Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-17 06:28:27 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/xss-cross-site-scripting/other-js-tricks.md
Translator workflow 54a7bb5de7 Translated to Swahili
2024-02-11 02:13:58 +00:00

23 KiB
Raw Blame History

Vidokezo vingine vya JS & Habari muhimu

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Fuzzing ya Javascript

Herufi Halali za Maoni ya JS

//This is a 1 line comment
/* This is a multiline comment*/
#!This is a 1 line comment, but "#!" must to be at the beggining of the line
-->This is a 1 line comment, but "-->" must to be at the beggining of the line


for (let j = 0; j < 128; j++) {
for (let k = 0; k < 128; k++) {
for (let l = 0; l < 128; l++) {
if (j == 34 || k ==34 || l ==34)
continue;
if (j == 0x0a || k ==0x0a || l ==0x0a)
continue;
if (j == 0x0d || k ==0x0d || l ==0x0d)
continue;
if (j == 0x3c || k ==0x3c || l ==0x3c)
continue;
if (
(j == 47 && k == 47)
||(k == 47 && l == 47)
)
continue;
try {
var cmd = String.fromCharCode(j) + String.fromCharCode(k) + String.fromCharCode(l) + 'a.orange.ctf"';
eval(cmd);
} catch(e) {
var err = e.toString().split('\n')[0].split(':')[0];
if (err === 'SyntaxError' || err === "ReferenceError")
continue
err = e.toString().split('\n')[0]
}
console.log(err,cmd);
}
}
}
//From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z

// From: Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 43). Kindle Edition.
log=[];
for(let i=0;i<=0xff;i++){
for(let j=0;j<=0xfff;j++){
try {
eval(`${String.fromCodePoint(i,j)}%$£234$`)
log.push([i,j])
}catch(e){}
}
}
console.log(log)//[35,33],[47,47]

Tabia Sahihi za Mstari Mpya za JS

Katika JavaScript, kuna tabia sahihi za mstari mpya ambazo zinaweza kutumika kwa ufanisi katika mashambulizi ya XSS (Cross-Site Scripting). Hapa chini ni orodha ya tabia hizo:

  • \n: Inawakilisha mstari mpya.
  • \r: Inawakilisha kurudi nyuma kwenye mwanzo wa mstari.
  • \u2028: Inawakilisha Unicode Line Separator.
  • \u2029: Inawakilisha Unicode Paragraph Separator.

Kwa kutumia tabia hizi sahihi za mstari mpya, unaweza kujaribu kuvunja usalama wa tovuti na kuingiza msimbo mbaya wa JavaScript. Ni muhimu kutambua kuwa tabia hizi zinaweza kutofautiana kulingana na jukwaa na mazingira ya utekelezaji wa JavaScript.

//Javascript interpret as new line these chars:
String.fromCharCode(10) //0x0a
String.fromCharCode(13) //0x0d
String.fromCharCode(8232) //0xe2 0x80 0xa8
String.fromCharCode(8233) //0xe2 0x80 0xa8

for (let j = 0; j < 65536; j++) {
try {
var cmd = '"aaaaa";'+String.fromCharCode(j) + '-->a.orange.ctf"';
eval(cmd);
} catch(e) {
var err = e.toString().split('\n')[0].split(':')[0];
if (err === 'SyntaxError' || err === "ReferenceError")
continue;
err = e.toString().split('\n')[0]
}
console.log(`[${err}]`,j,cmd);
}
//From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z

Nafasi Halali za JS katika wito wa kazi

Unapojaribu kufanya mashambulizi ya XSS (Cross-Site Scripting), mara nyingi unahitaji kuingiza msimbo wa JavaScript ndani ya kificho cha HTML. Hata hivyo, kuna njia ambazo unaweza kutumia ili kuficha msimbo wako wa JavaScript ili usigunduliwe na filters au scanners.

Moja ya njia hizi ni kutumia nafasi halali za JavaScript katika wito wa kazi. Kwa kawaida, nafasi zote za ziada zinaondolewa wakati wa kuchanganua kificho cha JavaScript. Hata hivyo, kuna nafasi halali ambazo zinaweza kutumiwa bila kusababisha makosa.

Nafasi halali za JavaScript ni pamoja na:

  • Nafasi ya kawaida:
  • Tab: \t
  • Mstari mpya: \n
  • Kurudi nyuma: \r
  • Kichwa cha mshale: \v
  • Kichwa cha mshale kilichopindika: \f
  • Nafasi ya sifuri: \u200b

Unaweza kutumia nafasi hizi halali za JavaScript katika wito wa kazi ili kuficha msimbo wako wa JavaScript na kuepuka kugunduliwa na filters au scanners. Hii inaweza kuwa njia muhimu ya kufanikisha mashambulizi ya XSS.

// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 40-41). Kindle Edition.

// Check chars that can be put in between in func name and the ()
function x(){}

log=[];
for(let i=0;i<=0x10ffff;i++){
try {
eval(`x${String.fromCodePoint(i)}()`)
log.push(i)
}catch(e){}
}

console.log(log)v//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,813 232,8233,8239,8287,12288,65279

Herufi Halali za Kuzalisha Maneno

The following characters can be used to generate strings:

  • Alphabets: A-Z, a-z
  • Numbers: 0-9
  • Special characters: ! @ # $ % ^ & * ( ) - _ = + [ ] { } | \ : ; " ' < > , . ? / ` ~

Herufi zifuatazo zinaweza kutumika kuzalisha maneno:

  • Herufi za alfabeti: A-Z, a-z
  • Nambari: 0-9
  • Herufi maalum: ! @ # $ % ^ & * ( ) - _ = + [ ] { } | \ : ; " ' < > , . ? / ` ~
// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 41-42). Kindle Edition.

// Check which pairs of chars can make something be a valid string
log=[];
for(let i=0;i<=0x10ffff;i++){
try {
eval(`${String.fromCodePoint(i)}%$£234${String.fromCodePoint(i)}`)
log.push(i)
}catch(e){}
}
console.log(log) //34,39,47,96
//single quote, quotes, backticks & // (regex)

Surrogate Pairs BF

Tekniki hii haitakuwa na faida sana kwa XSS lakini inaweza kuwa na faida ya kuzunguka ulinzi wa WAF. Msimbo huu wa python unapokea kama kuingiza 2bytes na inatafuta jozi za mbadala ambazo zina byte ya kwanza kama byte ya mwisho ya jozi ya mbadala ya juu na byte ya mwisho kama byte ya mwisho ya jozi ya mbadala ya chini.

def unicode(findHex):
for i in range(0,0xFFFFF):
H = hex(int(((i - 0x10000) / 0x400) + 0xD800))
h = chr(int(H[-2:],16))
L = hex(int(((i - 0x10000) % 0x400 + 0xDC00)))
l = chr(int(L[-2:],16))
if(h == findHex[0]) and (l == findHex[1]):
print(H.replace("0x","\\u")+L.replace("0x","\\u"))

Maelezo zaidi:

Kufanya Fuzzing kwa Itifaki ya javascript{}:

// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 34). Kindle Edition.
log=[];
let anchor = document.createElement('a');
for(let i=0;i<=0x10ffff;i++){
anchor.href = `javascript${String.fromCodePoint(i)}:`;
if(anchor.protocol === 'javascript:') {
log.push(i);
}
}
console.log(log)//9,10,13,58
// Note that you could BF also other possitions of the use of multiple chars

// Test one option
let anchor = document.createElement('a');
anchor.href = `javascript${String.fromCodePoint(58)}:alert(1337)`;
anchor.append('Click me')
document.body.append(anchor)

// Another way to test
<a href="&#12;javascript:alert(1337)">Test</a>

Kufanya majaribio ya URL

URL Fuzzing ni mbinu ya kufanya majaribio ya URL kwa kuingiza data isiyo halali au ya kipekee ili kugundua udhaifu katika programu ya wavuti. Mbinu hii inaweza kutumiwa kugundua mashimo ya usalama kama vile XSS (Cross-Site Scripting) na SQL injection.

Kuna njia kadhaa za kufanya majaribio ya URL kwa kutumia URL Fuzzing:

  1. Parameter Fuzzing: Kwa kubadilisha thamani ya vigezo katika URL, unaweza kujaribu kugundua udhaifu. Kwa mfano, unaweza kubadilisha thamani ya vigezo kama "id" au "user" na kuingiza data isiyo halali kama herufi zisizo za kawaida au maandishi ya kipekee.

  2. Path Fuzzing: Kwa kubadilisha sehemu ya njia ya URL, unaweza kujaribu kugundua udhaifu. Kwa mfano, unaweza kubadilisha sehemu ya njia kama "/admin" au "/profile" na kuingiza data isiyo halali au ya kipekee.

  3. Extension Fuzzing: Kwa kubadilisha kipengee cha ugani wa faili katika URL, unaweza kujaribu kugundua udhaifu. Kwa mfano, unaweza kubadilisha ugani wa faili kama ".php" au ".html" na kuingiza ugani usio wa kawaida au wa kipekee.

Kwa kufanya majaribio ya URL kwa kutumia URL Fuzzing, unaweza kugundua udhaifu ambao unaweza kutumiwa na wadukuzi kutekeleza mashambulizi ya XSS au SQL injection. Ni muhimu kwa watengenezaji wa programu ya wavuti kufanya majaribio ya usalama kwa kutumia mbinu hii ili kugundua na kurekebisha udhaifu kabla ya kuwa katika hatari ya shambulio.

// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 36-37). Kindle Edition.

// Before the protocol
a=document.createElement('a');
log=[];
for(let i=0;i<=0x10ffff;i++){
a.href = `${String.fromCodePoint(i)}https://hacktricks.xyz`;
if(a.hostname === 'hacktricks.xyz'){
log.push(i);
}
}
console.log(log) //0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32

// Between the slashes
a=document.createElement('a');
log=[];
for(let i=0;i<=0x10ffff;i++){
a.href = `/${String.fromCodePoint(i)}/hacktricks.xyz`;
if(a.hostname === 'hacktricks.xyz'){
log.push(i);
}
}
console.log(log) //9,10,13,47,92

Kufanya majaribio ya HTML

HTML fuzzing ni mbinu ya kujaribu kuvunja usalama wa tovuti kwa kuingiza data isiyo salama au isiyotarajiwa katika vitu vya HTML. Hii inaweza kusababisha matatizo kama vile XSS (Cross-Site Scripting) au matumizi mabaya ya vitu vya HTML.

Kuna njia kadhaa za kufanya majaribio ya HTML fuzzing:

  1. Kuingiza maandishi yasiyotarajiwa: Jaribu kuingiza maandishi yasiyotarajiwa katika vitu vya HTML kama vile mashamba ya fomu, viungo, au maeneo ya maandishi. Kwa mfano, jaribu kuingiza herufi za kipekee, herufi za kigeni, au maandishi yasiyofaa.

  2. Kuingiza herufi maalum: Jaribu kuingiza herufi maalum kama vile alama za punctuation, herufi za kipekee, au herufi za kigeni katika vitu vya HTML. Kwa mfano, jaribu kuingiza alama za punctuation kama vile ishara ya swali (?), ishara ya alama (!), au ishara ya nukta (.) katika maeneo ya maandishi.

  3. Kuingiza kanuni za JavaScript: Jaribu kuingiza kanuni za JavaScript katika vitu vya HTML kama vile mashamba ya fomu au viungo. Hii inaweza kusababisha XSS (Cross-Site Scripting) ikiwa tovuti haijachuja au kuzuia kanuni za JavaScript zisizotarajiwa.

  4. Kuingiza vitambulisho vya HTML: Jaribu kuingiza vitambulisho vya HTML visivyotarajiwa katika vitu vya HTML. Kwa mfano, jaribu kuingiza vitambulisho vya HTML kama vile