Web CTF Notes
SQLi
SQLite3
Database info
sqlite_master - schema table
  name - table name
MySQL
Database info
Command Injection
; && | - separators for chaining commands
' or " - for closing strings
# - comment
%0a - execute two commands in different lines. ex: ls . %0a id
`ls` $(ls) - command substitution
Web Cache
Deception
Tricking a cache into sending you a stored response that was generated for another user's request, which leaks sensitive information about that user depending on the response contents.
Poisoning
Being able to store a malicious entry in a cache that is then served to other users.
Prototype Pollution
Keywords
__proto__
constructor.prototype
__defineGetter__
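Why those keywords matter, as an added example that is not part of these notes: a recursive merge that copies attacker-controlled JSON into an object walks up through __proto__ and writes onto Object.prototype, so every object in the process inherits the injected property. The hardened version refuses the three keys above and only recurses into own properties. Plain Node.js, no dependencies; the payload is a constructed sample.

```javascript
// Added example, not part of the original notes: a merge vulnerable to
// prototype pollution next to a hardened one. Payload below is constructed.

// VULNERABLE: recurses into whatever target[key] resolves to, including the
// inherited Object.prototype when key is "__proto__".
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value); // key "__proto__" lands on Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: drop the polluting keys and never recurse into inherited objects.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) {
        target[key] = Object.create(null); // nested containers have no prototype at all
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Shows the effect of the same payload through both merges. JSON.parse keeps
// "__proto__" as an ordinary own property, so Object.keys() returns it.
function demo() {
  const payload = '{"__proto__": {"isAdmin": true}}';
  const before = ({}).isAdmin;                  // undefined
  unsafeMerge({}, JSON.parse(payload));
  const afterUnsafe = ({}).isAdmin;             // true: every object is now "admin"
  delete Object.prototype.isAdmin;              // undo the pollution for the next step
  safeMerge({}, JSON.parse(payload));
  const afterSafe = ({}).isAdmin;               // undefined: key was dropped
  return { before, afterUnsafe, afterSafe };
}
```

Detection tip for code review: any deep-merge, deep-clone, or "set by dotted path" helper that indexes objects with user-supplied keys is a candidate; the fix is the key check plus an own-property check, not escaping.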
Session Hijacking
Apache Tomcat
Cookie tossing?
Technologies
GraphQL
- Batched queries
FULL Introspection Query
{
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    subscriptionType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      args {
        ...InputValue
      }
    }
  }
}

fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}

fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}

fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
      }
    }
  }
}
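The introspection result is a large nested JSON document, so it helps to have a small reader for it. As an added example (not part of these notes), the Node.js code below takes a response in the __schema shape the query above returns, lists the root query/mutation/subscription fields with their argument types, and collects every field still served as deprecated. It is useful on the defending side too, for auditing what your own API exposes before deciding whether introspection should stay enabled. The sample response is constructed, not captured from a real server.

```javascript
// Added example, not part of the original notes: reads the JSON returned by
// the introspection query above and lists root operations (with argument
// types) plus every deprecated field. The sample response below is
// constructed to match the __schema shape; it is not a captured one.

// Renders a TypeRef (kind/name/ofType chain) in GraphQL notation, e.g. [User!]!
function typeName(t) {
  if (!t) return "?";
  if (t.kind === "NON_NULL") return typeName(t.ofType) + "!";
  if (t.kind === "LIST") return "[" + typeName(t.ofType) + "]";
  return t.name || "?";
}

// One signature string per field of the root type that `ref` points at.
function rootFields(ref, byName) {
  if (!ref) return [];                        // e.g. subscriptionType: null
  const type = byName.get(ref.name);
  return ((type && type.fields) || []).map((f) => {
    const args = (f.args || []).map((a) => a.name + ": " + typeName(a.type));
    return f.name + "(" + args.join(", ") + "): " + typeName(f.type);
  });
}

function summarizeSchema(result) {
  const schema = result.data.__schema;
  const byName = new Map(schema.types.map((t) => [t.name, t]));
  const deprecated = [];
  for (const t of schema.types) {
    for (const f of t.fields || []) {
      if (f.isDeprecated) {
        const why = f.deprecationReason ? " (" + f.deprecationReason + ")" : "";
        deprecated.push(t.name + "." + f.name + why);
      }
    }
  }
  return {
    queries: rootFields(schema.queryType, byName),
    mutations: rootFields(schema.mutationType, byName),
    subscriptions: rootFields(schema.subscriptionType, byName),
    deprecated,
  };
}

// Constructed sample in the shape the full introspection query produces.
const named = (kind, name) => ({ kind, name, ofType: null });
const nonNull = (inner) => ({ kind: "NON_NULL", name: null, ofType: inner });
const list = (inner) => ({ kind: "LIST", name: null, ofType: inner });
const arg = (name, type) => ({ name, description: null, type, defaultValue: null });
const field = (name, args, type, extra = {}) =>
  ({ name, description: null, args, type, isDeprecated: false, deprecationReason: null, ...extra });

const SAMPLE_INTROSPECTION = {
  data: {
    __schema: {
      queryType: { name: "Query" },
      mutationType: { name: "Mutation" },
      subscriptionType: null,
      types: [
        { kind: "OBJECT", name: "Query", fields: [
          field("user", [arg("id", nonNull(named("SCALAR", "ID")))], named("OBJECT", "User")),
          field("allUsers", [], nonNull(list(nonNull(named("OBJECT", "User")))),
                { isDeprecated: true, deprecationReason: "use users(first:)" }),
        ] },
        { kind: "OBJECT", name: "Mutation", fields: [
          field("resetPassword", [arg("email", nonNull(named("SCALAR", "String")))],
                named("SCALAR", "Boolean")),
        ] },
        { kind: "OBJECT", name: "User", fields: [field("id", [], nonNull(named("SCALAR", "ID")))] },
        { kind: "SCALAR", name: "ID", fields: null },
      ],
      directives: [],
    },
  },
};

function demo() {
  return summarizeSchema(SAMPLE_INTROSPECTION);
}
```

Deprecated fields are worth a second look during review: the query asks for them explicitly (includeDeprecated: true) because they often keep working long after the main client stopped using them.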