LookOut Discovering RCE and Internal Access on Looker (Googl...

src/network-services-pentesting/pentesting-web/git.md

@@ -41,8 +41,24 @@ ls .git/hooks
 * **TruffleHog v3+**: entropy+regex with automatic Git history traversal. `trufflehog git file://$PWD --only-verified --json > secrets.json`
 * **Gitleaks** (v8+): fast regex ruleset, can scan unpacked tree or full history. `gitleaks detect -v --source . --report-format json --report-path gitleaks.json`
 
+### Server-side Git integration RCE via `hooksPath` override
+
+Modern web apps that integrate Git repos sometimes **rewrite `.git/config` using user-controlled identifiers**. If those identifiers are concatenated into `hooksPath`, you can redirect Git hooks to an attacker-controlled directory and execute arbitrary code when the server runs native Git (e.g., `git commit`). Key steps:
+
+* **Path traversal in `hooksPath`**: if a repo name/dependency name is copied into `hooksPath`, inject `../../..` to escape the intended hooks directory and point to a writable location. This is effectively a [path traversal](../../pentesting-web/file-inclusion/README.md) in Git config.
+* **Force the target directory to exist**: when the application performs server-side clones, abuse clone destination controls (e.g., a `ref`/branch/path parameter) to make it clone into `../../git_hooks` or a similar traversal path so intermediate folders are created for you.
+* **Ship executable hooks**: set the executable bit inside Git metadata so every clone writes the hook with mode `100755`:
+  ```bash
+  git update-index --chmod=+x pre-commit
+  ```
+  Add your payload (reverse shell, file dropper, etc.) to `pre-commit`/`post-commit` in that repo.
+* **Find a native Git code path**: libraries like **JGit** ignore hooks. Hunt for deployment flows/flags that fall back to system Git (e.g., forcing deploy-with-attached-repo parameters) so hooks will actually run.
+* **Race the config rewrite**: if the app sanitizes `.git/config` right before running Git, spam the endpoint that writes your malicious `hooksPath` while triggering the Git action to win a [race condition](../../pentesting-web/race-condition.md) and get your hook executed.
+
 ## References
 
 - [holly-hacker/git-dumper – parallel fast /.git dumper](https://github.com/holly-hacker/git-dumper)
 - [Ebryx/GitDump](https://github.com/Ebryx/GitDump)
+- [LookOut: RCE and internal access on Looker (Tenable)](https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout)
+
 {{#include ../../banners/hacktricks-training.md}}

src/pentesting-web/sql-injection/mysql-injection/README.md

@@ -247,18 +247,31 @@ Mitigations:
 Notes:
 - Prepared statements do not protect against semantic abuse of `REGEXP` or search operators. An input like `.*` remains a permissive regex even inside a quoted `REGEXP '.*'`. Use allow-lists or explicit guards.
 
+## Error-based exfiltration via `updatexml()`
+
+When the application only returns SQL errors (not raw result sets), you can leak data through MySQL error strings:
+
+```sql
+dimension: id {
+  type: number
+  sql: updatexml(null, concat(0x7e, IFNULL((SELECT name FROM project_state LIMIT 1 OFFSET 0), 'NULL'), 0x7e, '///'), null) ;;
+}
+```
+
+`updatexml()` raises an XPATH error that embeds the concatenated string, so the value from the inner `SELECT` appears in the error response between delimiters (`0x7e` = `~`). Iterate `LIMIT 1 OFFSET N` to enumerate rows. This works even when the UI forces “boolean” tests because the error message is still surfaced.
+
 ## Other MYSQL injection guides
 
 - [PayloadsAllTheThings – MySQL Injection cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
 
 ## References
 
-- [PayloadsAllTheThings – MySQL Injection cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
 - [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
 - [MySQL Full-Text Search – Boolean mode](https://dev.mysql.com/doc/refman/8.4/en/fulltext-boolean.html)
 - [MySQL Full-Text Search – Overview](https://dev.mysql.com/doc/refman/8.4/en/fulltext-search.html)
 - [MySQL REGEXP documentation](https://dev.mysql.com/doc/refman/8.4/en/regexp.html)
 - [ReDisclosure: New technique for exploiting Full-Text Search in MySQL (myBB case study)](https://exploit.az/posts/wor/)
-
+- [LookOut: RCE and internal access on Looker (Tenable)](https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout)
 
 {{#include ../../../banners/hacktricks-training.md}}
+