mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 19:06:12 +00:00
MySQL Fast Exploitation using json_arrayagg()
This commit is contained in:
parent
4d5c10965d
commit
a478356f43
@ -10,6 +10,7 @@
|
|||||||
* [Weak Password Reset Token](#weak-password-reset-token)
|
* [Weak Password Reset Token](#weak-password-reset-token)
|
||||||
* [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
|
* [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
|
||||||
* [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
|
* [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
|
||||||
|
* [Account Takeover via CSRF](#account-takeover-via-csrf)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
## Password Reset Feature
|
## Password Reset Feature
|
||||||
@ -117,12 +118,25 @@ Refer to **HTTP Request Smuggling** vulnerability page.
|
|||||||
X: X
|
X: X
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Account Takeover via CSRF
|
||||||
|
|
||||||
|
1. Create a payload for the CSRF, e.g: "HTML form with auto submit for a password change"
|
||||||
|
2. Send the payload
|
||||||
|
|
||||||
Hackerone reports exploiting this bug
|
Hackerone reports exploiting this bug
|
||||||
* https://hackerone.com/reports/737140
|
* https://hackerone.com/reports/737140
|
||||||
* https://hackerone.com/reports/771666
|
* https://hackerone.com/reports/771666
|
||||||
|
|
||||||
|
|
||||||
|
## TODO
|
||||||
|
|
||||||
|
* Broken cryptography
|
||||||
|
* Session hijacking
|
||||||
|
* OAuth misconfiguration
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [10 Password Reset Flaws - Anugrah SR](http://anugrahsr.me/posts/10-Password-reset-flaws/)
|
- [10 Password Reset Flaws - Anugrah SR](http://anugrahsr.me/posts/10-Password-reset-flaws/)
|
||||||
- [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be)
|
- [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be)
|
||||||
|
- [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28)
|
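Review bot: the new "Account Takeover via CSRF" steps omit the precondition that makes them applicable: the password-change request must be accepted without an anti-CSRF token, without a `SameSite`-protected session cookie, and without re-entering the current password. Suggest stating that up front, before "1. Create a payload for the CSRF, ...", and pairing it with the corresponding mitigations (per-request CSRF token, `SameSite` cookies, current-password confirmation on password change) so a reader knows both when the finding applies and what closes it. Minor: "e.g:" should read "e.g.:", and the added TODO list (Broken cryptography, Session hijacking, OAuth misconfiguration) now sits between the body and the References section; placing it after References would keep the references attached to the content they support.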
@ -12,6 +12,7 @@
|
|||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
|
* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
|
||||||
|
* [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html)
|
||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
|
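Review bot: the added `PostMessage POC Builder` entry is placed in a Tools list whose only other entry is a CORS misconfiguration scanner (Corsy); `window.postMessage` listener checks are a separate origin-validation issue from CORS response headers, so either add a short clause saying what the tool is for in this context (testing the origin checks of `postMessage` handlers) or move the entry to a section that covers postMessage explicitly, otherwise readers will expect it to test CORS headers.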
@ -28,6 +28,7 @@
|
|||||||
* [Into dumpfile method](#into-dumpfile-method)
|
* [Into dumpfile method](#into-dumpfile-method)
|
||||||
* [MYSQL UDF command execution](#mysql-udf-command-execution)
|
* [MYSQL UDF command execution](#mysql-udf-command-execution)
|
||||||
* [MYSQL Truncation](#mysql-truncation)
|
* [MYSQL Truncation](#mysql-truncation)
|
||||||
|
* [MYSQL Fast Exploitation](#mysql-fast-exploitation)
|
||||||
* [MYSQL Out of band](#mysql-out-of-band)
|
* [MYSQL Out of band](#mysql-out-of-band)
|
||||||
* [DNS exfiltration](#dns-exfiltration)
|
* [DNS exfiltration](#dns-exfiltration)
|
||||||
* [UNC Path - NTLM hash stealing](#unc-path---ntlm-hash-stealing)
|
* [UNC Path - NTLM hash stealing](#unc-path---ntlm-hash-stealing)
|
||||||
@ -421,6 +422,18 @@ In MYSQL "`admin `" and "`admin`" are the same. If the username column in the da
|
|||||||
|
|
||||||
Payload: `username = "admin a"`
|
Payload: `username = "admin a"`
|
||||||
|
|
||||||
|
## MYSQL Fast Exploitation
|
||||||
|
|
||||||
|
Requirement: `MySQL >= 5.7.22`
|
||||||
|
|
||||||
|
Use `json_arrayagg()` instead of `group_concat()` which allows less symbols to be displayed
|
||||||
|
* group_concat() = 1024 symbols
|
||||||
|
* json_arrayagg() > 16,000,000 symbols
|
||||||
|
|
||||||
|
```sql
|
||||||
|
SELECT json_arrayagg(concat_ws(0x3a,table_schema,table_name)) from INFORMATION_SCHEMA.TABLES;
|
||||||
|
```
|
||||||
|
|
||||||
## MYSQL UDF command execution
|
## MYSQL UDF command execution
|
||||||
|
|
||||||
First you need to check if the UDF are installed on the server.
|
First you need to check if the UDF are installed on the server.
|
||||||
|
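Review bot: the sentence "Use `json_arrayagg()` instead of `group_concat()` which allows less symbols to be displayed" reads as if `json_arrayagg()` were the more limited function; the relative clause belongs to `group_concat()`. Suggest: "Use `json_arrayagg()` instead of `group_concat()`, whose output is truncated to `group_concat_max_len` characters (1024 by default)." The two bullets should say "characters" rather than "symbols", and the 1024 figure should be labelled as the default, since the server variable can be raised and the truncation then moves. The `Requirement: MySQL >= 5.7.22` line is correct (`JSON_ARRAYAGG()` was introduced in 5.7.22) and could state that reason inline. Style: the sample query mixes `SELECT` with lowercase `from`; the other queries on the page use uppercase keywords, so `FROM` would be consistent.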