Attack Queries

Once the injectable parameters and DBMS type are identified we need to attack the database. Below you will find various section to aid you in escalating privileges, exfiltrating data, and more.

Information Gathering

It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. Below are common methods for this.

Data Targeting

Being able to properly target and identify sensitive information can exponentially decrease time spent in a database. This means less time spent poking around and more time spent researching other vectors.

Privilege Escalation

Certain functionalities require a privileged user and for escalating a vulnerability a privileged user is always the first step.

Executing OS Commands

Running an OS command is one of the primary objectives of SQL injection, this aids in getting full control of the host OS. This may happen by directly executing commands, modifying existing data to put a shell on a webpage, or exploiting hidden functionality in the database.

Reading and Writing Files

Reading and writing to files aids in data gathering as well as data exfiltration. Many methods include writing to the webroot, which enables a web shell to be executed, or allowing data to be exfiltrated over port 80/443.

Lateral Movement

Lateral movement allows a tester to gain access to different sets of functionality/data that don't explicitly require a more privileged user. Switching user accounts laterally will expose different information and could aid in compromising a more privileged user.

Data Exfiltration

Exfiltrating data allows easier data analysis, as well as an offline copy of any compromised data. Data can be exfiltrated through files, various Layer 4 requests, and hidden techniques.

© 2017 Copyright by NetSPI. All rights reserved.