maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-web/rsql-injection.md'] to sw

Browse Source
This commit is contained in:
Translator 2025-04-15 00:02:14 +00:00
parent 41208039ca
commit 2f24316735
1 changed files with 49 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
src/pentesting-web/rsql-injection.md
View File

@ -7,7 +7,7 @@
## RSQL Injection ## RSQL Injection
## What is RSQL? ## What is RSQL?
RSQL ni lugha ya kuandika maswali iliyoundwa kwa ajili ya kuchuja pembejeo kwa kutumia vigezo katika RESTful APIs. Imejengwa kwa msingi wa FIQL (Feed Item Query Language), ambayo ilitolewa awali na Mark Nottingham kwa ajili ya kuuliza Atom feeds, RSQL inajitofautisha kwa urahisi wake na uwezo wa kueleza maswali magumu kwa njia fupi na inayokubalika na URI juu ya HTTP. Hii inafanya kuwa chaguo bora kama lugha ya jumla ya maswali kwa kutafuta mwisho wa REST. RSQL ni lugha ya kuandika maswali iliyoundwa kwa ajili ya kuchuja pembejeo kwa kutumia vigezo katika RESTful APIs. Imejengwa kwa msingi wa FIQL (Feed Item Query Language), ambayo ilitolewa awali na Mark Nottingham kwa ajili ya kuuliza Atom feeds, RSQL inajitofautisha kwa urahisi wake na uwezo wa kueleza maswali magumu kwa njia fupi na inayokubalika na URI juu ya HTTP. Hii inafanya kuwa chaguo bora kama lugha ya maswali ya jumla kwa kutafuta mwisho wa REST.
## Overview ## Overview
RSQL Injection ni udhaifu katika programu za wavuti zinazotumia RSQL kama lugha ya maswali katika RESTful APIs. Kama [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection) na [LDAP Injection](https://owasp.org/www-community/attacks/LDAP_Injection), udhaifu huu hutokea wakati vichujio vya RSQL havijasafishwa ipasavyo, ikiruhusu mshambuliaji kuingiza maswali mabaya ili kufikia, kubadilisha au kufuta data bila idhini. RSQL Injection ni udhaifu katika programu za wavuti zinazotumia RSQL kama lugha ya maswali katika RESTful APIs. Kama [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection) na [LDAP Injection](https://owasp.org/www-community/attacks/LDAP_Injection), udhaifu huu hutokea wakati vichujio vya RSQL havijasafishwa ipasavyo, ikiruhusu mshambuliaji kuingiza maswali mabaya ili kufikia, kubadilisha au kufuta data bila idhini.
@ -17,42 +17,42 @@ RSQL inakuwezesha kujenga maswali ya juu katika RESTful APIs, kwa mfano:
```bash ```bash
/products?filter=price>100;category==electronics /products?filter=price>100;category==electronics
``` ```
Hii inatafsiri kama ombi lililo na muundo linalochuja bidhaa zenye bei zaidi ya 100 na kundi "electronics". Hii inatafsiri kama ombi lililo na muundo ambalo linachuja bidhaa zenye bei zaidi ya 100 na kundi "electronics".
Ikiwa programu haithibitishi ipasavyo pembejeo za mtumiaji, mshambuliaji anaweza kubadilisha chujio ili kutekeleza maombi yasiyotarajiwa, kama vile: Ikiwa programu haitathmini ipasavyo pembejeo za mtumiaji, mshambuliaji anaweza kubadilisha chujio ili kutekeleza maombi yasiyotarajiwa, kama:
```bash ```bash
/products?filter=id=in=(1,2,3);delete_all==true /products?filter=id=in=(1,2,3);delete_all==true
``` ```
Or even take advantage to extract sensitive information with Boolean queries or nested subqueries. Au hata kutumia fursa ya kutoa taarifa nyeti kwa kutumia maswali ya Boolean au subqueries zilizozungushwa.
## Risks ## Hatari
- **Ufunuo wa data nyeti:** Mshambuliaji anaweza kupata taarifa ambazo hazipaswi kupatikana. - **Ufunuo wa data nyeti:** Mshambuliaji anaweza kupata taarifa ambazo hazipaswi kupatikana.
- **Mabadiliko au kufutwa kwa data:** Kuingiza vichujio vinavyobadilisha rekodi za hifadhidata. - **Mabadiliko au kufutwa kwa data:** Kuingiza vichujio vinavyobadilisha rekodi za hifadhidata.
- **Kuongezeka kwa mamlaka:** Manipulation ya vitambulisho vinavyotoa majukumu kupitia vichujio ili kudanganya programu kwa kufikia kwa mamlaka ya watumiaji wengine. - **Kuongezeka kwa mamlaka:** Manipulation ya vitambulisho vinavyotoa majukumu kupitia vichujio ili kudanganya programu kwa kufikia kwa mamlaka ya watumiaji wengine.
- **Kuepuka udhibiti wa ufikiaji:** Manipulation ya vichujio ili kufikia data zilizozuiliwa. - **Kuepuka udhibiti wa ufikiaji:** Manipulation ya vichujio ili kufikia data zilizozuiliwa.
- **Ujanja au IDOR:** Mabadiliko ya vitambulisho kati ya watumiaji kupitia vichujio vinavyoruhusu ufikiaji wa taarifa na rasilimali za watumiaji wengine bila kuthibitishwa ipasavyo kama hivyo. - **Ujanja au IDOR:** Mabadiliko ya vitambulisho kati ya watumiaji kupitia vichujio vinavyoruhusu ufikiaji wa taarifa na rasilimali za watumiaji wengine bila kuthibitishwa ipasavyo kama hivyo.
## Supported RSQL operators ## Watoa huduma wa RSQL wanaoungwa mkono
| Operator | Description | Example | | Opereta | Maelezo | Mfano |
|:----: |:----: |:------------------:| |:----: |:----: |:------------------:|
| `;` / `and` | Logical **AND** operator. Filters rows where *both* conditions are *true* | `/api/v2/myTable?q=columnA==valueA;columnB==valueB` | | `;` / `and` | Opereta wa **AND** wa kimantiki. Huchuja safu ambapo *masharti yote* ni *ya kweli* | `/api/v2/myTable?q=columnA==valueA;columnB==valueB` |
| `,` / `or` | Logical **OR** operator. Filters rows where *at least one* condition is *true*| `/api/v2/myTable?q=columnA==valueA,columnB==valueB` | | `,` / `or` | Opereta wa **OR** wa kimantiki. Huchuja safu ambapo *angalau moja* ya masharti ni *ya kweli*| `/api/v2/myTable?q=columnA==valueA,columnB==valueB` |
| `==` | Performs an **equals** query. Returns all rows from *myTable* where values in *columnA* exactly equal *queryValue* | `/api/v2/myTable?q=columnA==queryValue` | | `==` | Hufanya uchunguzi wa **sawa**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni sawa kabisa na *queryValue* | `/api/v2/myTable?q=columnA==queryValue` |
| `=q=` | Performs a **search** query. Returns all rows from *myTable* where values in *columnA* contain *queryValue* | `/api/v2/myTable?q=columnA=q=queryValue` | | `=q=` | Hufanya uchunguzi wa **kutafuta**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* zina *queryValue* | `/api/v2/myTable?q=columnA=q=queryValue` |
| `=like=` | Performs a **like** query. Returns all rows from *myTable* where values in *columnA* are like *queryValue* | `/api/v2/myTable?q=columnA=like=queryValue` | | `=like=` | Hufanya uchunguzi wa **kama**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni kama *queryValue* | `/api/v2/myTable?q=columnA=like=queryValue` |
| `=in=` | Performs an **in** query. Returns all rows from *myTable* where *columnA* contains *valueA* OR *valueB* | `/api/v2/myTable?q=columnA=in=(valueA, valueB)` | | `=in=` | Hufanya uchunguzi wa **ndani**. Inarudisha safu zote kutoka *myTable* ambapo *columnA* ina *valueA* AU *valueB* | `/api/v2/myTable?q=columnA=in=(valueA, valueB)` |
| `=out=` | Performs an **exclude** query. Returns all rows of *myTable* where the values in *columnA* are neither *valueA* nor *valueB* | `/api/v2/myTable?q=columnA=out=(valueA,valueB)` | | `=out=` | Hufanya uchunguzi wa **ondoa**. Inarudisha safu zote za *myTable* ambapo thamani katika *columnA* si *valueA* wala *valueB* | `/api/v2/myTable?q=columnA=out=(valueA,valueB)` |
| `!=` | Performs a *not equals* query. Returns all rows from *myTable* where values in *columnA* do not equal *queryValue* | `/api/v2/myTable?q=columnA!=queryValue` | | `!=` | Hufanya uchunguzi wa *sio sawa*. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* si sawa na *queryValue* | `/api/v2/myTable?q=columnA!=queryValue` |
| `=notlike=` | Performs a **not like** query. Returns all rows from *myTable* where values in *columnA* are not like *queryValue* | `/api/v2/myTable?q=columnA=notlike=queryValue` | | `=notlike=` | Hufanya uchunguzi wa **sio kama**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* si kama *queryValue* | `/api/v2/myTable?q=columnA=notlike=queryValue` |
| `<` & `=lt=` | Performs a **lesser than** query. Returns all rows from *myTable* where values in *columnA* are lesser than *queryValue* | `/api/v2/myTable?q=columnA<queryValue` <br> `/api/v2/myTable?q=columnA=lt=queryValue` | | `<` & `=lt=` | Hufanya uchunguzi wa **chini ya**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni chini ya *queryValue* | `/api/v2/myTable?q=columnA<queryValue` <br> `/api/v2/myTable?q=columnA=lt=queryValue` |
| `=le=` & `<=` | Performs a **lesser than** or **equal to** query. Returns all rows from *myTable* where values in *columnA* are lesser than or equal to *queryValue* | `/api/v2/myTable?q=columnA<=queryValue` <br> `/api/v2/myTable?q=columnA=le=queryValue` | | `=le=` & `<=` | Hufanya uchunguzi wa **chini ya** au **sawa na**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni chini ya au sawa na *queryValue* | `/api/v2/myTable?q=columnA<=queryValue` <br> `/api/v2/myTable?q=columnA=le=queryValue` |
| `>` & `=gt=` | Performs a **greater than** query. Returns all rows from *myTable* where values in *columnA* are greater than *queryValue* | `/api/v2/myTable?q=columnA>queryValue` <br> `/api/v2/myTable?q=columnA=gt=queryValue` | | `>` & `=gt=` | Hufanya uchunguzi wa **zaidi ya**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni zaidi ya *queryValue* | `/api/v2/myTable?q=columnA>queryValue` <br> `/api/v2/myTable?q=columnA=gt=queryValue` |
| `>=` & `=ge=` | Performs a **equal** to or **greater than** query. Returns all rows from *myTable* where values in *columnA* are equal to or greater than *queryValue* | `/api/v2/myTable?q=columnA>=queryValue` <br> `/api/v2/myTable?q=columnA=ge=queryValue` | | `>=` & `=ge=` | Hufanya uchunguzi wa **sawa na** au **zaidi ya**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni sawa na au zaidi ya *queryValue* | `/api/v2/myTable?q=columnA>=queryValue` <br> `/api/v2/myTable?q=columnA=ge=queryValue` |
| `=rng=` | Performs a **from to** query. Returns all rows from *myTable* where values in *columnA* are equal or greater than the *fromValue*, and lesser than or equal to the *toValue* | `/api/v2/myTable?q=columnA=rng=(fromValue,toValue)` | | `=rng=` | Hufanya uchunguzi wa **kuanzia hadi**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni sawa au zaidi ya *fromValue*, na chini ya au sawa na *toValue* | `/api/v2/myTable?q=columnA=rng=(fromValue,toValue)` |
**Note**: Table based on information from [**MOLGENIS**](https://molgenis.gitbooks.io/molgenis/content/) and [**rsql-parser**](https://github.com/jirutka/rsql-parser) applications. **Kumbuka**: Jedwali lina msingi wa taarifa kutoka [**MOLGENIS**](https://molgenis.gitbooks.io/molgenis/content/) na [**rsql-parser**](https://github.com/jirutka/rsql-parser) programu.
#### Examples #### Mifano
- name=="Kill Bill";year=gt=2003 - name=="Kill Bill";year=gt=2003
- name=="Kill Bill" and year>2003 - name=="Kill Bill" and year>2003
- genres=in=(sci-fi,action);(director=='Christopher Nolan',actor==*Bale);year=ge=2000 - genres=in=(sci-fi,action);(director=='Christopher Nolan',actor==*Bale);year=ge=2000
@ -62,35 +62,34 @@ Or even take advantage to extract sensitive information with Boolean queries or
- genres=in=(sci-fi,action);genres=out=(romance,animated,horror),director==Que*Tarantino - genres=in=(sci-fi,action);genres=out=(romance,animated,horror),director==Que*Tarantino
- genres=in=(sci-fi,action) and genres=out=(romance,animated,horror) or director==Que*Tarantino - genres=in=(sci-fi,action) and genres=out=(romance,animated,horror) or director==Que*Tarantino
**Note**: Table based on information from [**rsql-parser**](https://github.com/jirutka/rsql-parser) application. **Kumbuka**: Jedwali lina msingi wa taarifa kutoka [**rsql-parser**](https://github.com/jirutka/rsql-parser) programu.
## Common filters ## Vichujio vya kawaida
These filters help refine queries in APIs: Vichujio hivi husaidia kuboresha maswali katika APIs:
| Filter | Description | Example | | Kichujio | Maelezo | Mfano |
|--------|------------|---------| |--------|------------|---------|
| `filter[users]` | Filters results by specific users | `/api/v2/myTable?filter[users]=123` | | `filter[users]` | Huchuja matokeo kwa watumiaji maalum | `/api/v2/myTable?filter[users]=123` |
| `filter[status]` | Filters by status (active/inactive, completed, etc.) | `/api/v2/orders?filter[status]=active` | | `filter[status]` | Huchuja kwa hali (hai/siyo hai, kukamilika, nk.) | `/api/v2/orders?filter[status]=active` |
| `filter[date]` | Filters results within a date range | `/api/v2/logs?filter[date]=gte:2024-01-01` | | `filter[date]` | Huchuja matokeo ndani ya kipindi cha tarehe | `/api/v2/logs?filter[date]=gte:2024-01-01` |
| `filter[category]` | Filters by category or resource type | `/api/v2/products?filter[category]=electronics` | | `filter[category]` | Huchuja kwa aina au aina ya rasilimali | `/api/v2/products?filter[category]=electronics` |
| `filter[id]` | Filters by a unique identifier | `/api/v2/posts?filter[id]=42` | | `filter[id]` | Huchuja kwa kitambulisho cha kipekee | `/api/v2/posts?filter[id]=42` |
## Parameta za kawaida
Parameta hizi husaidia kuboresha majibu ya API:
## Common parameters | Parameta | Maelezo | Mfano |
These parameters help optimize API responses:
| Parameter | Description | Example |
|-----------|------------|---------| |-----------|------------|---------|
| `include` | Includes related resources in the response | `/api/v2/orders?include=customer,items` | | `include` | Inajumuisha rasilimali zinazohusiana katika jibu | `/api/v2/orders?include=customer,items` |
| `sort` | Sorts results in ascending or descending order | `/api/v2/users?sort=-created_at` | | `sort` | Hupanga matokeo kwa mpangilio wa kuongezeka au kupungua | `/api/v2/users?sort=-created_at` |
| `page[size]` | Controls the number of results per page | `/api/v2/products?page[size]=10` | | `page[size]` | Inadhibiti idadi ya matokeo kwa kila ukurasa | `/api/v2/products?page[size]=10` |
| `page[number]` | Specifies the page number | `/api/v2/products?page[number]=2` | | `page[number]` | Inabainisha nambari ya ukurasa | `/api/v2/products?page[number]=2` |
| `fields[resource]` | Defines which fields to return in the response | `/api/v2/users?fields[users]=id,name,email` | | `fields[resource]` | Inafafanua ni maeneo gani ya kurudishwa katika jibu | `/api/v2/users?fields[users]=id,name,email` |
| `search` | Performs a more flexible search | `/api/v2/posts?search=technology` | | `search` | Hufanya utafutaji wa kubadilika zaidi | `/api/v2/posts?search=technology` |
## Information leakage and enumeration of users ## Ufunuo wa taarifa na uhesabuji wa watumiaji
The following request shows a registration endpoint that requires the email parameter to check if there is any user registered with that email and return a true or false depending on whether or not it exists in the database: Ombi lifuatalo linaonyesha mwisho wa usajili ambao unahitaji parameta ya barua pepe ili kuangalia kama kuna mtumiaji yeyote aliyejiandikisha kwa barua pepe hiyo na kurudisha kweli au uongo kulingana na kama ipo katika hifadhidata:
### Request ### Ombi
``` ```
GET /api/registrations HTTP/1.1 GET /api/registrations HTTP/1.1
Host: localhost:3000 Host: localhost:3000
@ -239,7 +238,7 @@ Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: * Access-Control-Allow-Origin: *
``` ```
Tena tunatumia filters na opereta maalum ambazo zitaturuhusu njia mbadala ya kupata taarifa za watumiaji na kuepuka udhibiti wa ufikiaji. Kwa mfano, chujio kwa wale *watumiaji* ambao wana herufi “*a*” katika *ID* yao ya mtumiaji: Tena tunatumia filters na opereta maalum ambazo zitaturuhusu njia mbadala ya kupata taarifa za watumiaji na kuepuka udhibiti wa ufikiaji. Kwa mfano, chujio kwa *watumiaji* ambao wana herufi “*a*” katika *ID* yao ya mtumiaji:
### Request ### Request
``` ```
GET /api/users?filter[users]=id=in=(*a*) HTTP/1.1 GET /api/users?filter[users]=id=in=(*a*) HTTP/1.1
@ -313,9 +312,9 @@ Access-Control-Allow-Origin: *
}, { }, {
................ ................
``` ```
## Kuinua Haki ## Privilege Escalation
Ni uwezekano mkubwa kupata mwisho fulani ambao huangalia haki za mtumiaji kupitia jukumu lao. Kwa mfano, tunashughulika na mtumiaji ambaye hana haki: Ni uwezekano mkubwa kupata mwisho fulani ambao huangalia haki za mtumiaji kupitia jukumu lao. Kwa mfano, tunashughulika na mtumiaji ambaye hana haki:
### Ombi ### Request
``` ```
GET /api/companyUsers?include=role HTTP/1.1 GET /api/companyUsers?include=role HTTP/1.1
Host: localhost:3000 Host: localhost:3000
@ -348,7 +347,7 @@ Access-Control-Allow-Origin: *
"data": [] "data": []
} }
``` ```
Kwa kutumia opereta fulani tunaweza kuhesabu watumiaji wa usimamizi: Kwa kutumia opereta fulani tunaweza kuhesabu watumiaji wa msimamizi:
### Request ### Request
``` ```
GET /api/companyUsers?include=role&filter[companyUsers]=user.id=='94****************************' HTTP/1.1 GET /api/companyUsers?include=role&filter[companyUsers]=user.id=='94****************************' HTTP/1.1
@ -460,7 +459,7 @@ Access-Control-Allow-Origin: *
....... .......
``` ```
## Impersonate or Insecure Direct Object References (IDOR) ## Impersonate or Insecure Direct Object References (IDOR)
Mbali na matumizi ya parameter ya `filter`, inawezekana kutumia parameters nyingine kama `include` ambayo inaruhusu kujumuisha katika matokeo parameters fulani (kwa mfano lugha, nchi, nywila...). Mbali na matumizi ya parameter ya `filter`, inawezekana kutumia parameters nyingine kama `include` ambayo inaruhusu kujumuisha katika matokeo parameters fulani (mfano: lugha, nchi, nywila...).
Katika mfano ufuatao, taarifa za wasifu wetu wa mtumiaji zinaonyeshwa: Katika mfano ufuatao, taarifa za wasifu wetu wa mtumiaji zinaonyeshwa:
### Request ### Request