MySQL Fast Exploitation using json_arrayagg()
parent
4d5c10965d
commit
a478356f43
|
@ -10,6 +10,7 @@
|
|||
* [Weak Password Reset Token](#weak-password-reset-token)
|
||||
* [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
|
||||
* [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
|
||||
* [Account Takeover via CSRF](#account-takeover-via-csrf)
|
||||
* [References](#references)
|
||||
|
||||
## Password Reset Feature
|
||||
|
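Review bot: the new table-of-contents entry `* [Account Takeover via CSRF](#account-takeover-via-csrf)` writes "via" in lowercase while its neighbours use "Via" (`Account Takeover Via Cross Site Scripting`, `Account Takeover Via HTTP Request Smuggling`); suggest `* [Account Takeover Via CSRF](#account-takeover-via-csrf)` so the list reads consistently. The anchor itself is fine either way, since markdown heading anchors are lowercased and it resolves to the `### Account Takeover via CSRF` heading added in the next hunk.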
@ -117,12 +118,25 @@ Refer to **HTTP Request Smuggling** vulnerability page.
|
|||
X: X
|
||||
```
|
||||
|
||||
### Account Takeover via CSRF
|
||||
|
||||
1. Create a payload for the CSRF, e.g: "HTML form with auto submit for a password change"
|
||||
2. Send the payload
|
||||
|
||||
Hackerone reports exploiting this bug
|
||||
* https://hackerone.com/reports/737140
|
||||
* https://hackerone.com/reports/771666
|
||||
|
||||
|
||||
## TODO
|
||||
|
||||
* Broken cryptography
|
||||
* Session hijacking
|
||||
* OAuth misconfiguration
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [10 Password Reset Flaws - Anugrah SR](http://anugrahsr.me/posts/10-Password-reset-flaws/)
|
||||
- [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be)
|
||||
- [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be)
|
||||
- [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28)
|
|
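Review bot: the References list now carries the same entry twice: `- [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be)` appears on two consecutive lines, so one copy should go. The new CSRF section is also too thin to be useful as documentation: step 1 names the payload idea but never states the precondition, namely that the password-change request is accepted without an anti-CSRF token and without the current password, which is also exactly what the fix has to add; suggest one line before the steps, e.g. "Prerequisite: the password-change endpoint does not validate a CSRF token or require the current password." Minor: "Hackerone reports exploiting this bug" should read "HackerOne reports exploiting this bug:".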
@ -12,6 +12,7 @@
|
|||
## Tools
|
||||
|
||||
* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
|
||||
* [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html)
|
||||
|
||||
## Prerequisites
|
||||
|
||||
|
|
|
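Review bot: the added tool `* [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html)` is listed under the CORS page's Tools with no hint of its purpose. postMessage origin checks are a separate mechanism from the `Access-Control-Allow-Origin` handling this page is about, so a reader scanning the list cannot tell when to reach for it; add a short description of what it builds (a postMessage proof-of-concept page) or a note that it addresses the postMessage variant, the way `Corsy - CORS Misconfiguration Scanner` describes itself in its own entry.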
@ -28,6 +28,7 @@
|
|||
* [Into dumpfile method](#into-dumpfile-method)
|
||||
* [MYSQL UDF command execution](#mysql-udf-command-execution)
|
||||
* [MYSQL Truncation](#mysql-truncation)
|
||||
* [MYSQL Fast Exploitation](#mysql-fast-exploitation)
|
||||
* [MYSQL Out of band](#mysql-out-of-band)
|
||||
* [DNS exfiltration](#dns-exfiltration)
|
||||
* [UNC Path - NTLM hash stealing](#unc-path---ntlm-hash-stealing)
|
||||
|
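Review bot: the new entry `* [MYSQL Fast Exploitation](#mysql-fast-exploitation)` matches the `## MYSQL Fast Exploitation` heading added later in this patch, so the anchor resolves. The list it joins no longer mirrors the body, though: it places `MYSQL UDF command execution` before `MYSQL Truncation`, while in the body the UDF section comes after Truncation and after the new Fast Exploitation section (the `## MYSQL UDF command execution` heading immediately follows it in the last hunk). That is pre-existing, but since this patch touches both the list and the body it is the cheap moment to move the `MYSQL UDF command execution` entry to sit after `MYSQL Fast Exploitation`.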
@ -421,6 +422,18 @@ In MYSQL "`admin `" and "`admin`" are the same. If the username column in the da
|
|||
|
||||
Payload: `username = "admin a"`
|
||||
|
||||
## MYSQL Fast Exploitation
|
||||
|
||||
Requirement: `MySQL >= 5.7.22`
|
||||
|
||||
Use `json_arrayagg()` instead of `group_concat()` which allows less symbols to be displayed
|
||||
* group_concat() = 1024 symbols
|
||||
* json_arrayagg() > 16,000,000 symbols
|
||||
|
||||
```sql
|
||||
SELECT json_arrayagg(concat_ws(0x3a,table_schema,table_name)) from INFORMATION_SCHEMA.TABLES;
|
||||
```
|
||||
|
||||
## MYSQL UDF command execution
|
||||
|
||||
First you need to check if the UDF are installed on the server.
|
||||
|
|
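Review bot: the sentence "Use `json_arrayagg()` instead of `group_concat()` which allows less symbols to be displayed" says the opposite of what the two bullets show; `group_concat()` is the one that gets truncated, so reword to "Use `json_arrayagg()` instead of `group_concat()`, which is limited in how much output it can return". The `1024 symbols` figure is the default of the `group_concat_max_len` system variable, in bytes, not a hard limit; naming the variable explains why a given server may behave differently and lets an administrator recognise an unusually large value when reviewing configuration. The `json_arrayagg()` figure should likewise say what bounds it in practice (the server's `max_allowed_packet`, which caps the size of any JSON value) rather than stand as a bare number. Minor: "symbols" reads oddly here; "characters" or "bytes" is the usual term.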