MySQL Fast Exploitation using json_arrayagg()

This commit is contained in:
Swissky 2020-09-23 17:19:34 +02:00
parent 4d5c10965d
commit a478356f43
3 changed files with 29 additions and 1 deletions

View File

@ -10,6 +10,7 @@
* [Weak Password Reset Token](#weak-password-reset-token) * [Weak Password Reset Token](#weak-password-reset-token)
* [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting) * [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
* [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling) * [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
* [Account Takeover via CSRF](#account-takeover-via-csrf)
* [References](#references) * [References](#references)
## Password Reset Feature ## Password Reset Feature
@ -117,12 +118,25 @@ Refer to **HTTP Request Smuggling** vulnerability page.
X: X X: X
``` ```
### Account Takeover via CSRF
1. Create a payload for the CSRF, e.g: "HTML form with auto submit for a password change"
2. Send the payload
Hackerone reports exploiting this bug Hackerone reports exploiting this bug
* https://hackerone.com/reports/737140 * https://hackerone.com/reports/737140
* https://hackerone.com/reports/771666 * https://hackerone.com/reports/771666
## TODO
* Broken cryptography
* Session hijacking
* OAuth misconfiguration
## References ## References
- [10 Password Reset Flaws - Anugrah SR](http://anugrahsr.me/posts/10-Password-reset-flaws/) - [10 Password Reset Flaws - Anugrah SR](http://anugrahsr.me/posts/10-Password-reset-flaws/)
- [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be) - [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be)
- [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28)
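Review bot: the new CSRF section's two steps omit the precondition that makes an auto-submitting password-change form succeed and that a reader needs to verify before relying on it: the endpoint must accept the change with only the ambient session cookie, i.e. no anti-CSRF token, no SameSite cookie attribute blocking the cross-site POST, and no current-password or re-authentication check; a sentence noting that any one of those controls is the fix would make the section as useful for remediation as for testing. Two small wording fixes in the same hunk: `e.g:` should read `e.g.`, and `Hackerone reports exploiting this bug` wants a trailing colon since a list follows it. The Broken Cryptography reference is added while `Broken cryptography` is still listed under TODO, so either the link should move when that section is written or the TODO entry should point at it.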

View File

@ -12,6 +12,7 @@
## Tools ## Tools
* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/) * [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
* [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html)
## Prerequisites ## Prerequisites
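Review bot: the new `PostMessage POC Builder` entry lacks the short description the sibling `Corsy` entry carries, so the reader cannot tell from the list what the tool produces or how it relates to the CORS material on this page; suggest a few words after the link saying what kind of proof of concept it generates for `window.postMessage` listeners so the Tools list stays self-describing.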

View File

@ -28,6 +28,7 @@
* [Into dumpfile method](#into-dumpfile-method) * [Into dumpfile method](#into-dumpfile-method)
* [MYSQL UDF command execution](#mysql-udf-command-execution) * [MYSQL UDF command execution](#mysql-udf-command-execution)
* [MYSQL Truncation](#mysql-truncation) * [MYSQL Truncation](#mysql-truncation)
* [MYSQL Fast Exploitation](#mysql-fast-exploitation)
* [MYSQL Out of band](#mysql-out-of-band) * [MYSQL Out of band](#mysql-out-of-band)
* [DNS exfiltration](#dns-exfiltration) * [DNS exfiltration](#dns-exfiltration)
* [UNC Path - NTLM hash stealing](#unc-path---ntlm-hash-stealing) * [UNC Path - NTLM hash stealing](#unc-path---ntlm-hash-stealing)
@ -421,6 +422,18 @@ In MYSQL "`admin `" and "`admin`" are the same. If the username column in the da
Payload: `username = "admin a"` Payload: `username = "admin a"`
## MYSQL Fast Exploitation
Requirement: `MySQL >= 5.7.22`
Use `json_arrayagg()` instead of `group_concat()` which allows less symbols to be displayed
* group_concat() = 1024 symbols
* json_arrayagg() > 16,000,000 symbols
```sql
SELECT json_arrayagg(concat_ws(0x3a,table_schema,table_name)) from INFORMATION_SCHEMA.TABLES;
```
## MYSQL UDF command execution ## MYSQL UDF command execution
First you need to check if the UDF are installed on the server. First you need to check if the UDF are installed on the server.
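Review bot: the sentence `which allows less symbols to be displayed` states the opposite of what the bullets beneath it show (1024 vs. >16,000,000) and of the section's purpose; it should read `which allows more characters to be returned in a single row` or similar. The `1024 symbols` figure for `group_concat()` is the default of the `group_concat_max_len` system variable, not a hard limit, so `by default` belongs in that bullet. In the query, `from INFORMATION_SCHEMA.TABLES` should be capitalised as `FROM` to match the rest of the statement, and a short note that `0x3a` is the `:` separator passed to `concat_ws()` would help readers. Finally, the heading order in this hunk (Truncation, Fast Exploitation, UDF command execution) does not match the table of contents updated in the previous hunk, where `MYSQL UDF command execution` precedes `MYSQL Truncation`; that mismatch predates this commit but is worth fixing while the TOC is being edited.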