├── code-snippets.md
├── vulhub-htb-machines.md
├── syllabus.md
├── deserialization.md
├── reading.md
└── README.md

--------------------------------------------------------------------------------
/code-snippets.md:
--------------------------------------------------------------------------------
## Python HTTPS Server

Serves the current directory over TLS on localhost:4443. The original snippet (from piware.de) used `ssl.wrap_socket`, which has been deprecated since Python 3.7 and was removed in 3.12; an `SSLContext` does the same job on every supported version.

```
# based on http://www.piware.de/2011/01/creating-an-https-server-in-python/
# create the self-signed certificate + key first:
#   openssl req -new -x509 -keyout /tmp/server.pem -out /tmp/server.pem -days 365 -nodes
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl

httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
# server-side TLS context: TLS 1.2 or newer, certificate and key read from the same PEM file
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.minimum_version = ssl.TLSVersion.TLSv1_2
context.load_cert_chain(certfile='/tmp/server.pem')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
```

## Upgrade to Interactive Shell

In the dumb shell on the target:

```
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm    # enables clear and the rest of the terminal features
```

Then in your own terminal:

* Ctrl+Z (puts the shell in the background)
* `stty raw -echo` (stops the local terminal from handling Ctrl+C and the like, and from echoing input)
* type `fg` and press Enter
* press Enter twice
--------------------------------------------------------------------------------
/vulhub-htb-machines.md:
--------------------------------------------------------------------------------
# HTB

FALAFEL AND POPCORN
* Challenges
    * Bypass File Upload Restrictions
* Source code analysis requirements
    * Nope

VAULT
* Challenges
    * Enumeration
    * Port forwarding
    * File sharing with netcat
    * Use of PGP
* Source code analysis requirements
    * Nope

BLOCKY
* Challenges
    * Use JD-GUI
    * Adapt CVE exploits
    * Vulnerability chaining
    * Webshells
    * Use of PGP
* Source code analysis requirements
    * Locate credentials within a JAR file (1 file)
    * Decompile JAR files
* There are two ways to get root; my preferred one is:
    * Use the creds to access phpMyAdmin
    * Change user and password
    * Access WordPress and upload a crafted plugin
    * Escalate from www-data to root

ARKHAM
* Challenges
    * Use cryptsetup to dump/decrypt LUKS disks
    * Read the web application's documentation
    * Know how to use a crypto utility to encrypt a payload
    * Know how to use ysoserial to generate an RCE payload via insecure deserialisation
* Source code analysis requirements
    * Documentation reading

#### SUMMARY
Wrapping up the above, I would say that only Arkham (up to user shell) and Blocky (also up to user shell) are worthwhile for OSWE preparation. Apart from that, they are fairly fun machines (mostly Vault and Arkham).
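Falafel above is also the machine the reading list on this page files under PHP Type Juggling, and the "a bit about hashing functions" note on Homeless below is the same trick: a login that compares an md5 digest with PHP's loose `==`. The script below is an added example, not code from any of the machines or linked articles; it emulates PHP's numeric-string comparison in Python so the bypass and its fix can be checked offline. The two plaintexts used ("240610708", "QNKCDZO") are widely published md5 magic hashes; the login functions and the wordlist are constructed for the demo.

```python
#!/usr/bin/env python3
"""PHP loose comparison ("type juggling") of hash digests, emulated in Python.

Added example; not code from any of the linked machines or articles.  It models
the PHP 5.x/7.x rule for `==` between two strings: when both strings look
numeric, PHP compares them as numbers, so "0e462097..." == "0e830400..." is true
because both parse as 0 * 10^N == 0.  (PHP 8 kept this rule for two numeric
strings; its comparison changes only affected string-vs-integer.)
"""
import hashlib
import re

# PHP's numeric-string grammar (pre-PHP 8): optional leading whitespace, sign,
# digits with optional fraction, optional exponent.  No trailing whitespace.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_is_numeric(s):
    """True if PHP's is_numeric() would accept the string."""
    return _NUMERIC.match(s) is not None


def php_loose_equal(a, b):
    """Emulate PHP `$a == $b` for two strings: numeric strings compare as numbers."""
    if php_is_numeric(a) and php_is_numeric(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hexdigest):
    """A 'magic hash' is a hex digest PHP reads as a float: '0e' then digits only."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def find_magic_hashes(candidates, algo="md5"):
    """Return (plaintext, digest) for every candidate whose digest is magic.

    A blind search from scratch needs on the order of 10^8 attempts per hit, so
    in practice you feed this a wordlist offline or use a published list such
    as spaze/hashes from the reading list.
    """
    hits = []
    for cand in candidates:
        digest = hashlib.new(algo, cand.encode()).hexdigest()
        if is_magic_hash(digest):
            hits.append((cand, digest))
    return hits


def login_vulnerable(stored_md5, supplied_password):
    """The bug: `if (md5($_POST['password']) == $row['password'])` in PHP."""
    return php_loose_equal(md5_hex(supplied_password), stored_md5)


def login_fixed(stored_md5, supplied_password):
    """The fix: strict comparison (`===`, or better hash_equals() / password_verify())."""
    return md5_hex(supplied_password) == stored_md5


if __name__ == "__main__":
    # Constructed scenario: the stored password happens to hash to 0e...
    stored = md5_hex("240610708")
    print("stored hash:", stored)
    print("vulnerable login, wrong password 'QNKCDZO':", login_vulnerable(stored, "QNKCDZO"))
    print("fixed login, wrong password 'QNKCDZO':     ", login_fixed(stored, "QNKCDZO"))
    print("magic hashes in wordlist:", find_magic_hashes(["password", "QNKCDZO", "240610708"]))
```

The interesting part when auditing source is the comparison operator, not the hash: `md5()`, `sha1()` and `crc32()` all produce digests that occasionally look like `0e<digits>`, so any `==` against user-controlled digests is suspect, and the same loose comparison also bites in `in_array()`, `array_search()` and `switch` unless the strict flag or `===` is used.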
# VulnHub

PIPE
* Challenges
    * Know how to exploit PHP insecure deserialisation to achieve RCE
* Source code analysis requirements
    * Source code analysis of 3 PHP files (boringly simple)
* OSWE-style walkthrough:
    * Pipe

RAVEN2
* Challenges
    * Detect missing input validation
    * Debug a PHP app via code augmentation [big word, small task]
* Source code analysis requirements
    * Source code analysis of PHPMailer (important files: 2)
* OSWE-style walkthrough:
    * Raven

HOMELESS
* Challenges
    * Know a bit about hashing functions
* Source code analysis requirements
    * Source code analysis of 3-4 PHP files
* OSWE-style walkthrough:
    * Homeless

TED
* Challenges
    * Know how to exploit PHP Local File Inclusion to achieve RCE
* Source code analysis requirements
    * Source code analysis of a few PHP files
* OSWE-style walkthrough:
    * Ted

FLICK2
* Challenges
    * Understand how APIs work
    * Know how to decompile/recompile an APK
    * A bit of enumeration
* Source code analysis requirements
    * A little analysis of decompiled APK code
* OSWE-style walkthrough:
    * Flick2
    * Additional exercise at the end

--------------------------------------------------------------------------------
/syllabus.md:
--------------------------------------------------------------------------------
# oswe_preparation

# Advanced Web Attacks & Exploitation

All efforts for the AWAE course and preparation for the Offensive Security Web Expert (OSWE) exam.

## Study Strategy

## Course Completion
Taken from the publicly available syllabus.
* [ ] 1. Introduction
    * [ ] Videos
    * [ ] Read/Notes
* [ ] 2. Tools & Methodologies
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 2.1.5 Exercise - Web Inspection
    * [ ] 2.2.1 Exercise - Python Requests
    * [ ] 2.3.3 Exercise - Decompilation
* [ ] 3. Atmail Mail Server Appliance: from XSS to RCE
    * [X] Videos
    * [X] Read/Notes
    * [X] 3.3.1 Exercise - Vuln Discovery
    * [X] 3.4.1 Exercise - Session Hijack
    * [X] 3.5.4 Exercise - Session Riding
    * [X] 3.5.5 Extra Mile - Session Riding
    * [X] 3.6.5 Exercise - globalsaveAction Vuln Analysis
    * [X] 3.6.7 Exercise - Make it fully automagical
    * [X] 3.6.8 Extra Mile
    * [ ] 3.6.8 Extra Mile - Also see if you can background it completely
* [ ] 4. ATutor Auth Bypass and RCE
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 4.3.1 Exercise - Vuln Discovery
    * [ ] 4.6.3 Exercise - Data Exfil
    * [ ] 4.6.4 Extra Mile - Data Exfil
    * [ ] 4.7.1 Exercise - ATutor Auth
    * [ ] 4.7.2 Extra Mile - ATutor Auth
    * [ ] 4.8.1 Exercise - ATutor Auth
    * [ ] 4.8.2 Extra Mile - ATutor Auth
    * [ ] 4.9.1 Exercise - File Upload
    * [ ] 4.10.5 Exercise - RCE
    * [ ] 4.10.6 Extra Mile - RCE
* [ ] 5. ATutor LMS Type Juggling Vuln
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 5.4.1 Exercise - String Conversion
    * [ ] 5.6.3 Exercise - Loose Comparison
    * [ ] 5.6.4 Extra Mile - Loose Comparison
* [ ] 6. ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE
    * [X] Videos
    * [X] Read/Notes
    * [X] 6.3.6 Exercise - Vuln Discovery
    * [X] 6.5.1 Exercise - Blind Bats
    * [X] 6.6.1 Exercise - Access FS
    * [ ] 6.6.3 Exercise - VBS file [!! Need to do the batch! Got the reverse shell... !!]
    * [ ] 6.6.4 Extra Mile - Shell via JSP
    * [X] 6.7.4 Exercise - PostgreSQL Extensions
    * [ ] 6.8.1 Exercise - UDF Reverse Shell
    * [ ] 6.9.3 Exercise - Moar Shells
    * [ ] 6.9.4 Extra Mile - Moar Shells
* [ ] 7. Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 7.6.1 Exercise - RevShell
    * [ ] 7.6.2 Extra Mile - RevShell
* [ ] 8. DotNetNuke Deserialization RCE
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 8.4.3 Exercise - Serialization Basics
    * [ ] 8.4.5 Exercise - Serialization Basics
    * [ ] 8.4.7 Exercise - Serialization Basics
    * [ ] 8.5.3 Exercise - DNN Vuln Analysis
    * [ ] 8.6.4 Exercise - Payload Options
    * [ ] 8.6.7 Exercise - Payload Options
    * [ ] 8.7.1 Exercise - Payload Options
    * [ ] 8.8.1 Extra Mile - Y SO SERIAL? .NET
    * [ ] 8.8.2 Extra Mile - Y SO SERIAL? Java
* [ ] 9. ERPNext Authentication Bypass and Server Side Template Injection
    * [X] Videos
    * [X] Read/Notes
    * [X] 9.1.1.1 Exercise - Configure Kali SMTPd server
    * [X] 9.1.2.1 Exercise - Configure remote debugging
    * [X] 9.1.3.1 Exercise - Configure MariaDB logging
    * [ ] 9.2.3.2 Exercise - Find whitelisted functions
    * [X] 9.3.1.2 Exercises - SQLi
    * [X] 9.4.2.1 Exercises - Access the admin acct
    * [X] 9.5.2.1 Exercise - Find the SSTI
    * [ ] 9.5.2.2 Extra Mile - Find another instance of SSTI
    * [X] 9.5.3.1 Exercise - Recreate the `__class__` rendering
    * [ ] 9.5.3.2 Extra Mile - Alternative filter bypass
    * [X] 9.6.1.1 Exercises - Recreate the filter bypass and exploit and find other classes to own
    * [X] 9.6.2.1 Exercises - Recreate RCE and get shell
    * [ ] 9.6.2.2 Extra Mile - Get output to display
* [ ] 10. openCRX Authentication Bypass and Remote Code Execution
    * [X] Videos
    * [X] Read/Notes
    * [X] 10.2.1.1 Exercise - Recreate the Rando and SecureRando
    * [X] 10.2.4.1 Exercise - Generate a token list
    * [X] 10.2.4.2 Extra Mile - Update token program to take start/stop
    * [X] 10.2.5.2 Exercises - Reset password
    * [X] 10.2.5.3 Extra Mile - Automate the attack chain
    * [X] 10.3.6.2 Exercises - Recreate the XXE attack
    * [X] 10.3.6.3 Extra Mile - Script to parse XXE results
    * [X] 10.3.8.1 Exercise - Implement the "wrapper" payload
    * [X] 10.3.9.2 Exercise - Connect to HSQLDB
    * [X] 10.4.1.1 Exercises - Write file and confirm
    * [X] 10.4.2.1 Exercise - Find dir with JSP files
    * [X] 10.4.3.1 Exercises - Get. That. Shell.
* [ ] 11. openITCOCKPIT XSS and OS Command Injection - Blackbox
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 11.5.1 Exercise - Recreate the XSS
    * [ ] 11.6.2.1 Exercises - DOM rewrite
    * [ ] 11.6.2.2 Extra Mile - Prevent new page load
    * [ ] 11.6.3.1 Exercises - Finish the script and initialize the DB
    * [ ] 11.6.4.1 Exercises - Finish the API script and get a fake login page with the XSS
    * [ ] 11.6.4.2 Extra Mile - Add cookie functionality
    * [ ] 11.6.5.1 Exercises - Exploit the XSS
    * [ ] 11.6.5.2 Extra Miles - Beef up dat XSS
    * [ ] 11.6.6.1 Exercise - Dump the SQLite DB
    * [ ] 11.7.4.1 Exercise - Fuzz and find cmds
    * [ ] 11.7.5.1 Exercise - Test cmd injection
    * [ ] 11.7.6.1 Exercise - Get a meterpreter shell
    * [ ] 10.7.7 Extra Mile - Get RCE via administrator session

--------------------------------------------------------------------------------
/deserialization.md:
--------------------------------------------------------------------------------
#### Deserialization:

* [ ] [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
* [ ] [Insecure deserialization - PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Deserialization)
* [ ] [[Paper] Deserialization Vulnerability](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf)
* [ ] [Serialization: A Big Threat](https://klezvirus.github.io/The_Big_Problem_of_Serialisation/)

##### Java Deserialization

* [ ] [Understanding & practicing Java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
* [ ] [Understanding Java Deserialization](https://nytrosecurity.com/2018/05/30/understanding-java-deserialization/)
* [ ] [Exploiting blind Java deserialization with Burp and Ysoserial](https://www.n00py.io/2017/11/exploiting-blind-java-deserialization-with-burp-and-ysoserial/)
* [ ] [Details on Oracle WebLogic Deserialization](https://www.thezdi.com/blog/2020/5/8/details-on-the-oracle-weblogic-vulnerability-being-exploited-in-the-wild)
* [ ] [Analysis of WebLogic Deserialization](https://medium.com/@knownsec404team/analysis-of-weblogic-deserialization-vulnerability-cve-2018-2628-164bbed7a71d)
* [ ] [[Video] Matthias Kaiser - Exploiting Deserialization Vulnerabilities in Java](https://www.youtube.com/watch?v=VviY3O-euVQ)

##### .NET Deserialization

* [ ] [Use of Deserialization in .NET Framework Methods and Classes](https://www.nccgroup.trust/globalassets/our-research/uk/images/whitepaper-new.pdf)
* [ ] [Exploiting Deserialisation in ASP.NET via ViewState](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
* [ ] [Remote Code Execution via Insecure Deserialization in Telerik UI](https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui)
* [ ] [[Video] Friday the 13th: JSON Attacks - BlackHat](https://www.youtube.com/watch?v=oUAeWhW5b8c)
* [ ] [[Paper] Are you My Type?](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf)
* [ ] [[Video] JSON Machine from HackTheBox - Ippsec](https://www.youtube.com/watch?v=FPgK_udcBig)

##### PHP Object Injection/Deserialization

* [ ] [What is PHP Object Injection](https://blog.ripstech.com/2018/php-object-injection/)
* [ ] [phpBB 3.2.3: Phar Deserialization to RCE](https://blog.ripstech.com/2018/phpbb3-phar-deserialization-to-remote-code-execution/)
* [ ] [Exploiting PHP Deserialization](https://medium.com/swlh/exploiting-php-deserialization-56d71f03282a)
* [ ] [Analysis of TYPO3 Deserialization Vulnerability](https://medium.com/@knownsec404team/analysis-of-typo3-deserialization-vulnerability-cve-2019-12747-5863c48f39a7)
* [ ] [Attack Surface of PHP Deserialization Vulnerability via Phar](https://medium.com/@knownsec404team/extend-the-attack-surface-of-php-deserialization-vulnerability-via-phar-d6455c6a1066)
* [ ] [[Video] Intro to PHP Deserialization / Object Injection - Ippsec](https://www.youtube.com/watch?v=HaW15aMzBUM)
* [ ] [[Video] Advanced PHP Deserialization - Phar Files - Ippsec](https://www.youtube.com/watch?v=fHZKSCMWqF4)
* [ ] [[Video] Exploiting PHP7 unserialize (33c3)](https://www.youtube.com/watch?v=_Zj0B4D4TYc)

##### NodeJS Deserialization

* [ ] [Exploiting Node.js deserialization bug for Remote Code Execution](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/)
* [ ] [The good, the bad and RCE on NodeJS applications](https://www.linkedin.com/pulse/good-bad-rce-remote-code-execution-nodejs-ionut-indre/)
* [ ] [Attacking Deserialization in JS](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)
* [ ] [Node.js Deserialization Attack – Detailed Tutorial](https://www.yeahhub.com/nodejs-deserialization-attack-detailed-tutorial-2018/)
* [ ] [[Video] Celestial machine from HackTheBox - Ippsec](https://www.youtube.com/watch?v=aS6z4NgRysU)

* [ ] Deserialization:
    * [ ] https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
    * [ ] https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md
    * [ ] https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Aleksei%20Tiurin_Deserialization%20vulnerabilities.pdf

* [ ] .NET Deserialization:
    * [ ] https://github.com/pwntester/ysoserial.net
    * [ ] https://github.com/0xd4d/dnSpy

* [ ] Java Deserialization:
    * [ ] https://www.owasp.org/images/7/71/GOD16-Deserialization.pdf
    * [ ] https://github.com/frohoff/ysoserial
    * [ ] https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md

--------------------------------------------------------------------------------
/reading.md:
--------------------------------------------------------------------------------
# oswe_preparation

# Advanced Web Attacks & Exploitation

All efforts for the AWAE course and preparation for the Offensive Security Web Expert (OSWE) exam.

## To Read

## Cross-Site Scripting:
* [ ] https://xhr.spec.whatwg.org/

## Session Hijacking
* [ ] https://popped.io/hijacking-sessions-using-socat/
* [ ] https://pentesterlab.com/exercises/xss_and_mysql_file/course

## Persistent Cross-Site Scripting
* [ ] https://www.acunetix.com/blog/articles/persistent-xss/
* [ ] https://portswigger.net/web-security/cross-site-scripting

## Cross-Site Request Forgery
* [ ] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

* [ ] XSS and MySQL
    * [ ] https://www.vulnhub.com/entry/pentester-lab-xss-and-mysql-file,66/

## Bypassing File Upload Restrictions:
* [ ] [[Paper] File Upload Restrictions Bypass](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf)
* [ ] [Shell the web - Methods of a Ninja](http://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html)
* [ ] [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload)
* [ ] [Atlassian Crowd Pre-auth RCE](https://www.corben.io/atlassian-crowd-rce/)
* [ ] [Popcorn machine from HackTheBox](https://www.youtube.com/watch?v=NMGsnPSm8iw)
* [ ] [Vault machine from HackTheBox](https://www.youtube.com/watch?v=LfbwlPxToBc)

## WebSockets Insecurity

* [ ] [Introduction to WebSockets](https://portswigger.net/web-security/websockets)
* [ ] [[Video] Hacking with WebSockets - BlackHat](https://www.youtube.com/watch?v=-ALjHUqSz_Y)
* [ ] [Remote Hardware Takeover via WebSocket Hijacking](https://www.netsparker.com/blog/web-security/remote-hardware-takeover-via-vulnerable-admin-software/)
* [ ] [Cross-Site WebSocket Hijacking to Full Session Compromise](https://www.notsosecure.com/how-cross-site-websocket-hijacking-could-lead-to-full-session-compromise/)

## Source Code Audit

* [ ] [Introduction to Code Review [PentesterLab]](https://pentesterlab.com/exercises/codereview/course)
* [ ] [Static code analysis writeups](https://shells.systems/category/static-code-analysis/)
* [ ] [TrendMicro - Secure Coding Dojo](https://trendmicro.github.io/SecureCodingDojo/codereview101/)
* [ ] [Bug Hunting with Static Code Analysis [Video]](https://www.youtube.com/watch?v=Sb011qfbMkQ)
* [ ] [Shopify Remote Code Execution - Hackerone](https://prakhar.prasad.pro/blog/shopify-remote-code-execution/)
* [ ] [Finding vulnerabilities in source code (ASP.NET)](https://hydrasky.com/network-security/finding-vulnerabilities-in-source-code-aps-net/)
* [ ] [A deep dive into ASP.NET Deserialization](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
* [ ] [Writeups by mr\_me](https://srcincite.io/blog/)

## PHP Type Juggling:
* [ ] https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
* [ ] https://www.php.net/manual/en/types.comparisons.php
* [ ] https://github.com/spaze/hashes
* [ ] [OWASP - PHPMagicTricks TypeJuggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
* [ ] [PHP Type Juggling - Introduction](https://medium.com/@Q2hpY2tlblB3bnk/php-type-juggling-c34a10630b10)
* [ ] [Type Juggling, PHP Object Injection, SQLi](https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/)
* [ ] [Writing Exploits For PHP Type Juggling](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
* [ ] [Type Juggling Authentication Bypass Vulnerability in CMS Made Simple](https://www.netsparker.com/blog/web-security/type-juggling-authentication-bypass-cms-made-simple/)
* [ ] [PHP Magic Hashes](https://www.whitehatsec.com/blog/magic-hashes/)
* [ ] [Detailed Explanation of PHP Type Juggling Vulnerabilities](https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/)
* [ ] [[Video] PHP Type Juggling Vulnerabilities, Netsparker](https://www.youtube.com/watch?v=ASYuK01H3Po)
* [ ] [[Video] Falafel machine from HackTheBox](https://www.youtube.com/watch?v=CUbWpteTfio)

## JavaScript Injection:
* [ ] [Server Side JS Injection](https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html)
* [ ] [Remote Code Execution in math.js](https://capacitorset.github.io/mathjs/)
* [ ] [Arbitrary code execution in fast-redact](https://itnext.io/how-i-exploited-a-remote-code-execution-vulnerability-in-fast-redact-9e69fa35572f)
* [ ] [NVIDIA GeForce Experience OS Command Injection - CVE-2019-5678](https://rhinosecuritylabs.com/application-security/nvidia-rce-cve-2019-5678/)
* [ ] [setTimeout and setInterval use eval, therefore they are evil](https://idiallo.com/javascript/settimeout-and-setinterval-and-setevil)
* [ ] [Pentesting Node.js Application: Nodejs Application Security](https://www.websecgeeks.com/2017/04/pentesting-nodejs-application-nodejs.html)
* [ ] [NodeJS remote debugging with vscode](https://maikthulhu.github.io/2019-05-17-remote-debugging-node-vscode/)
* [ ] [Escape NodeJS Sandboxes](https://blog.netspi.com/escape-nodejs-sandboxes/)

## NodeJS:
* [ ] https://maikthulhu.github.io/2019-05-17-remote-debugging-node-vscode/
* [ ] https://github.com/ajinabraham/Node.Js-Security-Course
* [ ] https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
* [ ] https://www.yeahhub.com/nodejs-deserialization-attack-detailed-tutorial-2018/
* [ ] Celestial machine from HackTheBox

## SQLi:
* [ ] [RCE with SQL Injection - MSSQL](https://medium.com/@notsoshant/a-not-so-blind-rce-with-sql-injection-13838026331e)
* [ ] [SQL Injection to LFI to RCE - MySQL](https://medium.com/bugbountywriteup/sql-injection-to-lfi-to-rce-536bed29a862)
* [ ] [From SQLi to SHELL (I and II) - PentesterLab](https://pentesterlab.com/exercises/from_sqli_to_shell_II/course)
* [ ] [Pre-Auth Takeover of OXID eShops](https://blog.ripstech.com/2019/oxid-esales-shop-software/)
* [ ] [Blind SQL Injection](https://www.acunetix.com/websitesecurity/blind-sql-injection/)
* [ ] [[Paper] PostgreSQL Injection](https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf)
* [ ] [Having Fun With PostgreSQL](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt)
* [ ] [Blind PostgreSQL SQL Injection Tutorial](https://dotcppfile.wordpress.com/2014/07/12/blind-postgresql-sql-injection-tutorial/)
* [ ] [SQL Injection Cheat Sheet - PentestMonkey](http://pentestmonkey.net/category/cheat-sheet/sql-injection)
* [ ] [SQL Injection Cheat Sheet - PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
* [ ] [Exploiting H2 SQL injection to RCE](https://blog.ripstech.com/2019/dotcms515-sqli-to-rce/)
* [ ] https://pentesterlab.com/exercises/from_sqli_to_shell/course

## PostgreSQL
* [ ] http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet
* [ ] http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
* [ ] https://www.exploit-db.com/papers/13084
* [ ] http://www.postgresqltutorial.com/postgresql-string-functions/
* [ ] https://www.linuxtopia.org/online_books/database_guides/Practical_PostgreSQL_database/c7547_002.htm
* [ ] https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf
* [ ] https://dotcppfile.wordpress.com/2014/07/12/blind-postgresql-sql-injection-tutorial/

## XML External Entity (XXE) Attack

* [ ] [A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/)
* [ ] [From XXE to RCE: Pwn2Win CTF 2018 Writeup](https://bookgin.tw/2018/12/04/from-xxe-to-rce-pwn2win-ctf-2018-writeup/)
* [ ] [Blind XXE to RCE](https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce)
* [ ] [Apache Flex BlazeDS XXE Vulnerability](https://codewhitesec.blogspot.com/2015/08/cve-2015-3269-apache-flex-blazeds-xxe.html)
* [ ] [WebLogic EJBTaglibDescriptor XXE](https://medium.com/@knownsec404team/weblogic-ejbtaglibdescriptor-xxe-vulnerability-analysis-cve-2019-2888-bd649f5fcfa6)

## Server Side Template Injection (SSTI)

* [ ] [[Portswigger Research] Server Side Template Injection](https://portswigger.net/research/server-side-template-injection)
* [ ] [[Video] SSTI: RCE For The Modern Web App - albinowax](https://www.youtube.com/watch?v=3cT0uE7Y87s)
* [ ] [Server Side Template Injection](https://medium.com/server-side-template-injection/server-side-template-injection-faf88d0c7f34)
* [ ] [Jinja2 template injection filter bypasses](https://0day.work/jinja2-template-injection-filter-bypasses/)
* [ ] [Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic \<=3.1.3](http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic/)

## Long Readings:
* [ ] Use of Deserialization in .NET Framework Methods and Classes: https://www.nccgroup.trust/globalassets/our-research/uk/images/whitepaper-new.pdf
* [ ] https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf

## Password Reset Vulnerability
* [ ] [Testing Password Reset Functionalities](http://imranparay.blogspot.com/2018/09/testing-password-reset-functionalities.html)
* [ ] [OWASP - Forgot Password Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html)
* [ ] [How we hacked multiple user accounts using weak reset tokens for passwords](https://blog.appsecco.com/mass-account-pwning-or-how-we-hacked-multiple-user-accounts-using-weak-reset-tokens-for-passwords-c2d6c0831377)

# OSWE Lab Machine Based

#### Authentication Bypass to RCE

* [ ] [ATutor 2.2.1 Authentication Bypass](https://rebraws.github.io/ATutorAuthBypass/)
* [ ] [ATutor LMS password\_reminder TOCTOU Authentication Bypass](https://srcincite.io/advisories/src-2016-0009/)
* [ ] [ATutor 2.2.1 - Directory Traversal / Remote Code Execution](https://www.exploit-db.com/exploits/39639)
* [ ] [Cubecart Admin Authentication Bypass](https://blog.ripstech.com/2018/cubecart-admin-authentication-bypass/)
* [ ] [Trendmicro Smart Protection bypass to RCE](https://underdefense.com/n-day-exploit-development-and-upgrade-to-rce/)

#### XSS to RCE
* [ ] [AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting](https://www.exploit-db.com/exploits/20009)
* [ ] [Chaining XSS, CSRF to achieve RCE](https://rhinosecuritylabs.com/application-security/labkey-server-vulnerabilities-to-rce/)
* [ ] [Code analysis to gain RCE](https://sarthaksaini.com/2019/awae/xss-rce.html)
* [ ] [Magento 2.3.1: Unauthenticated Stored XSS to RCE](https://blog.ripstech.com/2019/magento-rce-via-xss/)
260 | * [ ] [Mybb 18.20 From Stored XSS to 261 | RCE](https://medium.com/@knownsec404team/the-analysis-of-mybb-18-20-from-stored-xss-to-rce-7234d7cc0e72) 262 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # oswe_preparation 2 | 3 | 4 | 5 | 6 | 7 | ## Curated List 8 | 9 | The following Links are curated from Below Sources. 10 | 11 | | Name | URL | 12 | | ------ | ------ | 13 | | M507 | [Github](https://github.com/M507/AWAE-Preparation/) | 14 | | Z-r0crypt OSWE/AWAE Preparation | [Blog](https://z-r0crypt.github.io/blog/2020/01/22/oswe/awae-preparation/) | 15 | | AWAE - OSWE Preparation / Resources | [Gitbook](https://jorgectf.gitbook.io/awae-oswe-preparation-resources/) | 16 | | HTB and Vulnhub: An OSWE Approach | [Blog](https://klezvirus.github.io/Misc/HTB-VH-OSWE/) | 17 | 18 | 19 | # reading 20 | 21 | # oswe_preparation 22 | 23 | # Advanced Web Attacks & Exploitation 24 | 25 | All efforts for the AWAE course and preparation for the Offensive Security Web Expert (OSWE) exam. 

## To Read

## Cross-Site Scripting
* [ ] https://xhr.spec.whatwg.org/

## Session Hijacking
* [ ] https://popped.io/hijacking-sessions-using-socat/
* [ ] https://pentesterlab.com/exercises/xss_and_mysql_file/course

## Persistent Cross-Site Scripting
* [ ] https://www.acunetix.com/blog/articles/persistent-xss/
* [ ] https://portswigger.net/web-security/cross-site-scripting

## Cross-Site Request Forgery
* [ ] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

* [ ] [XSS and MySQL (VulnHub)](https://www.vulnhub.com/entry/pentester-lab-xss-and-mysql-file,66/)

## Bypassing File Upload Restrictions
* [ ] [[Paper] File Upload Restrictions Bypass](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf)
* [ ] [Shell the web - Methods of a Ninja](http://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html)
* [ ] [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload)
* [ ] [Atlassian Crowd Pre-auth RCE](https://www.corben.io/atlassian-crowd-rce/)
* [ ] [Popcorn machine from HackTheBox](https://www.youtube.com/watch?v=NMGsnPSm8iw)
* [ ] [Vault machine from HackTheBox](https://www.youtube.com/watch?v=LfbwlPxToBc)

## WebSockets Insecurity
* [ ] [Introduction to WebSockets](https://portswigger.net/web-security/websockets)
* [ ] [[Video] Hacking with Websocket - BlackHat](https://www.youtube.com/watch?v=-ALjHUqSz_Y)
* [ ] [Remote Hardware takeover via Websocket Hijacking](https://www.netsparker.com/blog/web-security/remote-hardware-takeover-via-vulnerable-admin-software/)
* [ ] [Cross-Site WebSocket Hijacking to full Session Compromise](https://www.notsosecure.com/how-cross-site-websocket-hijacking-could-lead-to-full-session-compromise/)

## Source Code Audit
* [ ] [Introduction to Code Review [PentesterLab]](https://pentesterlab.com/exercises/codereview/course)
* [ ] [Static code analysis writeups](https://shells.systems/category/static-code-analysis/)
* [ ] [TrendMicro - Secure Coding Dojo](https://trendmicro.github.io/SecureCodingDojo/codereview101/)
* [ ] [Bug Hunting with Static Code Analysis [Video]](https://www.youtube.com/watch?v=Sb011qfbMkQ)
* [ ] [Shopify Remote Code Execution - Hackerone](https://prakhar.prasad.pro/blog/shopify-remote-code-execution/)
* [ ] [Finding vulnerabilities in source code (ASP.NET)](https://hydrasky.com/network-security/finding-vulnerabilities-in-source-code-aps-net/)
* [ ] [A deep dive into ASP.NET Deserialization](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
* [ ] [Writeups by mr\_me](https://srcincite.io/blog/)

## PHP Type Juggling
* [ ] [OWASP - PHPMagicTricks TypeJuggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
* [ ] [PHP Type Juggling - Introduction](https://medium.com/@Q2hpY2tlblB3bnk/php-type-juggling-c34a10630b10)
* [ ] [Type Juggling, PHP Object Injection, SQLi](https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/)
* [ ] [Writing Exploits For PHP Type Juggling](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
* [ ] [Type Juggling Authentication Bypass Vulnerability in CMS Made Simple](https://www.netsparker.com/blog/web-security/type-juggling-authentication-bypass-cms-made-simple/)
* [ ] [PHP Magic Hashes](https://www.whitehatsec.com/blog/magic-hashes/)
* [ ] [Detailed Explanation of PHP Type Juggling Vulnerabilities](https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/)
* [ ] [[Video] PHP Type Juggling Vulnerabilities, Netsparker](https://www.youtube.com/watch?v=ASYuK01H3Po)
* [ ] [[Video] Falafel machine from HackTheBox](https://www.youtube.com/watch?v=CUbWpteTfio)
* [ ] [PHP Manual - Comparison tables](https://www.php.net/manual/en/types.comparisons.php)
* [ ] [spaze/hashes - Magic hash collection](https://github.com/spaze/hashes)

## JavaScript Injection
* [ ] [Server Side JS Injection](https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html)
* [ ] [Remote Code Execution in math.js](https://capacitorset.github.io/mathjs/)
* [ ] [Arbitrary code execution in fast-redact](https://itnext.io/how-i-exploited-a-remote-code-execution-vulnerability-in-fast-redact-9e69fa35572f)
* [ ] [NVIDIA GeForce Experience OS Command Injection - CVE-2019-5678](https://rhinosecuritylabs.com/application-security/nvidia-rce-cve-2019-5678/)
* [ ] [SetTimeout and SetInterval use eval therefore are evil](https://idiallo.com/javascript/settimeout-and-setinterval-and-setevil)
* [ ] [Pentesting Node.js Application : Nodejs Application Security](https://www.websecgeeks.com/2017/04/pentesting-nodejs-application-nodejs.html)
* [ ] [NodeJS remote debugging with vscode](https://maikthulhu.github.io/2019-05-17-remote-debugging-node-vscode/)
* [ ] [Escape NodeJS Sandboxes](https://blog.netspi.com/escape-nodejs-sandboxes/)

## NodeJS
* [ ] https://github.com/ajinabraham/Node.Js-Security-Course
* [ ] https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
* [ ] https://www.yeahhub.com/nodejs-deserialization-attack-detailed-tutorial-2018/
* [ ] Celestial machine from HackTheBox

## SQLi
* [ ] [RCE with SQL Injection - MSSQL](https://medium.com/@notsoshant/a-not-so-blind-rce-with-sql-injection-13838026331e)
* [ ] [SQL Injection to LFI to RCE - MySQL](https://medium.com/bugbountywriteup/sql-injection-to-lfi-to-rce-536bed29a862)
* [ ] [From SQLi to SHELL (I) - PentesterLab](https://pentesterlab.com/exercises/from_sqli_to_shell/course)
* [ ] [From SQLi to SHELL (II) - PentesterLab](https://pentesterlab.com/exercises/from_sqli_to_shell_II/course)
* [ ] [Pre-Auth Takeover of OXID eShops](https://blog.ripstech.com/2019/oxid-esales-shop-software/)
* [ ] [Blind SQL Injection](https://www.acunetix.com/websitesecurity/blind-sql-injection/)
* [ ] [[Paper] PostgreSQL Injection](https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf)
* [ ] [Having Fun With PostgreSQL](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt)
* [ ] [Blind Postgresql Sql Injection Tutorial](https://dotcppfile.wordpress.com/2014/07/12/blind-postgresql-sql-injection-tutorial/)
* [ ] [SQL Injection Cheat Sheet - PentestMonkey](http://pentestmonkey.net/category/cheat-sheet/sql-injection)
* [ ] [SQL Injection Cheat Sheet - PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
* [ ] [Exploiting H2 SQL injection to RCE](https://blog.ripstech.com/2019/dotcms515-sqli-to-rce/)

## PostgreSQL
* [ ] http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet
* [ ] https://www.exploit-db.com/papers/13084
* [ ] http://www.postgresqltutorial.com/postgresql-string-functions/
* [ ] https://www.linuxtopia.org/online_books/database_guides/Practical_PostgreSQL_database/c7547_002.htm

## XML External Entity (XXE) Attack
* [ ] [A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/)
* [ ] [From XXE to RCE: Pwn2Win CTF 2018 Writeup](https://bookgin.tw/2018/12/04/from-xxe-to-rce-pwn2win-ctf-2018-writeup/)
* [ ] [Blind XXE to RCE](https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce)
* [ ] [Apache Flex BlazeDS XXE Vulnerability](https://codewhitesec.blogspot.com/2015/08/cve-2015-3269-apache-flex-blazeds-xxe.html)
* [ ] [WebLogic EJBTaglibDescriptor XXE](https://medium.com/@knownsec404team/weblogic-ejbtaglibdescriptor-xxe-vulnerability-analysis-cve-2019-2888-bd649f5fcfa6)

## Server Side Template Injection (SSTI)
* [ ] [[Portswigger Research] Server Side Template Injection](https://portswigger.net/research/server-side-template-injection)
* [ ] [[Video] SSTI : RCE For The Modern Web App - albinowax](https://www.youtube.com/watch?v=3cT0uE7Y87s)
* [ ] [Server Side Template Injection](https://medium.com/server-side-template-injection/server-side-template-injection-faf88d0c7f34)
* [ ] [Jinja2 template injection filter bypasses](https://0day.work/jinja2-template-injection-filter-bypasses/)
* [ ] [Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic \<=3.1.3](http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic/)

## Long Readings
* [ ] [Use of Deserialization in .NET Framework Methods and Classes (NCC Group whitepaper)](https://www.nccgroup.trust/globalassets/our-research/uk/images/whitepaper-new.pdf)
* [ ] [Friday the 13th: JSON Attacks (Black Hat USA 2017 whitepaper)](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)

## Password Reset Vulnerability
* [ ] [Testing Password reset functionalities](http://imranparay.blogspot.com/2018/09/testing-password-reset-functionalities.html)
* [ ] [OWASP - Forgot Password Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html)
* [ ] [How we hacked multiple user accounts using weak reset tokens for passwords](https://blog.appsecco.com/mass-account-pwning-or-how-we-hacked-multiple-user-accounts-using-weak-reset-tokens-for-passwords-c2d6c0831377)

# OSWE Lab Machine Based

#### Authentication Bypass to RCE
* [ ] [ATutor 2.2.1 Authentication Bypass](https://rebraws.github.io/ATutorAuthBypass/)
* [ ] [ATutor LMS password\_reminder TOCTOU Authentication Bypass](https://srcincite.io/advisories/src-2016-0009/)
* [ ] [ATutor 2.2.1 - Directory Traversal / Remote Code Execution](https://www.exploit-db.com/exploits/39639)
* [ ] [Cubecart Admin Authentication Bypass](https://blog.ripstech.com/2018/cubecart-admin-authentication-bypass/)
* [ ] [Trendmicro smart protection bypass to RCE](https://underdefense.com/n-day-exploit-development-and-upgrade-to-rce/)

#### XSS to RCE
* [ ] [AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting](https://www.exploit-db.com/exploits/20009)
* [ ] [Chaining XSS, CSRF to achieve RCE](https://rhinosecuritylabs.com/application-security/labkey-server-vulnerabilities-to-rce/)
* [ ] [Code analysis to gaining RCE](https://sarthaksaini.com/2019/awae/xss-rce.html)
* [ ] [Magento 2.3.1: Unauthenticated Stored XSS to RCE](https://blog.ripstech.com/2019/magento-rce-via-xss/)
* [ ] [Mybb 18.20 From Stored XSS to RCE](https://medium.com/@knownsec404team/the-analysis-of-mybb-18-20-from-stored-xss-to-rce-7234d7cc0e72)

## Study Strategy

## Course Completion
Taken from the publicly-available syllabus.
* [ ] 1. Introduction
    * [ ] Videos
    * [ ] Read/Notes
* [ ] 2. Tools & Methodologies
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 2.1.5 Exercise - Web Inspection
    * [ ] 2.2.1 Exercise - Python Requests
    * [ ] 2.3.3 Exercise - Decompilation
* [ ] 3. Atmail Mail Server Appliance: from XSS to RCE
    * [X] Videos
    * [X] Read/Notes
    * [X] 3.3.1 Exercise - Vuln Discovery
    * [X] 3.4.1 Exercise - Session Hijack
    * [X] 3.5.4 Exercise - Session Riding
    * [X] 3.5.5 Extra Mile - Session Riding
    * [X] 3.6.5 Exercise - globalsaveAction Vuln Analysis
    * [X] 3.6.7 Exercise - Make it fully automagical
    * [X] 3.6.8 Extra Mile
    * [ ] 3.6.8 Extra Mile - Also see if you can background it completely
* [ ] 4. ATutor Auth Bypass and RCE
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 4.3.1 Exercise - Vuln Discovery
    * [ ] 4.6.3 Exercise - Data Exfil
    * [ ] 4.6.4 Extra Mile - Data Exfil
    * [ ] 4.7.1 Exercise - ATutor Auth
    * [ ] 4.7.2 Extra Mile - ATutor Auth
    * [ ] 4.8.1 Exercise - ATutor Auth
    * [ ] 4.8.2 Extra Mile - ATutor Auth
    * [ ] 4.9.1 Exercise - File Upload
    * [ ] 4.10.5 Exercise - RCE
    * [ ] 4.10.6 Extra Mile - RCE
* [ ] 5. ATutor LMS Type Juggling Vuln
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 5.4.1 Exercise - String Conversion
    * [ ] 5.6.3 Exercise - Loose Comparison
    * [ ] 5.6.4 Extra Mile - Loose Comparison
* [ ] 6. ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE
    * [X] Videos
    * [X] Read/Notes
    * [X] 6.3.6 Exercise - Vuln Discovery
    * [X] 6.5.1 Exercise - Blind Bats
    * [X] 6.6.1 Exercise - Access FS
    * [ ] 6.6.3 Exercise - VBS file [!! Need to do the batch! Got the reverse shell... !!]
    * [ ] 6.6.4 Extra Mile - Shell via JSP
    * [X] 6.7.4 Exercise - PostgreSQL Extensions
    * [ ] 6.8.1 Exercise - UDF Reverse Shell
    * [ ] 6.9.3 Exercise - Moar Shells
    * [ ] 6.9.4 Extra Mile - Moar Shells
* [ ] 7. Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 7.6.1 Exercise - RevShell
    * [ ] 7.6.2 Extra Mile - RevShell
* [ ] 8. DotNetNuke Deserialization RCE
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 8.4.3 Exercise - Serialization Basics
    * [ ] 8.4.5 Exercise - Serialization Basics
    * [ ] 8.4.7 Exercise - Serialization Basics
    * [ ] 8.5.3 Exercise - DNN Vuln Analysis
    * [ ] 8.6.4 Exercise - Payload Options
    * [ ] 8.6.7 Exercise - Payload Options
    * [ ] 8.7.1 Exercise - Payload Options
    * [ ] 8.8.1 Extra Mile - Y SO SERIAL? .NET
    * [ ] 8.8.2 Extra Mile - Y SO SERIAL? Java
* [ ] 9. ERPNext Authentication Bypass and Server Side Template Injection
    * [X] Videos
    * [X] Read/Notes
    * [X] 9.1.1.1 Exercise - Configure Kali SMTPd server
    * [X] 9.1.2.1 Exercise - Configure remote debugging
    * [X] 9.1.3.1 Exercise - Configure MariaDB logging
    * [ ] 9.2.3.2 Exercise - Find whitelisted functions
    * [X] 9.3.1.2 Exercises - SQLi
    * [X] 9.4.2.1 Exercises - Access the admin acct
    * [X] 9.5.2.1 Exercise - Find the SSTI
    * [ ] 9.5.2.2 Extra Mile - Find another instance of SSTI
    * [X] 9.5.3.1 Exercise - Recreate the `__class__` rendering
    * [ ] 9.5.3.2 Extra Mile - Alternative filter bypass
    * [X] 9.6.1.1 Exercises - Recreate the filter bypass and exploit and find other classes to own
    * [X] 9.6.2.1 Exercises - Recreate RCE and get shell
    * [ ] 9.6.2.2 Extra Mile - Get output to display
* [ ] 10. openCRX Authentication Bypass and Remote Code Execution
    * [X] Videos
    * [X] Read/Notes
    * [X] 10.2.1.1 Exercise - Recreate the Rando and SecureRando
    * [X] 10.2.4.1 Exercise - Generate a token list
    * [X] 10.2.4.2 Extra Mile - Update token program to take start/stop
    * [X] 10.2.5.2 Exercises - Reset password
    * [X] 10.2.5.3 Extra Mile - Automate the attack chain
    * [X] 10.3.6.2 Exercises - Recreate the XXE attack
    * [X] 10.3.6.3 Extra Mile - Script to parse XXE results
    * [X] 10.3.8.1 Exercise - Implement the "wrapper" payload
    * [X] 10.3.9.2 Exercise - Connect to HSQLDB
    * [X] 10.4.1.1 Exercises - Write file and confirm
    * [X] 10.4.2.1 Exercise - Find dir with JSP files
    * [X] 10.4.3.1 Exercises - Get. That. Shell.
* [ ] 11. openITCOCKPIT XSS and OS Command Injection - Blackbox
    * [ ] Videos
    * [ ] Read/Notes
    * [ ] 11.5.1 Exercise - Recreate the XSS
    * [ ] 11.6.2.1 Exercises - DOM rewrite
    * [ ] 11.6.2.2 Extra Mile - Prevent new page load
    * [ ] 11.6.3.1 Exercises - Finish the script and initialize the DB
    * [ ] 11.6.4.1 Exercises - Finish the API script and get a fake login page with the XSS
    * [ ] 11.6.4.2 Extra Mile - Add cookie functionality
    * [ ] 11.6.5.1 Exercises - Exploit the XSS
    * [ ] 11.6.5.2 Extra Miles - Beef up dat XSS
    * [ ] 11.6.6.1 Exercise - Dump the SQLite DB
    * [ ] 11.7.4.1 Exercise - Fuzz and find cmds
    * [ ] 11.7.5.1 Exercise - Test cmd injection
    * [ ] 11.7.6.1 Exercise - Get a meterpreter shell
    * [ ] 10.7.7 Extra Mile - Get RCE via administrator session
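## Worked example: PHP loose comparison and magic hashes

Companion to the module 5 exercises (5.4.1 String Conversion, 5.6.3 Loose Comparison) and the PHP Type Juggling readings. This is an added illustration, not code from this repository or from ATutor: a small Python model of PHP's `==` rule for two strings, used to show why two MD5 digests that both start with `0e` followed only by digits compare equal under `==`, and what the `===` / `hash_equals()` fix changes. The numeric-string regex is a simplification of PHP's rule (trailing whitespace is accepted only from PHP 8.0, hex strings stopped being numeric in PHP 7.0); the two magic-hash inputs `240610708` and `QNKCDZO` are the well-known ones from the magic-hash collections linked above.

```python
"""PHP loose comparison on strings, and why MD5 "magic hashes" defeat it.

Added illustration (not code from this repo or from ATutor): a Python model
of the PHP == rule for two strings, used to show the bypass and the fix.
"""
import hashlib
import hmac
import re

# PHP treats a string as numeric when the whole string parses as a number,
# exponent notation included. Simplification: trailing whitespace is accepted
# only from PHP 8.0, and hex strings stopped being numeric in PHP 7.0.
_NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_is_numeric_string(s: str) -> bool:
    return _NUMERIC_STRING.match(s) is not None


def php_loose_equals(a: str, b: str) -> bool:
    """Model of $a == $b for two PHP strings: if both are numeric strings PHP
    compares their numeric values, otherwise it compares the bytes."""
    if php_is_numeric_string(a) and php_is_numeric_string(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """A digest of the form 0e<digits only> is the numeric string 0 * 10^N,
    so every such digest loosely equals every other one (and "0")."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def vulnerable_check(stored_hash: str, supplied_password: str) -> bool:
    """The bug pattern: if (md5($_POST['password']) == $row['hash'])."""
    return php_loose_equals(md5_hex(supplied_password), stored_hash)


def fixed_check(stored_hash: str, supplied_password: str) -> bool:
    """The fix: === (byte comparison) or, better, hash_equals(), which is also
    constant-time; compare_digest() plays that role here."""
    return hmac.compare_digest(md5_hex(supplied_password), stored_hash)


if __name__ == "__main__":
    # Two well-known magic-hash inputs: md5 of each starts with 0e followed
    # only by digits, so PHP's == reads both as the number zero.
    stored = md5_hex("240610708")  # 0e462097431906509019562988736854
    print("magic:", is_magic_hash(stored))
    print("== lets QNKCDZO in:", vulnerable_check(stored, "QNKCDZO"))
    print("=== rejects it:", not fixed_check(stored, "QNKCDZO"))
```

When auditing, grep for `==` and `!=` around anything that came out of `md5()`, `sha1()`, `crypt()` or a password-reset token lookup; the comparison is exploitable whenever the attacker controls one side and the stored side happens to be (or can be made to be) a `0e` digest.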
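## Worked example: enumerating tokens from a time-seeded java.util.Random

Companion to the module 10 exercises (10.2.1.1 Recreate the Rando, 10.2.4.1 Generate a token list, 10.2.5.2 Reset password) and the weak-reset-token reading above. This is an added, generic illustration and not openCRX's code: the token format (a `java.util.Random` seeded with the request time in milliseconds, then 20 alphanumeric draws) is constructed to show the failure mode. The `JavaRandom` class is a bit-exact port of `java.util.Random`'s 48-bit LCG, so the same approach transfers to any Java application that seeds `Random` with something guessable: an attacker who knows roughly when the victim's reset request was handled can regenerate every token the server could have issued and try them all.

```python
"""Why a reset token drawn from a time-seeded java.util.Random is enumerable.

Added illustration (not openCRX's code). JavaRandom is a bit-exact port of
java.util.Random; weak_token() is a constructed token scheme seeded with the
request time in milliseconds, the pattern the exercise is about.
"""
import string
from typing import Optional


class JavaRandom:
    """Port of java.util.Random: 48-bit linear congruential generator."""

    MULT = 0x5DEECE66D
    ADD = 0xB
    MASK = (1 << 48) - 1

    def __init__(self, seed: int) -> None:
        self.seed = (seed ^ self.MULT) & self.MASK  # Java's initialScramble

    def _next(self, bits: int) -> int:
        self.seed = (self.seed * self.MULT + self.ADD) & self.MASK
        return self.seed >> (48 - bits)

    def next_int(self, bound: Optional[int] = None) -> int:
        if bound is None:
            r = self._next(32)
            return r - (1 << 32) if r >= (1 << 31) else r  # signed 32-bit
        if bound <= 0:
            raise ValueError("bound must be positive")
        if bound & (bound - 1) == 0:  # power of two: take the high bits
            return (bound * self._next(31)) >> 31
        while True:
            bits = self._next(31)
            val = bits % bound
            if bits - val + (bound - 1) < (1 << 31):  # Java's overflow check
                return val


ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 20


def weak_token(seed_millis: int) -> str:
    """Server side (constructed): new Random(System.currentTimeMillis()) and
    then TOKEN_LEN draws from a 62-character alphabet."""
    rng = JavaRandom(seed_millis)
    return "".join(ALPHABET[rng.next_int(len(ALPHABET))] for _ in range(TOKEN_LEN))


def candidate_tokens(approx_millis: int, window_millis: int):
    """Attacker side: (seed, token) for every request time within +/- window
    of the observed time, i.e. every token the server could have issued."""
    for seed in range(approx_millis - window_millis, approx_millis + window_millis + 1):
        yield seed, weak_token(seed)


def generate_token_list(approx_millis: int, window_millis: int):
    """The token list to feed into the reset endpoint, oldest first."""
    return [token for _, token in candidate_tokens(approx_millis, window_millis)]


def recover_seed(observed_token: str, approx_millis: int, window_millis: int) -> Optional[int]:
    """Given one token the server issued (for example to the attacker's own
    account), find the exact millisecond it was generated at. That pins down
    the server clock and shrinks the window needed for other victims."""
    for seed, token in candidate_tokens(approx_millis, window_millis):
        if token == observed_token:
            return seed
    return None


if __name__ == "__main__":
    victim_seed = 1_700_000_000_000  # constructed request time
    victim = weak_token(victim_seed)
    # Attacker knows the time to within a few seconds (Date header, email timestamp).
    tokens = generate_token_list(victim_seed + 1500, 5000)
    print(len(tokens), "candidates; victim token included:", victim in tokens)
```

A 10-second window is 10,001 candidates, which a reset endpoint without rate limiting will happily accept. The defence is the one the course contrasts it with: `java.security.SecureRandom` (or any CSPRNG), and a token long enough that enumeration is hopeless even if the clock is known exactly.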