mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
fix: Fix spelling
This commit is contained in:
parent
55c9689487
commit
fc1f3b25a7
14 changed files with 174 additions and 135 deletions
6
BOOKS.md
6
BOOKS.md
|
@ -20,9 +20,9 @@
|
|||
- [OWASP Testing Guide: Stable](https://owasp.org/www-project-web-security-testing-guide/stable/)
|
||||
- [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman (2014)](https://nostarch.com/pentesting)
|
||||
- [Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments by Matt Burrough (2018)](https://nostarch.com/azure)
|
||||
- [Pratical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis)
|
||||
- [Pratical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging)
|
||||
- [Pratical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking)
|
||||
- [Practical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis)
|
||||
- [Practical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging)
|
||||
- [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking)
|
||||
- [Practical Doomsday: A User's Guide to the End of the World by Michal Zalewski (2022)](https://nostarch.com/practical-doomsday)
|
||||
- [Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray (2022)](https://nostarch.com/practical-social-engineering)
|
||||
- [Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski (2019)](https://nostarch.com/bughunting)
|
||||
|
|
|
@ -6,30 +6,41 @@
|
|||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Basic LFI](#basic-lfi)
|
||||
* [Null byte](#null-byte)
|
||||
* [Double encoding](#double-encoding)
|
||||
* [UTF-8 encoding](#utf-8-encoding)
|
||||
* [Path and dot truncation](#path-and-dot-truncation)
|
||||
* [Filter bypass tricks](#filter-bypass-tricks)
|
||||
* [Basic RFI](#basic-rfi)
|
||||
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
||||
* [Wrapper php://filter](#wrapper-phpfilter)
|
||||
* [Wrapper zip://](#wrapper-zip)
|
||||
* [Wrapper data://](#wrapper-data)
|
||||
* [Wrapper expect://](#wrapper-expect)
|
||||
* [Wrapper input://](#wrapper-input)
|
||||
* [Wrapper phar://](#wrapper-phar)
|
||||
* [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
|
||||
* [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
|
||||
* [LFI to RCE via upload](#lfi-to-rce-via-upload)
|
||||
* [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
|
||||
* [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
|
||||
* [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
|
||||
* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
|
||||
* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
|
||||
* [LFI to RCE via credentials files](#lfi-o-rce-via-credentials-files)
|
||||
- [File Inclusion](#file-inclusion)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Basic LFI](#basic-lfi)
|
||||
- [Null byte](#null-byte)
|
||||
- [Double encoding](#double-encoding)
|
||||
- [UTF-8 encoding](#utf-8-encoding)
|
||||
- [Path and dot truncation](#path-and-dot-truncation)
|
||||
- [Filter bypass tricks](#filter-bypass-tricks)
|
||||
- [Basic RFI](#basic-rfi)
|
||||
- [Null byte](#null-byte-1)
|
||||
- [Double encoding](#double-encoding-1)
|
||||
- [Bypass allow_url_include](#bypass-allow_url_include)
|
||||
- [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
||||
- [Wrapper php://filter](#wrapper-phpfilter)
|
||||
- [Wrapper zip://](#wrapper-zip)
|
||||
- [Wrapper data://](#wrapper-data)
|
||||
- [Wrapper expect://](#wrapper-expect)
|
||||
- [Wrapper input://](#wrapper-input)
|
||||
- [Wrapper phar://](#wrapper-phar)
|
||||
- [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
|
||||
- [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
|
||||
- [LFI to RCE via upload](#lfi-to-rce-via-upload)
|
||||
- [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
|
||||
- [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
|
||||
- [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
|
||||
- [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
|
||||
- [RCE via SSH](#rce-via-ssh)
|
||||
- [RCE via Mail](#rce-via-mail)
|
||||
- [RCE via Apache logs](#rce-via-apache-logs)
|
||||
- [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
|
||||
- [LFI to RCE via credentials files](#lfi-to-rce-via-credentials-files)
|
||||
- [Windows version](#windows-version)
|
||||
- [Linux version](#linux-version)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
|
@ -444,4 +455,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
|
|||
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
|
||||
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
|
||||
* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
|
||||
* [PHP LFI to arbitratry code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
|
||||
* [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
|
||||
|
|
|
@ -5,19 +5,22 @@
|
|||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploit](#exploit)
|
||||
* [Identify an injection point](#identify-an-injection-point)
|
||||
* [Enumerate Database Schema via Instropection](#enumerate-database-schema-via-introspection)
|
||||
* [Extract data](#extract-data)
|
||||
* [Extract data using edges/nodes](#extract-data-using-edges-nodes)
|
||||
* [Extract data using projections](#extract-data-using-projections)
|
||||
* [Enumerate the types' definition](#enumerate-the-type-definition)
|
||||
* [Use mutations](#use-mutations)
|
||||
* [NOSQL injection](#nosql-injection)
|
||||
* [SQL injection](#sql-injection)
|
||||
* [GraphQL Batching Attacks](#graphql-batching-attacks)
|
||||
* [References](#references)
|
||||
- [GraphQL injection](#graphql-injection)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Exploit](#exploit)
|
||||
- [Identify an injection point](#identify-an-injection-point)
|
||||
- [Enumerate Database Schema via Introspection](#enumerate-database-schema-via-introspection)
|
||||
- [List path](#list-path)
|
||||
- [Extract data](#extract-data)
|
||||
- [Extract data using edges/nodes](#extract-data-using-edgesnodes)
|
||||
- [Extract data using projections](#extract-data-using-projections)
|
||||
- [Enumerate the types' definition](#enumerate-the-types-definition)
|
||||
- [Use mutations](#use-mutations)
|
||||
- [NOSQL injection](#nosql-injection)
|
||||
- [SQL injection](#sql-injection)
|
||||
- [GraphQL Batching Attacks](#graphql-batching-attacks)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
## Summary
|
||||
|
||||
HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value¶m1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurance, some taking the last occurance, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
|
||||
HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value¶m1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurrence, some taking the last occurrence, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
|
||||
|
||||
|
||||
## Tools
|
||||
|
@ -22,7 +22,7 @@ Origin Service - Reads second param. In this scenario, developer trusted WAF and
|
|||
Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.)
|
||||
```
|
||||
|
||||
### Table of refence for which technology reads which parameter
|
||||
### Table of reference for which technology reads which parameter
|
||||
When ?par1=a&par1=b
|
||||
| Technology | Parsing Result |outcome (par1=)|
|
||||
| ------------------ |--------------- |:-------------:|
|
||||
|
@ -41,7 +41,7 @@ When ?par1=a&par1=b
|
|||
| IBM HTTP Server |First occurrence |a |
|
||||
| Perl CGI/Apache |First occurrence |a |
|
||||
| mod_wsgi (Python)/Apache |First occurrence |a |
|
||||
| Python/Zope |All occurences in array |['a','b'] |
|
||||
| Python/Zope |All occurrences in array |['a','b'] |
|
||||
|
||||
## References
|
||||
- [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/)
|
||||
|
|
|
@ -4,17 +4,20 @@
|
|||
|
||||
## Summary
|
||||
|
||||
- [Tools](#tools)
|
||||
- [JWT Format](#jwt-format)
|
||||
- [JWT - JSON Web Token](#jwt---json-web-token)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [JWT Format](#jwt-format)
|
||||
- [Header](#header)
|
||||
- [Payload](#payload)
|
||||
- [JWT Signature - None algorithm](#jwt-signature---none-algorithm)
|
||||
- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256)
|
||||
- [Breaking JWT's secret](#breaking-jwts-secret)
|
||||
- [JWT Tool](#jwt-tool)
|
||||
- [JWT Signature - None algorithm](#jwt-signature---none-algorithm)
|
||||
- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256)
|
||||
- [Breaking JWT's secret](#breaking-jwts-secret)
|
||||
- [JWT tool](#jwt-tool)
|
||||
- [JWT cracker](#jwt-cracker)
|
||||
- [Hashcat](#hashcat)
|
||||
- [References](#references)
|
||||
- [CVE](#cve)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
|
@ -241,7 +244,7 @@ Please select an option from above (1-4):
|
|||
Please enter the known key:
|
||||
> secret
|
||||
|
||||
Please enter the keylength:
|
||||
Please enter the key length:
|
||||
[1] HMAC-SHA256
|
||||
[2] HMAC-SHA384
|
||||
[3] HMAC-SHA512
|
||||
|
|
|
@ -1,15 +1,17 @@
|
|||
# Open URL Redirection
|
||||
|
||||
> Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
|
||||
> Un-validated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Un-validated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
|
||||
|
||||
## Summary
|
||||
|
||||
- [Exploitation](#exploitation)
|
||||
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
|
||||
- [Fuzzing](#fuzzing)
|
||||
- [Filter Bypass](#filter-bypass)
|
||||
- [Common injection parameters](#common-injection-parameters)
|
||||
- [References](#references)
|
||||
- [Open URL Redirection](#open-url-redirection)
|
||||
- [Summary](#summary)
|
||||
- [Exploitation](#exploitation)
|
||||
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
|
||||
- [Fuzzing](#fuzzing)
|
||||
- [Filter Bypass](#filter-bypass)
|
||||
- [Common injection parameters](#common-injection-parameters)
|
||||
- [References](#references)
|
||||
|
||||
## Exploitation
|
||||
|
||||
|
@ -25,7 +27,7 @@ What happens if we change the `famous-website.tld/account` to `evil-website.tld`
|
|||
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
|
||||
```
|
||||
|
||||
By visiting this url, if we get redirected to `evil-website.tld` after the signup, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
|
||||
By visiting this url, if we get redirected to `evil-website.tld` after the sign-up, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
|
||||
|
||||
|
||||
## HTTP Redirection Status Code - 3xx
|
||||
|
|
|
@ -4,9 +4,12 @@
|
|||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Turbo Intruder Examples](#turbo-intruder-examples)
|
||||
* [References](#references)
|
||||
- [Race Condition](#race-condition)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Turbo Intruder Examples](#turbo-intruder-examples)
|
||||
- [Turbo Intruder 2 Requests Examples](#turbo-intruder-2-requests-examples)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
|
@ -42,7 +45,7 @@
|
|||
4. Click "Attack"
|
||||
|
||||
## Turbo Intruder 2 Requests Examples
|
||||
This follwoing template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
|
||||
This following template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
|
||||
```python
|
||||
def queueRequests(target, wordlists):
|
||||
engine = RequestEngine(endpoint=target.endpoint,
|
||||
|
|
|
@ -6,7 +6,7 @@ Attempting to manipulate SQL queries may have goals including:
|
|||
- Information Leakage
|
||||
- Disclosure of stored data
|
||||
- Manipulation of stored data
|
||||
- Bypassing authorisation controls
|
||||
- Bypassing authorization controls
|
||||
|
||||
## Summary
|
||||
|
||||
|
|
|
@ -4,59 +4,74 @@
|
|||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Methodology](#methodology)
|
||||
* [ASP.NET Razor](#aspnet-razor)
|
||||
* [Basic injection](#aspnet-razor---basic-injection)
|
||||
* [Command execution](#aspnet-razor---command-execution)
|
||||
* [Expression Language EL](#expression-language-el)
|
||||
* [Basic injection](#expression-language-el---basic-injection)
|
||||
* [Code execution](#expression-language-el---code-execution)
|
||||
* [Freemarker](#freemarker)
|
||||
* [Basic injection](#freemarker---basic-injection)
|
||||
* [Code execution](#freemarker---code-execution)
|
||||
* [Groovy](#groovy)
|
||||
* [Basic injection](#groovy---basic-injection)
|
||||
* [Read/Create file](#groovy---read-and-create-file)
|
||||
* [HTTP Request](#groovy---http-request)
|
||||
* [Command execution](#groovy---command-execution)
|
||||
* [Sandbox bypass](#groovy---sandbox-bypass)
|
||||
* [Handlebars](#handlebars)
|
||||
* [Jade / Codepen](#jade--codepen)
|
||||
* [Java](#java)
|
||||
* [Basic injection](#java---basic-injection)
|
||||
* [Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables)
|
||||
* [Retrieve /etc/passwd](#java---retrieve-etcpasswd)
|
||||
* [Jinja2](#jinja2)
|
||||
* [Basic injection](#jinja2---basic-injection)
|
||||
* [Template format](#jinja2---template-format)
|
||||
* [Debug Statement](#jinja2---debug-statement)
|
||||
* [Dump all used classes](#jinja2---dump-all-used-classes)
|
||||
* [Dump all config variables](#jinja2---dump-all-config-variables)
|
||||
* [Read remote file](#jinja2---read-remote-file)
|
||||
* [Write into remote file](#jinja2---write-into-remote-file)
|
||||
* [Remote Code Execution](#jinja2---remote-code-execution)
|
||||
* [Filter bypass](#jinja2---filter-bypass)
|
||||
* [Jinjava](#jinjava)
|
||||
* [Basic injection](#jinjava---basic-injection)
|
||||
* [Command execution](#jinjava---command-execution)
|
||||
* [Lessjs](#lessjs)
|
||||
* [Mako](#mako)
|
||||
* [Pebble](#pebble)
|
||||
* [Basic injection](#pebble---basic-injection)
|
||||
* [Code execution](#pebble---code-execution)
|
||||
* [Ruby](#ruby)
|
||||
* [Basic injections](#ruby---basic-injections)
|
||||
* [Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
|
||||
* [List files and directories](#ruby---list-files-and-directories)
|
||||
* [Smarty](#smarty)
|
||||
* [Twig](#twig)
|
||||
* [Basic injection](#twig---basic-injection)
|
||||
* [Template format](#twig---template-format)
|
||||
* [Arbitrary File Reading](#twig---arbitrary-file-reading)
|
||||
* [Code execution](#twig---code-execution)
|
||||
* [Velocity](#velocity)
|
||||
* [References](#references)
|
||||
- [Templates Injections](#templates-injections)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Methodology](#methodology)
|
||||
- [ASP.NET Razor](#aspnet-razor)
|
||||
- [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection)
|
||||
- [ASP.NET Razor - Command execution](#aspnet-razor---command-execution)
|
||||
- [Expression Language EL](#expression-language-el)
|
||||
- [Expression Language EL - Basic injection](#expression-language-el---basic-injection)
|
||||
- [Expression Language EL - One-Liner injections not including code execution](#expression-language-el---one-liner-injections-not-including-code-execution)
|
||||
- [Expression Language EL - Code Execution](#expression-language-el---code-execution)
|
||||
- [Freemarker](#freemarker)
|
||||
- [Freemarker - Basic injection](#freemarker---basic-injection)
|
||||
- [Freemarker - Read File](#freemarker---read-file)
|
||||
- [Freemarker - Code execution](#freemarker---code-execution)
|
||||
- [Freemarker - Sandbox bypass](#freemarker---sandbox-bypass)
|
||||
- [Groovy](#groovy)
|
||||
- [Groovy - Basic injection](#groovy---basic-injection)
|
||||
- [Groovy - Read and create File](#groovy---read-and-create-file)
|
||||
- [Groovy - HTTP request:](#groovy---http-request)
|
||||
- [Groovy - Command Execution](#groovy---command-execution)
|
||||
- [Groovy - Sandbox Bypass](#groovy---sandbox-bypass)
|
||||
- [Handlebars](#handlebars)
|
||||
- [Handlebars - Command Execution](#handlebars---command-execution)
|
||||
- [Jade / Codepen](#jade--codepen)
|
||||
- [Java](#java)
|
||||
- [Java - Basic injection](#java---basic-injection)
|
||||
- [Java - Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables)
|
||||
- [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd)
|
||||
- [Jinja2](#jinja2)
|
||||
- [Jinja2 - Basic injection](#jinja2---basic-injection)
|
||||
- [Jinja2 - Template format](#jinja2---template-format)
|
||||
- [Jinja2 - Debug Statement](#jinja2---debug-statement)
|
||||
- [Jinja2 - Dump all used classes](#jinja2---dump-all-used-classes)
|
||||
- [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables)
|
||||
- [Jinja2 - Read remote file](#jinja2---read-remote-file)
|
||||
- [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
|
||||
- [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution)
|
||||
- [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
|
||||
- [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
|
||||
- [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
|
||||
- [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
|
||||
- [Jinja2 - Filter bypass](#jinja2---filter-bypass)
|
||||
- [Jinjava](#jinjava)
|
||||
- [Jinjava - Basic injection](#jinjava---basic-injection)
|
||||
- [Jinjava - Command execution](#jinjava---command-execution)
|
||||
- [Lessjs](#lessjs)
|
||||
- [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
|
||||
- [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
|
||||
- [Plugins](#plugins)
|
||||
- [Mako](#mako)
|
||||
- [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)
|
||||
- [Pebble](#pebble)
|
||||
- [Pebble - Basic injection](#pebble---basic-injection)
|
||||
- [Pebble - Code execution](#pebble---code-execution)
|
||||
- [Ruby](#ruby)
|
||||
- [Ruby - Basic injections](#ruby---basic-injections)
|
||||
- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
|
||||
- [Ruby - List files and directories](#ruby---list-files-and-directories)
|
||||
- [Ruby - Code execution](#ruby---code-execution)
|
||||
- [Smarty](#smarty)
|
||||
- [Twig](#twig)
|
||||
- [Twig - Basic injection](#twig---basic-injection)
|
||||
- [Twig - Template format](#twig---template-format)
|
||||
- [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
|
||||
- [Twig - Code execution](#twig---code-execution)
|
||||
- [Velocity](#velocity)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
|
@ -130,7 +145,7 @@ ${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".g
|
|||
#{session.getAttribute("rtc").setAccessible(true)}
|
||||
#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")}
|
||||
|
||||
// Method using processbuilder
|
||||
// Method using process builder
|
||||
${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
|
||||
${request.getAttribute("c").add("cmd.exe")}
|
||||
${request.getAttribute("c").add("/k")}
|
||||
|
|
|
@ -61,7 +61,7 @@ If we can make the calculated hash string Zero-like, and provide "0" in the $coo
|
|||
```
|
||||
|
||||
We have control over 3 elements in the cookie:
|
||||
- $username - username you are targetting, probably "admin"
|
||||
- $username - username you are targeting, probably "admin"
|
||||
- $hmac - the provided hash, "0"
|
||||
- $expiration - a UNIX timestamp, must be in the future
|
||||
|
||||
|
@ -104,5 +104,5 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
|
|||
## References
|
||||
|
||||
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
|
||||
* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
||||
* [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
||||
* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
|
||||
|
|
|
@ -26,7 +26,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
|||
|
||||
## Methodology 2
|
||||
|
||||
1. Find an unkeyed input for a Cache Poisoning
|
||||
1. Find an un-keyed input for a Cache Poisoning
|
||||
```js
|
||||
Values: User-Agent
|
||||
Values: Cookie
|
||||
|
@ -37,7 +37,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
|||
Header: X-Original-URL (Symfony)
|
||||
Header: X-Rewrite-URL (Symfony)
|
||||
```
|
||||
2. Cache poisoning attack - Example for `X-Forwarded-Host` unkeyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
|
||||
2. Cache poisoning attack - Example for `X-Forwarded-Host` un-keyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
|
||||
```js
|
||||
GET /test?buster=123 HTTP/1.1
|
||||
Host: target.com
|
||||
|
|
|
@ -1,19 +1,21 @@
|
|||
# XSLT Injection
|
||||
|
||||
> Processing an unvalidated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
|
||||
> Processing an un-validated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
|
||||
|
||||
## Summary
|
||||
|
||||
- [Tools](#tools)
|
||||
- [Exploit](#exploit)
|
||||
- [Determine the vendor and version](#determine-the-vendor-and-version)
|
||||
- [External Entity](#external-entity)
|
||||
- [Read files and SSRF using document](#read-files-and-ssrf-using-document)
|
||||
- [Remote Code Execution with Embedded Script Blocks](#remote-code-execution-with-embedded-script-blocks)
|
||||
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
|
||||
- [Remote Code Execution with Java](#remote-code-execution-with-java)
|
||||
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
|
||||
- [References](#references)
|
||||
- [XSLT Injection](#xslt-injection)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Exploit](#exploit)
|
||||
- [Determine the vendor and version](#determine-the-vendor-and-version)
|
||||
- [External Entity](#external-entity)
|
||||
- [Read files and SSRF using document](#read-files-and-ssrf-using-document)
|
||||
- [Remote Code Execution with Embedded Script Blocks](#remote-code-execution-with-embedded-script-blocks)
|
||||
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
|
||||
- [Remote Code Execution with Java](#remote-code-execution-with-java)
|
||||
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
|
|
|
@ -25,7 +25,7 @@ Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
|
|||
|
||||
Explanation of the vulnerability
|
||||
|
||||
> The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
|
||||
> The Meta element forces IE’s document mode into IE7 compatible which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
|
||||
> A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
|
||||
|
||||
Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
|
||||
|
|
Loading…
Reference in a new issue