diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md index 4594fd093..7d8b02b2b 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md @@ -1,8 +1,8 @@ # PHP Tricks {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -362,6 +362,15 @@ phpinfo(); ``` +## PHP Sanitization bypass & Brain Fuck + +[**In this post**](https://blog.redteam-pentesting.de/2024/moodle-rce/) it's possible to find great ideas to generate a brain fuck PHP code with very few chars being allowed.\ +Moreover it's also proposed an interesting way to execute functions that allowed them to bypass several checks: + +```php +(1)->{system($_GET[chr(97)])} +``` + ## PHP Static analysis Look if you can insert code in calls to these functions (from [here](https://www.youtube.com/watch?v=SyWUsN0yHKI\&feature=youtu.be)): @@ -516,8 +525,8 @@ $___($_[_]); // ASSERT($_POST[_]); {% embed url="https://websec.nl/" %} {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
diff --git a/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md b/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md index 099ebf938..b6c4df3d7 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md +++ b/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md @@ -1,8 +1,8 @@ # URL Format Bypass {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -172,6 +172,10 @@ https://metadata/expected/path/..%2f..%2f/vulnerable/path The tool [**recollapse**](https://github.com/0xacb/recollapse) can generate variations from a given input to try to bypass the used regex. Check [**this post**](https://0xacb.com/2022/11/21/recollapse/) also for more information. +### Automatic Custom Wordlists + +Check out the [**URL validation bypass cheat sheet** webapp](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) from portswigger were you can introduce the allowed host and the attacekrs one and it'll generate a list of URLs to try for you. It also considers if you can use the URL in a parameter, in a Host header or in a CORS header. + ### Bypass via redirect It might be possible that the server is **filtering the original request** of a SSRF **but not** a possible **redirect** response to that request.\ @@ -218,10 +222,9 @@ image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing- * [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25) * [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md) - {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)