mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-29 07:45:26 +00:00
Jetty RCE
This commit is contained in:
commit
11271d9072
6
BOOKS.md
@ -20,9 +20,9 @@
|
|||||||
- [OWASP Testing Guide: Stable](https://owasp.org/www-project-web-security-testing-guide/stable/)
|
- [OWASP Testing Guide: Stable](https://owasp.org/www-project-web-security-testing-guide/stable/)
|
||||||
- [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman (2014)](https://nostarch.com/pentesting)
|
- [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman (2014)](https://nostarch.com/pentesting)
|
||||||
- [Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments by Matt Burrough (2018)](https://nostarch.com/azure)
|
- [Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments by Matt Burrough (2018)](https://nostarch.com/azure)
|
||||||
- [Pratical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis)
|
- [Practical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis)
|
||||||
- [Pratical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging)
|
- [Practical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging)
|
||||||
- [Pratical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking)
|
- [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking)
|
||||||
- [Practical Doomsday: A User's Guide to the End of the World by Michal Zalewski (2022)](https://nostarch.com/practical-doomsday)
|
- [Practical Doomsday: A User's Guide to the End of the World by Michal Zalewski (2022)](https://nostarch.com/practical-doomsday)
|
||||||
- [Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray (2022)](https://nostarch.com/practical-social-engineering)
|
- [Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray (2022)](https://nostarch.com/practical-social-engineering)
|
||||||
- [Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski (2019)](https://nostarch.com/bughunting)
|
- [Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski (2019)](https://nostarch.com/bughunting)
|
||||||
|
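Review bot: after the three "Pratical" → "Practical" fixes, the Practical Binary Analysis entry still has a lowercase "instrumentation" inside an otherwise title-cased book title; the No Starch title is "Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly", so capitalize "Instrumentation" in the same line while it is being touched.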
@ -6,30 +6,41 @@
|
|||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Tools](#tools)
|
- [File Inclusion](#file-inclusion)
|
||||||
* [Basic LFI](#basic-lfi)
|
- [Summary](#summary)
|
||||||
* [Null byte](#null-byte)
|
- [Tools](#tools)
|
||||||
* [Double encoding](#double-encoding)
|
- [Basic LFI](#basic-lfi)
|
||||||
* [UTF-8 encoding](#utf-8-encoding)
|
- [Null byte](#null-byte)
|
||||||
* [Path and dot truncation](#path-and-dot-truncation)
|
- [Double encoding](#double-encoding)
|
||||||
* [Filter bypass tricks](#filter-bypass-tricks)
|
- [UTF-8 encoding](#utf-8-encoding)
|
||||||
* [Basic RFI](#basic-rfi)
|
- [Path and dot truncation](#path-and-dot-truncation)
|
||||||
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
- [Filter bypass tricks](#filter-bypass-tricks)
|
||||||
* [Wrapper php://filter](#wrapper-phpfilter)
|
- [Basic RFI](#basic-rfi)
|
||||||
* [Wrapper zip://](#wrapper-zip)
|
- [Null byte](#null-byte-1)
|
||||||
* [Wrapper data://](#wrapper-data)
|
- [Double encoding](#double-encoding-1)
|
||||||
* [Wrapper expect://](#wrapper-expect)
|
- [Bypass allow_url_include](#bypass-allow_url_include)
|
||||||
* [Wrapper input://](#wrapper-input)
|
- [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
||||||
* [Wrapper phar://](#wrapper-phar)
|
- [Wrapper php://filter](#wrapper-phpfilter)
|
||||||
* [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
|
- [Wrapper zip://](#wrapper-zip)
|
||||||
* [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
|
- [Wrapper data://](#wrapper-data)
|
||||||
* [LFI to RCE via upload](#lfi-to-rce-via-upload)
|
- [Wrapper expect://](#wrapper-expect)
|
||||||
* [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
|
- [Wrapper input://](#wrapper-input)
|
||||||
* [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
|
- [Wrapper phar://](#wrapper-phar)
|
||||||
* [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
|
- [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
|
||||||
* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
|
- [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
|
||||||
* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
|
- [LFI to RCE via upload](#lfi-to-rce-via-upload)
|
||||||
* [LFI to RCE via credentials files](#lfi-o-rce-via-credentials-files)
|
- [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
|
||||||
|
- [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
|
||||||
|
- [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
|
||||||
|
- [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
|
||||||
|
- [RCE via SSH](#rce-via-ssh)
|
||||||
|
- [RCE via Mail](#rce-via-mail)
|
||||||
|
- [RCE via Apache logs](#rce-via-apache-logs)
|
||||||
|
- [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
|
||||||
|
- [LFI to RCE via credentials files](#lfi-to-rce-via-credentials-files)
|
||||||
|
- [Windows version](#windows-version)
|
||||||
|
- [Linux version](#linux-version)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
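Review bot: the rewritten summary adds "- [File Inclusion](#file-inclusion)" and "- [Summary](#summary)", which link the table of contents to the page title and to itself; drop those two entries. The two new entries "- [Null byte](#null-byte-1)" and "- [Double encoding](#double-encoding-1)" are indistinguishable from the LFI entries of the same name above them; prefixing them with "RFI - " tells the reader which section each points to. The anchor correction from "#lfi-o-rce-via-credentials-files" to "#lfi-to-rce-via-credentials-files" is right.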
@ -444,4 +455,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
|
|||||||
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
|
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
|
||||||
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
|
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
|
||||||
* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
|
* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
|
||||||
* [PHP LFI to arbitratry code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
|
* [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
|
||||||
|
@ -5,19 +5,22 @@
|
|||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Tools](#tools)
|
- [GraphQL injection](#graphql-injection)
|
||||||
* [Exploit](#exploit)
|
- [Summary](#summary)
|
||||||
* [Identify an injection point](#identify-an-injection-point)
|
- [Tools](#tools)
|
||||||
* [Enumerate Database Schema via Instropection](#enumerate-database-schema-via-introspection)
|
- [Exploit](#exploit)
|
||||||
* [Extract data](#extract-data)
|
- [Identify an injection point](#identify-an-injection-point)
|
||||||
* [Extract data using edges/nodes](#extract-data-using-edges-nodes)
|
- [Enumerate Database Schema via Introspection](#enumerate-database-schema-via-introspection)
|
||||||
* [Extract data using projections](#extract-data-using-projections)
|
- [List path](#list-path)
|
||||||
* [Enumerate the types' definition](#enumerate-the-type-definition)
|
- [Extract data](#extract-data)
|
||||||
* [Use mutations](#use-mutations)
|
- [Extract data using edges/nodes](#extract-data-using-edgesnodes)
|
||||||
* [NOSQL injection](#nosql-injection)
|
- [Extract data using projections](#extract-data-using-projections)
|
||||||
* [SQL injection](#sql-injection)
|
- [Enumerate the types' definition](#enumerate-the-types-definition)
|
||||||
* [GraphQL Batching Attacks](#graphql-batching-attacks)
|
- [Use mutations](#use-mutations)
|
||||||
* [References](#references)
|
- [NOSQL injection](#nosql-injection)
|
||||||
|
- [SQL injection](#sql-injection)
|
||||||
|
- [GraphQL Batching Attacks](#graphql-batching-attacks)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
|
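Review bot: the anchor fixes "#extract-data-using-edgesnodes" and "#enumerate-the-types-definition" match how GitHub slugs headings (slashes and apostrophes dropped) and the "Instropection" typo fix is correct, but the new "- [GraphQL injection](#graphql-injection)" and "- [Summary](#summary)" entries point the summary at the page title and at itself; remove those two. The new "- [List path](#list-path)" entry links a section this diff does not show, so confirm the matching heading exists.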
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value¶m1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurance, some taking the last occurance, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
|
HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value¶m1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurrence, some taking the last occurrence, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
|
||||||
|
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
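Review bot: beyond the "occurance" fix, the example "(?param1=value¶m1=value)" renders with a pilcrow on both sides of this hunk because lenient HTML parsing treats the "&para" in "&param1" as the ¶ entity even without a semicolon; put the example in backticks (`?param1=value&param1=value`) so the ampersand survives rendering. In the same sentence, "a HTTP request" should read "an HTTP request".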
@ -22,7 +22,7 @@ Origin Service - Reads second param. In this scenario, developer trusted WAF and
|
|||||||
Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.)
|
Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.)
|
||||||
```
|
```
|
||||||
|
|
||||||
### Table of refence for which technology reads which parameter
|
### Table of reference for which technology reads which parameter
|
||||||
When ?par1=a&par1=b
|
When ?par1=a&par1=b
|
||||||
| Technology | Parsing Result |outcome (par1=)|
|
| Technology | Parsing Result |outcome (par1=)|
|
||||||
| ------------------ |--------------- |:-------------:|
|
| ------------------ |--------------- |:-------------:|
|
||||||
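Review bot: "Table of reference for which technology reads which parameter" is still awkward after the "refence" fix; "Reference table: which occurrence each technology reads" says the same thing. The WAF/origin line above it also breaks mid-sentence with "looks innocent. passes on"; a comma reads better there.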
@ -41,7 +41,7 @@ When ?par1=a&par1=b
|
|||||||
| IBM HTTP Server |First occurrence |a |
|
| IBM HTTP Server |First occurrence |a |
|
||||||
| Perl CGI/Apache |First occurrence |a |
|
| Perl CGI/Apache |First occurrence |a |
|
||||||
| mod_wsgi (Python)/Apache |First occurrence |a |
|
| mod_wsgi (Python)/Apache |First occurrence |a |
|
||||||
| Python/Zope |All occurences in array |['a','b'] |
|
| Python/Zope |All occurrences in array |['a','b'] |
|
||||||
|
|
||||||
## References
|
## References
|
||||||
- [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/)
|
- [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/)
|
||||||
|
@ -4,17 +4,20 @@
|
|||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
- [Tools](#tools)
|
- [JWT - JSON Web Token](#jwt---json-web-token)
|
||||||
- [JWT Format](#jwt-format)
|
- [Summary](#summary)
|
||||||
|
- [Tools](#tools)
|
||||||
|
- [JWT Format](#jwt-format)
|
||||||
- [Header](#header)
|
- [Header](#header)
|
||||||
- [Payload](#payload)
|
- [Payload](#payload)
|
||||||
- [JWT Signature - None algorithm](#jwt-signature---none-algorithm)
|
- [JWT Signature - None algorithm](#jwt-signature---none-algorithm)
|
||||||
- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256)
|
- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256)
|
||||||
- [Breaking JWT's secret](#breaking-jwts-secret)
|
- [Breaking JWT's secret](#breaking-jwts-secret)
|
||||||
- [JWT Tool](#jwt-tool)
|
- [JWT tool](#jwt-tool)
|
||||||
- [JWT cracker](#jwt-cracker)
|
- [JWT cracker](#jwt-cracker)
|
||||||
- [Hashcat](#hashcat)
|
- [Hashcat](#hashcat)
|
||||||
- [References](#references)
|
- [CVE](#cve)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
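Review bot: the new "- [CVE](#cve)" entry links a section this diff does not show; confirm a "## CVE" heading exists in the file, since the hunk only adds the link. The "- [JWT tool](#jwt-tool)" case change should mirror the heading text exactly (the slug is case-insensitive, so the link works either way, but the TOC text should match). The "#jwt---json-web-token" and "#summary" entries link the summary to the title and to itself and can be dropped.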
@ -241,7 +244,7 @@ Please select an option from above (1-4):
|
|||||||
Please enter the known key:
|
Please enter the known key:
|
||||||
> secret
|
> secret
|
||||||
|
|
||||||
Please enter the keylength:
|
Please enter the key length:
|
||||||
[1] HMAC-SHA256
|
[1] HMAC-SHA256
|
||||||
[2] HMAC-SHA384
|
[2] HMAC-SHA384
|
||||||
[3] HMAC-SHA512
|
[3] HMAC-SHA512
|
||||||
|
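Review bot: "Please enter the keylength:" is part of a quoted tool transcript (note the "> secret" answer and the "[1] HMAC-SHA256" menu around it), so respelling it as "key length" makes the captured output no longer match what the tool prints; keep quoted program output verbatim and fix the wording in the tool itself if it matters.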
@ -1,15 +1,17 @@
|
|||||||
# Open URL Redirection
|
# Open URL Redirection
|
||||||
|
|
||||||
> Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
|
> Un-validated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Un-validated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
- [Exploitation](#exploitation)
|
- [Open URL Redirection](#open-url-redirection)
|
||||||
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
|
- [Summary](#summary)
|
||||||
- [Fuzzing](#fuzzing)
|
- [Exploitation](#exploitation)
|
||||||
- [Filter Bypass](#filter-bypass)
|
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
|
||||||
- [Common injection parameters](#common-injection-parameters)
|
- [Fuzzing](#fuzzing)
|
||||||
- [References](#references)
|
- [Filter Bypass](#filter-bypass)
|
||||||
|
- [Common injection parameters](#common-injection-parameters)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
## Exploitation
|
## Exploitation
|
||||||
|
|
||||||
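Review bot: the ">" block is a quoted definition, and "unvalidated" (one word, as in the OWASP category "Unvalidated Redirects and Forwards") is the standard spelling; changing it to "Un-validated" alters a quotation and introduces a non-standard hyphenation, so revert that line. The new "- [Open URL Redirection](#open-url-redirection)" and "- [Summary](#summary)" entries link the summary to the title and to itself and can be dropped.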
@ -25,7 +27,7 @@ What happens if we change the `famous-website.tld/account` to `evil-website.tld`
|
|||||||
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
|
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
|
||||||
```
|
```
|
||||||
|
|
||||||
By visiting this url, if we get redirected to `evil-website.tld` after the signup, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
|
By visiting this url, if we get redirected to `evil-website.tld` after the sign-up, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
|
||||||
|
|
||||||
|
|
||||||
## HTTP Redirection Status Code - 3xx
|
## HTTP Redirection Status Code - 3xx
|
||||||
|
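Review bot: "sign-up" is fine as a noun, but the same sentence still has lowercase "url" in "By visiting this url"; write "URL" to match the rest of the file.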
@ -4,9 +4,12 @@
|
|||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Tools](#tools)
|
- [Race Condition](#race-condition)
|
||||||
* [Turbo Intruder Examples](#turbo-intruder-examples)
|
- [Summary](#summary)
|
||||||
* [References](#references)
|
- [Tools](#tools)
|
||||||
|
- [Turbo Intruder Examples](#turbo-intruder-examples)
|
||||||
|
- [Turbo Intruder 2 Requests Examples](#turbo-intruder-2-requests-examples)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
@ -42,7 +45,7 @@
|
|||||||
4. Click "Attack"
|
4. Click "Attack"
|
||||||
|
|
||||||
## Turbo Intruder 2 Requests Examples
|
## Turbo Intruder 2 Requests Examples
|
||||||
This follwoing template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
|
This following template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
|
||||||
```python
|
```python
|
||||||
def queueRequests(target, wordlists):
|
def queueRequests(target, wordlists):
|
||||||
engine = RequestEngine(endpoint=target.endpoint,
|
engine = RequestEngine(endpoint=target.endpoint,
|
||||||
|
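Review bot: the "follwoing" fix leaves the sentence ungrammatical ("can use when use have to send race condition of request2 immediately after send a request1"); suggest "Use the following template when request2 has to be sent immediately after request1 and the race window is only a few milliseconds."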
@ -6,7 +6,7 @@ Attempting to manipulate SQL queries may have goals including:
|
|||||||
- Information Leakage
|
- Information Leakage
|
||||||
- Disclosure of stored data
|
- Disclosure of stored data
|
||||||
- Manipulation of stored data
|
- Manipulation of stored data
|
||||||
- Bypassing authorisation controls
|
- Bypassing authorization controls
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
|
@ -4,59 +4,74 @@
|
|||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Tools](#tools)
|
- [Templates Injections](#templates-injections)
|
||||||
* [Methodology](#methodology)
|
- [Summary](#summary)
|
||||||
* [ASP.NET Razor](#aspnet-razor)
|
- [Tools](#tools)
|
||||||
* [Basic injection](#aspnet-razor---basic-injection)
|
- [Methodology](#methodology)
|
||||||
* [Command execution](#aspnet-razor---command-execution)
|
- [ASP.NET Razor](#aspnet-razor)
|
||||||
* [Expression Language EL](#expression-language-el)
|
- [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection)
|
||||||
* [Basic injection](#expression-language-el---basic-injection)
|
- [ASP.NET Razor - Command execution](#aspnet-razor---command-execution)
|
||||||
* [Code execution](#expression-language-el---code-execution)
|
- [Expression Language EL](#expression-language-el)
|
||||||
* [Freemarker](#freemarker)
|
- [Expression Language EL - Basic injection](#expression-language-el---basic-injection)
|
||||||
* [Basic injection](#freemarker---basic-injection)
|
- [Expression Language EL - One-Liner injections not including code execution](#expression-language-el---one-liner-injections-not-including-code-execution)
|
||||||
* [Code execution](#freemarker---code-execution)
|
- [Expression Language EL - Code Execution](#expression-language-el---code-execution)
|
||||||
* [Groovy](#groovy)
|
- [Freemarker](#freemarker)
|
||||||
* [Basic injection](#groovy---basic-injection)
|
- [Freemarker - Basic injection](#freemarker---basic-injection)
|
||||||
* [Read/Create file](#groovy---read-and-create-file)
|
- [Freemarker - Read File](#freemarker---read-file)
|
||||||
* [HTTP Request](#groovy---http-request)
|
- [Freemarker - Code execution](#freemarker---code-execution)
|
||||||
* [Command execution](#groovy---command-execution)
|
- [Freemarker - Sandbox bypass](#freemarker---sandbox-bypass)
|
||||||
* [Sandbox bypass](#groovy---sandbox-bypass)
|
- [Groovy](#groovy)
|
||||||
* [Handlebars](#handlebars)
|
- [Groovy - Basic injection](#groovy---basic-injection)
|
||||||
* [Jade / Codepen](#jade--codepen)
|
- [Groovy - Read and create File](#groovy---read-and-create-file)
|
||||||
* [Java](#java)
|
- [Groovy - HTTP request:](#groovy---http-request)
|
||||||
* [Basic injection](#java---basic-injection)
|
- [Groovy - Command Execution](#groovy---command-execution)
|
||||||
* [Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables)
|
- [Groovy - Sandbox Bypass](#groovy---sandbox-bypass)
|
||||||
* [Retrieve /etc/passwd](#java---retrieve-etcpasswd)
|
- [Handlebars](#handlebars)
|
||||||
* [Jinja2](#jinja2)
|
- [Handlebars - Command Execution](#handlebars---command-execution)
|
||||||
* [Basic injection](#jinja2---basic-injection)
|
- [Jade / Codepen](#jade--codepen)
|
||||||
* [Template format](#jinja2---template-format)
|
- [Java](#java)
|
||||||
* [Debug Statement](#jinja2---debug-statement)
|
- [Java - Basic injection](#java---basic-injection)
|
||||||
* [Dump all used classes](#jinja2---dump-all-used-classes)
|
- [Java - Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables)
|
||||||
* [Dump all config variables](#jinja2---dump-all-config-variables)
|
- [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd)
|
||||||
* [Read remote file](#jinja2---read-remote-file)
|
- [Jinja2](#jinja2)
|
||||||
* [Write into remote file](#jinja2---write-into-remote-file)
|
- [Jinja2 - Basic injection](#jinja2---basic-injection)
|
||||||
* [Remote Code Execution](#jinja2---remote-code-execution)
|
- [Jinja2 - Template format](#jinja2---template-format)
|
||||||
* [Filter bypass](#jinja2---filter-bypass)
|
- [Jinja2 - Debug Statement](#jinja2---debug-statement)
|
||||||
* [Jinjava](#jinjava)
|
- [Jinja2 - Dump all used classes](#jinja2---dump-all-used-classes)
|
||||||
* [Basic injection](#jinjava---basic-injection)
|
- [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables)
|
||||||
* [Command execution](#jinjava---command-execution)
|
- [Jinja2 - Read remote file](#jinja2---read-remote-file)
|
||||||
* [Lessjs](#lessjs)
|
- [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
|
||||||
* [Mako](#mako)
|
- [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution)
|
||||||
* [Pebble](#pebble)
|
- [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
|
||||||
* [Basic injection](#pebble---basic-injection)
|
- [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
|
||||||
* [Code execution](#pebble---code-execution)
|
- [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
|
||||||
* [Ruby](#ruby)
|
- [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
|
||||||
* [Basic injections](#ruby---basic-injections)
|
- [Jinja2 - Filter bypass](#jinja2---filter-bypass)
|
||||||
* [Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
|
- [Jinjava](#jinjava)
|
||||||
* [List files and directories](#ruby---list-files-and-directories)
|
- [Jinjava - Basic injection](#jinjava---basic-injection)
|
||||||
* [Smarty](#smarty)
|
- [Jinjava - Command execution](#jinjava---command-execution)
|
||||||
* [Twig](#twig)
|
- [Lessjs](#lessjs)
|
||||||
* [Basic injection](#twig---basic-injection)
|
- [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
|
||||||
* [Template format](#twig---template-format)
|
- [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
|
||||||
* [Arbitrary File Reading](#twig---arbitrary-file-reading)
|
- [Plugins](#plugins)
|
||||||
* [Code execution](#twig---code-execution)
|
- [Mako](#mako)
|
||||||
* [Velocity](#velocity)
|
- [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)
|
||||||
* [References](#references)
|
- [Pebble](#pebble)
|
||||||
|
- [Pebble - Basic injection](#pebble---basic-injection)
|
||||||
|
- [Pebble - Code execution](#pebble---code-execution)
|
||||||
|
- [Ruby](#ruby)
|
||||||
|
- [Ruby - Basic injections](#ruby---basic-injections)
|
||||||
|
- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
|
||||||
|
- [Ruby - List files and directories](#ruby---list-files-and-directories)
|
||||||
|
- [Ruby - Code execution](#ruby---code-execution)
|
||||||
|
- [Smarty](#smarty)
|
||||||
|
- [Twig](#twig)
|
||||||
|
- [Twig - Basic injection](#twig---basic-injection)
|
||||||
|
- [Twig - Template format](#twig---template-format)
|
||||||
|
- [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
|
||||||
|
- [Twig - Code execution](#twig---code-execution)
|
||||||
|
- [Velocity](#velocity)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
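Review bot: three new entries carry punctuation from their headings into the link text: "- [Groovy - HTTP request:](#groovy---http-request)", "- [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)" and "- [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)"; strip the trailing colon or period from the headings themselves rather than copying it into the TOC (the slugs already omit it). The four "Exploit the SSTI by ..." entries also sit at the same level as the framework headings, so prefix them with "Jinja2 - " like the neighbouring entries, otherwise they read as top-level sections.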
@ -130,7 +145,7 @@ ${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".g
|
|||||||
#{session.getAttribute("rtc").setAccessible(true)}
|
#{session.getAttribute("rtc").setAccessible(true)}
|
||||||
#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")}
|
#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")}
|
||||||
|
|
||||||
// Method using processbuilder
|
// Method using process builder
|
||||||
${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
|
${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
|
||||||
${request.getAttribute("c").add("cmd.exe")}
|
${request.getAttribute("c").add("cmd.exe")}
|
||||||
${request.getAttribute("c").add("/k")}
|
${request.getAttribute("c").add("/k")}
|
||||||
|
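Review bot: the comment "// Method using processbuilder" names the Java class `ProcessBuilder` (the ArrayList of "cmd.exe" and "/k" built on the following lines is its argument list), so splitting it into "process builder" turns an identifier into prose; write "// Method using ProcessBuilder" instead.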
@ -61,7 +61,7 @@ If we can make the calculated hash string Zero-like, and provide "0" in the $coo
|
|||||||
```
|
```
|
||||||
|
|
||||||
We have control over 3 elements in the cookie:
|
We have control over 3 elements in the cookie:
|
||||||
- $username - username you are targetting, probably "admin"
|
- $username - username you are targeting, probably "admin"
|
||||||
- $hmac - the provided hash, "0"
|
- $hmac - the provided hash, "0"
|
||||||
- $expiration - a UNIX timestamp, must be in the future
|
- $expiration - a UNIX timestamp, must be in the future
|
||||||
|
|
||||||
@ -104,5 +104,5 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
|
|||||||
## References
|
## References
|
||||||
|
|
||||||
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
|
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
|
||||||
* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
* [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
||||||
* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
|
* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
|
||||||
|
@ -26,7 +26,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
|||||||
|
|
||||||
## Methodology 2
|
## Methodology 2
|
||||||
|
|
||||||
1. Find an unkeyed input for a Cache Poisoning
|
1. Find an un-keyed input for a Cache Poisoning
|
||||||
```js
|
```js
|
||||||
Values: User-Agent
|
Values: User-Agent
|
||||||
Values: Cookie
|
Values: Cookie
|
||||||
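Review bot: "unkeyed input" is the established term in the web cache poisoning literature (an input that is not part of the cache key), and hyphenating it to "un-keyed" makes the page diverge from the vocabulary readers will search for; keep "unkeyed". Separately, the fenced block listing "Values: User-Agent" and "Header: X-Original-URL (Symfony)" is plain text, not JavaScript, so the ```js tag should be dropped or replaced with a plain fence.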
@ -37,7 +37,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
|||||||
Header: X-Original-URL (Symfony)
|
Header: X-Original-URL (Symfony)
|
||||||
Header: X-Rewrite-URL (Symfony)
|
Header: X-Rewrite-URL (Symfony)
|
||||||
```
|
```
|
||||||
2. Cache poisoning attack - Example for `X-Forwarded-Host` unkeyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
|
2. Cache poisoning attack - Example for `X-Forwarded-Host` un-keyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
|
||||||
```js
|
```js
|
||||||
GET /test?buster=123 HTTP/1.1
|
GET /test?buster=123 HTTP/1.1
|
||||||
Host: target.com
|
Host: target.com
|
||||||
|
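Review bot: "unkeyed" is the standard term here too and should not become "un-keyed"; in addition, the block starting "GET /test?buster=123 HTTP/1.1" is a raw HTTP request tagged ```js, so tag it ```http so it highlights correctly.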
@ -1,11 +1,13 @@
|
|||||||
# XSLT Injection
|
# XSLT Injection
|
||||||
|
|
||||||
> Processing an unvalidated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
|
> Processing an un-validated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
- [Tools](#tools)
|
- [XSLT Injection](#xslt-injection)
|
||||||
- [Exploit](#exploit)
|
- [Summary](#summary)
|
||||||
|
- [Tools](#tools)
|
||||||
|
- [Exploit](#exploit)
|
||||||
- [Determine the vendor and version](#determine-the-vendor-and-version)
|
- [Determine the vendor and version](#determine-the-vendor-and-version)
|
||||||
- [External Entity](#external-entity)
|
- [External Entity](#external-entity)
|
||||||
- [Read files and SSRF using document](#read-files-and-ssrf-using-document)
|
- [Read files and SSRF using document](#read-files-and-ssrf-using-document)
|
||||||
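Review bot: the ">" line is a quoted definition, and "unvalidated" is the standard spelling; a quotation should not be respelled, so revert "un-validated". The new "- [XSLT Injection](#xslt-injection)" and "- [Summary](#summary)" entries link the summary to the title and to itself and can be dropped.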
@ -13,7 +15,7 @@
|
|||||||
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
|
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
|
||||||
- [Remote Code Execution with Java](#remote-code-execution-with-java)
|
- [Remote Code Execution with Java](#remote-code-execution-with-java)
|
||||||
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
|
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
|
||||||
- [References](#references)
|
- [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
|
@ -4,29 +4,42 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
|
|||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
- [Exploit code or POC](#exploit-code-or-poc)
|
- [Cross Site Scripting](#cross-site-scripting)
|
||||||
|
- [Summary](#summary)
|
||||||
|
- [Exploit code or POC](#exploit-code-or-poc)
|
||||||
- [Data grabber for XSS](#data-grabber-for-xss)
|
- [Data grabber for XSS](#data-grabber-for-xss)
|
||||||
|
- [CORS](#cors)
|
||||||
- [UI redressing](#ui-redressing)
|
- [UI redressing](#ui-redressing)
|
||||||
- [Javascript keylogger](#javascript-keylogger)
|
- [Javascript keylogger](#javascript-keylogger)
|
||||||
- [Other ways](#other-ways)
|
- [Other ways](#other-ways)
|
||||||
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
|
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
|
||||||
- [XSS in HTML/Applications](#xss-in-htmlapplications)
|
- [Tools](#tools)
|
||||||
|
- [XSS in HTML/Applications](#xss-in-htmlapplications)
|
||||||
- [Common Payloads](#common-payloads)
|
- [Common Payloads](#common-payloads)
|
||||||
- [XSS using HTML5 tags](#xss-using-html5-tags)
|
- [XSS using HTML5 tags](#xss-using-html5-tags)
|
||||||
- [XSS using a remote JS](#xss-using-a-remote-js)
|
- [XSS using a remote JS](#xss-using-a-remote-js)
|
||||||
- [XSS in hidden input](#xss-in-hidden-input)
|
- [XSS in hidden input](#xss-in-hidden-input)
|
||||||
|
- [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized)
|
||||||
- [DOM based XSS](#dom-based-xss)
|
- [DOM based XSS](#dom-based-xss)
|
||||||
- [XSS in JS Context](#xss-in-js-context)
|
- [XSS in JS Context](#xss-in-js-context)
|
||||||
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
|
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
|
||||||
- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
|
- [XSS in files](#xss-in-files)
|
||||||
- [XSS in PostMessage](#xss-in-postmessage)
|
- [XSS in XML](#xss-in-xml)
|
||||||
- [Blind XSS](#blind-xss)
|
- [XSS in SVG](#xss-in-svg)
|
||||||
|
- [XSS in SVG (short)](#xss-in-svg-short)
|
||||||
|
- [XSS in Markdown](#xss-in-markdown)
|
||||||
|
- [XSS in SWF flash application](#xss-in-swf-flash-application)
|
||||||
|
- [XSS in SWF flash application](#xss-in-swf-flash-application-1)
|
||||||
|
- [XSS in CSS](#xss-in-css)
|
||||||
|
- [XSS in PostMessage](#xss-in-postmessage)
|
||||||
|
- [Blind XSS](#blind-xss)
|
||||||
- [XSS Hunter](#xss-hunter)
|
- [XSS Hunter](#xss-hunter)
|
||||||
- [Other Blind XSS tools](#other-blind-xss-tools)
|
- [Other Blind XSS tools](#other-blind-xss-tools)
|
||||||
- [Blind XSS endpoint](#blind-xss-endpoint)
|
- [Blind XSS endpoint](#blind-xss-endpoint)
|
||||||
- [Mutated XSS](#mutated-xss)
|
- [Tips](#tips)
|
||||||
- [Polyglot XSS](#polyglot-xss)
|
- [Mutated XSS](#mutated-xss)
|
||||||
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
|
- [Polyglot XSS](#polyglot-xss)
|
||||||
|
- [Filter Bypass and exotic payloads](#filter-bypass-and-exotic-payloads)
|
||||||
- [Bypass case sensitive](#bypass-case-sensitive)
|
- [Bypass case sensitive](#bypass-case-sensitive)
|
||||||
- [Bypass tag blacklist](#bypass-tag-blacklist)
|
- [Bypass tag blacklist](#bypass-tag-blacklist)
|
||||||
- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
|
- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
|
||||||
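Review bot: the new table of contents lists "XSS in SWF flash application" twice, once pointing at `#xss-in-swf-flash-application` and once at `#xss-in-swf-flash-application-1`; the `-1` suffix means the body now carries two headings with the same title, so one of the two sections should be renamed (or the two merged) and the TOC entry updated to match, otherwise a reader cannot tell which link leads where.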
@ -61,8 +74,30 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
|
|||||||
- [Bypass using BOM](#bypass-using-bom)
|
- [Bypass using BOM](#bypass-using-bom)
|
||||||
- [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
|
- [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
|
||||||
- [Bypass using jsfuck](#bypass-using-jsfuck)
|
- [Bypass using jsfuck](#bypass-using-jsfuck)
|
||||||
- [CSP Bypass](#csp-bypass)
|
- [CSP Bypass](#csp-bypass)
|
||||||
- [Common WAF Bypass](#common-waf-bypass)
|
- [Bypass CSP using JSONP from Google (Trick by @apfeifer27)](#bypass-csp-using-jsonp-from-google-trick-by-apfeifer27)
|
||||||
|
- [Bypass CSP by lab.wallarm.com](#bypass-csp-by-labwallarmcom)
|
||||||
|
- [Bypass CSP by Rhynorater](#bypass-csp-by-rhynorater)
|
||||||
|
- [Bypass CSP by @akita_zen](#bypass-csp-by-akita_zen)
|
||||||
|
- [Bypass CSP by @404death](#bypass-csp-by-404death)
|
||||||
|
- [Common WAF Bypass](#common-waf-bypass)
|
||||||
|
- [Cloudflare XSS Bypasses by @Bohdan Korzhynskyi](#cloudflare-xss-bypasses-by-bohdan-korzhynskyi)
|
||||||
|
- [25st January 2021](#25st-january-2021)
|
||||||
|
- [21st April 2020](#21st-april-2020)
|
||||||
|
- [22nd August 2019](#22nd-august-2019)
|
||||||
|
- [5th June 2019](#5th-june-2019)
|
||||||
|
- [3rd June 2019](#3rd-june-2019)
|
||||||
|
- [Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)](#cloudflare-xss-bypass---22nd-march-2019-by-rakeshmane10)
|
||||||
|
- [Cloudflare XSS Bypass - 27th February 2018](#cloudflare-xss-bypass---27th-february-2018)
|
||||||
|
- [Chrome Auditor - 9th August 2018](#chrome-auditor---9th-august-2018)
|
||||||
|
- [Incapsula WAF Bypass by @Alra3ees- 8th March 2018](#incapsula-waf-bypass-by-alra3ees--8th-march-2018)
|
||||||
|
- [Incapsula WAF Bypass by @c0d3G33k - 11th September 2018](#incapsula-waf-bypass-by-c0d3g33k---11th-september-2018)
|
||||||
|
- [Incapsula WAF Bypass by @daveysec - 11th May 2019](#incapsula-waf-bypass-by-daveysec---11th-may-2019)
|
||||||
|
- [Akamai WAF Bypass by @zseano - 18th June 2018](#akamai-waf-bypass-by-zseano---18th-june-2018)
|
||||||
|
- [Akamai WAF Bypass by @s0md3v - 28th October 2018](#akamai-waf-bypass-by-s0md3v---28th-october-2018)
|
||||||
|
- [WordFence WAF Bypass by @brutelogic - 12th September 2018](#wordfence-waf-bypass-by-brutelogic---12th-september-2018)
|
||||||
|
- [Fortiweb WAF Bypass by @rezaduty - 9th July 2019](#fortiweb-waf-bypass-by-rezaduty---9th-july-2019)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
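Review bot: the new entry `- [25st January 2021](#25st-january-2021)` has an ordinal typo; it should read "25th January 2021" with the anchor `#25th-january-2021`, and the matching heading in the body has to be renamed in the same change or the link breaks. The entry `Incapsula WAF Bypass by @Alra3ees- 8th March 2018` is missing the space before the hyphen, which is why its anchor carries a double dash (`#incapsula-waf-bypass-by-alra3ees--8th-march-2018`); writing the heading as `@Alra3ees - 8th March 2018` would make it consistent with the other WAF bypass entries in this list.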
@ -134,7 +169,7 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all]
|
|||||||
|
|
||||||
## Identify an XSS endpoint
|
## Identify an XSS endpoint
|
||||||
|
|
||||||
This payload opens the debugger in the developper console rather than triggering a popup alert box.
|
This payload opens the debugger in the developer console rather than triggering a popup alert box.
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
<script>debugger;</script>
|
<script>debugger;</script>
|
||||||
@ -154,7 +189,7 @@ Better payload replacing `<script>alert(1)</script>`:
|
|||||||
<script>alert(document.domain.concat("\n").concat(window.origin))</script>
|
<script>alert(document.domain.concat("\n").concat(window.origin))</script>
|
||||||
```
|
```
|
||||||
|
|
||||||
While `alert()` is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so `console.log()` can be used instead to display a message in the console of the developper console (doesn't require any interaction).
|
While `alert()` is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so `console.log()` can be used instead to display a message in the console of the developer console (doesn't require any interaction).
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
|
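Review bot: the spelling fix is fine, but the new line is still awkward: "display a message in the console of the developer console" is redundant, and "it requires to close the popup" is ungrammatical. Since the line is being touched anyway, suggest "... so `console.log()` can be used instead to write a message to the developer console (no interaction required)".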
@ -25,7 +25,7 @@ Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
|
|||||||
|
|
||||||
Explanation of the vulnerability
|
Explanation of the vulnerability
|
||||||
|
|
||||||
> The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
|
> The Meta element forces IE’s document mode into IE7 compatible which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
|
||||||
> A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
|
> A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
|
||||||
|
|
||||||
Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
|
Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
|
||||||
|
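Review bot: changing "IE7 compat" to "IE7 compatible" edits text inside a `>` blockquote that is quoting the original author, and the original wording refers to the IE7 compat (compatibility) document mode, so "IE7 compatible" is not a more accurate reading; if the quote is edited at all, "IE7 compatibility mode" is the correct expansion. The same quoted line is also missing the closing brace of the payload, `{}*{xss:expression(open(alert(1)))is included`, whereas the hunk header context shows it as `{}*{xss:expression(open(alert(1)))}`; worth fixing in the same change so the quoted payload matches the one shown above it.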