Mysql Cheat Sheet Github

I create my own checklist for the first but very important step: Enumeration.

Mysql Cheat Sheet Github 2020
Php Mysql Github
Github Action Mysql
Mysql Cheat Sheet Github Download

Resources

Useful exploits: https://github.com/jivoi/pentest

SQL cheat sheet Basic Queries Views- filter your columns SELECT col1, col2, col3. FROM table1 - filter the rows WHERE col4 = 1 AND col5 = 2 - aggregate the data GROUP by - limit aggregated data HAVING count(.) 1 - order of the results ORDER BY col2 Useful keywords for SELECTS: DISTINCT. SQL injection A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. Attempting to manipulate SQL queries may have goals including: Information Leakage Disclosure of stored data Manipulation of stored data Bypassing authorisation controls Summary CheatSheet MSSQL Injection CheatSheet MySQL Injection CheatSheet. $ mysql # on another terminal mysql UPDATE mysql.user SET password=PASSWORD('newpass') WHERE user='root'; ## Switch back to the mysqldsafe terminal and kill the process using Control + $ /etc/init.d/mysql start Your commands may vary depending on your OS. 0 Comments for this cheatsheet.

MySQL Cheat Sheet.graffle Author: Jonathan Davis Created Date: 2200Z. MySQL command-line client Commands. Connect to MySQL server using mysql command-line.

Port 80/443/8000/8080 - HTTP

Web page

Open the web page, check http/https, check certificates to get users/emails
Click the plugin Wappalyzer to check web service & programming languages
Check robots.txt to get hidden folders: curl -i $IP/robots.txt
Run nikto -h $IP -p $PORT
Click all the links on the web page & always view page sources (Ctrl + u), focusing on href, comments or keywords like password, login , upload…
If directory Allow: PUT, try to upload text file then reverse shell through it
Get folders/files
Download suspicious images & check: exiftool $IMG, strings $IMG, xxd $IMG, steghide, binwalk $IMG
For open-source services, could download the codes and browse files to have better understanding on their functionalities, parameters, …
Searchsploit for every service, software version
Check path traversal on Linux and on Windows

Login forms

Check common creds: admin/admin, admin/password, root/root, administrator/?, guest/guest …
Search default creds of the web service on Google, documentations or usages (default users: admin, root, root@localhost …)
Capture http-post-form using BurpSuite
Brute-force with wfuzz using SecLists’s passwords (tut)

SQL injection

First try ', 1' or '1'='1-- -, ' or '1'='1-- -, ' or 1=1-- -

Tutorials

Cheat sheet: http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
http://www.thegreycorner.com/2017/01/exploiting-difficult-sql-injection.html
Blind SQL injection
- HTB-Falafel: write Python script to brute force admin’s password
HTB-Charon: change UNION to UNIoN to bypass the filter, bash script to enumerate a large number of rows in a table to get interesting creds
MariaDB
- HHC2016 - Analytics: play with Burp Sequencer to capture the Cookies
Oracle SQL
- Tutorial: http://www.securityidiots.com/Web-Pentest/SQL-Injection/Union-based-Oracle-Injection.html
- https://www.doyler.net/security-not-included/oracle-command-execution-sys-shell
- Cheat sheet: http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet
MSSQL (Stacked Query)
- https://www.exploit-db.com/papers/12975
- https://perspectiverisk.com/mysql-sql-injection-practical-cheat-sheet/?_ga=2.122859595.1915973150.1589228589-1090418158.1589228589
- http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
- https://webcache.googleusercontent.com/search?q=cache:KtfxjonYw58J:https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/+&cd=1&hl=en&ct=clnk&gl=frhttp://www.securityidiots.com/Web-Pentest/SQL-Injection/MSSQL/MSSQL-Error-Based-Injection.html
- https://gracefulsecurity.com/sql-injection-cheat-sheet-mssql/
- Using xp_cmdshell:
  - https://github.com/xMilkPowderx/OSCP/blob/master/SQLi.md, https://github.com/garyhooks/oscp/blob/master/REFERENCE/mssql.md
  - HTB-Fighter
- Bypass filters: https://portswigger.net/support/sql-injection-bypassing-common-filters
- sqhs
MySQL
- Cheat sheet, https://gracefulsecurity.com/sql-injection-cheat-sheet-mysql/
- VH-DC 9: tut
SQL Out-of-band exploitation
- (https://gracefulsecurity.com/sql-injection-out-of-band-exploitation/)
- HTB-Giddy
NoSQL
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection
- HTB-Mango

LFI/RFI

Use Nikto, which will sometimes return LFI/RFI
Use Nmap’s HTTP NSE scripts
Check version names of the known CMS with know vulnerabilities, then simply Googling the version or whatever identifiable information
Bruteforce for directories and files, if PHPINFO() is present, check for allow_url and other indicators
If all else fails, fuzz parameter passings. Try to understand what the application is doing, many times it’s obvious that the parameter is looking for another file, like to a webpage; I.e: whatever.php?=home // this is looking to grab “home” which is likely a file stored locally. Try removing the value home, see how the server reacts. Try to read local files you know should exist on the file, depending on the OS maybe /etc/passwd for Linux and boot.ini for Windows. Use PHP wrappers such as php://filter/convert.base64-encode/resource=index to try to read the actual file whatever.php’s source code. This will convert it to base64 to prevent execution via the webserver. Decode it and you get the source code. Watch verbose error messages

Tutorials

https://0ff5ec.com/lfi-rfi/
https://highon.coffee/blog/lfi-cheat-sheet/#how-to-get-a-shell-from-lfi
https://www.hackingarticles.in/5-ways-exploit-lfi-vulnerability/
https://medium.com/@Aptive/local-file-inclusion-lfi-web-application-penetration-testing-cc9dc8dd3601

PHP

phpLiteAdmin: VH-Zico2
Simple PHP Blog (sphpblog): VH-PwnOS

Wordpress

Brute-force http://$IP/wp-admin, http://$IP/wp-login.php
Metasploit
- brute-force: msf > use auxiliary/scanner/http/wordpress_login_enum
Check http://$IP/wp-content/themes, http://$IP/wp-content/uploads
Possible attack vectors:
- After login, upload php reverse shell in 404.php of a theme (wp-content/themes/twentynineteen/404.php)
- msf > use exploit/unix/webapp/wp_admin_shell_upload
- Upload malicious plugins in zip
Frontrow port devices driver download. Check interesting files: /var/www/wp-config.php
Check plugins’ vulnerability
- WordPress Plugin User Role Editor (https://www.exploit-db.com/exploits/44595): THM-Jack

Writeups

Upload shell: VH-Stapler, VH-Mr. Robot
ReFlex Gallery plugin: VH-Web Developer 1
Activity Monitor plugin: VH-DC06

Joomla

Joomla 3.7.0 SQLi: https://github.com/XiphosResearch/exploits/tree/master/Joomblah

Drupal

Check /CHANGELOG.txt for Drupal version
Find endpoint_path and Services Endpoint
Attack vectors:
- Drupal 7.x Module Services - Remote Code Execution
- Drupalgeddon2 (March 2018): exploit
- Drupalgeddon3 (April 2018): exploit

Tutorials

Writeups

Drupal v7.54: HTB-Bastard
VH-DC1

Apache Tomcat

Try default creds in /manager: (tomcat/s3cret)
Deploy reverse shell in WAR format

Writeups

WebDAV

Port 21 - FTP

nmap scripts in /usr/share/nmap/scripts/
searchsploit FTP version
Metasploit
- Check version: msf> use auxiliary/scanner/ftp/ftp_version
- Anonymous login: msf> use auxiliary/scanner/ftp/anonymous
- Brute-force: msf> use auxiliary/scanner/ftp/ftp_login
Brute-force with hydra
Check whether we can upload a shell, if so how to trigger the shell
Examine configuration files: ftpusers, ftp.conf, proftpd.conf

Tutorials

https://hackercool.com/2017/07/hacking-ftp-telnet-and-ssh-metasploitable-tutorials/

Very Secure FTP Daemon (vsftpd)

Writeups

v2.3.4 exploit
- HTB-Lame, HTB-LaCasaDePapel