on Wednesday, 17 July 2013

Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the query.

Misc Tips
In no particular order, here are some suggestions from pentestmonkey readers.
From Dan Crowley:
From Jeremy Bae:
Tip about sp_helpdb – included in table above.
From Trip:
List DBAs (included in table above now):
select name from master..syslogins where sysadmin = '1'
From Daniele Costa:
Tips on using fn_my_permissions in 2005, 2008 – included in table above.
Also:
To check permissions on multiple databases you will have to use the following pattern.
USE [DBNAME]; select permission_name FROM fn_my_permissions (NULL, 'DATABASE')
Note also that when using this data in a UNION query, a collation error can occur.
In this case a simple trick is to use the following syntax:
select permission_name collate database_default FROM fn_my_permissions (NULL, 'DATABASE')
WPScan is a black box WordPress vulnerability scanner.


Step 1 :

To install wpscan and its related packages.

sudo apt-get install git libcurl4-gnutls-dev libruby libxml2 libxml2-dev libxslt1-dev ruby1.9.1-dev

sudo -sH
cd /opt
git clone https://github.com/wpscanteam/wpscan.git

Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.



Step 1 :

sudo apt-get update
sudo apt-get install wireshark

sudo dpkg-reconfigure wireshark-common


Answer "Yes" to the pop-up that allows non-root users to capture packets. You can consider enabling it, but be aware that it is dangerous.
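The following script is an added example, not part of the original post. It audits what that "Yes" answer changes: on Debian/Ubuntu the wireshark-common package (assumed layout: /usr/bin/dumpcap owned by root:wireshark with file capabilities) lets every member of the wireshark group capture traffic without root, so the check reports who on the host can capture. Function names, the group name and the path are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): audit whether non-root packet
# capture has been enabled by "dpkg-reconfigure wireshark-common".
# Assumptions: Debian/Ubuntu layout, dumpcap at /usr/bin/dumpcap, group "wireshark".

# Classify one line of `getcap /usr/bin/dumpcap` output. Prints:
#   caps - dumpcap carries cap_net_raw/cap_net_admin, so anyone allowed to
#          execute it captures without root
#   none - no file capabilities, capture still needs root
classify_dumpcap_caps() {
    case "$1" in
        *cap_net_raw*|*cap_net_admin*) echo caps ;;
        *) echo none ;;
    esac
}

# Decide who can capture from: caps classification, octal file mode (e.g. 2754),
# owning group, and the invoking user's groups (space separated, as `id -nG`).
capture_exposure() {
    caps="$1"; mode="$2"; grp="$3"; user_groups="$4"
    if [ "$caps" = none ]; then
        echo "root-only"; return 0
    fi
    # world-executable when the last octal digit has the x bit set
    last=$(printf '%s' "$mode" | tail -c 1)
    case "$last" in 1|3|5|7) echo "any-user"; return 0 ;; esac
    for g in $user_groups; do
        [ "$g" = "$grp" ] && { echo "group-member"; return 0; }
    done
    echo "not-permitted"
}

# Live check on this host (needs getcap from libcap2-bin and GNU stat).
audit_host() {
    bin=/usr/bin/dumpcap
    [ -e "$bin" ] || { echo "dumpcap not installed"; return 1; }
    caps=$(classify_dumpcap_caps "$(getcap "$bin" 2>/dev/null)")
    mode=$(stat -c %a "$bin")
    grp=$(stat -c %G "$bin")
    capture_exposure "$caps" "$mode" "$grp" "$(id -nG)"
}
```

Run `audit_host` as the user in question; "group-member" or "any-user" means that account can sniff the wire without sudo, which is the exposure the pop-up warns about.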


Weevely is a stealth PHP web shell that simulates an SSH-like connection. It is an essential tool for web application post-exploitation, and can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, even free hosted ones.

W3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.



Step 1 :

Make sure you follow the steps below one by one.

sudo -sH
cd /opt

apt-get update
apt-get install git build-essential



(A) Tor

Step 1 :

sudo nano /etc/apt/sources.list.d/tor.list

Append the following :

deb http://deb.torproject.org/torproject.org precise main

Save and exit.

sudo -sH
The objective of theharvester is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.



This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, ranging from database fingerprinting, to fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.



Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.

SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks. It works on the majority of Linux platforms, OS X and Cygwin - a Unix-like environment and command-line interface for Microsoft Windows.



It implements most common low-bandwidth Application Layer DoS attacks, such as slowloris, Slow HTTP POST, Slow Read attack (based on TCP persist timer exploit) by draining concurrent connections pool, as well as Apache Range Header attack by causing very significant memory and CPU usage on the server.

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering.




Step 1 :

sudo apt-get install git
Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.



Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.

On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.



It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.



Step 1 :

At the time of this writing, the "stable" PPA is at version 5 while the "nightly builds" PPA is at version 6.

sudo add-apt-repository ppa:openvas/stable

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Step 1 :

sudo apt-get install nmap zenmap

Step 2 :

To run it. You can run it from any directory.

sudo -sH
nmap -sC -PN -T4 samiux.com


or

Graphical interface -

zenmap
Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.

It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Step 1 :

sudo -sH
cd /opt

wget http://garr.dl.sourceforge.net/sourceforge/netcat/netcat-0.7.1.tar.gz

tar -xvzf netcat-0.7.1.tar.gz
rm netcat-0.7.1.tar.gz

cd /opt/netcat-0.7.1
./configure
make

cd /opt
mkdir /opt/netcat
cp /opt/netcat-0.7.1/src/netcat /opt/netcat/
rm -R netcat-0.7.1/


Step 2 :

To run it.

sudo -sH
cd /opt/netcat
./netcat -h


Remarks :

Please do not delete the built-in netcat-openbsd, as doing so will also remove the ubuntu-minimal package. Your compiled netcat is different from the built-in one.
Step 1 :

Go to the following link to download your copy of Nessus.

http://www.tenable.com/products/nessus/select-your-operating-system

For 32-bit :
wget "http://downloads.nessus.org/nessus3dl.php?file=Nessus-5.2.1-ubuntu1110_i386.deb&licence_accept=yes&t=8bd3179e2669137382555cb07611a795&__utma=96148739.876193166.1369081770.1369081770.1369084100.2&__utmb=96148739.3.10.1369084100&__utmc=96148739&__utmx=-&__utmz=96148739.1369084100.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)&__utmv=-&__utmk=236900745" -O Nessus-5.2.1-ubuntu1110_i386.deb

For 64-bit :
wget "http://downloads.nessus.org/nessus3dl.php?file=Nessus-5.2.1-ubuntu1110_amd64.deb&licence_accept=yes&t=8bd3179e2669137382555cb07611a795&__utma=96148739.876193166.1369081770.1369081770.1369084100.2&__utmb=96148739.3.10.1369084100&__utmc=96148739&__utmx=-&__utmz=96148739.1369084100.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)&__utmv=-&__utmk=236900745" -O Nessus-5.2.1-ubuntu1110_amd64.deb

Step 2 :

sudo dpkg -i Nessus-5.2.1-ubuntu1110_i386.deb

or

sudo dpkg -i Nessus-5.2.1-ubuntu1110_amd64.deb

Go to the following link to register your Nessus Plugin feed :

http://www.tenable.com/products/nessus/nessus-homefeed

sudo /etc/init.d/nessusd start

Point your Firefox to :

https://localhost:8834/

Follow the instructions on the browser.

Activate your Nessus plugin feed via the received email.

After that, you should disable nessusd from being started automatically at boot.

sudo update-rc.d nessusd disable

Step 3 :

To run it.

sudo /etc/init.d/nessusd start

Point your Browser to :

https://localhost:8834/
Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company.

The tool will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.

Step 1 :

sudo apt-get install subversion

sudo -sH
cd /opt
svn checkout http://metagoofil.googlecode.com/svn/trunk/ metagoofil
cd metagoofil


Step 2 :

To run it.

sudo -sH
cd /opt/metagoofil
python metagoofil.py -d samiux.com -t doc,pdf -l 200 -n 50 -o samiuxfiles -f results.html
The make-pdf tools consist of make-pdf-javascript.py and make-pdf-embedded.py, which allow penetration testers to embed a file or JavaScript in a PDF file.

make-pdf-javascript.py allows one to create a simple PDF document with embedded JavaScript that will execute upon opening of the PDF document. It’s essentially glue-code for the mPDF.py module which contains a class with methods to create headers, indirect objects, stream objects, trailers and XREFs.

make-pdf-embedded.py creates a PDF file with an embedded file.

Step 1 :

sudo -sH
mkdir /opt/make-pdf
cd /opt/make-pdf

wget http://didierstevens.com/files/software/make-pdf_V0_1_4.zip
unzip make-pdf_V0_1_4.zip

rm make-pdf_V0_1_4.zip


Step 2 :

To run them.

sudo -sH
cd /opt/make-pdf
python make-pdf-embedded.py
python make-pdf-javascript.py
Mac Changer is a GNU/Linux utility for viewing/manipulating the MAC address of network interfaces.

Step 1 :

sudo apt-get install macchanger macchanger-gtk

Step 2 :

To run it. You can run it from any directory.

macchanger eth0

or

Graphical interface -

macchanger-gtk
Joomscan is OWASP Joomla Vulnerability Scanner.

Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendliness and extensibility, to name a few. So, watching its vulnerabilities and adding them to the Joomla scanner's knowledge base is an ongoing activity. It will help web developers and web masters identify possible security weaknesses on their deployed Joomla! sites.

However, it is not up-to-date. The latest version of vulnerability database is on October 22, 2012 (at the time of this writing).

Step 1 :

sudo apt-get install libwww-perl libwww-mechanize-perl

Joomscan is written in Perl. Download it.

sudo -sH
cd /opt
wget "http://downloads.sourceforge.net/project/joomscan/joomscan/2012-03-10/joomscan-latest.zip?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fjoomscan%2F%3Fsource%3Ddlp&ts=1368806935&use_mirror=ncu" -O joomscan-latest.zip


Step 2 :

Once downloaded, you need to extract the content.

sudo -sH
cd /opt
mkdir joomscan

cp joomscan-latest.zip /opt/joomscan/
rm joomscan-latest.zip

cd /opt/joomscan

unzip joomscan-latest.zip


Step 3 :

To run it.

sudo -sH
cd /opt/joomscan

perl joomscan.pl -u http://www.samiux.com


Step 4 :

To update it.

sudo -sH
cd /opt/joomscan

perl joomscan.pl update

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

Step 1 :

sudo -sH
cd /opt
wget http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.gz
tar -xvzf john-1.7.9-jumbo-7.tar.gz
mv john-1.7.9-jumbo-7 john
rm john-1.7.9-jumbo-7.tar.gz


Step 2 :

cd /opt/john/src

For 64-bit system :
# for general -
make clean linux-x86-64
# for cuda -
make clean linux-x86-64-cuda
# for opencl -
make clean linux-x86-64-opencl

For 32-bit system :
# for general -
make clean linux-x86-sse2
# for cuda -
make clean linux-x86-cuda
# for opencl -
make clean linux-x86-opencl

Step 3 :

To run it.

sudo -sH
cd /opt/john/run
./john
Fierce domain scan was born out of personal frustration after performing a web application security audit. It is traditionally very difficult to discover large swaths of a corporate network that is non-contiguous. It's terribly easy to run a scanner against an IP range, but if the IP ranges are nowhere near one another you can miss huge chunks of networks.

Step 1 :

sudo apt-get install libnet-dns*

sudo -sH
mkdir /opt/fierce
cd /opt/fierce

wget http://ha.ckers.org/fierce/fierce.pl
wget http://ha.ckers.org/fierce/hosts.txt


Step 2 :

sudo -sH
cd /opt/fierce
perl fierce.pl -dns samiux.com -wordlist hosts.txt -file output.txt

DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.

Step 1 :

sudo -sH

cd /opt

wget "http://downloads.sourceforge.net/project/dirbuster/DirBuster%20%28jar%20%2B%20lists%29/1.0-RC1/DirBuster-1.0-RC1.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fdirbuster%2Ffiles%2FDirBuster%2520%2528jar%2520%252B%2520lists%2529%2F1.0-RC1%2F&ts=1370262745&use_mirror=nchc" -O DirBuster-1.0-RC1.tar.bz2

tar -xjvf DirBuster-1.0-RC1.tar.bz2

mv DirBuster-1.0-RC1 DirBuster

rm DirBuster-1.0-RC1.tar.bz2


Step 2 :

To run it.

sudo -sH

cd /opt/DirBuster

./DirBuster-1.0-RC1.sh
When installing Ubuntu Desktop 12.04 LTS, select "nomodeset" by pressing F6 on the purple screen with the boot-up menu. The boot-up menu can be reached by pressing "Enter" or "Spacebar" when you see a keyboard and a human figure at the bottom of the screen during boot-up.

After the installation, the nvidia display driver is installed automatically.

Step 1 :

sudo add-apt-repository ppa:ginggs/backports
sudo apt-get update
sudo apt-get install nvidia-cuda-toolkit
Crunch is a wordlist generator that can use a standard character set or a character set you specify. Crunch can generate all possible combinations and permutations.

Step 1 :

sudo apt-get install build-essential

sudo -sH
cd /opt
git clone git://git.code.sf.net/p/crunch-wordlist/code crunch

cd /opt/crunch
make
make install

rm -R /pentest


Step 2 :

To run it.

sudo -sH
cd /opt/crunch
./crunch
Burp Suite helps you secure your web applications by finding the vulnerabilities they contain.

Step 1 :

sudo -sH
cd /opt
mkdir burpsuite
cd /opt/burpsuite

wget http://portswigger.net/burp/burpsuite_free_v1.5.jar


Step 2 :

To run it.

sudo -sH
cd /opt/burpsuite
java -jar burpsuite_free_v1.5.jar


You can create a shell script to make running it easier.
Step 1 :

nano beef/extensions/metasploit/config.yaml

Change "host", "callback_host" and "msf_path", where the last entry, "msf_path", should be the path of Metasploit.

It will look like this :



Remarks : you are not required to change the "host", you can keep it as 127.0.0.1. However, you need to change the "callback_host" as it is the reverse connection IP address and it should be a public IP address.

Step 2 :

nano beef/config.yaml

Go to "extension:" and change the "false" to "true" under "metasploit".

It will look like this.



Step 3 :

Start Metasploit :

sudo /etc/init.d/metasploit start
cd /opt/metasploit/app
sudo msfconsole
db_connect


Under the msfconsole :

load msgrpc ServerHost=127.0.0.1 Pass=abc123

Start BeEF :

cd beef
./beef


Point your Firefox to the following url :

http://192.168.1.102:3000/ui/panel

Enter username and password for both "beef" to login.

Remarks :

Please note that the above IP address (192.168.1.102) is just an example.



The BeEF site has a tutorial for browser autopwn with Metasploit. You can refer to here.
BeEF - The Browser Exploitation Framework Project is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Step 1 :

To download the latest version of BeEF to the current directory.

sudo -sH
cd /opt
apt-get install git
git clone git://github.com/beefproject/beef.git


Step 2 :

To install BeEF and its related packages.

cd beef

sudo apt-get install ruby1.9.1-dev libsqlite3-dev sqlite3 sqlite3-doc build-essential

sudo gem install bundler

sudo bundle install


Step 3 :

To run it.

sudo -sH
cd /opt/beef

./beef


Then point the Firefox to http://[your IP address]:3000/ui/panel

Step 4 :

To update it.

sudo -sH
cd /opt/beef

./update-beef


Remarks :

If you also installed Metasploit, you can integrate Metasploit with BeEF to perform attacks, such as browser autopwn.
Step 1 :

Go to the Burp Suite official site to download the free edition.

Then save it to Documents folder.

Step 2 :

Open a terminal.

nano burpsuite_free.sh

java -jar /Users/samiux/Documents/burpsuite_free_v1.5.jar


Replace "samiux" with your user name.

Step 3 :

Go to Java official site to download Java JRE

Step 4 :

Go to Tor official website to download and install "Tor Browser Bundle for 64-Bit Mac".

Step 5 :

Go to Privoxy official site to download Privoxy 3.0.21 64 bit.pkg and install.

Step 6 :

Open a terminal.

nano /usr/local/etc/privoxy/config

Append the following lines :

forward-socks5 / 127.0.0.1:9150 .
forward 192.168.*.*/ .


Restart the Mac.

Step 7 :

Open a terminal and go to the Documents folder.

./burpsuite_free.sh

Options >> Upstream Proxy Servers >> Add >> Proxy host >> 127.0.0.1
Options >> Upstream Proxy Servers >> Add >> Proxy port >> 8118

Step 8 :

Start "TorBrowser_en-US". The TorBrowser will launch.

TorBrowser >> Preferences >> Advanced >> Connection >> Settings

Select "Manual proxy configuration:".

HTTP Proxy >> 127.0.0.1 >> Port >> 8080
SOCKS Host >> 127.0.0.1 >> Port >> 9150

Step 9 :

Make sure Burp Suite is behind Tor by visiting cmyip.com

Remarks :

To install in Ubuntu 12.04 LTS is similar. However, the port 9150 will be port 9050.
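As an added check, not from the original post: the script below asks the Tor Project's own check API (https://check.torproject.org/api/ip, which answers with JSON such as {"IsTor":true,"IP":"..."}) through the Burp listener, so you can confirm that the Burp -> Privoxy -> Tor chain is really in the path rather than trusting a third-party IP site. It assumes Burp's proxy listener is at 127.0.0.1:8080 as configured above and that curl is installed; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): confirm that requests sent
# through the local Burp listener leave the machine via Tor.
# Assumptions: Burp listens on 127.0.0.1:8080 (override with BURP_PROXY),
# and it forwards to Privoxy/Tor as set up in the steps above.

BURP_PROXY="${BURP_PROXY:-http://127.0.0.1:8080}"
CHECK_URL="https://check.torproject.org/api/ip"

# Parse the API body, e.g. {"IsTor":true,"IP":"203.0.113.7"} (constructed
# sample), and print "tor <ip>" or "clearnet <ip>".
# Returns 1 when the body is not the expected JSON (e.g. a proxy error page).
parse_tor_check() {
    body="$1"
    ip=$(printf '%s' "$body" | sed -n 's/.*"IP":"\([^"]*\)".*/\1/p')
    case "$body" in
        *'"IsTor":true'*)  echo "tor $ip" ;;
        *'"IsTor":false'*) echo "clearnet $ip" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Fetch the check page via Burp and directly, print both results, and succeed
# only when the proxied request is seen as coming from a Tor exit.
# Exit codes: 0 chain OK, 1 chain leaks to clearnet, 2 request failed.
verify_chain() {
    via_proxy=$(curl -s --max-time 30 -x "$BURP_PROXY" "$CHECK_URL") || return 2
    direct=$(curl -s --max-time 30 "$CHECK_URL") || return 2
    p=$(parse_tor_check "$via_proxy") || return 1
    d=$(parse_tor_check "$direct") || { d="unknown"; }
    echo "through Burp: $p"
    echo "direct:       $d"
    case "$p" in
        tor*) return 0 ;;
        *)    return 1 ;;
    esac
}
```

Run `verify_chain` after starting the Tor Browser, Privoxy and Burp; a "clearnet" line for the proxied request means the upstream proxy setting in Burp is not taking effect and real traffic would expose your address.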

If any Questions Ping Us.

Step 1 :

If the following packages are not installed, you need to install them.

sudo apt-get install ruby1.9.1 build-essential

To download it.

For 32-bit systems :

wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x32-installer.run

chmod +x metasploit-latest-linux-x32-installer.run

sudo ./metasploit-latest-linux-x32-installer.run



For 64-bit systems :

wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run

chmod +x metasploit-latest-linux-x64-installer.run

sudo ./metasploit-latest-linux-x64-installer.run



Follow the instructions on the screen. You can choose your installation directory; the default is /opt/metasploit. Select to install Metasploit as a service.

Step 2 :

To register your community edition. If you don't, you cannot update the Metasploit. Point your Firefox to the following url :

https://localhost:3790/

You need to wait about 3 to 5 minutes for the initialization. It shouldn't take longer than that.

Fill in the blank and you will receive the license key for activation. Then, activate the copy.

Step 2a :

sudo update-rc.d metasploit disable

Step 3 :

To run it.

sudo -sH
/etc/init.d/metasploit start
cd /opt/metasploit/app
sudo msfconsole


Step 4 :

To update it.

sudo -sH
/etc/init.d/metasploit start
cd /opt/metasploit/app
msfupdate


*** Make sure you wait for at least 3 minutes before executing "msfupdate", as Metasploit needs time to load all the necessary modules after it is started.

Remarks :

If you do not select to install as service, you need to do the following to start the Metasploit.

sudo /opt/metasploit/ctlscript.sh start

Hey Guys I am making a Penetration Testing Linux Distro & I need a name for it could u plzz suggest me one ... so far following are the suggestions I got