no42

Long live the Snake's Legacy.

$5 wrench technique always a winner: https://xkcd.com/538/

and he becomes a master / ducky-jedi

Depends on how the database/system is implemented? Part 1: Getting access to the database. SQL injection through web applications is usually the most common ways, as web applications are so common these days. What people sometimes forgot is that binary/native/thick applications can also communicate with databases, and sometimes a network port is available. But usually if the application is in the public domain a web gateway is used to proxy the database traffic; as opposed to internal (eg. corporate) domains will have the databases accessible across an internal network. With logical access to the database services; you can try many other attacks; brute-force the login, apply any remote code election exploits, some database versions even suffer authentication bypasses. Part 2: Configuration of the database With access to the database, the next step is usually a privilege escalation to get database administrator (DBA) privileges; some databases are misconfigured that you may have logged in as the DBA. But if you haven't, your looking for a weakness in the functionality or a stored procedure to give you extra permissions or alternatively brute-force the dab admins credentials. Once dba privileges have been achieved you can plunder all the databases stored on the affected server. In addition to all the associated users passwords hashes; its likely that passwords are repeated by developers on other systems, or could be domain-accounts leading to further compromise.

Do you have a USB keyboard? and can you use a USB sniffer to captcha the key combination of \ looks like the encoder needs to be updated.

Does the following work? CTRL-ALT \

Just look at the ducky decode website, any newer encoders are now on google drive. Another way is to post the inject.bin file; i can easily reverse it; or hopefully others can, I'm pretty sporadic on here these days

Can you try the offline encoders? I want to figure out what version this bug might have crept in. Thanks ~

You have 2 options: 1) Use 2x HackRFs (1x receiver, 1x transmitter) - due to the 1/2 duplex nature 2) Use a bladeRF - as its full-duplex

Source code is available, just make the necessary changes and recompile.

This is currently only possible in the hard-coded firmware. Currently not possible in DuckyScript. Hardcode.zip

Easy enough to implement, I just don't have the time these days. The source is available, a suggestion would be to do it your-self.