addres of host:

Reverse Lookup to find hostname:

Zone transfer and enumeration using Kali tools

Enumerate using Nmap

Port Scanning and Service Enumeration

Filter all open ports for nmap script scanning:


Automated Enumeration Script

Download: https://github.com/21y4d/nmapAutomator

Other Enumeration Command

Pentesting Specific Service

Port 21(FTP) Open

Scan FTP with Nmap

Login and Upload backdoor

Port 22(SSH) Open

Banner Grab

Quick Brute Forces

Port 25(SMTP) Open

Enumerate Using netcat. Used for username Enumeration. Useful for brute forcing

Port 53(DNS) Open

Enumerating with nslookup,dig and gobuster:

Other tools to try:

Port 79(Finger) Open

If finger service is running, it is possible to enumerate username, and useful for brute force purpose.

Port 80/443(HTTP/HTTPS) Open

What to check?

  1. Manually Browse Common Files.
  2. Identify Technology. Search Vulnerability with identified info.
  3. Gather information from SSL.
  4. Check if it has any proxy related vulnerability.
  5. Directory, Sensitive files brute force and spider any discovered directory.
  6. May need to find out the hidden parameters.
  7. Find all inputs point.
  8. Find subdomains using dnsrecon or dnsenum.

View sources, and also Browse Manually

Identify Technology with whatWeb

Scan with Nikto

If any CMS identified

Brute Force Directory and Files

  1. First use small common wordlist
  2. Then Big Word list
  3. Try with CMS related wordlist

Word list File to brute forces:

Brute force with Gobuster

Password brute Forcing(wordpress example)

Sql injection cheat sheet github pdf
LFI and RFI

If the URL parameter has file name, we can try to vulnerability for LFI/RFI. We should request invalid file and see if any error is displayed!

LFI Can execute code!

Send our malicious code using CURL or Burpsuite or even netcat:

Now execute command:

Command Execution

If found any parameters or input fields, we can try for command execution. Test Every parameters and input fields with these payload(Better to use burp suite intruder):

Reference and more payload: https://github.com/payloadbox/command-injection-payload-list

SQLi for Login Bypass

If any login page found, should be tried to bypass password check. These payload copied from: https://github.com/payloadbox/sql-injection-payload-list

CheatSheet:
MSSQL INJECTION: https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/
MYSQL INJECTION: https://perspectiverisk.com/mysql-sql-injection-practical-cheat-sheet/

Exploit WebDav

If one method fail, another should be tested. If nothing work, Find different exploit!

Method 1:

Method 2:

Method 3:

Reference

File Inclusion: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
SQL Injection: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
Command Injection: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

Port 110(POP3) Open

Found an user login information?

Port 111 (RPCINFO) Open

Connect with Null session.

Port 137,138,139 Open

Port 445(SMB) Open

There is a big chance getting sensitive information with SMB. Need to check everything carefully!

Enumerating SMB

Connecting to share without password(Anonymous login)

Login with Password

Port 389(LDAP) Open

Port 1433(MSSQL) Open

Reference: https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server

Quick brute for pass “SA” password

Connect to MSSQL Server:

Enable xp_cmdshell:

Execute System Command:

Port 2049(NFS) Open

Sql

Sql Injection Cheat Sheet Github Download

Enumerate shares

Mount shares in Local Machine

After mounting the filesystem if don’t have read/write permission, we need to edit /etc/passwd and change UUID:

Now we can write files to the target fold of the network filesystem. For example:

Port 3306(MYSQL) Open

Port 3389(RDP) Open

Connect to RDP

Brute force if a valid username found:

Add user to RDP Group

Port 5900/5800(VNC) Open

Scan with nmap

Connect from Kali

Password Attack

Sometime we need to do password guessing(We should!). For better success rate we need a good password dictionary. Also we should search for default credential online!

I have collected some Username and password for quick brute force, usually used for CTF. These list could be used to exploit weak password. Uploaded in GitHub:

Default Username: https://raw.githubusercontent.com/bytefellow/pentest/master/common-username
Default Password: https://raw.githubusercontent.com/bytefellow/pentest/master/common-password

Common password
Generate Password with cewl
Brute Forcing with Burp

If it is an web form we can brute force in intruder and match grep. Some screenshot from burp suit:

To brute force web form with the hydra, we need to grab the post data from the burp suite carefully. Otherwise, we will get false positive and waste lots of time! I tried to brute force otrs and it worked.

Brute Force With Hydra

Vulnerability and Exploitation

I believe finding vulnerability for the OSCP exam machine would be simple and easy. All enumeration previously should be noted! Version detection using and Web CMS version is most important to find exploit.

Find Vulnerability with Nmap

Using Searchsploit

Find Exploits using Google

Three kind of search should be enough to find an working exploit

Working with Public Exploits

Sql injection login cheat sheet github

A public exploit might be coded in python, ruby, c/c++ or any other language. Before executing the exploit:

  • Read the instruction Carefully.
  • Edit Target address, Reverse connection ip and Ports.

Working with Shell

We may get shell, after exploiting some vulnerability. Now what?

Backdoor Files in Kali

Sql Injection Cheat Sheet Pdf

Kali already has some web shell.

Quick Shell in Different language

Here it is: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Generate with metasploit

Upgrading Shell

Listening for Connection

Sql

Upgrading Shell when received connection!

Running Python http Server

Uploading Shell/File

After getting shell, we may need to upload additional files or stable backdoor.

Transfering file in Linux

Transfering file in Windows

Transfer file with impacket samba script

Piviot/Tunnel/Port Forwarding

  1. -L = Kali’s Port
  2. -R = Kali Port
  3. $ip:3306 is the port from target

Local Port Forwarding

Have SSH access with low privileges? and There are some ports open internally? Try Local Port Forwarding:

Owasp Sql Injection Cheat Sheet Github

Remote Port Forwarding

No SSH Access but limited shell? Also some weird port is open? Upload plink and Try Remote port forward with plink

Connect to the the tunneled port:

Dynamic Port Forwarding(Socks4)

Sql

Dynamic Port Forwarding from victim machine(Socks Proxy):

With Dynamic Port Forwarding We can access/browse any ip range of the victim machine. We just need to configure proxychains.conf as follows:

Now we can use any application through proxychains… such as:

Port Forwarding with Plink.exe

Remote Port Forwarding using Plink. Needed When we don’t have access to specific port on on target box!

Common Issue

Correct permission for SSH Key?

Load key “id_rsa”: invalid format ?

Try Removing additional space. Also keep the public key in the same directory of private key. We may get the warning, but it should work!

Unable to negotiate with x.x.x.x … no matching key exchange method found

SSH Error:

Solutions:

Practical Exploitation

Exploiting NFS and FTP

I have done enumeration with nmapautomator. Found NFS and ProFtpd 1.3.5 is running. But no HTTP. The exploitation step was:

The network File system mounted but does not have any contents. FTP version is vulnerable. So i had to exploit it manually(https://www.exploit-db.com/exploits/36803):

Sql Injection Cheat Sheet Github Free

This way, I was able to successfully exploit the system without directly using any tools!

Exploiting Jenkins Server

Was able to login as user admin and password admin. Then I have navigated to Manage Jenkins>>Script Console and pasted this code for reverse connection:

Clicked run and got shell!

Oracle Sql Injection Cheat Sheet

More Example: https://www.bytefellow.com/quick-initial-foothold-in-10-htb-machine/