#1
Manually found blind SQLi!! BUT the website uses a WAF, no "SELECT", "SLEEP" allowed!
Custom backend, the only info I got is that they're using Nginx.

Now, functions are also banned: Function(). BUT, I found a simple bypass: using a %20 as the argument still executes on MariaDB or MySQL: Database(%20) !!!!
Also, load_file("path") is allowed! Nice!

Wrote a simple script, got the database name and other basic info. Remember, no SELECT.

Three questions:

1) I am not able to make DNS exfiltration work, and I don't want to use a personal server for obvious reasons. Can someone point me to a free service and a working example?

2) I can exfiltrate files, and they use nginx, but there is no /etc/nginx/nginx.conf file there. What other interesting files could I try to exfiltrate?

3) Any ideas on how to get RCE? Remember, SELECT cannot be used!! Tried many variations of the primitive: using comments, mixed-case letters (SeLeCT), an initial 0x00 byte, different encodings, bypassing any non-recursive regex (SEselectLECT), and also all the tampers from sqlmap (which doesn't find ANY INJECTION AT ALL); none work.


This is a BIG company lol, they have many security checks in place: CSRF tokens, 2FA, WAF, http-proxy (or load-balancer), port scanning obfuscation, and so on. How cool would it be to defeat them with a simple SQLi? LOL


Hoping for your precious help my guys!
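From the defender's side, the interesting detail in this post is why the WAF missed `Database(%20)`: a rule that matches the literal `name()` never sees the URL-encoded space inside the parentheses. The example below is added here and is not the poster's script or any real WAF's rule set; it contrasts such a naive rule with one that URL-decodes, case-folds and collapses whitespace before matching, run over constructed parameter values modelled on the post.

```python
import re
from urllib.parse import unquote

# Constructed request parameter values modelled on the post (not real traffic).
SAMPLES = {
    "benign": "id=42",
    "plain_call": "id=42 and database()",
    "space_arg": "id=42%20and%20Database(%20)",      # the bypass from the post
    "load_file": "id=42 and load_file('/etc/passwd')",
}

# Naive rule, as the post's WAF apparently behaves: a literal name followed by "()".
# It is case-sensitive and is never given the decoded value.
NAIVE_FUNC = re.compile(r"\b\w+\(\)")

# Hardened rule: after normalisation, any identifier followed by "(" is a call,
# whatever (if anything) sits between the parentheses.
FUNC_CALL = re.compile(r"\b([a-z_]\w*)\s*\(")
# Assumed watch list of SQL functions a blind-injection probe tends to use.
WATCHED = {"database", "load_file", "sleep", "benchmark", "version", "user"}


def normalize(value: str) -> str:
    """URL-decode (twice, for %2520-style double encoding), lowercase,
    strip inline comments and collapse whitespace, so that
    'Database(%20)' becomes 'database( )'."""
    text = unquote(unquote(value)).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)


def naive_flag(value: str) -> bool:
    """True if the literal-match rule would block the raw value."""
    return bool(NAIVE_FUNC.search(value))


def hardened_flag(value: str) -> list[str]:
    """Watched function names found in the value after normalisation."""
    text = normalize(value)
    found = {m.group(1) for m in FUNC_CALL.finditer(text) if m.group(1) in WATCHED}
    return sorted(found)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:11} naive={naive_flag(raw)!s:5} hardened={hardened_flag(raw)}")
```

The normalisation step is the point: matching on the raw, encoded value is what lets a one-byte change in the argument slip past a keyword rule.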