Virtual Hosts + Encoding and Transformations

2025-12-05 20:40:04 -08:00 · 2025-08-12 20:59:36 +02:00
parent cd15d85969
commit 5e0b097983
6 changed files with 225 additions and 4 deletions
--- a/Clobbering/README.md
+++ b/Clobbering/README.md
@@ -6,7 +6,7 @@

 - [Tools](#tools)
 - [Methodology](#methodology)
- [Lab](#lab)
+- [Labs](#labs)
 - [References](#references)

 ## Tools
@@ -130,7 +130,7 @@ Exploitation requires any kind of `HTML injection` in the page.

 - DomPurify allows the protocol `cid:`, which doesn't encode double quote (`"`): `<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">`

-## Lab
+## Labs

 - [PortSwigger - Exploiting DOM clobbering to enable XSS](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering)
 - [PortSwigger - Clobbering DOM attributes to bypass HTML filters](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters)
--- a/Transformations/README.md
+++ b/Transformations/README.md
@@ -0,0 +1,109 @@
+# Encoding and Transformations
+
+> Encoding and Transformations are techniques that change how data is represented or transferred without altering its core meaning. Common examples include URL encoding, Base64, HTML entity encoding, and Unicode transformations. Attackers use these methods as gadgets to bypass input filters, evade web application firewalls, or break out of sanitization routines.
+
+## Summary
+
+* [Unicode](#unicode)
+    * [Unicode Normalization](#unicode-normalization)
+    * [Punycode](#punycode)
+* [Base64](#base64)
+* [Labs](#labs)
+* [References](#references)
+
+## Unicode
+
+Unicode is a universal character encoding standard used to represent text from virtually every writing system in the world. Each character (letters, numbers, symbols, emojis) is assigned a unique code point (for example, U+0041 for "A"). Unicode encoding formats like UTF-8 and UTF-16 specify how these code points are stored as bytes.
+
+### Unicode Normalization
+
+Unicode normalization is the process of converting Unicode text into a standardized, consistent form so that equivalent characters are represented the same way in memory.
+
+[Unicode Normalization reference table](https://appcheck-ng.com/wp-content/uploads/unicode_normalization.html)
+
+* **NFC** (Normalization Form Canonical Composition): Combines decomposed sequences into precomposed characters where possible.
+* **NFD** (Normalization Form Canonical Decomposition): Breaks characters into their decomposed forms (base + combining marks).
+* **NFKC** (Normalization Form Compatibility Composition): Like NFC, but also replaces characters with compatibility equivalents (may change appearance/format).
+* **NFKD** (Normalization Form Compatibility Decomposition): Like NFD, but also decomposes compatibility characters.
+
+| Character    | Payload               | After Normalization   |
+| ------------ | --------------------- | --------------------- |
+| `‥` (U+2025) | `‥/‥/‥/etc/passwd` | `../../../etc/passwd` |
+| `︰` (U+FE30) | `︰/︰/︰/etc/passwd` | `../../../etc/passwd` |
+| `＇` (U+FF07) | `＇ or ＇1＇=＇1` | `' or '1'='1` |
+| `＂` (U+FF02) | `＂ or ＂1＂=＂1` | `" or "1"="1` |
+| `﹣` (U+FE63) | `admin'﹣﹣` | `admin'--` |
+| `。` (U+3002) | `domain。com` | `domain.com` |
+| `／` (U+FF0F) | `／／domain.com` | `//domain.com` |
+| `＜` (U+FF1C) | `＜img src=a＞` | `<img src=a/>` |
+| `﹛` (U+FE5B) | `﹛﹛3+3﹜﹜` | `{{3+3}}` |
+| `［` (U+FF3B) | `［［5+5］］` | `[[5+5]]` |
+| `＆` (U+FF06) | `＆＆whoami` | `&&whoami` |
+| `ｐ` (U+FF50) | `shell.ｐʰｐ` | `shell.php` |
+| `ʰ` (U+02B0) | `shell.ｐʰｐ` | `shell.php` |
+| `ª` (U+00AA) | `ªdmin` | `admin` |
+
+```py
+import unicodedata
+string = "ᴾᵃʸˡᵒᵃᵈˢ𝓐𝓵𝓵𝕋𝕙𝕖𝒯𝒽𝒾𝓃ℊ𝓈"
+print ('NFC: ' + unicodedata.normalize('NFC', string))
+print ('NFD: ' + unicodedata.normalize('NFD', string))
+print ('NFKC: ' + unicodedata.normalize('NFKC', string))
+print ('NFKD: ' + unicodedata.normalize('NFKD', string))
+```
+
+### Punycode
+
+Punycode is a way to represent Unicode characters (including non-ASCII letters, symbols, and scripts) using only the limited set of ASCII characters (letters, digits, and hyphens).
+
+It's mainly used in the Domain Name System (DNS), which traditionally supports only ASCII. Punycode allows internationalized domain names (IDNs), so that domain names can include characters from many languages by converting them into a safe ASCII form.
+
+| Visible in Browser (IDN support) | Actual ASCII (Punycode) |
+| -------------------------------- | ----------------------- |
+| раypal.com                       | xn--ypal-43d9g.com      |
+| paypal.com                       | paypal.com              |
+
+In MySQL, similar character are treated as equal. This behavior can be abused in Password Reset, Forgot Password, and OAuth Provider sections.
+
+```sql
+SELECT 'a' = 'ᵃ';
+-------------+
+| 'a' = 'ᵃ'   |
+-------------+
+|           1 |
+-------------+
+```
+
+This trick works the SQL query uses `COLLATE utf8mb4_0900_as_cs`.
+
+```sql
+SELECT 'a' = 'ᵃ' COLLATE utf8mb4_0900_as_cs;
+----------------------------------------+
+| 'a' = 'ᵃ' COLLATE utf8mb4_0900_as_cs   |
+----------------------------------------+
+|                                      0 |
+----------------------------------------+
+```
+
+## Base64
+
+Base64 encoding is a method for converting binary data (like images or files) or text with special characters into a readable string that uses only ASCII characters (A-Z, a-z, 0-9, +, and /). Every 3 bytes of input are divided into 4 groups of 6 bits and mapped to 4 Base64 characters. If the input isn't a multiple of 3 bytes, the output is padded with `=` characters.
+
+```ps1
+echo -n admin | base64                            
+YWRtaW4=
+
+echo -n YWRtaW4= | base64 -d
+admin
+```
+
+## Labs
+
+* [NahamCon - Puny-Code: 0-Click Account Takeover](https://github.com/VoorivexTeam/white-box-challenges/tree/main/punycode)
+* [PentesterLab - Unicode and NFKC](https://pentesterlab.com/exercises/unicode-transform)
+
+## References
+
+* [Puny-Code, 0-Click Account Takeover - Voorivex - June 1, 2025](https://blog.voorivex.team/puny-code-0-click-account-takeover)
+* [Unicode normalization vulnerabilities - Lazar - September 30, 2021](https://lazarv.com/posts/unicode-normalization-vulnerabilities/)
+* [WAF Bypassing with Unicode Compatibility - Jorge Lajara - February 19, 2020](https://jlajara.gitlab.io/Bypass_WAF_Unicode)
--- a/ASP/extensions.lst
+++ b/ASP/extensions.lst
@@ -0,0 +1,7 @@
+.asp
+.aspx
+.config
+.cer
+.asa
+.aspx;1.jpg
+.soap
--- a/PHP/extensions.lst
+++ b/PHP/extensions.lst
@@ -19,3 +19,4 @@
 .php\x00.png
 .php%00.jpg
 .php\x00.jpg
+.inc
--- a/Files/README.md
+++ b/Files/README.md
@@ -57,7 +57,8 @@ Here is a list of the default extensions for web shell pages in the selected lan
    .asp
    .aspx
    .config
-    .cer and .asa # (IIS <= 7.5)
+    .cer # (IIS <= 7.5)
+    .asa # (IIS <= 7.5)
    shell.aspx;1.jpg # (IIS < 7.0)
    shell.soap
    ```
@@ -93,7 +94,7 @@ Other extensions that can be abused to trigger other vulnerabilities.
    * `.php%00.jpg`
    * `.php\x00.jpg`
 * Special characters
-    * Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed.
+    * Multiple dots : `file.php......` , on Windows when a file is created with dots at the end those will be removed.
    * Whitespace and new line characters
        * `file.php%20`
        * `file.php%0d%0a.jpg`
@@ -102,6 +103,15 @@ Other extensions that can be abused to trigger other vulnerabilities.
    * Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp`
    * Multiple special characters: `file.jsp/././././.`

+* On Windows OS, `include`, `require` and `require_once` functions will convert "foo.php" followed by one or more of the chars `\x20` ( ), `\x22` ("), `\x2E` (.), `\x3C` (<), `\x3E` (>) back to "foo.php".
+* On Windows OS, `fopen` function will convert "foo.php" followed by one or more of the chars `\x2E` (.), `\x2F` (/), `\x5C` (\) back to "foo.php".
+* On Windows OS, `move_uploaded_file` function will convert "foo.php" followed by one or more of the chars `\x2E` (.), `\x2F` (/), `\x5C` (\) back to "foo.php".
+
+* On Windows OS, when running PHP on IIS some characters are automatically converted to other characters when it is going to save a file (e.g. `web<<` becomes `web**` and can replace `web.config`).
+    * `\x3E` (>) is converted to `\x3F` (?)
+    * `\x3C` (<) is converted to `\x2A` (*)
+    * `\x22` (") is converted to `\x2E` (.), to use this trick in a file upload request the "`Content-Disposition`" header should use single quotes (e.g. filename='web"config').
+
 **File Identification**:

 MIME type, a MIME type (Multipurpose Internet Mail Extensions type) is a standardized identifier that tells browsers, servers, and applications what kind of file or data is being handled. It consists of a type and a subtype, separated by a slash. Change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif` to disguise the content as an image.
@@ -363,6 +373,7 @@ More payloads in the folder `CVE FFmpeg HLS/`.
 * [Bulletproof Jpegs Generator - Damien Cauquil (@virtualabs) - April 9, 2012](https://virtualabs.fr/Nasty-bulletproof-Jpegs-l)
 * [Encoding Web Shells in PNG IDAT chunks - phil - 04-06-2012](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
 * [File Upload - HackTricks - 20/7/2024](https://book.hacktricks.xyz/pentesting-web/file-upload)
+* [File Upload and PHP on IIS: >=? and <=* and "=. - Soroush Dalili (@irsdl) - July 23, 2014](https://soroush.me/blog/2014/07/file-upload-and-php-on-iis-wildcards/)
 * [File Upload restrictions bypass - Haboob Team - July 24, 2018](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf)
 * [IIS - SOAP - Navigating The Shadows - 0xbad53c - 19/5/2024](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
 * [Injection points in popular image formats - Daniel Kalinowski‌‌ - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/)
--- a/Hosts/README.md
+++ b/Hosts/README.md
@@ -0,0 +1,93 @@
+# Virtual Host
+
+> A **Virtual Host** (VHOST) is a mechanism used by web servers (e.g., Apache, Nginx, IIS) to host multiple domains or subdomains on a single IP address. When enumerating a webserver, default requests often target the primary or default VHOST only. **Hidden hosts** may expose extra functionality or vulnerabilities.
+
+## Summary
+
+* [Tools](#tools)
+* [Methodology](#methodology)
+* [References](#references)
+
+## Tools
+
+* [wdahlenburg/VhostFinder](https://github.com/wdahlenburg/VhostFinder) - Identify virtual hosts by similarity comparison.
+* [codingo/VHostScan](https://github.com/codingo/VHostScan) - A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
+* [hakluke/hakoriginfinder](https://github.com/hakluke/hakoriginfinder) - Tool for discovering the origin host behind a reverse proxy. Useful for bypassing cloud WAFs.
+
+    ```ps1
+    prips 93.184.216.0/24 | hakoriginfinder -h https://example.com:443/foo
+    ```
+
+* [OJ/gobuster](https://github.com/OJ/gobuster) - Directory/File, DNS and VHost busting tool written in Go.
+
+    ```ps1
+    gobuster vhost -u https://example.com -w /path/to/wordlist.txt
+    ```
+
+## Methodology
+
+When a web server hosts multiple websites on the same IP address, it uses **Virtual Hosting** to decide which site to serve when a request comes in.
+
+In HTTP/1.1 and above, every request must contain a `Host` header:
+
+```http
+GET / HTTP/1.1
+Host: example.com
+```
+
+This header tells the server which domain the client is trying to reach.
+
+* If the server only has one site: The `Host` header is often ignored or set to a default.
+* If the server has multiple virtual hosts: The web server uses the `Host` header to route the request internally to the right content.
+
+Suppose the server is configured like:
+
+```ps1
+<VirtualHost *:80>
+    ServerName site-a.com
+    DocumentRoot /var/www/a
+</VirtualHost>
+
+<VirtualHost *:80>
+    ServerName site-b.com
+    DocumentRoot /var/www/b
+</VirtualHost>
+```
+
+A request with the default host ("site-a.com") returns the content for Site A.
+
+```http
+GET / HTTP/1.1
+Host: site-a.com
+```
+
+A request with an altered host ("site-b.com") returns content for Site B (possibly revealing something new).
+
+```http
+GET / HTTP/1.1
+Host: site-b.com
+```
+
+### Fingerprinting VHOSTs
+
+Setting `Host` to other known or guessed domains may give **different responses**.
+
+```ps1
+curl -H "Host: admin.example.com" http://10.10.10.10/
+```
+
+Common indicators that you're hitting a different VHOST:
+
+* Different HTML titles, meta descriptions, or brand names
+* Different HTTP Content-Length / body size
+* Different status codes (200 vs. 403 or redirect)
+* Custom error pages
+* Redirect chains to completely different domains
+* Certificates with Subject Alternative Names listing other domains
+
+**NOTE**: Leverage DNS history records to identify old IP addresses previously associated with your target’s domains. Then test (or "spray") the current domain names against those IPs. If successful, this can reveal the server’s real address, allowing you to bypass protections like Cloudflare or other WAFs by interacting directly with the origin server.
+
+## References
+
+* [Gobuster for directory, DNS and virtual hosts bruteforcing - erev0s - March 17, 2020](https://erev0s.com/blog/gobuster-directory-dns-and-virtual-hosts-bruteforcing/)
+* [Virtual Hosting – A Well Forgotten Enumeration Technique - Wyatt Dahlenburg - June 16, 2022](https://wya.pl/2022/06/16/virtual-hosting-a-well-forgotten-enumeration-technique/)