mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-23 13:13:41 +00:00
481 lines
17 KiB
Markdown
481 lines
17 KiB
Markdown
# Mbinu za JS Zingine & Taarifa Husika
|
|
|
|
<details>
|
|
|
|
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
|
|
|
* Je, unafanya kazi katika **kampuni ya usalama wa mtandao**? Unataka kuona **kampuni yako ikitangazwa kwenye HackTricks**? au unataka kupata upatikanaji wa **toleo jipya la PEASS au kupakua HackTricks kwa PDF**? Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
|
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
|
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* **Jiunge na** [**💬**](https://emojipedia.org/speech-balloon/) [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **fuata** kwenye **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwenye** [**repo ya hacktricks**](https://github.com/carlospolop/hacktricks) **na** [**repo ya hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
|
|
|
</details>
|
|
|
|
## Fuzzing ya Javascript
|
|
|
|
### Herufi Halali za Maoni ya JS
|
|
```javascript
|
|
//This is a 1 line comment
|
|
/* This is a multiline comment*/
|
|
#!This is a 1 line comment, but "#!" must to be at the beggining of the line
|
|
-->This is a 1 line comment, but "-->" must to be at the beggining of the line
|
|
|
|
|
|
for (let j = 0; j < 128; j++) {
|
|
for (let k = 0; k < 128; k++) {
|
|
for (let l = 0; l < 128; l++) {
|
|
if (j == 34 || k ==34 || l ==34)
|
|
continue;
|
|
if (j == 0x0a || k ==0x0a || l ==0x0a)
|
|
continue;
|
|
if (j == 0x0d || k ==0x0d || l ==0x0d)
|
|
continue;
|
|
if (j == 0x3c || k ==0x3c || l ==0x3c)
|
|
continue;
|
|
if (
|
|
(j == 47 && k == 47)
|
|
||(k == 47 && l == 47)
|
|
)
|
|
continue;
|
|
try {
|
|
var cmd = String.fromCharCode(j) + String.fromCharCode(k) + String.fromCharCode(l) + 'a.orange.ctf"';
|
|
eval(cmd);
|
|
} catch(e) {
|
|
var err = e.toString().split('\n')[0].split(':')[0];
|
|
if (err === 'SyntaxError' || err === "ReferenceError")
|
|
continue
|
|
err = e.toString().split('\n')[0]
|
|
}
|
|
console.log(err,cmd);
|
|
}
|
|
}
|
|
}
|
|
//From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z
|
|
|
|
// From: Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 43). Kindle Edition.
|
|
log=[];
|
|
for(let i=0;i<=0xff;i++){
|
|
for(let j=0;j<=0xfff;j++){
|
|
try {
|
|
eval(`${String.fromCodePoint(i,j)}%$£234$`)
|
|
log.push([i,j])
|
|
}catch(e){}
|
|
}
|
|
}
|
|
console.log(log)//[35,33],[47,47]
|
|
```
|
|
### Tabia Mpya za Mstari wa JS Zinazofaa
|
|
```javascript
|
|
//Javascript interpret as new line these chars:
|
|
String.fromCharCode(10) //0x0a
|
|
String.fromCharCode(13) //0x0d
|
|
String.fromCharCode(8232) //0xe2 0x80 0xa8
|
|
String.fromCharCode(8233) //0xe2 0x80 0xa8
|
|
|
|
for (let j = 0; j < 65536; j++) {
|
|
try {
|
|
var cmd = '"aaaaa";'+String.fromCharCode(j) + '-->a.orange.ctf"';
|
|
eval(cmd);
|
|
} catch(e) {
|
|
var err = e.toString().split('\n')[0].split(':')[0];
|
|
if (err === 'SyntaxError' || err === "ReferenceError")
|
|
continue;
|
|
err = e.toString().split('\n')[0]
|
|
}
|
|
console.log(`[${err}]`,j,cmd);
|
|
}
|
|
//From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z
|
|
```
|
|
### Nafasi Halali za JS katika wito wa kazi
|
|
```javascript
|
|
// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 40-41). Kindle Edition.
|
|
|
|
// Check chars that can be put in between in func name and the ()
|
|
function x(){}
|
|
|
|
log=[];
|
|
for(let i=0;i<=0x10ffff;i++){
|
|
try {
|
|
eval(`x${String.fromCodePoint(i)}()`)
|
|
log.push(i)
|
|
}catch(e){}
|
|
}
|
|
|
|
console.log(log)v//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,813 232,8233,8239,8287,12288,65279
|
|
```
|
|
### **Herufi Halali za Kuzalisha Maneno**
|
|
```javascript
|
|
// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 41-42). Kindle Edition.
|
|
|
|
// Check which pairs of chars can make something be a valid string
|
|
log=[];
|
|
for(let i=0;i<=0x10ffff;i++){
|
|
try {
|
|
eval(`${String.fromCodePoint(i)}%$£234${String.fromCodePoint(i)}`)
|
|
log.push(i)
|
|
}catch(e){}
|
|
}
|
|
console.log(log) //34,39,47,96
|
|
//single quote, quotes, backticks & // (regex)
|
|
```
|
|
### **Surrogate Pairs BF**
|
|
|
|
Hii technique haitakuwa na manufaa sana kwa XSS lakini inaweza kuwa na manufaa ya kukiuka ulinzi wa WAF. Msimbo huu wa python hupokea kama kuingia 2bytes na hutafuta jozi mbadala ambayo ina byte ya kwanza kama byte ya mwisho ya jozi ya High surrogate na byte ya mwisho kama byte ya mwisho ya jozi ya chini surrogate.
|
|
```python
|
|
def unicode(findHex):
|
|
for i in range(0,0xFFFFF):
|
|
H = hex(int(((i - 0x10000) / 0x400) + 0xD800))
|
|
h = chr(int(H[-2:],16))
|
|
L = hex(int(((i - 0x10000) % 0x400 + 0xDC00)))
|
|
l = chr(int(L[-2:],16))
|
|
if(h == findHex[0]) and (l == findHex[1]):
|
|
print(H.replace("0x","\\u")+L.replace("0x","\\u"))
|
|
```
|
|
### Kujua Zaidi:
|
|
|
|
* [https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md](https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md)
|
|
* [https://mathiasbynens.be/notes/javascript-unicode](https://mathiasbynens.be/notes/javascript-unicode) [https://mathiasbynens.be/notes/javascript-encoding](https://mathiasbynens.be/notes/javascript-encoding)
|
|
|
|
### `javascript{}:` Itazame Fuzzing
|
|
```javascript
|
|
// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 34). Kindle Edition.
|
|
log=[];
|
|
let anchor = document.createElement('a');
|
|
for(let i=0;i<=0x10ffff;i++){
|
|
anchor.href = `javascript${String.fromCodePoint(i)}:`;
|
|
if(anchor.protocol === 'javascript:') {
|
|
log.push(i);
|
|
}
|
|
}
|
|
console.log(log)//9,10,13,58
|
|
// Note that you could BF also other possitions of the use of multiple chars
|
|
|
|
// Test one option
|
|
let anchor = document.createElement('a');
|
|
anchor.href = `javascript${String.fromCodePoint(58)}:alert(1337)`;
|
|
anchor.append('Click me')
|
|
document.body.append(anchor)
|
|
|
|
// Another way to test
|
|
<a href="javascript:alert(1337)">Test</a>
|
|
```
|
|
### Kufuatilia URL
|
|
```javascript
|
|
// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 36-37). Kindle Edition.
|
|
|
|
// Before the protocol
|
|
a=document.createElement('a');
|
|
log=[];
|
|
for(let i=0;i<=0x10ffff;i++){
|
|
a.href = `${String.fromCodePoint(i)}https://hacktricks.xyz`;
|
|
if(a.hostname === 'hacktricks.xyz'){
|
|
log.push(i);
|
|
}
|
|
}
|
|
console.log(log) //0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
|
|
|
|
// Between the slashes
|
|
a=document.createElement('a');
|
|
log=[];
|
|
for(let i=0;i<=0x10ffff;i++){
|
|
a.href = `/${String.fromCodePoint(i)}/hacktricks.xyz`;
|
|
if(a.hostname === 'hacktricks.xyz'){
|
|
log.push(i);
|
|
}
|
|
}
|
|
console.log(log) //9,10,13,47,92
|
|
```
|
|
### Kupotosha HTML
|
|
```javascript
|
|
// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 38). Kindle Edition.
|
|
|
|
// Fuzzing chars that can close an HTML comment
|
|
|
|
let log=[];
|
|
let div = document.createElement('div');
|
|
for(let i=0;i<=0x10ffff;i++){
|
|
div.innerHTML=`<!----${String.fromCodePoint(i)}><span></span>-->`;
|
|
if(div.querySelector('span')){
|
|
log.push(i);
|
|
}
|
|
}
|
|
console.log(log)//33,45,62
|
|
```
|
|
## **Kuchambua sifa**
|
|
|
|
Chombo **Hackability inspector** kutoka Portswigger husaidia **uchambuzi** wa **sifa** za kipengele cha javascript. Angalia: [https://portswigger-labs.net/hackability/inspector/?input=x.contentWindow\&html=%3Ciframe%20src=//subdomain1.portswigger-labs.net%20id=x%3E](https://portswigger-labs.net/hackability/inspector/?input=x.contentWindow\&html=%3Ciframe%20src=//subdomain1.portswigger-labs.net%20id=x%3E)
|
|
|
|
## **Faili za .map js**
|
|
|
|
* Mbinu ya kupakua faili za .map js: [https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7](https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7)
|
|
* Unaweza kutumia chombo hiki kuchambua faili hizi [https://github.com/paazmaya/shuji](https://github.com/paazmaya/shuji)
|
|
|
|
## Uteuzi wa "--"
|
|
|
|
Mwendeshaji wa kupunguza `--` pia ni aina ya uteuzi. Mwendeshaji huyu huchukua thamani na kisha kuipunguza kwa moja. Ikiwa thamani hiyo si nambari, itawekwa kama `NaN`. Hii inaweza kutumika kuondoa **maudhui ya mizani kutoka kwa mazingira**.
|
|
|
|
![](<../../.gitbook/assets/image (993).png>)
|
|
|
|
![](<../../.gitbook/assets/image (329).png>)
|
|
|
|
## Mbinu za Kazi
|
|
|
|
### .call na .apply
|
|
|
|
Mbinu ya **`.call`** ya kazi hutumika kwa **kuendesha kazi**.\
|
|
**Hoja ya kwanza** inayotarajiwa kwa chaguo-msingi ni **thamani ya `this`** na ikiwa **hakuna** kinachotolewa, **`window`** itakuwa thamani hiyo (isipokuwa **`hali kali`** inatumika).
|
|
```javascript
|
|
function test_call(){
|
|
console.log(this.value); //baz
|
|
}
|
|
new_this={value:"hey!"}
|
|
test_call.call(new_this);
|
|
|
|
// To pass more arguments, just pass then inside .call()
|
|
function test_call() {
|
|
console.log(arguments[0]); //"arg1"
|
|
console.log(arguments[1]); //"arg2"
|
|
console.log(this); //[object Window]
|
|
}
|
|
test_call.call(null, "arg1", "arg2")
|
|
|
|
// If you use the "use strict" directive "this" will be null instead of window:
|
|
function test_call() {
|
|
"use strict";
|
|
console.log(this); //null
|
|
}
|
|
test_call.call(null)
|
|
|
|
//The apply function is pretty much exactly the same as the call function with one important difference, you can supply an array of arguments in the second argument:
|
|
function test_apply() {
|
|
console.log(arguments[0]); //"arg1"
|
|
console.log(arguments[1]); //"arg2"
|
|
console.log(this); //[object Window]
|
|
}
|
|
test_apply.apply(null, ["arg1", "arg2"])
|
|
```
|
|
### Kazi za mishale
|
|
|
|
Kazi za mishale kuruhusu kuunda kazi kwa mstari mmoja kwa urahisi zaidi (ukiwaelewa)
|
|
```javascript
|
|
// Traditional
|
|
function (a){ return a + 1; }
|
|
// Arrow forms
|
|
a => a + 100;
|
|
a => {a + 100};
|
|
|
|
// Traditional
|
|
function (a, b){ return a + b + 1; }
|
|
// Arrow
|
|
(a, b) => a + b + 100;
|
|
|
|
// Tradictional no args
|
|
let a = 4;
|
|
let b = 2;
|
|
function (){ return a + b + 1; }
|
|
|
|
// Arrow
|
|
let a = 4;
|
|
let b = 2;
|
|
() => a + b + 1;
|
|
```
|
|
Kwa hivyo, sehemu kubwa ya kazi zilizopita ni bure kwa sababu hatuzihifadhi mahali popote ili kuziita baadaye. Mfano wa kuunda kazi ya `plusone`:
|
|
```javascript
|
|
// Traductional
|
|
function plusone (a){ return a + 1; }
|
|
|
|
//Arrow
|
|
plusone = a => a + 100;
|
|
```
|
|
### Kazi ya Kufunga
|
|
|
|
Kazi ya kufunga inaruhusu kuunda **nakala** ya **kazi** ikibadilisha **kitu cha `this`** na **parameta** zilizotolewa.
|
|
```javascript
|
|
//This will use the this object and print "Hello World"
|
|
var fn = function ( param1, param2 ) {
|
|
console.info( this, param1, param2 );
|
|
}
|
|
fn('Hello', 'World')
|
|
|
|
//This will still use the this object and print "Hello World"
|
|
var copyFn = fn.bind();
|
|
copyFn('Hello', 'World')
|
|
|
|
//This will use the "console" object as "this" object inside the function and print "fixingparam1 Hello"
|
|
var bindFn_change = fn.bind(console, "fixingparam1");
|
|
bindFn_change('Hello', 'World')
|
|
|
|
//This will still use the this object and print "fixingparam1 Hello"
|
|
var bindFn_thisnull = fn.bind(null, "fixingparam1");
|
|
bindFn_change('Hello', 'World')
|
|
|
|
//This will still use the this object and print "fixingparam1 Hello"
|
|
var bindFn_this = fn.bind(this, "fixingparam1");
|
|
bindFn_change('Hello', 'World')
|
|
```
|
|
{% hint style="info" %}
|
|
Tafadhali kumbuka kwamba kwa kutumia **`bind`** unaweza kubadilisha kitu cha **`this`** ambacho kitatumika wakati wa kuita kazi.
|
|
{% endhint %}
|
|
|
|
### Kuvuja kwa msimbo wa kazi
|
|
|
|
Ikiwa unaweza **kupata kufikia kwa kitu** cha kazi unaweza **kupata msimbo** wa kazi hiyo
|
|
```javascript
|
|
function afunc(){
|
|
return 1+1;
|
|
}
|
|
console.log(afunc.toString()); //This will print the code of the function
|
|
console.log(String(afunc)); //This will print the code of the function
|
|
console.log(this.afunc.toString()); //This will print the code of the function
|
|
console.log(global.afunc.toString()); //This will print the code of the function
|
|
```
|
|
Katika kesi ambapo **function haina jina lolote**, bado unaweza kuchapisha **code ya function** kutoka ndani:
|
|
```javascript
|
|
(function (){ return arguments.callee.toString(); })()
|
|
(function (){ return arguments[0]; })("arg0")
|
|
```
|
|
Baadhi ya njia **za kubahatisha** za **kutoa msimbo** wa kazi (hata maoni) kutoka kwa kazi nyingine:
|
|
```javascript
|
|
(function (){ return retFunc => String(arguments[0]) })(a=>{/* Hidden commment */})()
|
|
(function (){ return retFunc => Array(arguments[0].toString()) })(a=>{/* Hidden commment */})()
|
|
(function (){ return String(this)}).bind(()=>{ /* Hidden commment */ })()
|
|
(u=>(String(u)))(_=>{ /* Hidden commment */ })
|
|
(u=>_=>(String(u)))(_=>{ /* Hidden commment */ })()
|
|
```
|
|
## Kutoroka kwa Sanduku la Kumaliza - Kurejesha kipengele cha dirisha
|
|
|
|
Kipengele cha Dirisha kuruhusu kufikia kazi zilizotajwa kimataifa kama vile onyo au tathmini.
|
|
```javascript
|
|
// Some ways to access window
|
|
window.eval("alert(1)")
|
|
frames
|
|
globalThis
|
|
parent
|
|
self
|
|
top //If inside a frame, this is top most window
|
|
|
|
// Access window from document
|
|
document.defaultView.alert(1)
|
|
// Access document from a node object
|
|
node = document.createElement('div')
|
|
node.ownerDocument.defaultView.alert(1)
|
|
|
|
// There is a path property on each error event whose last element is the window
|
|
<img src onerror=event.path.pop().alert(1337)>
|
|
// In other browsers the method is
|
|
<img src onerror=event.composedPath().pop().alert(1337)>
|
|
// In case of svg, the "event" object is called "evt"
|
|
<svg><image href=1 onerror=evt.composedPath().pop().alert(1337)>
|
|
|
|
// Abusing Error.prepareStackTrace to get Window back
|
|
Error.prepareStackTrace=function(error, callSites){
|
|
2 callSites.shift().getThis().alert(1337);
|
|
3 };
|
|
4 new Error().stack
|
|
|
|
// From an HTML event
|
|
// Events from HTML are executed in this context
|
|
with(document) {
|
|
with(element) {
|
|
//executed event
|
|
}
|
|
}
|
|
// Because of that with(document) it's possible to access properties of document like:
|
|
<img src onerror=defaultView.alert(1337)>
|
|
<img src onerror=s=createElement('script');s.append('alert(1337)');appendChild(s)>
|
|
```
|
|
{% endcode %}
|
|
|
|
## Kuvunja kwenye ufikiaji wa thamani
|
|
```javascript
|
|
// Stop when a property in sessionStorage or localStorage is set/get
|
|
// via getItem or setItem functions
|
|
sessionStorage.getItem = localStorage.getItem = function(prop) {
|
|
debugger;
|
|
return sessionStorage[prop];
|
|
}
|
|
|
|
localStorage.setItem = function(prop, val) {
|
|
debugger;
|
|
localStorage[prop] = val;
|
|
}
|
|
```
|
|
|
|
```javascript
|
|
// Stop when anyone sets or gets the property "ppmap" in any object
|
|
// For example sessionStorage.ppmap
|
|
// "123".ppmap
|
|
// Useful to find where weird properties are being set or accessed
|
|
// or to find where prototype pollutions are occurring
|
|
|
|
function debugAccess(obj, prop, debugGet=true){
|
|
|
|
var origValue = obj[prop];
|
|
|
|
Object.defineProperty(obj, prop, {
|
|
get: function () {
|
|
if ( debugGet )
|
|
debugger;
|
|
return origValue;
|
|
},
|
|
set: function(val) {
|
|
debugger;
|
|
origValue = val;
|
|
}
|
|
});
|
|
};
|
|
|
|
debugAccess(Object.prototype, 'ppmap')
|
|
```
|
|
## Upatikanaji wa Kivinjari kiotomatiki kwa vipakiaji vya majaribio
|
|
```javascript
|
|
//Taken from https://github.com/svennergr/writeups/blob/master/inti/0621/README.md
|
|
const puppeteer = require("puppeteer");
|
|
|
|
const realPasswordLength = 3000;
|
|
async function sleep(ms) {
|
|
return new Promise((resolve) => setTimeout(resolve, ms));
|
|
}
|
|
|
|
(async () => {
|
|
const browser = await puppeteer.launch();
|
|
const page = await browser.newPage();
|
|
//Loop to iterate through different values
|
|
for (let i = 0; i < 10000; i += 100) {
|
|
console.log(`Run number ${i}`);
|
|
const input = `${"0".repeat(i)}${realPasswordLength}`;
|
|
console.log(` https://challenge-0621.intigriti.io/passgen.php?passwordLength=${input}&allowNumbers=true&allowSymbols=true×tamp=1624556811000`);
|
|
//Go to the page
|
|
await page.goto(
|
|
`https://challenge-0621.intigriti.io/passgen.php?passwordLength=${input}&allowNumbers=true&allowSymbols=true×tamp=1624556811000`
|
|
);
|
|
//Call function "generate()" inside the page
|
|
await page.evaluate("generate()");
|
|
//Get node inner text from an HTML element
|
|
const passwordContent = await page.$$eval(
|
|
".alert .page-content",
|
|
(node) => node[0].innerText
|
|
);
|
|
//Transform the content and print it in console
|
|
const plainPassword = passwordContent.replace("Your password is: ", "");
|
|
if (plainPassword.length != realPasswordLength) {
|
|
console.log(i, plainPassword.length, plainPassword);
|
|
}
|
|
|
|
await sleep(1000);
|
|
}
|
|
await browser.close();
|
|
})();
|
|
```
|
|
<details>
|
|
|
|
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
|
|
|
* Je, unafanya kazi katika **kampuni ya usalama wa mtandao**? Je, ungependa kuona **kampuni yako ikitangazwa kwenye HackTricks**? au ungependa kupata upatikanaji wa **toleo jipya la PEASS au kupakua HackTricks kwa PDF**? Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
|
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
|
* Pata [**swagi rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* **Jiunge na** [**💬**](https://emojipedia.org/speech-balloon/) [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **nifuata** kwenye **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwenye** [**repo ya hacktricks**](https://github.com/carlospolop/hacktricks) **na** [**repo ya hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
|
|
|
</details>
|