Merge pull request #305 from the-rend/master

adding a new browser trick / adding a new type of SQL injection
Carlos Polop 2022-02-27 10:17:59 +00:00 committed by GitHub
commit 7531c4a316
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 0 deletions


@ -199,6 +199,15 @@ On the next examples we are going to retrieve the name of all the databases, the
_There is a different way to discover this data on every different database, but it's always the same methodology._
## Exploiting Hidden Union Based
If you can see the output of the query but you can't achieve a union based injection, you are dealing with a hidden union based injection.
In this situation you end up with a blind injection. To turn the blind injection to a union based one, you need to extract the query being executed on the backend.
You can do so by use of the blind injection and the default tables of your target DBMS. To learn about those default tables read the documentation of your target DBMS.
After extracting the query, you need to adjust your payload accordingly, closing the original query safely. Then append a union query to your payload and start exploiting the newly obtained union based injection.
Complete Article: https://medium.com/@Rend_/healing-blind-injections-df30b9e0e06f
## Exploiting Error based
If for some reason you **cannot** see the **output** of the **query** but you can **see the error messages**, you can make this error messages to **ex-filtrate** data from the database.\
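Review bot: the opening of the new "Exploiting Hidden Union Based" section reads as self-contradictory: "If you can see the output of the query but you can't achieve a union based injection" is immediately followed by "In this situation you end up with a blind injection", so the reader cannot tell whether query output is visible or not. Reword the first sentence to say that the output shown is not the direct result of the injected query, which is why only blind techniques apply until the backend query has been recovered; that makes the definition match the method the next three lines describe. The pointer to "the default tables of your target DBMS ... read the documentation of your target DBMS" is vague; the preceding context already says the methodology is the same on every database with per-DBMS differences, so linking those per-database notes would be more useful than "read the documentation". Also, this file labels the reference "Complete Article:" while the other file in this PR uses "Source:"; pick one label.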


@ -144,6 +144,8 @@ Backup iKat versions:
[http://swin.es/k/](http://swin.es/k/)\
[http://www.ikat.kronicd.net/](http://www.ikat.kronicd.net)\
Create a common dialog using JavaScript and access file explorer: `document.write('<input/type=file>')`
Source: https://medium.com/@Rend_/give-me-a-browser-ill-give-you-a-shell-de19811defa0
## iPad
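Review bot: the added line `Create a common dialog using JavaScript and access file explorer: ...` is appended directly after a line ending in a trailing backslash (the markdown hard line break used for the iKat links), so it renders as a continuation of the "Backup iKat versions" paragraph rather than as a separate item; insert a blank line or give it its own sub-heading before it. The line also states what the snippet does without the defender-side takeaway; a one-sentence mitigation note (for example that locked-down browser profiles should not allow file-picker dialogs to be opened from page script) would turn the trick into an actionable hardening item. As in the other file, keep the reference label consistent ("Source:" here, "Complete Article:" there).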