From a478356f43018dc8163d0d260437e0452863c7bf Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 23 Sep 2020 17:19:34 +0200 Subject: [PATCH] MySQL Fast Exploitation using json_arrayagg() --- Account Takeover/README.md | 16 +++++++++++++++- CORS Misconfiguration/README.md | 1 + SQL Injection/MySQL Injection.md | 13 +++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/Account Takeover/README.md b/Account Takeover/README.md index 47ec720..81e096e 100644 --- a/Account Takeover/README.md +++ b/Account Takeover/README.md @@ -10,6 +10,7 @@ * [Weak Password Reset Token](#weak-password-reset-token) * [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting) * [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling) +* [Account Takeover via CSRF](#account-takeover-via-csrf) * [References](#references) ## Password Reset Feature 
@@ -117,12 +118,25 @@ Refer to **HTTP Request Smuggling** vulnerability page. X: X ``` +### Account Takeover via CSRF + +1. Create a payload for the CSRF, e.g: "HTML form with auto submit for a password change" +2. Send the payload + Hackerone reports exploiting this bug * https://hackerone.com/reports/737140 * https://hackerone.com/reports/771666 +## TODO + +* Broken cryptography +* Session hijacking +* OAuth misconfiguration + + ## References - [10 Password Reset Flaws - Anugrah SR](http://anugrahsr.me/posts/10-Password-reset-flaws/) -- [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be) \ No newline at end of file +- [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be) +- [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28) \ No newline at end of file diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index 71efbe2..16c25a9 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md @@ -12,6 +12,7 @@ ## Tools * [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/) +* [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html) ## Prerequisites diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 85d43eb..6da55b8 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md 
@@ -28,6 +28,7 @@ * [Into dumpfile method](#into-dumpfile-method) * [MYSQL UDF command execution](#mysql-udf-command-execution) * [MYSQL Truncation](#mysql-truncation) +* [MYSQL Fast Exploitation](#mysql-fast-exploitation) * [MYSQL Out of band](#mysql-out-of-band) * [DNS exfiltration](#dns-exfiltration) * [UNC Path - NTLM hash stealing](#unc-path---ntlm-hash-stealing) @@ -421,6 +422,18 @@ In MYSQL "`admin `" and "`admin`" are the same. If the username column in the da Payload: `username = "admin a"` +## MYSQL Fast Exploitation + +Requirement: `MySQL >= 5.7.22` + +Use `json_arrayagg()` instead of `group_concat()` which allows less symbols to be displayed +* group_concat() = 1024 symbols +* json_arrayagg() > 16,000,000 symbols + +```sql +SELECT json_arrayagg(concat_ws(0x3a,table_schema,table_name)) from INFORMATION_SCHEMA.TABLES; +``` + ## MYSQL UDF command execution First you need to check if the UDF are installed on the server.
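Review bot: in the `Account Takeover/README.md` hunk `@@ -117,12 +118,25 @@`, the new `### Account Takeover via CSRF` section is inserted between the end of the HTTP Request Smuggling example (`X: X` and its closing fence) and the existing line `Hackerone reports exploiting this bug`, so the two HackerOne links that previously belonged to the smuggling section now read as CSRF write-ups. Either move the new section below those links (before `## TODO`) or give the CSRF section its own reports list. The two steps themselves (`1. Create a payload for the CSRF ... 2. Send the payload`) also omit what the scenario depends on and how it is prevented; a one-line precondition (the password-change request is accepted without an anti-CSRF token and without the current password, and the session cookie is sent on cross-site requests) and a one-line mitigation (per-session CSRF token, `SameSite` cookie attribute, re-authentication for password changes) would make the entry usable for both testers and defenders. Smaller points: `e.g:` should be `e.g.`, the `## TODO` list is placeholder content sitting between the examples and `## References`, and the file still ends without a trailing newline (`\ No newline at end of file` appears on both the old and new last line).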
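Review bot: the tool added under `## Tools` in the `CORS Misconfiguration/README.md` hunk `@@ -12,6 +12,7 @@` is a `postMessage` proof-of-concept builder, which exercises `window.postMessage` listener origin checks rather than CORS response headers, so it does not fit the page's topic as listed. Suggest moving it to a page covering `postMessage` / DOM-based issues, or, if it stays here, adding a short purpose note so readers do not reach for it when testing `Access-Control-Allow-Origin` handling, for example: `* [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html) - builds a PoC page for testing postMessage listener origin validation`.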
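Review bot: in the `SQL Injection/MySQL Injection.md` hunk `@@ -421,6 +422,18 @@`, the sentence `Use json_arrayagg() instead of group_concat() which allows less symbols to be displayed` states the opposite of what the two bullets below it show (`group_concat() = 1024 symbols` versus `json_arrayagg() > 16,000,000 symbols`), and the dangling `which` attaches the limit to the wrong function. Suggest rewording to: `Use json_arrayagg() instead of group_concat(): group_concat() output is truncated to 1024 characters by default, while json_arrayagg() can return more than 16,000,000.` It is also worth noting that 1024 is a default rather than a fixed limit (it is governed by the `group_concat_max_len` server variable), since the comparison does not hold on a server where that variable has been raised, and "symbols" should read "characters" throughout. Style point on the code block: the query mixes `SELECT` and `from`; the rest of the page uppercases SQL keywords, so `FROM INFORMATION_SCHEMA.TABLES` would match.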