AWAE/OSWE

Preparation for coming AWAE Training.

Work in progress...

Facebook discuss group

• https://www.facebook.com/groups/262623168007439

Course syllabus

• https://www.offensive-security.com/documentation/awae-syllabus.pdf

Other resource

Burpsuite how to?

• https://portswigger.net/burp/documentation

Common web vulnerabilities

• https://portswigger.net/web-security

Atmail Mail Server Appliance: from XSS to RCE (6.4) CVE-2012-2593

• https://www.exploit-db.com/exploits/20009

ATutor Authentication Bypass and RCE (2.2.1) CVE-2016-2555

• Install: https://sourceforge.net/projects/atutor/files/atutor_2_2_1/
• https://www.exploit-db.com/exploits/39514

ATutor LMS Type Juggling Vulnerability (<=2.2.1) CVE-?

• Install: https://sourceforge.net/projects/atutor/files/atutor_2_2_1/
• https://srcincite.io/advisories/src-2016-0012/
• https://github.com/sourceincite/poc/blob/master/SRC-2016-0012.py
• Reference: PHP Type Juggling
  • https://www.youtube.com/watch?v=ASYuK01H3Po
  • https://www.netsparker.com/blog/web-security/type-juggling-authentication-bypass-cms-made-simple/

ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE CVE-?

• Install: http://archives.manageengine.com/applications_manager/12400/
• https://manageenginesales.co.uk/2018/05/manageengine-applications-manager-build-13730-released/

Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability (1.5.1) CVE-2014-7205

• Install: npm install bassmaster@1.5.1
• https://www.npmjs.com/package/bassmaster
• https://www.rapid7.com/db/modules/exploit/multi/http/bassmaster_js_injection
• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/bassmaster_js_injection.rb
• https://www.exploit-db.com/exploits/40689

DotNetNuke Cookie Deserialization RCE (<9.1.1) CVE-2017-9822

• Install: https://github.com/dnnsoftware/Dnn.Platform/releases/tag/v9.1.0
• https://gist.github.com/pwntester/72f76441901c91b25ee7922df5a8a9e4
• https://paper.seebug.org/365/
• https://www.youtube.com/watch?v=oUAeWhW5b8c
• https://vulners.com/seebug/SSV:96326

Other Github Repo

• https://github.com/wetw0rk/AWAE-PREP