Sean Pesce SeanPesce

What is this cheat sheet ?

I recently stumbled on a blind SSTI injection on a bug bounty program (no output nor stack trace, only 500 status code on invalid syntax)

The version was up to date and it was not possible to RCE because the conf was following best practices and there is no public sandbox bypass on the latest version. So was it possible to do stuff anyway ? Yes I found some nice gadgets to enumerate all accessible variables from the engine, read data blindly or perform some DoS.

This is not meant to be complete, you will find classic payloads for freemarker on other cheat sheets this is only the new stuff from my research which is not public anywhere else

get versions

Unicode XSS via Combining Characters

Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.

Recap of Unicode XSS

Lab: https://4t64ubva.xssy.uk/

A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:

https://web.archive.org/web/20220308212352/https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016/

Windows 2012 R2 Essentials: http://download.microsoft.com/download/8/F/7/8F7024D2-AB2A-4BE2-8406-1E3AC49C5C1F/9600.16384.WINBLUE_RTM.130821-1623_X64FRE_SERVER_SOLUTION_EN-US-IRM_SSSO_X64FRE_EN-US_DV5.ISO

Windows 2012 R2: http://download.microsoft.com/download/6/2/A/62A76ABB-9990-4EFC-A4FE-C7D698DAEB96/9600.17050.WINBLUE_REFRESH.140317-1640_X64FRE_SERVER_EVAL_EN-US-IR3_SSS_X64FREE_EN-US_DV9.ISO

Windows 2016: https://software-download.microsoft.com/download/pr/Windows_Server_2016_Datacenter_EVAL_en-us_14393_refresh.ISO

Windows 2019 Essentials: https://software-download.microsoft.com/download/pr/17763.737.190906-2324.rs5_release_svc_refresh_SERVERESSENTIALS_OEM_x64FRE_en-us_1.iso

Google dork cheatsheet

Search filters

Filter	Description	Example
allintext	Searches for occurrences of all the keywords given.	`allintext:"keyword"`
intext	Searches for the occurrences of keywords all at once or one at a time.	`intext:"keyword"`
inurl	Searches for a URL matching one of the keywords.	`inurl:"keyword"`
allinurl	Searches for a URL matching all the keywords in the query.	`allinurl:"keyword"`
intitle	Searches for occurrences of keywords in title all or one.	`intitle:"keyword"`

OpenSSL Cheat Sheet 🔐

Install

Install the OpenSSL on Debian based systems

sudo apt-get install openssl

Unicode Character Look-Alikes

Original Letter	Look-Alike(s)
a	а ạ ą ä à á ą
c	с ƈ ċ
d	ԁ ɗ
e	е ẹ ė é è
g	ġ
h	һ

Drozer - Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
- Starting a session
  - adb forward tcp:31415 tcp:31415
  - drozer console connect
  - drozer console connect --server <ip>
- List modules
  - ls
  - ls activity
- Retrieving package information
run app.package.list -f

	am force-stop com.android.settings
	settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
	15
	--runtime-args
	--setuid=1000
	--setgid=1000
	--runtime-flags=2049
	--mount-external-full
	--target-sdk-version=29
	--setgroups=3003

	# Depends on: msmtp, libsecret-tools
	#
	# Set password:
	# secret-tool store --label="msmtp password for [email protected]" service msmtp username [email protected]
	#
	# Send mail:
	# echo "Message Body" \| send-gmail myusername [email protected] "My Subject"
	send-gmail() {
	local user="$1"
	local to="$2"

	#/usr/bin/env sh

	curl --proxy http://127.0.0.1:8080/ --user-agent burl --insecure "$@"