From 6456c7762e817d7546f05dee827c98d24c172642 Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 7 Feb 2023 10:56:16 +0000 Subject: [PATCH] GITBOOK-3770: No subject --- SUMMARY.md | 2 +- .../pentesting-smtp/README.md | 22 ++- .../xss-cross-site-scripting/README.md | 182 ++++++++++++++---- .../other-js-tricks.md | 162 +++++++++------- 4 files changed, 248 insertions(+), 120 deletions(-) diff --git a/SUMMARY.md b/SUMMARY.md index 22d317c6d..dad3f5594 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -577,7 +577,7 @@ * [Dom Clobbering](pentesting-web/xss-cross-site-scripting/dom-clobbering.md) * [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md) * [Iframes in XSS, CSP and SOP](pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md) - * [Other JS Tricks](pentesting-web/xss-cross-site-scripting/other-js-tricks.md) + * [Misc JS Tricks & Relevant Info](pentesting-web/xss-cross-site-scripting/other-js-tricks.md) * [PDF Injection](pentesting-web/xss-cross-site-scripting/pdf-injection.md) * [Server Side XSS (Dynamic PDF)](pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md) * [SOME - Same Origin Method Execution](pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md) diff --git a/network-services-pentesting/pentesting-smtp/README.md b/network-services-pentesting/pentesting-smtp/README.md index a919236c7..4455be66f 100644 --- a/network-services-pentesting/pentesting-smtp/README.md +++ b/network-services-pentesting/pentesting-smtp/README.md @@ -2,13 +2,13 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -266,6 +266,11 @@ A **complete guide of these countermeasures** can be found in [https://seanthege ### SPF +{% hint style="danger" %} +SPF [was "deprecated" in 2014](https://aws.amazon.com/premiumsupport/knowledge-center/route53-spf-record/). This means that instead of creating a **TXT record** in `_spf.domain.com` you create it in `domain.com` using the **same syntax**.\ +Moreover, to reuse previous spf records it's quiet common to find something like `"v=spf1 include:_spf.google.com ~all"` +{% endhint %} + **Sender Policy Framework** (SPF) provides a mechanism that allows MTAs to check if a host sending an email is authorized.\ Then, the organisations can define a list of authorised mail servers and the MTAs can query for this lists to check if the email was spoofed or not.\ In order to define IP addresses/ranges, domains and others that are **allowed to send email on behalf a domain name**, different "**Mechanism**" cam appear in the SPF registry. @@ -405,12 +410,12 @@ nmap -p25 --script smtp-open-relay 10.10.10.10 -v ### Send Spoof Email * [**https://www.mailsploit.com/index**](https://www.mailsploit.com/index) -* ****[**http://www.anonymailer.net/**](http://www.anonymailer.net)**** -* [**https://emkei.cz/**](https://emkei.cz/)**** +* [**http://www.anonymailer.net/**](http://www.anonymailer.net) +* [**https://emkei.cz/**](https://emkei.cz/)\*\*\*\* **Or you could use a tool:** -* [**https://github.com/magichk/magicspoofing**](https://github.com/magichk/magicspoofing)**** +* [**https://github.com/magichk/magicspoofing**](https://github.com/magichk/magicspoofing)\*\*\*\* ```bash # This will send a test email from test@victim.com to destination@gmail.com @@ -447,7 +452,8 @@ K9B7U1w0CJFUk6+4Qutr2ROqKtNOff9KuNRLAOiAzH3ZbQ== {% tabs %} {% tab title="PHP" %}
# This will send an unsigned message
-mail("your_email@gmail.com", "Test Subject!", "hey! This is a test", "From: administrator@victim.com");
+mail("your_email@gmail.com", "Test Subject!", "hey! This is a test", "From: administrator@victim.com"); + {% endtab %} {% tab title="Python" %} @@ -596,12 +602,12 @@ Entry_8:
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md index 9c9e66c60..db2ff3046 100644 --- a/pentesting-web/xss-cross-site-scripting/README.md +++ b/pentesting-web/xss-cross-site-scripting/README.md @@ -1,18 +1,6 @@ # XSS (Cross Site Scripting) -
- -πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ - -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). - -
- - + / **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! @@ -87,6 +75,13 @@ In this case your input is reflected between **``** tags * `';-alert(1)//` * `\';alert(1)//` * If reflected inside template literals you can **embed JS expressions** using `${ ... }` syntax: `` var greetings = `Hello, ${alert(1)}` `` +* **Unicode encode** works to write **valid javascript code**: + +```javascript +\u{61}lert(1) +\u0061lert(1) +\u{0061}lert(1) +``` #### Javascript Hoisting @@ -496,7 +491,13 @@ T**he XSS payload will be something like this: `" accesskey="x" onclick="alert(1 ### Blacklist Bypasses -Several tricks with using different encoding were exposed already inside this section. Go **back to learn where can you use HTML encoding, Unicode encoding, URL encoding, Hex and Octal encoding and even data encoding**. +Several tricks with using different encoding were exposed already inside this section. Go **back to learn where can you use:** + +* **HTML encoding (HTML tags)** +* **Unicode encoding (can be valid JS code):** `\u0061lert(1)` +* **URL encoding** +* **Hex and Octal encoding** +* **data encoding** **Bypasses for HTML tags and attributes** 
@@ -555,7 +556,18 @@ If `<>` are being sanitised you can still **escape the string** where your input In order to construct **strings** apart from single and double quotes JS also accepts **backticks** **` `` `** . This is known as template literals as they allow to **embedded JS expressions** using `${ ... }` syntax.\ Therefore, if you find that your input is being **reflected** inside a JS string that is using backticks, you can abuse the syntax `${ ... }` to execute **arbitrary JS code**: -This can be **abused** using: `${alert(1)}` +This can be **abused** using: + +```javascript +`${alert(1)}` +`${`${`${`${alert(1)}`}`}`}` +``` + +```````````````javascript +// This is valid JS code, because each time the function returns itself it's recalled with `` +function loop(){return loop} +loop`````````````` +``````````````` ### Encoded code execution @@ -566,6 +578,14 @@ This can be **abused** using: `${alert(1)}`
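Review bot: hunk `@@ -1,18 +1,6 @@` deletes the entire HackTricks header block from the XSS README, while the same commit keeps that block in the SMTP README and even fixes its `**hacktricks repo**` bold markup. If dropping it so the Intigriti banner opens the page is intentional, say so in the commit message; otherwise restore the block with the same bold fix applied in the SMTP file.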
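Review bot: the new "Unicode encode works to write valid javascript code" bullet (hunk `@@ -87,6 +75,13 @@`, and the matching `\u0061lert(1)` entry added to the Blacklist Bypasses list in `@@ -496,7 +491,13 @@`) should state where the trick applies, or readers will try it in the wrong place. `\u0061lert(1)` and `\u{61}lert(1)` work because JavaScript accepts `\uXXXX` and, since ES2015, `\u{...}` escapes inside identifier names, so a filter that blocks the literal string `alert` misses them; the escapes cannot spell keywords, operators or punctuation (`\u0028` is not an opening parenthesis), and inside a string literal they only produce the character, which becomes code solely if that string is later passed to `eval`, `setTimeout` or similar. One sentence to that effect next to the three examples would make the bullet accurate.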
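Review bot: in hunk `@@ -555,7 +556,18 @@` the `loop` example is fenced with a long run of backticks purely so the body's own run of backticks does not close the block; that is hard to read and easy to break when the block is next edited, and a tilde fence (`~~~javascript` ... `~~~`) avoids the problem entirely. The comment should also say what the reader is looking at: `loop` returns itself, so each tagged-template invocation yields the same function and the following pair of backticks calls it again, which is why the chain is valid. Since this is the first place the section uses tagged templates, it is worth adding the practical payoff, that a tagged template invokes a function without `(` and `)`, so `` alert`1` `` fires when parentheses are filtered. Finally, `This can be **abused** using:` now introduces a fenced block rather than an inline payload, so it should read as a full sentence, e.g. `This can be abused with any of the following (the nested form shows that template literals can be chained):`.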