mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-28 15:25:26 +00:00
Jetty RCE
This commit is contained in:
commit
11271d9072
BOOKS.md
File Inclusion
GraphQL Injection
HTTP Parameter Pollution
JSON Web Token
Kubernetes
Open Redirect
Race Condition
SQL Injection
Server Side Template Injection
Type Juggling
Web Cache Deception
XSLT Injection
XSS Injection
6
BOOKS.md
6
BOOKS.md
@ -20,9 +20,9 @@
|
||||
- [OWASP Testing Guide: Stable](https://owasp.org/www-project-web-security-testing-guide/stable/)
|
||||
- [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman (2014)](https://nostarch.com/pentesting)
|
||||
- [Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments by Matt Burrough (2018)](https://nostarch.com/azure)
|
||||
- [Pratical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis)
|
||||
- [Pratical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging)
|
||||
- [Pratical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking)
|
||||
- [Practical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis)
|
||||
- [Practical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging)
|
||||
- [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking)
|
||||
- [Practical Doomsday: A User's Guide to the End of the World by Michal Zalewski (2022)](https://nostarch.com/practical-doomsday)
|
||||
- [Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray (2022)](https://nostarch.com/practical-social-engineering)
|
||||
- [Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski (2019)](https://nostarch.com/bughunting)
|
||||
|
@ -6,30 +6,41 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Basic LFI](#basic-lfi)
|
||||
* [Null byte](#null-byte)
|
||||
* [Double encoding](#double-encoding)
|
||||
* [UTF-8 encoding](#utf-8-encoding)
|
||||
* [Path and dot truncation](#path-and-dot-truncation)
|
||||
* [Filter bypass tricks](#filter-bypass-tricks)
|
||||
* [Basic RFI](#basic-rfi)
|
||||
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
||||
* [Wrapper php://filter](#wrapper-phpfilter)
|
||||
* [Wrapper zip://](#wrapper-zip)
|
||||
* [Wrapper data://](#wrapper-data)
|
||||
* [Wrapper expect://](#wrapper-expect)
|
||||
* [Wrapper input://](#wrapper-input)
|
||||
* [Wrapper phar://](#wrapper-phar)
|
||||
* [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
|
||||
* [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
|
||||
* [LFI to RCE via upload](#lfi-to-rce-via-upload)
|
||||
* [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
|
||||
* [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
|
||||
* [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
|
||||
* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
|
||||
* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
|
||||
* [LFI to RCE via credentials files](#lfi-o-rce-via-credentials-files)
|
||||
- [File Inclusion](#file-inclusion)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Basic LFI](#basic-lfi)
|
||||
- [Null byte](#null-byte)
|
||||
- [Double encoding](#double-encoding)
|
||||
- [UTF-8 encoding](#utf-8-encoding)
|
||||
- [Path and dot truncation](#path-and-dot-truncation)
|
||||
- [Filter bypass tricks](#filter-bypass-tricks)
|
||||
- [Basic RFI](#basic-rfi)
|
||||
- [Null byte](#null-byte-1)
|
||||
- [Double encoding](#double-encoding-1)
|
||||
- [Bypass allow_url_include](#bypass-allow_url_include)
|
||||
- [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
||||
- [Wrapper php://filter](#wrapper-phpfilter)
|
||||
- [Wrapper zip://](#wrapper-zip)
|
||||
- [Wrapper data://](#wrapper-data)
|
||||
- [Wrapper expect://](#wrapper-expect)
|
||||
- [Wrapper input://](#wrapper-input)
|
||||
- [Wrapper phar://](#wrapper-phar)
|
||||
- [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
|
||||
- [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
|
||||
- [LFI to RCE via upload](#lfi-to-rce-via-upload)
|
||||
- [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
|
||||
- [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
|
||||
- [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
|
||||
- [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
|
||||
- [RCE via SSH](#rce-via-ssh)
|
||||
- [RCE via Mail](#rce-via-mail)
|
||||
- [RCE via Apache logs](#rce-via-apache-logs)
|
||||
- [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
|
||||
- [LFI to RCE via credentials files](#lfi-to-rce-via-credentials-files)
|
||||
- [Windows version](#windows-version)
|
||||
- [Linux version](#linux-version)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
@ -444,4 +455,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
|
||||
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
|
||||
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
|
||||
* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
|
||||
* [PHP LFI to arbitratry code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
|
||||
* [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
|
||||
|
@ -5,19 +5,22 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploit](#exploit)
|
||||
* [Identify an injection point](#identify-an-injection-point)
|
||||
* [Enumerate Database Schema via Instropection](#enumerate-database-schema-via-introspection)
|
||||
* [Extract data](#extract-data)
|
||||
* [Extract data using edges/nodes](#extract-data-using-edges-nodes)
|
||||
* [Extract data using projections](#extract-data-using-projections)
|
||||
* [Enumerate the types' definition](#enumerate-the-type-definition)
|
||||
* [Use mutations](#use-mutations)
|
||||
* [NOSQL injection](#nosql-injection)
|
||||
* [SQL injection](#sql-injection)
|
||||
* [GraphQL Batching Attacks](#graphql-batching-attacks)
|
||||
* [References](#references)
|
||||
- [GraphQL injection](#graphql-injection)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Exploit](#exploit)
|
||||
- [Identify an injection point](#identify-an-injection-point)
|
||||
- [Enumerate Database Schema via Introspection](#enumerate-database-schema-via-introspection)
|
||||
- [List path](#list-path)
|
||||
- [Extract data](#extract-data)
|
||||
- [Extract data using edges/nodes](#extract-data-using-edgesnodes)
|
||||
- [Extract data using projections](#extract-data-using-projections)
|
||||
- [Enumerate the types' definition](#enumerate-the-types-definition)
|
||||
- [Use mutations](#use-mutations)
|
||||
- [NOSQL injection](#nosql-injection)
|
||||
- [SQL injection](#sql-injection)
|
||||
- [GraphQL Batching Attacks](#graphql-batching-attacks)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
|
||||
## Summary
|
||||
|
||||
HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value¶m1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurance, some taking the last occurance, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
|
||||
HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value¶m1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurrence, some taking the last occurrence, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
|
||||
|
||||
|
||||
## Tools
|
||||
@ -22,7 +22,7 @@ Origin Service - Reads second param. In this scenario, developer trusted WAF and
|
||||
Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.)
|
||||
```
|
||||
|
||||
### Table of refence for which technology reads which parameter
|
||||
### Table of reference for which technology reads which parameter
|
||||
When ?par1=a&par1=b
|
||||
| Technology | Parsing Result |outcome (par1=)|
|
||||
| ------------------ |--------------- |:-------------:|
|
||||
@ -41,7 +41,7 @@ When ?par1=a&par1=b
|
||||
| IBM HTTP Server |First occurrence |a |
|
||||
| Perl CGI/Apache |First occurrence |a |
|
||||
| mod_wsgi (Python)/Apache |First occurrence |a |
|
||||
| Python/Zope |All occurences in array |['a','b'] |
|
||||
| Python/Zope |All occurrences in array |['a','b'] |
|
||||
|
||||
## References
|
||||
- [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/)
|
||||
|
@ -4,17 +4,20 @@
|
||||
|
||||
## Summary
|
||||
|
||||
- [Tools](#tools)
|
||||
- [JWT Format](#jwt-format)
|
||||
- [JWT - JSON Web Token](#jwt---json-web-token)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [JWT Format](#jwt-format)
|
||||
- [Header](#header)
|
||||
- [Payload](#payload)
|
||||
- [JWT Signature - None algorithm](#jwt-signature---none-algorithm)
|
||||
- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256)
|
||||
- [Breaking JWT's secret](#breaking-jwts-secret)
|
||||
- [JWT Tool](#jwt-tool)
|
||||
- [JWT Signature - None algorithm](#jwt-signature---none-algorithm)
|
||||
- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256)
|
||||
- [Breaking JWT's secret](#breaking-jwts-secret)
|
||||
- [JWT tool](#jwt-tool)
|
||||
- [JWT cracker](#jwt-cracker)
|
||||
- [Hashcat](#hashcat)
|
||||
- [References](#references)
|
||||
- [CVE](#cve)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
@ -241,7 +244,7 @@ Please select an option from above (1-4):
|
||||
Please enter the known key:
|
||||
> secret
|
||||
|
||||
Please enter the keylength:
|
||||
Please enter the key length:
|
||||
[1] HMAC-SHA256
|
||||
[2] HMAC-SHA384
|
||||
[3] HMAC-SHA512
|
||||
|
@ -1,15 +1,17 @@
|
||||
# Open URL Redirection
|
||||
|
||||
> Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
|
||||
> Un-validated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Un-validated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
|
||||
|
||||
## Summary
|
||||
|
||||
- [Exploitation](#exploitation)
|
||||
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
|
||||
- [Fuzzing](#fuzzing)
|
||||
- [Filter Bypass](#filter-bypass)
|
||||
- [Common injection parameters](#common-injection-parameters)
|
||||
- [References](#references)
|
||||
- [Open URL Redirection](#open-url-redirection)
|
||||
- [Summary](#summary)
|
||||
- [Exploitation](#exploitation)
|
||||
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
|
||||
- [Fuzzing](#fuzzing)
|
||||
- [Filter Bypass](#filter-bypass)
|
||||
- [Common injection parameters](#common-injection-parameters)
|
||||
- [References](#references)
|
||||
|
||||
## Exploitation
|
||||
|
||||
@ -25,7 +27,7 @@ What happens if we change the `famous-website.tld/account` to `evil-website.tld`
|
||||
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
|
||||
```
|
||||
|
||||
By visiting this url, if we get redirected to `evil-website.tld` after the signup, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
|
||||
By visiting this url, if we get redirected to `evil-website.tld` after the sign-up, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
|
||||
|
||||
|
||||
## HTTP Redirection Status Code - 3xx
|
||||
|
@ -4,9 +4,12 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Turbo Intruder Examples](#turbo-intruder-examples)
|
||||
* [References](#references)
|
||||
- [Race Condition](#race-condition)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Turbo Intruder Examples](#turbo-intruder-examples)
|
||||
- [Turbo Intruder 2 Requests Examples](#turbo-intruder-2-requests-examples)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
@ -42,7 +45,7 @@
|
||||
4. Click "Attack"
|
||||
|
||||
## Turbo Intruder 2 Requests Examples
|
||||
This follwoing template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
|
||||
This following template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
|
||||
```python
|
||||
def queueRequests(target, wordlists):
|
||||
engine = RequestEngine(endpoint=target.endpoint,
|
||||
|
@ -6,7 +6,7 @@ Attempting to manipulate SQL queries may have goals including:
|
||||
- Information Leakage
|
||||
- Disclosure of stored data
|
||||
- Manipulation of stored data
|
||||
- Bypassing authorisation controls
|
||||
- Bypassing authorization controls
|
||||
|
||||
## Summary
|
||||
|
||||
|
@ -4,59 +4,74 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Methodology](#methodology)
|
||||
* [ASP.NET Razor](#aspnet-razor)
|
||||
* [Basic injection](#aspnet-razor---basic-injection)
|
||||
* [Command execution](#aspnet-razor---command-execution)
|
||||
* [Expression Language EL](#expression-language-el)
|
||||
* [Basic injection](#expression-language-el---basic-injection)
|
||||
* [Code execution](#expression-language-el---code-execution)
|
||||
* [Freemarker](#freemarker)
|
||||
* [Basic injection](#freemarker---basic-injection)
|
||||
* [Code execution](#freemarker---code-execution)
|
||||
* [Groovy](#groovy)
|
||||
* [Basic injection](#groovy---basic-injection)
|
||||
* [Read/Create file](#groovy---read-and-create-file)
|
||||
* [HTTP Request](#groovy---http-request)
|
||||
* [Command execution](#groovy---command-execution)
|
||||
* [Sandbox bypass](#groovy---sandbox-bypass)
|
||||
* [Handlebars](#handlebars)
|
||||
* [Jade / Codepen](#jade--codepen)
|
||||
* [Java](#java)
|
||||
* [Basic injection](#java---basic-injection)
|
||||
* [Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables)
|
||||
* [Retrieve /etc/passwd](#java---retrieve-etcpasswd)
|
||||
* [Jinja2](#jinja2)
|
||||
* [Basic injection](#jinja2---basic-injection)
|
||||
* [Template format](#jinja2---template-format)
|
||||
* [Debug Statement](#jinja2---debug-statement)
|
||||
* [Dump all used classes](#jinja2---dump-all-used-classes)
|
||||
* [Dump all config variables](#jinja2---dump-all-config-variables)
|
||||
* [Read remote file](#jinja2---read-remote-file)
|
||||
* [Write into remote file](#jinja2---write-into-remote-file)
|
||||
* [Remote Code Execution](#jinja2---remote-code-execution)
|
||||
* [Filter bypass](#jinja2---filter-bypass)
|
||||
* [Jinjava](#jinjava)
|
||||
* [Basic injection](#jinjava---basic-injection)
|
||||
* [Command execution](#jinjava---command-execution)
|
||||
* [Lessjs](#lessjs)
|
||||
* [Mako](#mako)
|
||||
* [Pebble](#pebble)
|
||||
* [Basic injection](#pebble---basic-injection)
|
||||
* [Code execution](#pebble---code-execution)
|
||||
* [Ruby](#ruby)
|
||||
* [Basic injections](#ruby---basic-injections)
|
||||
* [Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
|
||||
* [List files and directories](#ruby---list-files-and-directories)
|
||||
* [Smarty](#smarty)
|
||||
* [Twig](#twig)
|
||||
* [Basic injection](#twig---basic-injection)
|
||||
* [Template format](#twig---template-format)
|
||||
* [Arbitrary File Reading](#twig---arbitrary-file-reading)
|
||||
* [Code execution](#twig---code-execution)
|
||||
* [Velocity](#velocity)
|
||||
* [References](#references)
|
||||
- [Templates Injections](#templates-injections)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Methodology](#methodology)
|
||||
- [ASP.NET Razor](#aspnet-razor)
|
||||
- [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection)
|
||||
- [ASP.NET Razor - Command execution](#aspnet-razor---command-execution)
|
||||
- [Expression Language EL](#expression-language-el)
|
||||
- [Expression Language EL - Basic injection](#expression-language-el---basic-injection)
|
||||
- [Expression Language EL - One-Liner injections not including code execution](#expression-language-el---one-liner-injections-not-including-code-execution)
|
||||
- [Expression Language EL - Code Execution](#expression-language-el---code-execution)
|
||||
- [Freemarker](#freemarker)
|
||||
- [Freemarker - Basic injection](#freemarker---basic-injection)
|
||||
- [Freemarker - Read File](#freemarker---read-file)
|
||||
- [Freemarker - Code execution](#freemarker---code-execution)
|
||||
- [Freemarker - Sandbox bypass](#freemarker---sandbox-bypass)
|
||||
- [Groovy](#groovy)
|
||||
- [Groovy - Basic injection](#groovy---basic-injection)
|
||||
- [Groovy - Read and create File](#groovy---read-and-create-file)
|
||||
- [Groovy - HTTP request:](#groovy---http-request)
|
||||
- [Groovy - Command Execution](#groovy---command-execution)
|
||||
- [Groovy - Sandbox Bypass](#groovy---sandbox-bypass)
|
||||
- [Handlebars](#handlebars)
|
||||
- [Handlebars - Command Execution](#handlebars---command-execution)
|
||||
- [Jade / Codepen](#jade--codepen)
|
||||
- [Java](#java)
|
||||
- [Java - Basic injection](#java---basic-injection)
|
||||
- [Java - Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables)
|
||||
- [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd)
|
||||
- [Jinja2](#jinja2)
|
||||
- [Jinja2 - Basic injection](#jinja2---basic-injection)
|
||||
- [Jinja2 - Template format](#jinja2---template-format)
|
||||
- [Jinja2 - Debug Statement](#jinja2---debug-statement)
|
||||
- [Jinja2 - Dump all used classes](#jinja2---dump-all-used-classes)
|
||||
- [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables)
|
||||
- [Jinja2 - Read remote file](#jinja2---read-remote-file)
|
||||
- [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
|
||||
- [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution)
|
||||
- [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
|
||||
- [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
|
||||
- [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
|
||||
- [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
|
||||
- [Jinja2 - Filter bypass](#jinja2---filter-bypass)
|
||||
- [Jinjava](#jinjava)
|
||||
- [Jinjava - Basic injection](#jinjava---basic-injection)
|
||||
- [Jinjava - Command execution](#jinjava---command-execution)
|
||||
- [Lessjs](#lessjs)
|
||||
- [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
|
||||
- [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
|
||||
- [Plugins](#plugins)
|
||||
- [Mako](#mako)
|
||||
- [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)
|
||||
- [Pebble](#pebble)
|
||||
- [Pebble - Basic injection](#pebble---basic-injection)
|
||||
- [Pebble - Code execution](#pebble---code-execution)
|
||||
- [Ruby](#ruby)
|
||||
- [Ruby - Basic injections](#ruby---basic-injections)
|
||||
- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
|
||||
- [Ruby - List files and directories](#ruby---list-files-and-directories)
|
||||
- [Ruby - Code execution](#ruby---code-execution)
|
||||
- [Smarty](#smarty)
|
||||
- [Twig](#twig)
|
||||
- [Twig - Basic injection](#twig---basic-injection)
|
||||
- [Twig - Template format](#twig---template-format)
|
||||
- [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
|
||||
- [Twig - Code execution](#twig---code-execution)
|
||||
- [Velocity](#velocity)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
@ -130,7 +145,7 @@ ${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".g
|
||||
#{session.getAttribute("rtc").setAccessible(true)}
|
||||
#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")}
|
||||
|
||||
// Method using processbuilder
|
||||
// Method using process builder
|
||||
${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
|
||||
${request.getAttribute("c").add("cmd.exe")}
|
||||
${request.getAttribute("c").add("/k")}
|
||||
|
@ -61,7 +61,7 @@ If we can make the calculated hash string Zero-like, and provide "0" in the $coo
|
||||
```
|
||||
|
||||
We have control over 3 elements in the cookie:
|
||||
- $username - username you are targetting, probably "admin"
|
||||
- $username - username you are targeting, probably "admin"
|
||||
- $hmac - the provided hash, "0"
|
||||
- $expiration - a UNIX timestamp, must be in the future
|
||||
|
||||
@ -104,5 +104,5 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
|
||||
## References
|
||||
|
||||
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
|
||||
* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
||||
* [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
||||
* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
|
||||
|
@ -26,7 +26,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
||||
|
||||
## Methodology 2
|
||||
|
||||
1. Find an unkeyed input for a Cache Poisoning
|
||||
1. Find an un-keyed input for a Cache Poisoning
|
||||
```js
|
||||
Values: User-Agent
|
||||
Values: Cookie
|
||||
@ -37,7 +37,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
||||
Header: X-Original-URL (Symfony)
|
||||
Header: X-Rewrite-URL (Symfony)
|
||||
```
|
||||
2. Cache poisoning attack - Example for `X-Forwarded-Host` unkeyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
|
||||
2. Cache poisoning attack - Example for `X-Forwarded-Host` un-keyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
|
||||
```js
|
||||
GET /test?buster=123 HTTP/1.1
|
||||
Host: target.com
|
||||
|
@ -1,11 +1,13 @@
|
||||
# XSLT Injection
|
||||
|
||||
> Processing an unvalidated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
|
||||
> Processing an un-validated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
|
||||
|
||||
## Summary
|
||||
|
||||
- [Tools](#tools)
|
||||
- [Exploit](#exploit)
|
||||
- [XSLT Injection](#xslt-injection)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Exploit](#exploit)
|
||||
- [Determine the vendor and version](#determine-the-vendor-and-version)
|
||||
- [External Entity](#external-entity)
|
||||
- [Read files and SSRF using document](#read-files-and-ssrf-using-document)
|
||||
@ -13,7 +15,7 @@
|
||||
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
|
||||
- [Remote Code Execution with Java](#remote-code-execution-with-java)
|
||||
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
|
||||
- [References](#references)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
|
@ -4,29 +4,42 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
|
||||
|
||||
## Summary
|
||||
|
||||
- [Exploit code or POC](#exploit-code-or-poc)
|
||||
- [Cross Site Scripting](#cross-site-scripting)
|
||||
- [Summary](#summary)
|
||||
- [Exploit code or POC](#exploit-code-or-poc)
|
||||
- [Data grabber for XSS](#data-grabber-for-xss)
|
||||
- [CORS](#cors)
|
||||
- [UI redressing](#ui-redressing)
|
||||
- [Javascript keylogger](#javascript-keylogger)
|
||||
- [Other ways](#other-ways)
|
||||
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
|
||||
- [XSS in HTML/Applications](#xss-in-htmlapplications)
|
||||
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
|
||||
- [Tools](#tools)
|
||||
- [XSS in HTML/Applications](#xss-in-htmlapplications)
|
||||
- [Common Payloads](#common-payloads)
|
||||
- [XSS using HTML5 tags](#xss-using-html5-tags)
|
||||
- [XSS using a remote JS](#xss-using-a-remote-js)
|
||||
- [XSS in hidden input](#xss-in-hidden-input)
|
||||
- [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized)
|
||||
- [DOM based XSS](#dom-based-xss)
|
||||
- [XSS in JS Context](#xss-in-js-context)
|
||||
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
|
||||
- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
|
||||
- [XSS in PostMessage](#xss-in-postmessage)
|
||||
- [Blind XSS](#blind-xss)
|
||||
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
|
||||
- [XSS in files](#xss-in-files)
|
||||
- [XSS in XML](#xss-in-xml)
|
||||
- [XSS in SVG](#xss-in-svg)
|
||||
- [XSS in SVG (short)](#xss-in-svg-short)
|
||||
- [XSS in Markdown](#xss-in-markdown)
|
||||
- [XSS in SWF flash application](#xss-in-swf-flash-application)
|
||||
- [XSS in SWF flash application](#xss-in-swf-flash-application-1)
|
||||
- [XSS in CSS](#xss-in-css)
|
||||
- [XSS in PostMessage](#xss-in-postmessage)
|
||||
- [Blind XSS](#blind-xss)
|
||||
- [XSS Hunter](#xss-hunter)
|
||||
- [Other Blind XSS tools](#other-blind-xss-tools)
|
||||
- [Blind XSS endpoint](#blind-xss-endpoint)
|
||||
- [Mutated XSS](#mutated-xss)
|
||||
- [Polyglot XSS](#polyglot-xss)
|
||||
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
|
||||
- [Tips](#tips)
|
||||
- [Mutated XSS](#mutated-xss)
|
||||
- [Polyglot XSS](#polyglot-xss)
|
||||
- [Filter Bypass and exotic payloads](#filter-bypass-and-exotic-payloads)
|
||||
- [Bypass case sensitive](#bypass-case-sensitive)
|
||||
- [Bypass tag blacklist](#bypass-tag-blacklist)
|
||||
- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
|
||||
@ -61,8 +74,30 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
|
||||
- [Bypass using BOM](#bypass-using-bom)
|
||||
- [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
|
||||
- [Bypass using jsfuck](#bypass-using-jsfuck)
|
||||
- [CSP Bypass](#csp-bypass)
|
||||
- [Common WAF Bypass](#common-waf-bypass)
|
||||
- [CSP Bypass](#csp-bypass)
|
||||
- [Bypass CSP using JSONP from Google (Trick by @apfeifer27)](#bypass-csp-using-jsonp-from-google-trick-by-apfeifer27)
|
||||
- [Bypass CSP by lab.wallarm.com](#bypass-csp-by-labwallarmcom)
|
||||
- [Bypass CSP by Rhynorater](#bypass-csp-by-rhynorater)
|
||||
- [Bypass CSP by @akita_zen](#bypass-csp-by-akita_zen)
|
||||
- [Bypass CSP by @404death](#bypass-csp-by-404death)
|
||||
- [Common WAF Bypass](#common-waf-bypass)
|
||||
- [Cloudflare XSS Bypasses by @Bohdan Korzhynskyi](#cloudflare-xss-bypasses-by-bohdan-korzhynskyi)
|
||||
- [25st January 2021](#25st-january-2021)
|
||||
- [21st April 2020](#21st-april-2020)
|
||||
- [22nd August 2019](#22nd-august-2019)
|
||||
- [5th June 2019](#5th-june-2019)
|
||||
- [3rd June 2019](#3rd-june-2019)
|
||||
- [Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)](#cloudflare-xss-bypass---22nd-march-2019-by-rakeshmane10)
|
||||
- [Cloudflare XSS Bypass - 27th February 2018](#cloudflare-xss-bypass---27th-february-2018)
|
||||
- [Chrome Auditor - 9th August 2018](#chrome-auditor---9th-august-2018)
|
||||
- [Incapsula WAF Bypass by @Alra3ees- 8th March 2018](#incapsula-waf-bypass-by-alra3ees--8th-march-2018)
|
||||
- [Incapsula WAF Bypass by @c0d3G33k - 11th September 2018](#incapsula-waf-bypass-by-c0d3g33k---11th-september-2018)
|
||||
- [Incapsula WAF Bypass by @daveysec - 11th May 2019](#incapsula-waf-bypass-by-daveysec---11th-may-2019)
|
||||
- [Akamai WAF Bypass by @zseano - 18th June 2018](#akamai-waf-bypass-by-zseano---18th-june-2018)
|
||||
- [Akamai WAF Bypass by @s0md3v - 28th October 2018](#akamai-waf-bypass-by-s0md3v---28th-october-2018)
|
||||
- [WordFence WAF Bypass by @brutelogic - 12th September 2018](#wordfence-waf-bypass-by-brutelogic---12th-september-2018)
|
||||
- [Fortiweb WAF Bypass by @rezaduty - 9th July 2019](#fortiweb-waf-bypass-by-rezaduty---9th-july-2019)
|
||||
- [References](#references)
|
||||
|
||||
|
||||
|
||||
@ -134,7 +169,7 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all]
|
||||
|
||||
## Identify an XSS endpoint
|
||||
|
||||
This payload opens the debugger in the developper console rather than triggering a popup alert box.
|
||||
This payload opens the debugger in the developer console rather than triggering a popup alert box.
|
||||
|
||||
```javascript
|
||||
<script>debugger;</script>
|
||||
@ -154,7 +189,7 @@ Better payload replacing `<script>alert(1)</script>`:
|
||||
<script>alert(document.domain.concat("\n").concat(window.origin))</script>
|
||||
```
|
||||
|
||||
While `alert()` is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so `console.log()` can be used instead to display a message in the console of the developper console (doesn't require any interaction).
|
||||
While `alert()` is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so `console.log()` can be used instead to display a message in the console of the developer console (doesn't require any interaction).
|
||||
|
||||
Example:
|
||||
|
||||
|
@ -25,7 +25,7 @@ Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
|
||||
|
||||
Explanation of the vulnerability
|
||||
|
||||
> The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
|
||||
> The Meta element forces IE’s document mode into IE7 compatible which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
|
||||
> A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
|
||||
|
||||
Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
|
||||
|
Loading…
Reference in New Issue
Block a user