SQLI CheatSheet
SQLI Syntax On Multiple DMBS's
Transfering a payload to a host isn’t always as simple as using ftp, spinning up an smbserver/webserver, or using ssh. Sometimes we have to be a bit creative because the vector of transimission might be something like a stacked query in a sqli. Whatever the case is we the ability transmit binaries as strings while protecting them from getting corrupted en route is powerful.
There are four general steps:
It’s worthwile to try compressing the binary with upx.
upx -9 nc.exe
When we are converting payloads to strings its good practice to make the payload be a one line string.This means removing non printable characters such as carriage returns(0x0D), line feeds(0xA), vertical(0xB)/horizontal tabs(0x09), and anything other non essential characters. My preferred way to do this is with awk.
awk 'BEGIN{RS="\1";ORS="";getline;gsub("\t,"");gsub("\n"," ");print}'
We can remove as many characters as we need with gsubs.
Another handy thing is that we can specify characters with in hexadecimal notation.
awk 'BEGIN{RS="\1";ORS="";getline;gsub("\x09","");gsub("\n"," ");print}'
Here is an example with nc.exe.
We create a hex string of the binary on kali with:
# we want to trim the newlines otherwise we'll get cucked.
xxd -p /usr/share/windows-resources/binaries/nc.exe | tr -d \\n > nc-hex.txt
Next on windows we can turn in back into a binary with:
# read the textfile as single ASCII string
$hex = [System.IO.File]::ReadAllText('C:\Windows\temp\donkey.hex', [System.Text.Encoding]::ASCII)
# convert to bytes and write these as new binary file
[System.IO.File]::WriteAllBytes('C:\Windows\temp\donkey.exe', ($hex -split '(.{2})' -ne '' -replace '^', '0X'))
We can combine the two statements into the one liner below:
[System.IO.File]::WriteAllBytes('C:\Windows\temp\donkey.exe', ("$(gc 'C:\Windows\temp\donkey.hex')" -split '(.{2})' -ne '' -replace '^', '0X'))
If necessary we can specific an encoding to get-content via then -encoding parameter.
[System.IO.File]::WriteAllBytes('C:\Windows\temp\donkey.exe', ("$(gc 'C:\Windows\temp\donkey.hex' -encoding UTF8)" -split '(.{2})' -ne '' -replace '^', '0X'))
On the other hand, if we are on a windows host we can use powershell to create a hex dump of a binary in place of xxd (for exfiltrating a binary for example).
# read the binary data as byte array
[byte[]]$data = [System.IO.File]::ReadAllBytes('C:\Windows\temp\donkey.hex')
# write to new file as string of hex encoded characters
[System.IO.File]::WriteAllText('C:\Windows\temp\donkey.exe',[System.BitConverter]::ToString($data).Replace('-',''), [System.Text.Encoding]::ASCII)
$to_encode = get-content file
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($to_encode))
$encoded = get-content file
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded)) | write-output
With some limitiations we can b64 encode/decode in dos using certutil.
certutil.exe -encode file-to-encode output-file
certutil.exe -decode file-to-decode output-file
base64 file | tr -d '\n'
base64 -d file | tr -d '\n'
This reads as match two characters and insert a percent character after each.
sed 's/../%&/g'
The is a bit more clear in powershell, note that the ^ in replace is regex the beginning of a match.
"$(gc 'C:\Windows\temp\donkey.hex')" -split '(.{2})' -ne '' -replace '^', '%'