diff --git a/.gitbook/assets/image (1) (8).png b/.gitbook/assets/image (1) (8).png
new file mode 100644
index 000000000..bda84db54
Binary files /dev/null and b/.gitbook/assets/image (1) (8).png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index bda84db54..ae902527d 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (2) (2) (3).png b/.gitbook/assets/image (2) (2) (3).png
new file mode 100644
index 000000000..f088f7973
Binary files /dev/null and b/.gitbook/assets/image (2) (2) (3).png differ
diff --git a/.gitbook/assets/image (2) (2).png b/.gitbook/assets/image (2) (2).png
index f088f7973..8cbefda25 100644
Binary files a/.gitbook/assets/image (2) (2).png and b/.gitbook/assets/image (2) (2).png differ
diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png
index 8cbefda25..37e88406f 100644
Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ
diff --git a/.gitbook/assets/image (23) (2) (1).png b/.gitbook/assets/image (23) (2) (1).png
new file mode 100644
index 000000000..95d6ba326
Binary files /dev/null and b/.gitbook/assets/image (23) (2) (1).png differ
diff --git a/.gitbook/assets/image (23) (2).png b/.gitbook/assets/image (23) (2).png
index 95d6ba326..aa5ce3239 100644
Binary files a/.gitbook/assets/image (23) (2).png and b/.gitbook/assets/image (23) (2).png differ
diff --git a/.gitbook/assets/image (23).png b/.gitbook/assets/image (23).png
index aa5ce3239..ec4d7c9ff 100644
Binary files a/.gitbook/assets/image (23).png and b/.gitbook/assets/image (23).png differ
diff --git a/.gitbook/assets/image (24) (1) (2).png b/.gitbook/assets/image (24) (1) (2).png
new file mode 100644
index 000000000..aa73a32c5
Binary files /dev/null and b/.gitbook/assets/image (24) (1) (2).png differ
diff --git a/.gitbook/assets/image (24) (1).png b/.gitbook/assets/image (24) (1).png
index aa73a32c5..b2681ccdc 100644
Binary files a/.gitbook/assets/image (24) (1).png and b/.gitbook/assets/image (24) (1).png differ
diff --git a/.gitbook/assets/image (24).png b/.gitbook/assets/image (24).png
index b2681ccdc..6871f1a2a 100644
Binary files a/.gitbook/assets/image (24).png and b/.gitbook/assets/image (24).png differ
diff --git a/.gitbook/assets/image (29) (1) (2).png b/.gitbook/assets/image (29) (1) (2).png
new file mode 100644
index 000000000..b817e181c
Binary files /dev/null and b/.gitbook/assets/image (29) (1) (2).png differ
diff --git a/.gitbook/assets/image (29) (1).png b/.gitbook/assets/image (29) (1).png
index b817e181c..44b67923d 100644
Binary files a/.gitbook/assets/image (29) (1).png and b/.gitbook/assets/image (29) (1).png differ
diff --git a/.gitbook/assets/image (29).png b/.gitbook/assets/image (29).png
index 44b67923d..c873e2078 100644
Binary files a/.gitbook/assets/image (29).png and b/.gitbook/assets/image (29).png differ
diff --git a/.gitbook/assets/image (3) (2) (2).png b/.gitbook/assets/image (3) (2) (2).png
new file mode 100644
index 000000000..6be443037
Binary files /dev/null and b/.gitbook/assets/image (3) (2) (2).png differ
diff --git a/.gitbook/assets/image (3) (2).png b/.gitbook/assets/image (3) (2).png
index 6be443037..884a59fd2 100644
Binary files a/.gitbook/assets/image (3) (2).png and b/.gitbook/assets/image (3) (2).png differ
diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png
index 884a59fd2..9a74fb3f3 100644
Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ
diff --git a/.gitbook/assets/image (31) (2).png b/.gitbook/assets/image (31) (2).png
new file mode 100644
index 000000000..57be91b1f
Binary files /dev/null and b/.gitbook/assets/image (31) (2).png differ
diff --git a/.gitbook/assets/image (31).png b/.gitbook/assets/image (31).png
index 57be91b1f..37e88406f 100644
Binary files a/.gitbook/assets/image (31).png and b/.gitbook/assets/image (31).png differ
diff --git a/.gitbook/assets/image (4) (3) (1).png b/.gitbook/assets/image (4) (3) (1).png
new file mode 100644
index 000000000..b03e5ae24
Binary files /dev/null and b/.gitbook/assets/image (4) (3) (1).png differ
diff --git a/.gitbook/assets/image (4) (3).png b/.gitbook/assets/image (4) (3).png
index b03e5ae24..1ad2a58a1 100644
Binary files a/.gitbook/assets/image (4) (3).png and b/.gitbook/assets/image (4) (3).png differ
diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png
index 1ad2a58a1..e0409d6bf 100644
Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index ae902527d..7191ffb69 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
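Review bot: these binary changes are a rename cascade rather than new images, and only one page reference is updated to match. The blob a newly added file receives is the one its neighbour just gave up (for example `image (1) (8).png` is created with blob `bda84db54`, which is exactly the blob `image (1).png` loses in the next entry, and `image (4) (3) (1).png` is created with `b03e5ae24`, the blob `image (4) (3).png` loses). Every existing page that embeds `image (1).png`, `image (2).png`, `image (3).png`, `image (4).png`, `image (23).png`, `image (24).png`, `image (29).png`, `image (31).png`, `image.png` or one of their `(n) (m)` variants therefore shows a different picture after this commit unless its reference is repointed, and the only repoint in this patch is the one in `browser-http-request-smuggling.md`. Consider committing these as proper renames (`git mv`, so rename detection keeps history) and giving screenshots descriptive file names so that adding one image cannot shift the contents of nine others. Note also that `image (2).png` and `image (31).png` now both end at blob `37e88406f`, so one of the two is a duplicate that can be dropped.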
diff --git a/SUMMARY.md b/SUMMARY.md
index 21afa402a..13fcfc3b1 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -521,6 +521,7 @@
* [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md)
* [Open Redirect](pentesting-web/open-redirect.md)
* [Parameter Pollution](pentesting-web/parameter-pollution.md)
+* [Phone Number Injections](pentesting-web/phone-number-injections.md)
* [PostMessage Vulnerabilities](pentesting-web/postmessage-vulnerabilities/README.md)
* [Blocking main page to steal postmessage](pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md)
* [Bypassing SOP with Iframes - 1](pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md)
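Review bot: the new entry is placed correctly in alphabetical order between Parameter Pollution and PostMessage Vulnerabilities, and its target `pentesting-web/phone-number-injections.md` is created in this same patch, so the link will resolve. Since `emails-vulns.md` is emptied of content later in this patch, check whether SUMMARY.md still lists that file; if it does, either remove the entry or point it at `pentesting-web/email-injections.md`, where the content now lives.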
diff --git a/emails-vulns.md b/emails-vulns.md
index 549f28abc..59c9f1471 100644
--- a/emails-vulns.md
+++ b/emails-vulns.md
@@ -1,93 +1,29 @@
-
+# Emails Vulnerabilities
-ποΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) ποΈ - π₯ Youtube π₯
+ποΈ HackTricks LIVE TwitchWednesdays 5.30pm (UTC) ποΈ -π₯ Youtube π₯
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+##
-# Payloads
-
-## Ignored parts of an email
-
-The symbols: **+, -** and **{}** in rare occasions can be used for tagging and ignored by most e-mail servers
-
-* E.g. john.doe+intigriti@example.com β john.doe@example.com
-
-**Comments between parentheses ()** at the beginning or the end will also be ignored
-
-* E.g. john.doe(intigriti)@example.com β john.doe@example.com
-
-## Whitelist bypass
-
-* inti(;inti@inti.io;)@whitelisted.com
-* inti@inti.io(@whitelisted.com)
-* inti+(@whitelisted.com;)@inti.io
-
-## IPs
-
-You can also use IPs as domain named between square brackets:
-
-* john.doe@\[127.0.0.1]
-* john.doe@\[IPv6:2001:db8::1]
-
-## Other vulns
-
-![](<.gitbook/assets/image (296).png>)
-
-# Third party SSO
-
-## XSS
-
-Some services like **github** or **salesforce allows** you to create an **email address with XSS payloads on it**. If you can **use this providers to login on other services** and this services **aren't sanitising** correctly the email, you could cause **XSS**.
-
-## Account-Takeover
-
-If a **SSO service** allows you to **create an account without verifying the given email address** (like **salesforce**) and then you can use that account to **login in a different service** that **trusts** salesforce, you could access any account.\
-_Note that salesforce indicates if the given email was or not verified but so the application should take into account this info._
-
-# Reply-To
-
-You can send an email using _**From: company.com**_** ** and _**Replay-To: attacker.com**_ and if any **automatic reply** is sent due to the email was sent **from** an **internal address** the **attacker** may be able to **receive** that **response**.
-
-# **References**
-
-* [**https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view**](https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view)
-
-# Hard Bounce Rate
-
-Some applications like AWS have a **Hard Bounce Rate** (in AWS is 10%), that whenever is overloaded the email service is blocked.
-
-A **hard bounce** is an **email** that couldnβt be delivered for some permanent reasons. Maybe the **emailβs** a fake address, maybe the **email** domain isnβt a real domain, or maybe the **email** recipientβs server wonβt accept **emails**) , that means from total of 1000 emails if 100 of them were fake or were invalid that caused all of them to bounce, **AWS SES** will block your service.
-
-So, if you are able to **send mails (maybe invitations) from the web application to any email address, you could provoke this block by sending hundreds of invitations to nonexistent users and domains: Email service DoS.**
-
+##
-ποΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) ποΈ - π₯ Youtube π₯
+ποΈ HackTricks LIVE TwitchWednesdays 5.30pm (UTC) ποΈ -π₯ Youtube π₯
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
-
-
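Review bot: after this hunk `emails-vulns.md` is an empty shell, and some of the removed content is not carried over anywhere. The file keeps only the title, the two sponsor banners and two bare `##` headings with no text under them, which render as empty sections; either delete the file (and its SUMMARY.md entry) or replace the body with a one-line pointer to `pentesting-web/email-injections.md`. The three payload lines removed under `## Whitelist bypass` (`inti(;inti@inti.io;)@whitelisted.com`, `inti@inti.io(@whitelisted.com)`, `inti+(@whitelisted.com;)@inti.io`) and the `## Other vulns` image do not reappear in the matching section of `email-injections.md` in this patch, so that material is lost in the move. Separately, the banner line loses two spaces (`Twitch Wednesdays` becomes `TwitchWednesdays`, `- π₯` becomes `-π₯`); that looks like an editor export artefact rather than an intended change and is worth reverting, as it recurs in every page touched by this commit.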
diff --git a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md
index 1b86b91bc..cce1ad922 100644
--- a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md
+++ b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md
@@ -65,7 +65,7 @@ Example:
Inguz# show version
```
-
+
> **However, donβt forget that the EIGRP routing domain can be protected by authentication. But you still have a chance to connect to the routing domain. When hello packets are sent out, they also contain cryptographic hashes. If you can extract these hashes from the traffic dump and reset the password, you can log on to the routing domain with this password.**
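Review bot: this hunk replaces a blank line with a blank line, so as shown it is a whitespace-only change (most likely trailing whitespace, or an image embed whose markup is not visible here). If an image was meant to sit between the `show version` block and the authentication note, confirm the reference survived; if not, the hunk can be dropped from the commit to keep the history readable. The same blank-for-blank pattern appears in the other `-`/`+` pairs of this patch (the TACACS+, Flipper Zero, iButton, infrared, Sub-GHz and AD certificate pages), and the same check applies to each of them.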
@@ -97,7 +97,7 @@ During the establishment and maintenance of the neighborhood between EIGRP route
* **100.100.100.0/24 via 10.10.100.100;**
* **172.16.100.0/24 via 10.10.100.200**
-
+
Thus, after establishing the neighborhood, we know about the existence of these subnets, which makes it easier for us to pentest and save time. We can do without additional subnet scanning. Now we are in the EIGRP routing domain and we can develop some attack vectors. Letβs talk about them.
diff --git a/network-services-pentesting/49-pentesting-tacacs+.md b/network-services-pentesting/49-pentesting-tacacs+.md
index bdfbb646c..b8a8b2eaa 100644
--- a/network-services-pentesting/49-pentesting-tacacs+.md
+++ b/network-services-pentesting/49-pentesting-tacacs+.md
@@ -39,7 +39,7 @@ Now you need to run [Loki](https://c0decafe.de/svn/codename\_loki/trunk/). This
sudo loki_gtk.py
```
-
+
You also need to specify the path to the dictionary in order to bruteforce the encrypted key. Be sure to uncheck the **Use Bruteforce** option, otherwise Loki will bruteforce the password without using the dictionary.
@@ -61,7 +61,7 @@ Great, we managed to unlock the key, now we need to decrypt the TACACS traffic.
We see which banner was used.
-
+
We find the username of the user `admin`
diff --git a/pentesting-web/email-injections.md b/pentesting-web/email-injections.md
index 53ea99791..a4b15de6e 100644
--- a/pentesting-web/email-injections.md
+++ b/pentesting-web/email-injections.md
@@ -10,17 +10,19 @@ Get Access Today:
-ποΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) ποΈ - π₯ Youtube π₯
+ποΈ HackTricks LIVE TwitchWednesdays 5.30pm (UTC) ποΈ -π₯ Youtube π₯
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
-## Inject Cc and Bcc after sender argument
+## Inject in sent e-mail
+
+### Inject Cc and Bcc after sender argument
```
From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
@@ -28,7 +30,7 @@ From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
The message will be sent to the recipient and recipient1 accounts.
-## Inject argument
+### Inject argument
```
From:sender@domain.com%0ATo:attacker@domain.com
@@ -36,7 +38,7 @@ From:sender@domain.com%0ATo:attacker@domain.com
The message will be sent to the original recipient and the attacker account.
-## Inject Subject argument
+### Inject Subject argument
```
From:sender@domain.com%0ASubject:This is%20Fake%20Subject
@@ -44,7 +46,7 @@ From:sender@domain.com%0ASubject:This is%20Fake%20Subject
The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.
-## Change the body of the message
+### Change the body of the message
Inject a two-line feed, then write your message to change the body of the message.
@@ -52,7 +54,7 @@ Inject a two-line feed, then write your message to change the body of the messag
From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.
```
-## PHP mail() function exploitation
+### PHP mail() function exploitation
```bash
# The function has the following definition:
@@ -70,7 +72,7 @@ Function [ function mail ] {
}
```
-### The 5th parameter ($additional\_parameters)
+#### The 5th parameter ($additional\_parameters)
This section is going to be based on **how to abuse this parameter supposing that an attacker controls it**.
@@ -90,20 +92,76 @@ Here are a few examples of different man pages of sendmail command/interface:
Depending on the **origin of the sendmail** binary different options have been discovered to abuse them and l**eak files or even execute arbitrary commands**. Check how in [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)
+## Inject in the e-mail name
+
+### Ignored parts of an email
+
+The symbols: **+, -** and **{}** in rare occasions can be used for tagging and ignored by most e-mail servers
+
+* E.g. john.doe+intigriti@example.com β john.doe@example.com
+
+**Comments between parentheses ()** at the beginning or the end will also be ignored
+
+* E.g. john.doe(intigriti)@example.com β john.doe@example.com
+
+### Whitelist bypass
+
+
+
+### Quotes
+
+
+
+### IPs
+
+You can also use IPs as domain named between square brackets:
+
+* john.doe@\[127.0.0.1]
+* john.doe@\[IPv6:2001:db8::1]
+
+### Other vulns
+
+![](<../.gitbook/assets/image (296).png>)
+
+## Third party SSO
+
+### XSS
+
+Some services like **github** or **salesforce allows** you to create an **email address with XSS payloads on it**. If you can **use this providers to login on other services** and this services **aren't sanitising** correctly the email, you could cause **XSS**.
+
+### Account-Takeover
+
+If a **SSO service** allows you to **create an account without verifying the given email address** (like **salesforce**) and then you can use that account to **login in a different service** that **trusts** salesforce, you could access any account.\
+_Note that salesforce indicates if the given email was or not verified but so the application should take into account this info._
+
+## Reply-To
+
+You can send an email using _**From: company.com**_\*\* \*\* and _**Replay-To: attacker.com**_ and if any **automatic reply** is sent due to the email was sent **from** an **internal address** the **attacker** may be able to **receive** that **response**.
+
+## Hard Bounce Rate
+
+Some applications like AWS have a **Hard Bounce Rate** (in AWS is 10%), that whenever is overloaded the email service is blocked.
+
+A **hard bounce** is an **email** that couldnβt be delivered for some permanent reasons. Maybe the **emailβs** a fake address, maybe the **email** domain isnβt a real domain, or maybe the **email** recipientβs server wonβt accept **emails**) , that means from total of 1000 emails if 100 of them were fake or were invalid that caused all of them to bounce, **AWS SES** will block your service.
+
+So, if you are able to **send mails (maybe invitations) from the web application to any email address, you could provoke this block by sending hundreds of invitations to nonexistent users and domains: Email service DoS.**
+
## References
-* [**https://resources.infosecinstitute.com/email-injection/**](https://resources.infosecinstitute.com/email-injection/)
-* [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)
+* [https://resources.infosecinstitute.com/email-injection/](https://resources.infosecinstitute.com/email-injection/)
+* [https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)
+* [https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view](https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view)
+* [https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0)
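Review bot: the `### Whitelist bypass` and `### Quotes` sections added here are empty, which leaves two headings with nothing under them; the whitelist payloads that the old `emails-vulns.md` carried under the same heading should be restored here, and `Quotes` needs at least a sentence or an example or should not be added yet. Two pre-existing defects are copied over verbatim and are worth fixing while the text is moving: `Replay-To` in the Reply-To section should read `Reply-To`, and the `_**From: company.com**_\*\* \*\*` fragment is escaped bold residue that renders as literal asterisks. The Hard Bounce Rate paragraph also has an unmatched closing parenthesis after `accept **emails**)` and reads as a run-on; the point it makes (a sender exceeding the 10% hard-bounce threshold gets blocked by AWS SES, so an application that lets users trigger mail to arbitrary addresses can be pushed over that threshold) would be clearer in two sentences, and from the defender's side it is worth adding that the mitigation is to verify recipients before sending and to rate-limit user-triggered mail. Finally, the image path is correctly rewritten to `../.gitbook/assets/image (296).png` for the new directory depth.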
-ποΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) ποΈ - π₯ Youtube π₯
+ποΈ HackTricks LIVE TwitchWednesdays 5.30pm (UTC) ποΈ -π₯ Youtube π₯
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md b/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md
index 6bb9af940..a8a096c13 100644
--- a/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md
+++ b/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md
@@ -2,13 +2,13 @@
-ποΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) ποΈ - π₯ Youtube π₯
+ποΈ HackTricks LIVE TwitchWednesdays 5.30pm (UTC) ποΈ -π₯ Youtube π₯
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -261,7 +261,7 @@ When processing a **partial request** that matches a synth rule, Varnish will **
To trigger a pause-based desync on a vulnerable front-end, start by sending your headers, promising a body, and then just wait. Eventually you'll receive a response and when you finally send send your request body, it'll be interpreted as a new request:
-![](<../../.gitbook/assets/image (4) (3).png>)
+![](<../../.gitbook/assets/image (4) (3) (1).png>)
{% hint style="warning" %}
Apparently this was patched on the 25th January as [CVE-2022-23959](https://varnish-cache.org/security/VSV00008.html).
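Review bot: the repoint from `image (4) (3).png` to `image (4) (3) (1).png` is correct for this page, because the new file is created in this patch with blob `b03e5ae24`, the blob `image (4) (3).png` held before the change, so the pause-based desync screenshot keeps showing the same picture. The same shift happens to eight other asset files in this commit, and no other page reference is updated for them; grep the repository for `image (1).png`, `image (2).png`, `image (3).png`, `image (4).png`, `image (23).png`, `image (24).png`, `image (29).png` and `image (31).png` and confirm each embedding page still shows the intended screenshot.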
@@ -329,12 +329,12 @@ tc qdisc add dev eth0 parent 1:3 handle 10: netem delay 61s
-ποΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) ποΈ - π₯ Youtube π₯
+ποΈ HackTricks LIVE TwitchWednesdays 5.30pm (UTC) ποΈ -π₯ Youtube π₯
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/pentesting-web/phone-number-injections.md b/pentesting-web/phone-number-injections.md
new file mode 100644
index 000000000..01932ab0d
--- /dev/null
+++ b/pentesting-web/phone-number-injections.md
@@ -0,0 +1,39 @@
+# Phone Number Injections
+
+
+
+ποΈ HackTricks LIVE TwitchWednesdays 5.30pm (UTC) ποΈ -π₯ Youtube π₯
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
+
+It's possible to **add strings at the end the phone number** that could be used to exploit common injections (XSS, SQLi, SSRF...) or even to bypass protections:
+
+
+
+
+
+**OTP Bypass / Bruteforce** would work like this:
+
+
+
+## References
+
+* [https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0)
+
+
+
+ποΈ HackTricks LIVE TwitchWednesdays 5.30pm (UTC) ποΈ -π₯ Youtube π₯
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
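Review bot: the new page has no substantive content. The one descriptive sentence ("It's possible to add strings at the end the phone number ...") is followed by blank lines where payload examples were presumably meant to go, and "OTP Bypass / Bruteforce would work like this:" is followed by nothing at all, so a reader gets the claim without the technique, and anyone searching the repository for the injected formats will find nothing. Please write the examples out as text (a short fenced list of the phone-number formats involved, and a sentence on why a parser that normalises or truncates the number lets trailing input through), rather than relying on screenshots that are absent here; if screenshots are used, give them alt text. Also fix "at the end the phone number" to "at the end of the phone number", and note that the sponsor banner block appears twice in a 39-line file, which is more banner than page.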
diff --git a/todo/radio-hacking/flipper-zero/fz-ibutton.md b/todo/radio-hacking/flipper-zero/fz-ibutton.md
index 1c88e2dc9..0ecfde26f 100644
--- a/todo/radio-hacking/flipper-zero/fz-ibutton.md
+++ b/todo/radio-hacking/flipper-zero/fz-ibutton.md
@@ -44,7 +44,7 @@ It's possible to **emulate** saved iButtons (read or manually added).
If you cannot make the expected contacts of the Flipper Zero touch the reader you can **use the external GPIO:**
{% endhint %}
-
+
## References
diff --git a/todo/radio-hacking/flipper-zero/fz-sub-ghz.md b/todo/radio-hacking/flipper-zero/fz-sub-ghz.md
index dea759f27..229da7553 100644
--- a/todo/radio-hacking/flipper-zero/fz-sub-ghz.md
+++ b/todo/radio-hacking/flipper-zero/fz-sub-ghz.md
@@ -16,13 +16,13 @@
Flipper Zero can **receive and transmit radio frequencies in the range of 300-928 MHz** with its built-in module, which can read, save, and emulate remote controls. These controls are used for interaction with gates, barriers, radio locks, remote control switches, wireless doorbells, smart lights, and more. Flipper Zero can help you to learn if your security is compromised.
-
+
## Sub-GHz hardware
Flipper Zero has a built-in sub-1 GHz module based on a [ο»Ώ](https://www.st.com/en/nfc/st25r3916.html#overview)ο»Ώ[CC1101 chip](https://www.ti.com/lit/ds/symlink/cc1101.pdf) and a radio antenna (the maximum range is 50 meters). Both the CC1101 chip and the antenna are designed to operate at frequencies in the 300-348 MHz, 387-464 MHz, and 779-928 MHz bands.
-
+
## Actions
diff --git a/todo/radio-hacking/ibutton.md b/todo/radio-hacking/ibutton.md
index 9c520fcd1..88bc3595b 100644
--- a/todo/radio-hacking/ibutton.md
+++ b/todo/radio-hacking/ibutton.md
@@ -22,7 +22,7 @@ iButton is a generic name for an electronic identification key packed in a **coi
Usually, iButton implies the physical form of the key and reader - a round coin with two contacts. For the frame surrounding it, there are lots of variations from the most common plastic holder with a hole to rings, pendants, etc.
-
+
When the key reaches the reader, the **contacts come to touch** and the key is powered to **transmit** its ID. Sometimes the key is **not read** immediately because the **contact PSD of an intercom is larger** than it should be. So the outer contours of the key and the reader couldn't touch. If that's the case, you'll have to press the key over one of the walls of the reader.
diff --git a/todo/radio-hacking/infrared.md b/todo/radio-hacking/infrared.md
index f225cfbd0..ea36da4be 100644
--- a/todo/radio-hacking/infrared.md
+++ b/todo/radio-hacking/infrared.md
@@ -38,7 +38,7 @@ Bits are encoded by modulating the duration of the space between pulses. The wid
Bits are encoded by modulation of the pulse width. The width of space after pulse burst is constant.
-
+
**3. Phase Encoding**
diff --git a/todo/radio-hacking/sub-ghz-rf.md b/todo/radio-hacking/sub-ghz-rf.md
index 99e5c0c3e..68f9f11f0 100644
--- a/todo/radio-hacking/sub-ghz-rf.md
+++ b/todo/radio-hacking/sub-ghz-rf.md
@@ -23,11 +23,11 @@ In Europe 433.92MHz is commonly used and in U.S. and Japan it's the 315MHz.
## **Brute-force Attack**
-
+
If instead of sending each code 5 times (sent like this to make sure the receiver gets it) so just send it once, the time is reduced to 6mins:
-
+
and if you **remove the 2 ms waiting** period between signals you can **reduce the time to 3minutes.**
diff --git a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
index f66b065a3..2af7db677 100644
--- a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
+++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
@@ -477,7 +477,7 @@ First, we obtain the hash of `Jane` with for instance Shadow Credentials (using
Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that weβre leaving out the `@corp.local` part.
-
+
This is not a constraint violation, since the `Administrator` userβs `userPrincipalName` is `Administrator@corp.local` and not `Administrator`.